AWS Launch Wizard security
Cloud security at AWS is the highest priority. As an AWS customer, you benefit from a data center and network architecture that is built to meet the requirements of the most security-sensitive organizations.
Security is a shared responsibility between AWS and you. The shared responsibility model describes this as security of the cloud and security in the cloud:
- Security of the cloud – AWS is responsible for protecting the infrastructure that runs AWS services in the AWS Cloud. AWS also provides you with services that you can use securely. Third-party auditors regularly test and verify the effectiveness of our security as part of the AWS Compliance Programs. To learn about the compliance programs that apply to AWS Launch Wizard, see AWS Services in Scope by Compliance Program.
- Security in the cloud – Your responsibility is determined by the AWS service that you use. You are also responsible for other factors including the sensitivity of your data, your company’s requirements, and applicable laws and regulations.
This documentation helps you understand how to apply the shared responsibility model when using AWS Launch Wizard. The following topics show you how to configure Launch Wizard to meet your security and compliance objectives. You also learn how to use other AWS services that help you to monitor and secure your Launch Wizard resources.
AWS Launch Wizard deploys Amazon EC2 instances into Amazon VPCs. For security information for Amazon EC2 and Amazon VPC, see the security sections in the Amazon EC2 Getting Started Guide and the Amazon VPC User Guide.
This section of the Launch Wizard User Guide provides security information that pertains to AWS Launch Wizard. For security topics specific to AWS Launch Wizard for SQL Server, see Security groups and firewalls. For security topics specific to AWS Launch Wizard for SAP, see Security groups in AWS Launch Wizard for SAP.
Launch Wizard security topics
Infrastructure security in Launch Wizard
As a managed service, AWS Launch Wizard is protected by the AWS global network security.
For information about AWS security services and how AWS protects infrastructure, see AWS Cloud Security.
Resilience in Launch Wizard
The AWS global infrastructure is built around AWS Regions and Availability Zones. Regions provide multiple physically separated and isolated Availability Zones, which are connected through low-latency, high-throughput, and highly redundant networking. With Availability Zones, you can design and operate applications and databases that automatically fail over between Availability Zones without interruption. Availability Zones are more highly available, fault tolerant, and scalable than traditional single or multiple data center infrastructures.
For more information about AWS Regions and Availability Zones, see AWS Global Infrastructure.
AWS Launch Wizard sets up an application across multiple Availability Zones to ensure automatic failover between Availability Zones without interruption. Availability Zones are more highly available, fault tolerant, and scalable than traditional single or multiple data center infrastructures.
Data protection in Launch Wizard
The AWS shared responsibility model applies to data protection in Launch Wizard.
For data protection purposes, we recommend that you protect AWS account credentials and set up individual users with AWS IAM Identity Center or AWS Identity and Access Management (IAM). That way, each user is given only the permissions necessary to fulfill their job duties. We also recommend that you secure your data in the following ways:
- Use multi-factor authentication (MFA) with each account.
- Use SSL/TLS to communicate with AWS resources. We require TLS 1.2 and recommend TLS 1.3.
- Set up API and user activity logging with AWS CloudTrail. For information about using CloudTrail trails to capture AWS activities, see Working with CloudTrail trails in the AWS CloudTrail User Guide.
- Use AWS encryption solutions, along with all default security controls within AWS services.
- Use advanced managed security services such as Amazon Macie, which assists in discovering and securing sensitive data that is stored in Amazon S3.
- If you require FIPS 140-3 validated cryptographic modules when accessing AWS through a command line interface or an API, use a FIPS endpoint. For more information about the available FIPS endpoints, see Federal Information Processing Standard (FIPS) 140-3.
We strongly recommend that you never put confidential or sensitive information, such as your customers' email addresses, into tags or free-form text fields such as a Name field. This includes when you work with Launch Wizard or other AWS services using the console, API, AWS CLI, or AWS SDKs. Any data that you enter into tags or free-form text fields used for names may be used for billing or diagnostic logs. If you provide a URL to an external server, we strongly recommend that you do not include credential information in the URL to validate your request to that server.
Encryption with AWS managed keys and customer managed keys
AWS Launch Wizard for Active Directory, SQL Server, and SAP use the default AWS managed keys to encrypt Amazon EBS volumes. Launch Wizard for SAP also supports the use of customer managed keys that you have already created.
If you don't specify a customer managed key, Launch Wizard for SAP automatically creates an AWS managed key in your AWS account.
If you want to use a customer managed key for Launch Wizard for SAP, see the steps for adding permissions to your KMS key policy for Launch Wizard to use your KMS key at Add permissions to use AWS KMS keys in the Launch Wizard for SAP User Guide.
Creating your own customer managed key gives you more flexibility and control. For example, you can create, rotate, and disable customer managed keys. You can also define access controls and audit the customer managed keys that you use to protect your data. For more information about customer managed keys and AWS managed keys, see AWS KMS concepts in the AWS Key Management Service Developer Guide.
Identity and Access Management for AWS Launch Wizard
AWS Launch Wizard uses the following AWS managed policies to grant permissions to users and services.
- AmazonEC2RolePolicyForLaunchWizard – AWS Launch Wizard creates an IAM role named AmazonEC2RoleForLaunchWizard in your account if the role does not already exist. If the role exists, it is attached to the instance profile for the Amazon EC2 instances that Launch Wizard launches into your account. This role consists of two IAM managed policies: AmazonSSMManagedInstanceCore and AmazonEC2RolePolicyForLaunchWizard.
  When you choose to deploy your SAP application with AWS Backint Agent for SAP HANA, you must attach the IAM inline policy provided in Step 2 of the AWS Identity and Access Management documentation for AWS Backint Agent for SAP HANA. This policy and instructions to attach the policy to the role are provided by Launch Wizard.
- AmazonSSMManagedInstanceCore – This policy enables AWS Systems Manager service core functionality on Amazon EC2. For information, see Create an IAM Instance Profile for Systems Manager.
- AmazonLaunchWizardFullAccessV2 – This policy provides full access to AWS Launch Wizard and other required services.
- AWSLambdaVPCAccessExecutionRole – This policy provides the minimum permissions for a Lambda function to run while accessing a resource within a VPC: creating, describing, and deleting network interfaces, and writing to CloudWatch Logs.
- AmazonLambdaRolePolicyForLaunchWizardSAP – This policy provides the minimum permissions to enable SAP provisioning scenarios on Launch Wizard. It allows Lambda functions to be invoked to perform certain actions, such as validating route tables and performing pre-configuration and configuration tasks to enable HA mode.
- To run custom pre- and post-configuration deployment scripts, you must manually add the permissions provided in Add permissions to run custom pre- and post-deployment configuration scripts to the AmazonEC2RoleForLaunchWizard role.
- To save generated artifacts from Launch Wizard for SAP to Amazon S3 when your S3 bucket name does not include the prefix launchwizard, you must attach the policy provided in Add permissions to save deployment artifacts to Amazon S3 to the IAM user.
- To grant permissions for users to launch AWS Service Catalog products created with Launch Wizard for SAP, follow the steps in Set up to launch AWS Service Catalog products created with AWS Launch Wizard.
- To grant permissions to AWS Service Catalog to create a launch constraint for users who want to launch an AWS Service Catalog product created by Launch Wizard for SAP, follow the steps in Create a launch constraint.
If you deploy domain controllers into an existing VPC with an existing Active Directory, Launch Wizard for Active Directory requires domain administrator credentials to be added to Secrets Manager in order to join your domain controllers to Active Directory and promote them. In addition, the following resource policy must be attached to the secret so that Launch Wizard can access the secret. Launch Wizard guides you through the process of attaching the required policy to your secret.
```json
{
  "Version": "2012-10-17",
  "Statement": [{
    "Effect": "Allow",
    "Principal": {
      "AWS": "arn:aws:iam::<account-id>:role/service-role/AmazonEC2RoleForLaunchWizard"
    },
    "Action": [
      "secretsmanager:GetSecretValue",
      "secretsmanager:CreateSecret",
      "secretsmanager:GetRandomPassword"
    ],
    "Resource": "*"
  }]
}
```
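As an added example (not part of the guide or of Launch Wizard itself), the following Python renders the resource policy above for a given account ID and reviews a policy before it is attached: it flags a wildcard or missing principal, any principal other than the AmazonEC2RoleForLaunchWizard role in your account, and any action beyond the three the role needs. The account ID is a constructed placeholder.

```python
import re

# Constructed placeholder account ID; substitute your own when rendering the policy.
EXAMPLE_ACCOUNT_ID = "111122223333"

# The three actions the guide's resource policy grants to the Launch Wizard role.
REQUIRED_ACTIONS = frozenset({
    "secretsmanager:GetSecretValue",
    "secretsmanager:CreateSecret",
    "secretsmanager:GetRandomPassword",
})


def role_arn(account_id: str) -> str:
    """ARN of AmazonEC2RoleForLaunchWizard in the given account."""
    if not re.fullmatch(r"\d{12}", account_id):
        raise ValueError("account_id must be a 12-digit AWS account ID")
    return f"arn:aws:iam::{account_id}:role/service-role/AmazonEC2RoleForLaunchWizard"


def build_secret_policy(account_id: str) -> dict:
    """The guide's resource policy with <account-id> filled in."""
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Effect": "Allow",
            "Principal": {"AWS": role_arn(account_id)},
            "Action": sorted(REQUIRED_ACTIONS),
            "Resource": "*",  # in a secret's resource policy, "*" means this secret
        }],
    }


def policy_problems(policy: dict, account_id: str) -> list[str]:
    """Review findings for a secret resource policy; an empty list means it is safe to attach."""
    findings = []
    for i, stmt in enumerate(policy.get("Statement", [])):
        if stmt.get("Effect") != "Allow":
            continue  # Deny statements cannot widen access
        principal = stmt.get("Principal")
        principals = principal.get("AWS") if isinstance(principal, dict) else principal
        principals = [principals] if isinstance(principals, str) else (principals or [])
        if "*" in principals or not principals:
            findings.append(f"statement {i}: wildcard or missing principal exposes the secret")
        findings += [f"statement {i}: unexpected principal {p}"
                     for p in principals if p not in ("*", role_arn(account_id))]
        actions = stmt.get("Action", [])
        actions = [actions] if isinstance(actions, str) else actions
        extra = sorted(set(actions) - REQUIRED_ACTIONS)
        if extra:
            findings.append(f"statement {i}: actions beyond what Launch Wizard needs: {extra}")
    return findings
```

Serialize the result of build_secret_policy with json.dumps to a file and attach it with `aws secretsmanager put-resource-policy --secret-id <secret-name> --resource-policy file://policy.json --block-public-policy`, which makes Secrets Manager reject the policy if it would grant public access.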
Update management in Launch Wizard
We recommend that you regularly patch, update, and secure the operating system and applications on your EC2 instances. You can use AWS Systems Manager Patch Manager to automate the process of installing security-related updates for both the operating system and applications. Alternatively, you can use any automatic update services or recommended processes for installing updates that are provided by the application vendor.