AWS Security
Shared Responsibility Model:
Every layer of an IT system, including its networks, facilities, and applications, must be secured. With on-premises infrastructure we are responsible for all of it. When we migrate to the cloud, the cloud provider takes over a portion of that work, and the resulting split of duties between provider and customer is called the shared responsibility model.
Figure: Shared Responsibility Model
The security of our resources is divided between the customer and the cloud provider as shown in the figure above.
AWS defines the shared responsibility model as follows:
The cloud service provider is responsible for the security of the cloud, while the customer is responsible for security in the cloud.
Security of the cloud means that AWS maintains the security of the underlying infrastructure: the physical data centres and the compute, network, storage and database services that run on them. Security in the cloud means that we, as the customer, are responsible for the security of what we deploy on that infrastructure: our applications, our data, and the way we configure the services we use.
With the model in mind, we can take a deeper look at the duties of AWS and of the customer.
AWS responsibility:
· AWS is responsible for the security and reliability of its global infrastructure: the data center buildings, the networking infrastructure, the physical hardware, the virtualization layer and the software used to provide its services.
· AWS protects its physical data centers with video surveillance, intrusion detection systems and mandatory two-factor authentication for its staff.
· When storage devices reach the end of their lifecycle, AWS physically destroys them rather than letting them leave its control.
· To protect its facilities against natural disasters and outages, AWS installs automatic fire detection and suppression systems, redundant power generators, and cooling systems that keep servers from overheating.
· High availability, and fast detection of and response to any incident at a data center, are of utmost importance to AWS.
· This is why data centers are built as redundant, interconnected clusters (Availability Zones) in several geographic regions.
· If one area is affected by a disaster, AWS can quickly redistribute traffic to an unaffected area.
Customer Responsibility:
· The customer is responsible for securing everything that runs in the cloud or connects to it: the guest operating system (patching and hardening), identity and access management (IAM users, roles and policies), network configuration (security groups and VPC routing), and the application and its data, including encryption of EBS volumes and S3 objects.
· The customer's responsibilities vary with the service delivery model. For an EC2 instance the customer patches the guest operating system; for a managed service such as Amazon RDS, AWS patches the operating system and database engine, while the customer still controls access, network exposure and the data itself.
Security compliance:
Security is the set of controls that protect our application and its data. Compliance is the obligation to meet external requirements: the laws, regulations, industry standards and contractual rules that tell us which controls we must have and how we must prove they are in place.
Figure: Security Compliance
Consider,
By using cloud technology to its fullest from the beginning, new and smaller businesses such as Netflix and Airbnb have become leaders in their industries. Many banks, financial institutions, healthcare providers and insurance firms, however, have not yet made the move. What is holding them back? Cost is not the obstacle; these companies have multi-million-dollar IT budgets. Security concerns play a part, but the real restriction that kept these sensitive verticals from migrating their on-premises workloads to the cloud is compliance.
The phrase "compliance" in business or a firm typically refers to abiding by legal regulations set down by the government, such as those pertaining to data security and health standards.
· If our business operates in a certain country, we have to follow that country's laws.
· If we operate in a regulated industry such as healthcare, we also have to follow that industry's guidelines.
· Public cloud providers have therefore made great efforts to meet security and compliance criteria in preparation for our move to the cloud.
· Under the shared responsibility model the provider's compliance covers the infrastructure only; an AWS certification does not make our workload compliant. We still have to configure and operate our resources in line with the same standards, and auditors will ask for evidence of both halves.
· AWS runs a compliance program (its audit reports are available through AWS Artifact) that is designed to provide governance and audit capabilities.
· AWS is compliant with the European Union's General Data Protection Regulation (GDPR). Under the regulation AWS acts as both a data processor (for the content customers store in its services) and a data controller (for the account information it collects about its customers).
· AWS has implemented solutions to meet data encryption, data processing, data restoration and data accessibility requirements.
· Another standard is PCI DSS, the Payment Card Industry Data Security Standard. The PCI Security Standards Council defines the requirements for all entities that store, process or transmit cardholder data or sensitive authentication data.
· Security compliance also helps to build control, formality, ownership and accountability into our security programme.
Encryption in AWS
Encryption is a method of data protection that converts human-readable plaintext into an unreadable form called ciphertext; only a holder of the key can recover the plaintext.
Data protection in AWS is discussed for two states of data.
1. Data in transit: data moving across a network, for example between our application and an AWS service. Every AWS public service endpoint supports HTTPS (TLS), so calls to the AWS APIs are encrypted between the client and the endpoint. Encryption inside our own VPC, for example between our instances and load balancers, is ours to configure.
2. Data at rest: data stored on disk, for example objects in S3, EBS volumes and RDS databases. It can be encrypted in two ways. With server-side encryption the AWS service encrypts the data after receiving it, using keys it manages (S3-managed keys, a KMS key, or, for S3 only, a key we supply on each request). With client-side encryption we encrypt the data before sending it to AWS, so AWS never sees the plaintext or the key.
Figure: AWS encryption
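The following is an added example, not code from the original article, showing the three server-side encryption modes for S3 objects and the check a practitioner runs afterwards: a HEAD request to confirm what S3 actually applied. put_encrypted() and reported_encryption() use the real boto3 put_object and head_object parameter names. FakeS3 is an in-memory stand-in for boto3.client("s3"), constructed so the script runs offline; it models only the behaviour shown here. The bucket name, the KMS key ARN and the 32-byte customer key are placeholders.

```python
"""Write an S3 object with server-side encryption and check what S3 reports.

Added example, not from the original article. put_encrypted() and
reported_encryption() use the real boto3 put_object / head_object parameters;
FakeS3 is a constructed in-memory stand-in for boto3.client("s3").
"""

KMS_KEY_ARN = "arn:aws:kms:us-east-1:111122223333:key/EXAMPLE-1234"  # placeholder


def put_encrypted(s3, bucket, key, body, mode, kms_key_id=None, customer_key=None):
    """Upload with one of S3's three server-side encryption modes.

    SSE-S3: S3-managed keys. SSE-KMS: a KMS key, so every decrypt is a KMS call
    visible in CloudTrail. SSE-C: the caller supplies the AES-256 key on every
    request and S3 stores only a checksum of it, never the key.
    """
    params = {"Bucket": bucket, "Key": key, "Body": body}
    if mode == "SSE-S3":
        params["ServerSideEncryption"] = "AES256"
    elif mode == "SSE-KMS":
        if not kms_key_id:
            raise ValueError("SSE-KMS needs a KMS key id or ARN")
        params["ServerSideEncryption"] = "aws:kms"
        params["SSEKMSKeyId"] = kms_key_id
    elif mode == "SSE-C":
        if customer_key is None or len(customer_key) != 32:
            raise ValueError("SSE-C needs a 32-byte AES-256 key")
        params["SSECustomerAlgorithm"] = "AES256"
        params["SSECustomerKey"] = customer_key  # boto3 base64-encodes it and adds the MD5 header
    else:
        raise ValueError(f"unknown mode {mode!r}")
    return s3.put_object(**params)


def reported_encryption(s3, bucket, key, customer_key=None):
    """Ask S3 (HEAD) how a stored object is encrypted: SSE-S3, SSE-KMS, SSE-C or NONE."""
    params = {"Bucket": bucket, "Key": key}
    if customer_key is not None:
        # An SSE-C object cannot even be HEADed without presenting the same key.
        params["SSECustomerAlgorithm"] = "AES256"
        params["SSECustomerKey"] = customer_key
    head = s3.head_object(**params)
    if head.get("SSECustomerAlgorithm"):
        return "SSE-C"
    sse = head.get("ServerSideEncryption")
    if sse == "aws:kms":
        return "SSE-KMS"
    if sse == "AES256":
        return "SSE-S3"
    return "NONE"


class FakeS3:
    """Constructed stand-in for a boto3 S3 client; keeps request parameters in memory."""

    def __init__(self):
        self.objects = {}

    def put_object(self, **params):
        self.objects[(params["Bucket"], params["Key"])] = dict(params)
        return {"ResponseMetadata": {"HTTPStatusCode": 200}}

    def head_object(self, **params):
        stored = self.objects[(params["Bucket"], params["Key"])]
        if "SSECustomerKey" in stored:
            # Real S3 answers HTTP 400 when the SSE-C key is missing or wrong.
            if params.get("SSECustomerKey") != stored["SSECustomerKey"]:
                raise ValueError("400 Bad Request: SSE-C key required")
            return {"SSECustomerAlgorithm": "AES256"}
        return {k: stored[k] for k in ("ServerSideEncryption", "SSEKMSKeyId") if k in stored}


def demo(s3=None):
    """Upload one object per mode and return what S3 reports for each."""
    s3 = s3 or FakeS3()
    bucket, customer_key = "example-bucket", b"\x01" * 32  # placeholder bucket, constructed key
    put_encrypted(s3, bucket, "a.txt", b"hello", "SSE-S3")
    put_encrypted(s3, bucket, "b.txt", b"hello", "SSE-KMS", kms_key_id=KMS_KEY_ARN)
    put_encrypted(s3, bucket, "c.txt", b"hello", "SSE-C", customer_key=customer_key)
    report = {
        "a.txt": reported_encryption(s3, bucket, "a.txt"),
        "b.txt": reported_encryption(s3, bucket, "b.txt"),
        "c.txt": reported_encryption(s3, bucket, "c.txt", customer_key=customer_key),
    }
    try:
        reported_encryption(s3, bucket, "c.txt")  # no key presented: S3 refuses
        report["c.txt-without-key"] = "readable"
    except Exception:
        report["c.txt-without-key"] = "refused"
    return report


if __name__ == "__main__":
    print(demo())
```

Against a real account, replace FakeS3() with boto3.client("s3"). One caveat when reading the result: since January 2023 S3 applies SSE-S3 by default to every new object, so an upload that sends no encryption header will be reported as SSE-S3 by real S3, whereas the stand-in above reports NONE for it.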
AWS Config:
AWS Config is a service that lets us assess, audit and evaluate the configurations of our AWS resources.
· Once AWS Config is enabled it records the configuration of our resources continuously. We first define how resources should be configured; Config then checks whether each resource complies with that definition.
· AWS Config provides predefined (managed) rules, and we can also create custom rules, backed by Lambda functions, for our organization's own requirements.
· A rule is evaluated when a resource's configuration changes or on a schedule.
· If a resource violates a rule's conditions, AWS Config flags that resource as non-compliant.
Working of AWS Config:
· Specify the resource types we want Config to record.
· Set up Amazon SNS to notify us of configuration changes.
· Specify an Amazon S3 bucket to receive configuration information.
· Add AWS Config managed rules to evaluate the resource types.
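As an added example (not code from the original article), here is the evaluation logic of a Lambda-backed custom rule of the kind step 4 refers to, checking that every EBS volume is encrypted. The event shape (invokingEvent as a JSON string carrying a configurationItem) and the put_evaluations call are the ones AWS Config uses for custom rules; the two sample events built by make_event() are constructed so the script runs offline, and boto3 is only imported when the function actually runs inside Lambda.

```python
"""AWS Config custom rule: flag unencrypted EBS volumes as NON_COMPLIANT.

Added example, not from the original article. Deploy lambda_handler as the
rule's function; run the file directly to exercise it on constructed events.
"""
import json

RESOURCE_TYPE = "AWS::EC2::Volume"


def evaluate_volume(config_item):
    """Return COMPLIANT / NON_COMPLIANT / NOT_APPLICABLE for one configuration item."""
    if config_item["resourceType"] != RESOURCE_TYPE:
        return "NOT_APPLICABLE"
    if config_item["configurationItemStatus"] == "ResourceDeleted":
        # A deleted volume must not linger on the non-compliant list.
        return "NOT_APPLICABLE"
    # Config records the EBS encryption flag as configuration.encrypted.
    return "COMPLIANT" if config_item["configuration"].get("encrypted") else "NON_COMPLIANT"


def build_evaluation(event):
    """Turn a Config invocation event into one put_evaluations entry."""
    invoking = json.loads(event["invokingEvent"])
    if invoking["messageType"] != "ConfigurationItemChangeNotification":
        # Oversized notifications carry only a summary; a production rule would
        # fetch the full item with get_resource_config_history instead.
        raise ValueError(f"unsupported messageType {invoking['messageType']}")
    item = invoking["configurationItem"]
    return {
        "ComplianceResourceType": item["resourceType"],
        "ComplianceResourceId": item["resourceId"],
        "ComplianceType": evaluate_volume(item),
        "OrderingTimestamp": item["configurationItemCaptureTime"],
    }


def lambda_handler(event, context):
    """Entry point when deployed as the custom rule's Lambda function."""
    import boto3  # only needed inside Lambda, not for the offline run

    evaluation = build_evaluation(event)
    boto3.client("config").put_evaluations(
        Evaluations=[evaluation], ResultToken=event["resultToken"]
    )
    return evaluation["ComplianceType"]


def make_event(volume_id, encrypted, status="OK"):
    """Constructed sample event in the shape AWS Config sends to a custom rule."""
    item = {
        "resourceType": RESOURCE_TYPE,
        "resourceId": volume_id,
        "configurationItemStatus": status,
        "configurationItemCaptureTime": "2024-01-01T00:00:00.000Z",
        "configuration": {"volumeId": volume_id, "encrypted": encrypted},
    }
    return {
        "invokingEvent": json.dumps({
            "messageType": "ConfigurationItemChangeNotification",
            "configurationItem": item,
        }),
        "ruleParameters": "{}",
        "resultToken": "constructed-token",
    }


if __name__ == "__main__":
    for ev in (make_event("vol-0aaa", True),
               make_event("vol-0bbb", False),
               make_event("vol-0ccc", False, status="ResourceDeleted")):
        print(build_evaluation(ev))
```

The rule's Lambda execution role needs config:PutEvaluations, and the rule itself must be scoped to AWS::EC2::Volume so Config only invokes it for volume changes. The same split, a pure evaluation function plus a thin handler, is what makes a rule testable before it is deployed.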
Benefits of AWS Config:
· Security Analysis & Resource Administration
· Continuous monitoring
· Continuous assessment
· Enterprise-wide compliance monitoring
AWS CloudTrail
AWS CloudTrail is an AWS service that helps us to enable operational and risk auditing, governance, and compliance of our AWS account. Actions taken by a user, role, or an AWS service are recorded as events in CloudTrail. Events include actions taken in the AWS Management Console, AWS Command Line Interface, and AWS SDKs and APIs.
CloudTrail Working
· AWS CloudTrail captures each API call and records it as a CloudTrail event.
· The user sets up a trail and defines an Amazon S3 bucket for storage.
· CloudTrail delivers log files to the S3 bucket and can also deliver events to CloudWatch Logs and to CloudWatch Events (EventBridge).
· Monitoring, such as detecting unusual API activity (use of the root account, console logins without MFA, calls that stop or delete a trail), can be built on those streams.
· Analysis can be done with Amazon Athena queries over the log files in S3.
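The detection step above, as an added example that is not part of the original article: a small scanner that runs a handful of rules over CloudTrail records. The rules (root account activity, console login without MFA, calls that disable CloudTrail or Config, IAM privilege grants, and a burst of AccessDenied errors from one principal) are the editor's illustrative choices, and ACCESS_DENIED_THRESHOLD is an assumed value. The field names (eventSource, eventName, userIdentity.type, additionalEventData.MFAUsed, responseElements.ConsoleLogin, errorCode, eventID) are the real CloudTrail record fields; SAMPLE_RECORDS are constructed, not captured from a real account.

```python
"""Scan CloudTrail records for high-risk API activity.

Added example, not from the original article. Field names are CloudTrail's;
the rules and the sample records are the editor's constructions.
"""
import json
from collections import Counter

# API calls that disable or weaken the audit trail itself, keyed by eventSource.
TRAIL_TAMPERING = {
    "cloudtrail.amazonaws.com": {"StopLogging", "DeleteTrail", "UpdateTrail"},
    "config.amazonaws.com": {"StopConfigurationRecorder", "DeleteConfigurationRecorder"},
}
# IAM calls that grant or extend privileges.
IAM_PRIVILEGE = {"AttachUserPolicy", "PutUserPolicy", "AttachRolePolicy", "CreateAccessKey"}
ACCESS_DENIED_THRESHOLD = 3  # assumed value; tune to the account's normal noise level


def classify(record):
    """Return the finding names that apply to one CloudTrail record."""
    findings = []
    source, name = record.get("eventSource"), record.get("eventName")
    if record.get("userIdentity", {}).get("type") == "Root":
        findings.append("root-account-activity")
    if name == "ConsoleLogin":
        mfa = record.get("additionalEventData", {}).get("MFAUsed")
        success = record.get("responseElements", {}).get("ConsoleLogin") == "Success"
        if success and mfa == "No":
            findings.append("console-login-without-mfa")
    if name in TRAIL_TAMPERING.get(source, set()):
        findings.append("audit-trail-tampering")
    if source == "iam.amazonaws.com" and name in IAM_PRIVILEGE:
        findings.append("iam-privilege-change")
    return findings


def principal(record):
    """Stable identifier for the caller: the ARN if present, else the access key id."""
    identity = record.get("userIdentity", {})
    return identity.get("arn") or identity.get("accessKeyId") or "unknown"


def scan_records(records):
    """Run every rule over a list of records.

    Returns (findings, denied): findings is a list of (eventID, finding) tuples
    and denied maps each principal to its count of AccessDenied errors. A
    principal at or above ACCESS_DENIED_THRESHOLD gets an extra finding, since
    a burst of denied calls is the usual trace of permission probing.
    """
    findings, denied = [], Counter()
    for rec in records:
        for f in classify(rec):
            findings.append((rec["eventID"], f))
        if rec.get("errorCode") in ("AccessDenied", "Client.UnauthorizedOperation"):
            denied[principal(rec)] += 1
    for who, n in denied.items():
        if n >= ACCESS_DENIED_THRESHOLD:
            findings.append((who, "access-denied-burst"))
    return findings, denied


def scan_log_file(text):
    """Parse one CloudTrail log file ({"Records": [...]}) and scan it."""
    return scan_records(json.loads(text)["Records"])


def _user(name, key="AKIAEXAMPLE"):  # constructed IAM user identity
    return {"type": "IAMUser", "arn": f"arn:aws:iam::111122223333:user/{name}",
            "accessKeyId": key, "userName": name}


SAMPLE_RECORDS = [  # constructed records in CloudTrail's field layout
    {"eventID": "e1", "eventSource": "signin.amazonaws.com", "eventName": "ConsoleLogin",
     "userIdentity": {"type": "Root", "arn": "arn:aws:iam::111122223333:root"},
     "responseElements": {"ConsoleLogin": "Success"}, "additionalEventData": {"MFAUsed": "No"}},
    {"eventID": "e2", "eventSource": "cloudtrail.amazonaws.com", "eventName": "StopLogging",
     "userIdentity": _user("deploy"), "requestParameters": {"name": "main-trail"}},
    {"eventID": "e3", "eventSource": "iam.amazonaws.com", "eventName": "AttachUserPolicy",
     "userIdentity": _user("deploy"),
     "requestParameters": {"userName": "deploy", "policyArn": "arn:aws:iam::aws:policy/AdministratorAccess"}},
    {"eventID": "e4", "eventSource": "s3.amazonaws.com", "eventName": "GetObject",
     "userIdentity": _user("alice")},
] + [
    {"eventID": f"e{5 + i}", "eventSource": "s3.amazonaws.com", "eventName": "ListBuckets",
     "userIdentity": _user("bob"), "errorCode": "AccessDenied"} for i in range(3)
]
SAMPLE_LOG_TEXT = json.dumps({"Records": SAMPLE_RECORDS})  # one constructed log file

if __name__ == "__main__":
    found, denied_counts = scan_records(SAMPLE_RECORDS)
    for event_id, finding in found:
        print(f"{event_id}: {finding}")
```

CloudTrail writes each log file to S3 gzipped as a single JSON object with a Records array, so the same scan_log_file() can be pointed at real data by decompressing a delivered file and passing its text. For continuous detection the equivalent rules would live in CloudWatch Logs metric filters or EventBridge rules on the CloudWatch delivery mentioned above; the offline scanner is useful for back-testing a rule against historical logs before turning it on.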
Benefits
· Security Analysis and Troubleshooting
· Simplified Compliance
· Visibility into user and resource activity
· Security Automation
Well explained, Laxmi
It's always an opportunity to learn from your blog. Very informative. 👏