AWS security and compliance overview
Amazon offers many solutions for ensuring your environment is secure and meets many industry standard compliance frameworks. By properly utilizing tools such as Cognito and Organizations, you will ensure your environment has proper controls in place to secure data.
With automated tools like Trusted Advisor and Audit Manager, you will be able to demonstrate this security and compliance when necessary.
Learn Cloud Security
Shared responsibility model
All cloud providers must take security and compliance seriously. With multiple customers sharing physical servers and infrastructure out of the direct control of customers, providers must demonstrate that their services are at least as secure as an on-premises solution. Amazon’s solution to this is what they refer to as the “shared responsibility model.” To use Amazon’s words, Amazon Web Services (AWS) is responsible for the security “of the cloud,” while customers are responsible for security “in the cloud.”
This means AWS takes responsibility for maintaining the security of the virtualization layers, server operating systems and physical security of the facilities. The customer is responsible for ensuring the operating systems and applications running within their AWS environment are patched and updated, as well as the firewall configuration and encryption of data. This allows customers to have greater control over their environment.
Identity and access management
To control access and permissions within AWS, Amazon uses its identity and access management (IAM) service. IAM allows you to create users, groups and roles to allow extremely granular access to your AWS environment.
These users and groups can be allowed explicit access to specific applications within your environment, including read-only access and full access. When creating groups and users, be sure to grant access based on the least privilege principle.
Working with Cognito
AWS also provides Cognito for authentication, authorization and user management for use with your web and mobile apps. Through a cognito user pool, a user is allowed to create an account, sign in to applications and use third-party services such as Google and Facebook to sign in to your apps (if you choose to allow this). It also integrates with SAML and OIDC identity providers such as Active Directory Federated Services (ADFS) in Windows, allowing for single sign-on with on-premises Exchange systems.
Once authenticated through Cognito, users may temporarily assume an IAM role through a Cognito identity pool. These temporary credentials will allow users access to specific resources and services, such as allowing a mobile application user to upload an image to a specific S3 bucket. Using identity pools will allow you to control who has access to which resources and options within your application. Additionally, through single sign-on services such as SAML, you will be able to restrict access to various AWS resources by the organizational unit in your current environment.
Using AWS Organizations for account management
AWS allows you to centrally manage your various accounts through a service known as AWS Organizations. Organizations allow you to consolidate billing for all member accounts, as well as centralize and standardize various items such as backups, usable services, support for IAM and more. There are two different account types within an organization: master and member accounts. A master account is an account that created the organization and allows you to create other accounts, invite existing accounts to the organization, and remove accounts from the organization. Member accounts are all other accounts under the same organization.
Additionally, you may group your accounts within your organization into organizational units. These could be broken down into categories such as production, development and testing, or regions such as North America, Europe, Asia or any structure that helps you better apply policies. These policies can be applied to the organizational units and will flow down to all accounts which are contained within.
Using Trusted Advisor
To increase security, as well as optimize costs and performance, Amazon offers a service called Trusted Advisor. Trusted Advisor is an automated service that inspects your AWS environment and makes recommendations for security and optimization using AWS best practices. These reports can be stored in S3 and queried using various services such as Athena and QuickSight. All AWS customers have access to six security checks by default:
- S3 bucket permissions
- Security groups, unrestricted ports
- IAM use
- Multi-factor authentication on the root account
- Elastic Block Store public snapshots
- RDS public snapshots
Other checks are available with AWS business and enterprise support, premium support models from Amazon.
Trusted Advisor also offers an organizational view, which allows you to run trusted advisor checks for all accounts within your organization and compile the reports into a single source. This option is very useful to large enterprise customers.
AWS risk and compliance program
In addition to the above security services, AWS offers the Audit Manager service to help your organization stay in compliance. Audit Manager assists in automating compliance reviews, supporting many common compliance standards such as GDPR, HIPAA and PCI DSS. Audit Manager allows you to create your compliance framework to support internal audits. These reports are generated with links to detailed evidence showing the results of the audit. Please note that while Audit Manager collects evidence that is needed for showing compliance, it does not directly assess your compliance yourself. To ensure your company is fully within legal compliance, legal counsel or compliance experts are still needed.
Learn Cloud Security
Utilizing AWS
When designed properly with security as a primary factor, your AWS environment will be as secure as an on-premises data center. Be sure to understand and take advantage of all the tools offered by Amazon to secure your data and ensure your compliance.
Sources
Security and compliance, Amazon
Amazon web services, Amazon
AWS cloud security, Amazon
Learn Cloud Security
Build your cloud security skills and get hands-on experience in Infosec Skills. What you'll learn:- Cloud architecture
- Cloud management
- Cloud pentesting
- CSP security features
- And more
In this Series
- AWS security and compliance overview
- The rise of cloud computing: Trends and predictions
- Understanding the basics of cloud infrastructure: What you need to know
- How cloud security, data privacy, and cybersecurity convergence drives successful careers
- Secure cloud computing: What you need to know
- Working across multiple cloud service providers: CSP security learning path
- Securing cloud-based applications training: What you need to know
- Security risks of cloud migration
- DevSecOps in the Azure Cloud
- Amazon Athena Security: 6 essential tips
- Securing cloud endpoints: What you should know
- CloudGoat walkthrough series: IAM privilege escalation by attachment
- CloudGoat walkthrough series: EC2 server-side request forgery (SSRF)
- CloudGoat walkthrough series: Remote code execution
- CloudGoat walkthrough series: Lambda Privilege Escalation
- Information security strategy for the hybrid and multi-cloud
- CloudGoat walkthrough series: Cloud Breach S3
- CloudGoat walkthrough series: IAM privilege escalation by rollback
- Working with CloudGoat: The “vulnerable by design” AWS environment
- Malicious Amazon Machine Images (AMIs)
- Key findings from Ponemon’s State of Vulnerability Management in the Cloud and On-Premises report
- Cloud Pentesting Certification Boot Camp: The ultimate guide
- Cloud Based IDS and IPS Solutions [Updated 2019]
- AWS Security Monitoring Checklist [Updated 2019]
- Amazon Inspector: A cloud-based vulnerability assessment tool
- System administrator vs. cloud administrator
- 5 key cloud security use cases
- Deep Packet Inspection in the Cloud
- Honeypots in the Cloud
- Biometrics in the Cloud
- Open-Source Intelligence Collection in Cloud Platforms
- How to Safeguard Against the Privacy Implications of Cloud Computing
- AWS Cloud Security for Beginners — Part 2
- AWS Cloud Security for Beginners — Part 1
- AWS Security Monitoring Checklist — Part 2
- Rise of the Rogue Cloud: The Fundamental Security Mistake Enterprises Make and How to Correct It
- Controlling the Risks of Cloud-Enabled End-Point Security Products
- The Ultimate Guide to CCSP Certification
- Five Reasons Why Security Professionals Need the Cloud
- Amazon S3 Buckets-Hardening
- Cloud Service Reconnaissance
- Cloud Computing Security: Be Secure Before Moving to Cloud
- Cloud Technology Bringing New Possibilities in Threat Management
- Attacking the Cloud
- Man in the Cloud Attacks: Prevention and Containment
- Cloud originated DDoS attacks
- Where Is Your Data Safer? In the Cloud Or On Premise?
- DDOS Protection for Public Cloud Customers
- Security Barriers in the Adaptation of Cloud Technology
- SIEM as a Service
- Cloud Security Incident Compensation
Get certified and advance your career
- Exam Pass Guarantee
- Live instruction
- CompTIA, ISACA, (ISC)², Cisco, Microsoft and more!
Cloud security
Cloud security