Security in Amazon Cloud Control API - Cloud Control API
Services or capabilities described in Amazon Web Services documentation might vary by Region. To see the differences applicable to the China Regions, see Getting Started with Amazon Web Services in China (PDF).

Security in Amazon Cloud Control API

Cloud security at Amazon is the highest priority. As an Amazon customer, you benefit from a data center and network architecture that's built to meet the requirements of the most security-sensitive organizations.

Security is a shared responsibility between Amazon and you. The shared responsibility model describes this as security of the cloud and security in the cloud:

  • Security of the cloud – Amazon is responsible for protecting the infrastructure that runs Amazon services in the Amazon Web Services Cloud. Amazon also provides you with services that you can use securely. Third-party auditors regularly test and verify the effectiveness of our security as part of the Amazon Compliance Programs. To learn about the compliance programs that apply to Cloud Control API, see Amazon Services in Scope by Compliance Program.

  • Security in the cloud – Your responsibility is determined by the Amazon service that you use. You are also responsible for other factors including the sensitivity of your data, your company’s requirements, and applicable laws and regulations.

Cloud Control API inherits its security architecture from Amazon CloudFormation and operates within the Amazon shared responsibility model. To meet your security and compliance objectives when using Cloud Control API, you must configure CloudFormation security controls. For guidance on applying the shared responsibility model with CloudFormation, see the Security section in the Amazon CloudFormation User Guide. You can also learn how to use other Amazon services that help you to monitor and secure your CloudFormation and Cloud Control API resources.

IAM policy actions for Cloud Control API

You must create and assign Amazon Identity and Access Management (IAM) policies that give an IAM identity (such as a user or role) permission to call the Cloud Control API API actions they need.

In the Action element of your IAM policy statement, you can specify any API action that Cloud Control API offers. You must prefix the action name with the lowercase string cloudformation:, as shown in the following example.

"Action": "cloudformation:CreateResource"

To see a list of Cloud Control API actions, see Actions, resources, and condition keys for Amazon Cloud Control API in the Service Authorization Reference.

Example policy to manage Cloud Control API resources

The following shows an example of a policy that grants create, read, update, and list (but not delete) resource actions.

{ "Version":"2012-10-17", "Statement":[{ "Effect":"Allow", "Action":[ "cloudformation:CreateResource", "cloudformation:GetResource", "cloudformation:UpdateResource", "cloudformation:ListResources" ], "Resource":"*" }] }

Cloud Control API differences

Cloud Control API and CloudFormation have several important differences:

For IAM:

  • Cloud Control API doesn't currently support resource-level permissions, which is the ability to use ARNs to specify individual resources in IAM policies.

  • Cloud Control API doesn't currently support the use of service-specific condition keys in the IAM policies that control access to Cloud Control API resources.

For more information, see Actions, resources, and condition keys for Amazon Cloud Control API in the Service Authorization Reference.

Additional differences:

Account scope limitation

Cloud Control API provides a set of APIs for performing CRUDL (Create, Read, Update, Delete, List) operations on Amazon resources. When using the Cloud Control API, you can only perform CRUDL operations on Amazon resources within your own Amazon Web Services account. You cannot perform these operations on Amazon resources that belong to other Amazon Web Services accounts.