Cloud security at AWS is the highest priority. The AWS Cloud lets customers scale and innovate while maintaining a secure environment.

AWS Cloud Security and Compliance covers the following aspects of AWS security:

  • Infrastructure Security
  • Infrastructure Resilience
  • Data Encryption
  • Monitoring and Logging
  • Identity and Access Control
  • Compliance Assurance Programs
  • Security Support
  • Standards and Best Practices

Infrastructure Security

  • Network firewalls built into Amazon VPC.
  • TLS encryption in transit across all services.
  • Private or dedicated connections into your data centre (AWS Direct Connect or VPN).

Amazon VPC

Amazon Virtual Private Cloud (Amazon VPC)

  • enables you to launch AWS resources into a virtual network that you have defined.
  • It closely resembles a traditional network in your own data center, with the benefit of the scalable infrastructure of AWS.
  • Each VPC is logically isolated from other virtual networks in the AWS Cloud.
  • Launch AWS resources, such as EC2 instances, into the VPC.
  • Use a public subnet for resources that must be reachable from the internet.
  • Use a private subnet for resources that won’t be connected to the internet.
  • You can specify
    • an IP address range (CIDR block)
    • add subnets
    • associate security groups
    • configure route tables.

Accessing the Internet by VPC

  • The default VPC includes an internet gateway, and each default subnet is a public subnet.
  • Each instance that you launch into a default subnet has a private IPv4 address and a public IPv4 address.
  • These instances can communicate with the internet through the internet gateway.
  • An internet gateway connects to the internet through the Amazon EC2 network edge.
  • By default, each instance launched into a nondefault subnet has a private IPv4 address but no public IPv4 address, unless you assign one at launch or modify the subnet’s public IP address attribute.
  • These instances can communicate with each other, but can’t access the internet.
  • You can enable internet access for an instance in a nondefault subnet by attaching an internet gateway to its VPC, adding a route to that gateway in the subnet’s route table, and associating an Elastic IP address with the instance.
  • Amazon VPC provides a web-based user interface, the Amazon VPC console.
  • Access the Amazon VPC console by signing in to the AWS Management Console and choosing VPC.
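Whether a subnet is "public" is decided by its route table, not by its name, and a subnet with no explicit route-table association silently inherits the VPC's main table. The following added example (not code from the original page) classifies subnets the way a reviewer would, using constructed data in the shape of the EC2 DescribeSubnets and DescribeRouteTables responses; the ids are placeholders.

```python
"""Find out which subnets in a VPC are actually public.

Added example (not from the original page). Structures mirror the shape of
EC2 DescribeSubnets / DescribeRouteTables responses, but the data below is
constructed. The check: a subnet is public when its effective route table
sends 0.0.0.0/0 (or ::/0) to an internet gateway; "effective" means the
explicitly associated table, or the VPC's main table when none is attached.
"""
from typing import Optional


def effective_route_table(subnet_id: str, vpc_id: str, route_tables: list) -> Optional[dict]:
    """Route table that applies to subnet_id: explicit association, else the VPC main table."""
    main = None
    for rt in route_tables:
        if rt["VpcId"] != vpc_id:
            continue
        for assoc in rt.get("Associations", []):
            if assoc.get("SubnetId") == subnet_id:
                return rt
            if assoc.get("Main"):
                main = rt
    return main


def has_igw_default_route(rt: Optional[dict]) -> bool:
    """True if the table carries an active default route whose target is an internet gateway."""
    if rt is None:
        return False
    for route in rt.get("Routes", []):
        dest = route.get("DestinationCidrBlock") or route.get("DestinationIpv6CidrBlock")
        target = route.get("GatewayId") or ""
        if dest in ("0.0.0.0/0", "::/0") and target.startswith("igw-") and route.get("State", "active") == "active":
            return True
    return False


def classify_subnets(subnets: list, route_tables: list) -> dict:
    """Map subnet id -> {'public', 'route_table', 'auto_assign_public_ip'}."""
    report = {}
    for sn in subnets:
        rt = effective_route_table(sn["SubnetId"], sn["VpcId"], route_tables)
        report[sn["SubnetId"]] = {
            "public": has_igw_default_route(rt),
            "route_table": rt["RouteTableId"] if rt else None,
            # public subnet + auto-assign means every instance gets a public IPv4 at launch
            "auto_assign_public_ip": bool(sn.get("MapPublicIpOnLaunch", False)),
        }
    return report


# Constructed sample data: a VPC whose *main* route table already has an IGW route,
# as in a default VPC. Any subnet without its own route table association inherits it.
SAMPLE_SUBNETS = [
    {"SubnetId": "subnet-web", "VpcId": "vpc-1", "MapPublicIpOnLaunch": True},
    {"SubnetId": "subnet-app", "VpcId": "vpc-1", "MapPublicIpOnLaunch": False},
    {"SubnetId": "subnet-unassociated", "VpcId": "vpc-1", "MapPublicIpOnLaunch": False},
]
SAMPLE_ROUTE_TABLES = [
    {"RouteTableId": "rtb-main", "VpcId": "vpc-1",
     "Associations": [{"Main": True}],
     "Routes": [{"DestinationCidrBlock": "10.0.0.0/16", "GatewayId": "local", "State": "active"},
                {"DestinationCidrBlock": "0.0.0.0/0", "GatewayId": "igw-0a1b2c", "State": "active"}]},
    {"RouteTableId": "rtb-web", "VpcId": "vpc-1",
     "Associations": [{"SubnetId": "subnet-web"}],
     "Routes": [{"DestinationCidrBlock": "10.0.0.0/16", "GatewayId": "local", "State": "active"},
                {"DestinationCidrBlock": "0.0.0.0/0", "GatewayId": "igw-0a1b2c", "State": "active"}]},
    {"RouteTableId": "rtb-app", "VpcId": "vpc-1",
     "Associations": [{"SubnetId": "subnet-app"}],
     "Routes": [{"DestinationCidrBlock": "10.0.0.0/16", "GatewayId": "local", "State": "active"},
                # egress via NAT gateway: outbound only, so the subnet stays private
                {"DestinationCidrBlock": "0.0.0.0/0", "NatGatewayId": "nat-0d9e8f", "State": "active"}]},
]

if __name__ == "__main__":
    for sid, info in classify_subnets(SAMPLE_SUBNETS, SAMPLE_ROUTE_TABLES).items():
        print(sid, "PUBLIC " if info["public"] else "private", info)
```

In the sample, subnet-unassociated is reported public even though nobody "made" it public: it has no route-table association, so it inherits rtb-main, which routes 0.0.0.0/0 to the internet gateway. A public subnet still only exposes an instance that also has a public IPv4 or Elastic IP address, which is why the report carries MapPublicIpOnLaunch alongside the route result.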

Infrastructure Resilience

  • Technologies built from the ground up for resilience in the face of DDoS attacks.
  • Services can be combined to scale automatically with traffic load.
  • Auto Scaling, CloudFront, and Route 53 can be used together to absorb and mitigate DDoS traffic.

AWS Shield

  • It is a managed DDoS protection service
  • Available in two tiers: Standard and Advanced.
  • AWS Shield Standard applies always-on detection and inline mitigation techniques like deterministic packet filtering and priority-based traffic shaping. It is included automatically and transparently to Elastic Load Balancing load balancers, Amazon CloudFront distributions, and Amazon Route 53 resources at no additional cost.
  • AWS Shield Advanced includes access to near real-time metrics and reports, for extensive visibility into infrastructure layer and application layer DDoS attacks.

AWS WAF

  • It is a web application firewall to protect web applications from common web exploits.
  • It lets you define customizable web security rules to control which traffic reaches your web applications.
  • Rules use conditions to target specific requests and trigger an action (allow, block, or count).
  • It helps you identify and block common DDoS request patterns and effectively mitigate an application-layer DDoS attack.

Amazon Route 53

  • It is a highly available and scalable DNS service
  • Designed to route end users to infrastructure running inside or outside of AWS.
  • It can manage traffic globally through a variety of routing types, and provides out-of-the-box shuffle sharding and Anycast routing capabilities to protect domain names from DNS-based DDoS attacks.

Amazon CloudFront

  • Distributes traffic across multiple edge locations
  • Filters requests to ensure that only valid HTTP(S) requests will be forwarded to backend hosts.
  • Supports geoblocking, to prevent requests from particular geographic locations.

Elastic Load Balancing

  • Distributes incoming application traffic across multiple targets, such as Amazon Elastic Compute Cloud (Amazon EC2) instances, containers, and IP addresses, in multiple Availability Zones, so that no single resource is overloaded.
  • Elastic Load Balancing, like CloudFront, accepts only valid TCP connections, so DDoS attacks such as UDP and SYN floods are not able to reach the EC2 instances behind it.
  • It is a single point of management for traffic entering the application.
  • It can serve as a line of defense between the internet and private EC2 instances.
  • It includes the Application Load Balancer, for load balancing of HTTP and HTTPS traffic, which also directly supports AWS WAF.

VPCs and Security Groups

Security groups (for load balancers and instances) and an origin access identity (OAI, for S3) force requests to pass through CloudFront and AWS WAF instead of reaching the website origin directly, which minimizes the attack surface of

  • backend load balancers
  • EC2 instances
  • Amazon Simple Storage Service (Amazon S3) buckets

Amazon Virtual Private Cloud (Amazon VPC) allows you to configure

  • subnet routes
  • public IP addresses
  • security groups
  • network access control lists

Together, Route 53, AWS WAF, CloudFront, and Elastic Load Balancing control and distribute traffic before it reaches the origin.
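The security-group half of that design only holds if no rule lets a client around the load balancer and CloudFront. The following added example (not code from the original page) audits ingress rules in the shape of the EC2 DescribeSecurityGroups IpPermissions structure against an intended layout: the load balancer's group accepts HTTPS only from CloudFront's managed prefix list, and the instance group accepts traffic only from the load balancer's group. The group and prefix-list ids, the intended layout, and the sample rules are constructed.

```python
"""Audit origin security groups for paths that bypass CloudFront and AWS WAF.

Added example (not from the original page). Rule objects follow the shape of
EC2 DescribeSecurityGroups IpPermissions; the data is constructed. The policy
enforced here is an assumption about a sensible layout: the load balancer's
group accepts HTTPS only from CloudFront's managed prefix list (placeholder
id pl-cloudfront), and the instance group accepts traffic only from the load
balancer's group. Anything else is a finding.
"""

WORLD = ("0.0.0.0/0", "::/0")


def rule_sources(perm: dict) -> list:
    """Flatten one IpPermission into (kind, value) pairs for every source it names."""
    sources = []
    sources += [("cidr", r["CidrIp"]) for r in perm.get("IpRanges", [])]
    sources += [("cidr", r["CidrIpv6"]) for r in perm.get("Ipv6Ranges", [])]
    sources += [("sg", r["GroupId"]) for r in perm.get("UserIdGroupPairs", [])]
    sources += [("pl", r["PrefixListId"]) for r in perm.get("PrefixListIds", [])]
    return sources


def audit_group(sg: dict, allowed_sources: set) -> list:
    """Findings for every ingress rule whose source is not explicitly allowed."""
    findings = []
    for perm in sg.get("IpPermissions", []):
        proto = perm.get("IpProtocol", "-1")
        ports = "all" if proto == "-1" else f"{perm.get('FromPort')}-{perm.get('ToPort')}"
        for kind, value in rule_sources(perm):
            if kind == "cidr" and value in WORLD:
                findings.append(f"{sg['GroupId']} {proto}/{ports}: open to the world ({value})")
            elif (kind, value) not in allowed_sources:
                findings.append(f"{sg['GroupId']} {proto}/{ports}: unexpected source {kind} {value}")
    return findings


def audit(groups: list, policy: dict) -> dict:
    """policy maps group id -> set of allowed (kind, value) sources."""
    return {sg["GroupId"]: audit_group(sg, policy.get(sg["GroupId"], set())) for sg in groups}


# Constructed sample: load balancer group and instance group with one mistake each.
SAMPLE_GROUPS = [
    {"GroupId": "sg-alb", "IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443,
         "PrefixListIds": [{"PrefixListId": "pl-cloudfront"}]},
        # mistake: plain HTTP from anywhere lets a client skip CloudFront (and WAF) entirely
        {"IpProtocol": "tcp", "FromPort": 80, "ToPort": 80,
         "IpRanges": [{"CidrIp": "0.0.0.0/0"}]},
    ]},
    {"GroupId": "sg-web", "IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 8080, "ToPort": 8080,
         "UserIdGroupPairs": [{"GroupId": "sg-alb"}]},
        # mistake: SSH from an office range, a side door around the load balancer
        {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
         "IpRanges": [{"CidrIp": "203.0.113.0/24"}]},
    ]},
]
POLICY = {
    "sg-alb": {("pl", "pl-cloudfront")},
    "sg-web": {("sg", "sg-alb")},
}

if __name__ == "__main__":
    for gid, items in audit(SAMPLE_GROUPS, POLICY).items():
        print(gid, "ok" if not items else "")
        for f in items:
            print("  -", f)
```

Referencing the load balancer's security group as the source (rather than its IP addresses) is what makes the instance rule survive load balancer scaling and IP changes; the same logic belongs in a scheduled check or an AWS Config custom rule so that a later "temporary" rule is caught.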

Data Encryption

  • Encryption at rest is available in EBS, S3, Glacier, RDS (Oracle and SQL Server), and Redshift.
  • Key management through AWS KMS: you choose whether to control the keys yourself or let AWS manage them.
  • Server side encryption of message queues in SQS.
  • Dedicated hardware-based cryptographic key storage using AWS CloudHSM, allowing you to satisfy compliance requirements.
  • APIs to integrate AWS security into any applications you create.

Server-Side Encryption

  • It is encryption of data at rest.
  • For example, Amazon S3 encrypts your data at the object level as it writes it to disks in its data centers and decrypts it for you when you access it.
  • As long as you authenticate your request and have access permissions, there is no difference in how you access encrypted or unencrypted objects.

There are three mutually exclusive options, depending on how you choose to manage the encryption keys:

  • Use Server-Side Encryption with Amazon S3-Managed Keys (SSE-S3) – Each object is encrypted with a unique key. As an additional safeguard, it encrypts the key itself with a master key that it regularly rotates. Amazon S3 server-side encryption uses one of the strongest block ciphers available, 256-bit Advanced Encryption Standard (AES-256), to encrypt your data.
  • Use Server-Side Encryption with AWS KMS-Managed Keys (SSE-KMS) – Similar to SSE-S3, but with some additional benefits along with some additional charges for using this service. There are separate permissions for the use of an envelope key (that is, a key that protects your data’s encryption key) that provides added protection against unauthorized access of your objects in Amazon S3. SSE-KMS also provides you with an audit trail of when your key was used and by whom. Additionally, you have the option to create and manage encryption keys yourself, or use a default key that is unique to you, the service you’re using, and the Region you’re working in.
  • Use Server-Side Encryption with Customer-Provided Keys (SSE-C) – You manage the encryption keys and Amazon S3 manages the encryption, as it writes to disks, and decryption, when you access your objects.
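The three options differ in what the client sends with the request, and for SSE-C the client also has to encode the key correctly. The following added example (not code from the original page) builds the request parameters for each mode, both as the raw x-amz-* headers the S3 REST API documents and as the boto3 put_object keyword arguments; the key alias and the 256-bit sample key are constructed.

```python
"""Build the request parameters for each S3 server-side encryption option.

Added example (not from the original page). The x-amz-* header names are
the ones the S3 REST API documents; the boto3 keyword names are the ones
put_object/get_object accept. The 256-bit SSE-C key used at the bottom is a
constructed sample, not a real key.
"""
import base64
import hashlib
import os


def ssec_key_ok(key) -> bool:
    return isinstance(key, (bytes, bytearray)) and len(key) == 32


def sse_headers(mode: str, *, kms_key_id: str = None, customer_key: bytes = None) -> dict:
    """Raw request headers for exactly one of SSE-S3, SSE-KMS, SSE-C."""
    if mode == "SSE-S3":
        return {"x-amz-server-side-encryption": "AES256"}
    if mode == "SSE-KMS":
        headers = {"x-amz-server-side-encryption": "aws:kms"}
        if kms_key_id:  # omit to use the account's default aws/s3 key
            headers["x-amz-server-side-encryption-aws-kms-key-id"] = kms_key_id
        return headers
    if mode == "SSE-C":
        if not ssec_key_ok(customer_key):
            raise ValueError("SSE-C requires a 32-byte (256-bit) key")
        return {
            "x-amz-server-side-encryption-customer-algorithm": "AES256",
            "x-amz-server-side-encryption-customer-key": base64.b64encode(customer_key).decode(),
            # MD5 here is an integrity check of the key in transit, not a security control
            "x-amz-server-side-encryption-customer-key-MD5":
                base64.b64encode(hashlib.md5(customer_key).digest()).decode(),
        }
    raise ValueError(f"unknown mode {mode!r}; SSE-S3, SSE-KMS and SSE-C are mutually exclusive")


def verify_ssec_headers(headers: dict, key: bytes) -> bool:
    """Recompute the SSE-C key headers from the key, as S3 does on receipt."""
    return (base64.b64decode(headers["x-amz-server-side-encryption-customer-key"]) == key
            and base64.b64decode(headers["x-amz-server-side-encryption-customer-key-MD5"])
            == hashlib.md5(key).digest())


def boto3_put_kwargs(mode: str, *, kms_key_id: str = None, customer_key: bytes = None) -> dict:
    """The same choice expressed as boto3 put_object keyword arguments.
    boto3 base64-encodes the SSE-C key and computes its MD5 itself."""
    if mode == "SSE-S3":
        return {"ServerSideEncryption": "AES256"}
    if mode == "SSE-KMS":
        kw = {"ServerSideEncryption": "aws:kms"}
        if kms_key_id:
            kw["SSEKMSKeyId"] = kms_key_id
        return kw
    if mode == "SSE-C":
        if not ssec_key_ok(customer_key):
            raise ValueError("SSE-C requires a 32-byte (256-bit) key")
        return {"SSECustomerAlgorithm": "AES256", "SSECustomerKey": customer_key}
    raise ValueError(mode)


if __name__ == "__main__":
    key = os.urandom(32)  # constructed sample key; with SSE-C *you* must keep it safe
    for m, kw in (("SSE-S3", {}), ("SSE-KMS", {"kms_key_id": "alias/app-data"}),
                  ("SSE-C", {"customer_key": key})):
        print(m, sse_headers(m, **kw))
```

Two caveats a practitioner needs with SSE-C: S3 accepts it only over HTTPS, because the key travels in the request header, and S3 does not store the key (only a salted HMAC of it to validate later requests), so the same key must be supplied on every GET and HEAD and losing it means losing the objects.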

Client-side encryption is the act of encrypting data before sending it to Amazon S3. To enable client-side encryption, you have the following options:

  • Use an AWS KMS-managed customer master key.
  • Use a client-side master key.

The following AWS SDKs support client-side encryption:

  • AWS SDK for .NET
  • AWS SDK for Go
  • AWS SDK for Java
  • AWS SDK for PHP
  • AWS SDK for Ruby
  • AWS SDK for C++

Sample Implementation

The sample implementation works as follows:

  1. The administrator encrypts a secret password by using KMS. The encrypted password is stored in a file.
  2. The administrator puts the file containing the encrypted password in an S3 bucket.
  3. At instance boot time, the instance copies the encrypted file to an internal disk.
  4. The EC2 instance then decrypts the file using KMS and retrieves the plaintext password. The password is used to configure the Linux encrypted file system with LUKS. All data written to the encrypted file system is encrypted by using an AES-256 encryption algorithm when stored on disk.
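Steps 3 and 4 above are the part that runs unattended at every boot, so they are worth writing down precisely. The following added example (not the original page's code) shells out to the AWS CLI and cryptsetup rather than reimplementing them, so it only runs on an EC2 instance whose role allows kms:Decrypt on the key and s3:GetObject on the file. The bucket, object key, local path, device name and the encryption context are assumptions for illustration.

```python
"""Boot-time half of the sample implementation (steps 3 and 4): fetch the
KMS-encrypted passphrase, decrypt it, and open the LUKS volume.

Added example, not the original page's code. It shells out to the AWS CLI
and cryptsetup rather than reimplementing them, so it only runs on an EC2
instance whose role allows kms:Decrypt on the key and s3:GetObject on the
file. Assumed (hypothetical) names: bucket 'example-secrets', object
'luks/pass.enc', data volume /dev/xvdf, and an encryption context of
purpose=luks,volume=data that was supplied when the administrator ran
`aws kms encrypt` in step 1.
"""
import base64
import json
import subprocess

ENCRYPTION_CONTEXT = {"purpose": "luks", "volume": "data"}
LOCAL_CIPHERTEXT = "/var/lib/luks/pass.enc"


def s3_copy_argv(bucket: str, key: str, dest: str) -> list:
    """Step 3: copy the encrypted file to local disk."""
    return ["aws", "s3", "cp", f"s3://{bucket}/{key}", dest]


def kms_decrypt_argv(ciphertext_path: str, context: dict) -> list:
    """Step 4a: the decrypt call. The context must match the one used at encrypt
    time exactly, or KMS refuses (InvalidCiphertextException); that is what stops
    the same blob being decrypted by a caller claiming a different purpose."""
    ctx = ",".join(f"{k}={v}" for k, v in sorted(context.items()))
    return ["aws", "kms", "decrypt",
            "--ciphertext-blob", f"fileb://{ciphertext_path}",
            "--encryption-context", ctx,
            "--output", "json"]


def plaintext_from_cli(cli_json: str) -> bytes:
    """The CLI returns Plaintext base64-encoded; forgetting to decode it yields a
    passphrase that never matches the one luksFormat was given."""
    return base64.b64decode(json.loads(cli_json)["Plaintext"])


def cryptsetup_open_argv(device: str, mapper_name: str) -> list:
    """Step 4b: open the LUKS volume, reading the key from stdin so it never
    appears on a command line (argv is readable by every local user via ps)."""
    return ["cryptsetup", "open", "--type", "luks", "--key-file=-", device, mapper_name]


def unlock_volume(bucket: str, key: str, device: str, mapper_name: str) -> None:
    subprocess.run(s3_copy_argv(bucket, key, LOCAL_CIPHERTEXT), check=True)
    out = subprocess.run(kms_decrypt_argv(LOCAL_CIPHERTEXT, ENCRYPTION_CONTEXT),
                         check=True, capture_output=True, text=True).stdout
    passphrase = plaintext_from_cli(out)
    # cryptsetup uses the stdin bytes verbatim (including any trailing newline), so
    # the blob must have been encrypted from exactly the bytes luksFormat was given
    subprocess.run(cryptsetup_open_argv(device, mapper_name), input=passphrase, check=True)
    # /dev/mapper/<mapper_name> can now be mounted; data written there is encrypted on disk


if __name__ == "__main__":
    unlock_volume("example-secrets", "luks/pass.enc", "/dev/xvdf", "data")
```

The plaintext passphrase exists only in this process's memory and on cryptsetup's stdin; the file on disk stays ciphertext, which is the point of the design. Scoping the key policy so that only the instance role may call kms:Decrypt with this encryption context keeps a copied S3 object useless on its own.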

Standards and Best Practices

  • A security assessment service, Amazon Inspector, that automatically assesses applications for vulnerabilities or deviations from best practices, including impacted networks, OS, and attached storage
  • Deployment tools to manage the creation and decommissioning of AWS resources according to organization standards
  • Inventory and configuration management tools, including AWS Config, that identify AWS resources and then track and manage changes to those resources over time
  • Template definition and management tools, including AWS CloudFormation to create standard, preconfigured environments

Amazon Inspector

  • It is an automated security assessment service.
  • It helps improve the security and compliance of applications deployed on AWS.
  • It automatically assesses applications for exposure, vulnerabilities, and deviations from best practices. After the assessment, it produces a detailed list of security findings prioritized by level of severity.

AWS Config

  • It provides a detailed view of the resources associated with your AWS account.
  • It includes
    • how resources are configured
    • how they are related to one another
    • how the configurations and their relationships have changed over time
  • It continuously monitors and records your AWS resource configurations
  • You can automate the evaluation of recorded configurations against desired configurations.

Monitoring and Logging

  • Deep visibility into API calls through AWS CloudTrail, including who made each call, what was called, when, and from where
  • Log aggregation options, streamlining investigations and compliance reporting
  • Alert notifications through Amazon CloudWatch when specific events occur or thresholds are exceeded

AWS CloudTrail

  • It helps you enable governance, compliance, and operational and risk auditing.
  • Actions taken by a user, role, or an AWS service are recorded as events in CloudTrail.
  • Events include actions taken in the AWS Management Console, AWS Command Line Interface, and AWS SDKs and APIs.
  • CloudTrail is enabled on your AWS account when you create it.
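Recording events is only useful if something reads them. The following added example (not code from the original page) runs three common detections over CloudTrail records: a console login that succeeded without MFA, any activity by the root user, and calls that stop or alter the trail itself. The records are constructed to follow the real CloudTrail JSON field names; the account id, IP addresses and user names are placeholders.

```python
"""Run three common detections over CloudTrail records.

Added example (not from the original page). The records are constructed to
look like CloudTrail JSON (the real fields are used: userIdentity.type,
eventName, eventSource, additionalEventData.MFAUsed, responseElements),
but the account id, IPs and names are placeholders.
"""
import json

TRAIL_TAMPERING = {"StopLogging", "DeleteTrail", "UpdateTrail", "PutEventSelectors"}


def console_login_without_mfa(ev: dict) -> bool:
    return (ev.get("eventName") == "ConsoleLogin"
            and ev.get("responseElements", {}).get("ConsoleLogin") == "Success"
            and ev.get("additionalEventData", {}).get("MFAUsed") != "Yes")


def root_activity(ev: dict) -> bool:
    """The root user should not be used day to day; every root action is worth a ticket."""
    return ev.get("userIdentity", {}).get("type") == "Root"


def trail_tampering(ev: dict) -> bool:
    """An attacker's first move is often to blind the trail."""
    return (ev.get("eventSource") == "cloudtrail.amazonaws.com"
            and ev.get("eventName") in TRAIL_TAMPERING)


RULES = {
    "console-login-no-mfa": console_login_without_mfa,
    "root-activity": root_activity,
    "cloudtrail-tampering": trail_tampering,
}


def detect(records: list) -> list:
    """Return (rule, eventTime, actor, sourceIP, eventName) for every matching event."""
    hits = []
    for ev in records:
        ident = ev.get("userIdentity", {})
        actor = ident.get("userName") or ident.get("arn") or ident.get("type", "?")
        for name, rule in RULES.items():
            if rule(ev):
                hits.append((name, ev.get("eventTime"), actor, ev.get("sourceIPAddress"), ev.get("eventName")))
    return hits


def load_records(text: str) -> list:
    """CloudTrail log files are JSON objects with a top-level Records array."""
    return json.loads(text)["Records"]


# Constructed sample log: one clean login, then a plausible intrusion sequence.
SAMPLE_LOG = json.dumps({"Records": [
    {"eventTime": "2024-05-01T08:00:00Z", "eventSource": "signin.amazonaws.com", "eventName": "ConsoleLogin",
     "userIdentity": {"type": "IAMUser", "userName": "alice"}, "sourceIPAddress": "198.51.100.7",
     "responseElements": {"ConsoleLogin": "Success"}, "additionalEventData": {"MFAUsed": "Yes"}},
    {"eventTime": "2024-05-01T08:05:00Z", "eventSource": "signin.amazonaws.com", "eventName": "ConsoleLogin",
     "userIdentity": {"type": "IAMUser", "userName": "bob"}, "sourceIPAddress": "203.0.113.9",
     "responseElements": {"ConsoleLogin": "Success"}, "additionalEventData": {"MFAUsed": "No"}},
    {"eventTime": "2024-05-01T08:07:00Z", "eventSource": "cloudtrail.amazonaws.com", "eventName": "StopLogging",
     "userIdentity": {"type": "IAMUser", "userName": "bob"}, "sourceIPAddress": "203.0.113.9",
     "requestParameters": {"name": "org-trail"}},
    {"eventTime": "2024-05-01T09:00:00Z", "eventSource": "iam.amazonaws.com", "eventName": "CreateAccessKey",
     "userIdentity": {"type": "Root", "arn": "arn:aws:iam::111122223333:root"}, "sourceIPAddress": "192.0.2.44"},
]})

if __name__ == "__main__":
    for hit in detect(load_records(SAMPLE_LOG)):
        print(*hit)
```

In production the same rule functions would run on events delivered through CloudWatch Logs or EventBridge rather than on a file, which turns each hit into the CloudWatch alert the section above mentions. A trail that is protected from StopLogging by IAM, and that writes to a bucket in a separate logging account, keeps the third detection from ever firing in earnest.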

Identity and Access Control

  • AWS Identity and Access Management (IAM) lets you define individual user accounts with permissions across AWS resources
  • AWS Multi-Factor Authentication for privileged accounts, including options for hardware-based authenticators
  • AWS Directory Service allows you to integrate and federate with corporate directories to reduce administrative overhead and improve end-user experience

AWS Multi-Factor Authentication

  • With MFA, when a user signs in to an AWS website, they will be prompted for
    • their user name and password (the first factor—what they know)
    • an authentication response from their AWS MFA device (the second factor—what they have)
  • Multiple factors provide increased security for AWS account settings and resources.
  • Enable MFA for the AWS account root user and for the individual IAM users created under the account.
  • MFA can also be used to control access to AWS service APIs, through the aws:MultiFactorAuthPresent condition key in IAM policies.

The supported MFA mechanisms, in addition to regular sign-in credentials, are:

  • Virtual MFA devices. A software app that runs on a phone or other mobile device and emulates a physical device. The device generates a six-digit numeric code based upon a time-synchronized one-time password algorithm. The user must type a valid code from the device on a second webpage during sign-in. Each virtual MFA device assigned to a user must be unique. A user cannot type a code from another user’s virtual MFA device to authenticate.
  • U2F security key. A device that you plug into a USB port on your computer. U2F is an open authentication standard hosted by the FIDO Alliance. When you enable a U2F security key, you sign in by entering your credentials and then tapping the device instead of manually entering a code.
  • Hardware MFA device. A hardware device that generates a six-digit numeric code based upon a time-synchronized one-time password algorithm. The user must type a valid code from the device on a second webpage during sign-in. Each MFA device assigned to a user must be unique. A user cannot type a code from another user’s device to be authenticated.
  • SMS text message-based MFA. A type of MFA in which the IAM user settings include the phone number of the user’s SMS-compatible mobile device. When the user signs in, AWS sends a six-digit numeric code by SMS text message to the user’s mobile device. The user is required to type that code on a second webpage during sign-in. Note that SMS-based MFA is available only for IAM users. You cannot use this type of MFA with the AWS account root user.
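Using MFA to gate API access means writing a policy whose Deny statement checks the aws:MultiFactorAuthPresent key, and the usual mistake is the condition operator. The following added example (not code from the original page) implements a small subset of IAM's evaluation logic, enough to show the difference: with Bool, a request signed with long-term access keys carries no MFA key at all, so the Deny never matches and the call succeeds; with BoolIfExists the missing key counts as a match. The policies and request contexts are constructed.

```python
"""Evaluate whether an API call is allowed under an "MFA required" policy.

Added example (not from the original page). It implements a small subset of
the IAM evaluation logic (explicit Deny beats Allow; Bool and BoolIfExists
conditions; '*' wildcards in Action) just enough to show why the deny
statement must use BoolIfExists. The policies are constructed and the
context dicts stand in for the request context IAM builds.
"""
from fnmatch import fnmatchcase

MFA_KEY = "aws:MultiFactorAuthPresent"

ALLOW_S3 = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": "s3:*", "Resource": "*"}]}

# Looks right, but a request whose context lacks the key (long-term access keys)
# never matches "Bool false", so the deny does not apply and the call goes through.
DENY_NO_MFA_WEAK = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Deny", "Action": "*", "Resource": "*",
     "Condition": {"Bool": {MFA_KEY: "false"}}}]}

# BoolIfExists treats a missing key as a match, so keys-only callers are denied too.
DENY_NO_MFA = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Deny", "Action": "*", "Resource": "*",
     "Condition": {"BoolIfExists": {MFA_KEY: "false"}}}]}

# Request contexts: temporary credentials carry the key ("true" after MFA, "false"
# without); long-term access keys do not carry it at all.
CTX_MFA_SESSION = {MFA_KEY: "true"}
CTX_SESSION_NO_MFA = {MFA_KEY: "false"}
CTX_ACCESS_KEYS = {}


def _as_list(v):
    return [v] if isinstance(v, str) else list(v)


def condition_matches(op: str, expected: str, actual) -> bool:
    if actual is None:
        return op == "BoolIfExists"   # ...IfExists: a missing key counts as a match
    return str(actual).lower() == str(expected).lower()


def statement_matches(stmt: dict, action: str, context: dict) -> bool:
    if not any(fnmatchcase(action, pat) for pat in _as_list(stmt["Action"])):
        return False
    for op, pairs in stmt.get("Condition", {}).items():
        if op not in ("Bool", "BoolIfExists"):
            raise NotImplementedError(f"condition operator {op} not modelled here")
        for key, expected in pairs.items():
            if not condition_matches(op, expected, context.get(key)):
                return False
    return True


def is_allowed(policies: list, action: str, context: dict) -> bool:
    """Explicit Deny wins; otherwise any matching Allow; otherwise implicit deny."""
    allowed = False
    for pol in policies:
        for stmt in pol["Statement"]:
            if statement_matches(stmt, action, context):
                if stmt["Effect"] == "Deny":
                    return False
                allowed = True
    return allowed


if __name__ == "__main__":
    for label, deny in (("Bool", DENY_NO_MFA_WEAK), ("BoolIfExists", DENY_NO_MFA)):
        for ctx_name, ctx in (("mfa session", CTX_MFA_SESSION), ("no-mfa session", CTX_SESSION_NO_MFA),
                              ("access keys", CTX_ACCESS_KEYS)):
            verdict = "allow" if is_allowed([ALLOW_S3, deny], "s3:DeleteObject", ctx) else "deny"
            print(f"{label:13} {ctx_name:15} s3:DeleteObject -> {verdict}")
```

AWS's own published "require MFA" policy uses BoolIfExists for exactly this reason, and adds a NotAction list so that a user who has not enrolled yet can still call the IAM MFA-setup actions; that exemption is left out of the model above.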

Security Support

  • Real-time insight through AWS Trusted Advisor
  • Proactive support and advocacy with a Technical Account Manager (TAM)

Compliance Assurance Programs

From certifications and regulations to frameworks, AWS has you covered. Some of those included are:

  • Cyber Essentials Plus (UK)
  • DoD SRG (US)
  • FIPS (US)
  • ISO 9001
  • CISPE
  • GLBA
  • UK Data Protection Act
  • EU Data Protection Directive
  • FFIEC
  • G-Cloud (UK)
  • NIST
  • UK Cloud Security Principles
