Module 4

AWS Shared Responsibility Model

Customer
- Anything related to Customer Data and Data in general is the responsibility of the AWS customer
- Encryption of data at rest and data in transit.
- Make sure the network is configured for security and that security credentials and logins are managed safely
- Client-side encryption is making sure that sensitive data is encrypted before sending it off to AWS
Amazon
- Protecting the infrastructure that runs all the services that are offered in the AWS Cloud.
- This infrastructure is composed of the hardware, software, networking, and facilities that run the AWS Cloud services

Examples

AWS Identity and Access Management (IAM)

Components

IAM User is a person or application that can authenticate with a AWS account
IAM Groups is a collection of IAM users with identical clearance
IAM Policy is a document that defines what resources can be accessed and the level of access for each resource
IAM Roles is based on RBAC. Permissions based on roles

Authentication as an IAM User

Programmatic access
- Access Key ID
- Secret access keys
- Can be static or dynamic
- Provides AWS CLI and SDK access
AWS Management Console Access
- 12-digit account ID or alias
- IAM username
- IAM password
- MFA can be enabled
- Management console only

IAM MFA

In addition to username and password, MFA requires a unique authentication code to access AWS services

Assign permissions by creating an IAM policy.
Permissions determine which resources and operations are allowed
- All permissions are implicitly denied by default.
- If something is explicitly denied, it is never allowed.
- Best practice: Follow the principle of least privilege

IAM Policies

Identity-based policies are attached to a user, group, or role

The policies are written in JSON

Resource-based policies

Resource-based policies are attached to a resource (not to a user, group, or role
Characteristics of resource-based policies –
- Specifies who has access to the resource and what actions they can perform on it
- The policies are inline only, not managed
- Resource-based policies are supported only by some AWS services

IAM Groups

A collection of IAM users
A group is used to grant the same permissions to multiple users
Permissions are granted by attaching IAM policy or policies to the group
A user can belong to multiple groups
There is no default group

Groups cannot be nested

IAM Roles

An IAM role is an IAM identity with a specific set of permissions
Based on RBAC permissions
Intended to be assumable by a person, application, or service
Works with application services. If the token gets stolen from an application IAM user the role will only allow them to work inside of the application their role has access to

Example

Some Takeaways

IAM policies are constructed with JavaScript Object Notation (JSON) and define permissions.
IAM policies can be attached to any IAM entity.
Entities are IAM users, IAM groups, and IAM roles.
An IAM user provides a way for a person, application, or service to authenticate to AWS.
An IAM group is a simple way to attach the same policies to multiple users.
An IAM role can have permissions policies attached to it, and can be used to delegate temporary access to users or applications

AWS Root user access vs IAM Access

Best practice: Do not use the AWS account root user except when necessary

Example actions that can only be done with the account root user:

Update the account root user password
Change the AWS Support plan
Restore an IAM user's permissions
Change account settings (for example, contact information, allowed Regions)

Securing a new AWS Account

Stop using the account root user as soon as possible
1. The account root user has unrestricted access to all your resources
Enable multi-factor authentication (MFA)
1. Require MFA for your account root user and all IAM users.
2. You can also use MFA to control access to AWS service APIs
Use AWS CloudTrail
1. CloudTrail tracks user activity on your account
2. Basic AWS CloudTrail event history is enabled by default and is free.
3. It contains all management event data on the latest 90 days of account activity.
Enable a billing report, such as the AWS Cost and Usage Report
1. Billing reports provide information about your use of AWS resources and estimated costs for that use

AWS Organizations

Up to 5 levels

Service Control Policies

Service control policies (SCPs) offer centralized control over accounts.
Limit permissions that are available in an account that is part of an organization.
Ensures that accounts comply with access control guidelines.
SCPs are similar to IAM permissions policies –
- They use similar syntax.
- However, an SCP never grants permissions.
- Instead, SCPs specify the maximum permissions for an organization.

AWS Key Management Service (AWS KMS)

Enables you to create and manage encryption keys
Enables you to control the use of encryption across AWS services and in your applications.
Integrates with AWS CloudTrail to log all key usage.
Uses hardware security modules (HSMs) that are validated by Federal Information Processing Standards (FIPS) 140-2 to protect keys

Server-side encryption with Amazon S3 (SSE-S3) managed keys is the data will be encrypted but we don't have access to the keys

Server-side encryption with AWS Key management Service Keys (SSE-KMS) is where the customer manages the keys

Amazon Cognito

Adds user sign-up, sign-in, and access control to your web and mobile applications.
Scales to millions of users.
Supports sign-in with social identity providers, such as Facebook, Google, and Amazon; and enterprise identity providers, such as Microsoft Active Directory via Security Assertion Markup Language (SAML) 2.0

AWS Shield

Is a managed distributed denial of service (DDoS) protection service•Safeguards applications running on AWS
Provides always-on detection and automatic inline mitigations
AWS Shield Standard is enabled at no additional cost. AWS Shield Advanced is an optional paid service

Encryption Data at Rest

Encryption of Data in Transit

Securing Amazon S3 Buckets and objects

Newly created S3 buckets and objects are private and protected by default.
When use cases require sharing data objects on Amazon S3
- It is essential to manage and control the data access.
- Follow the permissions that follow the principle of least privilege and consider using Amazon S3 encryption
Tools and options for controlling access to S3 data include
- Amazon S3 Block Public Access feature: Simple to use.
- IAM policies: A good option when the user can authenticate using IAM.
- Bucket policies
- Access control lists(ACLs): A legacy access control mechanism.
- AWS Trusted Advisorbucket permission check: A free feature.

AWS Compliance Programs

AWS Config

Assess, audit, and evaluate the configurations of AWS resources.
Use for continuous monitoring of configurations.•Automatically evaluate recorded configurations versus desired configurations.
Review configuration changes.
View detailed configuration histories.
Simplify compliance auditing and security analysis.

AWS Artifact

Is a resource for compliance-related information
Provide access to security and compliance reports, and select online agreements

Some Takeaways

AWS security compliance programs provide information about the policies, processes, and controls that are established and operated by AWS.
AWS Config is used to assess, audit, and evaluate the configurations of AWS resources.
AWS Artifact provides access to security and compliance reports