# Security
Cloud security at AWS is the highest priority. As an AWS customer, you will benefit from a data center and network architecture built to meet the requirements of the most security-sensitive organizations.
Security is a shared responsibility between AWS and you. The [shared responsibility model](https://aws.amazon.com/compliance/shared-responsibility-model/) describes this as security *of* the cloud and security *in* the cloud:
+ **Security of the cloud** – AWS is responsible for protecting the infrastructure that runs AWS services in the AWS Cloud. AWS also provides you with services that you can use securely. The effectiveness of our security is regularly tested and verified by third-party auditors as part of the [AWS compliance programs](https://aws.amazon.com/compliance/programs/). To learn about the compliance programs that apply to Kinesis Video Streams, see [AWS Services in Scope by Compliance Program](https://aws.amazon.com/compliance/services-in-scope/).
+ **Security in the cloud** – Your responsibility is determined by the AWS service that you use. You are also responsible for other factors including the sensitivity of your data, your organization’s requirements, and applicable laws and regulations.
This documentation helps you understand how to apply the shared responsibility model when using Amazon Kinesis Video Streams with WebRTC. The following topics show you how to configure Amazon Kinesis Video Streams with WebRTC to meet your security and compliance objectives. You'll also learn how to use other AWS services that can help you to monitor and secure your Amazon Kinesis Video Streams with WebRTC resources.
**Topics**
+ [Control access to Amazon Kinesis Video Streams with WebRTC resources with AWS Identity and Access Management](kvswebrtc-how-iam.md)
+ [Compliance validation for Amazon Kinesis Video Streams with WebRTC](SERVICE-compliance.md)
+ [Resilience in Amazon Kinesis Video Streams with WebRTC](kvswebrtc-disaster-recovery-resiliency.md)
+ [Infrastructure security in Kinesis Video Streams with WebRTC](kvswebrtc-infrastructure-security.md)
+ [Security best practices for Amazon Kinesis Video Streams with WebRTC](kvswebrtc-security-best-practices.md)
+ [WebRTC encryption](kvswebrtc-encryption.md)
# Control access to Amazon Kinesis Video Streams with WebRTC resources with AWS Identity and Access Management
By using AWS Identity and Access Management (IAM) with Amazon Kinesis Video Streams with WebRTC, you can control whether users in your organization can perform a task using specific Kinesis Video Streams with WebRTC API operations and whether they can use specific AWS resources.
For more information about IAM, see the following:
+ [AWS Identity and Access Management (IAM)](https://aws.amazon.com/iam/)
+ [Getting started with IAM](https://docs.aws.amazon.com/IAM/latest/UserGuide/getting-started.html)
+ [IAM User Guide](https://docs.aws.amazon.com/IAM/latest/UserGuide/)
**Topics**
+ [Policy syntax](#policy-syntax)
+ [API actions](#kinesis-using-iam-actions)
+ [Amazon Resource Names (ARNs)](#kinesis-using-iam-arn-format)
+ [Grant other IAM accounts access to a Kinesis video stream](#how-iam-crossaccount)
+ [Example policies](#how-iam-policies)
## Policy syntax
An IAM policy is a JSON document that consists of one or more statements. Each statement is structured as follows:
```
{
"Statement":[{
"Effect":"effect",
"Action":"action",
"Resource":"arn",
"Condition":{
"condition":{
"key":"value"
}
}
}
]
}
```
There are various elements that make up a statement:
+ **Effect:** The *effect* can be `Allow` or `Deny`. By default, IAM users don't have permission to use resources and API actions, so all requests are denied. An explicit allow overrides the default. An explicit deny overrides any allows.
+ **Action**: The *action* is the specific API action for which you are granting or denying permission.
+ **Resource**: The resource that's affected by the action. To specify a resource in the statement, you need to use its Amazon Resource Name (ARN).
+ **Condition**: Conditions are optional. They can be used to control when your policy is in effect.
As you create and manage IAM policies, you might want to use the [IAM Policy Generator](https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies_create.html#access_policies_create-generator) and the [IAM Policy Simulator](https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies_testing-policies.html).
## API actions
In an IAM policy statement, you can specify any API action from any service that supports IAM. For Kinesis Video Streams with WebRTC, use the following prefix with the name of the API action: `kinesisvideo:`. For example: `kinesisvideo:CreateSignalingChannel`, `kinesisvideo:ListSignalingChannels`, and `kinesisvideo:DescribeSignalingChannel`.
To specify multiple actions in a single statement, separate them with commas as follows:
```
"Action": ["kinesisvideo:action1", "kinesisvideo:action2"]
```
You can also specify multiple actions using wildcards. For example, you can specify all actions whose name begins with the word "Get" as follows:
```
"Action": "kinesisvideo:Get*"
```
To specify all Kinesis Video Streams operations, use the asterisk (\$1) wild card as follows:
```
"Action": "kinesisvideo:*"
```
For the complete list of Kinesis Video Streams API actions, see the [https://docs.aws.amazon.com/kinesisvideostreams/latest/dg/API_Reference.html](https://docs.aws.amazon.com/kinesisvideostreams/latest/dg/API_Reference.html).
## Amazon Resource Names (ARNs)
Each IAM policy statement applies to the resources that you specify using their ARNs.
Use the following ARN resource format for Kinesis Video Streams:
```
arn:aws:kinesisvideo:region:account-id:channel/channel-name/code
```
For example:
```
"Resource": arn:aws:kinesisvideo::*:111122223333:channel/my-channel/0123456789012
```
You can get the ARN of a channel using [DescribeSignalingChannel](https://docs.aws.amazon.com/kinesisvideostreams/latest/dg/API_DescribeStream.html).
## Grant other IAM accounts access to a Kinesis video stream
You might need to grant permission to other IAM accounts to perform operations on Kinesis Video Streams with WebRTC signaling channels. A service role is an [IAM role](https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles.html) that a service assumes to perform actions on your behalf. An IAM administrator can create, modify, and delete a service role from within IAM. For more information, see [Create a role to delegate permissions to an AWS service](https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_create_for-service.html) in the *IAM User Guide*.
## Example policies
The following example policies demonstrate how you can control user access to your Kinesis Video Streams with WebRTC channels.
**Example 1: Allow users to get data from any signaling channel**
This policy allows a user or group to perform the `DescribeSignalingChannel`, `GetSignalingChannelEndpoint`, `ListSignalingChannels`, and `ListTagsForResource` operations on any signaling channel.
****
```
{
"Version":"2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Action": [
"kinesisvideo:Describe*",
"kinesisvideo:Get*",
"kinesisvideo:List*"
],
"Resource": "*"
}
]
}
```
**Example 2: Allow a user to create a signaling channel**
This policy allows a user or group to perform the `CreateSignalingChannel` operation.
```
{
"Statement": [
{
"Effect": "Allow",
"Action": [
"kinesisvideo:CreateSignalingChannel"
],
"Resource": "*"
}
]
}
```
**Example 3: Allow a user full access to all Kinesis Video Streams and Kinesis Video Streams with WebRTC resources**
This policy allows a user or group to perform any Kinesis Video Streams operation on any resource. This policy is appropriate for administrators.
****
```
{
"Version":"2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Action": "kinesisvideo:*",
"Resource": "*"
}
]
}
```
**Example 4: Allow a user to get data from a specific signaling channel**
This policy allows a user or group to get data from a specific signaling channel.
****
```
{
"Version":"2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Action": "kinesisvideo:DescribeSignalingChannel",
"Resource": "arn:aws:kinesisvideo:us-west-2:123456789012:channel/channel_name/0123456789012"
}
]
}
```
# Compliance validation for Amazon Kinesis Video Streams with WebRTC
To learn whether an AWS service is within the scope of specific compliance programs, see [AWS services in Scope by Compliance Program](https://aws.amazon.com/compliance/services-in-scope/) and choose the compliance program that you are interested in. For general information, see [AWS Compliance Programs](https://aws.amazon.com/compliance/programs/).
You can download third-party audit reports using AWS Artifact. For more information, see [Downloading Reports in AWS Artifact](https://docs.aws.amazon.com/artifact/latest/ug/downloading-documents.html).
Your compliance responsibility when using AWS services is determined by the sensitivity of your data, your company's compliance objectives, and applicable laws and regulations. For more information about your compliance responsibility when using AWS services, see [AWS Security Documentation](https://docs.aws.amazon.com/security/).
# Resilience in Amazon Kinesis Video Streams with WebRTC
The AWS global infrastructure is built around AWS Regions and Availability Zones. AWS Regions provide multiple physically separated and isolated Availability Zones, which are connected with low-latency, high-throughput, and highly redundant networking. You can use Availability Zones to design and operate applications and databases that automatically fail over between Availability Zones without interruption. Availability Zones are more highly available, fault tolerant, and scalable than traditional single or multiple data center infrastructures.
For more information about AWS Regions and Availability Zones, see [AWS Global Infrastructure](https://aws.amazon.com/about-aws/global-infrastructure/).
# Infrastructure security in Kinesis Video Streams with WebRTC
As a managed service, Kinesis Video Streams (including its WebRTC capability) is protected by the AWS global network security procedures that are described in the [Amazon Web Services: Overview of Security Processes](https://d0.awsstatic.com/whitepapers/Security/AWS_Security_Whitepaper.pdf) whitepaper.
You use AWS published API calls to access Kinesis Video Streams through the network. Clients must support Transport Layer Security (TLS) 1.2 or later. We recommend TLS 1.3 or later. Clients must also support cipher suites with perfect forward secrecy (PFS) such as Ephemeral Diffie-Hellman (DHE) or Elliptic Curve Ephemeral Diffie-Hellman (ECDHE). Most modern systems such as Java 7 and later support these modes.
Additionally, requests must be signed by using an access key ID and a secret access key that is associated with an IAM principal. Or you can use the [AWS Security Token Service](https://docs.aws.amazon.com/STS/latest/APIReference/Welcome.html) (AWS STS) to generate temporary security credentials to sign requests.
# Security best practices for Amazon Kinesis Video Streams with WebRTC
Amazon Kinesis Video Streams (including its WebRTC capability) provides a number of security features to consider as you develop and implement your own security policies. The following best practices are general guidelines and don’t represent a complete security solution. Because these best practices might not be appropriate or sufficient for your environment, treat them as helpful considerations rather than prescriptions.
For security best practices for your remote devices, see [Security Best Practices for Device Agents](https://docs.aws.amazon.com/iot/latest/developerguide/device-defender-DetectMetricsMessagesBestPract.html).
## Implement least privilege access
When granting permissions, you decide who is getting what permissions to which Kinesis Video Streams resources. You enable specific actions that you want to allow on those resources. Therefore you should grant only the permissions that are required to perform a task. Implementing least privilege access is fundamental in reducing security risk and the impact that could result from errors or malicious intent.
For example, a producer that sends data to Kinesis Video Streams requires only `PutMedia`, `GetStreamingEndpoint`, and `DescribeStream`. Do not grant producer applications permissions for all actions (`*`), or for other actions such as `GetMedia`.
For more information, see [Apply least-privilege permissions](https://docs.aws.amazon.com//IAM/latest/UserGuide/best-practices.html#grant-least-privilege).
## Use IAM roles
Producer and client applications must have valid credentials to access Kinesis video streams. You should not store AWS credentials directly in a client application or in an Amazon S3 bucket. These are long-term credentials that are not automatically rotated and could have a significant business impact if they are compromised.
Instead, you should use an IAM role to manage temporary credentials for your producer and client applications to access Kinesis video streams. When you use a role, you don't have to use long-term credentials to access other resources.
For more information, see the following topics in the *IAM user guide*:
+ [IAM Roles](https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles.html)
+ [Common scenarios for roles: users, applications, and services](https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_common-scenarios.html)
## Use CloudTrail to monitor API calls
Kinesis Video Streams with WebRTC is integrated with AWS CloudTrail, a service that provides a record of actions taken by a user, role, or an AWS service in Kinesis Video Streams with WebRTC.
Using the information collected by CloudTrail, you can determine the request that was made to Kinesis Video Streams with WebRTC, the IP address from which the request was made, who made the request, when it was made, and additional details.
For more information, see [Log API calls with AWS CloudTrail](kvswebrtc-monitoring-ct.md).
# WebRTC encryption
End to end encryption is a mandatory feature of Amazon Kinesis Video Streams with WebRTC, and Kinesis Video Streams enforces it on all the components, including signaling and media or data streaming. Regardless of whether the communication is peer-to-peer or relayed via Kinesis Video Streams TURN end points, all WebRTC communications are securely encrypted through standardized encryption protocols.
The signaling messages are exchanged using secure Websockets (WSS), data streams are encrypted using Datagram Transport Layer Security (DTLS), and media streams are encrypted using Secure Real-time Transport Protocol (SRTP).