Scribd
Upload
56 views82 pages

Module 4

Module 4 of the AWS Academy Cloud Foundations focuses on AWS Cloud Security, emphasizing the shared responsibility model between AWS and customers regarding security. It covers AWS Identity and Access Management (IAM), detailing how to manage access to AWS resources, the importance of IAM users, groups, roles, and policies, as well as best practices for securing AWS accounts and data. The module includes activities and scenarios to reinforce understanding of security responsibilities and IAM functionalities.

Uploaded by

keerthanmorareddy
Copyright
© © All Rights Reserved
We take content rights seriously. If you suspect this is your content, claim it here.
Available Formats
Download as PDF, TXT or read online on Scribd
56 views82 pages

Module 4

Module 4 of the AWS Academy Cloud Foundations focuses on AWS Cloud Security, emphasizing the shared responsibility model between AWS and customers regarding security. It covers AWS Identity and Access Management (IAM), detailing how to manage access to AWS resources, the importance of IAM users, groups, roles, and policies, as well as best practices for securing AWS accounts and data. The module includes activities and scenarios to reinforce understanding of security responsibilities and IAM functionalities.

Uploaded by

keerthanmorareddy
Copyright
© © All Rights Reserved
We take content rights seriously. If you suspect this is your content, claim it here.
Available Formats
Download as PDF, TXT or read online on Scribd
You are on page 1/ 82

Module 4: AWS Cloud Security

AWS Academy Cloud Foundations

© 2022, Amazon Web Services, Inc. or its affiliates. All rights reserved.
Module overview
Topics Activities
• AWS shared responsibility model • AWS shared responsibility model activity
• AWS Identity and Access Management (IAM)
• Securing a new AWS account Demo
• Securing accounts • Recorded demonstration of IAM
• Securing data on AWS
• Working to ensure compliance
Lab
• Introduction to AWS IAM

Knowledge check

© 2022, Amazon Web Services, Inc. or its affiliates. All rights reserved. 2
Module objectives
After completing this module, you should be able to:
• Recognize the shared responsibility model
• Identify the responsibility of the customer and AWS
• Recognize IAM users, groups, and roles
• Describe different types of security credentials in IAM
• Identify the steps to securing a new AWS account
• Explore IAM users and groups
• Recognize how to secure AWS data
• Recognize AWS compliance programs
© 2022, Amazon Web Services, Inc. or its affiliates. All rights reserved. 3
Section 1: AWS shared responsibility
model
Module 4: AWS Cloud Security

© 2022, Amazon Web Services, Inc. or its affiliates. All rights reserved.
AWS shared responsibility model

© 2022, Amazon Web Services, Inc. or its affiliates. All rights reserved. 5
AWS responsibility: Security of the cloud

AWS responsibilities:
• Physical security of data centers
• Controlled, need-based access
AWS services

• Hardware and software infrastructure


• Storage decommissioning, host operating
Compute Storage Database Networking system (OS) access logging, and auditing

AWS Global Regions • Network infrastructure


Infrastructure • Intrusion detection
Availability Zones
Edge locations
• Virtualization infrastructure
• Instance isolation

© 2022, Amazon Web Services, Inc. or its affiliates. All rights reserved. 6
Customer responsibility: Security in the cloud

Customer responsibilities:
• Amazon Elastic Compute Cloud (Amazon
EC2) instance operating system
Customer data • Including patching, maintenance
• Applications
Applications, IAM • Passwords, role-based access, etc.
• Security group configuration
Operating system, network, and firewall configuration • OS or host-based firewalls
• Including intrusion detection or prevention
Network traffic systems
Client-side data Server-side
protection • Network configurations
encryption and encryption
(encryption, • Account management
data integrity (file system or
integrity,
authentication data) • Login and permission settings for each user
identity)

Customer-configurable

© 2022, Amazon Web Services, Inc. or its affiliates. All rights reserved. 7
Service characteristics and security responsibility (1 of 2)

Example services managed by the customer Infrastructure as a service (IaaS)


• Customer has more flexibility over configuring
networking and storage settings
• Customer is responsible for managing more aspects
of the security
Amazon Amazon Elastic Amazon
• Customer configures the access controls
EC2 Block Store Virtual Private Cloud
(Amazon EBS) (Amazon VPC)
Platform as a service (PaaS)
• Customer does not need to manage the underlying
Example services managed by AWS
infrastructure
• AWS handles the operating system, database
patching, firewall configuration, and disaster recovery
• Customer can focus on managing code or data
AWS Amazon AWS Elastic
Lambda Relational Database Beanstalk
Service (Amazon RDS)

© 2022, Amazon Web Services, Inc. or its affiliates. All rights reserved. 8
Service characteristics and security responsibility (2 of 2)

SaaS examples Software as a service (SaaS)


• Software is centrally hosted
• Licensed on a subscription model or pay-as-you-go
basis.
AWS Trusted AWS Shield Amazon Chime
Advisor • Services are typically accessed via web browser,
mobile app, or application programming interface
(API)
• Customers do not need to manage the
infrastructure that supports the service

© 2022, Amazon Web Services, Inc. or its affiliates. All rights reserved. 9
Activity: AWS
shared
responsibility
model

Photo by Pixabay from Pexels.

© 2022, Amazon Web Services, Inc. or its affiliates. All rights reserved. 10
Activity: Scenario 1 of 2
Consider this deployment. Who is responsible – AWS or the customer?
AWS Cloud 1. Upgrades and patches to the 6. Oracle upgrades or patches
Virtual Private Cloud operating system on the EC2 If the Oracle instance runs
(VPC) instance? as an Amazon RDS instance?
2. Physical security of the data 7. Oracle upgrades or patches
center? If Oracle runs on an EC2
instance?
3. Virtualization infrastructure?
Amazon Simple Amazon Oracle 8. S3 bucket access
4. EC2 security group settings?
Storage Service EC2 instance configuration?
(Amazon S3) 5. Configuration of
applications that run on the
EC2 instance?
AWS Global Infrastructure

© 2022, Amazon Web Services, Inc. or its affiliates. All rights reserved. 11
Activity: Scenario 1 of 2 Answers
Consider this deployment. Who is responsible – AWS or the customer?
AWS Cloud 1. Upgrades and patches to the 6. Oracle upgrades or patches
Virtual Private Cloud operating system on the EC2 If the Oracle instance runs
(VPC) instance? as an Amazon RDS instance?
• ANSWER: The customer • ANSWER: AWS
2. Physical security of the data 7. Oracle upgrades or patches
center? If Oracle runs on an EC2
Amazon Simple Amazon Oracle • ANSWER: AWS instance?
Storage Service EC2 instance • ANSWER: The customer
3. Virtualization infrastructure?
(Amazon S3) 8. S3 bucket access
• ANSWER: AWS
configuration?
AWS Global Infrastructure 4. EC2 security group settings? • ANSWER: The customer
• ANSWER: The customer
5. Configuration of
applications that run on the
EC2 instance?
• ANSWER: The customer

© 2022, Amazon Web Services, Inc. or its affiliates. All rights reserved. 12
Activity: Scenario 2 of 2
Consider this deployment. Who is responsible – AWS or the customer?
Secure Shell
(SSH) keys 1. Ensuring that the AWS 6. Ensuring network isolation
Management Console is not between AWS customers'
AWS Command hacked? data?
AWS Line Interface 2. Configuring the subnet? 7. Ensuring low-latency
Management (AWS CLI) network connection between
Console 3. Configuring the VPC? the web server and the S3
Internet
gateway 4. Protecting against network bucket?
VPC
outages in AWS Regions? 8. Enforcing multi-factor
Subnet 5. Securing the SSH keys authentication for all user
logins?

Web server on
Amazon EC2

S3 bucket
with objects

© 2022, Amazon Web Services, Inc. or its affiliates. All rights reserved. 13
Activity: Scenario 2 of 2 Answers
Consider this deployment. Who is responsible – AWS or the customer?
Secure Shell
(SSH) keys 1. Ensuring that the AWS 6. Ensuring network isolation
Management Console is not between AWS customers'
AWS Command hacked? data?
AWS Line Interface • ANSWER: AWS • ANSWER: AWS
Management (AWS CLI)
Console 2. Configuring the subnet? 7. Ensuring low-latency
Internet network connection between
• ANSWER: The customer
VPC gateway the web server and the S3
3. Configuring the VPC? bucket?
Subnet • ANSWER: The customer • ANSWER: AWS
4. Protecting against network 8. Enforcing multi-factor
outages in AWS Regions? authentication for all user
Web server on
• ANSWER: AWS logins?
Amazon EC2
• ANSWER: The customer
5. Securing the SSH keys
• ANSWER: The customer

S3 bucket
with objects

© 2022, Amazon Web Services, Inc. or its affiliates. All rights reserved. 14
• AWS and the customer share security responsibilities:
Section 1 key • AWS is responsible for security of the cloud
takeaways • Customer is responsible for security in the cloud
• AWS is responsible for protecting the
infrastructure—including hardware, software, networking, and
facilities—that run AWS Cloud services
• For services that are categorized as infrastructure as a
service (IaaS), the customer is responsible for performing
necessary security configuration and management tasks
• For example, guest OS updates and security patches, firewall, security
group configurations

© 2022, Amazon Web Services, Inc. or its affiliates. All rights reserved. 15
Section 2: AWS Identity and
Access Management (IAM)
Module 4: AWS Cloud Security

© 2022, Amazon Web Services, Inc. or its affiliates. All rights reserved.
AWS Identity and Access Management (IAM)
• Use IAM to manage access to AWS resources –
• A resource is an entity in an AWS account that you can work with
• Example resources; An Amazon EC2 instance or an Amazon S3 bucket

• Example – Control who can terminate Amazon EC2 instances

AWS Identity and


• Define fine-grained access rights – Access Management
• Who can access the resource (IAM)

• Which resources can be accessed and what can the user do to the resource
• How resources can be accessed

• IAM is a no-cost AWS account feature


© 2022, Amazon Web Services, Inc. or its affiliates. All rights reserved. 17
IAM: Essential components

A person or application that can authenticate with an


AWS account.
IAM user

A collection of IAM users that are granted identical


authorization.
IAM group

The document that defines which resources can be


accessed and the level of access to each resource.
IAM policy

Useful mechanism to grant a set of permissions for


IAM role making AWS service requests.

© 2022, Amazon Web Services, Inc. or its affiliates. All rights reserved. 18
Authenticate as an IAM user to gain access
When you define an IAM user, you select what types of access the user is permitted to use.

Programmatic access
• Authenticate using:
• Access key ID
• Secret access key AWS CLI AWS Tools
and SDKs
• Provides AWS CLI and AWS SDK access

AWS Management Console access


• Authenticate using:
• 12-digit Account ID or alias
AWS Management
• IAM user name Console
• IAM password
• If enabled, multi-factor authentication (MFA) prompts for an authentication code.
© 2022, Amazon Web Services, Inc. or its affiliates. All rights reserved. 19
IAM MFA
• MFA provides increased security.

• In addition to username and password, MFA requires a unique authentication code


to access AWS services.

Username and
password

MFA token

AWS Management Console


© 2022, Amazon Web Services, Inc. or its affiliates. All rights reserved. 20
Authorization: What actions are permitted

After the user or application is connected to the AWS account, what are they allowed to do?

EC2
Full
instances
acces
s

Read-
only S3 bucket
IAM user,
IAM group,
or IAM role
IAM policies

© 2022, Amazon Web Services, Inc. or its affiliates. All rights reserved. 21
IAM: Authorization
• Assign permissions by creating an IAM policy.

• Permissions determine which resources and operations are allowed:


• All permissions are implicitly denied by default.

• If something is explicitly denied, it is never allowed.

Best practice: Follow the principle of least privilege.


IAM
permissions

Note: The scope of IAM service configurations is global. Settings apply across all AWS Regions.

© 2022, Amazon Web Services, Inc. or its affiliates. All rights reserved. 22
IAM policies
• An IAM policy is a document that defines permissions
• Enables fine-grained access control
• Two types of policies – identity-based and resource-based
• Identity-based policies – IAM entities
• Attach a policy to any IAM entity
• An IAM user, an IAM group, or an IAM role Attach to
IAM user
one of
• Policies specify:
• Actions that may be performed by the entity
IAM IAM group
• Actions that may not be performed by the entity policy
• A single policy can be attached to multiple entities
IAM role
• A single entity can have multiple policies attached to it
• Resource-based policies
• Attached to a resource (such as an S3 bucket)
© 2022, Amazon Web Services, Inc. or its affiliates. All rights reserved. 23
IAM policy example

{
"Version": "2012-10-17", Explicit allow gives users access to a specific
"Statement":[{ DynamoDB table and…
"Effect":"Allow",
"Action":["DynamoDB:*","s3:*"],
"Resource":[
"arn:aws:dynamodb:region:account-number-without-hyphens:table/table-name",
"arn:aws:s3:::bucket-name",
"arn:aws:s3:::bucket-name/*"] …Amazon S3 buckets.
},
{ Explicit deny ensures that the users cannot use any other AWS
"Effect":"Deny", actions or resources other than that table and those buckets.
"Action":["dynamodb:*","s3:*"],
"NotResource":["arn:aws:dynamodb:region:account-number-without-hyphens:table/table-name”,
"arn:aws:s3:::bucket-name",
"arn:aws:s3:::bucket-name/*"]
}
] An explicit deny statement takes precedence
} over an allow statement.

© 2022, Amazon Web Services, Inc. or its affiliates. All rights reserved. 24
Resource-based policies

• Identity-based policies are attached to


a user, group, or role
• Resource-based policies are attached AWS Account
to a resource (not to a user, group or
role) IAM user S3 bucket
• Characteristics of resource-based MaryMajor photos
policies – attached Defined inline
• Specifies who has access to the resource on the bucket
and what actions they can perform on it
• The policies are inline only, not managed Identity-based Resource-
• Resource-based policies are policy based policy
supported only by some AWS services Policy grants list, Policy grants user
read objects to the MaryMajor list, read
photos bucket objects

© 2022, Amazon Web Services, Inc. or its affiliates. All rights reserved. 25
IAM permissions
How IAM determines permissions:

Is the permission Is the permission


explicitly denied ? No explicitly allowed ? No Deny

Implicit deny

Yes Yes

Deny Allow

© 2022, Amazon Web Services, Inc. or its affiliates. All rights reserved. 26
IAM groups

• An IAM group is a collection of IAM AWS


account
users
• A group is used to grant the same IAM group: IAM group: IAM group:
permissions to multiple users Admins Developers Testers

• Permissions granted by attaching IAM policy Carlos Salazar Li Juan Zhang Wei
or policies to the group
Márcia Oliveira Mary Major John Stiles
• A user can belong to multiple groups
Richard Roe Li Juan
• There is no default group

• Groups cannot be nested

© 2022, Amazon Web Services, Inc. or its affiliates. All rights reserved. 27
IAM roles
• An IAM role is an IAM identity with specific permissions
• Similar to an IAM user
• Attach permissions policies to it
• Different from an IAM user IAM role

• Not uniquely associated with one person


• Intended to be assumable by a person, application, or service
• Role provides temporary security credentials
• Examples of how IAM roles are used to delegate access –
• Used by an IAM user in the same AWS account as the role
• Used by an AWS service—such as Amazon EC2—in the same account as the role
• Used by an IAM user in a different AWS account than the role

© 2022, Amazon Web Services, Inc. or its affiliates. All rights reserved. 28
Example use of an IAM role

Scenario: AWS Cloud


• An application that runs on an EC2 Application has
instance needs access to an S3 bucket permissions to
Amazon EC2 instance access the S3
bucket
Application 3
Solution: Amazon S3
• Define an IAM policy that grants access 2 Role assumed by bucket
to the S3 bucket. the EC2 instance photos

• Attach the policy to a role


attached
• Allow the EC2 instance to assume the IAM role 1 IAM policy
role grants access
to photos
bucket

© 2022, Amazon Web Services, Inc. or its affiliates. All rights reserved. 29
• IAM policies are constructed with JavaScript Object
Section 2 key Notation (JSON) and define permissions.
takeaways • IAM policies can be attached to any IAM entity.
• Entities are IAM users, IAM groups, and IAM roles.
• An IAM user provides a way for a person, application, or
service to authenticate to AWS.
• An IAM group is a simple way to attach the same
policies to multiple users.
• An IAM role can have permissions policies attached to it
and can be used to delegate temporary access to users
or applications.

© 2022, Amazon Web Services, Inc. or its affiliates. All rights reserved. 30
Recorded demo:
IAM

© 2022, Amazon Web Services, Inc. or its affiliates. All rights reserved. 31
Section 3: Securing a new AWS
account
Module 4: AWS Cloud Security

© 2022, Amazon Web Services, Inc. or its affiliates. All rights reserved.
AWS account root user access versus IAM access

Account IAM • Best practice: Do not use the AWS


root user
account root user except when
Integrates with ot
necessary.
her
AWS services • Access to the account root user requires
logging in with the email address (and
Identity federatio password) that you used to create the
n
account.
Privileges cannot
controlled
be Secure access fo
r
• Example actions that can only be
applications done with the account root user:
Full access to all • Update the account root user password
resources Granular
permissions • Change the AWS Support plan
• Restore an IAM user's permissions
• Change account settings (for example,
contact information, allowed Regions)
© 2022, Amazon Web Services, Inc. or its affiliates. All rights reserved. 33
Securing a new AWS account: Account root user
Step 1: Stop using the account root user as soon as possible.
• The account root user has unrestricted access to all your resources.

• To stop using the account root user:


1. While you are logged in as the account root user, create an IAM user for
yourself. Save the access keys if needed.
2. Create an IAM group, give it full administrator permissions, and add the IAM
user to the group.
3. Disable and remove your account root user access keys, if they exist.
4. Enable a password policy for users.
5. Sign in with your new IAM user credentials.
6. Store your account root user credentials in a secure place.

© 2022, Amazon Web Services, Inc. or its affiliates. All rights reserved. 34
Securing a new AWS account: MFA
Step 2: Enable multi-factor authentication (MFA).
• Require MFA for your account root user and for all IAM users.
• You can also use MFA to control access to AWS service APIs.

• Options for retrieving the MFA token –


• Virtual MFA-compliant applications:
• Google Authenticator.
• Authy Authenticator (Windows phone app).
• U2F security key devices:
MFA token
• For example, YubiKey.
• Hardware MFA options:
• Key fob or display card offered by Gemalto.
© 2022, Amazon Web Services, Inc. or its affiliates. All rights reserved. 35
Securing a new AWS account: AWS CloudTrail
Step 3: Use AWS CloudTrail.
• CloudTrail tracks user activity on your account.
• Logs all API requests to resources in all supported services your account.
• Basic AWS CloudTrail event history is enabled by default and is free.
• It contains all management event data on latest 90 days of account activity.
• To access CloudTrail –
1. Log in to the AWS Management Console and choose the CloudTrail service.
2. Click Event history to view, filter, and search the last 90 days of events.
• To enable logs beyond 90 days and enable specified event alerting, create a trail.
1. From the CloudTrail Console trails page, click Create trail.
2. Give it a name, apply it to all Regions, and create a new Amazon S3 bucket for log storage.
3. Configure access restrictions on the S3 bucket (for example, only admin users should have
access).

© 2022, Amazon Web Services, Inc. or its affiliates. All rights reserved. 36
Securing a new AWS account: Billing reports
Step 4: Enable a billing report, such as the AWS Cost and Usage Report.

• Billing reports provide information about your use of AWS resources and
estimated costs for that use.

• AWS delivers the reports to an Amazon S3 bucket that you specify.

• Report is updated at least once per day.

• The AWS Cost and Usage Report tracks your AWS usage and provides estimated
charges associated with your AWS account, either by the hour or by the day.

© 2022, Amazon Web Services, Inc. or its affiliates. All rights reserved. 37
Optional: Securing a new AWS
account – Full walkthrough
Module 4: AWS Cloud Security

© 2022, Amazon Web Services, Inc. or its affiliates. All rights reserved.
IAM security status review

© 2022, Amazon Web Services, Inc. or its affiliates. All rights reserved. 39
Activate MFA on the account root user

Custom
sign-in
link

MFA
activation

© 2022, Amazon Web Services, Inc. or its affiliates. All rights reserved. 40
Activate MFA on account root user

© 2022, Amazon Web Services, Inc. or its affiliates. All rights reserved. 41
MFA on account root user is activated

MFA MFA
activated
Setup

© 2022, Amazon Web Services, Inc. or its affiliates. All rights reserved. 42
Create an individual IAM user (1 of 5)

IAM user
creation

© 2022, Amazon Web Services, Inc. or its affiliates. All rights reserved. 43
Create an individual IAM user (2 of 5)

© 2022, Amazon Web Services, Inc. or its affiliates. All rights reserved. 44
Create an individual IAM user (3 of 5)

© 2022, Amazon Web Services, Inc. or its affiliates. All rights reserved. 45
Create an individual IAM user (4 of 5)

© 2022, Amazon Web Services, Inc. or its affiliates. All rights reserved. 46
Create an individual IAM user (5 of 5)

© 2022, Amazon Web Services, Inc. or its affiliates. All rights reserved. 47
IAM user creation successful

© 2022, Amazon Web Services, Inc. or its affiliates. All rights reserved. 48
IAM Dashboard security status

Password
policy
creation

© 2022, Amazon Web Services, Inc. or its affiliates. All rights reserved. 49
Set an IAM password policy

© 2022, Amazon Web Services, Inc. or its affiliates. All rights reserved. 50
Security status checks completed

© 2022, Amazon Web Services, Inc. or its affiliates. All rights reserved. 51
Best practices to secure an AWS account:
Section 3 key
• Secure logins with multi-factor authentication (MFA).
takeaways • Delete account root user access keys.
• Create individual IAM users and grant permissions
according to the principle of least privilege.
• Use groups to assign permissions to IAM users.
• Configure a strong password policy.
• Delegate using roles instead of sharing credentials.
• Monitor account activity by using AWS CloudTrail.

© 2022, Amazon Web Services, Inc. or its affiliates. All rights reserved. 52
Lab 1:
Introduction to
IAM

© 2022, Amazon Web Services, Inc. or its affiliates. All rights reserved. 53
Lab 1: Tasks

• Task 1: Explore the Users and Groups.

• Task 2: Add Users to Groups.

• Task 3: Sign-In and Test Users.


AWS Identity and
Access Management
(IAM)

© 2022, Amazon Web Services, Inc. or its affiliates. All rights reserved. 54
Lab 1: Final product

Account
AWS account

Users Groups

user-1 user-2 user-3 EC2-Admin EC2-Support S3-Support

user-2

Amazon EC2
read-only
Amazon EC2 – IAM inline IAM managed
access
View, start, and policy policy S3 read-
stop access only access

user-3 user-1

© 2022, Amazon Web Services, Inc. or its affiliates. All rights reserved. 55
~ 40 minutes

Begin Lab 1:
Introduction to AWS
IAM

© 2022, Amazon Web Services, Inc. or its affiliates. All rights reserved. 56
Lab debrief:
Key takeaways

© 2022, Amazon Web Services, Inc. or its affiliates. All rights reserved. 57
Section 4: Securing accounts
Module 4: AWS Cloud Security

© 2022, Amazon Web Services, Inc. or its affiliates. All rights reserved.
AWS Organizations
• AWS Organizations enables you to consolidate multiple AWS
accounts so that you centrally manage them.

• Security features of AWS Organizations: AWS Organizations

• Group AWS accounts into organizational units (OUs) and attach different
access policies to each OU.

• Integration and support for IAM


• Permissions to a user are the intersection of what is allowed by AWS Organizations
and what is granted by IAM in that account.

• Use service control policies to establish control over the AWS services and
API actions that each AWS account can access

© 2022, Amazon Web Services, Inc. or its affiliates. All rights reserved. 59
AWS Organizations: Service control policies
• Service control policies (SCPs) offer centralized control over accounts.
• Limit permissions that are available in an account that is part of an organization.

• Ensures that accounts comply with access control guidelines.

• SCPs are similar to IAM permissions policies –


• They use similar syntax.
• However, an SCP never grants permissions.
• Instead, SCPs specify the maximum permissions for an organization.

© 2022, Amazon Web Services, Inc. or its affiliates. All rights reserved. 60
AWS Key Management Service (AWS KMS)
AWS Key Management Service (AWS KMS) features:
• Enables you to create and manage encryption keys

• Enables you to control the use of encryption across AWS services and in your
applications.

• Integrates with AWS CloudTrail to log all key usage.

• Uses hardware security modules (HSMs) that are validated by Federal


Information Processing Standards (FIPS) 140-2 to protect keys
AWS Key Management
Service (AWS KMS)

© 2022, Amazon Web Services, Inc. or its affiliates. All rights reserved. 61
Amazon Cognito
Amazon Cognito features:
• Adds user sign-up, sign-in, and access control to your web and mobile
applications.

• Scales to millions of users.

• Supports sign-in with social identity providers, such as Facebook, Google, and
Amazon; and enterprise identity providers, such as Microsoft Active Directory via
Security Assertion Markup Language (SAML) 2.0.

Amazon Cognito

© 2022, Amazon Web Services, Inc. or its affiliates. All rights reserved. 62
AWS Shield
• AWS Shield features:
• Is a managed distributed denial of service (DDoS) protection service

• Safeguards applications running on AWS

• Provides always-on detection and automatic inline mitigations

• AWS Shield Standard enabled for at no additional cost. AWS Shield Advanced is
an optional paid service.

• Use it to minimize application downtime and latency.


AWS Shield

© 2022, Amazon Web Services, Inc. or its affiliates. All rights reserved. 63
Section 5: Securing data on AWS
Module 4: AWS Cloud Security

© 2022, Amazon Web Services, Inc. or its affiliates. All rights reserved.
Encryption of data at rest
• Encryption encodes data with a secret key, which makes it unreadable
• Only those who have the secret key can decode the data
• AWS KMS can manage your secret keys

• AWS supports encryption of data at rest


• Data at rest = Data stored physically (on disk or on tape)
• You can encrypt data stored in any service that is supported by AWS KMS,
including:
• Amazon S3
• Amazon EBS
• Amazon Elastic File System (Amazon EFS)
• Amazon RDS managed databases
© 2022, Amazon Web Services, Inc. or its affiliates. All rights reserved. 65
Encryption of data in transit
• Encryption of data in transit (data moving across a network)
• Transport Layer Security (TLS)—formerly SSL—is an open standard protocol
• AWS Certificate Manager provides a way to manage, deploy, and renew TLS or SSL
certificates
• Secure HTTP (HTTPS) creates a secure tunnel
• Uses TLS or SSL for the bidirectional exchange of data
• AWS services support data in transit encryption.
• Two examples:

AWS Cloud Corporate data center AWS Cloud

TLS encrypted
data traffic TLS or SSL
encrypted Amazon S3
Amazon EC2 Amazon EFS AWS Storage Gateway

© 2022, Amazon Web Services, Inc. or its affiliates. All rights reserved. 66
Securing Amazon S3 buckets and objects
• Newly created S3 buckets and objects are private and protected by
default.
• When use cases require sharing data objects on Amazon S3 –
• It is essential to manage and control the data access.
• Follow the permissions that follow the principle of least privilege and consider using
Amazon S3 encryption.
• Tools and options for controlling access to S3 data include –
• Amazon S3 Block Public Access feature: Simple to use.
• IAM policies: A good option when the user can authenticate using IAM.
• Bucket policies
• Access control lists (ACLs): A legacy access control mechanism.
• AWS Trusted Advisor bucket permission check: A free feature.

© 2022, Amazon Web Services, Inc. or its affiliates. All rights reserved. 67
Section 6: Working to ensure
compliance
Module 4: AWS Cloud Security

© 2022, Amazon Web Services, Inc. or its affiliates. All rights reserved.
AWS compliance programs
• Customers are subject to many different security and compliance regulations and requirements.
• AWS engages with certifying bodies and independent auditors to provide customers with detailed
information about the policies, processes, and controls that are established and operated by AWS.

• Compliance programs can be broadly categorized –


• Certifications and attestations
• Assessed by a third-party, independent auditor
• Examples: ISO 27001, 27017, 27018, and ISO/IEC 9001
• Laws, regulations, and privacy
• AWS provides security features and legal agreements to support compliance
• Examples: EU General Data Protection Regulation (GDPR), HIPAA
• Alignments and frameworks
• Industry- or function-specific security or compliance requirements
• Examples: Center for Internet Security (CIS), EU-US Privacy Shield certified

© 2022, Amazon Web Services, Inc. or its affiliates. All rights reserved. 69
AWS Config

• Assess, audit, and evaluate the


AWS Config Example AWS Config Dashboard view configurations of AWS resources.
• Use for continuous monitoring of
configurations.
• Automatically evaluate
recorded configurations versus
desired configurations.
• Review configuration changes.
• View detailed configuration histories.
• Simplify compliance auditing and
security analysis.

© 2022, Amazon Web Services, Inc. or its affiliates. All rights reserved. 70
AWS Artifact

• Is a resource for compliance-related information


• Provide access to security and compliance reports, and
AWS Artifact
select online agreements
• Can access example downloads:
• AWS ISO certifications
• Payment Card Industry (PCI) and Service Organization Control
(SOC) reports
• Access AWS Artifact directly from the AWS Management
Console
• Under Security, Identify & Compliance, click Artifact.

© 2022, Amazon Web Services, Inc. or its affiliates. All rights reserved. 71
Section 6 key
• AWS security compliance programs provide
takeaways information about the policies, processes, and
controls that are established and operated by AWS.

• AWS Config is used to assess, audit, and evaluate


the configurations of AWS resources.

• AWS Artifact provides access to security and


compliance reports.

© 2022, Amazon Web Services, Inc. or its affiliates. All rights reserved. 72
Section 7: Additional security
services and resources
Module 4: AWS Cloud Security

© 2022, Amazon Web Services, Inc. or its affiliates. All rights reserved.
AWS Service Catalog

• Create and manage catalogs of IT services that are approved by your


organization
• Helps employees find and deploy approved IT services
AWS Service • An IT service can include one or more AWS resources
Catalog • Example:
• EC2 instances, storage volumes, databases, and networking components
• Control AWS service usage by specifying constraints –
• Example constraints:
• The AWS Region where a product can be launched
• Allowed IP address ranges
• Centrally manage the IT service lifecycle
• Help meet compliance requirements

© 2022, Amazon Web Services, Inc. or its affiliates. All rights reserved. 74
Selected additional security services

Proactively protect personally identifiable information (PII)


and know when it moves.
Amazon
Macie

Define standards and best practices for your applications


and validate adherence to these standards.
Amazon
Inspector

Intelligent threat detection and continuous monitoring to


protect your AWS accounts and workloads.
Amazon
GuardDuty

© 2022, Amazon Web Services, Inc. or its affiliates. All rights reserved. 75
Module wrap-up
Module 4: AWS Cloud Security

© 2022, Amazon Web Services, Inc. or its affiliates. All rights reserved.
Module summary
In summary, in this module you learned how to:
• Recognize the shared responsibility model
• Identify the responsibility of the customer and AWS
• Recognize IAM users, groups, and roles
• Describe different types of security credentials in IAM
• Identify the steps to securing a new AWS account
• Explore IAM users and groups
• Recognize how to secure AWS data
• Recognize AWS compliance programs
© 2022, Amazon Web Services, Inc. or its affiliates. All rights reserved. 77
Complete the knowledge check

© 2022, Amazon Web Services, Inc. or its affiliates. All rights reserved. 78
Sample exam question
Which of the following is AWS's responsibility under the
AWS shared responsibility model?

Choice Response

A Configuring third-party applications

B Maintaining physical hardware

C Securing application access and data

D Managing custom Amazon Machine Images (AMIs)

© 2022, Amazon Web Services, Inc. or its affiliates. All rights reserved. 79
Sample exam question answer
Which of the following is AWS's responsibility under the
AWS shared responsibility model?

The correct answer is B.


The keywords in the question are “AWS’s responsibility” and “AWS shared responsibility model”.

© 2022, Amazon Web Services, Inc. or its affiliates. All rights reserved. 80
Additional resources
• AWS Cloud Security: https://aws.amazon.com/security/
• AWS Security Resources: https://aws.amazon.com/security/security-learning/?cards-
top.sort-by=item.additionalFields.sortDate&cards-top.sort-
order=desc&awsf.Types=*all
• AWS Security Blog: https://aws.amazon.com/blogs/security/
• Security Bulletins : https://aws.amazon.com/security/security-bulletins/?card-
body.sort-by=item.additionalFields.bulletinId&card-body.sort-
order=desc&awsf.bulletins-flag=*all&awsf.bulletins-year=*all
• Vulnerability and Penetration testing: https://aws.amazon.com/security/penetration-
testing/
• AWS Well-Architected Framework – Security pillar: https:
//d1.awsstatic.com/whitepapers/architecture/AWS-Security-Pillar.pdf
• AWS documentation - IAM Best Practices: https:
//docs.aws.amazon.com/IAM/latest/UserGuide/best-practices.html
© 2022, Amazon Web Services, Inc. or its affiliates. All rights reserved. 81
Thank you

Corrections, feedback, or other questions?


Contact us at https://support.aws.amazon.com/#/contacts/aws-academy.
All trademarks are the property of their owners.

© 2022, Amazon Web Services, Inc. or its affiliates. All rights reserved. 82

You might also like