Security on Amazon Web Services (AWS)
When configuring your environment on the AWS Cloud, one of (if not the most important thing) you can do is to make it as secure as possible. This should be your top priority – ahead of any other consideration such as how to save on cost, or how to develop your products and services using the newest and most up to date technology.
At AWS “Security is job zero” – and this philosophy is applied to everything. AWS makes it really easy to ensure your account and your environments are secure, giving you the least chance of anything bad happening. How does AWS help you build solutions designed for enterprise grade security? In this article, we’ll discuss how to use the various security offerings in AWS to make your life as a builder much easier.
AWS Global Infrastructure
First of all, let’s talk about the AWS Global Infrastructure.
Security at AWS starts with the core IT infrastructure that makes up and powers the servers which everything is built upon.
The stringent security standard requirements set in stone by AWS ensure that infrastructure is monitored 24/7, across all sites. This helps to ensure confidentiality, integrity, and availability of all services and data which is flowing across the AWS Global infrastructure.
All customer data is automatically encrypted at the physical layer before it leaves the data center.
With the global footprint of AWS increasing all the time, you can be assured to build your applications with your security being stable at the most basic level.
Shared Responsibility Model
According to the AWS Shared Responsibility Model, AWS generally considers itself responsible for the security of the cloud as a whole, while customers are responsible for their own instances.
Using AWS services requires the customer to implement their own control implementation: AWS provides the infrastructure and the customer provides the implementation of these controls to make sure the product they are building is as secure as possible.
The management and operation of AWS’ core controls are ultimately shared between their customers and AWS. AWS can mitigate the burden of security methods like firewall maintenance and encryption at the network level, as well as overseeing IT controls deployment to ensure compliance with AWS security policies.
Certain things must be shared however – like the important part of training their customers. While AWS trains their own employees, a customer must also train their own team members using a myriad of resources, some of which are provided by AWS.
Customers should always be solely responsible for implementing access control policies using AWS IAM, configuring strong Security Groups with least permissive actions.
Encryption on AWS
Encryption is one of the key components of a defense-in-depth strategy. Defense-in-depth is an approach to security that has a series of defensive mechanisms designed to combat the effects of a single security mechanism that has failed and at least one more mechanism is still functioning even if one security mechanism failed.
Data security and compliance requirements are becoming increasingly critical as organizations seek to operate faster and at scale – and encryption is one of the easiest ways to add an additional layer of protection above the bare minimum.
There are two main considerations which you need to keep in mind when thinking about encryption:
Protecting keys at rest: Are the encryption keys themselves protected from access from anyone who could cause potential problems?
Independent key management: Does encryption authorization depend on access control to the underlying data?
AWS Trust & Safety team
Who are the AWS Trust & Safety team?
AWS Trust & Safety is a global team that helps protect against abusive use of AWS services while simultaneously working to build trust with AWS’ customers, partners and other stakeholders.
Through engagement with a variety of stakeholders, AWS Trust & Safety develops fit-for-purpose frameworks for assessing and minimizing risks for AWS’ customers, as well as guidelines and processes for responding to trust and safety concerns.
Trust & Safety Team members possess a solid understanding of AWS’ cloud infrastructure, strong technical skills, and sound judgment when dealing with complex and time-sensitive issues.
AWS Security Hub
Using AWS Security Hub, you can automatically and continuously check your AWS resources in your AWS account against a number of security best practice checks. This tool allows you to aggregate security alerts from various AWS services and partner products in a standardized format, so that you can take action more easily in response to them.
Keeping track of your security posture in AWS requires the integration of multiple tools and services, including Amazon GuardDuty threat detection, Amazon Inspector vulnerability detection, Amazon Macie sensitive data classification, AWS Config configuration issues, and AWS Partner Network Products.
As a result of its automated security best practice checks powered by AWS Config rules and automated integrations with dozens of AWS services and partner products, Security Hub helps you understand and improve your security posture in a fast and easy way.
The Security Pillar
The Security Pillar within the wider set of the AWS Well Architected Pillars has the following design principles:
- Implement a strong identity foundation
- Enable traceability
- Apply security at all layers
- Automate security best practices
- Protect data in transit and at rest
- Keep people away from data
- Prepare for security events
The AWS security pillars compromises of 6 key areas:
1. Foundations
2. Identity and access management
3. Detection
4. Infrastructure protection
5. Data protection
6. Incident response
By leveraging cloud technologies, you can protect data, systems, and assets in a way that enhances your security posture. AWS provides in-depth, best-practice guidance for architecting secure workloads on AWS from the top to the bottom.
Learn how to Master the AWS Cloud
AWS Training – Our popular AWS training will maximize your chances of passing your AWS certification the first time.
Membership – For unlimited access to our entire cloud training catalog, enroll in our monthly or annual membership program.
Challenge Labs – Build hands-on cloud skills in a secure sandbox environment. Learn, build, test and fail forward without risking unexpected cloud bills.