Security
When you build systems on AWS infrastructure, security responsibilities are shared between you and AWS. This shared responsibility model
IAM roles
AWS Identity and Access Management (IAM)
Amazon S3 bucket configuration and policy
By default, all Amazon S3 buckets for the solution have the following configuration:
- All public access blocked
- Versioning enabled
- Access logging enabled
- Encryption at rest with an AWS KMS customer managed key
Additionally, each Amazon S3 bucket is configured with a default bucket policy that denies all non-HTTPS requests (requests for which the aws:SecureTransport condition key is false), so that data in transit is always encrypted.
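The following audit script checks a bucket against the five defaults listed above. It is an added example, not code from the solution: the inputs are dicts in the shapes boto3 returns from get_public_access_block, get_bucket_versioning, get_bucket_logging and get_bucket_encryption, plus the policy string from get_bucket_policy, and the two sample buckets, their names and the key ARN are constructed here so the script runs offline. It goes slightly beyond the text by also recognising the two ways an "aws:kms" setting can still mean the AWS managed key rather than a customer managed one.

```python
"""Audit an Amazon S3 bucket against the solution's listed defaults.

Added example, not the solution's own code. Inputs are boto3-shaped response
dicts; 'Policy' is the policy JSON string from get_bucket_policy, or None when
the bucket has no policy (get_bucket_policy raises NoSuchBucketPolicy)."""
import json

PAB_FLAGS = ("BlockPublicAcls", "IgnorePublicAcls",
             "BlockPublicPolicy", "RestrictPublicBuckets")


def blocks_all_public_access(pab: dict) -> bool:
    """All four Block Public Access settings must be on; a missing flag is off."""
    cfg = pab.get("PublicAccessBlockConfiguration", {})
    return all(cfg.get(flag) is True for flag in PAB_FLAGS)


def versioning_enabled(versioning: dict) -> bool:
    """A bucket that never had versioning returns no 'Status' key at all."""
    return versioning.get("Status") == "Enabled"


def access_logging_enabled(logging_cfg: dict) -> bool:
    return bool(logging_cfg.get("LoggingEnabled", {}).get("TargetBucket"))


def encrypted_with_customer_managed_key(encryption: dict) -> bool:
    """SSE-KMS with an explicit key. 'aws:kms' without a key ID, or with the
    alias/aws/s3 alias, means the AWS managed key, not a customer managed one."""
    rules = encryption.get("ServerSideEncryptionConfiguration", {}).get("Rules", [])
    for rule in rules:
        default = rule.get("ApplyServerSideEncryptionByDefault", {})
        key_id = default.get("KMSMasterKeyID", "")
        if (default.get("SSEAlgorithm") == "aws:kms" and key_id
                and not key_id.endswith("alias/aws/s3")):
            return True
    return False


def denies_non_tls(policy_json) -> bool:
    """True if some statement denies every principal all S3 actions when
    aws:SecureTransport is false. Resource scope is not checked here."""
    if not policy_json:
        return False
    statements = json.loads(policy_json).get("Statement", [])
    if isinstance(statements, dict):
        statements = [statements]
    for stmt in statements:
        if stmt.get("Effect") != "Deny":
            continue
        if stmt.get("Principal") not in ("*", {"AWS": "*"}):
            continue
        actions = stmt.get("Action", [])
        actions = [actions] if isinstance(actions, str) else actions
        if not any(a in ("s3:*", "*") for a in actions):
            continue
        flag = stmt.get("Condition", {}).get("Bool", {}).get("aws:SecureTransport")
        if str(flag).lower() == "false":
            return True
    return False


def audit_bucket(bucket: dict) -> dict:
    """One boolean per listed default; anything False needs attention."""
    return {
        "public_access_blocked": blocks_all_public_access(bucket["PublicAccessBlock"]),
        "versioning_enabled": versioning_enabled(bucket["Versioning"]),
        "access_logging_enabled": access_logging_enabled(bucket["Logging"]),
        "customer_managed_kms_key": encrypted_with_customer_managed_key(bucket["Encryption"]),
        "denies_non_tls": denies_non_tls(bucket["Policy"]),
    }


# Constructed sample: a bucket configured as the page describes (placeholder names).
COMPLIANT_BUCKET = {
    "PublicAccessBlock": {"PublicAccessBlockConfiguration": dict.fromkeys(PAB_FLAGS, True)},
    "Versioning": {"Status": "Enabled"},
    "Logging": {"LoggingEnabled": {"TargetBucket": "example-access-logs",
                                   "TargetPrefix": "example-patterns/"}},
    "Encryption": {"ServerSideEncryptionConfiguration": {"Rules": [{
        "ApplyServerSideEncryptionByDefault": {
            "SSEAlgorithm": "aws:kms",
            "KMSMasterKeyID": "arn:aws:kms:us-east-1:111122223333:key/1234abcd-12ab-34cd-56ef-1234567890ab"},
        "BucketKeyEnabled": True}]}},
    "Policy": json.dumps({"Version": "2012-10-17", "Statement": [{
        "Sid": "DenyInsecureTransport", "Effect": "Deny", "Principal": "*",
        "Action": "s3:*",
        "Resource": ["arn:aws:s3:::example-patterns", "arn:aws:s3:::example-patterns/*"],
        "Condition": {"Bool": {"aws:SecureTransport": "false"}}}]}),
}

# Constructed sample: a bucket that drifted from the defaults (SSE-S3 instead of a
# customer managed key, versioning never enabled, no access logging, no policy).
DRIFTED_BUCKET = {
    "PublicAccessBlock": COMPLIANT_BUCKET["PublicAccessBlock"],
    "Versioning": {},
    "Logging": {},
    "Encryption": {"ServerSideEncryptionConfiguration": {"Rules": [{
        "ApplyServerSideEncryptionByDefault": {"SSEAlgorithm": "AES256"}}]}},
    "Policy": None,
}

if __name__ == "__main__":
    for name, bucket in (("compliant", COMPLIANT_BUCKET), ("drifted", DRIFTED_BUCKET)):
        print(name, audit_bucket(bucket))
```

To run it against a live account, replace the two sample dicts with the corresponding boto3 calls for each solution bucket; the checks themselves need no change. The TLS check deliberately requires a wildcard principal and s3:* so that a narrower Deny (for example on s3:GetObject only) is not mistaken for full transport enforcement.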
AWS Key Management Service (AWS KMS) keys
The Application Pattern Orchestrator on AWS solution allows you to provide your own AWS KMS
Amazon CloudFront
This solution deploys a web application hosted in an Amazon S3 bucket. To help reduce latency and improve security, the solution includes an Amazon CloudFront distribution with an Origin Access Identity (OAI), a special CloudFront principal. The website bucket's policy grants read access to that OAI only, so the bucket contents are served exclusively through CloudFront and are not publicly readable from Amazon S3 directly. CloudFront now recommends origin access control (OAC) over the older OAI mechanism for new distributions; both restrict the origin in the same way. For more information, refer to the Restricting access to an Amazon S3 origin section in the Amazon CloudFront Developer Guide.
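The bucket policy shape that makes this work, as an added example rather than the solution's deployment template: the bucket name, OAI ID, account ID and distribution ID are placeholders, and the "public" policy is the usual static-website-hosting policy, constructed here as the insecure baseline the OAI policy replaces. The OAC variant is included for comparison.

```python
"""Bucket policy for a website bucket that is served only through CloudFront.

Added example, not the solution's template. All IDs and names below are
placeholders constructed for this example."""
import json

BUCKET = "example-website-bucket"
OAI_ID = "E1EXAMPLEOAIID"
ACCOUNT_ID = "111122223333"
DISTRIBUTION_ID = "E2EXAMPLEDIST"


def oai_bucket_policy(bucket: str, oai_id: str) -> dict:
    """Read access for the distribution's origin access identity only.
    The bucket stays non-public; CloudFront signs origin requests as this user."""
    return {"Version": "2012-10-17", "Statement": [{
        "Sid": "AllowCloudFrontOAIRead",
        "Effect": "Allow",
        "Principal": {"AWS": f"arn:aws:iam::cloudfront:user/CloudFront Origin Access Identity {oai_id}"},
        "Action": "s3:GetObject",
        "Resource": f"arn:aws:s3:::{bucket}/*"}]}


def oac_bucket_policy(bucket: str, account_id: str, distribution_id: str) -> dict:
    """Same intent with origin access control: the CloudFront service
    principal, scoped by condition to exactly one distribution."""
    return {"Version": "2012-10-17", "Statement": [{
        "Sid": "AllowCloudFrontServicePrincipalRead",
        "Effect": "Allow",
        "Principal": {"Service": "cloudfront.amazonaws.com"},
        "Action": "s3:GetObject",
        "Resource": f"arn:aws:s3:::{bucket}/*",
        "Condition": {"StringEquals": {
            "AWS:SourceArn": f"arn:aws:cloudfront::{account_id}:distribution/{distribution_id}"}}}]}


# Constructed insecure baseline: the static-website-hosting policy that makes
# every object readable by anyone on the internet, bypassing CloudFront.
PUBLIC_WEBSITE_POLICY = {"Version": "2012-10-17", "Statement": [{
    "Sid": "PublicReadGetObject",
    "Effect": "Allow",
    "Principal": "*",
    "Action": "s3:GetObject",
    "Resource": f"arn:aws:s3:::{BUCKET}/*"}]}


def _principals(stmt: dict) -> list:
    """Flatten the Principal element into a list of principal strings."""
    principal = stmt.get("Principal")
    if principal == "*":
        return ["*"]
    if isinstance(principal, dict):
        found = []
        for value in principal.values():
            found.extend(value if isinstance(value, list) else [value])
        return found
    return []


def unconditioned_public_grants(policy: dict) -> list:
    """Sids of Allow statements open to everyone with no Condition at all.
    A wildcard principal behind a Condition still deserves a manual look."""
    statements = policy.get("Statement", [])
    statements = [statements] if isinstance(statements, dict) else statements
    return [s.get("Sid", "<no Sid>") for s in statements
            if s.get("Effect") == "Allow" and "*" in _principals(s)
            and not s.get("Condition")]


if __name__ == "__main__":
    print("public baseline:", unconditioned_public_grants(PUBLIC_WEBSITE_POLICY))
    print(json.dumps(oai_bucket_policy(BUCKET, OAI_ID), indent=2))
    print(json.dumps(oac_bucket_policy(BUCKET, ACCOUNT_ID, DISTRIBUTION_ID), indent=2))
```

With Block Public Access enabled on the bucket (as in the defaults above), S3 would reject the public baseline policy outright; the checker is still useful for reviewing policies in templates before deployment, where no such guard runs.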
Network configuration
The Application Pattern Orchestrator on AWS solution is deployed in an Amazon VPC, with its Lambda functions attached to a private subnet. Traffic in and out of the functions is controlled by security groups on their network interfaces.
User authorization
By default, the solution creates two user groups in the Amazon Cognito user pool for user authorization:
- SYSTEM_ADMIN: This user group has permissions to access all pages in the web UI. By default, any user created by the solution is automatically added to this group when the solution is deployed.
- PATTERN_PUBLISHER: This group has permissions to create, update, and view patterns. The group also allows you to view pattern attributes.
Note: To update or delete pattern attributes, you must be in the SYSTEM_ADMIN group.
Federating solution user groups through an Identity provider (IdP)
You can federate the solution user groups with a third-party identity provider via OpenID Connect (OIDC). To configure this:
- Deploy the solution using AWS CDK by following the instructions in the solution README.
- In your IdP settings, add a claim of type group and map the IdP roles to the SYSTEM_ADMIN and PATTERN_PUBLISHER groups in the Amazon Cognito user pool. Without this mapping, a federated user has only read-only access to the solution web UI.
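How the group membership in a token translates into the permissions described above, as an added example rather than the solution's own authorizer: the permission names, helper names, issuer, app client ID and sample claims are assumptions constructed for this example, and only the two group names are the ones the solution creates. It assumes the mapped IdP groups end up in the ID token's cognito:groups claim, and that the token's signature has already been verified against the user pool's JWKS before the claims are trusted. The unmapped federated user and the expired token are the two failure modes worth seeing handled.

```python
"""Authorization from the groups in a Cognito ID token.

Added example, not the solution's code. Signature verification against the
user pool's JWKS must run before these claims are used and is not shown."""
import time

SYSTEM_ADMIN = "SYSTEM_ADMIN"
PATTERN_PUBLISHER = "PATTERN_PUBLISHER"

# Read-only baseline for a user in no mapped group (what a federated user gets
# when the IdP group claim was not mapped). Treating read-only as "view" is an
# assumption about the UI; the permission names are placeholders.
READ_ONLY = frozenset({"pattern:view", "attribute:view"})
PUBLISHER_PERMS = READ_ONLY | {"pattern:create", "pattern:update"}
ADMIN_PERMS = PUBLISHER_PERMS | {"attribute:update", "attribute:delete"}
GROUP_PERMISSIONS = {SYSTEM_ADMIN: ADMIN_PERMS, PATTERN_PUBLISHER: PUBLISHER_PERMS}

# Placeholder user pool issuer and app client ID (assumptions).
ISSUER = "https://cognito-idp.us-east-1.amazonaws.com/us-east-1_EXAMPLE"
CLIENT_ID = "1example23456789abcdefghij"


def validate_claims(claims: dict, issuer: str, client_id: str, now=None) -> bool:
    """Checks every authorizer needs besides the signature: it is an ID token
    (access tokens carry 'client_id', not 'aud'), issued by our pool, for our
    app client, and not expired."""
    now = time.time() if now is None else now
    exp = claims.get("exp")
    return (claims.get("token_use") == "id"
            and claims.get("iss") == issuer
            and claims.get("aud") == client_id
            and isinstance(exp, (int, float)) and exp > now)


def groups_from_claims(claims: dict) -> list:
    """Cognito lists user pool group membership in the 'cognito:groups' claim."""
    groups = claims.get("cognito:groups", [])
    if isinstance(groups, str):
        groups = [groups]
    return [g for g in groups if isinstance(g, str)]


def effective_permissions(claims: dict) -> frozenset:
    """Union of the mapped groups' permissions over the read-only baseline;
    a group the solution does not know grants nothing extra."""
    perms = set(READ_ONLY)
    for group in groups_from_claims(claims):
        perms |= GROUP_PERMISSIONS.get(group, frozenset())
    return frozenset(perms)


def is_allowed(claims: dict, action: str, issuer: str = ISSUER,
               client_id: str = CLIENT_ID, now=None) -> bool:
    """Deny unless the token is valid and the action is in the user's permissions."""
    if not validate_claims(claims, issuer, client_id, now):
        return False
    return action in effective_permissions(claims)


# Constructed sample claims; 'exp' is set to the year 2100 so they stay valid.
BASE_CLAIMS = {"iss": ISSUER, "aud": CLIENT_ID, "token_use": "id", "exp": 4102444800}
ADMIN_CLAIMS = {**BASE_CLAIMS, "cognito:groups": [SYSTEM_ADMIN]}
PUBLISHER_CLAIMS = {**BASE_CLAIMS, "cognito:groups": [PATTERN_PUBLISHER]}
# Federated sign-in whose IdP group claim was never mapped: no cognito:groups.
FEDERATED_UNMAPPED_CLAIMS = {**BASE_CLAIMS, "identities": [{"providerName": "ExampleOIDC"}]}
EXPIRED_ADMIN_CLAIMS = {**ADMIN_CLAIMS, "exp": 1600000000}

if __name__ == "__main__":
    for label, claims in (("admin", ADMIN_CLAIMS), ("publisher", PUBLISHER_CLAIMS),
                          ("federated, unmapped", FEDERATED_UNMAPPED_CLAIMS)):
        print(label, sorted(effective_permissions(claims)))
```

The design choice that matters is that membership adds permissions on top of a fixed read-only floor and that unknown group names add nothing, so a mistyped mapping in the IdP fails closed to read-only rather than open.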
Data protection
All data committed to Application Pattern Orchestrator on AWS is encrypted at rest; this includes data stored in:
- Amazon S3
- Amazon DynamoDB
- AWS CodeArtifact
- AWS Service Catalog
- Amazon SQS
Communication between the solution’s different components is over HTTPS to ensure data encryption in transit.