4 min read

Security 101

Securing the cloud is critical but can be overwhelming to start. This post looks at 4 areas you need to think about to get started.
Security 101
Photo by Markus Spiske / Unsplash

Following on from the foundational architecture post I thought I'd give a dive into security of the AWS cloud. For me this is the most important element to understand before even creating an AWS account as if you get this wrong it can be costly in more ways than one. There are a few items that need to be looked at when considering security. These include, but are not limited to:

  • Shared Responsibility Model
  • Identity and Access Management (IAM)
  • Data Protection
  • Governance and Compliance

Shared Responsibility Model

The shared security model is AWS' split of security responsibilities. While some of the lines have become slightly blurred with the newer services, it is a good way to understand what you are and are not responsible for.

As AWS puts it, in simplistic terms, you are responsible for security 'in the cloud' whilst they are responsible for security 'of the cloud'.  This is often one of the drivers for moving to the cloud as management of infrastructure and facilities are part of the service offering. However this mean that you also lose control over the management of these. To combat this AWS certifies it's processes  and standards against industry standards such as Sarbanes–Oxley and ISO 27001. All reports and certifications can be found in AWS Artifact.

Shared Responsibility Model - Amazon Web Services (AWS)
While AWS manages security of the cloud, security in the cloud is the responsibility of the customer. Learn more about the Shared Responsibility Model.

Identity and Access Management (IAM)

IAM is the foundation of security in AWS. It determines who or what can perform actions on difference services and resources. While it can seem overly complicated to begin with it offers more flexibility and customization than a traditional security model.

As well as role-based access management (RBAC) AWS IAM also has the capability to apply attribute-based access control (ABAC). This is an authorization strategy that defines permissions based on attributes such as resource tag or source IP. This allows to apply further control to secure and manage the environment.

Understanding how IAM works - AWS Identity and Access Management
Learn the infrastructure that AWS Identity and Access Management uses to control authorization and access control for your AWS account.

Data Protection

For me there are 3 elements to data protection. The first is covered under access management, and that is only allowing the right people to access the data they need, when they need it, and how they need it. My view is keep all users away from the data. While this can not always be achieved if it is the starting point it will ensure robust controls.

Second is about securing data that is being moved and how it is moved. Primarily this is about encryption for data in transit but it is also about ensuring data is only moved when and where it needs to go. Examples of this would be to restrict a S3 bucket to only be accessible via https and a VPC endpoint.

Finally data protection is about securing data being stored. This not only includes encryption at rest but also around ensuring data assurance and recovery. This could mean activating versioning on S3, snapshots for EBS or meta data and tags.

Governance and Compliance

How you manage security and report on compliance is just as critical as the security you implement. Often the hardest thing is proving solutions meet company, industry and country requirements.

Luckily AWS have a service for that, AWS Config. This allows accounts to report their compliance against a set of rules and standards. Whilst you can define your own rules there are also pre-defined conformation packs that can be deployed. Depending on the industry you might want to deploy PCI-DSS or HIPPA rules. If in a particular geography or serving a particular market you might have to comply with NCSC or FedRamp.

If you are unsure I would suggest to take a look at CIS Benchmarking as an over-view and also the category specific compliance packs based on pest practices.

AWS Config

For more details of security I would recommend taking a look at the Introduction to AWS Security whitepaper as well as the AWS Architecture Center which has a lot of resources on all aspects of security.

Security, Identity & Compliance | AWS Architecture Center
Learn best practices that can help you meet your security and compliance goals using AWS infrastructure and services.