Data Protection in AWS OpsWorks CM

AWS OpsWorks CM conforms to the AWS shared responsibility model, which includes regulations and guidelines for data protection. AWS is responsible for protecting the global infrastructure that runs all the AWS services. AWS maintains control over data hosted on this infrastructure, including the security configuration controls for handling customer content and personal data. AWS customers and APN partners, acting either as data controllers or data processors, are responsible for any personal data that they put in the AWS Cloud.

For data protection purposes, we recommend that you protect AWS account credentials and set up individual user accounts with AWS Identity and Access Management (IAM), so that each user is given only the permissions necessary to fulfill their job duties. We also recommend that you secure your data in the following ways:

  • Use multi-factor authentication (MFA) with each account.

  • Use SSL/TLS to communicate with AWS resources.

  • Set up API and user activity logging with AWS CloudTrail. For more information about creating a trail in CloudTrail, see Creating a Trail For Your AWS Account in the AWS CloudTrail User Guide.

  • Use AWS encryption solutions, along with all default security controls within AWS services.

  • Use advanced managed security services such as Amazon Macie, which assists in discovering and securing personal data that is stored in Amazon S3.

AWS OpsWorks CM collects the following customer data in the course of creating and maintaining your AWS OpsWorks for Chef Automate and AWS OpsWorks for Puppet Enterprise servers.

  • For OpsWorks for Puppet Enterprise, we collect private keys that Puppet Enterprise uses to enable communication between your Puppet master and managed nodes.

  • For AWS OpsWorks for Chef Automate, we collect private keys for certificates that you attach to the service if you are using a custom domain. The private key that you provide when you are creating a Chef Automate server with a custom domain is passed through to your server.

AWS OpsWorks CM servers store your configuration code, such as Chef cookbooks or Puppet Enterprise modules. Though this code is stored in server backups, AWS does not have access to it. This content is encrypted, and only administrators in your AWS account can access it. We recommend that you secure your Chef or Puppet configuration code using recommended protocols for your source repositories. For example, you can restrict permissions to repositories in AWS CodeCommit, or follow guidelines on the GitHub website for securing GitHub repositories.

AWS OpsWorks CM does not use customer-provided content to maintain the service, or keep customer logs. Logs about your AWS OpsWorks CM servers are stored in your account, in Amazon S3 buckets. IP addresses of users who connect to your AWS OpsWorks CM servers are logged by AWS.

We strongly recommend that you never put sensitive identifying information, such as your customers' account numbers, into free-form fields such as a Name field. Do not include sensitive data in server names, tags, or unencrypted fields. Do not include the names or IP addresses of managed nodes in unencrypted fields. This applies whether you work with AWS OpsWorks CM or other AWS services through the console, API, AWS CLI, or AWS SDKs. Any data that you enter into AWS OpsWorks CM or other services might be picked up for inclusion in diagnostic logs. When you provide a URL to an external server, do not embed credentials in the URL to authenticate your request to that server. The names of AWS OpsWorks CM servers are not encrypted.
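As an added example (not part of this guide or of any AWS tooling), the following check scans server metadata for the plaintext-field mistakes described above: account-number-like values or node IP addresses in server names and tags, and credentials embedded in a URL. The sample input is constructed; `ServerName` and the `Key`/`Value` tag shape follow the OpsWorks CM API, while `ExternalUrl` is a hypothetical field standing in for any URL you supply to the service.

```python
import re
from urllib.parse import urlparse

# Constructed sample shaped like `describe-servers` output with tags merged in.
# ServerName and Tags follow the OpsWorks CM API; ExternalUrl is hypothetical.
SAMPLE_SERVERS = [
    {
        "ServerName": "chef-prod-01",
        "Tags": [{"Key": "team", "Value": "platform"}],
        "ExternalUrl": "https://git.example.com/cookbooks.git",
    },
    {
        "ServerName": "puppet-cust-4111111111111111",
        "Tags": [{"Key": "node", "Value": "10.0.12.7"}],
        "ExternalUrl": "https://deploy:s3cret@git.example.com/modules.git",
    },
]

# Values that should never appear in unencrypted fields such as names or tags.
PATTERNS = {
    "account-number-like": re.compile(r"\b\d{12,16}\b"),
    "ipv4-address": re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b"),
}


def url_has_credentials(value):
    """True if the value is a URL carrying a userinfo part (user:pass@host)."""
    try:
        parts = urlparse(value)
    except ValueError:
        return False
    return bool(parts.scheme and parts.netloc and (parts.username or parts.password))


def scan_value(field, value):
    """Return (field, reason) pairs for every pattern the string value trips."""
    findings = []
    if not isinstance(value, str):
        return findings
    findings += [(field, label) for label, pat in PATTERNS.items() if pat.search(value)]
    if url_has_credentials(value):
        findings.append((field, "credentials-in-url"))
    return findings


def find_sensitive_fields(servers):
    """Return (server_name, field, reason) for each plaintext field that looks sensitive."""
    findings = []
    for server in servers:
        name = server.get("ServerName", "<unnamed>")
        for field, value in server.items():
            if field == "Tags" and isinstance(value, list):
                for tag in value:  # tags are {"Key": ..., "Value": ...} dicts
                    hits = scan_value("Tags." + str(tag.get("Key")), tag.get("Value"))
                    findings += [(name, f, r) for f, r in hits]
            else:
                findings += [(name, f, r) for f, r in scan_value(field, value)]
    return findings
```

Run it against real `describe-servers` and `list-tags-for-resource` output before creating or renaming servers, so that nothing flagged ends up in diagnostic logs.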

For more information about data protection, see the AWS Shared Responsibility Model and GDPR blog post on the AWS Security Blog.