How is security implemented in AWS Transform for mainframe refactor?
Security is a core pillar of AWS Transform for mainframe refactor. Read this FAQ and see this page to discover what has been implemented to protect you and your data.
Is AWS Transform for mainframe refactor protected from malware and viruses?
All uploaded files are scanned with up-to-date antivirus software to detect malware and viruses and prevent them from entering the system.
Has AWS Transform for mainframe refactor been accredited to any security standards?
Like other AWS services, AWS Transform for mainframe refactor undergoes internal audits at the infrastructure level (for example, checks of resource configuration) and at the software stack level (for example, checks of library dependencies and known vulnerabilities). AWS Transform for mainframe refactor frequently goes through AppSec reviews by security experts, and we regularly perform penetration tests. Third-party auditors assess the security and compliance of new AWS Transform for mainframe refactor features against AWS security standards.
Is there an automated JML (Joiners, Movers, Leavers) process on AWS Transform for mainframe refactor?
The customer manages and controls the JML process through their own AWS accounts. In addition, AWS Transform for mainframe refactor accounts are disabled after 30 days of inactivity.
How does AWS Transform for mainframe refactor encrypt my data?
We keep all data in AWS Transform for mainframe refactor encrypted at rest and in transit. AWS Transform for mainframe refactor configures server-side encryption (SSE) on all dependent resources that store data (disks/volumes and databases). AWS Transform for mainframe refactor also uses HTTPS to encrypt traffic to the service APIs.
Are projects and services encrypted?
Yes. AWS Transform for mainframe refactor uses KMS for encryption.
Can I use my own KMS key for encryption?
No. Users of AWS Transform for mainframe refactor don’t manage any infrastructure-related features. AWS Transform for mainframe refactor manages the encryption using its own keys on behalf of the customer.
How are the AWS Transform for mainframe refactor keys managed? How is access to these keys protected and restricted?
AWS Transform for mainframe refactor keys are managed with AWS KMS, and access to them is restricted through least-privilege IAM roles.
Which transport encryption versions does AWS Transform for mainframe refactor support?
AWS Transform for mainframe refactor uses HTTPS for access to bluinsights.aws and supports both TLS 1.2 and TLS 1.3. All internal transport within the AWS Transform for mainframe refactor infrastructure is encrypted with TLS 1.2.
What encryption ciphers are used to encrypt data at rest?
AES-GCM with 256-bit keys is used to encrypt data at rest.
What is the rotation interval for AWS Transform for mainframe refactor encryption keys?
Yearly. Rotation is managed automatically by KMS and is monitored; a ticket is raised automatically if a rotation does not occur.
Is backup data appropriately encrypted?
Yes.
How often are solution services and components patched?
AWS Transform for mainframe refactor relies mainly on native AWS services (EFS, ECS, ECR, etc.), which are scanned and patched in accordance with the AWS security policy.
Does AWS Transform for mainframe refactor log all user access?
Yes.
How does AWS Transform for mainframe refactor restrict user permissions?
Controls are enforced at both the front-end and back-end layers every time a user tries to access a resource, service, data, etc. We rely on thousands of business rules and on Spring Security. In addition, AWS Transform for mainframe refactor runs each analysis in dedicated temporary containers, isolated per project and customer.
Which user permissions can I control in AWS Transform for mainframe refactor?
AWS Transform for mainframe refactor offers flexible access control: project owners can configure customized access roles from more than 50 different permissions for user actions, and use them to set each user's access level to specific features, actions and content. The People and Permissions documentation explains how to manage this.
Who can delete a project?
Project creators decide who can do that based on Profiles.
Are there any functions to auto-delete the data in AWS Transform for mainframe refactor (e.g. when the expiration date is reached or when there is no operation for a certain period)?
No. You have to do it manually. The content is yours and you have full control over it.
Do I need to upload my source code to AWS Transform for mainframe refactor?
Yes. You need to upload the source code of the legacy applications to be modernized. You will have full control over who can view it.
Do I need to upload sensitive or private data to AWS Transform for mainframe refactor?
No. Don’t do that. The data needed for the modernization project (usually test cases) does not need to be uploaded to AWS Transform for mainframe refactor.
Can data and metadata (such as reports) be exported?
AWS Transform for mainframe refactor allows exporting data and reports in XLSX format. However, only users authorized by the project owner can do so.
Who has access to my uploaded source code?
An AWS Transform for mainframe refactor project owner manages and controls individual user rights by granting specific types of user permissions.
Is it possible for AWS Transform for mainframe refactor staff to access my data?
The SecOps team (part of the service team) does not access customer data. They access the infrastructure but not customer data: their access is limited to an IAM role and to security groups tied to a bastion host.
Is there any way to extract data stored in AWS Transform for mainframe refactor, where our programs are kept, to an outside location?
You decide who can do what on your projects (see People and Permissions documentation).
Do my actions run on a dedicated or multi-tenant infrastructure? How does AWS Transform for mainframe refactor isolate my runs from those of other customers?
AWS Transform for mainframe refactor is a multi-tenant SaaS application. Even though customers are partially sharing a common IT infrastructure, their projects/contents are isolated so that the actions of one tenant cannot compromise the data or service of another tenant.
Concretely, customer data is stored in a dedicated folder within AWS EFS, with each customer having their own individual folder. Access to a customer's folder in EFS is protected at the application level using JWT, Spring Security and business rules.
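The per-tenant folder check described above, as an added illustration in Python that is not the service's own code: a verified token (here a minimal HS256-signed JWT built with only the standard library, standing in for whatever the service actually issues) supplies the tenant id, and every requested path is normalized and confirmed to stay inside that tenant's folder. The mount point `/efs/customers`, the signing key and the claim names are assumptions made for this example.

```python
import base64
import hashlib
import hmac
import json
import posixpath
import time

# Constructed signing secret for this example only; the real service's keys
# live in AWS KMS and are never visible to users.
SIGNING_KEY = b"example-only-signing-secret"

# Hypothetical EFS mount point; each tenant owns one folder beneath it.
EFS_ROOT = "/efs/customers"


def b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def issue_token(user: str, tenant: str, ttl_seconds: int = 3600, now=None) -> str:
    """Build a minimal HS256-signed JWT carrying the caller's tenant claim."""
    now = time.time() if now is None else now
    header = b64url_encode(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    claims = b64url_encode(
        json.dumps({"sub": user, "tenant": tenant, "exp": int(now + ttl_seconds)}).encode()
    )
    signature = hmac.new(SIGNING_KEY, f"{header}.{claims}".encode(), hashlib.sha256).digest()
    return f"{header}.{claims}.{b64url_encode(signature)}"


def verify_token(token: str, now=None) -> dict:
    """Return the claims only if the signature and expiry check out."""
    now = time.time() if now is None else now
    parts = token.split(".")
    if len(parts) != 3:
        raise PermissionError("malformed token")
    header, claims, signature = parts
    expected = hmac.new(SIGNING_KEY, f"{header}.{claims}".encode(), hashlib.sha256).digest()
    try:
        # Constant-time comparison so the check does not leak timing information.
        if not hmac.compare_digest(expected, b64url_decode(signature)):
            raise PermissionError("bad signature")
        body = json.loads(b64url_decode(claims))
    except ValueError:
        raise PermissionError("undecodable token")
    if body.get("exp", 0) <= now:
        raise PermissionError("token expired")
    tenant = body.get("tenant")
    if not tenant or "/" in tenant or tenant in (".", ".."):
        raise PermissionError("missing or invalid tenant claim")
    return body


def resolve_tenant_path(token: str, requested: str, now=None) -> str:
    """Map a project-relative path onto the caller's own tenant folder.

    The tenant id comes from the verified token, never from the request,
    and the normalized result must remain inside that tenant's folder.
    """
    claims = verify_token(token, now)
    tenant_root = posixpath.join(EFS_ROOT, claims["tenant"])
    # normpath collapses "." and ".." segments; the prefix check then rejects
    # anything that escaped the tenant folder (e.g. "../other-tenant/...").
    candidate = posixpath.normpath(posixpath.join(tenant_root, requested.lstrip("/")))
    if candidate != tenant_root and not candidate.startswith(tenant_root + "/"):
        raise PermissionError("path escapes tenant folder")
    return candidate


if __name__ == "__main__":
    token = issue_token("alice", "acme")
    print(resolve_tenant_path(token, "src/PAYROLL.cbl"))
    try:
        resolve_tenant_path(token, "../beta/src/PAYROLL.cbl")
    except PermissionError as err:
        print("rejected:", err)
```

The tenant never comes from the request body or URL, only from the verified token, and the `normpath` plus prefix check is what turns `../` attempts into a `PermissionError`; comparing against `tenant_root + "/"` rather than `tenant_root` alone also keeps tenant `acme` from reaching a sibling folder such as `acme-old`.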
Is my data backed up in case of an emergency?
Yes, data is backed up daily and we can perform a full backup recovery in case of a system-wide emergency.
What service is used to create and store the backups created by AWS Transform for mainframe refactor?
AWS Backup.
Can I delete my data and their backups?
Yes. When you request deletion of your content, AWS Transform for mainframe refactor deletes it together with its backups almost immediately: within a few minutes for the content and within 24 hours for its backups.
Who can download my project artifacts?
All the download rights are described here.
How long will my source code be stored on AWS Transform for mainframe refactor?
Customers decide to keep or delete their projects on AWS Transform for mainframe refactor.
Please describe all the AWS and non-AWS services that are used to store customer data.
AWS Transform for mainframe refactor relies only on native AWS services, i.e. EFS, Aurora and AWS Backup.
Which technical controls are used to segregate customer data on AWS Transform for mainframe refactor services?
Multiple hardware and software layers including but not limited to different disk partitions, different isolated containers, JWT tokens, etc. More details are available at Security
How is network security monitored?
AWS Transform for mainframe refactor identifies threats by monitoring the network activity and platform behavior (Logs/Audits and Incident Response are configured).
Does AWS Transform for mainframe refactor implement an IP filtering mechanism?
Yes, using a WAF.
Are there any solutions in place to deal with DDoS?
There is a limitation on the number of requests per IP.
Is there a network perimeter/Firewalls to protect the overall service and restrict external user connectivity to specified ports and protocols?
Yes. Inbound access is restricted to necessary traffic from allowed IP addresses only. Network access from outside is permitted only to the AWS Transform for mainframe refactor portal; all other traffic is blocked.
How can customers restrict their employees to accessing the AWS Transform for mainframe refactor portal only from corporate networks?
Customers manage the AWS accounts of their employees.
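The IP filtering, per-IP request limit and allow-listed inbound access mentioned in the three answers above, as an added Python illustration that is not the service's WAF configuration: a CIDR allow-list check followed by a sliding-window per-IP limiter, replayed over a constructed request log. The networks, the limit and the window size are invented for this example.

```python
import ipaddress
from collections import defaultdict, deque

# Constructed allow-list; the service's real WAF rules are not published.
ALLOWED_NETWORKS = [ipaddress.ip_network(n) for n in ("203.0.113.0/24", "2001:db8::/32")]


def ip_allowed(client_ip: str, networks=None) -> bool:
    """True only if client_ip parses and falls inside one allowed network."""
    networks = ALLOWED_NETWORKS if networks is None else networks
    try:
        addr = ipaddress.ip_address(client_ip)
    except ValueError:
        return False  # an unparsable source address is dropped, never waved through
    return any(addr in net for net in networks)


class PerIpRateLimiter:
    """Sliding-window limiter: at most `limit` requests per `window_seconds` per IP."""

    def __init__(self, limit: int, window_seconds: float):
        self.limit = limit
        self.window = window_seconds
        self._hits = defaultdict(deque)  # ip -> timestamps of recent accepted requests

    def allow(self, ip: str, now: float) -> bool:
        recent = self._hits[ip]
        cutoff = now - self.window
        while recent and recent[0] <= cutoff:  # forget requests older than the window
            recent.popleft()
        if len(recent) >= self.limit:
            return False  # budget exhausted: answer 429 and log the client
        recent.append(now)
        return True


def decide(request_log, limiter):
    """Apply the allow-list and then the per-IP limit to (ip, timestamp) pairs."""
    verdicts = []
    for ip, ts in request_log:
        if not ip_allowed(ip):
            verdicts.append((ip, ts, "blocked"))
        elif not limiter.allow(ip, ts):
            verdicts.append((ip, ts, "throttled"))
        else:
            verdicts.append((ip, ts, "allowed"))
    return verdicts


# Constructed request log: (source IP, seconds since start).
SAMPLE_LOG = [
    ("203.0.113.10", 0.0),
    ("203.0.113.10", 1.0),
    ("203.0.113.10", 2.0),
    ("203.0.113.10", 3.0),   # fourth request inside a 10 s window
    ("198.51.100.7", 3.0),   # not on the allow-list
    ("2001:db8::1", 4.0),
    ("203.0.113.10", 11.0),  # the t=0 and t=1 hits have aged out by now
    ("not-an-ip", 12.0),
]

if __name__ == "__main__":
    for verdict in decide(SAMPLE_LOG, PerIpRateLimiter(limit=3, window_seconds=10)):
        print(*verdict)
```

Only accepted requests count against the budget, so a client that is already being throttled cannot extend its own penalty, and the allow-list runs first so that filtered sources never consume limiter state.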
Does AWS Transform for mainframe refactor include an activity report?
Yes. AWS Transform for mainframe refactor logs project events that can be consulted by allowed team members in the activities feed and in email reports (see Notifications management).
What are the activities captured in the application logs?
All the actions performed by the project team members.
Can you share the project activities with the customer?
Application logs are accessible directly in the AWS Transform for mainframe refactor project.
Can security logs be viewed in real time?
Yes, they can be viewed in CloudWatch in real time (not by AWS Transform for mainframe refactor users but by the service team). As a reminder, the infrastructure belongs to the service.
Are security logs available for export?
No.
Can you confirm that all user activities are logged?
Yes.
Can log files be changed or deleted by users?
No.
What audit logs are captured by the service team?
What is the retention period for audit logs?
10 years (similar to all AWS services).
By whom and how are audit logs monitored and reviewed?
By the AWS service team using the following AWS services:
Does AWS Transform for mainframe refactor provide the capability of setting alerts on suspicious logins (e.g. by location or time) and data access (e.g. batch access)?
Access to AWS Transform for mainframe refactor is done through AWS accounts fully managed by the customer.
Is it possible for log files to be provided as a feed to a customer?
No.
How do permissions work for Transformation Center projects?
See https://bluinsights.aws/docs/transformation-center-create-a-project/#build-your-team.
Can I set permissions on Runs for a specific user (e.g. only run Transform or generate the Weather Report)?
No. See https://bluinsights.aws/docs/transformation-center-create-a-project/#build-your-team for Transformation Center permissions.
Can I remove a member from my projects?
Yes. See https://bluinsights.aws/docs/quick-start-get-started#deny-members-access-to-the-project.
How can I view, audit and export the activities of my project?
You can download activities in your project settings.