Security - Amazon Marketing Cloud Uploader from AWS

Security

When you build systems on AWS infrastructure, security responsibilities are shared between you and AWS. This shared model reduces your operational burden because AWS operates, manages, and controls the components including the host operating system, the virtualization layer, and the physical security of the facilities in which the services operate. For more information about AWS security, visit AWS Cloud Security.

IAM roles

AWS Identity and Access Management (IAM) roles allow customers to assign granular access policies and permissions to services and users on the AWS Cloud. This solution creates IAM roles that grant the solution’s AWS Lambda functions access to create regional resources.

Amazon CloudFront

This solution deploys an Amazon CloudFront distribution and uses the default CloudFront domain name (*.cloudfront.net) and its default SSL/TLS certificate. With the default certificate, the distribution's security policy is fixed at TLSv1, which still accepts TLS 1.0 and TLS 1.1 connections and cannot be raised. To require TLS 1.2 or later as the minimum protocol version, use your own domain name with a custom SSL/TLS certificate (for example, one issued by AWS Certificate Manager) and select a TLSv1.2 security policy on the distribution. For more information, refer to Using alternate domain names and HTTPS in the Amazon CloudFront Developer Guide.

This solution deploys a web client hosted in an Amazon Simple Storage Service (Amazon S3) bucket. To help reduce latency and improve security, the solution serves the bucket through an Amazon CloudFront distribution with an origin access identity (OAI), a special CloudFront user that is granted read access to the website bucket so that the bucket itself can remain private and does not need public access. Browsers therefore retrieve the web client through the CloudFront distribution rather than directly from the S3 bucket URL. Note that AWS now recommends origin access control (OAC), the successor to OAI, for new S3 origins. For more information, refer to Restricting access to an Amazon S3 origin in the Amazon CloudFront Developer Guide.
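The two CloudFront points above (default certificate pinned to TLSv1, and S3 origin readable only through the OAI) are the kind of thing worth verifying after deployment rather than assuming. The following is an added example written for this page, not code from the solution itself: an offline posture check over a DistributionConfig object in the same shape that `aws cloudfront get-distribution-config` returns, plus a generator for the S3 bucket policy that grants read access to a single OAI. The sample configuration, bucket name and OAI ID (E2EXAMPLEOAI) are constructed placeholders.

```python
"""Offline posture check for a CloudFront DistributionConfig.

The input has the same shape as the ``DistributionConfig`` object returned by
``aws cloudfront get-distribution-config``. SAMPLE_CONFIG below is constructed
for this example, not captured from a real account.
"""
import json

# CloudFront security policies that make TLS 1.2 the minimum protocol version.
TLS12_OR_HIGHER = {"TLSv1.2_2018", "TLSv1.2_2019", "TLSv1.2_2021"}

# Constructed sample resembling the solution's default deployment:
# default *.cloudfront.net certificate, one S3 origin behind an OAI.
SAMPLE_CONFIG = {
    "Origins": {"Quantity": 1, "Items": [{
        "Id": "website-bucket",
        "DomainName": "amc-uploader-website-example.s3.amazonaws.com",
        "S3OriginConfig": {"OriginAccessIdentity": "origin-access-identity/cloudfront/E2EXAMPLEOAI"},
    }]},
    "DefaultCacheBehavior": {"TargetOriginId": "website-bucket",
                             "ViewerProtocolPolicy": "redirect-to-https"},
    "ViewerCertificate": {
        "CloudFrontDefaultCertificate": True,
        "MinimumProtocolVersion": "TLSv1",
        "CertificateSource": "cloudfront",
    },
}


def audit_distribution(config):
    """Return a list of finding strings; an empty list means all checks passed."""
    findings = []

    cert = config.get("ViewerCertificate", {})
    min_tls = cert.get("MinimumProtocolVersion", "")
    if cert.get("CloudFrontDefaultCertificate"):
        # With the default certificate the policy is pinned to TLSv1 (TLS 1.0 allowed).
        findings.append("default CloudFront certificate in use: minimum TLS fixed at "
                        f"{min_tls or 'TLSv1'}; attach a custom certificate to require TLS 1.2+")
    elif min_tls not in TLS12_OR_HIGHER:
        findings.append(f"custom certificate but weak security policy {min_tls!r}")

    # Default behavior plus any path-specific behaviors.
    behaviors = [config.get("DefaultCacheBehavior", {})]
    behaviors += config.get("CacheBehaviors", {}).get("Items", [])
    for b in behaviors:
        if b.get("ViewerProtocolPolicy") == "allow-all":
            findings.append(f"behavior for origin {b.get('TargetOriginId')} allows plain HTTP")

    for origin in config.get("Origins", {}).get("Items", []):
        s3cfg = origin.get("S3OriginConfig")
        if s3cfg is None:
            continue  # custom (non-S3) origin; not covered by this check
        has_oai = bool(s3cfg.get("OriginAccessIdentity"))  # "" means no OAI
        has_oac = bool(origin.get("OriginAccessControlId"))
        if not (has_oai or has_oac):
            findings.append(f"S3 origin {origin['Id']} has neither an OAI nor an OAC; "
                            "the bucket would have to be public for the site to load")
    return findings


def oai_bucket_policy(bucket, oai_id):
    """S3 bucket policy granting object reads to one OAI and nobody else.

    Pair this with S3 Block Public Access on the bucket so the OAI is the sole
    read path. ``oai_id`` is the identity's ID (e.g. E2EXAMPLEOAI), not the full
    ``origin-access-identity/cloudfront/...`` path used in the origin config.
    """
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Sid": "AllowCloudFrontOAIRead",
            "Effect": "Allow",
            "Principal": {"AWS": f"arn:aws:iam::cloudfront:user/CloudFront Origin Access Identity {oai_id}"},
            "Action": "s3:GetObject",
            "Resource": f"arn:aws:s3:::{bucket}/*",
        }],
    }


if __name__ == "__main__":
    for finding in audit_distribution(SAMPLE_CONFIG):
        print("FINDING:", finding)
    print(json.dumps(oai_bucket_policy("amc-uploader-website-example", "E2EXAMPLEOAI"), indent=2))
```

Run against a live account by feeding `audit_distribution` the `DistributionConfig` element of the `get-distribution-config` output; on the default deployment described above it reports exactly one finding, the TLSv1-pinned default certificate, and goes quiet once a custom certificate with a TLSv1.2 policy is attached.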

AWS Secrets Manager

This solution uses AWS Secrets Manager to securely store user-specified OAuth credentials.

AWS CloudTrail

If your company must comply with SOC (System and Organization Controls), PCI DSS (Payment Card Industry Data Security Standard), HIPAA (Health Insurance Portability and Accountability Act), or any other regulation, it is your responsibility to ensure compliance by activating AWS CloudTrail for secure logging as required by your organization's security policy.

Multi-factor authentication (MFA) in Amazon Cognito user pools

This solution creates only one user in its Amazon Cognito user pool. MFA is not activated by default; however, we recommend using MFA for users in Amazon Cognito for a stronger security posture in production workloads. For more information about setting up MFA in Amazon Cognito, refer to Adding MFA to a user pool and Adding advanced security to a user pool in the Amazon Cognito Developer Guide.

AWS Web Application Firewall (WAF) in Amazon API Gateway

We recommend activating AWS WAF on the Amazon API Gateway API for this solution whenever the application is exposed to the public internet in a production environment. For guidance about setting up AWS WAF, refer to Using AWS WAF to protect your APIs in the Amazon API Gateway Developer Guide. We also recommend reviewing the AWS Best Practices for DDoS Resiliency whitepaper for information about protecting your AWS applications from Distributed Denial of Service (DDoS) attacks.