AWS' Responsibility
Security of the cloud.
AWS Shared Responsibility Model
AWS operates, manages, and controls the components from the software virtualization layer down to the physical security of the facilities where AWS services operate.
Customer's Responsibility
Security in the cloud.
Authorization
The process of verifying permissions.
Availability Zones
Can span multiple availability zones.
Internet Gateway
Bridge for connecting your subnet to the Internet.
VPC Endpoints
A private connection between your VPC and an AWS service in another VPC that doesn't require traffic to go over the public internet.
Amazon CloudFront
Amazon's Content Delivery Network (CDN) for managing the caching of your content around the globe.
Amazon GuardDuty
A threat-detection service for your AWS account using machine learning that continuously monitors for malicious activity.
Amazon Inspector
An automated security assessment service that helps improve the security and compliance of applications deployed on AWS.
AWS Artifact
A service that provides on-demand access to AWS compliance reports and security and privacy documentation.
PaaS (Platform as a Service)
Customer does not need to manage the underlying infrastructure; AWS handles the operating system, database patching, firewall configuration, and disaster recovery.
AWS Shield
A managed distributed denial of service (DDoS) protection tool.
IaaS (Infrastructure as a Service)
Customer is responsible for managing more aspects of the security such as patching the operating system, installing and patching any software installed on the instance, and configuring access controls.
SaaS (Software as a Service)
Customers do not need to manage the infrastructure that supports the service; software is centrally hosted.
Authentication
The process of verifying identity.
Principle of Least Privilege
Grant users the minimum set of permissions that they require to do their jobs.
Encryption of data at Rest
The concept of encrypting stored data so that if the storage is breached, the thief cannot read the data.
Encryption of data in Transit
The concept of encrypting data while it is moving across the network to protect it from eavesdroppers.
IAM User
A person or application that can authenticate with an AWS account.
IAM Group
A collection of IAM users that are granted identical authorization.
IAM Policy
A document that defines which resources can be accessed and the level of access to each resource.
IAM Role
A mechanism to grant a set of permissions for making AWS service requests.
Service Control Policies (SCPs)
Policies that restrict which accounts have access to which services and API actions.
IAM Best Practices
Do not use the AWS account root user except when necessary, enable multi-factor authentication, and store root user credentials securely.
AWS CloudTrail
A service to view all account activity for the last 90 days.
Amazon VPC
Enables you to provision a logically isolated section of the AWS Cloud where you can launch AWS resources in a virtual network that you define.
Subnets
Range of IP addresses that divide a VPC.
IP Ranges
The largest VPC CIDR block size is /16 (65,536 addresses).
Elastic Network Interface (ENI)
A virtual network card for an EC2 instance; it specifies the IP address(es) for that instance.
Route Table
Specifies the rules on how traffic (data packets) will be routed based upon their destination IP address.
Network Address Translation (NAT) Gateway
Similar to an internet gateway but allows outbound traffic only.
VPC Sharing
Typically, a VPC is for one account only.
VPC Peering
A networking connection between two VPCs that allows them to communicate with each other as if they were part of the same network.
VPC Security Groups
Applied to instances.
Network Access Control Lists (ACLs)
Applied to subnets.
AWS Site-to-Site VPN
A service that connects your on-premises network to your AWS Virtual Private Cloud (VPC) over an encrypted VPN connection using the public internet.
AWS Direct Connect
An alternative to Site-to-Site VPN that instead uses a dedicated, private network connection between your network and AWS.
AWS Transit Gateway
A central hub that connects multiple VPCs and on-premises networks in a scalable and simplified way.
Amazon Cognito
Adds user sign-up, sign-in, and access control to your web and mobile applications.
Amazon Macie
A security service that uses machine learning to automatically discover, classify, and protect sensitive data stored in Amazon S3.
Amazon Route 53
Amazon's Domain Name System (DNS) web service.
AWS Certificate Manager
A service that provisions, manages, and automatically renews SSL/TLS certificates.
AWS Config
A service that continuously monitors and records your AWS resource configurations and changes.
AWS Identity and Access Management (IAM)
Enables you to manage access to AWS services and resources securely.
AWS Key Management Service (AWS KMS)
Enables you to create and manage encryption keys.
AWS Organizations
Facilitates consolidated billing, supports delegated administration.
AWS Service Catalog
Enables organizations to create and manage catalogs of IT services that are approved for use.
Edge Locations
Physical servers spread around the globe that host the data cached by Amazon CloudFront.