AWS Shared Responsibility Model
Security and compliance are shared between AWS and customer; AWS responsible for security 'of' the cloud, customer responsible for security 'in' the cloud.
AWS Responsibility (Security OF the Cloud)
Physical security of data centers; hardware and software infrastructure; storage decommissioning; network infrastructure; intrusion detection; virtualization infrastructure; instance isolation.
Physical Security (AWS)
Controlled need-based access; 24/7 security guards; two-factor authentication; access logging and review; video surveillance; disk degaussing and destruction.
Customer Responsibility (Security IN the Cloud)
EC2 instance OS (patching, maintenance); applications; passwords and role-based access; security group configuration; OS/host-based firewalls; network configurations; account management.
Customer Data Control
Customer maintains complete control over content; responsible for what content to store; which services to use; which country to store in; format/structure of content; who has access and how access is granted/revoked.
IaaS (Infrastructure as a Service)
Provides basic building blocks for cloud IT; customer has flexibility over networking and storage; customer manages more security aspects; examples: Amazon EC2, Amazon EBS, Amazon VPC.
PaaS (Platform as a Service)
Customer doesn't manage underlying infrastructure; AWS handles OS, database patching, firewall configuration, disaster recovery; customer focuses on managing code/data; examples: Amazon RDS, AWS Elastic Beanstalk, AWS Lambda.
SaaS (Software as a Service)
Centrally hosted software; subscription or pay-as-you-go model; accessed via web browser, mobile app, or API; customer doesn't manage infrastructure; examples: AWS Trusted Advisor, AWS Shield, Amazon Chime.
AWS Identity and Access Management (IAM)
Manages access to AWS resources securely; controls authentication and authorization; centrally manages access to launching, configuring, managing, and terminating resources; no additional cost.
IAM User
Person or application that can authenticate with an AWS account; must have unique name with no spaces; has security credentials not shared with others; defined in one AWS account only.
IAM Group
Collection of IAM users granted identical authorization; simplifies managing permissions for multiple users; user can belong to multiple groups; groups cannot be nested.
IAM Policy
JSON document defining permissions; determines which resources can be accessed and level of access; can be attached to users, groups, roles, or resources.
IAM Role
IAM identity with specific permissions; not uniquely associated with one person; assumable by person, application, or service; provides temporary security credentials.
Programmatic Access
Requires access key ID and secret access key; provides AWS CLI and AWS SDK access; used for making AWS API calls.
AWS Management Console Access
Requires 12-digit Account ID or alias, IAM user name, and IAM password; if MFA enabled, requires authentication code.
Multi-Factor Authentication (MFA)
Provides increased security; requires unique authentication code in addition to username and password; options include virtual MFA apps, U2F security keys, hardware MFA devices.
MFA Token Options
Virtual MFA apps (Google Authenticator, Authy); U2F security key devices (YubiKey); Hardware MFA devices (key fob or display card from Gemalto).
Authorization Process
Determines what permissions user/service/application should be granted after authentication; by default, IAM users have no permissions.
Implicit Deny
All permissions denied by default unless explicitly allowed.
Explicit Deny Rule
If something is explicitly denied, it is never allowed; takes precedence over allow statements.
Principle of Least Privilege
Grant only the minimal privileges each user actually needs; start with minimum permissions and add more as necessary; best practice for creating IAM policies.
IAM Scope
Global service; settings apply across all AWS Regions, not defined at Region level.
Identity-Based Policies
Attached to IAM user, group, or role.
Resource-Based Policies
Attached to resource (like S3 bucket); specify who can access resource and what actions they can perform; defined inline only, not managed.
Managed Policies
Standalone identity-based policies attachable to multiple users, groups, and roles.
Inline Policies
Policies created, managed, and embedded directly in a single user, group, or role; not reusable across identities.
IAM Policy Components
Effect (Allow/Deny), Action (what can be done), Resource (which resources), NotResource (excluded resources).
IAM Permission Evaluation Flow
First checks for explicit deny; if no deny, checks for explicit allow; if neither exists, defaults to implicit deny.
IAM Policy Simulator
Useful tool for testing and troubleshooting IAM policies; helps determine if access will be granted.
IAM Group Characteristics
Can contain many users; user can belong to multiple groups; cannot be nested; no default group exists; must manually add users to groups.
IAM Role Use Cases
Used by IAM user in same account; used by AWS service (like EC2); used by IAM user in different account; grants access without sharing credentials.
IAM Role Benefits
Delegate access without long-term credentials; no password or access keys; provides temporary security credentials; useful for mobile apps and third-party audits.
AWS Account Root User
Single sign-in identity with complete access to all services and resources; accessed with email and password used to create account; has and retains full access to all resources.
Root User Best Practice
Do NOT use for day-to-day interactions; stop using as soon as possible; only use when necessary for specific tasks.
Tasks Requiring Root User
Update root user password; change AWS Support plan; restore IAM user's permissions; change account settings (contact info, allowed Regions).
Six Steps to Stop Using Root User
1) Create IAM user for yourself while logged in as root, 2) Create IAM group with full admin permissions and add IAM user, 3) Disable/remove root access keys, 4) Enable password policy, 5) Sign in with new IAM user, 6) Store root credentials securely.
MFA Requirement
Required for account root user and all IAM users; should also use MFA to control access to AWS service APIs.
AWS CloudTrail
Tracks user activity on account; logs all API requests to resources in all supported services; basic event history enabled by default and free.
CloudTrail Event History
Contains all management event data for latest 90 days of account activity; can view, filter, and search events.
Creating a CloudTrail Trail
Enables log retention beyond 90 days; enables alerting for specified events; creates new Amazon S3 bucket for log storage; should configure access restrictions on S3 bucket.
AWS Billing Reports
Provide information about AWS resource use and estimated costs; delivered to S3 bucket; updated at least once per day.
AWS Cost and Usage Report
Tracks AWS usage and provides estimated charges by hour or day; most comprehensive cost and usage data.
IAM Security Status Dashboard
Shows five security checks: Delete root access keys, Activate MFA on root, Create individual IAM users, Use groups to assign permissions, Apply IAM password policy.
IAM Password Policy
Set of rules defining password requirements for IAM users; can require minimum length, character types, expiration, password reuse prevention.
IAM User Sign-In Link
Custom URL for IAM users to sign in; displays account number by default; can customize to use account alias instead of number.
Best Practices for AWS Account Security
Secure logins with MFA; delete root access keys; create individual IAM users; use groups for permissions; configure strong password policy; delegate using roles; monitor with CloudTrail.
AWS Organizations
Account management service to consolidate multiple AWS accounts; centrally manage accounts; group accounts into organizational units (OUs); attach different access policies to each.
AWS Organizations Security Features
Group accounts into OUs; integration with IAM; service control policies to establish control over services and API actions each account can access.
AWS Organizations Permission Model
Permissions are intersection of what AWS Organizations allows AND what IAM grants in that account.
Service Control Policies (SCPs)
Offer centralized control over accounts; limit the permissions available in accounts that are part of the organization; ensure accounts comply with access control guidelines; never grant permissions, only restrict them.
SCP Characteristics
Use JSON format similar to IAM policies; specify maximum permissions for organization; act as safeguard for actions accounts can do; not substitute for IAM configurations.
SCP Availability
Only available in organization with all features enabled (including consolidated billing); not available if only consolidated billing enabled.
AWS KMS (Key Management Service)
Creates and manages encryption keys; controls use of encryption across AWS services and applications; integrates with CloudTrail to log all key usage.
AWS KMS Features
Uses hardware security modules (HSMs) validated under FIPS 140-2; customer master keys (CMKs) control access to data encryption keys; can import keys from own infrastructure.
Customer Master Keys (CMKs)
Control access to data encryption keys that encrypt and decrypt data; can create new keys anytime; manage who has access and can use keys.
Amazon Cognito
Adds user sign-up, sign-in, and access control to web and mobile apps; scales to millions of users; supports social and enterprise identity providers.
Amazon Cognito Features
Define roles and map users to different roles; uses SAML 2.0; enables single sign-on (SSO); meets HIPAA, PCI DSS, SOC, ISO standards.
SAML 2.0
Security Assertion Markup Language; open standard for exchanging identity and security information; enables SSO using corporate directory credentials.
AWS Shield
Managed DDoS protection service; safeguards applications running on AWS; provides always-on detection and automatic inline mitigations.
AWS Shield Standard
Automatically enabled for all AWS customers at no additional cost.
AWS Shield Advanced
Optional paid service; additional protections against sophisticated and larger attacks; available for EC2, ELB, CloudFront, Global Accelerator, Route 53; requires Business or Enterprise Support to contact DDoS Response Team.
DDoS Attack Types Shield Protects Against
Infrastructure layer attacks (UDP floods); state exhaustion attacks (TCP SYN floods); application-layer attacks (HTTP GET/POST floods).
Data Encryption
Encodes data with secret key making it unreadable; only those with secret key can decode data; essential tool for protecting digital data.
Data at Rest
Data stored physically on disk or on tape.
Encryption of Data at Rest
AWS supports encryption using AES-256 encryption algorithm; AWS KMS manages secret keys; can encrypt data in S3, EBS, EFS, RDS; encryption/decryption handled automatically.
Data in Transit
Data moving across a network.
Encryption of Data in Transit
Uses Transport Layer Security (TLS) 1.2 with AES-256 cipher; TLS formerly called SSL; creates secure tunnel for bidirectional data exchange.
AWS Certificate Manager
Provisions, manages, and deploys SSL/TLS certificates; handles certificate renewals; used with AWS services and internal resources.
HTTPS (Secure HTTP)
HTTP traffic encrypted using TLS or SSL; protected against eavesdropping and man-in-the-middle attacks; bidirectional encryption of communication.
Amazon S3 Default Security
Newly created S3 buckets and objects are private and protected by default; can only be accessed by users explicitly granted access.
Amazon S3 Block Public Access
Simple feature to use; overrides other policies or object permissions; prevents unintended exposure of S3 data; should enable for all buckets not meant to be public.
S3 Block Public Access feature
A feature that helps control public access to S3 buckets.
IAM policies
Policies that define permissions for AWS Identity and Access Management users and groups.
Bucket policies
Policies that grant access across AWS accounts or grant public/anonymous access; should be written carefully and tested fully.
Access Control Lists (ACLs)
Legacy access control mechanism; less commonly used; should not be set too open or permissive.
AWS Trusted Advisor bucket permission check
A free feature useful for discovering if buckets have permissions granting global access.
AWS Compliance Programs Categories
1) Certifications and attestations, 2) Laws, regulations, and privacy, 3) Alignments and frameworks.
Certifications and Attestations Examples
ISO 27001, 27017, 27018, ISO/IEC 9001.
Laws, Regulations, and Privacy Examples
EU GDPR, HIPAA.
Alignments and Frameworks Examples
Center for Internet Security (CIS), EU-US Privacy Shield certified.
ISO/IEC 27001:2013
Specifies requirements for establishing, implementing, maintaining, and continually improving an Information Security Management System (ISMS).
HIPAA
Health Insurance Portability and Accountability Act; regulation for US government agencies and healthcare customers.
GDPR
EU General Data Protection Regulation; protects EU data subjects' fundamental right to privacy and protection of personal data.
AWS Config
Assesses, audits, and evaluates configurations of AWS resources; continuously monitors and records resource configurations.
AWS Config Features
Review configuration changes; view detailed configuration histories; simplify compliance auditing and security analysis.
AWS Config Dashboard
Shows inventory of all resources; checks configuration rule compliance; flags noncompliant resources.
AWS Config Aggregator
Shows aggregated view of resources across multiple Regions and accounts.
AWS Artifact
Resource for compliance-related information; provides on-demand access to security and compliance reports and online agreements.
AWS Artifact Available Documents
AWS ISO certifications, PCI reports, SOC reports; can submit to auditors/regulators.
AWS Artifact Agreements
Review, accept, and track status of AWS agreements like Business Associate Agreement (BAA).
Business Associate Agreement (BAA)
Required for companies subject to HIPAA; ensures protected health information (PHI) is appropriately safeguarded.
AWS Service Catalog
Creates and manages catalogs of IT services approved for organization use; helps employees find and deploy approved IT services.
AWS Service Catalog Constraints Examples
AWS Region where product can be launched; allowed IP address ranges.
AWS Service Catalog Benefits
Centrally manage IT service lifecycle; help meet compliance requirements.
Amazon Macie
Uses machine learning to automatically discover, classify, and protect sensitive data; recognizes PII and intellectual property.
Amazon Macie Features
Fully managed service; continuously monitors data access activity for anomalies.
Amazon Inspector
Automated security assessment service; improves security and compliance of applications deployed on AWS.
Amazon Inspector Output
Produces detailed list of security findings by severity level.
Amazon GuardDuty
Threat detection service; continuously monitors for malicious activity and unauthorized behavior.
Amazon GuardDuty Features
Uses machine learning, anomaly detection, and integrated threat intelligence.