Security in Amazon Cloud Control API - Cloud Control API
Services or capabilities described in Amazon Web Services documentation might vary by Region. To see the differences applicable to the China Regions, see Getting Started with Amazon Web Services in China (PDF).

Security in Amazon Cloud Control API

Cloud security at Amazon is the highest priority. As an Amazon customer, you benefit from a data center and network architecture that's built to meet the requirements of the most security-sensitive organizations.

Security is a shared responsibility between Amazon and you. The shared responsibility model describes this as security of the cloud and security in the cloud:

  • Security of the cloud – Amazon is responsible for protecting the infrastructure that runs Amazon services in the Amazon Web Services Cloud. Amazon also provides you with services that you can use securely. Third-party auditors regularly test and verify the effectiveness of our security as part of the Amazon Compliance Programs. To learn about the compliance programs that apply to Cloud Control API, see Amazon Services in Scope by Compliance Program.

  • Security in the cloud – Your responsibility is determined by the Amazon service that you use. You are also responsible for other factors including the sensitivity of your data, your company’s requirements, and applicable laws and regulations.

Cloud Control API runs on the security architecture of Amazon CloudFormation, so you configure CloudFormation to meet your security and compliance objectives when you use Cloud Control API. Refer to the Security section in the Amazon CloudFormation User Guide to understand how to apply the shared responsibility model when using Amazon CloudFormation, and how to use other Amazon services to monitor and secure your Amazon CloudFormation and Cloud Control API resources.

Note the following areas where Cloud Control API differs from CloudFormation when addressing security and compliance concerns:

  • For Amazon Identity and Access Management (IAM) integration:

    • In IAM policies, Cloud Control API actions are specified with the "cloudformation" prefix.

      For example, the following policy grants create, read, update, and list (but not delete) resource actions.

      {
        "Version": "2012-10-17",
        "Statement": [
          {
            "Effect": "Allow",
            "Action": [
              "cloudformation:CreateResource",
              "cloudformation:GetResource",
              "cloudformation:UpdateResource",
              "cloudformation:ListResources"
            ],
            "Resource": "*"
          }
        ]
      }

    • Cloud Control API does not currently support CloudFormation resource-level permissions. The Resource element of a statement that grants these actions must therefore be "*"; you cannot scope the actions to particular resource ARNs, so restrict who may call them instead.

    • Cloud Control API does not currently support CloudFormation condition keys in IAM policies.

    For more information, see Controlling access with Amazon Identity and Access Management in the Amazon CloudFormation User Guide.

  • Cloud Control API does not currently support Custom resources.

  • When activity occurs in Cloud Control API and is recorded in Amazon CloudTrail, the event source is listed as cloudcontrolapi.amazonaws.com, not cloudformation.amazonaws.com. CloudTrail filters, alarms, or detection rules written for the CloudFormation event source will not match Cloud Control API calls, so include both event sources when monitoring resource changes.

    For more information, see Logging Amazon CloudFormation API calls with Amazon CloudTrail in the Amazon CloudFormation User Guide.
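The following script ties together the IAM and CloudTrail points above: Cloud Control API calls are authorised as "cloudformation:<Action>" but are logged under the event source cloudcontrolapi.amazonaws.com. It maps each Cloud Control API CloudTrail record to the IAM action it required and reports any call that the intended least-privilege policy (the create/read/update/list policy shown above) would not allow. This is an added example, not code from the Cloud Control API documentation; the CloudTrail records are constructed sample data, the policy evaluator is a deliberately minimal model of IAM (explicit Deny wins, otherwise default deny), and the assumption that a blocked call carries errorCode "AccessDenied" is the one the script relies on.

```python
"""Audit Cloud Control API activity in CloudTrail against an intended IAM policy.

Added example, not part of the Cloud Control API documentation. It uses two
facts stated on the page: IAM actions for Cloud Control API carry the
"cloudformation" prefix, while CloudTrail records the calls under the event
source cloudcontrolapi.amazonaws.com. The CloudTrail records below are
constructed sample data (standard CloudTrail field names: eventSource,
eventName, userIdentity.arn, errorCode).
"""
import fnmatch
import json

# The policy from the page: create/read/update/list allowed, delete not.
# Resource is "*" because Cloud Control API does not support resource-level
# permissions; a narrower ARN would never match.
POLICY = {
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Allow",
        "Action": [
            "cloudformation:CreateResource",
            "cloudformation:GetResource",
            "cloudformation:UpdateResource",
            "cloudformation:ListResources",
        ],
        "Resource": "*",
    }],
}

CLOUD_CONTROL_EVENT_SOURCE = "cloudcontrolapi.amazonaws.com"

# Constructed sample CloudTrail records (one JSON object per line). The last
# record is a plain CloudFormation call and must be ignored by the audit.
SAMPLE_RECORDS = [json.loads(line) for line in """
{"eventSource":"cloudcontrolapi.amazonaws.com","eventName":"CreateResource","userIdentity":{"arn":"arn:aws:iam::123456789012:role/deployer"}}
{"eventSource":"cloudcontrolapi.amazonaws.com","eventName":"DeleteResource","userIdentity":{"arn":"arn:aws:iam::123456789012:role/deployer"}}
{"eventSource":"cloudcontrolapi.amazonaws.com","eventName":"DeleteResource","userIdentity":{"arn":"arn:aws:iam::123456789012:user/analyst"},"errorCode":"AccessDenied"}
{"eventSource":"cloudformation.amazonaws.com","eventName":"DeleteStack","userIdentity":{"arn":"arn:aws:iam::123456789012:role/deployer"}}
""".strip().splitlines()]


def _as_list(value):
    return value if isinstance(value, list) else [value]


def policy_allows(policy, action):
    """Minimal model of IAM identity-policy evaluation for one action:
    an explicit Deny always wins, otherwise an Allow is required (default
    deny). Action patterns use IAM's * wildcard and are case-insensitive."""
    decision = "deny"
    for stmt in policy["Statement"]:
        patterns = _as_list(stmt.get("Action", []))
        if any(fnmatch.fnmatchcase(action.lower(), p.lower()) for p in patterns):
            if stmt["Effect"] == "Deny":
                return False
            decision = "allow"
    return decision == "allow"


def iam_action_for_event(record):
    """Map a CloudTrail record to the IAM action it was authorised under.
    Cloud Control API calls are logged with the cloudcontrolapi event source
    but authorised as cloudformation:<EventName>. Other sources return None."""
    if record.get("eventSource") != CLOUD_CONTROL_EVENT_SOURCE:
        return None
    return "cloudformation:" + record["eventName"]


def audit(policy, records):
    """Return (principal ARN, IAM action, outcome) for every Cloud Control API
    call that the intended policy does not allow. 'succeeded' means the
    principal actually holds broader permissions than intended; 'denied'
    means the call was attempted but blocked (assumes errorCode AccessDenied)."""
    findings = []
    for rec in records:
        action = iam_action_for_event(rec)
        if action is None or policy_allows(policy, action):
            continue
        outcome = "denied" if rec.get("errorCode") == "AccessDenied" else "succeeded"
        findings.append((rec["userIdentity"]["arn"], action, outcome))
    return findings


if __name__ == "__main__":
    for arn, action, outcome in audit(POLICY, SAMPLE_RECORDS):
        print(f"{outcome:9} {action:35} {arn}")
```

Run against real data by replacing SAMPLE_RECORDS with the Records array of a CloudTrail log file. The "succeeded" finding for the deployer role is the one worth acting on: a DeleteResource that went through means the role's effective permissions are wider than the policy shown on the page, which is exactly the gap the cloudformation.amazonaws.com event source alone would not reveal.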