Amazon Launch Wizard security - Amazon Launch Wizard
Services or capabilities described in Amazon Web Services documentation might vary by Region. To see the differences applicable to the China Regions, see Getting Started with Amazon Web Services in China (PDF).

Amazon Launch Wizard security

Cloud security at Amazon is the highest priority. As an Amazon customer, you benefit from a data center and network architecture that is built to meet the requirements of the most security-sensitive organizations.

Security is a shared responsibility between Amazon and you. The shared responsibility model describes this as security of the cloud and security in the cloud:

  • Security of the cloud – Amazon is responsible for protecting the infrastructure that runs Amazon services in the Amazon Cloud. Amazon also provides you with services that you can use securely. Third-party auditors regularly test and verify the effectiveness of our security as part of the Amazon Compliance Programs. To learn about the compliance programs that apply to Amazon Launch Wizard, see Amazon Services in Scope by Compliance Program.

  • Security in the cloud – Your responsibility is determined by the Amazon service that you use. You are also responsible for other factors including the sensitivity of your data, your company’s requirements, and applicable laws and regulations.

This documentation helps you understand how to apply the shared responsibility model when using Amazon Launch Wizard. The following topics show you how to configure Launch Wizard to meet your security and compliance objectives. You also learn how to use other Amazon services that help you to monitor and secure your Launch Wizard resources.

Amazon Launch Wizard deploys Amazon EC2 instances into Amazon VPCs. For security information for Amazon EC2 and Amazon VPC, see the security sections in the Amazon EC2 Getting Started Guide and the Amazon VPC User Guide.

This section of the Launch Wizard User Guide provides security information that pertains to Amazon Launch Wizard. For security topics specific to Amazon Launch Wizard for SQL Server, see Security groups and firewalls. For security topics specific to Amazon Launch Wizard for SAP, see Security groups in Amazon Launch Wizard for SAP.

Infrastructure security in Launch Wizard

As a managed service, Amazon Launch Wizard is protected by the Amazon global network security. For information about Amazon security services and how Amazon protects infrastructure, see Amazon Cloud Security. To design your Amazon environment using the best practices for infrastructure security, see Infrastructure Protection in Security Pillar Amazon Well-Architected Framework.

Resilience in Launch Wizard

The Amazon global infrastructure is built around Amazon Regions and Availability Zones. Regions provide multiple physically separated and isolated Availability Zones, which are connected through low-latency, high-throughput, and highly redundant networking. With Availability Zones, you can design and operate applications and databases that automatically fail over between Availability Zones without interruption. Availability Zones are more highly available, fault tolerant, and scalable than traditional single or multiple data center infrastructures.

For more information about Amazon Regions and Availability Zones, see Amazon Global Infrastructure.

Amazon Launch Wizard sets up an application across multiple Availability Zones so that it fails over automatically between Availability Zones without interruption.

Data protection in Launch Wizard

The Amazon shared responsibility model applies to data protection in Amazon Launch Wizard. As described in this model, Amazon is responsible for protecting the global infrastructure that runs all of the Amazon Web Services Cloud. You are responsible for maintaining control over your content that is hosted on this infrastructure. You are also responsible for the security configuration and management tasks for the Amazon Web Services that you use. For more information about data privacy, see the Data Privacy FAQ.

For data protection purposes, we recommend that you protect Amazon Web Services account credentials and set up individual users with Amazon IAM Identity Center or Amazon Identity and Access Management (IAM). That way, each user is given only the permissions necessary to fulfill their job duties. We also recommend that you secure your data in the following ways:

  • Use multi-factor authentication (MFA) with each account.

  • Use SSL/TLS to communicate with Amazon resources. We require TLS 1.2 and recommend TLS 1.3.

  • Set up API and user activity logging with Amazon CloudTrail.

  • Use Amazon encryption solutions, along with all default security controls within Amazon Web Services.

  • Use advanced managed security services such as Amazon Macie, which assists in discovering and securing sensitive data that is stored in Amazon S3.

  • If you require FIPS 140-2 validated cryptographic modules when accessing Amazon through a command line interface or an API, use a FIPS endpoint. For more information about the available FIPS endpoints, see Federal Information Processing Standard (FIPS) 140-2.

We strongly recommend that you never put confidential or sensitive information, such as your customers' email addresses, into tags or free-form text fields such as a Name field. This includes when you work with Launch Wizard or other Amazon Web Services using the console, API, Amazon CLI, or Amazon SDKs. Any data that you enter into tags or free-form text fields used for names may be used for billing or diagnostic logs. If you provide a URL to an external server, we strongly recommend that you do not include credentials information in the URL to validate your request to that server.

Encryption with Amazon managed keys and customer managed keys

Amazon Launch Wizard for Active Directory, SQL Server, and SAP uses the default Amazon managed keys to encrypt Amazon EBS volumes. Launch Wizard for SAP also supports the use of customer managed keys that you have already created.

If you don't specify a customer managed key, Launch Wizard for SAP automatically creates an Amazon managed key in your Amazon Web Services account.

If you want to use a customer managed key for Launch Wizard for SAP, see the steps for adding permissions to your KMS key policy for Launch Wizard to use your KMS key at Add permissions to use Amazon KMS keys in the Launch Wizard for SAP User Guide.

Creating your own customer managed key gives you more flexibility and control. For example, you can create, rotate, and disable customer managed keys. You can also define access controls and audit the customer managed keys that you use to protect your data. For more information about customer managed keys and Amazon managed keys, see Amazon KMS concepts in the Amazon Key Management Service Developer Guide.

Identity and Access Management for Amazon Launch Wizard

Amazon Launch Wizard uses the following Amazon managed policies to grant permissions to users and services.

  • AmazonEC2RolePolicyForLaunchWizard

    Amazon Launch Wizard creates an IAM role with the name AmazonEC2RoleForLaunchWizard in your account if the role does not already exist. If the role exists, it is attached to the instance profile for the Amazon EC2 instances that Launch Wizard launches into your account. This role consists of two IAM managed policies: AmazonSSMManagedInstanceCore and AmazonEC2RolePolicyForLaunchWizard.

    When you choose to deploy your SAP application with Amazon Backint Agent for SAP HANA, you must attach the IAM inline policy provided in Step 2 of the Amazon Identity and Access Management documentation for Amazon Backint Agent for SAP HANA. This policy and instructions to attach the policy to the role are provided by Launch Wizard.

  • AmazonSSMManagedInstanceCore

    This policy enables Amazon Systems Manager service core functionality on Amazon EC2. For information, see Create an IAM Instance Profile for Systems Manager.

  • AmazonLaunchWizardFullAccessV2

    This policy provides full access to Amazon Launch Wizard and other required services.

  • AWSLambdaVPCAccessExecutionRole

    This policy provides the minimum permissions that a Lambda function needs to run while accessing a resource within a VPC. These permissions include creating, describing, and deleting network interfaces, and writing to CloudWatch Logs.

  • AmazonLambdaRolePolicyForLaunchWizardSAP

    This policy provides the minimum permissions needed for SAP provisioning scenarios on Launch Wizard. It allows Lambda functions to be invoked to perform certain actions, such as validating route tables and carrying out the pre-configuration and configuration tasks required to enable HA mode.

  • To run custom pre- and post-configuration deployment scripts, you must manually add the permissions provided in Add permissions to run custom pre- and post-deployment configuration scripts to the AmazonEC2RoleForLaunchWizard role.

  • If you save generated artifacts from Launch Wizard for SAP to Amazon S3 and your S3 bucket name does not include the prefix launchwizard, you must attach the policy provided in Add permissions to save deployment artifacts to Amazon S3 to the IAM user.

  • To grant permissions for users to launch Amazon Service Catalog products created with Launch Wizard for SAP, follow the steps in Set up to launch Amazon Service Catalog products created with Amazon Launch Wizard.

  • To grant permissions to Amazon Service Catalog to create a launch constraint for users who want to launch an Amazon Service Catalog product created by Launch Wizard for SAP, follow the steps in Create a launch constraint.

If you deploy domain controllers into an existing VPC with an existing Active Directory, Launch Wizard for Active Directory requires domain administrator credentials to be added to Secrets Manager in order to join your domain controllers to Active Directory and promote them. In addition, the following resource policy must be attached to the secret so that Launch Wizard can access the secret. Launch Wizard guides you through the process of attaching the required policy to your secret.

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Principal": {
        "AWS": "arn:aws:iam::<account-id>:role/service-role/AmazonEC2RoleForLaunchWizard"
      },
      "Action": [
        "secretsmanager:GetSecretValue",
        "secretsmanager:CreateSecret",
        "secretsmanager:GetRandomPassword"
      ],
      "Resource": "*"
    }
  ]
}
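The following Python is an added example, not code from the Launch Wizard guide: it fills the `<account-id>` placeholder into the resource policy above and checks whether a secret's existing policy already grants the AmazonEC2RoleForLaunchWizard role the three required actions. The `partition` parameter and the 12-digit account ID check are assumptions; the account ID used at the bottom is a constructed placeholder.

```python
import json
import re

ROLE_PATH = "role/service-role/AmazonEC2RoleForLaunchWizard"
REQUIRED_ACTIONS = {
    "secretsmanager:GetSecretValue",
    "secretsmanager:CreateSecret",
    "secretsmanager:GetRandomPassword",
}

def launch_wizard_role_arn(account_id: str, partition: str = "aws") -> str:
    """Fill in the <account-id> placeholder; use partition "aws-cn" in the China Regions."""
    if not re.fullmatch(r"\d{12}", account_id):
        raise ValueError("account ID must be exactly 12 digits")
    return f"arn:{partition}:iam::{account_id}:{ROLE_PATH}"

def build_secret_resource_policy(account_id: str, partition: str = "aws") -> dict:
    """The guide's resource policy as a dict. Attached to a secret, "Resource": "*"
    refers to that secret only, not to every secret in the account."""
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Effect": "Allow",
            "Principal": {"AWS": launch_wizard_role_arn(account_id, partition)},
            "Action": sorted(REQUIRED_ACTIONS),
            "Resource": "*",
        }],
    }

def _as_list(value):
    return value if isinstance(value, list) else [value]

def policy_grants_launch_wizard(policy, account_id: str, partition: str = "aws") -> bool:
    """Check a secret's existing policy (dict or JSON string, e.g. get-resource-policy
    output) for unconditional Allow statements that together give the Launch Wizard
    role every required action by exact name. Other statements are ignored."""
    if isinstance(policy, str):
        policy = json.loads(policy)
    role_arn = launch_wizard_role_arn(account_id, partition)
    granted = set()
    for stmt in _as_list(policy.get("Statement", [])):
        principal = stmt.get("Principal")
        if stmt.get("Effect") != "Allow" or "Condition" in stmt or not isinstance(principal, dict):
            continue
        if role_arn in _as_list(principal.get("AWS", [])):
            granted.update(_as_list(stmt.get("Action", [])))
    return REQUIRED_ACTIONS <= granted

if __name__ == "__main__":  # constructed placeholder account ID, not a real account
    print(json.dumps(build_secret_resource_policy("123456789012"), indent=2))
```

The printed document can be saved to a file and applied with `aws secretsmanager put-resource-policy --secret-id <secret> --resource-policy file://policy.json`.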

Update management in Launch Wizard

We recommend that you regularly patch, update, and secure the operating system and applications on your EC2 instances. You can use Amazon Systems Manager Patch Manager to automate the process of installing security-related updates for both the operating system and applications. Alternatively, you can use any automatic update services or recommended processes for installing updates that are provided by the application vendor.