Security Best Practices - Spatial Data Management on AWS

Security Best Practices

The solution provides a number of security features to consider as you develop and implement your own security policies. The following best practices are general guidelines and don’t represent a complete security solution. Because these best practices might not be appropriate or sufficient for your environment, treat them as helpful considerations rather than prescriptions.

Detective Controls

Built-in Monitoring Dashboard

The solution deploys a CloudWatch dashboard (SpatialDataManagementDashboard) that provides visibility into operational and security metrics. Regularly review the following security-relevant metrics:

Authentication Metrics:

  • Cognito Authentication Failures - Spikes may indicate brute force attacks or credential issues

  • Cognito Authentication Success - Establish baseline for normal authentication patterns

API Error Rates:

  • Response By Status Code (4xx/5xx errors) - High 4xx rates may indicate unauthorized access attempts

  • Operation-specific 5xx Errors (Create, Read, Update, Delete) - May indicate service issues or attacks

  • Operation Success Rate (%) - Should remain consistently high (>99%)

Access Patterns:

  • Total Requests - Unusual spikes may indicate automated attacks or data exfiltration

  • Client Files Downloaded/Uploaded - Monitor for abnormal data transfer patterns

  • Client Bytes Downloaded/Uploaded - Large unexpected transfers may indicate data exfiltration

Performance Anomalies:

  • Operation Latency (ms) for each operation type - Sudden increases may indicate resource exhaustion attacks

  • Search Operation Latency - Unusually complex queries may indicate reconnaissance

Recommended Actions

  1. Review the dashboard daily during initial deployment, then weekly for established deployments

  2. Establish baseline metrics for normal operation to identify anomalies

  3. Configure CloudWatch alarms for critical security metrics (see recommendations below)

  4. Export dashboard data to S3 for long-term trend analysis and compliance reporting

Monitoring and Logging

  1. Configure CloudWatch Logs retention to meet compliance requirements (default: 90 days)

  2. Set up CloudWatch alarms for security-relevant metrics:

     • Failed authentication attempts

     • Unauthorized API calls (403 errors)

     • KMS key usage anomalies

     • S3 bucket policy changes

     • IAM policy changes
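The two steps above (establish a baseline from the dashboard, then alarm on the authentication-failure and 403 metrics) can be sanity-checked offline before any alarm is created. The following is an added example, not code from the solution: the namespace, metric names and dimension are assumptions to be replaced with the real ones behind the SpatialDataManagementDashboard widgets, and the alarm specs are shaped as keyword arguments for boto3's `put_metric_alarm`.

```python
from statistics import mean, pstdev

# Alarm definitions as kwargs for cloudwatch.put_metric_alarm().
# Namespace, MetricName and Dimensions are hypothetical placeholders.
ALARM_SPECS = {
    "cognito-auth-failures": dict(
        Namespace="SpatialDataManagement",            # assumed
        MetricName="CognitoAuthenticationFailures",   # assumed
        Statistic="Sum", Period=300,
        EvaluationPeriods=3, DatapointsToAlarm=2, Threshold=20.0,
        ComparisonOperator="GreaterThanThreshold",
        TreatMissingData="notBreaching",
    ),
    "api-403-errors": dict(
        Namespace="SpatialDataManagement",            # assumed
        MetricName="ResponseByStatusCode",            # assumed
        Dimensions=[{"Name": "StatusCode", "Value": "403"}],
        Statistic="Sum", Period=300,
        EvaluationPeriods=3, DatapointsToAlarm=3, Threshold=50.0,
        ComparisonOperator="GreaterThanThreshold",
        TreatMissingData="notBreaching",
    ),
}

def anomaly_threshold(baseline, k=3.0):
    """Threshold from a window of normal datapoints: mean + k * stddev.
    This is the 'establish a baseline' step applied to one metric."""
    return mean(baseline) + k * pstdev(baseline)

def breaching(values, spec):
    """CloudWatch's M-out-of-N rule for GreaterThanThreshold alarms:
    ALARM when at least DatapointsToAlarm of the last EvaluationPeriods
    datapoints exceed Threshold. Other comparison operators are not modelled."""
    window = values[-spec["EvaluationPeriods"]:]
    hits = sum(1 for v in window if v > spec["Threshold"])
    return hits >= spec["DatapointsToAlarm"]

def evaluate(series):
    """Names of alarms that would be in ALARM state for the given series."""
    return sorted(name for name, spec in ALARM_SPECS.items()
                  if name in series and breaching(series[name], spec))

# Constructed 5-minute datapoints, three quiet periods then a burst.
SAMPLE = {
    "cognito-auth-failures": [2, 3, 1, 45, 60, 52],   # sustained: fires
    "api-403-errors":        [4, 5, 3, 60, 6, 7],     # one spike: does not
}

if __name__ == "__main__":
    print(evaluate(SAMPLE))   # ['cognito-auth-failures']
```

Once the thresholds look right against real dashboard history, the same dicts can be passed unchanged to `boto3.client("cloudwatch").put_metric_alarm(AlarmName=..., **spec)`.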

Content Derivation

AWS Deadline Cloud

When using AWS Deadline Cloud for content derivation jobs, the solution uses service-managed fleets. For security details on Deadline Cloud, see AWS Deadline Cloud Documentation.