In this post, I’ll go over how security works in the AWS ecosystem, the shared responsibility model, resources for security support and the different cloud security concepts.
This post is part of a series of posts I’m doing as I prepare to take the AWS Certified Cloud Practitioner Certification. The goal is to learn the concepts in public, create notes for myself in the process and hopefully help someone else at the same time.
Let’s begin. In today’s post I’ll cover the following:
- Shared Responsibility Model
- Account Security
- Application Credentials
- Security within your environment
2) data security and privacy
- Securing public facing apps from DDoS and web exploits.
Shared Responsibility Model
Security at AWS is a primary concern and their data centers and network are architected to protect your information and applications. Security is however, a shared responsibility between the customer and AWS. AWS has a responsibility to protect their core infrastructure and their customers have the responsibility of securing and protecting their applications and data. AWS puts it this way, they are responsible for the security of the AWS Cloud and the customers are responsible for everything they put in the AWS cloud. The image below is a table that summarises this well:
AWS infrastructure is made up of the hardware, software, networking and physical facilities that run AWS Cloud services. AWS is responsible for securing their data centers, controlling access to them and protecting their infrastructure from the environment and elements.
What Customer data is depends on what applications and services the customer chooses to host on the AWS Cloud. The customer is responsible for configuring security and policies around access to their services and information. For example, if a customer has an EC2 instance running, they are responsible for keeping the instance Operating System and installed utilities up to date and configuring a firewall to restrict who can talk to the EC2 instance.
AWS is held to very high standards because they handle sensitive customer data. To gain the trust of customers, they publish compliance reports and online agreements and certifications from compliance and accreditation bodies such as Payment Card Industry (PCI), Service Organization Control (SOC) and the International Organization for Standardization (ISO) This information is available in AWS Artifact.
To protect the security of your account, AWS uses a service called the AWS Identity and Access Management Service (IAM). IAM enables you to securely manage access to AWS services and resources. Using this service, you can create users, groups and permissions to limit what users and groups have access to.
User accounts have support for multi factor authentication. Multi factor authentication is a way of proving who you are to a web service using one or more of the following:
- something you have — something like a physical key or device e.g Yubikey
- something you know — a password, passphrase etc
- something you are — biometric information e.g fingerprint
security for a single user account
The recommended way to create a user in IAM is a three step process:
- Create a Policy or set of permissions
- Create an IAM Group and apply the Policy to the Group
- Create a user and add it to the Group
The IAM Policy is saved in JSON format.
multiple user account security
In an organisation with multiple teams accessing a similar set of resources, managing permissions can become difficult. AWS offers a service known as the Service Control Policy(SCP). SCP offers a central control over the permissions for all accounts in your organisation to ensure that all accounts stay within the required access control guidelines. SCP can be applied to individual accounts and it trumps user policies.
Using organisation features also allows you to roll billing from the different teams into a single payer organisation.
AWS Single Sign-On (SSO)
This is a service that allows you to sign in once to all the accounts your organisation has given you access to. SSO also allows admins to manage the SSO access and user permissions for all accounts in the organisation.
In addition to users, groups and policies, AWS has IAM Roles. Roles are temporary credentials or permissions that can be bestowed on a user or an application that assumes a certain role. Roles are not tied to a single person but can be applied to as many people as needed. Roles have policies attached to them but do NOT have any groups attached. It is possible to add, change and remove roles from the console.
AWS offers a service called CloudTrail that enables monitoring and auditing of activity within an organisation. It keeps track of individual user actions including actions taken in the console, CLI and SDKs.
Security within your environment
The following diagram shows AWS services that protect your application environment.
Inspector is an assessment tool that ensures that your EC2 instance has been configured according to best practices. Inspector looks inside the EC2 for exposure, vulnerabilities and deviations from best practices. For example, AWS Inspector can check for vulnerable software versions being installed, remote root login activation and incoming connections from the Internet.
Guard Duty is a threat detection service that looks at what your EC2 instance is doing and checks it if it is communicating with malicious servers/sites. It works with S3 as well to monitor malicious and unauthorised behavior around your data. Guard Duty does this by analysing your server logs to detect and identify potential threats.
Security Groups in AWS are a stateful virtual firewall that control inbound and outbound traffic to your EC2 instance. Operates at the instance level.
A Network Access Control List is a layer of security for your Virtual Private Cloud(VPC) that acts as a firewall to control traffic coming in or out of a subnet. This Firewall is stateless. Operates at the subnet level.
As organisations grow, so does their data. Managing and securing growing volumes of data at scale is time consuming and difficult. Macie gives you a security and privacy overview of data stored in S3 buckets. Using Macie, you can identify buckets with personally identifiable information, no encryption, public access and other vulnerabilities all in one place.
The AWS Security Hub allows you to view a holistic view of your security standing from the different security applications such as Inspector, Guard Duty and Macie.
Securing Public Facing Applications
The items below are AWS technologies that protect your web application or APIs from threats that come from the Internet.
Web Application Firewall(WAF)
This is a firewall that operates at the Elastic Load Balancer layer as well as in edge locations and regions. The firewall protects against common we threats and exploits such as SQL injection and cross site scripting.
The AWS Shield is a service that protects your web application from Distributed Denial of Service(DDoS) attacks. Shield works at the Load Balancer and edge location layers. It protects from all known denial of service attacks.
This post is an overview of services offered by AWS to protect your privacy as well as security. In the post, I discussed the Shared Responsibility Model which shows that the responsibility of securing infrastructure, applications and data is shared between you the AWS customer and AWS itself.
I covered what services you can use to enforce account application and environment security. The last section of this post went over services such as the Web Application Firewall and AWS Shield that are used to protect web applications from common threats and DDoS attacks. In the next post, I’ll cover Well-Architected Framework, a framework for building high performing , resilient and efficient infrastructure.