Security - Amazon S3 Glacier Re:Freezer

Security

When you build systems on AWS infrastructure, security responsibilities are shared between you and AWS. This shared model reduces your operational burden because AWS operates, manages, and controls the components including the host operating system, the virtualization layer, and the physical security of the facilities in which the services operate. For more information about AWS security, visit AWS Cloud Security.

This solution does not expose any APIs or a user interface for interaction. The permissions and roles created by the solution are only used to copy data from an existing source Amazon S3 Glacier vault to a destination Amazon S3 bucket within the same account.

Amazon Simple Storage Service (Amazon S3)

This solution uses Amazon S3 server-side encryption (SSE-S3) to encrypt the data stored in the staging S3 bucket.

Amazon DynamoDB

This solution uses the default Amazon DynamoDB encryption at rest option for DynamoDB tables.

AWS Identity and Access Management (IAM) roles

AWS IAM roles enable customers to assign granular access policies and permissions to services and users on the AWS Cloud. This solution creates IAM roles that grant the solution’s AWS Lambda functions access to create Regional resources.

To reduce the impact of a compromised asset, each operation (for example, AWS Lambda, AWS Glue, and AWS Step Functions) is provisioned with a dedicated role, following the principles of separation. For a full list of IAM roles and policies, refer to the solution’s GitHub repository.
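One way to check the dedicated-role pattern described above is to audit each role's trust policy and flag any role that more than one principal, or a non-service principal, can assume. This is an added example, not code from the solution or its repository; the role names and trust policies are constructed, and it assumes each trust policy has already been parsed into a dict.

```python
# Added example: role names and trust policies are constructed, not the solution's own.
SAMPLE_ROLES = [
    {"RoleName": "example-lambda-role", "AssumeRolePolicyDocument": {"Statement": [
        {"Effect": "Allow", "Principal": {"Service": "lambda.amazonaws.com"}, "Action": "sts:AssumeRole"}]}},
    {"RoleName": "example-glue-role", "AssumeRolePolicyDocument": {"Statement": [
        {"Effect": "Allow", "Principal": {"Service": "glue.amazonaws.com"}, "Action": "sts:AssumeRole"}]}},
    {"RoleName": "example-shared-role", "AssumeRolePolicyDocument": {"Statement": [
        {"Effect": "Allow", "Principal": {"Service": ["lambda.amazonaws.com", "states.amazonaws.com"]},
         "Action": "sts:AssumeRole"}]}},
    {"RoleName": "example-open-role", "AssumeRolePolicyDocument": {"Statement":
        {"Effect": "Allow", "Principal": {"AWS": "*"}, "Action": "sts:AssumeRole"}}},
]


def trusted_principals(trust_policy):
    """Collect every principal an Allow statement lets assume the role."""
    statements = trust_policy.get("Statement", [])
    if isinstance(statements, dict):  # IAM permits a single statement object
        statements = [statements]
    found = set()
    for stmt in statements:
        if stmt.get("Effect") != "Allow":
            continue
        principal = stmt.get("Principal", {})
        if principal == "*":  # bare wildcard: any principal
            found.add("*")
            continue
        for kind, value in principal.items():
            for item in [value] if isinstance(value, str) else value:
                found.add(item if kind == "Service" else f"{kind}:{item}")
    return found


def audit_roles(roles):
    """Return (role, reason, principals) for roles that are not dedicated to one service."""
    findings = []
    for role in roles:
        principals = sorted(trusted_principals(role["AssumeRolePolicyDocument"]))
        if len(principals) != 1:
            findings.append((role["RoleName"], "not-dedicated", principals))
        elif not principals[0].endswith(".amazonaws.com"):
            findings.append((role["RoleName"], "non-service-principal", principals))
    return findings


if __name__ == "__main__":
    for name, reason, principals in audit_roles(SAMPLE_ROLES):
        print(f"{name}: {reason} {principals}")
```

A role with no findings is assumable by exactly one AWS service principal, which keeps a compromise of one component from reusing another component's permissions.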