Security - Application Pattern Orchestrator on AWS


When you build systems on AWS infrastructure, security responsibilities are shared between you and AWS. This shared responsibility model reduces your operational burden because AWS operates, manages, and controls the components including the host operating system, the virtualization layer, and the physical security of the facilities in which the services operate. For more information about AWS security, refer to the AWS Cloud Security page.

IAM roles

AWS Identity and Access Management (IAM) roles allow customers to assign granular access policies and permissions to services and users in the AWS Cloud. This solution creates IAM roles that grant the solution’s automated functions access to perform remediation actions within a narrow scope set of permissions specific to each remediation.

Amazon S3 bucket configuration and policy

By default, all Amazon S3 buckets for the solution have the following configuration:

  • Blocked all public access

  • Versioning enabled

  • Access log enabled

  • Encryption at rest by an AWS KMS customer managed key

Additionally, the Amazon S3 buckets are also configured with a default buckets policy that deny all non-HTTPS requests to ensure data in transit encryption.

AWS Key Management Service (AWS KMS) keys

The Application Pattern Orchestrator on AWS solution allows you to provide your own AWS KMS keys to encrypt stored data. We recommend referring to the security best practices for AWS Key Management Service to enhance the protection of your encryption keys.

Amazon CloudFront

This solution deploys a web application hosted in an Amazon S3 bucket. To help reduce latency and improve security, this solution includes an Amazon CloudFront distribution with an Origin Access Identity (OAI), which is a CloudFront user that provides public access to the solution’s website bucket contents. For more information, refer to Restricting access to an Amazon S3 origin section in the Amazon CloudFront Developer Guide.

Network configuration

The Application Pattern Orchestrator on AWS solution is deployed in Amazon VPC, with the Lambda functions in a private subnet. All traffic in and out of the isolated subnet is controlled by security groups.

User authorization

By default, the solution creates two user groups in the Amazon Cognito user pool for user authorization:

  • SYSTEM_ADMIN: This user group has permissions to access all pages in the web UI. By default, any user created by the solution is automatically added to this group when the solution is deployed.

  • PATTERN_PUBLISHER: This group has permissions to create, update, and view patterns. The group also allows you to view pattern attributes.


To update or delete pattern attributes, you must be in the SYSTEM_ADMIN group.

Federating solution user groups through an Identity provider (IdP)

You can federate the solution user groups using a third-party identity provider via OpenID Connect (OIDC). To configure this:

  1. Deploy the solution using AWS CDK by following the instructions in the solution README.

  2. In your IdP settings, add a claim type group and map the roles that will relate to the SYSTEM_ADMIN and PATTERN_PUBLISHER roles in Amazon Cognito user pool. In absence of this mapping, a federated user would only have read-only access to the solution web UI.

Data protection

All data committed to Application Pattern Orchestrator on AWS is encrypted at rest; this includes data stored in:

  • Amazon S3

  • Amazon DynamoDB

  • AWS CodeArtifact

  • Service Catalog

  • Amazon SQS

Communication between the solution’s different components is over HTTPS to ensure data encryption in transit.