Life Sciences

Architecting for genomic security and compliance

Amazon Web Services – Architecting for Genomic Data Security and Compliance in AWS, December 2014, Page 16 of 17

the scaling up (or down) of computational resources that process data to handle variable rates of data acquisition.

AWS CloudTrail and AWS Config are two services that enable you to monitor and audit all of the operations against the AWS product APIs. AWS CloudTrail is a web service that records AWS API calls for your account and delivers log files to you. The recorded information includes the identity of the API caller, the time of the API call, the source IP address of the API caller, the request parameters, and the response elements returned by the AWS service. With AWS CloudTrail, you can get a history of AWS API calls for your account, including API calls made via the AWS Management Console, AWS SDKs, command line tools, and higher-level AWS services (such as AWS CloudFormation). The AWS API call history produced by AWS CloudTrail enables security analysis, resource change tracking, and compliance auditing.

AWS Config builds upon the functionality of AWS CloudTrail, and provides you with an AWS resource inventory, configuration history, and configuration change notifications to enable security and governance. With AWS Config you can discover existing AWS resources, export a complete inventory of your AWS resources with all configuration details, and determine how a resource was configured at any point in time. These capabilities enable compliance auditing, security analysis, resource change tracking, and troubleshooting.

Lastly, AWS has implemented various methods of external communication to support all customers in the event of security or operational issues that may impact our customers. Mechanisms are in place to allow the customer support team to be notified of operational and security issues that impact each customer's account.
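The CloudTrail record fields named above (caller identity, time, source IP, request parameters, response elements) are exactly what a compliance reviewer of a controlled-access genomic environment works from. The following script is an added example, not code from the AWS whitepaper: it reads a delivered CloudTrail log file and flags the kinds of events a Data Access Committee would want raised, namely root-credential API calls, calls from outside the institution's networks, console logins without MFA, and access-denied errors against the data. The record field names (eventTime, eventSource, eventName, userIdentity, sourceIPAddress, requestParameters, responseElements, additionalEventData, errorCode) are real CloudTrail fields; the five records in SAMPLE_LOG, the account id, bucket name and the 198.51.100.0/24 allow-list are constructed for this example.

```python
"""Triage of AWS CloudTrail records (added example; not from the AWS whitepaper).

CloudTrail delivers JSON files whose top-level "Records" list holds one object
per API call. Everything in SAMPLE_LOG below is constructed and describes no
real account; the field names are the real CloudTrail record fields.
"""
import ipaddress
import json

# Constructed sample of a delivered CloudTrail log file.
SAMPLE_LOG = json.dumps({"Records": [
    {"eventTime": "2014-12-01T14:02:11Z", "eventSource": "s3.amazonaws.com",
     "eventName": "GetObject", "sourceIPAddress": "198.51.100.23",
     "userIdentity": {"type": "IAMUser", "userName": "collaborator-a",
                      "arn": "arn:aws:iam::123456789012:user/collaborator-a"},
     "requestParameters": {"bucketName": "example-controlled-access", "key": "sample1.bam"},
     "responseElements": None},
    {"eventTime": "2014-12-01T14:05:40Z", "eventSource": "s3.amazonaws.com",
     "eventName": "PutBucketAcl", "sourceIPAddress": "203.0.113.77",
     "userIdentity": {"type": "Root", "arn": "arn:aws:iam::123456789012:root"},
     "requestParameters": {"bucketName": "example-controlled-access"},
     "responseElements": None},
    {"eventTime": "2014-12-01T14:07:02Z", "eventSource": "signin.amazonaws.com",
     "eventName": "ConsoleLogin", "sourceIPAddress": "198.51.100.9",
     "userIdentity": {"type": "IAMUser", "userName": "collaborator-b"},
     "requestParameters": None, "responseElements": {"ConsoleLogin": "Success"},
     "additionalEventData": {"MFAUsed": "No"}},
    {"eventTime": "2014-12-01T14:08:30Z", "eventSource": "s3.amazonaws.com",
     "eventName": "GetObject", "sourceIPAddress": "198.51.100.9",
     "userIdentity": {"type": "IAMUser", "userName": "collaborator-b"},
     "requestParameters": {"bucketName": "example-controlled-access", "key": "sample2.bam"},
     "responseElements": None, "errorCode": "AccessDenied",
     "errorMessage": "Access Denied"},
    {"eventTime": "2014-12-01T14:10:05Z", "eventSource": "ec2.amazonaws.com",
     "eventName": "RunInstances", "sourceIPAddress": "cloudformation.amazonaws.com",
     "userIdentity": {"type": "IAMUser", "userName": "pipeline-admin",
                      "invokedBy": "cloudformation.amazonaws.com"},
     "requestParameters": {"instanceType": "c3.xlarge"}, "responseElements": None},
]})


def load_records(log_text):
    """Parse one delivered CloudTrail file (a JSON object with a "Records" list)."""
    return json.loads(log_text).get("Records", [])


def caller_label(record):
    """Readable caller identity, i.e. the 'identity of the API caller'."""
    ident = record.get("userIdentity") or {}
    return ident.get("arn") or ident.get("userName") or ident.get("type", "unknown")


def source_is_allowed(record, allowed_networks):
    """True if the call came from an allow-listed network, or from an AWS service
    acting on the caller's behalf (CloudTrail then records a service hostname
    such as cloudformation.amazonaws.com instead of an IP address)."""
    src = record.get("sourceIPAddress") or ""
    try:
        ip = ipaddress.ip_address(src)
    except ValueError:
        return src.endswith(".amazonaws.com")
    return any(ip in net for net in allowed_networks)


def triage(log_text, allowed_cidrs):
    """Return (eventTime, rule, detail) findings, in record order."""
    allowed_networks = [ipaddress.ip_network(c) for c in allowed_cidrs]
    findings = []
    for rec in load_records(log_text):
        when = rec.get("eventTime")
        event = f"{rec.get('eventSource')}:{rec.get('eventName')}"
        who = caller_label(rec)
        src = rec.get("sourceIPAddress")
        # Root credentials should never be used for day-to-day API calls.
        if (rec.get("userIdentity") or {}).get("type") == "Root":
            findings.append((when, "root-api-call", f"{event} by {who}"))
        # Calls from outside the institution's networks need explanation.
        if not source_is_allowed(rec, allowed_networks):
            findings.append((when, "unexpected-source-ip", f"{event} by {who} from {src}"))
        # Console logins without MFA weaken the user-account controls.
        if rec.get("eventName") == "ConsoleLogin" and \
                (rec.get("additionalEventData") or {}).get("MFAUsed") == "No":
            findings.append((when, "console-login-without-mfa", f"{who} from {src}"))
        # Denied requests show who is probing data they are not authorized for.
        if rec.get("errorCode") == "AccessDenied":
            findings.append((when, "access-denied", f"{event} by {who}"))
    return findings


if __name__ == "__main__":
    for when, rule, detail in triage(SAMPLE_LOG, ["198.51.100.0/24"]):
        print(when, rule, detail)
```

Running the script over the constructed log produces four findings: the root-credential PutBucketAcl (which also comes from an unlisted address), the MFA-less console login, and the AccessDenied GetObject; the CloudFormation-invoked RunInstances passes because CloudTrail records a service hostname rather than an IP for such calls. In practice the same functions would be run over each file CloudTrail delivers to the S3 bucket, with the allow-list taken from the institution's known egress ranges.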
The AWS incident management team employs industry-standard diagnostic procedures to drive resolution during business-impacting events within the AWS cloud platform. The operational systems that support the platform are extensively instrumented to monitor key operational metrics, and alarms are configured to automatically notify operations and management personnel when early warning thresholds are crossed on those key metrics. Staff operators provide 24 x 7 x 365 coverage to detect incidents and to manage their impact and resolution. An on-call schedule is used so that personnel are always available to respond to operational issues.

Authorizing Access to Data

Researchers using AWS in connection with controlled access datasets must only allow authorized users to access the data. Authorization is typically obtained either by approval from the Data Access Committee (DAC) or within the terms of the researcher's existing Data Use Certification (DUC). Once access is authorized, you can grant that access in one or more ways, depending on where the data reside and where the collaborator requiring access is located. The scenarios below cover the situations that typically arise:

- Provide the collaborator access within an AWS account via an IAM user (see User Accounts, Passwords and Access Control Lists)
- Provide the collaborator access to their own AWS accounts (see File Systems, Storage Volumes, and Databases)
- Open access to the AWS environment to an external network (see Internet, Networking, and Data Transfers)
