Comprehensive Security Overview

1. Executive Summary

EdFiles is a secure, cloud-native document management platform purpose-built to safeguard client data. Security is a foundational principle of the EdFiles architecture, not an afterthought. This document provides a comprehensive overview of the security controls implemented across the infrastructure, application, data, and operational layers of the platform, incorporating the extensive security measures provided by Amazon Web Services (AWS).

EdFiles is hosted on AWS and leverages a defense-in-depth security model. Controls are applied at every layer of the stack—from AWS’s robust physical data center security to network-level threat filtering, encrypted data transmission, application-level access management, and audit logging. The platform is designed to meet the expectations of enterprise clients who require strong data protection, availability, and governance.

Security Controls Summary

Security Control | Description | Status
--- | --- | ---
Web Application Firewall | AWS WAF is configured with AWS Managed Rule Sets covering SQL injection, malicious input patterns, and IP reputation-based threats. | Active
DDoS Protection | Baseline mitigation via WAF rate limiting and AWS infrastructure defaults. | Active
TLS Encryption in Transit | HTTPS enforced across all communication channels. | Active
Encryption at Rest | Server-side encryption on all S3-stored documents. | Active
Secure File Access | Time-limited pre-signed URLs; no public file exposure. | Active
Authentication & RBAC | Secure login, role-based access control, session management. | Active
Multi-Factor Authentication | Email OTP verification available for all user accounts. | Active
Network Access Controls | ALB as sole public entry point; Security Groups enforce least-privilege access. | Active
Logging & Monitoring | WAF logs, access logs, error logs, traffic and anomaly monitoring. | Active
Backup & Recovery | Periodic backups of the EC2 instance, database, and S3 bucket are maintained to support recovery. | Active

2. AWS Shared Responsibility Model

Security and compliance at EdFiles operate under the AWS Shared Responsibility Model [1]. This model delineates the responsibilities between AWS and EdFiles to ensure a secure environment.

Security OF the Cloud (AWS Responsibility): AWS is responsible for protecting the infrastructure that runs all of the services offered in the AWS Cloud. This infrastructure comprises the hardware, software, networking, and facilities that run AWS Cloud services.

Security IN the Cloud (EdFiles Responsibility): EdFiles is responsible for the secure configuration and management of the AWS services used. This includes configuring the Web Application Firewall, managing identity and access controls, encrypting data at rest and in transit, and securing the application code.

3. Physical and Environmental Security (AWS Data Centers)

AWS manages the physical security of the data centers where EdFiles infrastructure resides. AWS employs a multi-layered approach to physical security [2]:

  • Environmental Layer: AWS selects data center sites carefully, prioritizing sustainability and resilience. AWS aims to power its operations with 100% renewable energy and has significantly reduced carbon emissions.
  • Perimeter Layer: Data centers are protected by security guards, fencing, threat detectors, and continuous surveillance. Access is strictly controlled, requires justification, and is monitored continuously.
  • Infrastructure Layer: This layer ensures the continuous operation of the data centers. It includes backup power equipment, HVAC systems, and fire suppression systems. Routine maintenance and redundancy in power, water, and telecommunications prevent interruptions.
  • Data Layer: The most critical layer holding customer data. Access is highly restricted and under constant surveillance. Any intrusion attempt triggers alerts and security cameras. AWS conducts frequent security audits and emergency simulations.

4. Infrastructure Security

EdFiles utilizes a layered, highly available architecture on AWS. All infrastructure components are configured according to AWS security best practices, ensuring network isolation, encrypted traffic, and automatic threat mitigation.

4.1 Web Application Firewall (AWS WAF)

EdFiles deploys AWS WAF attached to the Application Load Balancer (ALB) to inspect and filter all inbound HTTP/HTTPS traffic. The WAF provides critical protections [3]:

  • SQL Injection (SQLi) Prevention: Blocks malicious database query patterns.
  • Cross-Site Scripting (XSS) Mitigation: Detects and blocks script injection attempts.
  • Malicious Bot Filtering: Identifies and blocks automated scraping and credential stuffing.
  • IP Reputation-Based Blocking: Rejects traffic from known malicious IP ranges.
  • Rate Limiting: Protects against abuse and brute-force attempts.
  • Custom Security Rules: Tailored rule sets based on application-specific traffic.

4.2 Application Load Balancer (ALB)

The AWS Application Load Balancer serves as the secure entry point to the EdFiles platform. It functions primarily for HTTPS termination and as the attachment point for AWS WAF [3]. It ensures all client connections are encrypted and provides baseline resilience against traffic spikes.

4.3 DDoS Protection

EdFiles benefits from the inherent DDoS mitigation provided by the AWS platform. While a dedicated service like AWS Shield Advanced is not explicitly configured, default protections are active:

  • AWS WAF: Provides rate limiting and rule-based blocking for Layer 7 mitigation.
  • AWS Infrastructure-Level Protections: Built-in mitigation for common volumetric attacks at the network edge.
  • ALB Resilience: Inherent capacity to absorb traffic spikes.

5. Network Security

EdFiles employs robust network-level access controls to restrict the exposure of backend infrastructure.

  • Sole Public Entry Point: The ALB is the only public-facing entry point. All traffic must pass through the WAF and ALB.
  • Virtual Firewalls (Security Groups): AWS Security Groups act as virtual firewalls, permitting only explicitly whitelisted traffic between components.
  • Principle of Least Privilege: Backend services only accept traffic from the ALB, preventing direct public internet access.
  • Internal Communication: Service-to-service communication is restricted to defined, authorized traffic flows.
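An added audit helper (not EdFiles' own code) that checks the topology described above: the ALB security group is the only one reachable from the internet, and every backend group accepts traffic only from the ALB group or from explicitly authorized peer groups. Input mirrors the shape of the EC2 DescribeSecurityGroups response; the group IDs and rules below are constructed sample data.

```python
# Constructed sample data in the EC2 DescribeSecurityGroups shape (not real EdFiles IDs).
SAMPLE_GROUPS = [
    {"GroupId": "sg-alb00001", "IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443,
         "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "UserIdGroupPairs": []}]},
    {"GroupId": "sg-app00001", "IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 8080, "ToPort": 8080,
         "IpRanges": [], "UserIdGroupPairs": [{"GroupId": "sg-alb00001"}]},
        # Configuration drift: SSH opened to the world on a backend instance.
        {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
         "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "UserIdGroupPairs": []}]},
    {"GroupId": "sg-db000001", "IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 5432, "ToPort": 5432,
         "IpRanges": [], "UserIdGroupPairs": [{"GroupId": "sg-app00001"}]}]},
]
ALB_SG = "sg-alb00001"
ALLOWED_PEERS = {"sg-db000001": {"sg-app00001"}}  # authorized service-to-service flows


def audit_ingress(groups, alb_sg_id, allowed_peers=None):
    """Return (group_id, reason) for every ingress rule that breaks the intended topology."""
    allowed_peers = allowed_peers or {}
    findings = []
    for g in groups:
        gid = g["GroupId"]
        for perm in g.get("IpPermissions", []):
            proto = perm.get("IpProtocol", "-1")
            ports = f"{perm.get('FromPort', 'all')}-{perm.get('ToPort', 'all')}"
            is_https = proto == "tcp" and perm.get("FromPort") == 443 and perm.get("ToPort") == 443
            # Any CIDR source is public exposure unless it is HTTPS into the ALB itself.
            for r in perm.get("IpRanges", []) + perm.get("Ipv6Ranges", []):
                cidr = r.get("CidrIp") or r.get("CidrIpv6")
                if gid == alb_sg_id and is_https:
                    continue
                findings.append((gid, f"CIDR {cidr} allowed on {proto} {ports}"))
            # Group-to-group sources must be the ALB or an explicitly authorized peer.
            for pair in perm.get("UserIdGroupPairs", []):
                src = pair["GroupId"]
                if gid != alb_sg_id and src != alb_sg_id and src not in allowed_peers.get(gid, set()):
                    findings.append((gid, f"source group {src} not authorized on {proto} {ports}"))
    return findings
```

Run against live data by feeding it the `SecurityGroups` list from `describe_security_groups`; an empty result means the "sole public entry point" rule still holds.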

6. Data Security

Protecting client data is paramount. EdFiles employs industry-standard encryption and strict access control mechanisms.

6.1 Secure Document Storage (Amazon S3)

User documents are stored in Amazon S3 buckets configured for maximum privacy:

  • Strictly Private Buckets: No public access is permitted.
  • Public Access Block: Enforced at the account and bucket level to prevent accidental exposure.
  • IAM Policies: Access is controlled through tightly scoped AWS Identity and Access Management (IAM) policies [3].
  • Encryption at Rest: Server-side encryption (SSE) is enabled for all stored data.

6.2 Secure File Delivery via Pre-Signed URLs

Files are never served via static, public URLs. EdFiles utilizes time-limited pre-signed URLs:

  • Generated on demand for authenticated, authorized users.
  • Each URL has a cryptographic signature and an expiration timestamp.
  • Direct access to S3 is impossible without a valid pre-signed URL.
  • URLs grant read-only access, preventing modification or deletion.
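As an added illustration (not EdFiles code), here is a pure-standard-library sketch of how such a URL is produced and checked: AWS Signature Version 4 in query-string form, the scheme S3 pre-signed URLs use. The bucket, key, region, timestamps and credentials are constructed placeholders; production code should call the AWS SDK (for example boto3's generate_presigned_url) rather than reimplement signing.

```python
import datetime as dt
import hashlib
import hmac
import urllib.parse

# Constructed placeholder credentials; real code loads these from the AWS SDK credential chain.
ACCESS_KEY = "AKIAEXAMPLEPLACEHOLDER"
SECRET_KEY = "example-secret-placeholder"


def _hmac(key: bytes, msg: str) -> bytes:
    return hmac.new(key, msg.encode(), hashlib.sha256).digest()


def presign_get(bucket, key, region, expires, issued_at, access_key=ACCESS_KEY, secret_key=SECRET_KEY):
    """Build a read-only (GET) pre-signed URL valid for `expires` seconds from `issued_at` (Unix time)."""
    t = dt.datetime.fromtimestamp(issued_at, dt.timezone.utc)
    amz_date, datestamp = t.strftime("%Y%m%dT%H%M%SZ"), t.strftime("%Y%m%d")
    host = f"{bucket}.s3.{region}.amazonaws.com"
    uri = "/" + urllib.parse.quote(key)  # object key, RFC 3986 encoded, '/' kept
    scope = f"{datestamp}/{region}/s3/aws4_request"
    params = {  # every one of these is covered by the signature, including the lifetime
        "X-Amz-Algorithm": "AWS4-HMAC-SHA256",
        "X-Amz-Credential": f"{access_key}/{scope}",
        "X-Amz-Date": amz_date,
        "X-Amz-Expires": str(expires),
        "X-Amz-SignedHeaders": "host",
    }
    qs = "&".join(f"{k}={urllib.parse.quote(v, safe='')}" for k, v in sorted(params.items()))
    # Canonical request: method, path, query, canonical headers, signed headers, payload hash.
    canonical = f"GET\n{uri}\n{qs}\nhost:{host}\n\nhost\nUNSIGNED-PAYLOAD"
    to_sign = "\n".join(["AWS4-HMAC-SHA256", amz_date, scope,
                         hashlib.sha256(canonical.encode()).hexdigest()])
    # Key derivation chain; the long-term secret itself never leaves the server.
    k = _hmac(("AWS4" + secret_key).encode(), datestamp)
    for part in (region, "s3", "aws4_request"):
        k = _hmac(k, part)
    sig = hmac.new(k, to_sign.encode(), hashlib.sha256).hexdigest()
    return f"https://{host}{uri}?{qs}&X-Amz-Signature={sig}"


def url_is_valid_at(url, now):
    """Mirror S3's expiry check: valid only in [X-Amz-Date, X-Amz-Date + X-Amz-Expires)."""
    q = urllib.parse.parse_qs(urllib.parse.urlparse(url).query)
    issued = dt.datetime.strptime(q["X-Amz-Date"][0], "%Y%m%dT%H%M%SZ")
    issued_ts = int(issued.replace(tzinfo=dt.timezone.utc).timestamp())
    return issued_ts <= now < issued_ts + int(q["X-Amz-Expires"][0])
```

Because the lifetime, the object key and the HTTP method are all inside the signed data, lengthening the expiry or pointing the URL at another object invalidates the signature, and the URL can only ever perform the GET it was signed for.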

6.3 Encryption in Transit

All data transmitted between clients, the application, and AWS services is encrypted using TLS (Transport Layer Security). This protects against man-in-the-middle (MITM) attacks.

7. Application Security

The EdFiles application layer implements stringent security controls for user identity, access permissions, and session management.

7.1 Authentication & Access Control

  • Secure Credential Authentication: Passwords are cryptographically hashed; plaintext passwords are never stored.
  • Role-Based Access Control (RBAC): User permissions are based on assigned roles, ensuring least privilege access.
  • Session Management: Authenticated sessions use secure, server-issued tokens with automatic expiration.

7.2 Multi-Factor Authentication (MFA)

EdFiles supports MFA, requiring a one-time passcode (OTP) delivered via email at each login. This significantly mitigates risks associated with compromised credentials, phishing, and brute-force attacks.

8. Logging, Monitoring, and Auditing

Continuous visibility into system health and security events is maintained using AWS-native capabilities.

  • Access Logs: Records of inbound requests and authentication events.
  • Application Error Logs: Captures exceptions for rapid diagnosis.
  • WAF Logs: Detailed records of traffic evaluated and blocked by the WAF.

9. Backup & Availability

EdFiles is designed for high availability and data durability.

  • Amazon S3 Data Durability: S3 provides 99.999999999% (11 nines) data durability.
  • Periodic Backups: Regular snapshots of the EC2 instance, database, and S3 bucket are taken.
  • Backup Retention: Backups are retained to support point-in-time recovery in the event of a failure.

10. AWS Security Related Services Used by EdFiles

AWS Service | Purpose in EdFiles
--- | ---
Application Load Balancer (ALB) | Public-facing entry point; HTTPS termination and WAF attachment.
AWS WAF | Web application firewall; filters malicious traffic before it reaches the app.
AWS IAM | Identity and access management; controls which services and roles can access S3 and other resources.

References

[1] Simplifying the shared responsibility model: How to meet your cloud security obligations. Datadog. https://www.datadoghq.com/blog/shared-responsibility-model

[2] How AWS Manages and Maintains Their Massive Data Centres. TRG International. https://blog.trginternational.com/a-look-into-aws-data-centres

[3] EdFiles AWS Security Related Services. EdFiles Platform Documentation. https://www.edfiles.com/security