MODULE 4: AWS Cloud Security
   1. AWS Cloud Security
   2. Securing a New AWS Account
   3. Securing Account
   4. Securing Data
1. AWS Cloud Security
AWS Shared Responsibility Model
  ➔ Customer is responsible for security in the cloud
  ➔ AWS is responsible for the security of the cloud
AWS Responsibilities
  ➔ Physical Security of Data Centres: Controlled and need-based access.
  ➔ Hardware and Software Infrastructure: Host operating system access,
     logging and auditing
  ➔ Network Infrastructure: Intrusion detection
  ➔ Virtualisation Infrastructure: Instance isolation
Customer Responsibilities
   ➔ Amazon EC2
   ➔ Instance operating system
   ➔ Applications
   ➔ Security group configuration
   ➔ OS-based or host-based firewall
   ➔ Network configuration
   ➔ Account management
Services Characteristics and Security Responsibilities
   a. IaaS: Customers have more flexibility in configuring networking and other
      settings, so they are responsible for managing more aspects of security.
      The customer configures the access controls.
   b. PaaS: Customer doesn’t need to manage the underlying infrastructure. AWS
      handles the OS, database patching, firewall configuration and disaster
      recovery. Customers can focus on managing code or data.
   c. SaaS: Software is centrally hosted and licensed on a subscription or
      pay-as-you-go basis. Services are typically accessed via a web browser,
      mobile app or API. Customers do not need to manage the infrastructure that
      supports the service.
AWS IAM
  ➔ Used for managing access to AWS resources
  ➔ Free of cost
IAM Components
   a. IAM User: A person or application that can authenticate with an AWS
      account.
   b. IAM Group: A collection of IAM Users that are granted identical
      authorisation.
   c. IAM Policy: A document that defines which resources can be accessed and
      the level of access to each resource.
   d. IAM Role: A mechanism for granting a set of permissions for making AWS
      service requests.
NOTE: When you define an IAM user, you select what type of access this user is
permitted to use.
Types of Access
   a. Programmatic Access: Authentication with an access key ID and secret
      access key. It provides AWS CLI and AWS SDK access.
   b. Management Console Access: Authentication with the 12-digit account ID,
      IAM username and password. MFA can also be used here, in which case an
      authentication code is required every time you log in.
IAM MFA
   ➔ It provides increased security.
   ➔ In addition to the username and password, it requires an authentication
     code to access AWS services.
   ➔ Access permitted: IAM users, IAM groups and IAM roles have full access to
     read IAM policies but cannot write IAM policies.
   ➔ Full access to EC2 and read-only access to the S3 bucket.
IAM Authorisation
   ➔ Permissions are assigned by reading an IAM policy. Permissions determine
     which resources and operations are allowed; the best practice for IAM
     authorisation is the principle of least privilege.
NOTE: IAM Policy is a document which defines permissions.
Types of IAM Policies
   a. Identity-based: Attached to an IAM entity. The policy states the actions
      that may or may not be performed by the entity. A single policy can be
      attached to multiple entities, and a single entity can have multiple
      policies attached to it.
   b. Resource-based: Attached to a resource, such as an S3 bucket.
IAM Group
   ➔ It is a collection of IAM users
   ➔ A group is used to grant the same permissions to multiple users
   ➔ A user can belong to multiple groups
   ➔ There is no default group
   ➔ Groups cannot be nested
IAM Roles
   ➔ An IAM role is an IAM identity with specific permissions
   ➔ It is similar to an IAM user in that permission policies are attached to it
   ➔ It differs from an IAM user in that it is not uniquely associated with one
     person
   ➔ Roles provide temporary security credentials
   ➔ Example: an application that runs on an EC2 instance and needs access to an
     S3 bucket
2. Securing a New AWS Account
AWS Root User vs AWS IAM User
Best practice is to always use an AWS IAM user instead of the AWS root user.
   ➔ AWS Root User: its privileges cannot be restricted; it has full access to
      all resources in the account.
   ➔ AWS IAM User: integrates with other AWS services and supports identity
      federation, secure access for applications and granular permissions.
How to Secure New AWS Account
  ➔ Stop using the root user as soon as possible
  ➔ Enable MFA
  ➔ Use AWS CloudTrail
  ➔ Enable billing reports
Best Practises to Secure AWS Account
   ➔ Secure logins with MFA.
   ➔ Delete the account root user's access keys.
   ➔ Create individual IAM users and grant permissions according to the
      principle of least privilege.
   ➔ Use groups to assign permissions to IAM users.
   ➔ Configure a strong password policy.
   ➔ Monitor account activity using AWS CloudTrail.
   ➔ Delegate using roles instead of sharing credentials.
3. Securing Account
    ➔ AWS Organizations enables you to consolidate multiple AWS accounts so that
      you can manage them centrally.
    ➔ Security features of AWS Organizations:
          ➔ Group AWS accounts into organisational units (OUs) and attach
             different access policies to each OU.
          ➔ Integration with and support for IAM.
          ➔ Use service control policies (SCPs) to establish control over the
             AWS services that accounts may use.
          ➔ SCPs offer centralised control over accounts and ensure that each
             account complies with the access control guidelines.
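As an added example, not part of these notes or of any AWS code, the following Python models how an identity-based policy (from the IAM policy types section) and an SCP combine: the SCP is a guardrail that must allow the action, the identity policy must also allow it, and an explicit Deny in either wins. The bucket name, account ID and ARNs are constructed placeholders.

```python
import fnmatch

# Added example (not AWS code): a simplified model of IAM evaluation. A request is
# allowed only if the account's SCP allows it AND the identity-based policy allows it;
# an explicit Deny in either wins and anything unmatched is implicitly denied.

# Identity-based policy from the notes' example (constructed bucket name): full EC2, read-only S3.
IDENTITY_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow", "Action": "ec2:*", "Resource": "*"},
        {"Effect": "Allow", "Action": ["s3:GetObject", "s3:ListBucket"],
         "Resource": ["arn:aws:s3:::example-bucket", "arn:aws:s3:::example-bucket/*"]},
    ],
}

# Service control policy on the OU: a guardrail that blocks IAM user creation in every
# member account, even where an identity-based policy would allow it.
SCP = {
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow", "Action": "*", "Resource": "*"},
        {"Effect": "Deny", "Action": "iam:CreateUser", "Resource": "*"},
    ],
}

def _as_list(value):
    return value if isinstance(value, list) else [value]

def _matches(statement, action, resource):
    """True if the statement's Action and Resource patterns cover this request."""
    # Action names are case-insensitive in IAM; ARNs are matched as written.
    action_ok = any(fnmatch.fnmatchcase(action.lower(), p.lower())
                    for p in _as_list(statement["Action"]))
    resource_ok = any(fnmatch.fnmatchcase(resource, p)
                      for p in _as_list(statement["Resource"]))
    return action_ok and resource_ok

def evaluate(policy, action, resource):
    """Return 'Deny', 'Allow' or 'ImplicitDeny' for a single policy document."""
    effects = {s["Effect"] for s in policy["Statement"] if _matches(s, action, resource)}
    if "Deny" in effects:
        return "Deny"  # an explicit deny always overrides an allow
    return "Allow" if "Allow" in effects else "ImplicitDeny"

def is_allowed(action, resource, identity=IDENTITY_POLICY, scp=SCP):
    """Effective permission: the SCP guardrail and the identity policy must both allow."""
    return (evaluate(scp, action, resource) == "Allow"
            and evaluate(identity, action, resource) == "Allow")
```

The model ignores resource-based policies, permission boundaries and conditions, which the real evaluation also applies.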
AWS KMS Features
  ➔ It enables you to create and manage encryption keys.
  ➔ It enables you to control the use of encryption across AWS services and in
     your application.
  ➔ It integrates with AWS CloudTrail to log all key usage.
AMAZON COGNITO
  ➔ Adds user sign-up, sign-in and access control to your web and mobile
    applications.
  ➔ It scales to millions of users.
  ➔ It supports sign-in through social identity providers and through SAML 2.0
    (Security Assertion Markup Language) identity providers.
AWS Shield
  ➔ It is a managed DDoS protection service.
  ➔ It safeguards applications running on AWS.
  ➔ Provides always-on detection.
  ➔ No additional cost: AWS Shield Standard.
  ➔ Paid: AWS Shield Advanced.
  ➔ It is used to minimise application downtime and latency.
4. Securing Data
   ➔ AWS supports encryption for data at rest (data stored physically).
   ➔ You can encrypt data stored in any service that is supported by AWS KMS,
     which includes S3, EBS, EFS and RDS.
Encryption of data in transit
   ➔ Transport Layer Security (TLS) is an open standard protocol.
   ➔ AWS Certificate Manager provides a way to manage, deploy and renew TLS
      certificates.
   ➔ AWS services support encryption of data in transit.
Securing S3 objects and buckets
   ➔ Newly created S3 buckets and objects are private and protected by default.
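An added example (not from these notes) of a resource-based policy that enforces the data-in-transit and data-at-rest points above: an S3 bucket policy denying non-TLS requests and uploads that do not request SSE-KMS, with a small checker for its two Deny conditions. The bucket name and request contexts are constructed.

```python
import fnmatch

# Added example (not from the notes): an S3 bucket policy, a resource-based policy, that
# denies any request made without TLS and any upload that does not request SSE-KMS,
# plus a checker that evaluates those Deny conditions for a constructed request.
# "example-bucket" is a placeholder name.
BUCKET_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Sid": "DenyInsecureTransport", "Effect": "Deny", "Principal": "*",
         "Action": "s3:*",
         "Resource": ["arn:aws:s3:::example-bucket", "arn:aws:s3:::example-bucket/*"],
         "Condition": {"Bool": {"aws:SecureTransport": "false"}}},
        {"Sid": "DenyUnencryptedUploads", "Effect": "Deny", "Principal": "*",
         "Action": "s3:PutObject",
         "Resource": "arn:aws:s3:::example-bucket/*",
         "Condition": {"StringNotEquals": {"s3:x-amz-server-side-encryption": "aws:kms"}}},
    ],
}

def _condition_holds(condition, context):
    """Evaluate the two operators used above against the request context."""
    for operator, pairs in condition.items():
        for key, expected in pairs.items():
            actual = context.get(key)
            if operator == "Bool":
                if actual is None or str(actual).lower() != expected.lower():
                    return False
            elif operator == "StringNotEquals":
                # A missing key counts as "not equal", so an upload that sends no
                # encryption header is still denied.
                if actual is not None and actual == expected:
                    return False
            else:
                raise ValueError(f"unsupported operator {operator}")
    return True

def denied_by(action, resource, context, policy=BUCKET_POLICY):
    """Return the Sids of Deny statements that match this request (empty = not denied)."""
    hits = []
    for s in policy["Statement"]:
        actions = s["Action"] if isinstance(s["Action"], list) else [s["Action"]]
        resources = s["Resource"] if isinstance(s["Resource"], list) else [s["Resource"]]
        if (s["Effect"] == "Deny"
                and any(fnmatch.fnmatchcase(action, a) for a in actions)
                and any(fnmatch.fnmatchcase(resource, r) for r in resources)
                and _condition_holds(s.get("Condition", {}), context)):
            hits.append(s["Sid"])
    return hits
```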
Working to ensure compliance
  ➔ AWS engages with certifying bodies and independent auditors to provide
     customers with detailed information about the policies, processes, and
     controls that are established and operated by AWS.
  ➔ Certifications and attestation
  ➔ Laws, regulation and privacy
  ➔ Alignment and frameworks
AWS Config
  ➔ Assess, Audit and Evaluate the configuration of AWS resources.
  ➔ It reviews configuration changes.
  ➔ It simplifies compliance auditing and security analysis.
AWS Artifact
  ➔ It is a resource for compliance-related information.
  ➔ It provides access to security and compliance reports and to select online
     agreements.
  ➔ You can access it directly from the AWS Management Console.