Security - Account Assessment for AWS Organizations
IAM rolesAmazon CloudFrontAmazon DynamoDBAWS WAF

Security

When you build systems on AWS infrastructure, security responsibilities are shared between you and AWS. This shared responsibility model reduces your operational burden because AWS operates, manages, and controls the components including the host operating system, the virtualization layer, and the physical security of the facilities in which the services operate. For more information about AWS security, visit AWS Cloud Security.

IAM roles

IAM roles allow you to assign granular access policies and permissions to services and users on the AWS Cloud. This solution creates IAM roles that grant the solution’s Lambda functions access to create Regional resources.

Amazon CloudFront

This solution deploys a web console hosted in an Amazon S3 bucket. To help reduce latency and improve security, this solution includes a CloudFront distribution with an origin access identity, which is a CloudFront user that provides public access to the solution’s website bucket contents. For more information, refer to Restricting access to an Amazon S3 origin in the Amazon CloudFront Developer Guide.

Note

If you require Transport Layer Security (TLS) 1.2, you can configure a custom domain (also called an alternate domain name) in CloudFront and API Gateway.

Amazon DynamoDB

All user data stored in DynamoDB is encrypted at rest using encryption keys stored in AWS KMS. We recommend enforcing AWS Managed Keys because they will allow you to audit key usage. Refer to Managing encrypted tables in DynamoDB for more information.

AWS WAF

AWS WAF is a web application firewall that helps protect web applications and APIs from attacks. It allows you to configure a web ACL that allows, blocks, or counts web requests based on configurable web security rules and conditions that you define. For more information, refer to How AWS WAF Works.

You can use AWS WAF to protect your API Gateway API from common web exploits, such as SQL injection and XSS attacks. These types of attacks could affect API availability and performance, compromise security, or consume excessive resources. For example, you can create rules to allow or block requests from specified IP address ranges, requests from Classless Inter-Domain Routing (CIDR) blocks, requests that originate from a specific country or Region, requests that contain malicious SQL code, or requests that contain malicious script.