AWS cloud practitioner notes - Security
The content here is under the Attribution 4.0 International (CC BY 4.0) license
The AWS security model is shared meaning, AWS is responsible for the security of the cloud, and you, the customer are responsible for the security in the cloud. AWS controls the servers, data centers and all the layers in this section.
Module 6 - Shared responsibility model
Customer Responsibilities
Customers are responsible for everything they put in AWS.
____________________________________________________________________________________________
|C|__________________________________ CUSTOMER DATA _______________________________________|
|U|________________________________________________________________________________________|
|S|_________________ PLATFORM, APPLICATIONS, IDENTITY AND ACCESS MANAGEMENT________________|
|T|________________________________________________________________________________________|
|O|_________________ OPERATING SYSTEMS, NETWORK AND FIREWALL CONFIGURATION ________________|
|M|________________________________________________________________________________________|
|E|________________________________________________________________________________________|
|R|_ CLIENT-SIDEDATA ENCRYPTION | SERVER SIDE ENCRYPTION | NETWORKING TRAFFIC PROTECTION __|
AWS responsibilities
AWS is responsible for the security of the cloud.
____________________________________________________________________________________________
|A|_____________________________________ SOFTWARE _________________________________________|
| |_____ COMPUTE ______|______ STORAGE ______|_____ DATABASE _____|_____ NETWORKING _______|
|W|________________________________________________________________________________________|
| |_________________________ HARDWARE/AWS GLOBAL INFRASTRUCTURE ___________________________|
|S|______ REGIONS _____|____________ AVAILABILITY ZONES __________|__ EDGE LOCATIONS ______|
Module 6 - User permissions and access
AWS Identity and Access Management allows you to manage access to AWS services and resources.
- The root account is the owner of the AWS account, this is the default permission for an AWS-created account. The root user account controls any resources. As such, the recommended security approach is to turn on MF2, for this account.
- Users created by IAM, have no permissions by default. (Principle of least privilege)
As a best practice approach, avoid using the user root for everyday tasks. Instead, create a user and assign it the needed permissions.
IAM policy is a JSON document that describes which API calls a user can or can’t do. This is a policy example:
{
"version": "2012-10-17",
"Statement": {
"Effect": "Allow",
"Action": "s3:ListBucket",
"Resource": "arn:aws:s3:::my_resource"
}
}
The following table describes the possible values for each field in the IAM policy JSON:
| Option | Value |
|---|---|
| Effect | Allow / Deny |
| Action | Any API call |
| Resource | Which AWS resource the API call is for |
IAM groups are groups of users, you can attach policies to a group and all users in that group will have the permissions listed there. IAM roles have associated permissions that allow or deny actions in AWS, and these roles can be assumed for a temporary amount of time.
Module 6 - Organizations
AWS Organizations are used to consolidate and manage multiple AWS accounts, in a centralized manner. This approach avoids the problem of managing multiple AWS accounts.
Module 6 - Compliance
Compliance checks if a given regulation is being followed, countries might have different compliances. For example:
- Europian Union - GDPR
- Health care in the USA - HIPAA
Aws has already built data centers, infrastructure and networking following industries’ best practices for security, and you as a customer inherit those practices as well. Enabling data protection is a configuration setting on the resource. AWS offers whitepapers are documents you can download and use for compliance reports.
- AWS Artifact - compliance reports done by third parties [1]
- AWS Compliance - compliance information in all one place [2]
Module 6 - Denial-of-service attacks
DDoS attack objective is to put down a given service such that it can no longer respond to requests from clients.
- HTTP level attacks - too expensive to overwhelm AWS, not impossible though
- UDP flood - security group
- SLOWLORIS attack - Elastic load balancer
AWS WAF uses a web application firewall to filter traffic from bad actors.
AWS Shield standard
Automatically protects all AWS customers at no cost. It protects from the most common and frequent types of DDoS attacks.
AWS Shield Advanced
It is a paid service that provides detailed attack diagnostics.
Module 6 - Additional security resources
- Encryption at rest (when the data is idle). Server-side encryption at rest is enabled in all DynamoDB data
- Encryption in transit. SSL to data in transit encrypts data. (SQS, S3, RDS).
Amazon Inspector
runs an automated security assessment infrastructure, and checks deviations against best practices.
Amazon GuardDuty
It analyses streams of data from a network, VPC logs and DNS logs. Runs independently from AWS services.
References
- [1]AWS, “AWS Artifact,” 2021 [Online]. Available at: https://aws.amazon.com/artifact. [Accessed: 07-Jan-2021]
- [2]AWS, “AWS Customer Compliance Center,” 2021 [Online]. Available at: https://aws.amazon.com/compliance/customer-center. [Accessed: 07-Jan-2021]
Table of contents
Got a question?
If you have question or feedback, don't think twice and click here to leave a comment. Just want to support me? Buy me a coffee!