System Requirements

An AWS account is needed to deploy ADAPT to the AWS Cloud environment. To install, the State needs a user with IAM admin access to the AWS account who can issue CLI security credentials.

In addition, we recommend using GitHub Actions to support the deployment of ADAPT. We have provided alternative options if States don’t have a GitHub account.

Security

Security is an essential aspect of the overall system architecture. We adopted AWS’ Shared Responsibility Model, in which AWS assumes responsibility for the security of the cloud, and the customer ensures security in the cloud. ADAPT resides entirely within the AWS Cloud and utilizes access controls provided by AWS through Identity & Access Management (IAM) policies and roles. Following the security principle of granting least privilege, these security policies and roles can be managed by the State in the AWS Console and configured in the CDK code base.

Authentication

  1. User-to-System access is controlled and configured using Amazon Cognito and AWS IAM permissions that are granted to a user based on their ADAPT Admin account.

    • All ADAPT Admin users must be authenticated using the State’s SAML identity provider, usually Active Directory, to access the ADAPT Admin application.

    • Password requirements are enforced by the State’s identity provider and can include MFA and password rotation policies.

    • User accounts in ADAPT Admin are given no access to data by default. A user with the SuperAdmin role must elevate a new user’s role before any data is visible or editable by a user.

    • A SuperAdmin user or the State’s IT manager can revoke any user’s access to ADAPT Admin.

  2. Admin-to-System access is managed through the AWS Console. The State’s AWS administrator can monitor cloud activity and data logs through the AWS Console and may grant access to other users through methods supported by the AWS Console.

  3. System-to-System access is managed using AWS IAM policies assigned to service roles.
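The service-role policies mentioned above are where least privilege is actually expressed. The following Python example is added here and is not code from ADAPT or its CDK code base: it shows a constructed least-privilege policy for a hypothetical data-fetch service role (read/write on one S3 prefix, read of one Secrets Manager secret) next to an over-broad policy, and a small checker that flags the patterns that defeat least privilege (wildcard actions, unscoped `*` resources, `s3:ListBucket` without a prefix condition). All bucket, secret and account identifiers are placeholders, not values from the page.

```python
import json

# Constructed example: a scoped policy for a hypothetical data-fetch service role.
# Bucket name, account id, region and secret name are placeholders.
DATA_FETCH_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "ReadWriteRawDataPrefix",
            "Effect": "Allow",
            "Action": ["s3:GetObject", "s3:PutObject"],
            "Resource": "arn:aws:s3:::example-adapt-data/raw/*",
        },
        {
            "Sid": "ListBucketRawPrefixOnly",
            "Effect": "Allow",
            "Action": "s3:ListBucket",
            "Resource": "arn:aws:s3:::example-adapt-data",
            "Condition": {"StringLike": {"s3:prefix": ["raw/*"]}},
        },
        {
            "Sid": "ReadDatabaseCredentials",
            "Effect": "Allow",
            "Action": "secretsmanager:GetSecretValue",
            "Resource": "arn:aws:secretsmanager:us-east-1:111122223333:secret:example/adapt/generate-db-*",
        },
    ],
}

# Constructed counter-example: grants far more than the role needs.
OVERBROAD_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "DoEverything",
            "Effect": "Allow",
            "Action": ["s3:*", "secretsmanager:GetSecretValue"],
            "Resource": "*",
        }
    ],
}


def _as_list(value):
    """IAM allows a single string or a list for Action/Resource; normalise to a list."""
    return value if isinstance(value, list) else [value]


def find_overbroad_statements(policy):
    """Return human-readable findings for Allow statements that exceed least privilege."""
    findings = []
    for statement in policy.get("Statement", []):
        if statement.get("Effect") != "Allow":
            continue
        sid = statement.get("Sid", "<no Sid>")
        actions = _as_list(statement.get("Action", []))
        resources = _as_list(statement.get("Resource", []))
        for action in actions:
            # "*" or "service:*" hands out every action of a service.
            if action == "*" or action.endswith(":*"):
                findings.append(f"{sid}: wildcard action {action!r}")
        for resource in resources:
            # A bare "*" resource is not scoped to any bucket, secret or ARN.
            if resource == "*":
                findings.append(f"{sid}: resource '*' is not scoped to an ARN")
        # Listing a whole bucket exposes every key unless limited by s3:prefix.
        if "s3:ListBucket" in actions and "Condition" not in statement:
            findings.append(f"{sid}: s3:ListBucket without an s3:prefix condition")
    return findings


def policy_is_least_privilege(policy):
    """True when the checker raises no findings."""
    return not find_overbroad_statements(policy)


if __name__ == "__main__":
    for name, policy in (("scoped", DATA_FETCH_POLICY), ("overbroad", OVERBROAD_POLICY)):
        print(name, "->", find_overbroad_statements(policy) or "no findings")
    # The JSON form is what you would hand to CDK's iam.PolicyDocument.fromJson().
    print(json.dumps(DATA_FETCH_POLICY, indent=2))
```

The checker is intentionally simple; it catches the three mistakes that most often creep into service-role policies, and running it in CI over the CDK-synthesised template is a cheap way to keep the least-privilege claim true as the code base changes.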

Roles and Permissions

Access to data in ADAPT Admin is restricted by a user’s assigned role. By default, an authorized user has read-only access to data views and reports.

ADAPT Admin has the following roles defined and the associated permissions for each role.

| Feature | Reader | Editor | Manager | Admin | Super Admin |
| --- | --- | --- | --- | --- | --- |
| Data Views | Read | Write | Write | Write | Write |
| Reports | Read | Write | Write, Publish | Read | Write, Publish |
| Data Sources | | | Read | Write | Write |
| Users | | | Read | Write | Write |
| Settings | | | Read | Write | Write |
Security Controls

[Figure: Security Controls Diagram. Shows how data is processed, stored, and transmitted, how data comes into and out of the system boundary, and the security controls for all inbound and outbound traffic.]
  • Data from the State’s Generate / CEDS DW reporting tables is fetched using a JDBC connection from the State’s AWS account and stored in Amazon S3. The data is transformed into parquet files and is encrypted using server-side encryption. Database connection information is securely stored using AWS Secrets Manager. Access to all of these services is controlled using AWS IAM roles assigned to users based on their ADAPT Admin user account role.

  • Authenticated ADAPT Admin users with editor permissions may upload data files (CSV, HTML, DOC) through the ADAPT Admin web application. These files are uploaded securely via the ADAPT Admin REST API and stored securely in Amazon S3.

  • Access to the ADAPT Admin web application is controlled using Amazon Cognito and AWS IAM permissions. User authentication is performed by a State’s SAML identity provider, usually Active Directory.

  • Before data is published for public view on the ADAPT Viewer application, it is suppressed and stored in Amazon S3 separately from unsuppressed data. The ADAPT Viewer API serves published data via the ADAPT Viewer web application to public users.

  • All SSL/TLS certificates are issued and managed using AWS Certificate Manager and used with Amazon CloudFront using the TLSv1.2_2021 policy.
