Security in Amazon Cloud Control API
Cloud security at Amazon is the highest priority. As an Amazon customer, you benefit from a data center and network architecture that's built to meet the requirements of the most security-sensitive organizations.
Security is a shared responsibility between Amazon and you. The shared responsibility model describes this as security of the cloud and security in the cloud:
-
Security of the cloud – Amazon is responsible for protecting the infrastructure that runs Amazon services in the Amazon Web Services Cloud. Amazon also provides you with services that you can use securely. Third-party auditors regularly test and verify the effectiveness of our security as part of the Amazon Compliance Programs
. To learn about the compliance programs that apply to Cloud Control API, see Amazon Services in Scope by Compliance Program . -
Security in the cloud – Your responsibility is determined by the Amazon service that you use. You are also responsible for other factors including the sensitivity of your data, your company’s requirements, and applicable laws and regulations.
Cloud Control API inherits its security architecture from Amazon CloudFormation and operates within the Amazon shared responsibility model. To meet your security and compliance objectives when using Cloud Control API, you must configure CloudFormation security controls. For guidance on applying the shared responsibility model with CloudFormation, see the Security section in the Amazon CloudFormation User Guide. You can also learn how to use other Amazon services that help you to monitor and secure your CloudFormation and Cloud Control API resources.
IAM policy actions for Cloud Control API
You must create and assign Amazon Identity and Access Management (IAM) policies that give an IAM identity (such as a user or role) permission to call the Cloud Control API API actions they need.
In the Action
element of your IAM policy statement, you can specify
any API action that Cloud Control API offers. You must prefix the action name with the lowercase string
cloudformation:
, as shown in the following example.
"Action": "cloudformation:CreateResource"
To see a list of Cloud Control API actions, see Actions, resources, and condition keys for Amazon Cloud Control API in the Service Authorization Reference.
Example policy to manage Cloud Control API resources
The following shows an example of a policy that grants create, read, update, and list (but not delete) resource actions.
{ "Version":"2012-10-17", "Statement":[{ "Effect":"Allow", "Action":[ "cloudformation:CreateResource", "cloudformation:GetResource", "cloudformation:UpdateResource", "cloudformation:ListResources" ], "Resource":"*" }] }
Cloud Control API differences
Cloud Control API and CloudFormation have several important differences:
For IAM:
-
Cloud Control API doesn't currently support resource-level permissions, which is the ability to use ARNs to specify individual resources in IAM policies.
-
Cloud Control API doesn't currently support the use of service-specific condition keys in the IAM policies that control access to Cloud Control API resources.
For more information, see Actions, resources, and condition keys for Amazon Cloud Control API in the Service Authorization Reference.
Additional differences:
-
Cloud Control API doesn't currently support custom resources. For information about CloudFormation custom resources, see Create custom provisioning logic with custom resources in the Amazon CloudFormation User Guide.
-
When activity occurs in Cloud Control API and is recorded in Amazon CloudTrail, the event source is listed as
cloudcontrolapi.amazonaws.com
. For information about CloudTrail logging for Cloud Control API operations, see Logging Amazon CloudFormation API calls with Amazon CloudTrail in the Amazon CloudFormation User Guide.
Account scope limitation
Cloud Control API provides a set of APIs for performing CRUDL (Create, Read, Update, Delete, List) operations on Amazon resources. When using the Cloud Control API, you can only perform CRUDL operations on Amazon resources within your own Amazon Web Services account. You cannot perform these operations on Amazon resources that belong to other Amazon Web Services accounts.