Security Infrastructure Reference
This article provides some details on components of the infrastructure and links to resources; see the security overview article for a higher-level explanation of the security principles.
Cloud security
edu leverages the security capabilities and tools of the cloud providers it is built upon: AWS and Snowflake.
In AWS, all edu resources are created inside a VPC, which can be locked down with various network policies and rules. (This whitepaper gives more detail about AWS's security features.) Key ways in which edu leverages AWS's security features include:
- Access to EC2 resources like the Airflow server is configurable via route tables and network ACLs, and traffic is secured with HTTPS using certificates from AWS ACM.
- Direct access to EC2 resources like the Airflow server requires a key-pair (either one set up for EC2, or one associated with a GitHub account).
- Secrets such as the password for Airflow's storage backend are securely stored in AWS Systems Manager Parameter Store.
- Data stored in AWS S3 is encrypted with keys managed by AWS Key Management Service.
- Systems log to CloudWatch for centralized, searchable observability.
In Snowflake, the security capabilities edu leverages include:
- End-to-end encryption.
- SSO/SAML integration, which may (optionally) include MFA enforced at the SSO provider.
- IP-based access restrictions, which allow you to block access from outside your organization's network.
- Access history, for auditing who accessed which data.
Network security
Network access to edu is secured by the features provided by AWS, including a secure network architecture (with firewalls and monitoring), secure access points and transmission protection, a fault-tolerant network design, and automated monitoring systems that mitigate DDoS and MITM attacks.
Data security
Data in edu is secured both in transit and at rest.
In transit, encrypted channels are always used to move data:
- HTTPS when moving data out of the Ed-Fi API
- TLS when moving data into the data lake (AWS S3)
- HTTPS when querying or moving data out of Snowflake (see Snowflake end-to-end encryption)
At rest, data stored in AWS S3 is encrypted with keys managed by AWS Key Management Service.
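One check a practitioner would want against the two S3 controls described in this section (TLS in transit, KMS-managed encryption at rest): an added Python example, not part of edu's own tooling, that audits an S3 bucket policy for a Deny on non-TLS requests and a Deny on uploads that do not request SSE-KMS. The bucket name and both policy documents are constructed for illustration.

```python
import json

# Constructed example policy (hypothetical bucket name) enforcing both controls.
HARDENED_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [
        {   # Refuse any request that did not arrive over TLS.
            "Sid": "DenyInsecureTransport", "Effect": "Deny", "Principal": "*", "Action": "s3:*",
            "Resource": ["arn:aws:s3:::example-data-lake",
                         "arn:aws:s3:::example-data-lake/*"],
            "Condition": {"Bool": {"aws:SecureTransport": "false"}},
        },
        {   # Refuse uploads that do not request KMS-managed encryption.
            "Sid": "DenyUnencryptedPut", "Effect": "Deny", "Principal": "*", "Action": "s3:PutObject",
            "Resource": "arn:aws:s3:::example-data-lake/*",
            "Condition": {"StringNotEquals":
                          {"s3:x-amz-server-side-encryption": "aws:kms"}},
        },
    ],
})

# Constructed weak variant: the TLS rule is present but the encryption rule is missing.
WEAK_POLICY = json.dumps({"Version": "2012-10-17",
                          "Statement": [json.loads(HARDENED_POLICY)["Statement"][0]]})


def _as_list(value):
    return value if isinstance(value, list) else [value]


def _has_deny(statements, action, cond_op, cond_key, cond_value):
    """True if some Deny statement covers `action` under the given condition."""
    for st in statements:
        if st.get("Effect") != "Deny":
            continue
        if not any(a in (action, "s3:*", "*") for a in _as_list(st.get("Action", []))):
            continue
        cond = st.get("Condition", {}).get(cond_op, {})
        if str(cond.get(cond_key, "")).lower() == cond_value:
            return True
    return False


def audit_bucket_policy(policy_json):
    """Report whether the policy enforces TLS-only access and mandatory SSE-KMS."""
    statements = _as_list(json.loads(policy_json).get("Statement", []))
    return {
        "tls_only": _has_deny(statements, "s3:*", "Bool", "aws:SecureTransport", "false"),
        "sse_kms_required": _has_deny(statements, "s3:PutObject", "StringNotEquals",
                                      "s3:x-amz-server-side-encryption", "aws:kms"),
    }
```

Run `audit_bucket_policy` over the policy returned by `get_bucket_policy` for each data-lake bucket; a `False` in either field means the control this section describes is not actually enforced by the bucket policy.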
Access security
If (as recommended) SSO is implemented, users must authenticate with your identity provider to access the data. IdPs may further require MFA for additional security. Access may also be limited by IP address.
Auditing
- System logs are sent to CloudWatch for observability.
- Snowflake access history records data access for auditing.