Ever heard of the saying, “A group is only as good as its weakest link?” So it goes security in the cloud. Your workloads are only as good as the security measures put around it.
Cloud security is a pillar of AWS. Under the shared responsibility model, AWS is responsible for the security of the cloud, and the customers are responsible for the security in the cloud.
In this module, we’ll look at:
AWS Identity and Access Management (IAM)
AWS shared responsibility model
Securing a new AWS account
Securing data on AWS
AWS Shared responsibility model
AWS
Operates, manages, and controls the components from the software virtualization layer to the physical security of the facilities where AWS services operate.
AWS is responsible for protecting the infrastructure that runs all the services offered in AWS cloud. This is composed of the hardware, software, networking, and facilities that run the services.
The Customer
Responsible for the encryption of data at rest and in transit.
Responsible for the management of security credentials and logins.
Responsible for the configuration of security groups and configuration of the operating system that runs on compute instances that they launch.
AWS Identity and Access Management (IAM)
AWS IAM is a service/tool that lets you define individual user accounts with permissions across AWS resources. Such permissions include: launching, configuring, managing, and terminating resources.
IAM is a feature of your AWS account and it is offered at no additional charge.
Essential components of IAM
IAM User – A person or application that is defined in an AWS account.
IAM Group – A collection of IAM users. IAM groups are used to simplify and manage permissions to multiple users.
IAM Policy – A document that defines permissions to determine what users can do in the AWS account. It is written in JSON format.
IAM Role – It is a tool for granting temporary access to specific AWS resources in an AWS account.
Authentication and Authorization
Authentication
Authentication refers to proving your identity as a user to a system.
IAM users can be granted 1 of 2 types of access:
a. Programmatic access
Authentication is done using:
Access Key ID
Secret access key
b. AWS Management console
Authentication is done using:
12-digit account ID or alias
IAM User name
IAM password
If MFA is enabled, you’ll be prompted to provide the MFA code.
Authorization
The process of determining what permissions a user, service, or application should be granted. This is achieved through the policies you have attached to a user or group.
By default, IAM users do not have permission to access any resources or data in an AWS account.
The principle of least privilege is a concept in computer security that promotes that you grant only the minimal user privileges needed to the user(s) based on need.
IAM Policies
IAM policies are of two types:
– Identity-based policies – Policies that you attach to a user, group, or role
– Resource-based policy – Policies that you attach to a resource such as an S3 bucket.
Securing a new AWS Account: Account Root User
Best practices
Step 1: Stop using the account root user as soon as possible
After creating a new AWS account, navigate to the IAM service and create an IAM user as yourself with AWS management console access enabled. Save the IAM access key and secret access key if needed.
Create an IAM group and give it full administration access. Add the created IAM user to the group.
Disable and remove your account root user access keys if they exist.
Sign in to your account using the IAM credentials.
Step 2: Enable Multi-factor Authentication
This is an additional layer of security to your AWS account.
Step 3: Use AWS CloudTrail
CloudTrail is a service that tracks user activity on your account.
Basic AWS CloudTrail event History is enabled by default at no cost.
Step 4: Enable a billing report, such as the Cost and Usage report
Billing reports provide information about your use of AWS resources and estimated costs for that use.
AWS delivers these reports to an S3 bucket of your choice.
Securing data on AWS
Encryption of data at rest
Data encryption – Taking data that is legible and encoding it so that it is unreadable to anyone who does not have access.
Data at rest is data that is physically stored on disk or on tape.
Encryption of data in transit
Data in transit is data moving across a network.
Encryption of data in transit is accomplished by using Transport Layer Security (TLS), which was formerly known as Secure Sockets Layer (SSL).
TLS/SSL – Certificates that are used to secure network communications and establish the identity of websites over the internet, and also resources on a private network.
AWS certificate manager
A service that enables you to provision, manage, and deploy SSL to TLS certificates
It also handles certificate renewals.
