Security in AWS Cloud Control API

Cloud security at AWS is the highest priority. As an AWS customer, you benefit from a data center and network architecture that's built to meet the requirements of the most security-sensitive organizations.

Security is a shared responsibility between AWS and you. The shared responsibility model describes this as security of the cloud and security in the cloud:

Security of the cloud – AWS is responsible for protecting the infrastructure that runs AWS services in the AWS Cloud. AWS also provides you with services that you can use securely. Third-party auditors regularly test and verify the effectiveness of our security as part of the AWS Compliance Programs. To learn about the compliance programs that apply to Cloud Control API, see AWS Services in Scope by Compliance Program.
Security in the cloud – Your responsibility is determined by the AWS service that you use. You are also responsible for other factors including the sensitivity of your data, your company’s requirements, and applicable laws and regulations.

AWS CloudFormation provides the security architecture for Cloud Control API; because of this, you will need to configure CloudFormation to meet your security and compliance objectives when using Cloud Control API. Refer to the Security section in the AWS CloudFormation User Guide to help you understand how to apply the shared responsibility model when using AWS CloudFormation. You can also learn how to use other AWS services that help you to monitor and secure your AWS CloudFormation and Cloud Control API resources.

Note the following areas where Cloud Control API differs from CloudFormation when addressing security and compliance concerns:

For AWS Identity and Access Management (IAM) integration:
- In IAM policies, Cloud Control API actions are specified with the "cloudformation" prefix.
  
  For example, the following policy grants create, read, update, and list (but not delete) resource actions.
```
{
    "Version":"2012-10-17",
    "Statement":[{
        "Effect":"Allow",
        "Action":[
            "cloudformation:CreateResource",
            "cloudformation:GetResource",
            "cloudformation:UpdateResource",
            "cloudformation:ListResources"
        ],
        "Resource":"*"
    }]
}
```
- Cloud Control API does not currently support CloudFormation resource-level permissions.
- Cloud Control API does not currently support use of CloudFormation conditions.
For more information, see Controlling access with AWS Identity and Access Management in the AWS CloudFormation User Guide.
Cloud Control API does not currently support Custom resources.
When activity occurs in Cloud Control API and is recorded in AWS CloudTrail, the event source is listed as cloudcontrolapi.amazonaws.com.

For more information, see Logging AWS CloudFormation API calls with AWS CloudTrail in the AWS CloudFormation User Guide.

Warning Javascript is disabled or is unavailable in your browser.

To use the Amazon Web Services Documentation, Javascript must be enabled. Please refer to your browser's Help pages for instructions.

Document Conventions

Getting started

VPC endpoints (AWS PrivateLink)