Shared Responsibility Model
the concept that both the customer and AWS are responsible for security; AWS is responsible for the resources of the cloud, and the customer is responsible for the resources in the cloud.
AWS responsible for
Physical security of data centres
Hardware and software infrastructure
Network infrastructure
Virtualisation infrastructure
AWS Identity and Access Management (IAM)
enables you to manage access to AWS services and resources securely; configuration of users, groups, roles, policies, MFA
root user
user who created the AWS account; has complete access to all AWS services and resources in the account; do not use for everyday tasks
IAM user
person or application that interacts with AWS services and resources; by default it has no permissions; recommended to create individual users for each person who needs to access AWS
IAM policy
a document that allows or denies permissions to AWS services and resources at the user level; it is recommended to follow the security principle of least privilege
IAM group
collection of IAM users; a policy can be assigned to it, and all users in the group are granted the permissions specified by the policy
IAM roles
an identity that a user can assume to gain temporary access to permissions; they must first be granted permissions to switch to the role; when assumed, they abandon permissions that they had under a previous role; ideal for temporary assumption
AWS Organisations
used to consolidate and manage multiple AWS accounts within a central location; when an organisation is created, it creates a root, which is the parent container for all the accounts
Service control policies (SCPs)
enable you to place restrictions on the AWS services, resources and individual API actions that users and roles in each account can access; can be applied to an individual member account or an organisational unit
AWS Organisational Units (OUs)
make it easier to manage accounts with similar business or security requirements; when you apply a policy to one, all the accounts in it automatically inherit the permissions specified in the policy
AWS Artifact
a service that provides on-demand access to AWS security and compliance reports and select online agreements; consists of two main sections: Artifacts and Agreements
AWS Artifact Agreements
here you can review, accept and manage agreements for an individual account, and for all your accounts in AWS Organisations; different agreements are offered to address the needs of customers who are subject to specific regulations
AWS Artifact Reports
provide compliance reports from third-party auditors who have tested and verified that AWS is compliant with a variety of global, regional and industry-specific standards and regulations.
Customer Compliance Center
contains resources to help you learn more about AWS compliance; you can read how companies have solved various compliance, governance and audit challenges, and access whitepapers; it also includes an auditor learning path
DDoS
Distributed denial-of-service; cyberattack where multiple systems flood a target with traffic, making it unavailable to legitimate users
DoS
denial-of-service attack; a deliberate attempt to make a website or application unavailable to users
AWS Shield
a service that protects applications against DDoS attacks; provides two levels of protection: Standard and Advanced
AWS Shield Standard
automatically protects all AWS customers at no cost; protects resources from the most common, frequently occurring types of DDoS attacks; uses a variety of analysis techniques to detect malicious traffic and mitigate it
AWS Shield Advanced
paid service that provides detailed attack diagnostics and the ability to detect and mitigate more sophisticated DDoS attacks; integrates with other services such as CloudFront
AWS Key Management Service (AWS KMS)
enables you to perform encryption operations through the use of cryptographic keys; can be used to create, manage and use cryptographic keys; can also control the use of keys
AWS WAF
web application firewall that lets you monitor network requests that come into your web applications; works with CloudFront and Load Balancer; you can configure the web access control list (ACL) to list blocked IP addresses
Amazon Inspector
performs automated security assessments; helps improve the security and compliance of applications; checks for security vulnerabilities and deviations from security best practices; outputs a list of issues and recommendations
Amazon GuardDuty
service that provides intelligent threat detection for your AWS infrastructure and resources; identifies threats by continuously monitoring network activity and account behaviour within your AWS environment
principle of least privilege
granting only the permissions that are needed to perform specific job tasks