

# Security in Amazon Cloud Control API

Cloud security at Amazon is the highest priority. As an Amazon customer, you benefit from a data center and network architecture that's built to meet the requirements of the most security-sensitive organizations.

Security is a shared responsibility between Amazon and you. The [shared responsibility model]() describes this as security *of* the cloud and security *in* the cloud:
+ **Security of the cloud** – Amazon is responsible for protecting the infrastructure that runs Amazon services in the Amazon Web Services Cloud. Amazon also provides you with services that you can use securely. Third-party auditors regularly test and verify the effectiveness of our security as part of the [Amazon Compliance Programs](https://aws.amazon.com/compliance/programs/). To learn about the compliance programs that apply to Cloud Control API, see [Amazon Services in Scope by Compliance Program](https://aws.amazon.com/compliance/services-in-scope/).
+ **Security in the cloud** – Your responsibility is determined by the Amazon service that you use. You are also responsible for other factors including the sensitivity of your data, your company’s requirements, and applicable laws and regulations.

Cloud Control API inherits its security architecture from Amazon CloudFormation and operates within the Amazon shared responsibility model. To meet your security and compliance objectives when using Cloud Control API, you must configure CloudFormation security controls. For guidance on applying the shared responsibility model with CloudFormation, see the [Security](https://docs.amazonaws.cn/AWSCloudFormation/latest/UserGuide/security.html) section in the *Amazon CloudFormation User Guide*. You can also learn how to use other Amazon services that help you to monitor and secure your CloudFormation and Cloud Control API resources.

## IAM policy actions for Cloud Control API


You must create and assign Amazon Identity and Access Management (IAM) policies that give an IAM identity (such as a user or role) permission to call the Cloud Control API actions it needs.

In the `Action` element of your IAM policy statement, you can specify any API action that Cloud Control API offers. You must prefix the action name with the lowercase string `cloudformation:`, as shown in the following example.

```json
"Action": "cloudformation:CreateResource"
```

To see a list of Cloud Control API actions, see [Actions, resources, and condition keys for Amazon Cloud Control API](https://docs.amazonaws.cn/service-authorization/latest/reference/list_awscloudcontrolapi.html) in the *Service Authorization Reference*.

**Example policy to manage Cloud Control API resources**  
The following shows an example of a policy that grants create, read, update, and list (but not delete) resource actions.

```json
{
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Allow",
        "Action": [
            "cloudformation:CreateResource",
            "cloudformation:GetResource",
            "cloudformation:UpdateResource",
            "cloudformation:ListResources"
        ],
        "Resource": "*"
    }]
}
```

## Cloud Control API differences


Cloud Control API and CloudFormation have several important differences:

For IAM:
+ Cloud Control API doesn't currently support resource-level permissions, that is, the ability to use ARNs to specify individual resources in IAM policies.
+ Cloud Control API doesn't currently support the use of service-specific condition keys in the IAM policies that control access to Cloud Control API resources.

For more information, see [Actions, resources, and condition keys for Amazon Cloud Control API](https://docs.amazonaws.cn/service-authorization/latest/reference/list_awscloudcontrolapi.html) in the *Service Authorization Reference*.

Additional differences:
+ Cloud Control API doesn't currently support custom resources. For information about CloudFormation custom resources, see [Create custom provisioning logic with custom resources](https://docs.amazonaws.cn/AWSCloudFormation/latest/UserGuide/template-custom-resources.html) in the *Amazon CloudFormation User Guide*.
+ When activity occurs in Cloud Control API and is recorded in Amazon CloudTrail, the event source is listed as `cloudcontrolapi.amazonaws.com`. For information about CloudTrail logging for Cloud Control API operations, see [Logging Amazon CloudFormation API calls with Amazon CloudTrail](https://docs.amazonaws.cn/AWSCloudFormation/latest/UserGuide/cfn-api-logging-cloudtrail.html) in the *Amazon CloudFormation User Guide*.

## Account scope limitation


Cloud Control API provides a set of APIs for performing CRUDL (Create, Read, Update, Delete, List) operations on Amazon resources. When using the Cloud Control API, you can only perform CRUDL operations on Amazon resources within your own Amazon Web Services account. You cannot perform these operations on Amazon resources that belong to other Amazon Web Services accounts.

# Cloud Control API and interface VPC endpoints (Amazon PrivateLink)

You can use Amazon PrivateLink to create a private connection between your VPC and Amazon Cloud Control API. You can access Cloud Control API as if it were in your VPC, without the use of an internet gateway, NAT device, VPN connection, or Amazon Direct Connect connection. Instances in your VPC don't need public IP addresses to access Cloud Control API.

You establish this private connection by creating an *interface endpoint*, powered by Amazon PrivateLink. We create an endpoint network interface in each subnet that you enable for the interface endpoint. These are requester-managed network interfaces that serve as the entry point for traffic destined for Cloud Control API.

Cloud Control API supports making calls to all of its API actions through the interface endpoint.

## Considerations for Cloud Control API VPC endpoints


Before you set up an interface VPC endpoint for Cloud Control API, first make sure you have met the prerequisites in the [Access an Amazon service using an interface VPC endpoint](https://docs.amazonaws.cn/vpc/latest/privatelink/create-interface-endpoint.html) topic in the *Amazon PrivateLink Guide*.

## Creating an interface VPC endpoint for Cloud Control API


You can create a VPC endpoint for Cloud Control API using either the Amazon VPC console or the Amazon Command Line Interface (Amazon CLI). For more information, see [Create a VPC endpoint](https://docs.amazonaws.cn/vpc/latest/privatelink/create-interface-endpoint.html#create-interface-endpoint-aws) in the *Amazon PrivateLink Guide*.

Create an interface endpoint for Cloud Control API using the following service name:
+ cn.com.amazonaws.*region*.cloudcontrolapi

If you enable private DNS for the endpoint, you can make API requests to Cloud Control API using its default DNS name for the Region.

For more information, see [Access an Amazon service using an interface VPC endpoint](https://docs.amazonaws.cn/vpc/latest/userguide/vpce-interface.html#access-service-though-endpoint) in the *Amazon VPC User Guide*.

## Creating a VPC endpoint policy for Cloud Control API


You can attach an endpoint policy to your VPC endpoint that controls access to Cloud Control API. The policy specifies the following information:
+ The principal that can perform actions.
+ The actions that can be performed.
+ The resources on which actions can be performed.

For more information, see [Control access to VPC endpoints using endpoint policies](https://docs.amazonaws.cn/vpc/latest/privatelink/vpc-endpoints-access.html) in the *Amazon PrivateLink Guide*.

**Important**  
VPC endpoint policy details are not passed to any downstream services invoked by Cloud Control API for evaluation. Because of this, policies specifying actions or resources that belong to downstream services are not enforced.  
For example, suppose you created an Amazon EC2 instance in a VPC that has a VPC endpoint for Cloud Control API, in a subnet with no internet access. Next, you attach the following VPC endpoint policy to the endpoint:  

```json
{
  "Statement": [
    {
      "Action": [
        "cloudformation:*",
        "ec2:*",
        "lambda:*"
      ],
      "Effect": "Allow",
      "Principal": "*",
      "Resource": "*"
    }
  ]
}
```
If a user with administrator access then sends a request from the instance to access an Amazon S3 bucket, no service error is returned, even though Amazon S3 access is not granted in the VPC endpoint policy: the endpoint policy only governs Cloud Control API calls, not the downstream services those calls reach.

**Example: VPC endpoint policy for Cloud Control API actions**  
The following is an example of an endpoint policy for Cloud Control API. When attached to an endpoint, it allows all principals to call every Cloud Control API action on all resources, except that it explicitly denies all users the permission to create resources through the VPC endpoint.

```json
{
  "Statement": [
    {
      "Action": "cloudformation:*",
      "Effect": "Allow",
      "Principal": "*",
      "Resource": "*"
    },
    {
      "Action": "cloudformation:CreateResource",
      "Effect": "Deny",
      "Principal": "*",
      "Resource": "*"
    }
  ]
}
```
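To make the Allow/Deny behaviour of the IAM and endpoint policies above concrete, and to catch the downstream-service caveat before a policy is attached, here is an added Python example that is not part of the Amazon documentation. It evaluates one action against a policy (explicit Deny wins, Action-only matching since Cloud Control API has no resource-level permissions or service-specific condition keys) and lists endpoint-policy actions that the Cloud Control API endpoint will not enforce; the policy contents are constructed from the page's examples and the function names are my own.

```python
import fnmatch
import json

# Constructed copies of the two endpoint policies discussed above (the
# first with the missing comma after the Action list corrected).
DOWNSTREAM_POLICY = json.loads("""{"Statement": [{
  "Action": ["cloudformation:*", "ec2:*", "lambda:*"],
  "Effect": "Allow", "Principal": "*", "Resource": "*"}]}""")

ENDPOINT_POLICY = json.loads("""{"Statement": [
  {"Action": "cloudformation:*", "Effect": "Allow",
   "Principal": "*", "Resource": "*"},
  {"Action": "cloudformation:CreateResource", "Effect": "Deny",
   "Principal": "*", "Resource": "*"}]}""")


def _actions(stmt):
    """IAM accepts either a single string or a list in the Action element."""
    act = stmt["Action"]
    return act if isinstance(act, list) else [act]


def is_allowed(policy, action):
    """Decide whether ACTION passes POLICY: an explicit Deny always wins,
    otherwise some Allow statement must match. Matching is on the Action
    element only (case-insensitive, '*' wildcard), which is all that
    matters here because Cloud Control API has no resource-level
    permissions or service-specific condition keys."""
    allowed = False
    for stmt in policy["Statement"]:
        if any(fnmatch.fnmatchcase(action.lower(), p.lower())
               for p in _actions(stmt)):
            if stmt["Effect"] == "Deny":
                return False
            allowed = True
    return allowed


def unenforced_actions(policy):
    """List actions the Cloud Control API endpoint cannot enforce: anything
    outside the cloudformation: prefix, because endpoint policy details are
    not passed to the downstream services the API invokes."""
    return sorted({a for stmt in policy["Statement"] for a in _actions(stmt)
                   if not a.lower().startswith("cloudformation:")})


if __name__ == "__main__":
    print(is_allowed(ENDPOINT_POLICY, "cloudformation:GetResource"))     # True
    print(is_allowed(ENDPOINT_POLICY, "cloudformation:CreateResource"))  # False
    print(unenforced_actions(DOWNSTREAM_POLICY))      # ['ec2:*', 'lambda:*']
```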

## See also

+ [Amazon services that integrate with Amazon PrivateLink](https://docs.amazonaws.cn/vpc/latest/privatelink/aws-services-privatelink-support.html)

# CloudFormation Hooks


Amazon CloudFormation Hooks is a feature that you can use to ensure that your Amazon Cloud Control API resources are compliant with your organization's security, operational, and cost optimization best practices. With Hooks, you can provide code that proactively inspects the configuration of your resources before provisioning. If non-compliant resources are found, Cloud Control API either fails the operation and prevents the resources from being provisioned, or emits a warning and allows the provisioning operation to continue. You can use Hooks to evaluate your Cloud Control API resource configurations prior to create and update operations.

## Creating a Hook to validate Cloud Control API resource configurations


You can create a Hook to validate your Cloud Control API resource configuration using either the CloudFormation console, the Amazon Command Line Interface (Amazon CLI), or CloudFormation. For more information, see [Creating and managing Amazon CloudFormation Hooks](https://docs.amazonaws.cn/cloudformation-cli/latest/hooks-userguide/creating-and-managing-hooks.html).

## Targeting Cloud Control API for validation


You can configure your CloudFormation Hooks to target `CLOUD_CONTROL` operations in your Hook’s `TargetOperations` configuration.

For more information on using `TargetOperations` with Guard Hooks, see [Write Guard rules to evaluate resources for Guard Hooks](https://docs.amazonaws.cn/cloudformation-cli/latest/hooks-userguide/guard-hooks-write-rules.html).

For more information on using `TargetOperations` with Lambda Hooks, see [Create Lambda functions to evaluate resources for Lambda Hooks](https://docs.amazonaws.cn/cloudformation-cli/latest/hooks-userguide/lambda-hooks-create-lambda-function.html).

## Reviewing Hook invocation results


You can view the results of your invocation by calling `GetResourceRequestStatus` using the `RequestToken`.