CR

11_Cloud Security Principles Review

AWS Shared Responsibility Model

  • AWS is responsible for the security of the cloud.
  • Customers are responsible for security in the cloud.
  • Choosing AWS managed services offloads more security work to AWS.

Security Pillar of the Well-Architected Framework

  • Security is one of the six pillars of the Well-Architected Framework, which also includes:
    • Operational Excellence
    • Reliability
    • Performance Efficiency
    • Cost Optimization
    • Sustainability
  • Reference the AWS Well-Architected Framework security pillar white paper.

Seven Design Principles in the Security Pillar:

  • Implement a strong identity foundation.
  • Protect data in transit and at rest.
  • Apply security at all layers.
  • Keep people away from data.
  • Maintain traceability.
  • Prepare for security events.
  • Automate best practices.
  • These principles support a defense-in-depth approach.

Implementing a Strong Identity Foundation

  • Use policies to grant or deny access to cloud resources.
  • Example:
    • User John:
      • Full access to Amazon S3 bucket 1.
      • Read-only access to Amazon S3 bucket 2.
      • Explicitly denied access to DynamoDB table.

Principle of Least Privilege

  • Limit permissions to the minimum amount needed to perform a role.
  • Example:
    • Users Mary (Marketing) and John (Administrator) accessing an Amazon S3 bucket.
      • John has full access.
      • Mary has read-only access.
    • On a second bucket, Mary is explicitly denied access.

Important Aspects of the Principle of Least Privilege:

  • Grant only the permission required to do a task.
  • Start with the minimum set of permissions.
  • Grant additional permissions only if needed.
  • Revoke unnecessary permissions.

Data Encryption

  • Encryption prevents unauthorized data access.
  • Applies to protecting data in transit and at rest.

Data in Transit

  • Data actively moving from one location to another.
  • Encrypting data in transit protects privacy.
  • Uses a cryptographic protocol to secure the data transfer.

Data at Rest

  • Data that is not actively moving.
  • Encrypt the files themselves where they are stored.

Client-Side Encryption

  • Objects are encrypted before they are sent to the cloud.
  • Data is encrypted at rest on the client.
  • Sent through an encrypted pipe to be stored in the cloud in its encrypted state.

Server-Side Encryption

  • Data is encrypted before it's stored on the server side.
  • Example: Amazon S3.
  • The service encrypts data at the object level as it writes the data to disk.
  • The service decrypts the data when you access it.

Key Takeaways

  • Security and compliance are a shared responsibility between AWS and customers.
  • The security pillar of the AWS Well-Architected Framework provides design principles and best practices.
  • Follow the principle of least privilege as part of implementing a strong identity foundation.
  • Use encryption as part of protecting data at rest and in transit.