Security
When you build systems on AWS infrastructure, security
responsibilities are shared between you and AWS. This shared model
reduces your operational burden because AWS operates, manages, and
controls the components including the host operating system, the
virtualization layer, and the physical security of the facilities in
which the services operate. For more information about AWS security,
visit AWS Cloud Security.
This solution does not expose any APIs or a user interface for interaction. The permissions and roles created by the solution are only used to copy data from an existing source Amazon S3 Glacier vault to a destination Amazon S3 bucket within the same account.
Amazon Simple Storage Service (Amazon S3)
This solution uses Amazon S3 server-side encryption (SSE-S3) to encrypt the data stored in the staging S3 bucket.
Amazon DynamoDB
This solution uses the default Amazon DynamoDB encryption at rest option for DynamoDB tables.
AWS Identity and Access Management (IAM) roles
AWS IAM roles enable customers to assign granular access policies and permissions to services and users on the AWS Cloud. This solution creates IAM roles that grant the solution’s AWS Lambda functions access to create Regional resources.
To reduce the impact of a compromised asset, each
operation (for example, AWS Lambda, AWS Glue, and AWS Step Functions) is provisioned with a dedicated role, following the
principles of separation. For a full list of IAM roles and
policies, refer to the solution’s GitHub repository.
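One way to verify the dedicated-role property on a deployed stack, as an added example that is not part of the solution's own code: the check flags any role whose trust policy allows more than one service principal, or that is attached to more than one resource. The role names, resource names, and the `role_by_resource` mapping are constructed for illustration; the role dictionaries follow the shape IAM returns for a role and its trust policy.

```python
from collections import defaultdict

def trusted_principals(trust_policy):
    """Return the set of (kind, value) principals allowed to assume the role."""
    found = set()
    statements = trust_policy.get("Statement", [])
    if isinstance(statements, dict):          # a single statement may be a bare object
        statements = [statements]
    for stmt in statements:
        if stmt.get("Effect") != "Allow":
            continue
        principal = stmt.get("Principal", {})
        if principal == "*":                  # wildcard: anyone may assume the role
            principal = {"Any": "*"}
        for kind, values in principal.items():
            values = [values] if isinstance(values, str) else values
            found.update((kind, v) for v in values)
    return found

def audit_role_separation(roles, role_by_resource):
    """Flag roles not dedicated to one service principal and one resource."""
    findings = []
    for role in roles:
        principals = trusted_principals(role["AssumeRolePolicyDocument"])
        services = {v for kind, v in principals if kind == "Service"}
        if len(services) != 1 or len(principals) != 1:
            findings.append((role["RoleName"], "trust policy is not limited to one service principal"))
    users = defaultdict(list)
    for resource, role_name in role_by_resource.items():
        users[role_name].append(resource)
    for role_name, resources in sorted(users.items()):
        if len(resources) > 1:
            findings.append((role_name, "shared by " + ", ".join(sorted(resources))))
    return findings

def _trust(*services):
    """Build a trust policy that lets the given service principals assume a role."""
    return {"Version": "2012-10-17", "Statement": [{"Effect": "Allow",
            "Principal": {"Service": list(services)}, "Action": "sts:AssumeRole"}]}

# Constructed sample data: hypothetical role and resource names, not the solution's.
SAMPLE_ROLES = [
    {"RoleName": "example-lambda-role", "AssumeRolePolicyDocument": _trust("lambda.amazonaws.com")},
    {"RoleName": "example-glue-role", "AssumeRolePolicyDocument": _trust("glue.amazonaws.com")},
    {"RoleName": "example-shared-role",
     "AssumeRolePolicyDocument": _trust("lambda.amazonaws.com", "states.amazonaws.com")},
]
SAMPLE_BINDINGS = {"fn-a": "example-lambda-role", "glue-job": "example-glue-role",
                   "fn-b": "example-shared-role", "state-machine": "example-shared-role"}
```

An empty result from `audit_role_separation` means every role is trusted by exactly one service and attached to exactly one resource.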