# Security in Amazon Location Service
<a name="security"></a>

Cloud security at AWS is the highest priority. As an AWS customer, you benefit from data centers and network architectures that are built to meet the requirements of the most security-sensitive organizations.

Security is a shared responsibility between AWS and you. The [shared responsibility model](https://aws.amazon.com/compliance/shared-responsibility-model/) describes this as security *of* the cloud and security *in* the cloud:
+ **Security of the cloud** – AWS is responsible for protecting the infrastructure that runs AWS services in the AWS Cloud. AWS also provides you with services that you can use securely. Third-party auditors regularly test and verify the effectiveness of our security as part of the [AWS Compliance Programs](https://aws.amazon.com/compliance/programs/). To learn about the compliance programs that apply to Amazon Location Service, see [AWS Services in Scope by Compliance Program](https://aws.amazon.com/compliance/services-in-scope/).
+ **Security in the cloud** – Your responsibility is determined by the AWS service that you use. You are also responsible for other factors including the sensitivity of your data, your company’s requirements, and applicable laws and regulations. 

This documentation helps you understand how to apply the shared responsibility model when using Amazon Location. The following topics show you how to configure Amazon Location to meet your security and compliance objectives. You also learn how to use other AWS services that help you to monitor and secure your Amazon Location resources. 

**Topics**
+ [Data protection in Amazon Location Service](data-protection.md)
+ [Incident Response in Amazon Location Service](incident-response.md)
+ [Compliance validation for Amazon Location Service](compliance-validation.md)
+ [Resilience in Amazon Location Service](disaster-recovery-resiliency.md)
+ [Infrastructure security in Amazon Location Service](infrastructure-security.md)
+ [AWS PrivateLink for Amazon Location](privatelink-interface-endpoints.md)
+ [Configuration and vulnerability analysis in Amazon Location](vulnerability-analysis-and-management.md)
+ [Cross-service confused deputy prevention](cross-service-confused-deputy-prevention.md)
+ [Best practices for Amazon Location Service](best-practices.md)

# Data protection in Amazon Location Service
<a name="data-protection"></a>

The AWS [shared responsibility model](https://aws.amazon.com/compliance/shared-responsibility-model/) applies to data protection in Amazon Location Service. As described in this model, AWS is responsible for protecting the global infrastructure that runs all of the AWS Cloud. You are responsible for maintaining control over your content that is hosted on this infrastructure. You are also responsible for the security configuration and management tasks for the AWS services that you use. For more information about data privacy, see the [Data Privacy FAQ](https://aws.amazon.com/compliance/data-privacy-faq/). For information about data protection in Europe, see the [AWS Shared Responsibility Model and GDPR](https://aws.amazon.com/blogs/security/the-aws-shared-responsibility-model-and-gdpr/) blog post on the *AWS Security Blog*.

For data protection purposes, we recommend that you protect AWS account credentials and set up individual users with AWS IAM Identity Center or AWS Identity and Access Management (IAM). That way, each user is given only the permissions necessary to fulfill their job duties. We also recommend that you secure your data in the following ways:
+ Use multi-factor authentication (MFA) with each account.
+ Use SSL/TLS to communicate with AWS resources. We require TLS 1.2 and recommend TLS 1.3.
+ Set up API and user activity logging with AWS CloudTrail. For information about using CloudTrail trails to capture AWS activities, see [Working with CloudTrail trails](https://docs.aws.amazon.com/awscloudtrail/latest/userguide/cloudtrail-trails.html) in the *AWS CloudTrail User Guide*.
+ Use AWS encryption solutions, along with all default security controls within AWS services.
+ Use advanced managed security services such as Amazon Macie, which assists in discovering and securing sensitive data that is stored in Amazon S3.
+ If you require FIPS 140-3 validated cryptographic modules when accessing AWS through a command line interface or an API, use a FIPS endpoint. For more information about the available FIPS endpoints, see [Federal Information Processing Standard (FIPS) 140-3](https://aws.amazon.com/compliance/fips/).

We strongly recommend that you never put confidential or sensitive information, such as your customers' email addresses, into tags or free-form text fields such as a **Name** field. This includes when you work with Amazon Location or other AWS services using the console, API, AWS CLI, or AWS SDKs. Any data that you enter into tags or free-form text fields used for names may be used for billing or diagnostic logs. If you provide a URL to an external server, we strongly recommend that you do not include credentials information in the URL to validate your request to that server.

# Data privacy
<a name="data-privacy"></a>

With Amazon Location Service, you retain control of your organization’s data. Amazon Location anonymizes all queries sent to data providers by removing customer metadata and account information. 

Amazon Location doesn't use data providers for tracking and geofencing. This means your sensitive data remains in your AWS account. This helps shield sensitive location information, such as facility, asset, and personnel location, from third parties, protect user privacy, and reduce your application's security risk.

For additional information, see the [AWS Data Privacy FAQ](https://aws.amazon.com/compliance/data-privacy-faq/).

# Data retention in Amazon Location
<a name="data-retention"></a>

The following characteristics relate to how Amazon Location collects and stores data for the service:
+ **Amazon Location Service Trackers** – When you use the Trackers APIs to track the location of entities, their coordinates can be stored. Device locations are stored for 30 days before being deleted by the service.
+ **Amazon Location Service Geofences** – When you use the Geofences APIs to define areas of interest, the service stores the geometries you provided. They must be explicitly deleted.
**Note**  
Deleting your AWS account deletes all resources within it. For additional information, see the [AWS Data Privacy FAQ](https://aws.amazon.com/compliance/data-privacy-faq/).

# Data encryption at rest for Amazon Location Service
<a name="encryption-at-rest"></a>

Amazon Location Service provides encryption by default to protect sensitive customer data at rest using AWS owned encryption keys.
+ **AWS owned keys** — Amazon Location uses these keys by default to automatically encrypt personally identifiable data. You can't view, manage, or use AWS owned keys, or audit their use. However, you don't have to take any action or change any programs to protect the keys that encrypt your data. For more information, see [AWS owned keys](https://docs.aws.amazon.com/kms/latest/developerguide/concepts.html#aws-owned-cmk) in the *AWS Key Management Service Developer Guide*. 

Encryption of data at rest by default helps reduce the operational overhead and complexity involved in protecting sensitive data. At the same time, it enables you to build secure applications that meet strict encryption compliance and regulatory requirements. 

While you can't disable this layer of encryption or select an alternate encryption type, you can add a second layer of encryption over the existing AWS owned encryption keys by choosing a customer managed key when you create your tracker and geofence collection resources:
+ **Customer managed keys** — Amazon Location supports the use of a symmetric customer managed key that you create, own, and manage to add a second layer of encryption over the existing AWS owned encryption. Because you have full control of this layer of encryption, you can perform such tasks as: 
  + Establishing and maintaining key policies
  + Establishing and maintaining IAM policies and grants
  + Enabling and disabling key policies
  + Rotating key cryptographic material
  + Adding tags
  + Creating key aliases
  + Scheduling keys for deletion

  For more information, see [customer managed key](https://docs.aws.amazon.com/kms/latest/developerguide/concepts.html#customer-cmk) in the *AWS Key Management Service Developer Guide*. 

The following table summarizes how Amazon Location encrypts personally identifiable data.


| Data type | AWS owned key encryption | Customer managed key encryption (Optional) | 
| --- | --- | --- | 
| **Position** – A point geometry containing [the device position details](https://docs.aws.amazon.com/location/latest/APIReference/API_WaypointTracking_DevicePosition.html). | Enabled | Enabled | 
| **PositionProperties** – A set of key-value pairs [associated with the position update](https://docs.aws.amazon.com/location/latest/APIReference/API_WaypointTracking_DevicePosition.html). | Enabled | Enabled | 
| **GeofenceGeometry** – A polygon [geofence geometry](https://docs.aws.amazon.com/location/latest/APIReference/API_WaypointGeofencing_GeofenceGeometry.html) representing the geofenced area. | Enabled | Enabled | 
| **DeviceId** – The device identifier specified when [uploading a device position update](https://docs.aws.amazon.com/location/latest/APIReference/API_WaypointTracking_DevicePositionUpdate.html) to a tracker resource. | Enabled | Not supported | 
| **GeofenceId** – An identifier specified when [storing a geofence geometry](https://docs.aws.amazon.com/location/latest/APIReference/API_WaypointGeofencing_PutGeofence.html), or a [batch of geofences](https://docs.aws.amazon.com/location/latest/APIReference/API_WaypointGeofencing_BatchPutGeofence.html) in a given geofence collection. | Enabled | Not supported | 

**Note**  
Amazon Location automatically enables encryption at rest using AWS owned keys to protect personally identifiable data at no charge.   
However, AWS KMS charges apply for using a customer managed key. For more information about pricing, see the [AWS Key Management Service pricing](https://aws.amazon.com/kms/pricing/).

For more information on AWS KMS, see [What is AWS Key Management Service?](https://docs.aws.amazon.com/kms/latest/developerguide/overview.html) 

## How Amazon Location Service uses grants in AWS KMS
<a name="encryption-grant"></a>

Amazon Location requires a [grant](https://docs.aws.amazon.com/kms/latest/developerguide/grants.html) to use your customer managed key.

When you create a [tracker resource](https://docs.aws.amazon.com/location/latest/developerguide/trackers.html) or [geofence collection](https://docs.aws.amazon.com/location/latest/developerguide/geofences.html) encrypted with a customer managed key, Amazon Location creates a grant on your behalf by sending a [CreateGrant](https://docs.aws.amazon.com/kms/latest/APIReference/API_CreateGrant.html) request to AWS KMS. Grants in AWS KMS are used to give Amazon Location access to a KMS key in a customer account.

Amazon Location requires the grant to use your customer managed key for the following internal operations:
+ Send [DescribeKey](https://docs.aws.amazon.com/kms/latest/APIReference/API_DescribeKey.html) requests to AWS KMS to verify that the symmetric customer managed KMS key ID entered when creating a tracker or geofence collection is valid.
+ Send [GenerateDataKeyWithoutPlaintext](https://docs.aws.amazon.com/kms/latest/APIReference/API_GenerateDataKeyWithoutPlaintext.html) requests to AWS KMS to generate data keys encrypted by your customer managed key.
+ Send [Decrypt](https://docs.aws.amazon.com/kms/latest/APIReference/API_Decrypt.html) requests to AWS KMS to decrypt the encrypted data keys so that they can be used to encrypt your data.

You can revoke access to the grant, or remove the service's access to the customer managed key at any time. If you do, Amazon Location won't be able to access any of the data encrypted by the customer managed key, which affects operations that are dependent on that data. For example, if you attempt to [get device positions](https://docs.aws.amazon.com/location/latest/APIReference/API_WaypointTracking_GetDevicePosition.html) from an encrypted tracker that Amazon Location can't access, then the operation would return an `AccessDeniedException` error.

## Create a customer managed key
<a name="create-key"></a>

You can create a symmetric customer managed key by using the AWS Management Console, or the AWS KMS APIs.

**To create a symmetric customer managed key**

Follow the steps for [Creating symmetric customer managed key](https://docs.aws.amazon.com/kms/latest/developerguide/create-keys.html#create-symmetric-cmk) in the *AWS Key Management Service Developer Guide*.

**Key policy**

Key policies control access to your customer managed key. Every customer managed key must have exactly one key policy, which contains statements that determine who can use the key and how they can use it. When you create your customer managed key, you can specify a key policy. For more information, see [Managing access to customer managed keys](https://docs.aws.amazon.com/kms/latest/developerguide/key-policies.html) in the *AWS Key Management Service Developer Guide*.

To use your customer managed key with your Amazon Location resources, the following API operations must be permitted in the key policy:
+ `[kms:CreateGrant](https://docs.aws.amazon.com/kms/latest/APIReference/API_CreateGrant.html)` – Adds a grant to a customer managed key. Grants control access to a specified KMS key, which allows access to [grant operations](https://docs.aws.amazon.com/kms/latest/developerguide/grants.html#terms-grant-operations) Amazon Location requires. For more information about [Using Grants](https://docs.aws.amazon.com/kms/latest/developerguide/grants.html), see the *AWS Key Management Service Developer Guide*.

  This allows Amazon Location to do the following:
  + Call `GenerateDataKeyWithoutPlaintext` to generate an encrypted data key and store it, because the data key isn't immediately used to encrypt.
  + Call `Decrypt` to use the stored encrypted data key to access encrypted data.
  + Set up a retiring principal to allow the service to `RetireGrant`.
+ `[kms:DescribeKey](https://docs.aws.amazon.com/kms/latest/APIReference/API_DescribeKey.html)` – Provides the customer managed key details to allow Amazon Location to validate the key.

The following are policy statement examples you can add for Amazon Location:

```
  "Statement" : [
    {
      "Sid" : "Allow access to principals authorized to use Amazon Location",
      "Effect" : "Allow",
      "Principal" : {
        "AWS" : "*"
      },
      "Action" : [
        "kms:DescribeKey",
        "kms:CreateGrant"
      ],
      "Resource" : "*",
      "Condition" : {
        "StringEquals" : {
          "kms:ViaService" : "geo.region.amazonaws.com",
          "kms:CallerAccount" : "111122223333"
        }
      }
    },
    {
      "Sid" : "Allow access for key administrators",
      "Effect" : "Allow",
      "Principal" : {
        "AWS" : "arn:aws:iam::111122223333:root"
      },
      "Action" : [
        "kms:*"
      ],
      "Resource" : "arn:aws:kms:region:111122223333:key/key_ID"
    },
    {
      "Sid" : "Allow read-only access to key metadata to the account",
      "Effect" : "Allow",
      "Principal" : {
        "AWS" : "arn:aws:iam::111122223333:root"
      },
      "Action" : [
        "kms:Describe*",
        "kms:Get*",
        "kms:List*",
        "kms:RevokeGrant"
      ],
      "Resource" : "*"
    }
  ]
```

For more information about [specifying permissions in a policy](https://docs.aws.amazon.com/kms/latest/developerguide/key-policies.html), see the *AWS Key Management Service Developer Guide*.

For more information about [troubleshooting key access](https://docs.aws.amazon.com/kms/latest/developerguide/policy-evaluation.html#example-no-iam), see the *AWS Key Management Service Developer Guide*.
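The statements above are easy to get subtly wrong (a wildcard principal without the `kms:ViaService` and `kms:CallerAccount` conditions opens the key to any caller). The following added example, which is not part of the AWS documentation, is a small checker that parses a key policy and reports whether the two actions Amazon Location needs are allowed and whether every wildcard-principal statement granting them is scoped to the regional `geo.<region>.amazonaws.com` service and to your account. The sample policy, account ID and region are constructed placeholders.

```python
import fnmatch
import json

# Constructed sample key policy modelled on the statements shown above
# (account ID and region are placeholders, not real values).
SAMPLE_KEY_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "Allow access to principals authorized to use Amazon Location",
            "Effect": "Allow",
            "Principal": {"AWS": "*"},
            "Action": ["kms:DescribeKey", "kms:CreateGrant"],
            "Resource": "*",
            "Condition": {
                "StringEquals": {
                    "kms:ViaService": "geo.us-west-2.amazonaws.com",
                    "kms:CallerAccount": "111122223333",
                }
            },
        },
        {
            "Sid": "Allow access for key administrators",
            "Effect": "Allow",
            "Principal": {"AWS": "arn:aws:iam::111122223333:root"},
            "Action": "kms:*",
            "Resource": "*",
        },
    ],
})

# The two KMS actions Amazon Location needs in the key policy.
REQUIRED_ACTIONS = {"kms:CreateGrant", "kms:DescribeKey"}


def _as_list(value):
    """IAM allows scalars or lists in most policy fields; normalise to a list."""
    return value if isinstance(value, list) else [value]


def _action_matches(pattern, action):
    """IAM action names are case-insensitive and may use '*' wildcards."""
    return fnmatch.fnmatchcase(action.lower(), pattern.lower())


def _has_wildcard_principal(principal):
    return principal == "*" or (
        isinstance(principal, dict) and "*" in _as_list(principal.get("AWS", []))
    )


def check_location_key_policy(policy_json, account_id, region):
    """Return a list of human-readable findings (empty list means the policy passed).

    Checks that kms:CreateGrant and kms:DescribeKey are allowed somewhere, and that
    any Allow statement granting them to Principal "*" carries both the
    kms:ViaService (geo.<region>.amazonaws.com) and kms:CallerAccount conditions.
    """
    policy = json.loads(policy_json)
    findings = []
    allowed = set()
    expected_via = f"geo.{region}.amazonaws.com"
    for stmt in _as_list(policy.get("Statement", [])):
        if stmt.get("Effect") != "Allow":
            continue
        patterns = _as_list(stmt.get("Action", []))
        covered = {a for a in REQUIRED_ACTIONS
                   if any(_action_matches(p, a) for p in patterns)}
        if not covered:
            continue
        allowed |= covered
        if _has_wildcard_principal(stmt.get("Principal")):
            cond = (stmt.get("Condition") or {}).get("StringEquals") or {}
            sid = stmt.get("Sid", "<no Sid>")
            if cond.get("kms:ViaService") != expected_via:
                findings.append(f"{sid}: wildcard principal not restricted to kms:ViaService {expected_via}")
            if cond.get("kms:CallerAccount") != account_id:
                findings.append(f"{sid}: wildcard principal not restricted to kms:CallerAccount {account_id}")
    for action in sorted(REQUIRED_ACTIONS - allowed):
        findings.append(f"no Allow statement grants {action}")
    return findings


def without_conditions(policy_json):
    """Constructed weakened variant of a policy: every Condition block removed."""
    policy = json.loads(policy_json)
    for stmt in _as_list(policy.get("Statement", [])):
        stmt.pop("Condition", None)
    return json.dumps(policy)


if __name__ == "__main__":
    for label, doc in (("scoped", SAMPLE_KEY_POLICY),
                       ("unscoped", without_conditions(SAMPLE_KEY_POLICY))):
        print(label, check_location_key_policy(doc, "111122223333", "us-west-2") or "OK")
```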

## Specifying a customer managed key for Amazon Location
<a name="enable-custom-encryption"></a>

You can specify a customer managed key as a second layer encryption for the following resources:
+ [Create a tracker](start-create-tracker.md)
+ [Get started with Amazon Location Service Geofences](geofence-gs.md)

When you create a resource, you can specify the data key by entering a **KMS ID**, which Amazon Location uses to encrypt the identifiable personal data stored by the resource.
+ **KMS ID** — A [key identifier](https://docs.aws.amazon.com/kms/latest/developerguide/concepts.html#key-id) for an AWS KMS customer managed key. Enter a key ID, key ARN, alias name, or alias ARN.

## Amazon Location Service encryption context
<a name="location-encryption-context"></a>

An [encryption context](https://docs.aws.amazon.com/kms/latest/developerguide/concepts.html#encrypt_context) is an optional set of key-value pairs that contain additional contextual information about the data.

AWS KMS uses the encryption context as [additional authenticated data](https://docs.aws.amazon.com/kms/latest/cryptographic-details/crypto-primitives.html) to support [authenticated encryption](https://docs.aws.amazon.com/kms/latest/cryptographic-details/crypto-primitives.html). When you include an encryption context in a request to encrypt data, AWS KMS binds the encryption context to the encrypted data. To decrypt data, you include the same encryption context in the request.

**Amazon Location Service encryption context**

Amazon Location uses the same encryption context in all AWS KMS cryptographic operations, where the key is `aws:geo:arn` and the value is the resource [Amazon Resource Name](https://docs.aws.amazon.com/IAM/latest/UserGuide/reference-arns.html) (ARN).

**Example**  

```
"encryptionContext": {
    "aws:geo:arn": "arn:aws:geo:us-west-2:111122223333:geofence-collection/SAMPLE-GeofenceCollection"
}
```

**Using encryption context for monitoring**

When you use a symmetric customer managed key to encrypt your tracker or geofence collection, you can also use the encryption context in audit records and logs to identify how the customer managed key is being used. The encryption context also appears in [logs generated by AWS CloudTrail or Amazon CloudWatch Logs](#example-custom-encryption).

**Using encryption context to control access to your customer managed key**

You can use the encryption context in key policies and IAM policies as `conditions` to control access to your symmetric customer managed key. You can also use encryption context constraints in a grant.

Amazon Location uses an encryption context constraint in grants to control access to the customer managed key in your account or region. The grant constraint requires that the operations that the grant allows use the specified encryption context.

**Example**  
The following are example key policy statements to grant access to a customer managed key for a specific encryption context. The condition in this policy statement requires that the grants have an encryption context constraint that specifies the encryption context.  

```
{
    "Sid": "Enable DescribeKey",
    "Effect": "Allow",
    "Principal": {
        "AWS": "arn:aws:iam::111122223333:role/ExampleReadOnlyRole"
    },
    "Action": "kms:DescribeKey",
    "Resource": "*"
},
{
    "Sid": "Enable CreateGrant",
    "Effect": "Allow",
    "Principal": {
        "AWS": "arn:aws:iam::111122223333:role/ExampleReadOnlyRole"
    },
    "Action": "kms:CreateGrant",
    "Resource": "*",
    "Condition": {
        "StringEquals": {
            "kms:EncryptionContext:aws:geo:arn": "arn:aws:geo:us-west-2:111122223333:tracker/SAMPLE-Tracker"
        }
    }
}
```

## Monitoring your encryption keys for Amazon Location Service
<a name="example-custom-encryption"></a>

When you use an AWS KMS customer managed key with your Amazon Location Service resources, you can use [AWS CloudTrail](https://docs.aws.amazon.com/awscloudtrail/latest/userguide/cloudtrail-user-guide.html) or [Amazon CloudWatch Logs](https://docs.aws.amazon.com/AmazonCloudWatch/latest/logs/WhatIsCloudWatchLogs.html) to track requests that Amazon Location sends to AWS KMS.

The following examples are AWS CloudTrail events for `CreateGrant`, `GenerateDataKeyWithoutPlaintext`, `Decrypt`, and `DescribeKey` to monitor KMS operations called by Amazon Location to access data encrypted by your customer managed key:

------
#### [ CreateGrant ]

When you use an AWS KMS customer managed key to encrypt your tracker or geofence collection resources, Amazon Location sends a `CreateGrant` request on your behalf to access the KMS key in your AWS account. The grants that Amazon Location creates are specific to the resource associated with the AWS KMS customer managed key. In addition, Amazon Location uses the `RetireGrant` operation to remove a grant when you delete a resource.

The following example event records the `CreateGrant` operation:

```
{
    "eventVersion": "1.08",
    "userIdentity": {
        "type": "AssumedRole",
        "principalId": "AROAIGDTESTANDEXAMPLE:Sampleuser01",
        "arn": "arn:aws:sts::111122223333:assumed-role/Admin/Sampleuser01",
        "accountId": "111122223333",
        "accessKeyId": "AKIAIOSFODNN7EXAMPLE3",
        "sessionContext": {
            "sessionIssuer": {
                "type": "Role",
                "principalId": "AROAIGDTESTANDEXAMPLE:Sampleuser01",
                "arn": "arn:aws:sts::111122223333:assumed-role/Admin/Sampleuser01",
                "accountId": "111122223333",
                "userName": "Admin"
            },
            "webIdFederationData": {},
            "attributes": {
                "mfaAuthenticated": "false",
                "creationDate": "2021-04-22T17:02:00Z"
            }
        },
        "invokedBy": "geo.amazonaws.com"
    },
    "eventTime": "2021-04-22T17:07:02Z",
    "eventSource": "kms.amazonaws.com",
    "eventName": "CreateGrant",
    "awsRegion": "us-west-2",
    "sourceIPAddress": "172.12.34.56",
    "userAgent": "ExampleDesktop/1.0 (V1; OS)",
    "requestParameters": {
        "retiringPrincipal": "geo.region.amazonaws.com",
        "operations": [
            "GenerateDataKeyWithoutPlaintext",
            "Decrypt",
            "DescribeKey"
        ],
        "keyId": "arn:aws:kms:us-west-2:111122223333:key/1234abcd-12ab-34cd-56ef-123456SAMPLE",
        "granteePrincipal": "geo.region.amazonaws.com"
    },
    "responseElements": {
        "grantId": "0ab0ac0d0b000f00ea00cc0a0e00fc00bce000c000f0000000c0bc0a0000aaafSAMPLE"
    },
    "requestID": "ff000af-00eb-00ce-0e00-ea000fb0fba0SAMPLE",
    "eventID": "ff000af-00eb-00ce-0e00-ea000fb0fba0SAMPLE",
    "readOnly": false,
    "resources": [
        {
            "accountId": "111122223333",
            "type": "AWS::KMS::Key",
            "ARN": "arn:aws:kms:us-west-2:111122223333:key/1234abcd-12ab-34cd-56ef-123456SAMPLE"
        }
    ],
    "eventType": "AwsApiCall",
    "managementEvent": true,
    "eventCategory": "Management",
    "recipientAccountId": "111122223333"
}
```

------
#### [ GenerateDataKeyWithoutPlaintext ]

When you enable an AWS KMS customer managed key for your tracker or geofence collection resource, Amazon Location creates a unique table key. It sends a `GenerateDataKeyWithoutPlaintext` request to AWS KMS that specifies the AWS KMS customer managed key for the resource.

The following example event records the `GenerateDataKeyWithoutPlaintext` operation:

```
{
    "eventVersion": "1.08",
    "userIdentity": {
        "type": "AWSService",
        "invokedBy": "geo.amazonaws.com"
    },
    "eventTime": "2021-04-22T17:07:02Z",
    "eventSource": "kms.amazonaws.com",
    "eventName": "GenerateDataKeyWithoutPlaintext",
    "awsRegion": "us-west-2",
    "sourceIPAddress": "172.12.34.56",
    "userAgent": "ExampleDesktop/1.0 (V1; OS)",
    "requestParameters": {
        "encryptionContext": {
            "aws:geo:arn": "arn:aws:geo:us-west-2:111122223333:geofence-collection/SAMPLE-GeofenceCollection"
        },
        "keySpec": "AES_256",
        "keyId": "arn:aws:kms:us-west-2:111122223333:key/1234abcd-12ab-34cd-56ef-123456SAMPLE"
    },
    "responseElements": null,
    "requestID": "ff000af-00eb-00ce-0e00-ea000fb0fba0SAMPLE",
    "eventID": "ff000af-00eb-00ce-0e00-ea000fb0fba0SAMPLE",
    "readOnly": true,
    "resources": [
        {
            "accountId": "111122223333",
            "type": "AWS::KMS::Key",
            "ARN": "arn:aws:kms:us-west-2:111122223333:key/1234abcd-12ab-34cd-56ef-123456SAMPLE"
        }
    ],
    "eventType": "AwsApiCall",
    "managementEvent": true,
    "eventCategory": "Management",
    "recipientAccountId": "111122223333",
    "sharedEventID": "57f5dbee-16da-413e-979f-2c4c6663475e"
}
```

------
#### [ Decrypt ]

When you access an encrypted tracker or geofence collection, Amazon Location calls the `Decrypt` operation to use the stored encrypted data key to access the encrypted data.

The following example event records the `Decrypt` operation:

```
{
    "eventVersion": "1.08",
    "userIdentity": {
        "type": "AWSService",
        "invokedBy": "geo.amazonaws.com"
    },
    "eventTime": "2021-04-22T17:10:51Z",
    "eventSource": "kms.amazonaws.com",
    "eventName": "Decrypt",
    "awsRegion": "us-west-2",
    "sourceIPAddress": "172.12.34.56",
    "userAgent": "ExampleDesktop/1.0 (V1; OS)",
    "requestParameters": {
        "encryptionContext": {
            "aws:geo:arn": "arn:aws:geo:us-west-2:111122223333:geofence-collection/SAMPLE-GeofenceCollection"
        },
        "keyId": "arn:aws:kms:us-west-2:111122223333:key/1234abcd-12ab-34cd-56ef-123456SAMPLE",
        "encryptionAlgorithm": "SYMMETRIC_DEFAULT"
    },
    "responseElements": null,
    "requestID": "ff000af-00eb-00ce-0e00-ea000fb0fba0SAMPLE",
    "eventID": "ff000af-00eb-00ce-0e00-ea000fb0fba0SAMPLE",
    "readOnly": true,
    "resources": [
        {
            "accountId": "111122223333",
            "type": "AWS::KMS::Key",
            "ARN": "arn:aws:kms:us-west-2:111122223333:key/1234abcd-12ab-34cd-56ef-123456SAMPLE"
        }
    ],
    "eventType": "AwsApiCall",
    "managementEvent": true,
    "eventCategory": "Management",
    "recipientAccountId": "111122223333",
    "sharedEventID": "dc129381-1d94-49bd-b522-f56a3482d088"
}
```

------
#### [ DescribeKey ]

Amazon Location uses the `DescribeKey` operation to verify that the AWS KMS customer managed key associated with your tracker or geofence collection exists in the account and region.

The following example event records the `DescribeKey` operation:

```
{
    "eventVersion": "1.08",
    "userIdentity": {
        "type": "AssumedRole",
        "principalId": "AROAIGDTESTANDEXAMPLE:Sampleuser01",
        "arn": "arn:aws:sts::111122223333:assumed-role/Admin/Sampleuser01",
        "accountId": "111122223333",
        "accessKeyId": "AKIAIOSFODNN7EXAMPLE3",
        "sessionContext": {
            "sessionIssuer": {
                "type": "Role",
                "principalId": "AROAIGDTESTANDEXAMPLE:Sampleuser01",
                "arn": "arn:aws:sts::111122223333:assumed-role/Admin/Sampleuser01",
                "accountId": "111122223333",
                "userName": "Admin"
            },
            "webIdFederationData": {},
            "attributes": {
                "mfaAuthenticated": "false",
                "creationDate": "2021-04-22T17:02:00Z"
            }
        },
        "invokedBy": "geo.amazonaws.com"
    },
    "eventTime": "2021-04-22T17:07:02Z",
    "eventSource": "kms.amazonaws.com",
    "eventName": "DescribeKey",
    "awsRegion": "us-west-2",
    "sourceIPAddress": "172.12.34.56",
    "userAgent": "ExampleDesktop/1.0 (V1; OS)",
    "requestParameters": {
        "keyId": "00dd0db0-0000-0000-ac00-b0c000SAMPLE"
    },
    "responseElements": null,
    "requestID": "ff000af-00eb-00ce-0e00-ea000fb0fba0SAMPLE",
    "eventID": "ff000af-00eb-00ce-0e00-ea000fb0fba0SAMPLE",
    "readOnly": true,
    "resources": [
        {
            "accountId": "111122223333",
            "type": "AWS::KMS::Key",
            "ARN": "arn:aws:kms:us-west-2:111122223333:key/1234abcd-12ab-34cd-56ef-123456SAMPLE"
        }
    ],
    "eventType": "AwsApiCall",
    "managementEvent": true,
    "eventCategory": "Management",
    "recipientAccountId": "111122223333"
}
```

------
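The events above, together with the `aws:geo:arn` encryption context and the grant operations described earlier, give you enough to build a simple detection over CloudTrail. The following added example (not from the AWS documentation) walks a list of decoded CloudTrail records for a key that is assumed to be dedicated to Amazon Location resources and flags: `CreateGrant` to a grantee that is not the regional `geo.<region>.amazonaws.com` principal or with operations beyond the three Amazon Location needs; `GenerateDataKeyWithoutPlaintext`/`Decrypt` calls whose encryption context is missing or names a tracker or geofence collection you do not own; and such calls that were not invoked by `geo.amazonaws.com`. The sample records are constructed, trimmed to the fields the check reads, and reuse the placeholder ARNs from the events above.

```python
LOCATION_SERVICE_PRINCIPAL = "geo.amazonaws.com"
CONTEXT_KEY = "aws:geo:arn"
# The only grant operations Amazon Location needs (see the CreateGrant event above).
GRANT_OPERATIONS = {"GenerateDataKeyWithoutPlaintext", "Decrypt", "DescribeKey"}

KEY_ARN = "arn:aws:kms:us-west-2:111122223333:key/1234abcd-12ab-34cd-56ef-123456SAMPLE"
COLLECTION_ARN = "arn:aws:geo:us-west-2:111122223333:geofence-collection/SAMPLE-GeofenceCollection"

# Tracker / geofence-collection ARNs that are allowed to appear in the encryption context.
OWNED_RESOURCES = {COLLECTION_ARN}

# Constructed sample CloudTrail records (decoded JSON, trimmed to the fields used here).
SAMPLE_EVENTS = [
    {"eventID": "evt-1", "eventSource": "kms.amazonaws.com", "eventName": "CreateGrant",
     "userIdentity": {"type": "AssumedRole", "invokedBy": LOCATION_SERVICE_PRINCIPAL},
     "requestParameters": {"granteePrincipal": "geo.us-west-2.amazonaws.com",
                           "retiringPrincipal": "geo.us-west-2.amazonaws.com",
                           "operations": sorted(GRANT_OPERATIONS), "keyId": KEY_ARN}},
    {"eventID": "evt-2", "eventSource": "kms.amazonaws.com", "eventName": "Decrypt",
     "userIdentity": {"type": "AWSService", "invokedBy": LOCATION_SERVICE_PRINCIPAL},
     "requestParameters": {"encryptionContext": {CONTEXT_KEY: COLLECTION_ARN}, "keyId": KEY_ARN}},
    # Service call bound to a resource ARN we do not own (constructed anomaly).
    {"eventID": "evt-3", "eventSource": "kms.amazonaws.com", "eventName": "Decrypt",
     "userIdentity": {"type": "AWSService", "invokedBy": LOCATION_SERVICE_PRINCIPAL},
     "requestParameters": {"encryptionContext": {
         CONTEXT_KEY: "arn:aws:geo:us-west-2:111122223333:tracker/UNKNOWN-Tracker"}, "keyId": KEY_ARN}},
    # Direct Decrypt by an IAM user, not via the service (constructed anomaly).
    {"eventID": "evt-4", "eventSource": "kms.amazonaws.com", "eventName": "Decrypt",
     "userIdentity": {"type": "IAMUser", "userName": "Sampleuser01"},
     "requestParameters": {"encryptionContext": {CONTEXT_KEY: COLLECTION_ARN}, "keyId": KEY_ARN}},
    {"eventID": "evt-5", "eventSource": "kms.amazonaws.com", "eventName": "DescribeKey",
     "userIdentity": {"type": "AssumedRole", "invokedBy": LOCATION_SERVICE_PRINCIPAL},
     "requestParameters": {"keyId": "00dd0db0-0000-0000-ac00-b0c000SAMPLE"}},
]


def is_geo_regional_principal(name):
    """True for grant principals of the form geo.<region>.amazonaws.com."""
    parts = name.split(".")
    return len(parts) == 4 and parts[0] == "geo" and parts[2:] == ["amazonaws", "com"]


def audit_location_kms_events(events, owned_resource_arns):
    """Return a list of (eventID, finding) tuples for suspicious KMS usage.

    Assumes the key is used only by Amazon Location, so every data-key operation
    must be invoked by geo.amazonaws.com and carry exactly the aws:geo:arn context.
    """
    findings = []
    for ev in events:
        if ev.get("eventSource") != "kms.amazonaws.com":
            continue
        eid = ev.get("eventID", "?")
        name = ev.get("eventName")
        params = ev.get("requestParameters") or {}
        invoked_by_location = (ev.get("userIdentity") or {}).get("invokedBy") == LOCATION_SERVICE_PRINCIPAL
        if name == "CreateGrant":
            for field in ("granteePrincipal", "retiringPrincipal"):
                principal = params.get(field, "")
                if not is_geo_regional_principal(principal):
                    findings.append((eid, f"CreateGrant {field} is not a Location principal: {principal!r}"))
            extra = set(params.get("operations", [])) - GRANT_OPERATIONS
            if extra:
                findings.append((eid, f"CreateGrant allows unexpected operations {sorted(extra)}"))
        elif name in ("GenerateDataKeyWithoutPlaintext", "Decrypt"):
            ctx = params.get("encryptionContext") or {}
            if set(ctx) != {CONTEXT_KEY}:
                findings.append((eid, f"{name} without the {CONTEXT_KEY} encryption context"))
            elif ctx[CONTEXT_KEY] not in owned_resource_arns:
                findings.append((eid, f"{name} bound to unknown resource {ctx[CONTEXT_KEY]}"))
            if not invoked_by_location:
                findings.append((eid, f"{name} not invoked by {LOCATION_SERVICE_PRINCIPAL}"))
    return findings


if __name__ == "__main__":
    for event_id, finding in audit_location_kms_events(SAMPLE_EVENTS, OWNED_RESOURCES):
        print(event_id, finding)
```

In practice the records would come from a CloudTrail log file or a CloudWatch Logs query rather than the constructed list.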

## Learn more
<a name="Learn-more-data-at-rest-encryption"></a>

The following resources provide more information about data encryption at rest.
+ For more information about [AWS Key Management Service basic concepts](https://docs.aws.amazon.com/kms/latest/developerguide/concepts.html), see the *AWS Key Management Service Developer Guide*.
+ For more information about [Security best practices for AWS Key Management Service](https://docs.aws.amazon.com/kms/latest/developerguide/kms-security.html), see the *AWS Key Management Service Developer Guide*.

# Data in transit encryption for Amazon Location Service
<a name="encryption-in-transit"></a>

Amazon Location protects data in transit, as it travels to and from the service, by automatically encrypting all inter-network data using the Transport Layer Security (TLS) 1.2 encryption protocol. Direct HTTPS requests sent to the Amazon Location Service APIs are signed by using the [AWS Signature Version 4 Algorithm](https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_sigv-create-signed-request.html) to establish a secure connection.

# Incident Response in Amazon Location Service
<a name="incident-response"></a>

Security is the highest priority at AWS. As part of the AWS Cloud [shared responsibility model](https://aws.amazon.com/compliance/shared-responsibility-model/), AWS manages a data center and network architecture that meets the requirements of the most security-sensitive organizations. As an AWS customer, you share a responsibility for maintaining security in the cloud. This means you control the security you choose to implement from the AWS tools and features you have access to.

By establishing a security baseline that meets the objectives for your applications running in the cloud, you're able to detect deviations that you can respond to. Since security incident response can be a complex topic, we encourage you to review the following resources so that you are better able to understand the impact that incident response (IR) and your choices have on your corporate goals: [AWS Security Incident Response Guide](https://docs.aws.amazon.com/whitepapers/latest/aws-security-incident-response-guide/aws-security-incident-response-guide.html), [AWS Security Best Practices](https://aws.amazon.com/architecture/security-identity-compliance/?cards-all.sort-by=item.additionalFields.sortDate&cards-all.sort-order=desc) whitepaper, and the [AWS Cloud Adoption Framework (AWS CAF)](https://aws.amazon.com/cloud-adoption-framework/#Security_Perspective).

# Logging and Monitoring in Amazon Location Service
<a name="security-logging-and-monitoring"></a>

Logging and monitoring are an important part of incident response. They let you establish a security baseline so that you can detect deviations, investigate them, and respond. By implementing logging and monitoring for Amazon Location Service, you're able to maintain the reliability, availability, and performance of your projects and resources.

AWS provides several tools that can help you log and collect data for incident response:

**AWS CloudTrail**  
Amazon Location Service integrates with AWS CloudTrail, which is a service that provides a record of actions taken by a user, role or AWS service. This includes actions from the Amazon Location Service console, and programmatic calls to Amazon Location API operations. These records of action are called events. For more information, see [Logging and monitoring Amazon Location Service with AWS CloudTrail](https://docs.aws.amazon.com/location/latest/developerguide/cloudtrail.html).

**Amazon CloudWatch**  
You can use Amazon CloudWatch to collect and analyze metrics related to your Amazon Location Service account. You can enable CloudWatch alarms to notify you when a metric meets conditions that you define, such as crossing a threshold. When an alarm changes state, CloudWatch publishes a notification to an Amazon Simple Notification Service (Amazon SNS) topic that you specify. For more information, see [Monitoring Amazon Location Service with Amazon CloudWatch](https://docs.aws.amazon.com/location/latest/developerguide/cloudwatch.html).

**AWS Health Dashboards**  
Using [AWS Health Dashboards](https://status.aws.amazon.com/), you can verify the current status of Amazon Location Service. You can also monitor and view historical data about any events or issues that might affect your AWS environment. For more information, see the [AWS Health User Guide](https://docs.aws.amazon.com/health/latest/ug/what-is-aws-health.html).

# Compliance validation for Amazon Location Service
<a name="compliance-validation"></a>

To learn whether an AWS service is within the scope of specific compliance programs, see [AWS services in Scope by Compliance Program](https://aws.amazon.com/compliance/services-in-scope/) and choose the compliance program that you are interested in. For general information, see [AWS Compliance Programs](https://aws.amazon.com/compliance/programs/).

You can download third-party audit reports using AWS Artifact. For more information, see [Downloading Reports in AWS Artifact](https://docs.aws.amazon.com/artifact/latest/ug/downloading-documents.html).

Your compliance responsibility when using AWS services is determined by the sensitivity of your data, your company's compliance objectives, and applicable laws and regulations. For more information about your compliance responsibility when using AWS services, see [AWS Security Documentation](https://docs.aws.amazon.com/security/).

# Resilience in Amazon Location Service
<a name="disaster-recovery-resiliency"></a>

The AWS global infrastructure is built around AWS Regions and Availability Zones. AWS Regions provide multiple physically separated and isolated Availability Zones, which are connected with low-latency, high-throughput, and highly redundant networking. With Availability Zones, you can design and operate applications and databases that automatically fail over between zones without interruption. Availability Zones are more highly available, fault tolerant, and scalable than traditional single or multiple data center infrastructures. 

For more information about AWS Regions and Availability Zones, see [AWS Global Infrastructure](https://aws.amazon.com/about-aws/global-infrastructure/).

In addition to the AWS global infrastructure, Amazon Location offers several features to help support your data resiliency and backup needs.

# Infrastructure security in Amazon Location Service
<a name="infrastructure-security"></a>

As a managed service, Amazon Location Service is protected by AWS global network security. For information about AWS security services and how AWS protects infrastructure, see [AWS Cloud Security](https://aws.amazon.com/security/). To design your AWS environment using the best practices for infrastructure security, see [Infrastructure Protection](https://docs.aws.amazon.com/wellarchitected/latest/security-pillar/infrastructure-protection.html) in *Security Pillar AWS Well‐Architected Framework*.

You use AWS published API calls to access Amazon Location through the network. Clients must support the following:
+ Transport Layer Security (TLS). We require TLS 1.2 and recommend TLS 1.3.
+ Cipher suites with perfect forward secrecy (PFS) such as DHE (Ephemeral Diffie-Hellman) or ECDHE (Elliptic Curve Ephemeral Diffie-Hellman). Most modern systems such as Java 7 and later support these modes.
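The AWS SDKs and the AWS CLI already negotiate TLS 1.2 or later with forward-secret cipher suites. If you call the API from a hand-written HTTPS client, you have to configure that yourself. The following is an added example, not AWS code: it builds a Python `ssl` context that meets the two requirements above and audits the enabled suites so that a non-PFS suite cannot slip in through a permissive OpenSSL default. It assumes the standard-library `ssl` module on an OpenSSL build that provides ECDHE/DHE AEAD suites; `get_over_tls` is only an illustration of where the context is plugged in and is not run offline.

```python
"""Client-side TLS configuration and audit for Amazon Location API calls.

Added example (not AWS SDK code). Enforces a TLS 1.2 floor and restricts the
cipher list to ephemeral (EC)DH key exchange, which is what gives perfect
forward secrecy; TLS 1.3 suites are always PFS and stay enabled."""
import re
import ssl
import urllib.request

# OpenSSL cipher-list syntax: ECDHE/DHE key exchange with AEAD bulk ciphers only.
# This string does not select TLS 1.3 suites; OpenSSL enables those separately.
PFS_AEAD_CIPHERS = (
    "ECDHE+AESGCM:ECDHE+CHACHA20:DHE+AESGCM:DHE+CHACHA20:!aNULL:!eNULL:!MD5"
)


def make_location_tls_context() -> ssl.SSLContext:
    """Context that verifies the server chain and hostname, refuses TLS < 1.2,
    and offers only forward-secret cipher suites."""
    ctx = ssl.create_default_context()
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2  # AWS requires 1.2; 1.3 preferred
    ctx.set_ciphers(PFS_AEAD_CIPHERS)
    return ctx


def is_pfs_cipher(cipher: dict) -> bool:
    """True when an SSLContext.get_ciphers() entry uses ephemeral key exchange.

    The OpenSSL description looks like
    'ECDHE-RSA-AES128-GCM-SHA256 TLSv1.2 Kx=ECDH Au=RSA Enc=AESGCM(128) Mac=AEAD';
    TLS 1.3 suites report 'Kx=any' but are forward secret by construction."""
    if cipher.get("protocol") == "TLSv1.3":
        return True
    match = re.search(r"\bKx=(\S+)", cipher.get("description", ""))
    return bool(match) and match.group(1) in ("ECDH", "DH")


def non_pfs_ciphers(ctx: ssl.SSLContext) -> list:
    """Names of enabled suites without forward secrecy; expected to be empty."""
    return [c["name"] for c in ctx.get_ciphers() if not is_pfs_cipher(c)]


def audit_context(ctx: ssl.SSLContext) -> dict:
    """Summary you can assert on in a test or print in a deployment check."""
    return {
        "minimum_version": ctx.minimum_version.name,
        "non_pfs": non_pfs_ciphers(ctx),
    }


def get_over_tls(url: str, ctx: ssl.SSLContext, timeout: float = 10.0) -> bytes:
    """Where the context is used. A real Amazon Location request also needs
    SigV4 (or API key) authentication headers; not exercised offline."""
    with urllib.request.urlopen(url, context=ctx, timeout=timeout) as resp:
        return resp.read()


if __name__ == "__main__":
    print(audit_context(make_location_tls_context()))
```

`audit_context` is the part worth keeping in CI: if an OpenSSL upgrade or a system-wide crypto policy re-enables an RSA key-exchange suite, `non_pfs` stops being empty and the build fails before the client ships.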

# AWS PrivateLink for Amazon Location
<a name="privatelink-interface-endpoints"></a>

With AWS PrivateLink for Amazon Location, you can provision *interface Amazon VPC endpoints* (interface endpoints) in your virtual private cloud (Amazon VPC). These endpoints are directly accessible from applications that are on premises over VPN and Direct Connect, or in a different AWS Region over [Amazon VPC peering](https://docs.aws.amazon.com/vpc/latest/peering/what-is-vpc-peering.html). Using AWS PrivateLink and interface endpoints, you can simplify private network connectivity from your applications to Amazon Location.

Applications in your VPC don't need public IP addresses to communicate with Amazon Location interface VPC endpoints for Amazon Location operations. Interface endpoints are represented by one or more elastic network interfaces (ENIs) that are assigned private IP addresses from subnets in your Amazon VPC. Requests to Amazon Location over interface endpoints stay on the Amazon network. You can also access interface endpoints in your Amazon VPC from on-premises applications through Direct Connect or AWS Virtual Private Network (Site-to-Site VPN). For more information about how to connect your Amazon VPC with your on-premises network, see the [Direct Connect User Guide](https://docs.aws.amazon.com/directconnect/latest/UserGuide/Welcome.html) and the [AWS Site-to-Site VPN User Guide](https://docs.aws.amazon.com/vpn/latest/s2svpn/VPC_VPN.html).

For general information about interface endpoints, see [Interface Amazon VPC endpoints (AWS PrivateLink)](https://docs.aws.amazon.com/vpc/latest/privatelink/create-interface-endpoint.html) in the *AWS PrivateLink Guide*.

**Topics**
+ [Types of Amazon VPC endpoints for Amazon Location Service](#types-of-vpc-endpoints-for-al)
+ [Considerations when using AWS PrivateLink for Amazon Location Service](#privatelink-considerations)
+ [Create an interface endpoint for Amazon Location Service](#al-creating-vpc)
+ [Access Amazon Location API operations from Amazon Location interface endpoints](#accessing-apis-from-interface-endpoints)
+ [Update an on-premises DNS configuration](#updating-on-premises-dns-config)
+ [Create an Amazon VPC endpoint policy for Amazon Location](#creating-vpc-endpoint-policy)

## Types of Amazon VPC endpoints for Amazon Location Service
<a name="types-of-vpc-endpoints-for-al"></a>

You can use one type of Amazon VPC endpoint to access Amazon Location Service: *interface endpoints* (by using AWS PrivateLink). *Interface endpoints* use private IP addresses to route requests to Amazon Location from within your Amazon VPC, on premises, or from an Amazon VPC in another AWS Region by using Amazon VPC peering. For more information, see [What is Amazon VPC peering?](https://docs.aws.amazon.com/vpc/latest/peering/what-is-vpc-peering.html) and [Transit Gateway vs Amazon VPC peering](https://docs.aws.amazon.com/whitepapers/latest/building-scalable-secure-multi-vpc-network-infrastructure/vpc-to-vpc-connectivity.html).

Interface endpoints are compatible with gateway endpoints. If you have an existing gateway endpoint in the Amazon VPC, you can use both types of endpoints in the same Amazon VPC.

Interface endpoints for Amazon Location have the following properties:
+ Your network traffic remains on the AWS network
+ Use private IP addresses from your Amazon VPC to access Amazon Location Service
+ Allows access from on premises
+ Allows access from an Amazon VPC endpoint in another AWS Region by using Amazon VPC peering or AWS Transit Gateway
+ Interface endpoints are billed

## Considerations when using AWS PrivateLink for Amazon Location Service
<a name="privatelink-considerations"></a>

Amazon VPC considerations apply to AWS PrivateLink for Amazon Location Service. For more information, see [Interface endpoint considerations](https://docs.aws.amazon.com/vpc/latest/privatelink/create-interface-endpoint.html) and [AWS PrivateLink quotas](https://docs.aws.amazon.com/vpc/latest/privatelink/vpc-limits-endpoints.html) in the *AWS PrivateLink Guide*. In addition, the following restrictions apply.

AWS PrivateLink for Amazon Location Service doesn't support the following:
+ Transport Layer Security (TLS) 1.1
+ Private and Hybrid Domain Name System (DNS) services

Amazon VPC endpoints:
+ Don't support [Amazon Location Service Maps API](https://docs.aws.amazon.com/location/latest/APIReference/API_Operations_Amazon_Location_Service_Maps_V2.html) operations, including `GetGlyphs`, `GetSprites`, and `GetStyleDescriptor`. Requests for those operations must use the public Regional endpoint.
+ Don't support cross-Region requests. Create the endpoint in the Region whose Amazon Location APIs you plan to call; clients in a peered VPC in another Region can still reach that endpoint through the private IP addresses of its network interfaces.
+ Only support Amazon-provided DNS through Amazon Route 53. If you want to use your own DNS, use conditional DNS forwarding. For more information, see [DHCP Options Sets](https://docs.aws.amazon.com/vpc/latest/userguide/VPC_DHCP_Options.html) in the *Amazon VPC User Guide*. 
+ Must allow inbound TCP connections on port 443 from your clients' subnets (or their security groups) through the security group attached to the endpoint's network interfaces; a missing rule shows up as a connection timeout, not as an Amazon Location error response.

You can submit up to 50,000 requests per second for each AWS PrivateLink endpoint that you enable.

**Note**  
Network connectivity timeouts to AWS PrivateLink endpoints are not within the scope of Amazon Location error responses and need to be appropriately handled by your applications connecting to the AWS PrivateLink endpoints.

## Create an interface endpoint for Amazon Location Service
<a name="al-creating-vpc"></a>

You can create an interface endpoint for Amazon Location Service using either the Amazon VPC Console or the AWS Command Line Interface (AWS CLI). For more information, see [Create an interface endpoint](https://docs.aws.amazon.com/vpc/latest/privatelink/create-interface-endpoint.html) in the *AWS PrivateLink Guide*.

There are six different VPC endpoints, one for each feature offered by Amazon Location Service.


| Category | Endpoint | 
| --- | --- | 
| Maps |  `com.amazonaws.region.geo.maps`  | 
| Places |  `com.amazonaws.region.geo.places`  | 
| Routes |  `com.amazonaws.region.geo.routes`  | 
| Geofences | `com.amazonaws.region.geo.geofencing` | 
| Trackers |  `com.amazonaws.region.geo.tracking`  | 
| Metadata |  `com.amazonaws.region.geo.metadata`  | 

**For example:**

```
com.amazonaws.us-east-2.geo.maps
```

When you create the endpoint, you have the option to enable a private DNS hostname. To enable it, select **Enable Private DNS Name** in the Amazon VPC Console when you create the VPC endpoint (or pass `--private-dns-enabled` to the AWS CLI).

If you enable private DNS for the interface endpoint, you can make API requests to Amazon Location Service using its default Regional DNS name, which then resolves to the endpoint's private IP addresses from inside the VPC. The following list shows the default Regional DNS name format. 
+ `maps.geo.region.amazonaws.com`
+ `places.geo.region.amazonaws.com`
+ `routes.geo.region.amazonaws.com`
+ `tracking.geo.region.amazonaws.com`
+ `geofencing.geo.region.amazonaws.com`
+ `metadata.geo.region.amazonaws.com`

The previous DNS names are IPv4-only. The following dual-stack DNS names, which serve both IPv4 and IPv6, can also be used for interface endpoints.
+ `maps.geo.region.api.aws`
+ `places.geo.region.api.aws`
+ `routes.geo.region.api.aws`
+ `tracking.geo.region.api.aws`
+ `geofencing.geo.region.api.aws`
+ `metadata.geo.region.api.aws`
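The naming above is regular enough to generate, and the one thing worth checking after enabling private DNS is that the Regional hostname now resolves to private addresses (the endpoint's network interfaces) rather than to public ones. The following is an added example, not AWS code: it builds the service name and hostnames from the formats listed in this section and verifies resolution. The resolver is injectable so the check can be unit-tested offline; the addresses in the test are constructed.

```python
"""Generate Amazon Location PrivateLink names and verify private DNS.

Added example (not AWS code). Name formats follow the tables in this section;
the check is meant to be run from a host inside the VPC (or on premises via
a forwarder) after 'Enable Private DNS Name' has been turned on."""
import ipaddress
import socket

FEATURES = ("maps", "places", "routes", "geofencing", "tracking", "metadata")


def endpoint_service_name(feature: str, region: str) -> str:
    """PrivateLink service name for `aws ec2 create-vpc-endpoint --service-name`."""
    if feature not in FEATURES:
        raise ValueError(f"unknown Amazon Location feature: {feature}")
    return f"com.amazonaws.{region}.geo.{feature}"


def regional_hostname(feature: str, region: str, dual_stack: bool = False) -> str:
    """Default Regional DNS name the SDKs use. With private DNS enabled it
    resolves to the endpoint ENIs instead of the public service addresses."""
    if feature not in FEATURES:
        raise ValueError(f"unknown Amazon Location feature: {feature}")
    suffix = "api.aws" if dual_stack else "amazonaws.com"
    return f"{feature}.geo.{region}.{suffix}"


def system_resolver(hostname: str) -> list:
    """Resolve with the host's configured DNS, i.e. what an app in the VPC sees."""
    infos = socket.getaddrinfo(hostname, 443, proto=socket.IPPROTO_TCP)
    return sorted({info[4][0] for info in infos})


def resolves_privately(hostname: str, resolver=system_resolver) -> tuple:
    """Return (ok, addresses). ok is True only when every answer is a private
    address (RFC 1918 or IPv6 ULA), meaning traffic is steered to the endpoint.
    An empty answer counts as a failure rather than a pass."""
    addrs = resolver(hostname)
    if not addrs:
        return False, []
    return all(ipaddress.ip_address(a).is_private for a in addrs), addrs


def privatelink_report(region: str, resolver=system_resolver) -> dict:
    """Hostname -> True/False for every Amazon Location feature in a Region."""
    report = {}
    for feature in FEATURES:
        host = regional_hostname(feature, region)
        ok, _addrs = resolves_privately(host, resolver)
        report[host] = ok
    return report


if __name__ == "__main__":
    import sys

    region = sys.argv[1] if len(sys.argv) > 1 else "us-east-2"
    for host, ok in privatelink_report(region).items():
        print(f"{'OK ' if ok else 'PUBLIC'}  {host}")
```

A `PUBLIC` line for a feature you expected to be private usually means private DNS was not enabled on that endpoint, or that the host is using a resolver other than the Amazon-provided one (see the DNS restriction in the considerations above). A mix of private and public answers for one name is also reported as a failure, because a client could then land on either path.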

## Access Amazon Location API operations from Amazon Location interface endpoints
<a name="accessing-apis-from-interface-endpoints"></a>

You can use the [AWS CLI](https://docs.aws.amazon.com/cli/latest/reference/location/) or [AWS SDKs](https://docs.aws.amazon.com/location/latest/developerguide/dev-sdks.html) to access Amazon Location API operations through Amazon Location interface endpoints.

**Example: Create a VPC endpoint**

The service name must belong to the same Region as `--region` (here, the Places endpoint in `us-east-1`), and `--private-dns-enabled` lets the SDKs keep using the default Regional hostname. Replace the `client-*` placeholders with your own VPC, subnet, and security group IDs.

```
aws ec2 create-vpc-endpoint \
  --region us-east-1 \
  --service-name com.amazonaws.us-east-1.geo.places \
  --vpc-id client-vpc-id \
  --subnet-ids client-subnet-id \
  --vpc-endpoint-type Interface \
  --security-group-ids client-sg-id \
  --private-dns-enabled
```

**Example: Modify a VPC endpoint**

Both `--policy-document` and `--add-security-group-ids` are optional. The policy file takes the form shown in [Create an Amazon VPC endpoint policy for Amazon Location](#creating-vpc-endpoint-policy); see the PrivateLink documentation for the remaining parameters.

```
aws ec2 modify-vpc-endpoint \
  --region us-east-1 \
  --vpc-endpoint-id client-vpc-endpoint-id \
  --policy-document file://endpoint-policy.json \
  --add-security-group-ids client-sg-id
```

## Update an on-premises DNS configuration
<a name="updating-on-premises-dns-config"></a>

When you use endpoint-specific DNS names to access the interface endpoints for Amazon Location, you don't have to update your on-premises DNS resolver. Endpoint-specific names are published in public DNS and resolve to the private IP addresses of the endpoint's network interfaces, so an on-premises resolver returns the private address without any forwarding rules.

You can use interface endpoints to access Amazon Location without a gateway endpoint or an internet gateway in the Amazon VPC. Interface endpoints in your Amazon VPC can route both in-VPC applications and on-premises applications to Amazon Location over the Amazon network.

## Create an Amazon VPC endpoint policy for Amazon Location
<a name="creating-vpc-endpoint-policy"></a>

You can attach an endpoint policy to your Amazon VPC endpoint that controls access to Amazon Location through that endpoint. An endpoint policy does not replace IAM: a request succeeds only if both the endpoint policy and the caller's IAM permissions allow it, and an endpoint without a policy allows full access to the service. The policy specifies the following information: 
+ The AWS Identity and Access Management (IAM) principal that can perform actions
+ The actions that can be performed
+ The resources on which actions can be performed

**Example:** Sample VPC endpoint policy for accessing Amazon Location Service Places APIs. Endpoint policies require a `Principal` element; `"*"` leaves the question of *who* may call to the caller's IAM identity policy, while the `Action` and `Resource` elements limit *what* can be reached through this endpoint:

```
{
	"Version": "2012-10-17",
	"Statement": [
		{
			"Sid": "Allow-access-to-location-service-places-operations",
			"Effect": "Allow",
			"Principal": "*",
			"Action": [
				"geo-places:*",
				"geo:*"
			],
			"Resource": [
				"arn:aws:geo-places:us-east-1::provider/default",
				"arn:aws:geo:us-east-1:*:place-index/*"
			]
		}
	]
}
```

# Configuration and vulnerability analysis in Amazon Location
<a name="vulnerability-analysis-and-management"></a>

Configuration and IT controls are a shared responsibility between AWS and you, our customer. For more information, see the AWS [shared responsibility model](https://aws.amazon.com/compliance/shared-responsibility-model/).

# Cross-service confused deputy prevention
<a name="cross-service-confused-deputy-prevention"></a>

The confused deputy problem is a security issue where an entity that doesn't have permission to perform an action can coerce a more-privileged entity to perform the action. In AWS, cross-service impersonation can result in the confused deputy problem. Cross-service impersonation can occur when one service (the *calling service*) calls another service (the *called service*). The calling service can be manipulated to use its permissions to act on another customer's resources in a way it should not otherwise have permission to access. To prevent this, AWS provides tools that help you protect your data for all services with service principals that have been given access to resources in your account. 

Amazon Location Service does not act as a calling service on your behalf to other AWS services, so you do not need to add these protections in this case. To learn more about confused deputy, see [The confused deputy problem](https://docs.aws.amazon.com/IAM/latest/UserGuide/confused-deputy.html) in the *AWS Identity and Access Management User Guide*.

# Best practices for Amazon Location Service
<a name="best-practices"></a>

This topic provides best practices to help you use Amazon Location Service. While these best practices can help you take full advantage of Amazon Location Service, they do not represent a complete solution. Follow only the recommendations that apply to your environment. 

**Topics**
+ [Security](#security-best-practice)

## Security
<a name="security-best-practice"></a>

To help manage or even avoid security risks, consider the following best practices:
+ Use identity federation and IAM roles to manage, control, or limit access to your Amazon Location resources. For more information, see [IAM Best Practices](https://docs.aws.amazon.com/IAM/latest/UserGuide/best-practices.html) in the *IAM User Guide*.
+ Follow the Principle of Least Privilege to grant only the minimum required access to your Amazon Location Service resources. 
+ For Amazon Location Service resources used in web applications, restrict access using an `aws:referer` IAM condition, limiting use to the sites on your allow-list. Because the `Referer` header is supplied by the caller, this limits casual reuse of your resources from other sites; it does not authenticate the caller and should be combined with least-privilege permissions and monitoring.
+ Use monitoring and logging tools to track resource access and usage. For more information, see [Logging and Monitoring in Amazon Location Service](security-logging-and-monitoring.md) and [Logging Data Events for Trails ](https://docs.aws.amazon.com/awscloudtrail/latest/userguide/logging-data-events-with-cloudtrail.html) in the AWS CloudTrail User Guide.
+ Use secure connections, such as those that begin with `https://` to add security and protect users against attacks while data is being transmitted between the server and browser.
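An `aws:referer` condition is only as good as its patterns, and IAM `StringLike` wildcards are easy to get subtly wrong. The following is an added example, not an AWS policy or AWS code: an illustrative role policy for a browser map client, plus a small matcher with `StringLike` semantics so you can see which `Referer` values a pattern admits before you deploy it. The action names and the resource ARN are assumptions modelled on the `geo-places` naming used elsewhere in this guide, not copied from the API reference; the referers tested are constructed.

```python
"""Model an aws:referer allow-list and test patterns against Referer values.

Added example (not AWS code). Actions and resource ARN are assumed for
illustration; the matcher implements IAM StringLike semantics
('*' = any run of characters, '?' = one character, case-sensitive)."""
import re

# Assumed policy for the role a browser client assumes (for example via Cognito).
MAP_RENDERING_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "RenderMapsOnlyFromOurSites",
            "Effect": "Allow",
            "Action": [
                "geo-maps:GetStyleDescriptor",
                "geo-maps:GetGlyphs",
                "geo-maps:GetSprites",
                "geo-maps:GetTile",
            ],
            "Resource": "arn:aws:geo-maps:us-east-1::provider/default",  # assumed ARN shape
            "Condition": {
                "StringLike": {
                    "aws:referer": [
                        "https://www.example.com/*",
                        "https://example.com/*",
                    ]
                }
            },
        }
    ],
}


def iam_string_like(pattern: str, value: str) -> bool:
    """IAM StringLike: '*' matches any sequence, '?' one character, rest literal."""
    regex = "".join(
        ".*" if ch == "*" else "." if ch == "?" else re.escape(ch) for ch in pattern
    )
    return re.fullmatch(regex, value, flags=re.DOTALL) is not None


def referer_allowed(policy: dict, referer: str) -> bool:
    """Does any Allow statement's aws:referer condition admit this Referer value?

    Only the referer condition is modelled here; real evaluation also matches
    action and resource. A request with no Referer header fails StringLike."""
    for stmt in policy["Statement"]:
        if stmt.get("Effect") != "Allow":
            continue
        patterns = stmt.get("Condition", {}).get("StringLike", {}).get("aws:referer", [])
        if isinstance(patterns, str):
            patterns = [patterns]
        if any(iam_string_like(p, referer) for p in patterns):
            return True
    return False


def allowed_by_patterns(patterns: list, referer: str) -> bool:
    """Evaluate a candidate pattern list on its own, for testing before deploying."""
    policy = {
        "Version": "2012-10-17",
        "Statement": [
            {
                "Effect": "Allow",
                "Action": "geo-maps:*",
                "Resource": "*",
                "Condition": {"StringLike": {"aws:referer": patterns}},
            }
        ],
    }
    return referer_allowed(policy, referer)


if __name__ == "__main__":
    # Constructed referers: the trailing "/" in the pattern is what keeps
    # "example.com.attacker.test" out; "https://example.com*" would let it in.
    for ref in ("https://www.example.com/map.html", "https://example.com.attacker.test/"):
        print(ref, "->", referer_allowed(MAP_RENDERING_POLICY, ref))
```

Run the matcher over the referers you expect to see (your own origins, `http://` variants, subdomains, an empty header) before attaching the policy. The pattern `https://example.com/*` and the pattern `https://example.com*` differ by one character and the second admits any host that merely starts with `example.com`.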

### Detective security best practices for Amazon Location Service
<a name="security-best-practices-detective"></a>

The following best practices for Amazon Location Service can help detect security incidents:

**Implement AWS monitoring tools**  
Monitoring is critical to incident response and to maintaining the reliability and security of Amazon Location Service resources and your solutions. AWS offers several tools and services that you can use to monitor your Amazon Location resources alongside your other AWS services.   
For example, Amazon CloudWatch allows you to monitor metrics for Amazon Location Service and to set up alarms that notify you when a metric meets conditions you've set, such as reaching a threshold you've defined. When you create an alarm, you can configure CloudWatch to send a notification through Amazon Simple Notification Service. For more information, see [Logging and Monitoring in Amazon Location Service](security-logging-and-monitoring.md).

**Enable AWS logging tools**  
Logging provides a record of actions taken by a user, role or an AWS service in Amazon Location Service. You can implement logging tools such as AWS CloudTrail to collect data on actions to detect unusual API activity.   
When you create a trail, you can configure CloudTrail to log events. Events are records of resource operations performed on or within a resource such as the request made to Amazon Location, the IP address from which the request was made, who made the request, when the request was made, along with additional data. For more information, see [Logging Data Events for Trails](https://docs.aws.amazon.com/awscloudtrail/latest/userguide/logging-data-events-with-cloudtrail.html) in the AWS CloudTrail User Guide.
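Collecting the records is only half of detection; something has to read them. The following is an added example, not AWS code: a small detection pass over CloudTrail records for Amazon Location activity that flags calls which bypassed your PrivateLink endpoint, bursts of `AccessDenied` from one principal, and destructive operations. The field names used (`eventSource`, `eventName`, `sourceIPAddress`, `userIdentity.arn`, `vpcEndpointId`, `errorCode`) are standard CloudTrail record fields; the sample records themselves, including the event source strings, ARNs, IP addresses, and endpoint ID, are constructed for the example and the `geo`-prefix test for "is this a Location event" is an assumption you should confirm against your own trail.

```python
"""Detection pass over CloudTrail records for Amazon Location API activity.

Added example (not AWS code). Records are constructed, one JSON document per
line, in the shape CloudTrail delivers to S3 or CloudWatch Logs."""
import json
from collections import Counter

SAMPLE_LOG = r'''
{"eventSource":"geo.amazonaws.com","eventName":"BatchUpdateDevicePosition","awsRegion":"us-east-1","sourceIPAddress":"10.0.1.25","vpcEndpointId":"vpce-0123456789abcdef0","userIdentity":{"arn":"arn:aws:sts::123456789012:assumed-role/TrackerWriter/gw-1"}}
{"eventSource":"geo.amazonaws.com","eventName":"GetDevicePosition","awsRegion":"us-east-1","sourceIPAddress":"203.0.113.7","userIdentity":{"arn":"arn:aws:iam::123456789012:user/contractor"}}
{"eventSource":"geo-places.amazonaws.com","eventName":"SearchText","awsRegion":"us-east-1","sourceIPAddress":"10.0.2.40","vpcEndpointId":"vpce-0123456789abcdef0","userIdentity":{"arn":"arn:aws:sts::123456789012:assumed-role/PlacesReader/app"}}
{"eventSource":"geo.amazonaws.com","eventName":"ListDevicePositions","awsRegion":"us-east-1","sourceIPAddress":"198.51.100.9","errorCode":"AccessDenied","userIdentity":{"arn":"arn:aws:iam::123456789012:user/contractor"}}
{"eventSource":"geo.amazonaws.com","eventName":"ListDevicePositions","awsRegion":"us-east-1","sourceIPAddress":"198.51.100.9","errorCode":"AccessDenied","userIdentity":{"arn":"arn:aws:iam::123456789012:user/contractor"}}
{"eventSource":"geo.amazonaws.com","eventName":"ListDevicePositions","awsRegion":"us-east-1","sourceIPAddress":"198.51.100.9","errorCode":"AccessDenied","userIdentity":{"arn":"arn:aws:iam::123456789012:user/contractor"}}
{"eventSource":"geo.amazonaws.com","eventName":"DeleteTracker","awsRegion":"us-east-1","sourceIPAddress":"10.0.1.25","vpcEndpointId":"vpce-0123456789abcdef0","userIdentity":{"arn":"arn:aws:sts::123456789012:assumed-role/TrackerWriter/gw-1"}}
{"eventSource":"s3.amazonaws.com","eventName":"GetObject","awsRegion":"us-east-1","sourceIPAddress":"10.0.1.25","userIdentity":{"arn":"arn:aws:sts::123456789012:assumed-role/TrackerWriter/gw-1"}}
'''

# Endpoint IDs through which Location traffic is expected to arrive (assumed).
EXPECTED_ENDPOINTS = {"vpce-0123456789abcdef0"}
DENIAL_THRESHOLD = 3  # AccessDenied count per principal that triggers a finding


def is_location_event(record: dict) -> bool:
    """Assumed convention: Location event sources start with 'geo'."""
    source = record.get("eventSource", "")
    return source == "geo.amazonaws.com" or source.startswith("geo-")


def parse_records(text: str) -> list:
    """One JSON record per non-empty line."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]


def detect(records: list, expected_endpoints=EXPECTED_ENDPOINTS,
           denial_threshold=DENIAL_THRESHOLD) -> list:
    """Return (kind, principal, detail, source_ip) tuples for suspicious activity."""
    findings = []
    denials = Counter()
    for rec in records:
        if not is_location_event(rec):
            continue
        principal = rec.get("userIdentity", {}).get("arn", "<unknown>")
        name = rec.get("eventName", "")
        ip = rec.get("sourceIPAddress")
        # Calls that did not traverse one of our interface endpoints: vpcEndpointId
        # is absent for requests to the public endpoint.
        if rec.get("vpcEndpointId") not in expected_endpoints:
            findings.append(("off-endpoint", principal, name, ip))
        if rec.get("errorCode") == "AccessDenied":
            denials[principal] += 1
        # Destructive operations deserve a look even when everything else is normal.
        if name.startswith("Delete"):
            findings.append(("destructive-op", principal, name, ip))
    for principal, count in denials.items():
        if count >= denial_threshold:
            findings.append(("denied-burst", principal, f"{count} AccessDenied", None))
    return findings


def finding_kinds(findings: list) -> Counter:
    return Counter(kind for kind, *_ in findings)


if __name__ == "__main__":
    for finding in detect(parse_records(SAMPLE_LOG)):
        print(*finding)
```

The `off-endpoint` rule is the one most specific to this page: once PrivateLink is mandatory in an environment, a Location call without a `vpcEndpointId` means a client reached the public endpoint, typically a misconfigured host or credentials used from outside the VPC. Tune `DENIAL_THRESHOLD` and the endpoint set to your environment; in production these records come from the trail's S3 bucket or a CloudWatch Logs subscription rather than a string.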

### Preventive security best practices for Amazon Location Service
<a name="security-best-practices-preventive"></a>

The following best practices for Amazon Location Service can help prevent security incidents:

**Use secure connections**  
Always use encrypted connections, such as those that begin with `https://` to keep sensitive information secure in transit.

**Implement least privilege access to resources**  
When you create custom policies to Amazon Location resources, grant only the permissions required to perform a task. It's recommended to start with a minimum set of permissions and grant additional permissions as needed. Implementing least privilege access is essential to reducing the risk and impact that could result from errors or malicious attacks. For more information, see [Use AWS Identity and Access Management to authenticate](security-iam.md).

**Use globally-unique IDs as device IDs**  
Use the following conventions for device IDs.  
+ Device IDs must be unique.
+ Device IDs should not be treated as secrets, because they are used as foreign keys into other systems.
+ Device IDs should not contain personally-identifiable information (PII), such as phone numbers, phone hardware identifiers, or email addresses.
+ Device IDs should not be predictable. Opaque random identifiers such as UUIDs are recommended.

**Do not include PII in device position properties**  
When sending device updates (for example, using [DevicePositionUpdate](https://docs.aws.amazon.com/location/latest/APIReference/API_WaypointTracking_DevicePositionUpdate.html)), do not include personally-identifiable information (PII) such as phone number or email address in the `PositionProperties`.
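The two recommendations above are easy to enforce at the point where position updates are assembled. The following is an added example, not AWS code or SDK code: it generates opaque device IDs, rejects IDs that look like emails, phone numbers, or sequential labels, and refuses to build an update whose `PositionProperties` look like PII. The payload mirrors the `DevicePositionUpdate` field names (`DeviceId`, `Position` as `[longitude, latitude]`, `SampleTime`, `Accuracy`, `PositionProperties`); the PII heuristics and the example property names are assumptions, and the inputs in the test are constructed.

```python
"""Device-ID and PositionProperties hygiene for Amazon Location trackers.

Added example (not AWS code). The update dict follows the DevicePositionUpdate
field names; the PII checks are heuristics, meant as a last line of defence
behind a schema that only allows known, non-personal property keys."""
import re
import uuid
from datetime import datetime, timezone

# Random (version 4) UUID as produced by uuid.uuid4(): opaque and unpredictable.
UUID4_RE = re.compile(
    r"^[0-9a-f]{8}-[0-9a-f]{4}-4[0-9a-f]{3}-[89ab][0-9a-f]{3}-[0-9a-f]{12}$"
)
EMAIL_RE = re.compile(r"[^@\s]+@[^@\s]+\.[^@\s]+")
PHONE_RE = re.compile(r"\+?\d[\d\s().-]{7,}\d")  # loose; digit count checked below
PII_KEY_HINTS = ("phone", "email", "name", "imei", "ssn", "address")  # assumed list


def new_device_id() -> str:
    """Globally unique, random, and unrelated to the user or the hardware."""
    return str(uuid.uuid4())


def is_acceptable_device_id(device_id: str) -> bool:
    """Accept only random UUIDs; emails, phone numbers and 'device-0001' fail."""
    return bool(UUID4_RE.match(device_id))


def looks_like_pii(key: str, value: str) -> bool:
    """Flag suspicious property keys, e-mail addresses, and phone-like strings
    (10+ digits, so dates and short codes are not caught)."""
    if any(hint in key.lower() for hint in PII_KEY_HINTS):
        return True
    if EMAIL_RE.search(value):
        return True
    match = PHONE_RE.search(value)
    return bool(match) and sum(c.isdigit() for c in match.group()) >= 10


def build_position_update(device_id: str, longitude: float, latitude: float,
                          properties: dict = None, accuracy_m: float = None,
                          sample_time: datetime = None) -> dict:
    """Assemble one DevicePositionUpdate-shaped entry, refusing PII."""
    if not is_acceptable_device_id(device_id):
        raise ValueError("device id must be an opaque random UUID")
    props = {str(k): str(v) for k, v in (properties or {}).items()}
    offenders = [k for k, v in props.items() if looks_like_pii(k, v)]
    if offenders:
        raise ValueError(f"PositionProperties look like PII: {offenders}")
    when = sample_time or datetime.now(timezone.utc)
    update = {
        "DeviceId": device_id,
        "Position": [longitude, latitude],  # Amazon Location order: [lon, lat]
        "SampleTime": when.isoformat(),
        "PositionProperties": props,
    }
    if accuracy_m is not None:
        update["Accuracy"] = {"Horizontal": accuracy_m}
    return update


if __name__ == "__main__":
    device = new_device_id()
    print(build_position_update(device, -122.33, 47.61,
                                {"vehicle_class": "van", "route": "R17"}, 5.0))
```

Keep the mapping from device ID to customer or vehicle in your own system of record; the tracker only ever sees the UUID. The heuristics are deliberately conservative and will not catch every form of PII, which is why the usage note recommends an allow-list of property keys in front of them.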