Gaming Analytics Pipeline

Security

When you build systems on AWS infrastructure, security responsibilities are shared between you and AWS. This shared model can reduce your operational burden as AWS operates, manages, and controls the components from the host operating system and virtualization layer down to the physical security of the facilities in which the services operate. For more information about security on AWS, visit the AWS Security Center.

Security Groups

This solution creates security groups that control and isolate network traffic between the applications running on AWS Elastic Beanstalk and Amazon Redshift. However, the Amazon Kinesis stream is reachable from the internet. We recommend that you review the security groups and further restrict access as needed once the deployment is up and running.
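The review step described above can be scripted: the checker below walks a security group's ingress rules and reports any rule that admits traffic from the whole IPv4 or IPv6 internet, then shows the same group with only the Elastic Beanstalk security group allowed to reach the Redshift port. This is an added example, not code from the solution; the group IDs, port and rule structures are constructed sample values shaped like an EC2 DescribeSecurityGroups response.

```python
"""Flag over-broad ingress rules in a security group (added example).

The dictionaries mimic the IpPermissions shape of an EC2
DescribeSecurityGroups response. Group IDs are placeholders; nothing here
is taken from a real deployment.
"""

# CIDRs that mean "anyone on the internet".
OPEN_CIDRS = {"0.0.0.0/0", "::/0"}

# Rule scoped to the application security group: only instances in the
# Elastic Beanstalk group may reach the Redshift port (5439 is Redshift's
# default port).
APP_SG_RULE = {
    "IpProtocol": "tcp", "FromPort": 5439, "ToPort": 5439,
    "IpRanges": [], "Ipv6Ranges": [],
    "UserIdGroupPairs": [{"GroupId": "sg-0000beanstalk"}],  # placeholder ID
}

# Constructed "before" state: the cluster port is also open to the world.
REDSHIFT_SG_BEFORE = {
    "GroupId": "sg-0000redshift",  # placeholder ID
    "IpPermissions": [
        {
            "IpProtocol": "tcp", "FromPort": 5439, "ToPort": 5439,
            "IpRanges": [{"CidrIp": "0.0.0.0/0"}],
            "Ipv6Ranges": [{"CidrIpv6": "::/0"}],
            "UserIdGroupPairs": [],
        },
        APP_SG_RULE,
    ],
}

# Constructed "after" state: the open rule has been removed.
REDSHIFT_SG_AFTER = {
    "GroupId": "sg-0000redshift",
    "IpPermissions": [APP_SG_RULE],
}


def open_ingress_rules(sg):
    """Return (protocol, from_port, to_port, cidr) for every ingress rule
    whose source is an open IPv4 or IPv6 CIDR."""
    findings = []
    for perm in sg.get("IpPermissions", []):
        cidrs = [r["CidrIp"] for r in perm.get("IpRanges", [])]
        cidrs += [r["CidrIpv6"] for r in perm.get("Ipv6Ranges", [])]
        for cidr in cidrs:
            if cidr in OPEN_CIDRS:
                findings.append(
                    (perm["IpProtocol"], perm.get("FromPort"),
                     perm.get("ToPort"), cidr)
                )
    return findings


def ingress_sources(sg):
    """Summarise each rule's sources (CIDRs and referenced security groups),
    which is what a reviewer actually reads when tightening a group."""
    summary = []
    for perm in sg.get("IpPermissions", []):
        sources = [r["CidrIp"] for r in perm.get("IpRanges", [])]
        sources += [r["CidrIpv6"] for r in perm.get("Ipv6Ranges", [])]
        sources += [p["GroupId"] for p in perm.get("UserIdGroupPairs", [])]
        summary.append((perm.get("FromPort"), perm.get("ToPort"), sorted(sources)))
    return summary


if __name__ == "__main__":
    for label, sg in (("before", REDSHIFT_SG_BEFORE), ("after", REDSHIFT_SG_AFTER)):
        print(label, "open rules:", open_ingress_rules(sg))
        print(label, "sources:", ingress_sources(sg))
```

Against a live account, the same functions would be run over the `SecurityGroups` list returned by `describe_security_groups`; the point of the check is that a rule referencing another security group (the Beanstalk group) passes while any `0.0.0.0/0` or `::/0` source is surfaced for removal.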

IAM Roles

AWS Identity and Access Management (IAM) roles enable customers to assign granular access policies and permissions to services and users on the AWS Cloud. The Gaming Analytics Pipeline creates three IAM roles, described below:

  • A role for the S3Connector application. This role grants the application least-privilege permissions to read events from the telemetry Amazon Kinesis stream, write event batches to Amazon Simple Storage Service (Amazon S3), write S3 file pointers for event batches to the file Kinesis stream, write metrics and logs to Amazon CloudWatch, and write KCL lease information to Amazon DynamoDB.

  • A role for the RedshiftConnector application. This role grants the application least-privilege permissions to read configuration and events from Amazon S3, read the S3 file pointers from the file Amazon Kinesis stream, pull temporary credentials from Amazon Redshift, write metrics and logs to CloudWatch, and write KCL lease information to DynamoDB.

  • A role for the CronConnector application. This role grants the application least-privilege permissions to perform Amazon Redshift maintenance, send anonymous data, and write metrics and logs to CloudWatch.

  • A role that allows writing to the telemetry stream using the Amazon Kinesis PutRecord and/or PutRecords operations.
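To make the least-privilege claim concrete, the block below writes out policy documents for the S3Connector role and for the telemetry producer role, scoping each action to a single stream, bucket, table or log group, and adds a small checker that flags any Allow statement using a wildcard action or resource. This is an added example, not the solution's own policy text; every ARN is a placeholder, and the exact action set the KCL needs for shard reads and lease bookkeeping is an assumption.

```python
"""Least-privilege IAM policies for the pipeline roles (added example).

All ARNs are placeholders to be replaced with the deployment's resources.
The KCL action lists are assumed, not copied from the solution.
"""
import json

REGION, ACCOUNT = "us-east-1", "123456789012"  # placeholders
TELEMETRY_STREAM_ARN = f"arn:aws:kinesis:{REGION}:{ACCOUNT}:stream/telemetry-PLACEHOLDER"
FILE_STREAM_ARN = f"arn:aws:kinesis:{REGION}:{ACCOUNT}:stream/file-PLACEHOLDER"
EVENTS_BUCKET_ARN = "arn:aws:s3:::events-bucket-PLACEHOLDER"
LEASE_TABLE_ARN = f"arn:aws:dynamodb:{REGION}:{ACCOUNT}:table/S3Connector-leases-PLACEHOLDER"
LOG_GROUP_ARN = f"arn:aws:logs:{REGION}:{ACCOUNT}:log-group:S3Connector-PLACEHOLDER:*"

# cloudwatch:PutMetricData has no resource-level permissions, so Resource
# must be "*" for it; the checker treats that as acceptable.
ACTIONS_REQUIRING_STAR = {"cloudwatch:PutMetricData"}

# Assumed KCL consumer actions: read shards from the stream and keep
# lease/checkpoint state in a DynamoDB table.
KINESIS_CONSUMER_ACTIONS = [
    "kinesis:DescribeStream", "kinesis:ListShards",
    "kinesis:GetShardIterator", "kinesis:GetRecords",
]
DYNAMODB_LEASE_ACTIONS = [
    "dynamodb:CreateTable", "dynamodb:DescribeTable", "dynamodb:Scan",
    "dynamodb:GetItem", "dynamodb:PutItem", "dynamodb:UpdateItem",
    "dynamodb:DeleteItem",
]


def s3connector_policy():
    """Policy mirroring the S3Connector permissions listed on the page."""
    return {"Version": "2012-10-17", "Statement": [
        {"Sid": "ReadTelemetryStream", "Effect": "Allow",
         "Action": KINESIS_CONSUMER_ACTIONS, "Resource": TELEMETRY_STREAM_ARN},
        {"Sid": "WriteEventBatches", "Effect": "Allow",
         "Action": ["s3:PutObject"], "Resource": f"{EVENTS_BUCKET_ARN}/*"},
        {"Sid": "WriteFilePointers", "Effect": "Allow",
         "Action": ["kinesis:PutRecord", "kinesis:PutRecords"], "Resource": FILE_STREAM_ARN},
        {"Sid": "PutMetrics", "Effect": "Allow",
         "Action": ["cloudwatch:PutMetricData"], "Resource": "*"},
        {"Sid": "WriteLogs", "Effect": "Allow",
         "Action": ["logs:CreateLogStream", "logs:PutLogEvents"], "Resource": LOG_GROUP_ARN},
        {"Sid": "KclLeases", "Effect": "Allow",
         "Action": DYNAMODB_LEASE_ACTIONS, "Resource": LEASE_TABLE_ARN},
    ]}


def producer_policy():
    """Policy for the role that only writes to the telemetry stream."""
    return {"Version": "2012-10-17", "Statement": [
        {"Sid": "PutTelemetry", "Effect": "Allow",
         "Action": ["kinesis:PutRecord", "kinesis:PutRecords"],
         "Resource": TELEMETRY_STREAM_ARN},
    ]}


# Constructed counter-example of what the checker is meant to catch.
BROAD_POLICY = {"Version": "2012-10-17", "Statement": [
    {"Sid": "Broad", "Effect": "Allow", "Action": "s3:*", "Resource": "*"},
    {"Sid": "Fine", "Effect": "Allow", "Action": ["s3:GetObject"],
     "Resource": f"{EVENTS_BUCKET_ARN}/*"},
]}


def _as_list(value):
    return value if isinstance(value, list) else [value]


def overly_broad_statements(policy):
    """Return the Sids of Allow statements that use a wildcard action
    ("*" or "service:*") or Resource "*" (unless every action in the
    statement is one that requires "*")."""
    findings = []
    for st in policy["Statement"]:
        if st.get("Effect") != "Allow":
            continue
        actions = _as_list(st["Action"])
        resources = _as_list(st["Resource"])
        star_action = any(a == "*" or a.endswith(":*") for a in actions)
        star_resource = "*" in resources and not set(actions) <= ACTIONS_REQUIRING_STAR
        if star_action or star_resource:
            findings.append(st.get("Sid", "<no Sid>"))
    return findings


if __name__ == "__main__":
    print(json.dumps(s3connector_policy(), indent=2))
    print("broad statements:", overly_broad_statements(BROAD_POLICY))
```

The `PutMetrics` statement is the one legitimate `Resource: "*"` in the connector policy, which is why the checker carries an explicit allow-list rather than treating every `*` as a finding; any other wildcard is something the reviewer should justify or narrow.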
