AWS solutions medium security documentation change
Summary
Added section on multimodal file storage lifecycle policies and security considerations including GuardDuty Malware Protection, file validation, and access controls
Security assessment
The change introduces security controls for uploaded files including malware scanning recommendations, access restrictions, and file validation. Explicitly recommends enabling GuardDuty Malware Protection which directly addresses security risks from malicious uploads.
Diff
diff --git a/solutions/latest/generative-ai-application-builder-on-aws/step-4-post-deployment-configuration.md b/solutions/latest/generative-ai-application-builder-on-aws/step-4-post-deployment-configuration.md index 114d987c7..ad5feb3d5 100644 --- a//solutions/latest/generative-ai-application-builder-on-aws/step-4-post-deployment-configuration.md +++ b//solutions/latest/generative-ai-application-builder-on-aws/step-4-post-deployment-configuration.md @@ -5 +5 @@ -Amazon S3 bucket versioning, lifecycle policies, and cross-Region replicationAmazon DynamoDB backupsAmazon CloudWatch dashboard and alarmsAmazon CloudWatch LogsCustom web domains with TLS v1.2 or higher certificatesScaling with Amazon KendraSetting up SSO using Idp federationManual User Pool configurationCustomizing login screenAdditional security considerations +Amazon S3 bucket versioning, lifecycle policies, and cross-Region replicationAmazon DynamoDB backupsAmazon CloudWatch dashboard and alarmsAmazon CloudWatch LogsCustom web domains with TLS v1.2 or higher certificatesScaling with Amazon KendraSetting up SSO using Idp federationManual User Pool configurationCustomizing login screenAdditional security considerationsMultimodal file storage and lifecycle @@ -97,0 +98,30 @@ Based on the use case for which you deploy the solution, review the following se +**Customizing lifecycle policies:** + +For production deployments, review and adjust the lifecycle policies based on your retention requirements. See [Setting lifecycle configuration on a bucket](https://docs.aws.amazon.com/AmazonS3/latest/userguide/how-to-set-lifecycle-configuration-intro.html) in the _Amazon Simple Storage Service User Guide_. + +## Multimodal file storage and lifecycle + +If you enabled multimodal input capabilities (**MultimodalEnabled** set to `Yes`) for your use case, the solution creates an Amazon S3 bucket to store uploaded files and a DynamoDB table to track file metadata. + +**Default lifecycle policies:** + + * **S3 files:** Automatically deleted after 48 hours + + * **DynamoDB metadata:** Records expire after 24 hours (conversation history TTL) + + + + +**Security considerations:** + + * Files are partitioned by use case ID, user ID, conversation ID and message ID and a file is stored with a UUID name instead. The mapping for the UUID to file names is available in the DynamoDB metadata table + + * Users can only access files they uploaded within their own conversations + + * File type validation is performed using magic number detection + + * We recommend enabling [Amazon GuardDuty Malware Protection for S3](https://docs.aws.amazon.com/guardduty/latest/ug/gdu-malware-protection-s3.html) to scan uploaded files for malicious content + + + +