Module 4

AWS Shared Responsibility Model

• Customer

  • Anything related to Customer Data and Data in general is the responsibility of the AWS customer

  • Encryption of data at rest and data in transit.

  • Make sure the network is configured for security and that security credentials and logins are managed safely

  • Client-side encryption is making sure that sensitive data is encrypted before sending it off to AWS

• Amazon

  • Protecting the infrastructure that runs all the services that are offered in the AWS Cloud.

  • This infrastructure is composed of the hardware, software, networking, and facilities that run the AWS Cloud services

Examples

AWS Identity and Access Management (IAM)

Components

• IAM User is a person or application that can authenticate with a AWS account

• IAM Groups is a collection of IAM users with identical clearance

• IAM Policy is a document that defines what resources can be accessed and the level of access for each resource

• IAM Roles is based on RBAC. Permissions based on roles

Authentication as an IAM User

• Programmatic access

  • Access Key ID

  • Secret access keys

  • Can be static or dynamic

  • Provides AWS CLI and SDK access

• AWS Management Console Access

  • 12-digit account ID or alias

  • IAM username

  • IAM password

  • MFA can be enabled

  • Management console only

IAM MFA

In addition to username and password, MFA requires a unique authentication code to access AWS services

• Assign permissions by creating an IAM policy.

• Permissions determine which resources and operations are allowed

  • All permissions are implicitly denied by default.

  • If something is explicitly denied, it is never allowed.

  • Best practice: Follow the principle of least privilege

IAM Policies

Identity-based policies are attached to a user, group, or role

Resource-based policies

• Resource-based policies are attached to a resource (not to a user, group, or role

• Characteristics of resource-based policies –

  • Specifies who has access to the resource and what actions they can perform on it

  • The policies are inline only, not managed

  • Resource-based policies are supported only by some AWS services

IAM Groups

• A collection of IAM users

• A group is used to grant the same permissions to multiple users

• Permissions are granted by attaching IAM policy or policies to the group

• A user can belong to multiple groups

• There is no default group

IAM Roles

• An IAM role is an IAM identity with a specific set of permissions

• Based on RBAC permissions

• Intended to be assumable by a person, application, or service

• Works with application services. If the token gets stolen from an application IAM user the role will only allow them to work inside of the application their role has access to

Example

Some Takeaways

• IAM policies are constructed with JavaScript Object Notation (JSON) and define permissions.

• IAM policies can be attached to any IAM entity.

• Entities are IAM users, IAM groups, and IAM roles.

• An IAM user provides a way for a person, application, or service to authenticate to AWS.

• An IAM group is a simple way to attach the same policies to multiple users.

• An IAM role can have permissions policies attached to it, and can be used to delegate temporary access to users or applications

AWS Root user access vs IAM Access

Example actions that can only be done with the account root user:

• Update the account root user password

• Change the AWS Support plan

• Restore an IAM user's permissions

• Change account settings (for example, contact information, allowed Regions)

Securing a new AWS Account

1. Stop using the account root user as soon as possible

   1. The account root user has unrestricted access to all your resources

2. Enable multi-factor authentication (MFA)

   1. Require MFA for your account root user and all IAM users.

   2. You can also use MFA to control access to AWS service APIs

3. Use AWS CloudTrail

   1. CloudTrail tracks user activity on your account

   2. Basic AWS CloudTrail event history is enabled by default and is free.

   3. It contains all management event data on the latest 90 days of account activity.

4. Enable a billing report, such as the AWS Cost and Usage Report

   1. Billing reports provide information about your use of AWS resources and estimated costs for that use

AWS Organizations

Service Control Policies

• Service control policies (SCPs) offer centralized control over accounts.

• Limit permissions that are available in an account that is part of an organization.

• Ensures that accounts comply with access control guidelines.

• SCPs are similar to IAM permissions policies –

  • They use similar syntax.

  • However, an SCP never grants permissions.

  • Instead, SCPs specify the maximum permissions for an organization.

AWS Key Management Service (AWS KMS)

• Enables you to create and manage encryption keys

• Enables you to control the use of encryption across AWS services and in your applications.

• Integrates with AWS CloudTrail to log all key usage.

• Uses hardware security modules (HSMs) that are validated by Federal Information Processing Standards (FIPS) 140-2 to protect keys

Amazon Cognito

• Adds user sign-up, sign-in, and access control to your web and mobile applications.

• Scales to millions of users.

• Supports sign-in with social identity providers, such as Facebook, Google, and Amazon; and enterprise identity providers, such as Microsoft Active Directory via Security Assertion Markup Language (SAML) 2.0

AWS Shield

• Is a managed distributed denial of service (DDoS) protection service•Safeguards applications running on AWS

• Provides always-on detection and automatic inline mitigations

• AWS Shield Standard is enabled at no additional cost. AWS Shield Advanced is an optional paid service

Encryption Data at Rest

Encryption of Data in Transit

Securing Amazon S3 Buckets and objects

• Newly created S3 buckets and objects are private and protected by default.

• When use cases require sharing data objects on Amazon S3

  • It is essential to manage and control the data access.

  • Follow the permissions that follow the principle of least privilege and consider using Amazon S3 encryption

• Tools and options for controlling access to S3 data include

  • Amazon S3 Block Public Access feature: Simple to use.

  • IAM policies: A good option when the user can authenticate using IAM.

  • Bucket policies

  • Access control lists(ACLs): A legacy access control mechanism.

  • AWS Trusted Advisorbucket permission check: A free feature.

AWS Compliance Programs

AWS Config

• Assess, audit, and evaluate the configurations of AWS resources.

• Use for continuous monitoring of configurations.•Automatically evaluate recorded configurations versus desired configurations.

• Review configuration changes.

• View detailed configuration histories.

• Simplify compliance auditing and security analysis.

AWS Artifact

• Is a resource for compliance-related information

• Provide access to security and compliance reports, and select online agreements

Some Takeaways

• AWS security compliance programs provide information about the policies, processes, and controls that are established and operated by AWS.

• AWS Config is used to assess, audit, and evaluate the configurations of AWS resources.

• AWS Artifact provides access to security and compliance reports