Security - Landing Zone Accelerator on AWS

Security

When you build systems on AWS infrastructure, security responsibilities are shared between you and AWS. This shared model reduces your operational burden because AWS operates, manages, and controls the components including the host operating system, the virtualization layer, and the physical security of the facilities in which the services operate. For more information about AWS security, visit AWS Cloud Security.

IAM roles

AWS Identity and Access Management (IAM) roles allow customers to assign granular access policies and permissions to services and users on the AWS Cloud. This solution creates IAM roles that grant the solution’s CodePipeline pipelines read/write access to their respective artifact S3 buckets and source code repositories, and permission to run CodeBuild projects. Additional IAM roles are created that grant the CodeBuild projects permission to write to Amazon CloudWatch Logs log groups and to create Regional resources.
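The pipeline roles described above are only as safe as the scoping of their policies. The following is an added example, not code from the solution or from AWS, of a small least-privilege check that a reviewer can run over a role policy before or after deployment. The policy document it ships with is constructed for illustration (placeholder account ID, region, bucket, repository and project names) and is not the solution's actual policy; the linter flags wildcard actions, resource "*" grants and privilege-sensitive IAM/STS actions that a build pipeline role should not carry.

```python
"""Least-privilege lint for an IAM role policy of the kind a CI/CD pipeline role carries.

Added example: the checks below are a reviewer's heuristics, not an AWS API.
Condition blocks are deliberately ignored, so a finding means "look at this",
not "this is exploitable".
"""
import json

# Constructed sample policy (placeholder names and account ID; not the solution's own
# policy): one artifact bucket, one source repository, one CodeBuild project.
EXAMPLE_POLICY = json.loads("""
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "ArtifactBucketAccess",
      "Effect": "Allow",
      "Action": ["s3:GetObject", "s3:PutObject", "s3:GetBucketVersioning"],
      "Resource": ["arn:aws:s3:::example-artifact-bucket",
                   "arn:aws:s3:::example-artifact-bucket/*"]
    },
    {
      "Sid": "SourceRepositoryAccess",
      "Effect": "Allow",
      "Action": ["codecommit:GetBranch", "codecommit:GetCommit",
                 "codecommit:UploadArchive", "codecommit:GetUploadArchiveStatus"],
      "Resource": "arn:aws:codecommit:us-east-1:111122223333:example-config-repo"
    },
    {
      "Sid": "RunBuildProjects",
      "Effect": "Allow",
      "Action": ["codebuild:StartBuild", "codebuild:BatchGetBuilds"],
      "Resource": "arn:aws:codebuild:us-east-1:111122223333:project/example-build-project"
    }
  ]
}
""")

# Actions that change who can do what; a pipeline role should not carry them
# unless a reviewer has explicitly accepted the scope (compared case-insensitively).
PRIVILEGE_SENSITIVE_ACTIONS = {
    "iam:passrole", "iam:createpolicyversion", "iam:attachrolepolicy",
    "iam:putrolepolicy", "iam:createaccesskey", "sts:assumerole",
}


def _as_list(value):
    """IAM allows Action/Resource to be a string or a list; normalise to a list."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def lint_policy(policy):
    """Return a list of human-readable findings for Allow statements in `policy`.

    An empty list means none of the heuristics fired.
    """
    findings = []
    for stmt in policy.get("Statement", []):
        if stmt.get("Effect") != "Allow":
            continue  # Deny statements can only narrow access
        sid = stmt.get("Sid", "<no Sid>")
        actions = _as_list(stmt.get("Action"))
        resources = _as_list(stmt.get("Resource"))

        for action in actions:
            if action == "*" or action.endswith(":*"):
                findings.append(f"{sid}: wildcard action {action!r}")
            if action.lower() in PRIVILEGE_SENSITIVE_ACTIONS:
                findings.append(f"{sid}: privilege-sensitive action {action!r}")

        if "*" in resources:
            findings.append(
                f"{sid}: resource '*' grants the allowed actions on every resource"
            )
        if not resources and "NotResource" not in stmt:
            findings.append(f"{sid}: statement has no Resource element")
    return findings


if __name__ == "__main__":
    for line in lint_policy(EXAMPLE_POLICY) or ["no findings"]:
        print(line)
```

Run it against the policy document attached to a deployed role (for example the output of `aws iam get-role-policy`) and treat every finding as a review item; for the constructed sample above it reports nothing, because each statement names specific actions and specific ARNs.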

AWS KMS keys

AWS KMS helps you create and manage cryptographic keys and control their use across a wide range of AWS services and in your applications. This solution uses AWS KMS keys to turn on encryption at rest for the applicable services it deploys. In a default installation, these keys will rotate automatically once per year. More information about the key management infrastructure for this solution is outlined in Architecture details.
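Because the once-per-year rotation described above is a property of each key rather than of the account, it is worth verifying after deployment. The following is an added example, not code from the solution or from AWS, of an audit that lists enabled, customer-managed symmetric keys whose automatic rotation is off. It uses the real `boto3` KMS calls `list_keys`, `describe_key` and `get_key_rotation_status`; the `FakeKmsClient` class and the sample inventory are constructed stand-ins (placeholder key IDs and account) so the check can be exercised offline.

```python
"""Audit: which customer-managed symmetric KMS keys are not rotating automatically?

Added example. Only `KeyManager == "CUSTOMER"`, `KeyState == "Enabled"` and
`KeySpec == "SYMMETRIC_DEFAULT"` keys are inspected: AWS-managed keys rotate
on their own, and GetKeyRotationStatus is not supported for asymmetric keys.
"""


def keys_without_rotation(kms):
    """Return the ARNs of enabled customer-managed symmetric keys with rotation disabled.

    `kms` is a boto3 KMS client (or anything with the same three methods).
    """
    offenders = []
    marker = None
    while True:
        page = kms.list_keys(**({"Marker": marker} if marker else {}))
        for entry in page["Keys"]:
            meta = kms.describe_key(KeyId=entry["KeyId"])["KeyMetadata"]
            if (meta.get("KeyManager") != "CUSTOMER"
                    or meta.get("KeyState") != "Enabled"
                    or meta.get("KeySpec", "SYMMETRIC_DEFAULT") != "SYMMETRIC_DEFAULT"):
                continue
            status = kms.get_key_rotation_status(KeyId=entry["KeyId"])
            if not status.get("KeyRotationEnabled", False):
                offenders.append(entry["KeyArn"])
        if not page.get("Truncated"):
            return offenders
        marker = page["NextMarker"]  # continue with the next page of keys


class FakeKmsClient:
    """Constructed offline stand-in for the boto3 KMS client (not a real AWS API)."""

    def __init__(self, inventory):
        # inventory: key_id -> {"manager", "state", "spec", "rotation"}
        self._inv = inventory

    def list_keys(self, **kwargs):
        return {"Keys": [{"KeyId": k,
                          "KeyArn": f"arn:aws:kms:us-east-1:111122223333:key/{k}"}
                         for k in self._inv],
                "Truncated": False}

    def describe_key(self, KeyId):
        k = self._inv[KeyId]
        return {"KeyMetadata": {"KeyId": KeyId, "KeyManager": k["manager"],
                                "KeyState": k["state"], "KeySpec": k["spec"]}}

    def get_key_rotation_status(self, KeyId):
        return {"KeyRotationEnabled": self._inv[KeyId]["rotation"]}


# Constructed sample inventory (placeholder key IDs): one compliant key, one
# non-rotating key, one AWS-managed key and one asymmetric key.
SAMPLE_INVENTORY = {
    "key-rotating":  {"manager": "CUSTOMER", "state": "Enabled",  "spec": "SYMMETRIC_DEFAULT", "rotation": True},
    "key-static":    {"manager": "CUSTOMER", "state": "Enabled",  "spec": "SYMMETRIC_DEFAULT", "rotation": False},
    "key-awsmanaged": {"manager": "AWS",     "state": "Enabled",  "spec": "SYMMETRIC_DEFAULT", "rotation": True},
    "key-signing":   {"manager": "CUSTOMER", "state": "Enabled",  "spec": "RSA_2048",          "rotation": False},
}


def audit_sample():
    """Run the audit over the constructed inventory."""
    return keys_without_rotation(FakeKmsClient(SAMPLE_INVENTORY))


if __name__ == "__main__":
    import boto3  # only needed for a live run against an account
    for arn in keys_without_rotation(boto3.client("kms")):
        print("rotation disabled:", arn)
```

Against the constructed inventory the audit returns only the ARN of `key-static`; against a real account it needs `kms:ListKeys`, `kms:DescribeKey` and `kms:GetKeyRotationStatus` in the calling principal's policy and should be run in every Region where the solution deploys keys.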