Security
When you build systems on AWS infrastructure, security
responsibilities are shared between you and AWS. This
shared
responsibility model
IAM roles
AWS Identity and Access Management (IAM) roles allow customers to assign granular access policies and permissions to services and users on the AWS Cloud. The solution creates IAM roles that grant the solution’s constructs to access Regional resources provisioned by the solution, such as:
-
IAM role used by the EC2 instances that run Druid workloads to read and write data in S3 buckets.
-
IAM roles used by AWS CloudFormation custom resources to retrieve the password from the Druid
system_usersecret within AWS Secrets Manager.
By default, all Amazon S3 buckets for the solution have the following configuration:
-
Blocked all public access
-
Versioning enabled
-
Access log enabled
-
Encryption at rest by an AWS KMS customer managed key
Additionally, the Amazon S3 buckets are also configured with a default buckets policy that deny all non-HTTPS requests to ensure data in transit encryption.
AWS WAF
This solution incorporates the deployment of AWS Web Application Firewall (WAF) when the Application Load Balancer (ALB) is configured to be internet-facing. AWS WAF is used to enhance the security of the web applications exposed through the ALB by providing protection against various web-based threats and attacks.
AWS Key Management Service keys
The solution allows you to provide your own AWS KMS keys to encrypt stored data in the S3 bucket and Aurora cluster. We recommend referring to the security best practices for AWS Key Management Service to enhance the protection of your encryption keys.
Data protection
All data committed to the solution is encrypted at rest using
AWS Key Management Service
-
Amazon S3
-
Amazon Aurora
-
Amazon SNS
Communication between the solution’s different components is over HTTPS to ensure data encryption in transit.
