DEV Community

Cover image for 30 days of AWS - Part 6: AWS Security
Jully Achenchi
Jully Achenchi

Posted on

30 days of AWS - Part 6: AWS Security

Ever heard of the saying, "A group is only as good as its weakest link?" So it goes security in the cloud. Your workloads are only as good as the security measures put around it.

Cloud security is a pillar of AWS. Under the shared responsibility model, AWS is responsible for the security of the cloud, and the customers are responsible for the security in the cloud.

In this module, we'll look at:

  • AWS Identity and Access Management (IAM)
  • AWS shared responsibility model
  • Securing a new AWS account
  • Securing data on AWS

AWS Shared responsibility model

AWS

  • Operates, manages, and controls the components from the software virtualization layer to the physical security of the facilities where AWS services operate.

  • AWS is responsible for protecting the infrastructure that runs all the services offered in AWS cloud. This is composed of the hardware, software, networking, and facilities that run the services.

The Customer

  • Responsible for the encryption of data at rest and in transit.

  • Responsible for the management of security credentials and logins.

  • Responsible for the configuration of security groups and configuration of the operating system that runs on compute instances that they launch.

AWS Identity and Access Management (IAM)

AWS IAM is a service/tool that lets you define individual user accounts with permissions across AWS resources. Such permissions include: launching, configuring, managing, and terminating resources.

IAM is a feature of your AWS account and it is offered at no additional charge.

Essential components of IAM

IAM User - A person or application that is defined in an AWS account.

IAM Group - A collection of IAM users. IAM groups are used to simplify and manage permissions to multiple users.

IAM Policy - A document that defines permissions to determine what users can do in the AWS account. It is written in JSON format.

IAM Role - It is a tool for granting temporary access to specific AWS resources in an AWS account.

Authentication and Authorization

Authentication
Authentication refers to proving your identity as a user to a system.
IAM users can be granted 1 of 2 types of access:

a. Programmatic access
Authentication is done using:

  • Access Key ID
  • Secret access key

b. AWS Management console
Authentication is done using:

  • 12-digit account ID or alias
  • IAM User name
  • IAM password
  • If MFA is enabled, you'll be prompted to provide the MFA code.

Authorization
The process of determining what permissions a user, service, or application should be granted. This is achieved through the policies you have attached to a user or group.

By default, IAM users do not have permission to access any resources or data in an AWS account.

The principle of least privilege is a concept in computer security that promotes that you grant only the minimal user privileges needed to the user(s) based on need.

IAM Policies

IAM policies are of two types:
- Identity-based policies - Policies that you attach to a user, group, or role
- Resource-based policy - Policies that you attach to a resource such as an S3 bucket.

Securing a new AWS Account: Account Root User

Best practices

Step 1: Stop using the account root user as soon as possible

  • After creating a new AWS account, navigate to the IAM service and create an IAM user as yourself with AWS management console access enabled. Save the IAM access key and secret access key if needed.

  • Create an IAM group and give it full administration access. Add the created IAM user to the group.

  • Disable and remove your account root user access keys if they exist.

  • Sign in to your account using the IAM credentials.

Step 2: Enable Multi-factor Authentication
This is an additional layer of security to your AWS account.

Step 3: Use AWS CloudTrail

  • CloudTrail is a service that tracks user activity on your account.

  • Basic AWS CloudTrail event History is enabled by default at no cost.

Step 4: Enable a billing report, such as the Cost and Usage report

  • Billing reports provide information about your use of AWS resources and estimated costs for that use.

  • AWS delivers these reports to an S3 bucket of your choice.

Securing data on AWS

Encryption of data at rest

Data encryption - Taking data that is legible and encoding it so that it is unreadable to anyone who does not have access.

Data at rest is data that is physically stored on disk or on tape.

Encryption of data in transit

Data in transit is data moving across a network.

Encryption of data in transit is accomplished by using Transport Layer Security (TLS), which was formerly known as Secure Sockets Layer (SSL).

  • TLS/SSL - Certificates that are used to secure network communications and establish the identity of websites over the internet, and also resources on a private network.

AWS certificate manager

  • A service that enables you to provision, manage, and deploy SSL to TLS certificates
  • It also handles certificate renewals.

Top comments (0)