Security - Data Transfer from Amazon S3 Glacier Vaults to Amazon S3


When you build systems on AWS infrastructure, security responsibilities are shared between you and AWS. This shared responsibility model reduces your operational burden because AWS operates, manages, and controls the components including the host operating system, the virtualization layer, and the physical security of the facilities in which the services operate. For more information about AWS security, visit AWS Cloud Security.

Amazon DynamoDB

All user data stored in DynamoDB is encrypted at rest using encryption keys stored in AWS Key Management Service (AWS KMS). We recommend enforcing AWS managed keys because you have permission to audit their use in AWS CloudTrail logs. Refer to Managing encrypted tables in DynamoDB for more information.

Consider enabling DynamoDB Data Plane Events for CloudTrail logging to gain insights into the data operations in DynamoDB tables, according to your use cases and your regulatory and compliance requirements. Refer to Logging DynamoDB operations by using AWS CloudTrail for more information. Additionally, consider implementing AWS Config to actively monitor DynamoDB configuration changes

CloudWatch Logs

We recommend changing the retention period of your CloudWatch Logs according to your use cases and your regulatory and compliance requirements.

IAM roles

IAM roles allow you to assign granular access policies and permissions to services and users on the AWS Cloud. This solution creates IAM roles that grant the solution's resources permission to access the S3 Glacier vault, write logs, and create EventBridge targets.