11_Cloud Security Principles Review

AWS Shared Responsibility Model

  • AWS is responsible for the security of the cloud.
  • Customers are responsible for security in the cloud.
  • Choosing AWS managed services offloads more security work to AWS.

Security Pillar of the Well-Architected Framework

  • Security is one of the six pillars of the Well-Architected Framework, which also includes:
    • Operational Excellence
    • Reliability
    • Performance Efficiency
    • Cost Optimization
    • Sustainability
  • Reference the AWS Well-Architected Framework security pillar white paper.

Seven Design Principles in the Security Pillar:

  • Implement a strong identity foundation.
  • Protect data in transit and at rest.
  • Apply security at all layers.
  • Keep people away from data.
  • Maintain traceability.
  • Prepare for security events.
  • Automate best practices.

Together, these seven principles support a defense-in-depth approach.

Implementing a Strong Identity Foundation

  • Use policies to grant or deny access to cloud resources.
  • Example:
    • User John:
      • Full access to Amazon S3 bucket 1.
      • Read-only access to Amazon S3 bucket 2.
      • Explicitly denied access to DynamoDB table.

Principle of Least Privilege

  • Limit permissions to the minimum amount needed to perform a role.
  • Example:
    • Users Mary (Marketing) and John (Administrator) accessing an Amazon S3 bucket.
      • John has full access.
      • Mary has read-only access.
    • On a second bucket, Mary is explicitly denied access.

Important Aspects of the Principle of Least Privilege:

  • Grant only the permission required to do a task.
  • Start with the minimum set of permissions.
  • Grant additional permissions only if needed.
  • Revoke unnecessary permissions.
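To make the two policy examples above concrete, here is an added example (not part of the original notes) that writes John's and Mary's permissions as IAM-style policy documents and runs a deliberately simplified evaluator over sample requests. Bucket names, the table ARN and the account id are constructed placeholders, and the evaluator models only identity policies: explicit Deny beats Allow, and anything not allowed is implicitly denied (real IAM also considers conditions, resource policies, SCPs and permission boundaries).

```python
import fnmatch

# Constructed policies following the notes above; bucket names, the table ARN
# and the account id are placeholders, not real resources.
JOHN_POLICY = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": "s3:*",                       # full access, bucket 1
     "Resource": ["arn:aws:s3:::bucket-1", "arn:aws:s3:::bucket-1/*"]},
    {"Effect": "Allow", "Action": ["s3:GetObject", "s3:ListBucket"],  # read-only, bucket 2
     "Resource": ["arn:aws:s3:::bucket-2", "arn:aws:s3:::bucket-2/*"]},
    {"Effect": "Deny", "Action": "dynamodb:*",                  # explicit deny on the table
     "Resource": "arn:aws:dynamodb:us-east-1:123456789012:table/example-table"},
]}
MARY_POLICY = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": ["s3:GetObject", "s3:ListBucket"],  # read-only, bucket 1
     "Resource": ["arn:aws:s3:::bucket-1", "arn:aws:s3:::bucket-1/*"]},
    {"Effect": "Deny", "Action": "s3:*",                        # explicit deny, bucket 2
     "Resource": ["arn:aws:s3:::bucket-2", "arn:aws:s3:::bucket-2/*"]},
]}

def _as_list(value):
    return value if isinstance(value, list) else [value]

def _matches(patterns, value):
    # IAM Action and Resource strings use * and ? wildcards; fnmatch models that.
    return any(fnmatch.fnmatchcase(value, p) for p in patterns)

def evaluate(policy, action, resource):
    """Simplified identity-policy evaluation: an explicit Deny always wins,
    an Allow is needed for access, and anything unmatched is implicitly denied.
    (Real IAM also evaluates conditions, resource policies, SCPs and boundaries.)"""
    decision = "ImplicitDeny"
    for stmt in policy["Statement"]:
        if not _matches(_as_list(stmt["Action"]), action):
            continue
        if not _matches(_as_list(stmt["Resource"]), resource):
            continue
        if stmt["Effect"] == "Deny":
            return "ExplicitDeny"       # nothing can override an explicit deny
        decision = "Allow"
    return decision

if __name__ == "__main__":
    for who, policy in (("John", JOHN_POLICY), ("Mary", MARY_POLICY)):
        for action, res in (("s3:PutObject", "arn:aws:s3:::bucket-1/report.csv"),
                            ("s3:GetObject", "arn:aws:s3:::bucket-2/report.csv"),
                            ("dynamodb:GetItem",
                             "arn:aws:dynamodb:us-east-1:123456789012:table/example-table")):
            print(f"{who:5} {action:17} -> {evaluate(policy, action, res)}")
```

The "start with the minimum set" rule shows up as the ImplicitDeny results: John's full access to bucket 1 grants nothing on bucket 2 or on any other service unless a statement says so.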

Data Encryption

  • Encryption keeps data unreadable to anyone who does not hold the key, even if they obtain a copy of it.
  • Applies to protecting data both in transit and at rest.

Data in Transit

  • Data actively moving from one location to another.
  • Encrypting data in transit protects privacy.
  • Uses a cryptographic protocol to secure the data transfer.

Data at Rest

  • Data that is not actively moving.
  • Encrypt the files themselves where they are stored.

Client-Side Encryption

  • Objects are encrypted before they are sent to the cloud.
  • Data is encrypted at rest on the client.
  • The data is then sent over an encrypted connection and stored in the cloud still encrypted, so the provider never handles the plaintext.

Server-Side Encryption

  • Data is encrypted before it's stored on the server side.
  • Example: Amazon S3.
  • The service encrypts data at the object level as it writes the data to disk.
  • The service decrypts the data when you access it.

Key Takeaways

  • Security and compliance are a shared responsibility between AWS and customers.
  • The security pillar of the AWS Well-Architected Framework provides design principles and best practices.
  • Follow the principle of least privilege as part of implementing a strong identity foundation.
  • Use encryption as part of protecting data at rest and in transit.