AWS Security ChangesHomeSearch

AWS solutions documentation change

Service: solutions · 2026-02-22 · Documentation low

File: solutions/latest/cloud-migration-factory-on-aws/security.md

Summary

Added documentation sections for API Gateway TLS recommendations, CloudWatch monitoring, KMS key management, log retention configuration, and Amazon Bedrock integration including model selection and guardrail features.

Security assessment

The changes add security best practices documentation (TLS enforcement, monitoring, encryption controls) but don't reference any specific vulnerability or incident. New content describes security features like WAF restrictions, KMS controls, and Bedrock guardrails without evidence of addressing existing flaws.

Diff

diff --git a/solutions/latest/cloud-migration-factory-on-aws/security.md b/solutions/latest/cloud-migration-factory-on-aws/security.md
index dfd53e3b0..cef6db63c 100644
--- a//solutions/latest/cloud-migration-factory-on-aws/security.md
+++ b//solutions/latest/cloud-migration-factory-on-aws/security.md
@@ -5 +5 @@
-IAM rolesAmazon CognitoAmazon CloudFrontAWS WAF - Web Application Firewall
+IAM rolesAmazon CognitoAmazon CloudFrontAWS WAF - Web Application FirewallAmazon API GatewayAmazon CloudWatch Alarms / CanariesCustomer Managed AWS KMS KeysLog RetentionAmazon Bedrock
@@ -34,0 +35,77 @@ When configuring WAF IP restrictions, ensure that the IP address of your CMF aut
+## Amazon API Gateway
+
+This solution deploys Amazon API Gateway REST APIs and uses the default API endpoint and SSL certificate. The default API endpoint supports TLSv1 security policy. It is recommended to use the TLS_1_2 security policy to enforce TLSv1.2+ with your own custom domain name and custom SSL certificate. For more information, refer to [choosing a minimum TLS version for a custom domain in API Gateway](https://docs.aws.amazon.com/apigateway/latest/developerguide/apigateway-custom-domain-tls-version.html) and [configuring custom domains](https://docs.aws.amazon.com/apigateway/latest/developerguide/how-to-custom-domains.html) in the _Amazon API Gateway Developer Guide_.
+
+## Amazon CloudWatch Alarms / Canaries
+
+Amazon CloudWatch alarms help you monitor the solution’s functional and security assumptions are being followed. The solution includes logging and metrics for AWS Lambda functions and API Gateway endpoints. If additional monitoring is needed for your specific use case, you can configure CloudWatch alarms to monitor:
+
+  * **API Gateway Monitoring:**
+
+    * Set up alarms for 4XX and 5XX errors to detect unauthorized access attempts or API issues
+
+    * Monitor API Gateway latency to ensure performance
+
+    * Track the count of API requests to identify unusual patterns
+
+  * **AWS Lambda Function Monitoring:**
+
+    * Create alarms for Lambda function errors and timeouts
+
+    * Monitor Lambda function duration to ensure optimal performance
+
+    * Set up alarms for concurrent executions to prevent throttling
+
+
+
+
+You can create these alarms using the CloudWatch console or through AWS CloudFormation templates. For detailed instructions on creating CloudWatch alarms, refer to [Creating Amazon CloudWatch Alarms](https://docs.aws.amazon.com/AmazonCloudWatch/latest/monitoring/AlarmThatSendsEmail.html) in the _Amazon CloudWatch User Guide_.
+
+## Customer Managed AWS KMS Keys
+
+This solution uses encryption at rest for securing data and employs AWS managed keys for customer data. These keys are used to automatically and transparently encrypt your data before it is written to storage layers. Some users might prefer to have more control over their data encryption processes. This approach allows you to administer your own security credentials, offering a greater level of control and visibility. For more information, refer to [Basic Concepts](https://docs.aws.amazon.com/kms/latest/cryptographic-details/basic-concepts.html) and [AWS KMS Keys](https://docs.aws.amazon.com/kms/latest/developerguide/concepts.html#kms_keys) in the _AWS Key Management Service Developer Guide_.
+
+## Log Retention
+
+This solution captures application and service logs by creating Amazon CloudWatch logs groups in your account. By default, logs are kept for 10 years. You can adjust the LogRetentionPeriod parameter for each log group, switching to indefinite retention, or choosing a retention period between one day and 10 years based on your requirements. For more information, refer to [What is Amazon CloudWatch Logs?](https://docs.aws.amazon.com/AmazonCloudWatch/latest/logs/WhatIsCloudWatchLogs.html#cloudwatch-logs-features) in the _Amazon CloudWatch Logs User Guide_.
+
+## Amazon Bedrock
+
+The solution automatically selects the best available foundation model for your region during CloudFormation stack deployment. The selection process uses a Lambda function that calls `list_foundation_models()` and chooses the first available model from this priority order:
+
+  1. `anthropic.claude-sonnet-4-20250514-v1:0` (Sonnet 4)
+
+  2. `anthropic.claude-3-7-sonnet-20250219-v1:0` (Sonnet 3.7)
+
+  3. `anthropic.claude-3-5-sonnet-20241022-v2:0` (Sonnet 3.5v2)
+
+  4. `anthropic.claude-3-5-sonnet-20240620-v1:0` (Sonnet 3.5)
+
+  5. `anthropic.claude-3-sonnet-20240229-v1:0` (Sonnet 3)
+
+  6. `amazon.nova-pro-v1:0` (Nova Pro)
+
+
+
+
+You must enable the selected model in your AWS account through the Bedrock console to use the GenAI features. The solution’s core functionalities remain fully operational without enabling the GenAI features. Customers can choose to use the tool with manual inputs if they prefer not to use the AI-assisted capabilities.
+
+After deployment, you can find the selected model ARN in the CloudFormation stack outputs under the `GenAISelectedModelArn` field in the WPMStack.
+
+![CloudFormation stack output showing selected GenAI model ARN](/images/solutions/latest/cloud-migration-factory-on-aws/images/cloudformation-genai-model-output.png)
+
+![Amazon Bedrock model enablement interface](/images/solutions/latest/cloud-migration-factory-on-aws/images/bedrock-model-enablement.png)
+
+This solution’s default configuration will deploy Amazon Bedrock Guardrails in order to:
+
+  * Filter out harmful content
+
+  * Block prompt injections that are irrelevant to your use case
+
+
+
+
+![Amazon Bedrock Guardrails configuration interface](/images/solutions/latest/cloud-migration-factory-on-aws/images/bedrock-guardrails.png)
+
+For more information, refer to [Amazon Bedrock Guardrails](https://aws.amazon.com/bedrock/guardrails/). To opt out Guardrails in CMF solution, you can select false in template parameter section.
+