Security - AWS Perspective

Security

When you build systems on AWS infrastructure, security responsibilities are shared between you and AWS. This shared model reduces your operational burden because AWS operates, manages, and controls the components including the host operating system, the virtualization layer, and the physical security of the facilities in which the services operate. For more information about AWS security, visit the AWS Security Center.

AWS Perspective is architected and configured to be secure. The following security best practices apply to AWS Perspective and its component parts:

  • Access is configured to grant least privilege and scoped down to only required resources where possible.

  • Data at rest and in transit is encrypted using keys stored in AWS Key Management Service (AWS KMS), a dedicated key management store.

  • When credentials are used, they are short-lived and implement a strong password policy.

  • Logging, tracing, and versioning are turned on where applicable.

  • Automatic patching (minor-version) and snapshot creation are turned on where applicable.

  • Network access is private by default with Amazon Virtual Private Cloud (Amazon VPC) endpoints being turned on where available.

Resource access

IAM roles

AWS Identity and Access Management (IAM) roles allow customers to assign granular access policies and permissions to services and users on the AWS Cloud. Multiple roles are required to run AWS Perspective and discover resources in AWS accounts. Refer to IAM roles for details.

Amazon Cognito

Amazon Cognito authenticates users and issues short-lived, strong credentials that grant access to the components AWS Perspective needs.

Network access

Amazon Virtual Private Cloud (Amazon VPC)

AWS Perspective is deployed within an Amazon VPC and configured according to best practices to deliver security and high availability. For additional details, refer to Security best practices for your VPC. VPC endpoints keep traffic between services off the public internet and are configured where available.

Security groups are used to control and isolate network traffic between the components needed to run AWS Perspective.

We recommend that you review the security groups and further restrict access as needed once the deployment is up and running.

Amazon CloudFront

This solution deploys a web console hosted in an Amazon Simple Storage Service (Amazon S3) bucket and distributed by Amazon CloudFront. The contents of this Amazon S3 bucket are accessible only through CloudFront, which is enforced using the Origin Access Identity feature. For more information, refer to Restricting Access to Amazon S3 Content by Using an Origin Access Identity in the Amazon CloudFront Developer Guide.

Additional security mitigations are applied by CloudFront Functions, which append HTTP security headers to each origin request. For additional details, refer to Add HTTP Security Headers. This solution uses the default CloudFront certificate, which supports TLS v1.0 only. To use TLS v1.1 or TLS v1.2, you must use a custom SSL certificate instead of the default CloudFront certificate. For more information, refer to How do I configure my CloudFront distribution to use an SSL/TLS certificate.
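The header-appending step described above, as an added example written for this page rather than AWS Perspective's own CloudFront Function: a viewer-response handler that sets a fixed group of security headers and drops the origin's Server header before the response reaches the browser. The header values, and the choice to leave an origin-supplied Content-Security-Policy untouched, are assumptions to tune per deployment; the sample event is constructed and only contains the fields the handler reads.

```javascript
// Added example, not AWS Perspective code: a CloudFront Functions viewer-response
// handler that appends HTTP security headers. The CloudFront Functions runtime is
// ES5-flavoured, hence var declarations and no arrow functions.

// Header values are assumptions; adjust the CSP to what the web console actually loads.
var SECURITY_HEADERS = {
    'strict-transport-security': 'max-age=63072000; includeSubDomains; preload',
    'content-security-policy': "default-src 'self'; frame-ancestors 'none'; object-src 'none'",
    'x-content-type-options': 'nosniff',
    'x-frame-options': 'DENY',
    'referrer-policy': 'strict-origin-when-cross-origin',
    'permissions-policy': 'camera=(), microphone=(), geolocation=()'
};

function handler(event) {
    var response = event.response;
    var headers = response.headers;
    // CloudFront Functions expose header names in lowercase and wrap each value
    // in { value: ... }. An origin-supplied CSP is kept so an application-specific
    // policy is not overwritten; every other header is set unconditionally.
    for (var name in SECURITY_HEADERS) {
        if (name === 'content-security-policy' && headers[name]) {
            continue;
        }
        headers[name] = { value: SECURITY_HEADERS[name] };
    }
    // The Server header only discloses the origin implementation.
    delete headers['server'];
    return response;
}

// Constructed viewer-response event shaped like the CloudFront Functions event
// object (only the fields the handler touches), for running this file locally.
var sampleEvent = {
    version: '1.0',
    context: { eventType: 'viewer-response' },
    viewer: { ip: '203.0.113.10' },
    request: { method: 'GET', uri: '/index.html', headers: {} },
    response: {
        statusCode: 200,
        statusDescription: 'OK',
        headers: {
            'content-type': { value: 'text/html' },
            'server': { value: 'AmazonS3' }
        }
    }
};

if (typeof require !== 'undefined' && require.main === module) {
    console.log(JSON.stringify(handler(sampleEvent).headers, null, 2));
}
```

Deploy it as a viewer-response association on the distribution; the headers are then present on every response, including error pages served from the S3 origin.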

Application configuration

Amazon API Gateway

AWS Perspective APIs have basic request validation activated with deeper input validation implemented within integrations, including AWS Lambda. Furthermore, authentication and authorization are implemented using IAM and Cognito, which use the JSON Web Token (JWT) provided by Cognito when a user authenticates successfully in the web UI.

AWS AppSync

AWS Perspective GraphQL APIs have request validation provided by AWS AppSync as per the GraphQL specification. Furthermore, authentication and authorization are implemented using IAM and Cognito, which use the JSON Web Token (JWT) provided by Cognito when a user authenticates successfully in the web UI.

AWS Lambda

By default, the Lambda functions are configured with the most recent stable version of the language runtime. No sensitive data or secrets are logged. Service interactions are carried out with the least required privilege. Roles that define these privileges are not shared between functions. Furthermore, sensitive environment variables are stored as secure parameters in a dedicated vault.

Amazon OpenSearch Service

Amazon OpenSearch Service domains are configured with an access policy that rejects any unsigned request made to the OpenSearch Service cluster. Access is restricted to a single Lambda function.
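Both the S3 bucket behind CloudFront (above) and the OpenSearch Service domain grant access to exactly one principal. As an added illustration, not taken from the AWS Perspective templates, the following builds resource policies of that shape and runs a small check that fails when any Allow statement names a wildcard principal without a condition; account ID, region, bucket and domain names, the OAI ID and the role ARN are constructed placeholders.

```javascript
// Added example, not from the AWS Perspective templates: single-principal
// resource policies plus a lint that flags unconditional wildcard grants.

// Constructed placeholders standing in for real deployment values.
const ACCOUNT = '111122223333';
const REGION = 'us-east-1';
const BUCKET = 'example-perspective-webui-bucket';
const OAI_ID = 'E1EXAMPLEOAIID';
const DOMAIN = 'example-perspective-domain';
const LAMBDA_ROLE = `arn:aws:iam::${ACCOUNT}:role/example-search-lambda-role`;
const OAI_PRINCIPAL = `arn:aws:iam::cloudfront:user/CloudFront Origin Access Identity ${OAI_ID}`;

// S3 bucket policy: only the CloudFront Origin Access Identity may read objects,
// so the console is reachable through the distribution and not directly.
const bucketPolicy = {
    Version: '2012-10-17',
    Statement: [{
        Sid: 'AllowCloudFrontOAIRead',
        Effect: 'Allow',
        Principal: { AWS: OAI_PRINCIPAL },
        Action: 's3:GetObject',
        Resource: `arn:aws:s3:::${BUCKET}/*`,
    }],
};

// OpenSearch domain access policy: one Lambda execution role may issue signed
// HTTP requests; unsigned requests and other principals are denied by default.
const domainPolicy = {
    Version: '2012-10-17',
    Statement: [{
        Sid: 'AllowSearchLambdaOnly',
        Effect: 'Allow',
        Principal: { AWS: LAMBDA_ROLE },
        Action: ['es:ESHttpGet', 'es:ESHttpPost', 'es:ESHttpPut', 'es:ESHttpDelete'],
        Resource: `arn:aws:es:${REGION}:${ACCOUNT}:domain/${DOMAIN}/*`,
    }],
};

// Normalise the Principal element (string, array, or a map such as
// {"AWS": [...], "Service": "..."}) into a flat list of principal identifiers.
function principalsOf(statement) {
    const p = statement.Principal;
    if (p === undefined) return [];
    if (typeof p === 'string') return [p];
    if (Array.isArray(p)) return p;
    return Object.values(p).flatMap((v) => (Array.isArray(v) ? v : [v]));
}

// Returns every principal granted by an Allow statement, or throws when a
// statement allows "*" (or {"AWS": "*"}) with no Condition to narrow it.
function allowedPrincipals(policy) {
    const out = [];
    for (const st of policy.Statement) {
        if (st.Effect !== 'Allow') continue;
        for (const p of principalsOf(st)) {
            if (p === '*' && !st.Condition) {
                throw new Error(`statement ${st.Sid || '(no Sid)'} allows any principal`);
            }
            out.push(p);
        }
    }
    return out;
}

// Reporting wrapper for a CI step: the finding instead of an exception.
function lintPolicy(name, policy) {
    try {
        return { name, ok: true, principals: allowedPrincipals(policy) };
    } catch (e) {
        return { name, ok: false, finding: e.message };
    }
}

// A deliberately open policy of the kind the lint is meant to catch.
const openPolicy = {
    Version: '2012-10-17',
    Statement: [{ Sid: 'Open', Effect: 'Allow', Principal: '*', Action: 'es:*', Resource: '*' }],
};

if (typeof require !== 'undefined' && require.main === module) {
    for (const r of [lintPolicy('bucket', bucketPolicy), lintPolicy('domain', domainPolicy), lintPolicy('open', openPolicy)]) {
        console.log(r);
    }
}
```

Running the lint over rendered templates before deployment turns the "restricted to a single principal" statement on this page into a check that fails the build when it stops being true.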

The OpenSearch Service cluster is built with node-to-node encryption activated to add an extra layer of data protection on top of the existing OpenSearch Service security features.