
Infrastructure security in Amazon FinSpace

As a managed service, Amazon FinSpace is protected by AWS global network security. For information about AWS security services and how AWS protects its infrastructure, see AWS Cloud Security. To design your AWS environment using the best practices for infrastructure security, see Infrastructure Protection in the Security Pillar of the AWS Well-Architected Framework.

You use AWS published API calls to access FinSpace through the network. Clients must support the following:

  • Transport Layer Security (TLS). We require TLS 1.2 and recommend TLS 1.3.

  • Cipher suites with perfect forward secrecy (PFS) such as DHE (Ephemeral Diffie-Hellman) or ECDHE (Elliptic Curve Ephemeral Diffie-Hellman). Most modern systems such as Java 7 and later support these modes.

Additionally, every request must be signed (AWS Signature Version 4) with an access key ID and secret access key that are associated with an IAM principal. Alternatively, you can use the AWS Security Token Service (AWS STS) to obtain temporary security credentials and sign requests with those; temporary credentials are preferable because they expire and do not need to be stored long term.
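The following shell script is an added example, not code from the original page: it applies the two client requirements above (TLS 1.2 or 1.3, and a key exchange with forward secrecy) to the session that `openssl s_client` negotiates with a FinSpace endpoint. The hostname pattern `finspace.<Region>.amazonaws.com` used by the live probe is an assumption for this example, and the three `openssl` outputs embedded in the script are constructed samples so the checking logic runs offline.

```shell
#!/usr/bin/env bash
# Added example: check that a TLS session to FinSpace satisfies the client
# requirements above (TLS 1.2 or 1.3, ephemeral (EC)DHE key exchange).

# Pull one field ("Protocol" or "Cipher") out of the SSL-Session block that
# `openssl s_client` prints. Reads the s_client output on stdin.
session_field() {
    sed -n -e "/^[[:space:]]*$1[[:space:]]*:/{" \
           -e 's/^[^:]*:[[:space:]]*//' -e 's/[[:space:]]*$//' -e p -e '}' \
        | head -n 1
}

# Reads `openssl s_client` output on stdin. Exits 0 and prints
# "<protocol> <cipher>" when the session meets the requirements; otherwise
# exits 1 with the reason on stderr.
tls_session_ok() {
    session=$(cat)
    proto=$(printf '%s\n' "$session" | session_field Protocol)
    cipher=$(printf '%s\n' "$session" | session_field Cipher)
    case "$proto" in
        TLSv1.3)
            ;;  # every TLS 1.3 cipher suite uses ephemeral (EC)DHE key exchange
        TLSv1.2)
            case "$cipher" in
                ECDHE-*|DHE-*) ;;  # OpenSSL suite names put the key exchange first
                *) echo "no forward secrecy: $cipher" >&2; return 1 ;;
            esac
            ;;
        *)
            echo "unacceptable protocol: ${proto:-none negotiated}" >&2
            return 1
            ;;
    esac
    echo "$proto $cipher"
}

# Live probe (needs network access and the openssl binary). The endpoint
# hostname pattern is an assumption made for this example.
probe_finspace_tls() {  # $1 = Region
    host="finspace.$1.amazonaws.com"
    openssl s_client -connect "$host:443" -servername "$host" </dev/null 2>/dev/null \
        | tls_session_ok
}

# Constructed samples of the relevant lines of s_client output.
SAMPLE_TLS13='New, TLSv1.3, Cipher is TLS_AES_256_GCM_SHA384
SSL-Session:
    Protocol  : TLSv1.3
    Cipher    : TLS_AES_256_GCM_SHA384'
SAMPLE_TLS12_PFS='New, TLSv1.2, Cipher is ECDHE-RSA-AES128-GCM-SHA256
SSL-Session:
    Protocol  : TLSv1.2
    Cipher    : ECDHE-RSA-AES128-GCM-SHA256'
SAMPLE_TLS12_RSA='New, TLSv1.2, Cipher is AES128-GCM-SHA256
SSL-Session:
    Protocol  : TLSv1.2
    Cipher    : AES128-GCM-SHA256'   # static RSA key exchange: no forward secrecy

# Run the live probe only when asked: ./check-tls.sh probe us-east-1
if [ "${1:-}" = "probe" ]; then
    probe_finspace_tls "${2:-us-east-1}"
fi
```

Run it with `probe <Region>` from the machine whose TLS stack you want to verify; the parse-and-check logic is what matters, since the requirement is on the client side. A client that only offers TLS 1.0/1.1 or only static-RSA suites produces an output that the check rejects.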

FinSpace is architected so that your traffic is isolated to the specific AWS Region that your FinSpace environment resides in.

Connect to FinSpace using an interface VPC endpoint

You can connect to the FinSpace APIs using an interface VPC endpoint (AWS PrivateLink) instead of connecting over the internet. When you use an interface VPC endpoint, communication between your VPC and FinSpace stays entirely within the AWS network. Each VPC endpoint is represented by one or more elastic network interfaces (ENIs) with private IP addresses in your VPC subnets.

Note

You can connect to the FinSpace web application only over the internet; the VPC endpoints described here cover the APIs, not the web application.

To use FinSpace through your VPC, you must connect from an instance that is inside the VPC, or connect your private network to your VPC by using AWS Virtual Private Network (AWS VPN) or AWS Direct Connect. For information about AWS VPN, see VPN connections in the Amazon Virtual Private Cloud User Guide. For information about AWS Direct Connect, see Creating a connection in the AWS Direct Connect User Guide.

FinSpace supports VPC endpoints in all AWS Regions where both Amazon VPC and FinSpace are available.

You can create an interface VPC endpoint to connect to FinSpace using the AWS console or AWS Command Line Interface (AWS CLI) commands. For more information, see Creating an interface endpoint.

You need to create separate endpoints for the FinSpace management APIs and the data APIs, because they are exposed as two different services:

  • Management APIs – com.amazonaws.<Region>.finspace

  • Data APIs – com.amazonaws.<Region>.finspace-api

After you create an interface VPC endpoint, if you enable private DNS hostnames for the endpoint, the default public FinSpace hostname resolves, from inside the VPC, to the private IP addresses of the endpoint's network interfaces. SDK and AWS CLI clients in the VPC then use the endpoint without any change to their configured endpoint URL.

For more information, see Interface VPC endpoints (AWS PrivateLink) in the Amazon VPC User Guide.

Create a VPC endpoint policy for FinSpace

You can create a policy for Amazon VPC endpoints for FinSpace to specify the following:

  • The principal that can perform actions.

  • The actions that can be performed.

  • The resources on which actions can be performed.

If you do not attach a policy, the endpoint's default policy allows full access to the service through the endpoint, so attach one that limits which principals and actions may use this private path. For more information, see Controlling access to services with VPC endpoints in the Amazon VPC User Guide. Whenever you use IAM policies, make sure that you follow IAM best practices. For more information, see Security best practices in IAM in the AWS Identity and Access Management User Guide.
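The following shell script is an added example (it is not code from the original page or from AWS) that ties the endpoint creation above to an endpoint policy: it derives the two service names, writes a policy that allows only principals belonging to your own AWS account (so credentials from another account cannot use your private path into FinSpace), and creates both interface endpoints with `aws ec2 create-vpc-endpoint`. The IAM action prefixes `finspace:` and `finspace-api:`, the `/tmp` policy paths and the sample account, VPC, subnet and security-group IDs are assumptions for this example; the policy leaves `Resource` as `*`.

```shell
#!/usr/bin/env bash
# Added example: create the management and data interface endpoints for
# FinSpace, each with a VPC endpoint policy that only allows principals
# from one AWS account. Requires the AWS CLI and ec2:CreateVpcEndpoint.

# Service name for one of the two FinSpace API families in a Region.
finspace_service_name() {  # $1 = Region, $2 = management | data
    case "$2" in
        management) echo "com.amazonaws.$1.finspace" ;;
        data)       echo "com.amazonaws.$1.finspace-api" ;;
        *) echo "unknown API family: $2" >&2; return 1 ;;
    esac
}

# IAM action prefix used by each API family (assumed for this example).
finspace_action_prefix() {  # $1 = management | data
    case "$1" in
        management) echo "finspace" ;;
        data)       echo "finspace-api" ;;
        *) return 1 ;;
    esac
}

# Write an endpoint policy to $1. Principal "*" plus the aws:PrincipalAccount
# condition means: any principal, as long as it belongs to account $2. The
# actions are limited to the API family ($3) this endpoint serves.
write_endpoint_policy() {  # $1 = output path, $2 = account ID, $3 = action prefix
    cat > "$1" <<EOF
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "OnlyPrincipalsFromOwnAccount",
      "Effect": "Allow",
      "Principal": "*",
      "Action": "$3:*",
      "Resource": "*",
      "Condition": {
        "StringEquals": { "aws:PrincipalAccount": "$2" }
      }
    }
  ]
}
EOF
}

# Create one interface endpoint with private DNS enabled, so the default
# FinSpace hostname resolves to it from inside the VPC. Prints the endpoint ID.
create_finspace_endpoint() {  # $1 Region, $2 family, $3 vpc-id, $4 subnet-id, $5 sg-id, $6 policy file
    aws ec2 create-vpc-endpoint \
        --region "$1" \
        --vpc-endpoint-type Interface \
        --vpc-id "$3" \
        --service-name "$(finspace_service_name "$1" "$2")" \
        --subnet-ids "$4" \
        --security-group-ids "$5" \
        --private-dns-enabled \
        --policy-document "file://$6" \
        --query 'VpcEndpoint.VpcEndpointId' --output text
}

# Sample identifiers (constructed); replace them before running with "create".
REGION=us-east-1
ACCOUNT_ID=123456789012
VPC_ID=vpc-0123456789abcdef0
SUBNET_ID=subnet-0123456789abcdef0
SG_ID=sg-0123456789abcdef0

if [ "${1:-}" = "create" ]; then
    for family in management data; do
        policy="/tmp/finspace-$family-endpoint-policy.json"
        write_endpoint_policy "$policy" "$ACCOUNT_ID" "$(finspace_action_prefix "$family")"
        create_finspace_endpoint "$REGION" "$family" "$VPC_ID" "$SUBNET_ID" "$SG_ID" "$policy"
    done
fi
```

The security group you pass must allow inbound TCP 443 from the clients in your VPC, otherwise the endpoint is reachable by DNS but connections time out. After creation, `getent hosts finspace.us-east-1.amazonaws.com` (or the `finspace-api` hostname) run from an instance in the VPC should return an address inside one of your subnets, which confirms that private DNS is in effect.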