Security - Modular Cloud Studio on AWS

Security

When you build systems on AWS infrastructure, security responsibilities are shared between you and AWS. This shared responsibility model reduces your operational burden because AWS operates, manages, and controls the components including the host operating system, the virtualization layer, and the physical security of the facilities in which the services operate. For more information about AWS security, visit AWS Cloud Security.

IAM roles

This solution creates IAM roles that grant the solution’s Lambda functions access to create Regional resources. These Lambda functions are invoked when:

  • The solution creates custom resources during stack deployments

  • The MCS API is called

  • AWS Step Functions run when registering and de-registering modules

A stack set execution IAM role is required to provision and terminate Service Catalog products when enabling and disabling modules. This role has PowerUserAccess, along with the IAM permissions it needs to create and update IAM roles for modules. Note that the AWS managed PowerUserAccess policy on its own excludes almost all IAM actions (it allows only a few read-only and service-linked-role actions), so review the role's attached policies after deployment to see exactly where its IAM permissions come from, and treat the role as highly privileged: a principal that can create and update IAM roles can escalate to any permission those roles may hold.

Amazon CloudFront

This solution deploys a web console hosted in an S3 bucket. To help reduce latency and improve security, this solution includes a CloudFront distribution with an origin access identity (OAI), a special CloudFront principal that is granted read access to the website bucket in the bucket policy. CloudFront reads the content through the OAI, so the bucket itself stays private and does not need to be publicly readable. For more information, see Restricting Access to Amazon S3 Content by Using an Origin Access Identity in the Amazon CloudFront Developer Guide. Note that CloudFront now recommends origin access control (OAC) over OAI for new distributions; OAC works the same way but also supports SSE-KMS encrypted objects and all AWS Regions.
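The bucket policy is the control that makes the OAI approach work: only the OAI principal may read objects, and there must be no wildcard-principal Allow that re-opens the bucket. The following is an added example (not the solution's own template or code) showing a private-to-OAI policy next to the public-read policy it replaces, plus a small audit that flags wildcard-principal read grants. The bucket name and OAI ID are hypothetical; the audit ignores Condition elements, so a real review should still read any conditioned statements by hand.

```python
import json

# Hypothetical identifiers for this example; the solution's real bucket and OAI differ.
WEBSITE_BUCKET = "mcs-web-console-example-bucket"
OAI_ID = "E1EXAMPLEOAI123"
OAI_PRINCIPAL = "arn:aws:iam::cloudfront:user/CloudFront Origin Access Identity " + OAI_ID

# Correct shape: only the OAI may read objects, so the bucket stays private.
PRIVATE_TO_OAI_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "AllowCloudFrontOAIRead",
            "Effect": "Allow",
            "Principal": {"AWS": OAI_PRINCIPAL},
            "Action": "s3:GetObject",
            "Resource": f"arn:aws:s3:::{WEBSITE_BUCKET}/*",
        }
    ],
}

# Weak alternative: world-readable objects, which is what the OAI exists to avoid.
PUBLIC_READ_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "PublicRead",
            "Effect": "Allow",
            "Principal": "*",
            "Action": "s3:GetObject",
            "Resource": f"arn:aws:s3:::{WEBSITE_BUCKET}/*",
        }
    ],
}

READ_ACTIONS = {"s3:GetObject", "s3:*", "*"}


def _principals(statement):
    """Flatten the Principal element ('*', {'AWS': '...'}, {'AWS': [...]}) to a list of strings."""
    principal = statement.get("Principal", {})
    if isinstance(principal, str):
        return [principal]
    flat = []
    for value in principal.values():
        flat.extend(value if isinstance(value, list) else [value])
    return flat


def _actions(statement):
    action = statement.get("Action", [])
    return action if isinstance(action, list) else [action]


def audit_bucket_policy(policy, oai_principal):
    """Report Allow statements that grant object reads to everyone, and whether the OAI can read.

    Condition elements are deliberately ignored here (conservative: a conditioned
    wildcard statement is still reported so a human reviews it).
    """
    public_read_sids = []
    oai_can_read = False
    for stmt in policy.get("Statement", []):
        if stmt.get("Effect") != "Allow":
            continue
        grants_read = any(a in READ_ACTIONS for a in _actions(stmt))
        principals = _principals(stmt)
        if grants_read and "*" in principals:
            public_read_sids.append(stmt.get("Sid", "<no Sid>"))
        if grants_read and oai_principal in principals:
            oai_can_read = True
    return {"public_read_sids": public_read_sids, "oai_can_read": oai_can_read}


if __name__ == "__main__":
    for label, policy in (("private", PRIVATE_TO_OAI_POLICY), ("public", PUBLIC_READ_POLICY)):
        print(label, json.dumps(audit_bucket_policy(policy, OAI_PRINCIPAL)))
```

To run this against a live bucket, feed it the output of `aws s3api get-bucket-policy --bucket <name> --query Policy --output text` parsed with `json.loads`. Also keep S3 Block Public Access enabled on the bucket; it rejects wildcard-principal policies at write time, which is a stronger control than auditing after the fact.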

CloudFront and API Gateway minimum TLS version

The solution uses the default CloudFront domain (*.cloudfront.net), for which CloudFront fixes the minimum supported TLS version at v1.0; this cannot be raised while the default domain is in use. For enhanced security, we recommend configuring a minimum TLS version of v1.2. To achieve this, you must set up a custom CloudFront domain with an ACM certificate and then select a TLSv1.2 security policy in the distribution's viewer certificate settings. Follow the instructions provided in Set up a custom CloudFront domain in the Amazon CloudFront Developer Guide.

The solution also uses the default API Gateway domain, which allows TLS v1.0 and above by default. With an API Gateway custom domain name you can select the TLS_1_2 security policy instead. For more information, see Choose a security policy for your REST API custom domain in API Gateway in the Amazon API Gateway Developer Guide.
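The two checks above can be automated from the shapes that `aws cloudfront get-distribution-config` and `aws apigateway get-domain-names` return. The example below is added here and is not code from the solution; the sample configurations are constructed, and the certificate ARN and domain names are placeholders. It encodes the rule that a distribution on the default certificate is stuck at TLSv1 and that only the TLSv1.2_* CloudFront policies and the TLS_1_2 API Gateway policy meet the recommendation.

```python
# CloudFront viewer security policies that enforce TLS 1.2 or newer.
TLS12_CLOUDFRONT_POLICIES = {"TLSv1.2_2018", "TLSv1.2_2019", "TLSv1.2_2021"}


def cloudfront_viewer_tls(distribution_config):
    """Return (minimum_protocol_version, meets_tls12) for a DistributionConfig dict.

    When CloudFrontDefaultCertificate is true the distribution serves only the
    default *.cloudfront.net domain and CloudFront fixes the minimum at TLSv1,
    whatever MinimumProtocolVersion says; a custom domain with an ACM cert is
    the only way to raise it.
    """
    cert = distribution_config.get("ViewerCertificate", {})
    if cert.get("CloudFrontDefaultCertificate"):
        return "TLSv1", False
    minimum = cert.get("MinimumProtocolVersion", "TLSv1")
    return minimum, minimum in TLS12_CLOUDFRONT_POLICIES


def apigw_domains_below_tls12(domain_names):
    """Return REST API custom domain names whose security policy is not TLS_1_2.

    `domain_names` is the 'items' list from `aws apigateway get-domain-names`.
    A missing securityPolicy is treated as TLS_1_0, the API Gateway default.
    """
    return [
        d["domainName"]
        for d in domain_names
        if d.get("securityPolicy", "TLS_1_0") != "TLS_1_2"
    ]


# Constructed samples (not real resources), in the shape of
# `aws cloudfront get-distribution-config` .DistributionConfig
DEFAULT_DOMAIN_CONFIG = {
    "ViewerCertificate": {
        "CloudFrontDefaultCertificate": True,
        "MinimumProtocolVersion": "TLSv1",
        "CertificateSource": "cloudfront",
    }
}
CUSTOM_DOMAIN_CONFIG = {
    "Aliases": {"Quantity": 1, "Items": ["studio.example.com"]},
    "ViewerCertificate": {
        # Placeholder ARN; the certificate for a CloudFront alias must live in us-east-1.
        "ACMCertificateArn": "arn:aws:acm:us-east-1:111122223333:certificate/example",
        "SSLSupportMethod": "sni-only",
        "MinimumProtocolVersion": "TLSv1.2_2021",
        "CertificateSource": "acm",
    },
}
# Constructed sample in the shape of `aws apigateway get-domain-names` .items
SAMPLE_APIGW_DOMAINS = [
    {"domainName": "api-old.example.com", "securityPolicy": "TLS_1_0"},
    {"domainName": "api.example.com", "securityPolicy": "TLS_1_2"},
]

if __name__ == "__main__":
    for name, cfg in (("default domain", DEFAULT_DOMAIN_CONFIG), ("custom domain", CUSTOM_DOMAIN_CONFIG)):
        print(name, cloudfront_viewer_tls(cfg))
    print("API Gateway domains below TLS 1.2:", apigw_domains_below_tls12(SAMPLE_APIGW_DOMAINS))
```

For an existing API Gateway custom domain the fix is a single patch, `aws apigateway update-domain-name --domain-name <name> --patch-operations op=replace,path=/securityPolicy,value=TLS_1_2`; for CloudFront, the equivalent is updating the distribution's ViewerCertificate to the shape of CUSTOM_DOMAIN_CONFIG above.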

Security groups

The solution creates security groups designed to control and isolate network traffic between the module resources and the VPC created or imported in the Network modules.

We recommend that you review the security groups and further restrict access as needed after deployment. See Control traffic to your AWS resources using security groups for more information.

The following modules create security groups to allow traffic to/from the VPC:

  • Managed Active Directory module - Allow the VPC's default Domain Name System (DNS) resolver to resolve names from Microsoft Active Directory

  • Leostream Broker module - Environment configuration and AMI pipelines

  • Leostream Gateway module - Automation and Application Load Balancers

  • FSx for Windows File Server module - FSx file system
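The review recommended above usually starts with one question: which inbound rules are open to the whole internet? The following added example (not part of the solution) runs that check over the shape that `aws ec2 describe-security-groups` returns. The three sample groups are constructed to resemble the module groups listed above, with hypothetical IDs and an assumed VPC range of 10.0.0.0/16; a public ALB listener on 443 is expected to show up, the RDP rule is the kind of mistake the check exists to catch.

```python
ANY_IPV4 = "0.0.0.0/0"
ANY_IPV6 = "::/0"


def _port_range(permission):
    """Render the port range of an IpPermission; protocol -1 means all ports."""
    if permission.get("IpProtocol") == "-1":
        return "all"
    return f'{permission.get("FromPort")}-{permission.get("ToPort")}'


def world_open_ingress(security_groups):
    """Return (GroupId, protocol, ports, cidr) for every inbound rule open to any address.

    `security_groups` is the 'SecurityGroups' list from `aws ec2 describe-security-groups`.
    Rules that reference other security groups (UserIdGroupPairs) are not internet-open
    and are skipped on purpose.
    """
    findings = []
    for sg in security_groups:
        for perm in sg.get("IpPermissions", []):
            cidrs = [r["CidrIp"] for r in perm.get("IpRanges", [])]
            cidrs += [r["CidrIpv6"] for r in perm.get("Ipv6Ranges", [])]
            for cidr in cidrs:
                if cidr in (ANY_IPV4, ANY_IPV6):
                    findings.append((sg["GroupId"], perm.get("IpProtocol"), _port_range(perm), cidr))
    return findings


VPC_CIDR = "10.0.0.0/16"  # assumed VPC range for the constructed sample

# Constructed sample groups (hypothetical IDs and names).
SAMPLE_SECURITY_GROUPS = [
    {   # Managed AD: DNS only, and only from inside the VPC -> nothing to report
        "GroupId": "sg-0aaaaaaaaaaaaaaa1",
        "GroupName": "mcs-managed-ad",
        "IpPermissions": [
            {"IpProtocol": "udp", "FromPort": 53, "ToPort": 53,
             "IpRanges": [{"CidrIp": VPC_CIDR}], "Ipv6Ranges": []},
            {"IpProtocol": "tcp", "FromPort": 53, "ToPort": 53,
             "IpRanges": [{"CidrIp": VPC_CIDR}], "Ipv6Ranges": []},
        ],
    },
    {   # Gateway ALB: HTTPS from anywhere is expected for a public listener, still worth a look
        "GroupId": "sg-0aaaaaaaaaaaaaaa2",
        "GroupName": "mcs-leostream-gateway-alb",
        "IpPermissions": [
            {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443,
             "IpRanges": [{"CidrIp": ANY_IPV4}], "Ipv6Ranges": [{"CidrIpv6": ANY_IPV6}]},
        ],
    },
    {   # The mistake to catch: RDP open to the whole internet
        "GroupId": "sg-0aaaaaaaaaaaaaaa3",
        "GroupName": "mcs-broker-admin",
        "IpPermissions": [
            {"IpProtocol": "tcp", "FromPort": 3389, "ToPort": 3389,
             "IpRanges": [{"CidrIp": ANY_IPV4}], "Ipv6Ranges": []},
        ],
    },
]

if __name__ == "__main__":
    for finding in world_open_ingress(SAMPLE_SECURITY_GROUPS):
        print("open to internet:", finding)
```

Against a real account, pipe `aws ec2 describe-security-groups --filters Name=vpc-id,Values=<vpc-id>` into `json.load` and pass the `SecurityGroups` list; anything reported that is not a deliberate public listener should be narrowed to the VPC CIDR, a VPN range, or a referencing security group.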

Secrets Manager

AWS Secrets Manager securely stores and manages sensitive credentials generated by MCS modules. This service provides automatic encryption, access control, and audit logging for all stored secrets.

Secrets created by modules

The following modules automatically create and manage secrets in AWS Secrets Manager:

Identity Module (AWS Managed Microsoft AD)

  • StudioAdmin user credentials - Default admin user for end-user access

  • SA_AdConnectorUser credentials - Service account for cross-region AD communication

  • SA_McsModulesUser credentials - General service account for module integrations

Leostream Broker Module

  • API service user credentials - Authentication for Leostream API operations

  • Amazon RDS database credentials - Database connection credentials for the Leostream broker

Password Management

  • This solution does not provide automatic secrets rotation. Depending on your security requirements, you may consider manually rotating the credentials for your Leostream Connection Broker database.

  • AWS Managed Microsoft AD passwords expire every 90 days and require manual rotation.

  • Follow the steps in Password Rotation to update passwords across all dependent services.
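Because nothing rotates these secrets automatically, a practitioner needs to know which ones are approaching the 90-day Active Directory expiry before logins start failing. The example below is added here and is not part of the solution; it computes the days left on each secret from the timestamps that Secrets Manager returns (`LastRotatedDate`, `LastChangedDate`, `CreatedDate`) and lists those inside a warning window or already expired. The secret names, dates and the fixed "now" are constructed; applying the 90-day cadence to the RDS credential is this example's choice, not a documented expiry.

```python
from datetime import datetime, timedelta, timezone

# AWS Managed Microsoft AD passwords expire after 90 days, as stated above.
AD_MAX_PASSWORD_AGE = timedelta(days=90)


def secrets_due_for_rotation(secrets, now, max_age=AD_MAX_PASSWORD_AGE,
                             warn_before=timedelta(days=14)):
    """Return [(name, days_until_expiry)] for secrets expiring within `warn_before`.

    A negative day count means the credential has already passed `max_age`.
    Each item has the timestamp fields boto3's list_secrets/describe_secret return;
    the most recent of LastRotatedDate / LastChangedDate / CreatedDate counts as
    the time the password was last set. Result is sorted, most urgent first.
    """
    due = []
    for secret in secrets:
        candidates = (secret.get("LastRotatedDate"),
                      secret.get("LastChangedDate"),
                      secret.get("CreatedDate"))
        last_set = max(d for d in candidates if d is not None)
        remaining = (last_set + max_age) - now
        if remaining <= warn_before:
            due.append((secret["Name"], remaining.days))
    return sorted(due, key=lambda item: item[1])


# Constructed sample: hypothetical secret names and a fixed clock, timezone-aware like boto3.
NOW = datetime(2025, 1, 15, tzinfo=timezone.utc)
SAMPLE_SECRETS = [
    {"Name": "mcs/identity/StudioAdmin",
     "CreatedDate": NOW - timedelta(days=100)},                       # never changed: expired
    {"Name": "mcs/identity/SA_McsModulesUser",
     "CreatedDate": NOW - timedelta(days=200),
     "LastChangedDate": NOW - timedelta(days=80)},                    # 10 days left
    {"Name": "mcs/broker/rds-master",
     "CreatedDate": NOW - timedelta(days=120),
     "LastRotatedDate": NOW - timedelta(days=30)},                    # 60 days left: fine
]

if __name__ == "__main__":
    for name, days in secrets_due_for_rotation(SAMPLE_SECRETS, NOW):
        state = "EXPIRED" if days < 0 else "due"
        print(f"{state}: {name} ({days} days)")
```

For a live account, `boto3.client("secretsmanager").list_secrets()` returns a `SecretList` whose entries carry exactly these fields; pass it in with `datetime.now(timezone.utc)`. Run this on a schedule so the rotation in Password Rotation happens before the AD password expires rather than after.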

Security.txt

The solution does not include a security.txt file in the website files. This file is intended to provide information about the owner or operator of a publicly accessible website, such as security contacts and responsible disclosure policies.

Since the Modular Cloud Studio on AWS website is a private, login-protected application that you control, a security.txt file isn’t necessary or applicable. The frontend application is only accessible to authorized users of your organization, so there is no need to publicly disclose security information.

If you have specific security or responsible disclosure needs for your Modular Cloud Studio on AWS deployment, we recommend managing that information separately from the frontend application. This solution is designed to provide you the flexibility to configure and extend it as needed for your specific requirements.

Denial-of-service protections

The API exposed by the solution has throttling settings configured to limit requests: a steady-state rate limit of 50 requests per second and a burst limit of 10 requests. API Gateway implements these with a token bucket, so the burst limit is the number of requests that can be served at the same instant; once the bucket is empty, further requests receive HTTP 429 until tokens refill at the rate limit. This helps protect the API from abuse or unintended high traffic. For more details on the API throttling configuration, see Throttle requests to your REST APIs for better throughput in API Gateway in the Amazon API Gateway Developer Guide.
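A burst limit lower than the rate limit reads oddly until the token bucket is worked through. The following added example (not from the solution) models API Gateway's documented token-bucket behaviour with the page's numbers: 30 requests arriving at once see only 10 served, while 50 requests spread evenly over the next second are all served because each 20 ms gap refills one token. The arrival pattern is constructed, and exact fractions are used so refill arithmetic does not drift.

```python
from fractions import Fraction


def simulate_throttle(arrivals_ms, rate=50, burst=10):
    """Token-bucket model of API Gateway throttling.

    The bucket holds at most `burst` tokens and refills at `rate` tokens per second.
    Each request takes one token or is throttled (HTTP 429). `arrivals_ms` are
    non-decreasing request times in milliseconds. Returns one bool per request:
    True = served, False = throttled.
    """
    capacity = Fraction(burst)
    tokens = capacity
    last_ms = arrivals_ms[0] if arrivals_ms else 0
    served = []
    for t in arrivals_ms:
        # Refill for the time elapsed since the previous request, capped at the burst size.
        tokens = min(capacity, tokens + Fraction((t - last_ms) * rate, 1000))
        last_ms = t
        if tokens >= 1:
            tokens -= 1
            served.append(True)
        else:
            served.append(False)
    return served


def throttled_count(arrivals_ms, rate=50, burst=10):
    """How many requests in the pattern would get HTTP 429."""
    return sum(1 for ok in simulate_throttle(arrivals_ms, rate, burst) if not ok)


# Constructed traffic: a spike of 30 simultaneous requests, then 50 evenly spaced over one second.
SPIKE = [0] * 30
STEADY = list(range(20, 1020, 20))

if __name__ == "__main__":
    print("spike only: throttled", throttled_count(SPIKE), "of", len(SPIKE))
    print("spike then steady: throttled", throttled_count(SPIKE + STEADY), "of", len(SPIKE + STEADY))
```

The practical reading: with these settings the API tolerates a sustained 50 requests per second but not a web console that fires more than ten calls in parallel on page load, so check the console's request fan-out before raising either number.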

AWS Global Accelerator is protected by AWS Shield Standard by default. This means AWS Shield automatically enforces rate limiting on resources the Global Accelerator sends traffic to. For more details, see AWS Shield mitigation logic for AWS Global Accelerator standard accelerators in the AWS WAF Developer Guide.

Configuring Amazon EBS snapshot encryption

Before deploying the solution, you must configure your AWS account to encrypt Amazon Elastic Block Store (Amazon EBS) snapshots automatically. This helps ensure that all Amazon EBS snapshots created during the process of building the Leostream AMIs are encrypted for enhanced security and compliance.

For detailed instructions on how to enable default encryption for Amazon EBS snapshots in your account, see Encrypt EBS snapshots by default in the Amazon EBS User Guide.

Leostream database user

When you deploy the solution, the Leostream Broker module creates and then connects to a dedicated Amazon RDS database cluster. The Leostream Broker process uses the default postgres database user to access this Amazon RDS cluster.

Important

The default postgres user is the RDS master user. It is a member of the rds_superuser role, which grants it full administrative access within the database.

We recommend reviewing your security and compliance requirements to determine if using the default postgres account is appropriate for your environment. This database is only used by the Leostream Broker, and because Amazon RDS withholds the PostgreSQL SUPERUSER attribute from the master user, many actions a superuser can normally take against a PostgreSQL database aren't possible in a managed database on Amazon RDS.

API Gateway Security

The API Gateway used in this solution defaults to allowing TLS 1.0 and above. For enhanced security, we recommend configuring a custom domain with a higher minimum TLS version. See the Enhanced TLS Security section in the "Use the solution" chapter for guidance on setting up a custom domain with TLS 1.2+.

Content Security Policy

The solution deploys a CloudFront distribution with a preset Content Security Policy (CSP) response header. One of its directives allows https://*.amazonaws.com, which lets the console connect to the solution's AWS endpoints but also matches every other host under amazonaws.com, including resources in other AWS accounts. If this grants broader permissions than required for your use case, restrict the directive to the specific hostnames the console actually calls by editing the distribution's response headers policy through the AWS Management Console.
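Tightening that directive is a string edit on the CSP value in the distribution's response headers policy, but it is easy to get the syntax wrong or to remove a source the console needs. The example below is added here and is not the solution's policy: it parses a CSP header, reports wildcard hosts in a directive, and rewrites the wildcard to an explicit host list. The sample header and the execute-api hostname are constructed; treating the wildcard as living in connect-src is this example's assumption, since the page does not name the directive.

```python
def parse_csp(header_value):
    """Parse a Content-Security-Policy header value into {directive: [sources]}."""
    policy = {}
    for directive in header_value.split(";"):
        parts = directive.split()
        if parts:
            policy[parts[0].lower()] = parts[1:]
    return policy


def serialize_csp(policy):
    """Inverse of parse_csp, in the form CloudFront's ContentSecurityPolicy field expects."""
    return "; ".join(f"{name} {' '.join(sources)}".rstrip() for name, sources in policy.items())


def wildcard_hosts(policy, directive="connect-src"):
    """Sources in `directive` that match more than one host: bare '*' or a '*.' host pattern."""
    return [
        s for s in policy.get(directive, [])
        if s == "*" or s.startswith("*.") or "://*." in s
    ]


def restrict_directive(policy, directive, wildcard, specific_hosts):
    """Return a copy of `policy` with `wildcard` in `directive` replaced by `specific_hosts`."""
    tightened = {name: list(sources) for name, sources in policy.items()}
    sources = [s for s in tightened.get(directive, []) if s != wildcard]
    tightened[directive] = sources + [h for h in specific_hosts if h not in sources]
    return tightened


# Constructed sample resembling the preset policy described above (not the solution's exact header).
PRESET_CSP = ("default-src 'self'; connect-src 'self' https://*.amazonaws.com; "
              "img-src 'self' data:; script-src 'self'")
WILDCARD = "https://*.amazonaws.com"
# Hypothetical host the console actually calls: the MCS API stage endpoint.
API_HOSTS = ["https://abc123def4.execute-api.us-east-1.amazonaws.com"]

if __name__ == "__main__":
    policy = parse_csp(PRESET_CSP)
    print("wildcards:", wildcard_hosts(policy))
    print(serialize_csp(restrict_directive(policy, "connect-src", WILDCARD, API_HOSTS)))
```

Before deploying the tightened value, collect the full list of hosts the console contacts (the browser's network tab, or a `report-to` / `report-uri` directive on a report-only copy of the policy); any endpoint missing from the list will be blocked by the browser, which is the correct failure but a disruptive one.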