Security
When you build systems on AWS infrastructure, security responsibilities are shared between you and AWS. This shared model
Elasticache (Redis OSS) is assigned a network interface inside the private VPC. The Lambda functions that interact with Elasticache (Redis OSS) are also assigned network interfaces within a VPC. All other resources have network connectivity in the shared AWS network space. Lambda functions with VPC interfaces that interact with other AWS services use VPC endpoints to connect to these services.
The public and private keys used for creating and validating JSON web tokens are generated at deployment time and stored in Secrets Manager. The password used to connect to Elasticache (Redis OSS) is also generated at deployment time and stored in Secrets Manager. The private key and Elasticache (Redis OSS) password are not accessible via any solution API.
The public API must be accessed through CloudFront. The solution generates an API key for API Gateway, which is used as the value of a custom header, x-api-key, in CloudFront. CloudFront includes this header when making origin requests. For additional details, refer to Adding custom headers to origin requests in the Amazon CloudFront Developer Guide.
The private APIs are configured to require AWS IAM authorization for invocation. The solution creates the ProtectedAPIGroup IAM user group with the appropriate permissions to invoke the private APIs. An IAM user added to this group is authorized to invoke the private APIs.
IAM policies used in roles and permissions that are attached to various resources created by the solution grant only the permissions required to perform the necessary tasks.
For resources such as S3 buckets, SQS queues, and SNS topics generated by the solution, encryption at rest and during transit is activated wherever possible.
Monitoring
The core API stack includes several CloudWatch alarms that can be monitored to detect problems while the solution is operating. The stack creates an alarm for Lambda function errors and throttle conditions, and changes the state of the alarm from OK to ALARM if an error or throttle condition occurs in a one-minute period.
The stack also creates alarms for each API Gateway deployment for 4XX and 5XX status codes. The alarm changes state from OK to ALARM if a 4XX or 5XX status code is returned from the API within a one-minute period.
These alarms return to an OK state after one minute of no errors or throttles.
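The alarm behaviour described above, as an added example that is not part of the solution's CloudFormation template: lambda_alarm() and api_alarm() build put_metric_alarm parameters for the Lambda Errors/Throttles and API Gateway 4XX/5XX alarms with the one-minute, any-non-zero semantics the stack uses, and evaluate() replays per-minute Sum datapoints to show the OK/ALARM transitions. The alarm-name format, the evaluator and the sample function, API and stage names are constructed for this example.

```python
from typing import Dict, List, Optional

# Comparison operators the evaluator understands (CloudWatch's own names).
_OPS = {
    "GreaterThanThreshold": lambda v, t: v > t,
    "GreaterThanOrEqualToThreshold": lambda v, t: v >= t,
}

def lambda_alarm(function_name: str, metric: str) -> Dict:
    """put_metric_alarm kwargs for a Lambda Errors or Throttles alarm:
    Sum over one 60-second period, ALARM on any non-zero count."""
    if metric not in ("Errors", "Throttles"):
        raise ValueError("metric must be Errors or Throttles")
    return {
        "AlarmName": f"{function_name}-{metric}",  # constructed naming scheme
        "Namespace": "AWS/Lambda",
        "MetricName": metric,
        "Dimensions": [{"Name": "FunctionName", "Value": function_name}],
        "Statistic": "Sum", "Period": 60, "EvaluationPeriods": 1,
        "Threshold": 0, "ComparisonOperator": "GreaterThanThreshold",
        "TreatMissingData": "notBreaching",  # a quiet minute is not an error
    }

def api_alarm(api_name: str, stage: str, status_class: str) -> Dict:
    """Same shape for an API Gateway stage's 4XXError or 5XXError metric."""
    if status_class not in ("4XX", "5XX"):
        raise ValueError("status_class must be 4XX or 5XX")
    return {
        "AlarmName": f"{api_name}-{stage}-{status_class}",
        "Namespace": "AWS/ApiGateway",
        "MetricName": f"{status_class}Error",
        "Dimensions": [{"Name": "ApiName", "Value": api_name},
                       {"Name": "Stage", "Value": stage}],
        "Statistic": "Sum", "Period": 60, "EvaluationPeriods": 1,
        "Threshold": 0, "ComparisonOperator": "GreaterThanThreshold",
        "TreatMissingData": "notBreaching",
    }

def evaluate(alarm: Dict, minute_sums: List[Optional[float]]) -> List[str]:
    """Replay per-minute Sum datapoints (None = no data) and return the state
    after each minute using CloudWatch's M-of-N rule; with the 1-of-1 setting
    above that is OK -> ALARM on any bad minute, OK again after one clean one."""
    breaches, n = _OPS[alarm["ComparisonOperator"]], alarm["EvaluationPeriods"]
    m, window, states = alarm.get("DatapointsToAlarm", n), [], []
    for value in minute_sums:
        breached = (alarm["TreatMissingData"] == "breaching" if value is None
                    else breaches(value, alarm["Threshold"]))
        window = (window + [breached])[-n:]
        states.append("ALARM" if sum(window) >= m else "OK")
    return states
```

Passing each dict to a boto3 CloudWatch client's put_metric_alarm(**params) creates the alarm; the evaluator only models state transitions and does not call AWS.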
IAM roles
AWS Identity and Access Management (IAM) roles allow customers to assign granular access policies and permissions to services and users on the AWS Cloud. This solution creates IAM roles that grant the solution’s AWS Lambda functions access to create Regional resources.
Amazon CloudFront
The virtual-waiting-room-on-aws.template CloudFormation template, which creates the core public and private APIs of the waiting room, also deploys a CloudFront distribution for the public API. CloudFront caches the responses from the public API, thereby reducing load on API Gateway and the Lambda functions performing work.
This solution also has an optional sample waiting room template that deploys a simple web application hosted in an Amazon Simple Storage Service (Amazon S3) bucket. To help reduce latency and improve security, an Amazon CloudFront distribution is deployed with an origin access identity, which is a CloudFront user that provides public access to the solution’s website bucket contents. For more information, refer to Restricting Access to Amazon S3 Content by Using an Origin Access Identity in the Amazon CloudFront Developer Guide.
Security groups
The VPC security groups created in this solution are designed to control and isolate network traffic to Elasticache (Redis OSS). Lambda functions that need to communicate with Elasticache (Redis OSS) are placed in the same security group as Elasticache (Redis OSS). We recommend that you review the security groups and further restrict access as needed once the deployment is up and running.