Security
We highly recommend that you follow AWS security best practices while provisioning any AWS resources.
Default security configuration
Amazon Simple Storage Service (S3)
Block public access
The Amazon S3 bucket created for Kubeflow artifacts has a default “block public access” configuration.
Encryption
When you use Amazon S3 for kubeflow artifact storage, Kubeflow on AWS configures the Amazon S3 bucket to use server-side encryption with Amazon S3-managed encryption keys (SSE-S3). If you prefer to use server-side encryption with AWS Key Management Service (SSE-KMS), you can modify these files to specify an AWS KMS key.
- main.tf for Terraform deployments
- auto-rds-s3-setup.py for manifest deployments
Both SSE-S3 and SSE-KMS provide encryption of objects in the Amazon S3 bucket. You may prefer SSE-KMS if you want to separate the management of encryption keys (via AWS KMS) from management of the Amazon S3 bucket. That separation may provide a stronger security posture. In order to access and use an object in an Amazon S3 bucket, a user needs permission to read the object in the Amazon S3 bucket as well as permission to use the AWS KMS encryption key.
Security resources
Refer to the following documents for more information:
- Security best practices for Amazon Elastic Kubernetes Service (EKS)
- Security best practices for AWS Secrets Manager
- Security best practices for Amazon Relational Database Service (RDS)
- Security best practices for Amazon Simple Storage Service (S3)
- Security in Amazon Route53
- Security in Amazon Certificate Manager (ACM)
- Security best practices for Amazon Cognito user pools
- Security in Amazon Elastic Load Balancing (ELB)