Security - DevOps Monitoring Dashboard on AWS

Security

When you build systems on AWS infrastructure, security responsibilities are shared between you and AWS. This shared responsibility model reduces your operational burden because AWS operates, manages, and controls the components including the host operating system, the virtualization layer, and the physical security of the facilities in which the services operate. For more information about AWS security, visit AWS Cloud Security.

IAM roles

AWS Identity and Access Management (IAM) roles allow customers to assign granular access policies and permissions to services and users on the AWS Cloud. This solution creates IAM roles that grant the solution’s AWS Lambda functions access to create Regional resources.

Amazon S3

All Amazon S3 buckets created by the solution are encrypted with server-side encryption using Amazon S3 managed keys (SSE-S3). None of the buckets is publicly accessible. The buckets are configured with the deletion policy set to Retain, so the buckets and their contents are kept rather than deleted when the stack is deleted.
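The following CloudFormation fragment is an added illustration, not the solution's own template, of a bucket that has the three properties described above; it also goes one step further than the text by adding a bucket policy that refuses requests not sent over TLS. The logical resource names (MetricsBucket, MetricsBucketPolicy) are assumed.

```yaml
# Added example (not from the solution's templates). Logical names are assumed.
AWSTemplateFormatVersion: "2010-09-09"
Resources:
  MetricsBucket:
    Type: AWS::S3::Bucket
    # "Deletion policy set to Retain": the bucket and its objects survive
    # stack deletion and resource replacement instead of being removed.
    DeletionPolicy: Retain
    UpdateReplacePolicy: Retain
    Properties:
      # SSE-S3: server-side encryption with Amazon S3 managed keys (AES-256).
      BucketEncryption:
        ServerSideEncryptionConfiguration:
          - ServerSideEncryptionByDefault:
              SSEAlgorithm: AES256
      # Not publicly accessible: block every form of public ACL or policy.
      PublicAccessBlockConfiguration:
        BlockPublicAcls: true
        BlockPublicPolicy: true
        IgnorePublicAcls: true
        RestrictPublicBuckets: true
      # Keep the bucket owner in control of every object, including objects
      # written by other accounts (for example, sharing accounts).
      OwnershipControls:
        Rules:
          - ObjectOwnership: BucketOwnerEnforced

  # Beyond the text: deny any request that does not use TLS, so data only
  # reaches the encrypted bucket over an encrypted channel.
  MetricsBucketPolicy:
    Type: AWS::S3::BucketPolicy
    Properties:
      Bucket: !Ref MetricsBucket
      PolicyDocument:
        Version: "2012-10-17"
        Statement:
          - Sid: DenyInsecureTransport
            Effect: Deny
            Principal: "*"
            Action: "s3:*"
            Resource:
              - !GetAtt MetricsBucket.Arn
              - !Sub "${MetricsBucket.Arn}/*"
            Condition:
              Bool:
                aws:SecureTransport: "false"
```

After deployment, the settings can be confirmed with `aws s3api get-bucket-encryption` and `aws s3api get-public-access-block` against the created bucket.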

AWS CI/CD pipeline deployment

This solution must be launched in the same Region and account where your AWS CI/CD pipeline is deployed. Refer to Set Up a CI/CD Pipeline on AWS if you do not currently have a pipeline set up on AWS.

Amazon QuickSight deployment

This solution requires Amazon QuickSight resources to be deployed in an Amazon QuickSight Enterprise edition account in the same Region. If you plan to use the Amazon QuickSight dashboard feature, you must subscribe to Amazon QuickSight Enterprise edition in the account where you deploy the solution. Refer to Signing Up for An Amazon QuickSight Subscription if you do not have an Amazon QuickSight Enterprise account set up. Ensure that you have the QuickSight Principal ARN, as you will need it later when you deploy the solution. For information, refer to Retrieve the Amazon QuickSight Principal ARN.

Amazon CloudWatch alarm for Amazon CloudWatch Synthetics canary deployment

A REST application can be monitored with an Amazon CloudWatch Synthetics canary job. The solution provides an additional canary-alarm.template, separate from the main CloudFormation template, to provision a CloudWatch alarm and the other resources needed to collect the data required to calculate the MTTR metric for applications. For more information, refer to Set up Amazon CloudWatch Synthetics canary and Amazon CloudWatch alarm.

Amazon CloudWatch alarm for AWS CodePipeline deployment

An Amazon CloudWatch alarm is used to monitor the state (FAILED or SUCCEEDED) of an AWS CodePipeline pipeline. The solution provides an additional pipeline-alarm.template, separate from the main CloudFormation template, to provision a CloudWatch alarm and the other resources needed to collect the data required to calculate the MTTR metric for pipelines. For more information, refer to Set up Amazon CloudWatch Alarm for AWS CodePipeline.

Multi-account multi-Region deployment

Data can be sent from multiple AWS accounts and Regions to the monitoring account. The solution provides an additional sharing-account-stack.template, separate from the main CloudFormation template, to provision the Amazon EventBridge event rules and other resources required to collect data from sharing accounts. For more information, refer to the Set up multi-account multi-Region data ingestion section.