Mastering the Cloud: Module 4-AWS Cloud Security
The AWS shared responsibility model indicates which parts of security are handled by AWS and which parts customers are responsible for.
AWS is responsible for 'security of the cloud', i.e. everything related to the physical implementation, such as systems and facilities.
Customers are responsible for 'security in the cloud', i.e. securing every application and dataset that they deploy in the cloud.
Under the software virtualization layer, AWS operates and controls the compute, storage, database, and networking services; under the hardware layer, it is responsible for all the global infrastructure components such as Regions, Availability Zones, and edge locations.
The customer is responsible for encrypting data, configuring the network securely, managing security credentials and logins safely, firewall configuration, operating system security, etc.
AWS Security Responsibilities
1. Physical security of data centers (controlled, need-based access).
2. Hardware and software infrastructure (storage decommissioning, host operating system access logging, auditing, and securing edge locations).
3. Network infrastructure (intrusion detection).
4. Virtualization infrastructure (instance isolation).
Examples: AWS Lambda, Amazon RDS, AWS Elastic Beanstalk.
Customer Security Responsibilities
1. Amazon EC2 instance operating system (including patching and maintenance).
2. Applications (passwords, role-based access).
3. Security group configuration and managing IAM and ACL settings.
4. OS or host-based firewalls (including intrusion detection and prevention systems).
5. Network configuration.
6. Account management (login and permission settings for each user).
Examples: Amazon EC2, Amazon EBS, Amazon VPC.
Service Characteristics and Security Responsibility
1. Infrastructure as a Service (IaaS):
-> The customer has more flexibility in configuring networking and storage settings (private, public and community cloud).
-> The customer is responsible for managing more of the security.
-> The customer configures the access controls.
Examples: Amazon EC2, EBS, VPC.
2. Platform as a Service (PaaS):
-> The customer does not need to manage the underlying infrastructure.
-> AWS handles the operating system, database patching, firewall configuration, and disaster recovery.
-> The customer can focus on managing code or data.
-> Maintains and organizes the community, public, and hybrid cloud.
Examples: AWS Lambda, RDS, Elastic Beanstalk.
3. Software as a Service (SaaS):
-> The software is centrally hosted.
-> Licensed on a subscription or pay-as-you-go basis.
-> Services are typically accessed via a web browser, a mobile app, or an API.
-> Customers do not need to manage the infrastructure that supports the service (it handles the private, community, and hybrid cloud).
Examples: AWS Trusted Advisor, AWS Shield, Amazon Chime, Amazon Rekognition.
AWS Identity and Access Management (IAM)
-> IAM lets us control access to all our AWS services using policies, assigning them to specific users to define operational groups such as system administrators, database administrators, and storage and security administrators.
-> It is a no-cost AWS account feature.
-> IAM handles authentication and verifies that access is authorized for a specific purpose.
-> IAM is the tool that centrally manages who has access to launch, configure, manage, and terminate resources in your AWS account.
IAM Essential Components
1. 'IAM user': a person or application that can authenticate with an AWS account.
2. 'IAM group': a collection of IAM users that are granted identical authorization; used to assign permissions to each team.
3. 'IAM policy': the document that defines which resources can be accessed and the level of access allowed.
4. 'IAM role': a mechanism for granting a set of permissions for making AWS service requests; it is also a secure way of calling AWS services through the AWS API from EC2 instances.
Authenticate as an IAM User to Gain Access
1. Programmatic access
-> Authenticate using an access key ID and secret access key, which provide AWS CLI and AWS SDK access.
2. AWS Management Console access
-> Authenticate using the 12-digit account ID along with an IAM username and IAM password.
-> If multi-factor authentication (MFA) is enabled, the console also prompts for an authentication code, which provides increased security.
-> We follow the principle of least privilege, so that the permissions granted allow only the resources and operations that are required.
IAM Policies
-> It is a document in JSON (JavaScript Object Notation) that defines permissions to enable fine-grained access control.
1. Identity-based IAM policies
-> Attached to an IAM entity (user, group, or role).
-> Policies specify the actions that may or may not be performed by the entity.
-> A single policy can be attached to multiple entities.
-> A single entity can have multiple policies attached to it.
2. Resource-based IAM policies
-> Attached to a resource such as an S3 bucket.
Note: The mandatory elements of an IAM policy are Effect and Action.
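A small policy checker, added here as an illustration (not code from the module or from AWS), that enforces the mandatory Effect and Action elements and flags the least-privilege problems a reviewer looks for in both identity-based and resource-based (S3 bucket) policies. The sample documents are constructed; the bucket name is a placeholder.

```python
import json

# Constructed sample: an identity-based policy that grants admin-level access.
OVER_PERMISSIVE = json.dumps({
    "Version": "2012-10-17",
    "Statement": [{"Effect": "Allow", "Action": "*", "Resource": "*"}],
})

# Constructed sample: a resource-based (S3 bucket) policy open to any principal.
PUBLIC_BUCKET = json.dumps({
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Allow",
        "Principal": "*",                      # anonymous access
        "Action": "s3:GetObject",
        "Resource": "arn:aws:s3:::example-bucket/*",   # placeholder bucket
    }],
})


def _as_list(value):
    """IAM allows a string or a list for Statement, Action and Resource."""
    return value if isinstance(value, list) else [value]


def lint_policy(document):
    """Return a list of findings (empty list means the policy passed)."""
    findings = []
    statements = _as_list(json.loads(document).get("Statement", []))
    if not statements:
        findings.append("policy has no Statement")
    for i, st in enumerate(statements):
        for key in ("Effect", "Action"):        # mandatory elements
            if key not in st:
                findings.append(f"statement {i}: missing mandatory element {key}")
        if st.get("Effect") not in ("Allow", "Deny", None):
            findings.append(f"statement {i}: Effect must be Allow or Deny")
        if st.get("Effect") != "Allow":
            continue                            # Deny statements never widen access
        actions = _as_list(st.get("Action", []))
        resources = _as_list(st.get("Resource", []))
        if "*" in actions and "*" in resources:
            findings.append(f"statement {i}: Allow on all actions and all resources (admin-level)")
        elif any(a == "*" or a.endswith(":*") for a in actions):
            findings.append(f"statement {i}: wildcard action grant {actions}")
        principal = st.get("Principal")
        anonymous = principal == "*" or (isinstance(principal, dict) and principal.get("AWS") == "*")
        if anonymous and "Condition" not in st:
            findings.append(f"statement {i}: resource policy allows any Principal with no Condition")
    return findings
```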
Securing a New AWS Account
-> Do not use the AWS account root user except when necessary.
-> The account root user signs in to the AWS Management Console with an email address and password, and has full access to all resources; its privileges cannot be restricted.
-> Instead, use IAM identities because IAM:
1. Integrates with other AWS services.
2. Supports identity federation and granular permissions.
3. Provides secure access for applications.
Steps to Secure a New AWS Account
-> After creating an IAM user and adding it to a group (or an organization if necessary), stop using the account root user for day-to-day work.
-> Enable multi-factor authentication (MFA) for all IAM users.
-> Use AWS CloudTrail.
-> Enable a billing report such as the AWS Cost & Usage Report.
-> AWS recommends deleting the access keys of the account root user.
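The checks in the steps above (root access keys, MFA for every user with console access) can be run against the IAM credential report. The following is an added example, not code from the module; the report text is a constructed sample that uses a subset of the report's real columns, and the account ID is a placeholder.

```python
import csv
import io

# Constructed sample in the layout of the IAM credential report. The real
# report has more columns (last-used dates, rotation dates, certificates);
# csv.DictReader ignores columns this code does not read.
SAMPLE_REPORT = """user,arn,password_enabled,mfa_active,access_key_1_active,access_key_2_active
<root_account>,arn:aws:iam::123456789012:root,not_supported,false,true,false
alice,arn:aws:iam::123456789012:user/alice,true,true,true,false
bob,arn:aws:iam::123456789012:user/bob,true,false,false,false
deploy-bot,arn:aws:iam::123456789012:user/deploy-bot,false,false,true,false
"""


def audit_credential_report(report_csv):
    """Apply the account-hardening checks to a credential report.

    Returns a dict mapping each check to the list of user names failing it.
    """
    findings = {
        "root_has_access_keys": [],      # root keys should be deleted
        "root_without_mfa": [],          # root should be MFA-protected
        "console_user_without_mfa": [],  # every console login needs MFA
    }
    for row in csv.DictReader(io.StringIO(report_csv)):
        user = row["user"]
        has_key = (row["access_key_1_active"] == "true"
                   or row["access_key_2_active"] == "true")
        mfa = row["mfa_active"] == "true"
        if user == "<root_account>":
            if has_key:
                findings["root_has_access_keys"].append(user)
            if not mfa:
                findings["root_without_mfa"].append(user)
            continue
        # Programmatic-only users (no password) are not console logins,
        # so MFA is only required where password_enabled is true.
        if row["password_enabled"] == "true" and not mfa:
            findings["console_user_without_mfa"].append(user)
    return findings


if __name__ == "__main__":
    for check, users in audit_credential_report(SAMPLE_REPORT).items():
        print(f"{check}: {users or 'ok'}")
```

A real report is obtained with `aws iam generate-credential-report` followed by `aws iam get-credential-report` (the Content field is base64-encoded CSV).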
Security Features of AWS Organizations
-> Group AWS accounts into organizational units.
-> Integration with and support for IAM.
-> Use service control policies (SCPs).
AWS Key Management Service (KMS)
-> Enables you to create and manage encryption keys.
-> Enables you to control the use of encryption across AWS services and in your applications.
-> Integrates with AWS CloudTrail to log all key usage.
-> Uses hardware security modules (HSMs) validated under the Federal Information Processing Standards (FIPS) to protect the keys.
Amazon Cognito Features
-> Adds user sign-up, sign-in, and access control to your web and mobile applications, scales to millions of users, and supports SAML (Security Assertion Markup Language).
AWS Shield
-> A managed distributed denial of service (DDoS) protection service that safeguards applications running on AWS. (Note: AWS Shield, AWS Shield Advanced, Amazon CloudFront with Route 53, and AWS WAF protect against DDoS attacks.)
-> Provides always-on detection and automatic inline mitigation for network (layer 3) and transport (layer 4) attacks.
-> AWS Shield Standard is offered to all customers by default at no additional cost.
-> Mainly used to minimize application downtime and latency.
Securing Data
1. Encryption of data:
-> The AWS account owner has control of the data in an AWS account.
-> AWS supports encryption of data at rest (i.e. data physically stored on disk or tape); only those who hold the secret key, which is managed by AWS KMS, can access and decode the data.
-> It also supports encryption of data in transit through Transport Layer Security (TLS); AWS Certificate Manager provides a way to manage, deploy, and renew TLS/SSL certificates.
-> These SSL/TLS certificates are used to secure network communications and establish the identity of websites over the internet.
-> Newly created S3 buckets and objects are private and protected by default. The tools for controlling access are:
1. Amazon S3 Block Public Access
2. Bucket policies
3. Access control lists
4. AWS Trusted Advisor
AWS Compliance Programs
-> Compliance specifies the requirements for establishing, implementing, maintaining, and continually improving an information security management system.
-> AWS engages with certifying bodies and independent auditors to provide customers with detailed information about the policies, processes, and controls that AWS establishes and operates. There are several types:
1. Certifications and attestations
-> Asserted by an independent third-party auditor.
Examples: ISO 27001, ISO 27017, ISO 9001, etc.
2. Laws, regulations and privacy
-> AWS provides security features and legal agreements to support compliance with, for example, the EU GDPR and HIPAA.
3. Alignments and frameworks
-> Industry- or function-specific security or compliance requirements.
Examples: CIS, EU-US Privacy Shield certification.
AWS Config
-> Assesses, audits, and evaluates the configurations of AWS resources.
-> Automatically evaluates recorded configurations against the desired configurations, and lets you review configuration changes and history.
AWS Artifact
-> Provides on-demand downloads of AWS security and compliance documents and is the central resource for compliance-related information.
-> Access it directly from the AWS Management Console under:
Security, Identity & Compliance -> Artifact
— — — — — — — — — — — — — — — — — — — — — — — — — — — — — — — — — — — — —-
Congratulations! You've covered the essentials of securing your cloud environment in an ever-evolving threat landscape. This knowledge lets you build robust and secure cloud solutions on AWS.
Leave a comment below with any questions or cloud computing concepts you'd like to explore further!
In the next module, Module 5: Networking & Content Delivery, we'll navigate AWS networking and discover how to optimize data transfer and content delivery for your cloud applications.