Module 6 - Security Flashcards
Shared Responsibility Model
AWS is responsible for some parts of your environment and the customer is responsible for other parts.
Customer responsibilities
“security in the cloud”.
Customers responsible for security of everything they create and put in AWS Cloud.
Customer maintains complete control over their content when using AWS services.
Responsible for managing security requirements for your content.
- Which content you choose to store on AWS.
- Which AWS services you use.
- Who has access to that content.
- How access rights are granted, managed and revoked.
Customer security steps depend on:
- Services that you use.
- Complexity of your systems.
- Company’s specific operational and security needs.
Customer security steps include:
- Selecting, configuring and patching operating systems that will run on Amazon EC2 instances.
- Configuring security groups.
- Managing user accounts.
AWS responsibilities
“security of the cloud”.
AWS responsible for security of the cloud.
AWS operates, manages, and controls components at all layers of infrastructure.
• Host operating system.
• Virtualisation layer.
• Physical security of data centres from which services operate.
AWS responsible for protecting global infrastructure that runs all of the services offered in AWS Cloud.
• AWS Regions.
• Availability Zones.
• Edge locations.
AWS manages security of cloud, specifically physical infrastructure that hosts your resources.
• Physical security of data centres.
• Hardware and software infrastructure.
• Network infrastructure.
• Virtualisation infrastructure.
AWS provides several reports from third-party auditors.
• Auditors verified compliance with variety of computer security standards and regulations.
AWS Identity and Access Management (IAM)
- Enables you to manage access to AWS services and resources securely.
- Gives you flexibility to configure access based on your company’s specific operational and security needs.
IAM features
IAM users, groups, roles.
IAM policies.
Multi-factor authentication.
AWS Account Root User
• Root user – identity you begin with when you first create an AWS account.
o Accessed by signing in with email address and password that you used to create your AWS account.
o Complete access to all AWS services and resources in account.
AWS Account Root User Best Practice
o Do not use root user for everyday tasks.
o Use root user to create first IAM user and assign it permissions to create other users.
o Continue to create IAM users and access those identities for performing regular tasks throughout AWS.
o Only use root user when you need to perform the limited number of tasks only available to root user.
o E.g. changing root user email address, changing AWS support plan.
IAM Users
- Identity you create in AWS.
- Represents person or application that interacts with AWS services and resources.
- Consists of name and credentials.
- By default, when you create new IAM user in AWS, it has no permissions associated with it.
- To allow IAM user to perform specific actions in AWS, must grant IAM user necessary permissions.
IAM Users Best Practice
o Create individual IAM users for each person who needs access to AWS.
o Provides additional security by allowing each IAM user to have unique set of security credentials.
IAM Policies
- Document that allows/denies permissions to AWS services and resources.
- Enable you to customise users’ levels of access to resources.
IAM Policies Best Practice
o Follow security principle of least privilege when granting permissions.
o Help prevent users/roles from having more permissions than needed to perform tasks.
IAM Groups
- Collection of IAM users.
- Assign IAM policy to group – all users in group granted permissions specified by policy.
• Assigning IAM policies at group level makes it easier to adjust permissions when employee transfers to different job.
o Ensures employees have only permissions that are required for their current role.
IAM Roles
- Identity that you can assume to gain temporary access to permissions.
- Before IAM user, application, or service can assume IAM role, it must be granted permissions to switch to role.
- When someone assumes IAM role, they abandon all previous permissions they had under previous role and assume permissions of new role.
IAM Roles Best Practice
o IAM roles ideal for situations in which access to services or resources needs to be granted temporarily, instead of long-term.
Multi-Factor Authentication
Provides extra layer of security for AWS account.
AWS Organisations
- Use to consolidate and manage multiple AWS accounts within central location.
- When you create organisation, AWS Organisations automatically creates root, which is parent container for all accounts in your organisation.
- Consolidated billing another feature of AWS Organisations.
Service Control Policies (SCPs)
Enable you to place restrictions on AWS services, resources, and individual API actions that users and roles in each account can access.
o Centrally control permissions for accounts in organisation.
Organisational Units (OUs)
• Can group accounts into organisational units (OUs).
o Make it easier to manage accounts with similar business/security requirements.
o More easily isolate workloads/applications that have specific security requirements.
• Apply policy to OU.
o All accounts in OU automatically inherit permissions specified in policy.
Compliance
AWS Artifact
Customer Compliance Centre
AWS Artifact
• Service that provides on-demand access to AWS security and compliance reports and select online agreements.
Two sections: AWS Artifact Agreements and AWS Artifact Reports.
AWS Artifact Agreements
Review, accept and manage agreements for an individual account and for all your accounts in AWS Organisations.
Different types of agreements offered to address needs of customers subject to specific regulations.
AWS Artifact Reports
Provide compliance reports from third-party auditors.
Auditors have tested and verified that AWS is compliant with variety of global, regional and industry-specific security standards and regulations.
Remains up to date with latest reports released.
Can provide AWS audit artifacts to your auditors/regulators as evidence of AWS security controls.