Security
Account Security
Passwords
- for the AWS account, individual IAM accounts, AWS Discussion Forums, AWS Support Center
- up to 128 characters
- configurable password policy rules to enforce strong passwords
Access Keys
- Used to access AWS APIs via SDK, CLI, REST / Query APIs
- delivered in pairs: access key ID and secret access key
Key Pairs
- used for SSH access to EC2 instances
- EC2 instance has a public key embedded
Compute Services
EC2
Hypervisor
- highly customized version of Xen hypervisor
- host OS executes in ring 0 privilege mode
- guest OS runs in ring 1
Instance isolation
- firewall within the virtualisation layer, between the physical network interface and the instances' interfaces
- physical RAM isolation
- disk virtualisation resets every block before it is exposed to another customer
- memory scrubbed before returned to memory pool
Host Operating System
- all access by AWS admins is logged and audited, MFA required
Guest Operating System
- fully controlled by the AWS user
- for Windows instances, RDP allowed with an RDP certificate generated from the instance
API access
- with an AWS secret access key, either the account's own or that of a user created via IAM
EBS security
- data exposed to other accounts only via snapshots
- data removed from EBS is not removed from snapshots
- instances wiped before being assigned to a customer
Firewall
- deny-all by default; ports must be explicitly opened
ELB
- encryption / decryption offloaded from EC2 instances and managed in a centralised location
- supports TLS
- uses a long-term secret key to generate a short-term secret key for each browser session
- configurable stronger encryption during client-server negotiation via Server Order Preference
- configurable usage of Perfect Forward Secrecy, with ephemeral session keys
VPC
- MAC & ARP spoofing blocked on the subnet level
Databases
DynamoDB
- access permissions via IAM
- including DB-level permissions for rows or columns (fine-grained access control)
- requests must be secured with HMAC-SHA-256 signature
- endpoints secured with SSL
RDS
- native DB accounts
- DB security groups
- can be run within a VPC in a private subnet
- SSL certificates: each DB engine provides its native way of configuring them
- automatic software patching in defined maintenance window
RedShift
- firewall rules & security groups for access control
- IAM & db level configuration for users
- data encryption with AES-256
- audit log
- automatic software patching
4-tier encryption
- data encryption keys: for data blocks
- db key: for encryption keys in cluster
- cluster key
- master key
ElastiCache
- access via Cache Security Groups
Storage
S3
- access restricted to bucket / object owner (the AWS account owner, not the creator!)
- access restricted via IAM policies, ACLs, Bucket Policies, Query String Authentication
- restriction allowed for time, SSL only, requestor's IP address, client application
- Amazon SSE available for at-rest encryption (metadata is not encrypted)
- S3 bucket can be configured as a store for access logs
- CORS can be enabled to share resources with external sites
Glacier
- uses AES-256 for security
- self-healing, data fixed based on healthy replica
Analytics services
Elastic MapReduce
- two EC2 security groups created: for master node (ssh) and for worker nodes (communication with master node)
- upon launching, the user can define a cluster SSH key to connect later
- by default, all EMR resources are hidden from other users
- can be executed inside the VPC
- source S3 data can be encrypted; this requires the first step in the flow to be decryption
Application services
SQS / SNS
- access via IAM policies or an SQS-generated policy