AWS Cloud Security
AWS shared responsibility model
AWS Identity and Access Management (IAM)
AWS Management Console, the AWS CLI, or the AWS software development kits (SDKs),
Securing a new AWS account
Securing accounts
Securing data on AWS
Working to ensure compliance
Hands-on lab that provides you with practice configuring IAM by using the AWS Management Console
AWS operates, manages, and controls the components from the software virtualization layer down to the physical security of the facilities where AWS services operate.
AWS is responsible for protecting the infrastructure that runs the AWS Cloud services, which is composed of the hardware, software, networking, and facilities.
The customer is responsible for the encryption of data at rest and data in transit.
The customer should also ensure that the network is configured for security and that security credentials and logins are managed safely.
The customer is responsible for the configuration of security groups and for the configuration of the operating systems that run on the compute instances they launch.
AWS is responsible for protecting the global infrastructure: AWS Regions, Availability Zones, and edge locations.
AWS is responsible for the physical infrastructure
Physical security of data centers
Hardware infrastructure, such as servers and storage devices.
Software infrastructure, which hosts operating systems, service applications, and virtualization software.
Network infrastructure, such as routers, switches, load balancers, firewalls, and cabling.
AWS also continuously monitors the network at external boundaries, secures access points, and provides redundant infrastructure with intrusion detection.
Customers are responsible for the security of everything they put in the cloud.
This includes selecting and securing any instance operating systems, securing the applications that are launched on AWS resources, security group configurations, firewall configurations, network configurations, and secure account management.
It also includes managing critical content security requirements:
What content they choose to store on AWS
Which AWS services are used with the content
In what country that content is stored
The format and structure of that content and whether it is masked, anonymized, or encrypted
Who has access to that content and how those access rights are granted, managed, and revoked
Infrastructure as a service (IaaS) refers to services that provide basic building blocks for cloud IT, typically including access to configure networking, computers (virtual or on dedicated hardware), and data storage space
Platform as a service (PaaS) refers to services that remove the need for the customer to manage the underlying infrastructure. Customers don’t need to worry about resource procurement, capacity planning, software maintenance, or patching
Software as a service (SaaS) refers to services that provide centrally hosted software that is typically accessible via a web browser, mobile app, or application programming interface (API). Examples include AWS Trusted Advisor, AWS Shield, and Amazon Chime.
IAM allows you to control access to compute, storage, database, and application services in the AWS Cloud.
IAM can be used to handle authentication.
IAM lets you specify exactly which API calls the user is authorized to make to each service.
IAM lets you manage which resources can be accessed by whom, and how those resources can be accessed.
IAM components:
An IAM user is a person or application that is defined in an AWS account, and that must make API calls to AWS products
An IAM group is a collection of IAM users
An IAM policy is a document that defines permissions to determine what users can do in the AWS account
An IAM role is a tool for granting temporary access to specific AWS resources in an AWS account.
For increased security, we recommend enabling MFA.
Options for generating the MFA authentication token include virtual MFA-compliant applications (such as Google Authenticator or Authy 2-Factor Authentication), U2F security key devices, and hardware MFA devices.
Authorization is the process of determining what permissions a user, service, or application should be granted.
A policy is a document in JavaScript Object Notation (JSON) format.
A policy lists permissions that allow or deny access to resources in the AWS account
All actions in the account are denied to the user by default
Any actions that you explicitly deny are always denied.
The principle of least privilege: you grant only the minimum privileges that the user needs.
Identity-based policies are permissions policies that you can attach to a principal (or identity) such as an IAM user, role, or group
Resource-based policies are JSON policy documents that you attach to a resource.
Managed policies: standalone identity-based policies that you can attach to multiple users, groups, and roles in your AWS account.
Inline policies: policies that you create and manage, and that are embedded directly into a single user, group, or role.
A group can contain many users, and a user can belong to multiple groups.
IAM groups offer a convenient way to specify permissions for a collection of users.
An IAM role is an IAM identity you can create in your account that has specific permissions.
Instead of being uniquely associated with one person, a role is intended to be assumable by anyone who needs it.
When you assume a role, it provides you with temporary security credentials for your role session.
For example, you might want to grant users in your AWS account access to resources they don't usually have, or grant users in one AWS account access to resources in another account
AWS account root users have (and retain) full access to all resources in the account. Therefore, AWS strongly recommends that you do not use account root user credentials for day-to-day interactions with the account
Instead, AWS recommends that you use IAM to create additional users and assign permissions to these users, following the principle of least privilege
You should avoid sharing the same credentials with multiple users.
Require multi-factor authentication (MFA) for the account root user login and for all other IAM user logins.
MFA options include virtual MFA-compliant applications (such as Google Authenticator and Authy Authenticator), U2F security key devices, and hardware MFA devices that provide a key fob or display card.
AWS CloudTrail is a service that logs all API requests to resources in your account.
Enable billing reports, such as the AWS Cost and Usage Report.
Use groups to assign permissions to IAM users.
Configure a strong password policy.
Delegate using roles instead of sharing credentials.
AWS Organizations is an account management service that enables you to consolidate multiple AWS accounts into an organization that you create and centrally manage.
You can group accounts into organizational units (OUs) and attach different access policies to each OU.
AWS Organizations integrates with and supports IAM.
The resulting permissions are the logical intersection of what is allowed by the AWS Organizations policy settings and what permissions are explicitly granted by IAM in the account for that user or role.
AWS Organizations provides service control policies (SCPs) that enable you to specify the maximum permissions that member accounts in the organization can have.
In SCPs, you can restrict which AWS services, resources, and individual actions the users and roles in each member account can access.
These restrictions apply even to the administrators of member accounts.
An SCP never grants permissions; it only limits the permissions that IAM policies in the member account can grant.
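The evaluation rules above (everything denied by default, an explicit deny always wins, and the effective permissions being the intersection of what the SCP allows and what IAM allows) can be modelled in a few lines. The following is an added example, not code from the original notes or from AWS; the two policies are constructed samples, and action matching is simplified (real IAM matches action names case-insensitively and also evaluates conditions, permissions boundaries, and resource-based policies).

```python
import fnmatch
import json

# Constructed sample policies (hypothetical, not from any real account).
# Identity-based IAM policy: read one bucket, full EC2, and an explicit
# deny on deleting objects anywhere.
IAM_POLICY = json.loads("""{
  "Version": "2012-10-17",
  "Statement": [
    {"Effect": "Allow", "Action": ["s3:GetObject", "s3:ListBucket"],
     "Resource": ["arn:aws:s3:::example-bucket", "arn:aws:s3:::example-bucket/*"]},
    {"Effect": "Allow", "Action": "ec2:*", "Resource": "*"},
    {"Effect": "Deny", "Action": "s3:DeleteObject", "Resource": "*"}
  ]
}""")

# Service control policy from AWS Organizations: S3 is the most that can be
# allowed; EC2 is blocked for every identity in the member account, admins included.
SCP = json.loads("""{
  "Version": "2012-10-17",
  "Statement": [
    {"Effect": "Allow", "Action": "s3:*", "Resource": "*"},
    {"Effect": "Deny", "Action": "ec2:*", "Resource": "*"}
  ]
}""")


def _matches(patterns, value):
    # IAM wildcards: "*" matches any run of characters, "?" a single one (case-sensitive here, a simplification).
    patterns = patterns if isinstance(patterns, list) else [patterns]
    return any(fnmatch.fnmatchcase(value, p) for p in patterns)


def evaluate(policy, action, resource):
    """Decision of one policy: 'Deny', 'Allow', or None when no statement matches."""
    decision = None
    for stmt in policy["Statement"]:
        if _matches(stmt["Action"], action) and _matches(stmt["Resource"], resource):
            if stmt["Effect"] == "Deny":
                return "Deny"  # an explicit deny is final, whatever else matches
            decision = "Allow"
    return decision


def is_allowed(action, resource, iam_policy=IAM_POLICY, scp=SCP):
    """Effective permission: the SCP must allow it AND the IAM policy must
    allow it; an explicit deny in either wins; no match means implicit deny."""
    results = (evaluate(scp, action, resource), evaluate(iam_policy, action, resource))
    return "Deny" not in results and all(r == "Allow" for r in results)
```

Note that `ec2:RunInstances` is refused even though the IAM policy grants `ec2:*`, and `s3:PutObject` is refused even though the SCP allows `s3:*`: each side can only narrow what the other permits.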
AWS Key Management Service (AWS KMS)
AWS KMS is a service that enables you to create and manage encryption keys, and to control the use of encryption across a wide range of AWS services and your applications.
AWS KMS also integrates with AWS CloudTrail to provide you with logs of all key usage
Customer master keys (CMKs) are used to control access to data encryption keys that encrypt and decrypt your data
Amazon Cognito
Amazon Cognito provides solutions to control access to AWS resources from your application.
Amazon Cognito adds sign-up, sign-in, and access control to your web and mobile applications.
Amazon Cognito uses common identity management standards, such as Security Assertion Markup Language (SAML) 2.0. SAML is an open standard for exchanging identity and security information with applications and service providers.
AWS Shield
AWS Shield is a managed distributed denial of service (DDoS) protection service that safeguards applications that run on AWS.
It provides always-on detection and automatic inline mitigations that minimize application downtime and latency.
AWS Shield helps protect your website from all types of DDoS attacks, including infrastructure-layer attacks, state-exhaustion attacks, and application-layer attacks.
Data encryption
Data at rest refers to data that is physically stored on disk or on tape. It can be encrypted using the open standard Advanced Encryption Standard (AES)-256 encryption algorithm.
With AWS KMS, encryption and decryption are handled automatically and transparently.
You can encrypt data stored in any service that is supported by AWS KMS.
Data in transit refers to data that is moving across the network. Encryption of data in transit is accomplished by using Transport Layer Security (TLS) 1.2 with an open standard AES-256 cipher.
AWS Certificate Manager is a service that enables you to provision, manage, and deploy SSL or TLS certificates for use with AWS services and your internal connected resources.
With AWS Certificate Manager, you can request a certificate and then deploy it on AWS resources
HTTPS traffic is protected against eavesdropping and man-in-the-middle attacks because of the bidirectional encryption of the communication.
Securing Amazon S3 buckets
By default, all Amazon S3 buckets are private and can be accessed only by users who are explicitly granted access
Using Amazon S3 Block Public Access. These settings override any other policies or object permissions.
Enable Block Public Access for all buckets that you don't want to be publicly accessible.
Writing IAM policies
Writing bucket policies
Setting access control lists (ACLs)
AWS Trusted Advisor provides a bucket permission check feature
A full listing of AWS compliance programs is available.
AWS also provides security features and legal agreements that are designed to help support customers with common regulations and laws.
The European Union (EU) General Data Protection Regulation (GDPR) protects European Union data subjects' fundamental right to privacy and the protection of personal data.
AWS Config is a service that enables you to assess, audit, and evaluate the configurations of your AWS resources.
AWS Config continuously monitors and records your AWS resource configurations, and it enables you to automate the evaluation of recorded configurations against desired configurations.
This lets you determine your overall compliance against the configurations that are specified in your internal guidelines.
This enables you to simplify compliance auditing, security analysis, change management, and operational troubleshooting.
Resources that are found to be noncompliant are flagged.
AWS Config is a Regional service. To track resources across Regions, enable it in every Region that you use.
AWS Artifact provides on-demand downloads of AWS security and compliance documents
AWS Artifact provides documents about AWS only
You can also use AWS Artifact to review, accept, and track the status of AWS agreements
You can accept agreements with AWS and designate AWS accounts that can legally process restricted information. You can accept an agreement on behalf of multiple accounts.