Security - AWS Trusted Advisor Explorer


When you build systems on AWS infrastructure, security responsibilities are shared between you and AWS. This shared model reduces your operational burden as AWS operates, manages, and controls the components from the host operating system and virtualization layer down to the physical security of the facilities in which the services operate. For more information about security on AWS, visit the AWS Security Center.

Amazon S3

The Amazon Simple Storage Service (Amazon S3) buckets created in the solution is private and has server-side encryption enabled. We recommend that you review the Amazon S3 buckets and further restrict access as needed after the deployment is up and running.

Lambda Logs

By default, Account ID, Account Name, and Account Email are masked while storing AWS Lambda logs in CloudWatch. To unmask this information, set the MaskAccountInformation template parameter to FALSE.

IAM Roles

AWS Identity and Access Management (IAM) roles enable customers to assign granular access policies and permissions to services and users on the AWS Cloud. The solution creates IAM roles and sets permissions in the respective accounts to allow the solution to assume a defined role in the member account and extract data when necessary.

Additional Security Enhancements (Optional)

Glue Catalog

You can encrypt the metadata stored in the Glue Data Catalog using keys that you manage with AWS Key Management Service (AWS KMS). For more information, see Encrypting Your Data Catalog in the AWS Glue Developer Guide.


You can enable server-side encryption (SSE) for the topic created by the solution to protect its data. To learn more, refer to the Enabling server-side encryption (SSE) for an Amazon SNS topic with an encrypted Amazon SQS queue subscribed topic in the Amazon Simple Notification Service Developer Guide.

Amazon SNS uses AWS Key Management Service (AWS KMS) to provide encryption at rest. Messages published to the Amazon SNS encrypted topic must have access permissions to execute the AWS KMS operation GenerateDataKey and Decrypt. For more information, see Encrypting Messages Published to Amazon SNS with AWS KMS blog post.

CloudWatch Logs Logs

You can enable encryption for the log groups created when running the solution. To learn more, refer to the CloudWatch Logs documentation.