Academy Cloud Foundations Module 04


Module 4: AWS Cloud Security

AWS Academy Cloud Foundations

© 2022, Amazon Web Services, Inc. or its affiliates. All rights reserved.
Module objectives
After completing this module, you should be able to:
• Recognize the shared responsibility model
• Identify the responsibility of the customer and AWS
• Recognize IAM users, groups, and roles
• Describe different types of security credentials in IAM
• Recognize how to secure AWS data
• Recognize AWS compliance programs

Section 1: AWS shared responsibility model
Module 4: AWS Cloud Security

AWS shared responsibility model
AWS is responsible for protecting the infrastructure that runs all the services that are offered in the AWS Cloud. This infrastructure is composed of the hardware, software, networking, and facilities that run the AWS Cloud services.

The customer is responsible for the encryption of data at rest and data in transit. The customer should also ensure that the network is configured for security and that security credentials and logins are managed safely. Additionally, the customer is responsible for the configuration of security groups and the configuration of the operating system that runs on compute instances that they launch (including updates and security patches).

AWS responsibility: Security of the cloud
AWS is responsible for the physical infrastructure that hosts your resources, including:
• Physical security of data centers
  • Controlled, need-based access
  • Located in nondescript facilities, with 24/7 security guards; two-factor authentication; access logging and review; video surveillance; and disk degaussing and destruction
• Hardware and software infrastructure
  • Servers, storage devices, and other appliances that AWS relies on
  • Host operating systems, service applications, and virtualization software
• Network infrastructure
  • Routers, switches, load balancers, firewalls, and cabling
  • AWS continuously monitors the network at external boundaries, secures access points, and provides redundant infrastructure with intrusion detection

Customer responsibility: Security in the cloud
Customers are responsible for the security of everything they put in the cloud.
Customer responsibilities include:
• Selecting and securing any instance operating systems
• Securing the applications that are launched on AWS resources
• Security group configurations, firewall configurations, and network configurations
• Secure account management
When customers use AWS services, they maintain complete control over their content. Customers are responsible for managing critical content security requirements, including:
• What content they choose to store on AWS
• Which AWS services are used with the content
• In what country that content is stored
• The format and structure of that content and whether it is masked, anonymized, or encrypted
• Who has access to that content and how those access rights are granted, managed, and revoked

Service characteristics and security responsibility (1 of 2)

Example services managed by the customer: Amazon EC2, Amazon Elastic Block Store (Amazon EBS), Amazon Virtual Private Cloud (Amazon VPC)

Infrastructure as a service (IaaS)
• Customer has more flexibility over configuring networking and storage settings
• Customer is responsible for managing more aspects of the security
• Customer configures the access controls

AWS services—such as Amazon EC2—can be categorized as IaaS and thus require the customer to perform all necessary security configuration and management tasks. Customers who deploy EC2 instances are responsible for managing the guest operating system (including updates and security patches), any application software that is installed on the instances, and the configuration of the security groups that were provided by AWS.

Service characteristics and security responsibility (1 of 2)

Example services managed by AWS: AWS Lambda, Amazon Relational Database Service (Amazon RDS), AWS Elastic Beanstalk

Platform as a service (PaaS)
• Customer does not need to manage the underlying infrastructure
• AWS handles the operating system, database patching, firewall configuration, and disaster recovery
• Customer can focus on managing code or data

AWS services such as AWS Lambda and Amazon RDS can be categorized as PaaS because AWS operates the infrastructure layer, the operating system, and platforms. Customers only need to access the endpoints to store and retrieve data. With PaaS services, customers are responsible for managing their data, classifying their assets, and applying the appropriate permissions. However, these services act more like managed services, with AWS handling a larger portion of the security requirements. For these services, AWS handles basic security tasks—such as operating system and database patching, firewall configuration, and disaster recovery.

Service characteristics and security responsibility (2 of 2)

SaaS examples: AWS Trusted Advisor, AWS Shield, Amazon Chime

Software as a service (SaaS)
• Software is centrally hosted
• Licensed on a subscription model or pay-as-you-go basis
• Services are typically accessed via web browser, mobile app, or application programming interface (API)
• Customers do not need to manage the infrastructure that supports the service

AWS Trusted Advisor is an online tool that analyzes your AWS environment and provides real-time guidance and recommendations to help you provision your resources by following AWS best practices. The Trusted Advisor service is offered as part of your AWS Support plan. Some of the Trusted Advisor features are free to all accounts, but Business Support and Enterprise Support customers have access to the full set of Trusted Advisor checks and recommendations.

Section 2: AWS Identity and Access Management (IAM)
Module 4: AWS Cloud Security

AWS Identity and Access Management (IAM)

AWS Identity and Access Management (IAM) allows you to control access to compute, storage, database, and application services in the AWS Cloud. IAM can be used to handle authentication, and to specify and enforce authorization policies so that you can specify which users can access which services.

With IAM, you can manage:
• Who can access the resources
• Which resources can be accessed
• How these resources can be accessed

IAM is a feature of your AWS account, and it is offered at no additional charge.

IAM: Essential components
To understand how to use IAM to secure your AWS account, it is important to understand the role and function of each of the four IAM components.

IAM user: A person or application that can authenticate with an AWS account. Each user must have a unique name (with no spaces in the name) within the AWS account, and a set of security credentials that is not shared with other users.

IAM group: A collection of IAM users that are granted identical authorization. Can be used to simplify specifying and managing permissions for multiple users.

IAM policy: The document that defines which resources can be accessed and the level of access to each resource. Policies can also explicitly deny access.

IAM role: Useful mechanism to grant a set of permissions for making AWS service requests. It is a tool for granting temporary access to specific AWS resources in an AWS account.

Authenticate as an IAM user to gain access
Authentication is a basic computer security concept: a user or system must first prove their identity.
When you define an IAM user, you select what types of access the user is permitted to use.
You can assign two different types of access to users:

Programmatic access
• Authenticate using:
  • Access key ID
  • Secret access key
• Provides AWS CLI and AWS SDK access

AWS Management Console access
• Authenticate using:
  • 12-digit Account ID or alias
  • IAM user name
  • IAM password
• If enabled, multi-factor authentication (MFA) prompts for an authentication code.

Authorization: What actions are permitted

Authorization is the process of determining what permissions a user, service, or application should be granted. After a user has been authenticated, they must be authorized to access AWS services.

By default, IAM users do not have permissions to access any resources or data in an AWS account.

You must explicitly grant permissions to a user, group, or role by creating a policy, which is a document in JavaScript Object Notation (JSON) format. A policy lists permissions that allow or deny access to resources in the AWS account.

IAM: Authorization
• Assign permissions by creating an IAM policy.
• Permissions determine which resources and operations are allowed:
  • All permissions are implicitly denied by default.
  • If something is explicitly denied, it is never allowed.

Best practice: Follow the principle of least privilege.

The principle of least privilege is an important concept in computer security. It means that you grant each user only the minimal privileges needed for that user's tasks.

IAM policies
• An IAM policy is a formal statement of permissions that will be granted to an entity.
• Policies can be attached to any IAM entity. Entities include users, groups, roles, or resources.
• Policies specify what actions are allowed, which resources to allow the actions on, and what the effect will be when the user requests access to the resources.
• There are two types of IAM policies.
  • Identity-based policies are permissions policies that you can attach to a principal (or identity) such as an IAM user, role, or group. These policies control what actions that identity can perform, on which resources, and under what conditions. Identity-based policies can be further categorized as:
  • Resource-based policies are JSON policy documents that you attach to a resource. These policies control what actions a specified principal can perform on that resource, and under what conditions. Resource-based policies are supported only by some AWS services.

IAM groups
• An IAM group is a collection of IAM users
• A group is used to grant the same permissions to multiple users
• Permissions are granted by attaching an IAM policy or policies to the group
• A user can belong to multiple groups
• There is no default group
• Groups cannot be nested

Figure: an AWS account with three IAM groups, Admins, Developers, and Testers, whose members are Carlos Salazar, Li Juan, Zhang Wei, Márcia Oliveira, Mary Major, John Stiles, and Richard Roe; Li Juan appears in two groups.

IAM roles
• An IAM role is an IAM identity with specific permissions
• Similar to an IAM user
  • Attach permissions policies to it
• Different from an IAM user
  • Not uniquely associated with one person
  • Intended to be assumable by a person, application, or service
• Role provides temporary security credentials

Section 3: Securing accounts
Module 4: AWS Cloud Security

AWS Organizations
• AWS Organizations is an account management service that enables you to consolidate multiple AWS accounts that you create and centrally manage.
• Security features of AWS Organizations:
  • Group AWS accounts into organizational units (OUs) and attach different access policies to each OU.
  • Integration and support for IAM
    • Permissions to a user are the intersection of what is allowed by AWS Organizations and what is granted by IAM in that account.
  • Use service control policies to establish control over the AWS services and API actions that each AWS account can access

AWS Organizations: Service control policies
• Service control policies (SCPs) offer central control over the maximum available permissions for all accounts in your organization, enabling you to ensure that your accounts stay within your organization's access control guidelines.
• SCPs are similar to IAM permissions policies –
  • They use similar syntax.
  • However, an SCP never grants permissions.
  • Instead, SCPs specify the maximum permissions for an organization.

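The evaluation rules on the IAM authorization and policy slides (everything implicitly denied, an explicit Deny never allowed) and the SCP rule above (an SCP caps permissions but never grants them) can be simulated in a few lines. This is an added example written for this page, not AWS code or the real IAM evaluation engine; it ignores conditions, resource-based policies and permissions boundaries, and the policy documents, account and bucket names in it are constructed.

```python
# Added example (not from the AWS Academy deck): a small simulator of how a
# request is decided under the rules the slides state. Policies are constructed.
from fnmatch import fnmatchcase

ALLOW, DENY = "Allow", "Deny"


def _as_list(value):
    return value if isinstance(value, list) else [value]


def _statement_matches(stmt, action, resource):
    """True if the statement's Action and Resource patterns cover the request."""
    actions = _as_list(stmt.get("Action", []))
    resources = _as_list(stmt.get("Resource", "*"))
    return (any(fnmatchcase(action, a) for a in actions)
            and any(fnmatchcase(resource, r) for r in resources))


def evaluate_policies(policies, action, resource):
    """Return 'Deny' (explicit), 'Allow', or None (implicit deny) for one policy set."""
    allowed = False
    for policy in policies:
        for stmt in _as_list(policy["Statement"]):
            if not _statement_matches(stmt, action, resource):
                continue
            if stmt["Effect"] == DENY:
                return DENY          # explicit deny wins over every allow
            allowed = True
    return ALLOW if allowed else None


def is_authorized(action, resource, identity_policies, scps=None):
    """Effective permission = intersection of what the SCPs permit and what the
    identity-based policies grant; an explicit Deny in either side refuses."""
    if scps is not None:
        if evaluate_policies(scps, action, resource) != ALLOW:
            return False             # SCP deny, or no SCP allow: request refused
    return evaluate_policies(identity_policies, action, resource) == ALLOW


# Constructed identity-based policy for a developer (bucket name is a placeholder).
DEVELOPER_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow", "Action": ["s3:GetObject", "s3:PutObject"],
         "Resource": "arn:aws:s3:::example-app-bucket/*"},
        {"Effect": "Allow", "Action": "ec2:Describe*", "Resource": "*"},
        # Explicit deny: never allowed, even though s3:* could be allowed elsewhere
        {"Effect": "Deny", "Action": "s3:DeleteObject", "Resource": "*"},
    ],
}

# Constructed SCP: the account may use S3, EC2 and IAM, but may never create IAM users.
ORG_SCP = {
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow", "Action": ["s3:*", "ec2:*", "iam:*"], "Resource": "*"},
        {"Effect": "Deny", "Action": "iam:CreateUser", "Resource": "*"},
    ],
}
```

Note that `is_authorized("ec2:DescribeInstances", "*", [], [ORG_SCP])` is False: the SCP alone grants nothing, exactly as the slide says.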
AWS Key Management Service (AWS KMS)
• AWS Key Management Service (AWS KMS) is a service that enables you to create and manage encryption keys, and to control the use of encryption across a wide range of AWS services and your applications.
• AWS KMS also integrates with AWS CloudTrail to provide you with logs of all key usage to help meet your regulatory and compliance needs.
• Customer master keys (CMKs) are used to control access to data encryption keys that encrypt and decrypt your data. You can create new keys when you want, and you can manage who has access to these keys and who can use them. You can also import keys from your own key management infrastructure into AWS KMS.

Amazon Cognito
• Amazon Cognito provides solutions to control access to AWS resources from your application. You can define roles and map users to different roles so your application can access only the resources that are authorized for each user.
• Amazon Cognito uses common identity management standards, such as Security Assertion Markup Language (SAML) 2.0. SAML is an open standard for exchanging identity and security information with applications and service providers.
• Applications and service providers that support SAML enable you to sign in by using your corporate directory credentials, such as your username and password from Microsoft Active Directory. With SAML, you can use single sign-on (SSO) to sign in to all of your SAML-enabled applications by using a single set of credentials.

AWS Shield
• AWS Shield is a managed distributed denial of service (DDoS) protection service that safeguards applications that run on AWS. It provides always-on detection and automatic inline mitigations that minimize application downtime and latency, so there is no need to engage AWS Support to benefit from DDoS protection.
• AWS Shield helps protect your website from all types of DDoS attacks, including infrastructure layer attacks (like User Datagram Protocol—or UDP—floods), state exhaustion attacks (like TCP SYN floods), and application-layer attacks (like HTTP GET or POST floods).
• AWS Shield Standard is automatically enabled for all AWS customers at no additional cost.
• AWS Shield Advanced is an optional paid service. AWS Shield Advanced provides additional protections against more sophisticated and larger attacks for your applications that run on Amazon EC2, Elastic Load Balancing, Amazon CloudFront, AWS Global Accelerator, and Amazon Route 53. AWS Shield Advanced is available to all customers. However, to contact the DDoS Response Team, customers need to have either Enterprise Support or Business Support from AWS Support.

Section 4: Securing data on AWS
Module 4: AWS Cloud Security

Encryption of data at rest
• Encryption encodes data with a secret key, which makes it unreadable
  • Only those who have the secret key can decode the data
  • AWS KMS can manage your secret keys
• AWS supports encryption of data at rest
  • Data at rest = Data stored physically (on disk or on tape)
  • You can encrypt data stored in any service that is supported by AWS KMS, including:
    • Amazon S3
    • Amazon EBS
    • Amazon Elastic File System (Amazon EFS)
    • Amazon RDS managed databases

Encryption of data in transit
• Encryption of data in transit (data moving across a network)
  • Transport Layer Security (TLS)—formerly SSL—is an open standard protocol
  • AWS Certificate Manager provides a way to manage, deploy, and renew TLS or SSL certificates
• Secure HTTP (HTTPS) creates a secure tunnel
  • Uses TLS or SSL for the bidirectional exchange of data
• AWS services support data in transit encryption.
• Two examples:

Figure: two examples of encrypted data in transit. Inside the AWS Cloud, TLS-encrypted data traffic flows between Amazon EC2 and Amazon EFS; between a corporate data center and the AWS Cloud, TLS- or SSL-encrypted traffic flows from AWS Storage Gateway to Amazon S3.

Securing Amazon S3 buckets and objects
• Newly created S3 buckets and objects are private and protected by default.
• When use cases require sharing data objects on Amazon S3 –
  • It is essential to manage and control the data access.
  • Grant permissions that follow the principle of least privilege and consider using Amazon S3 encryption.
• Tools and options for controlling access to S3 data include –
  • Amazon S3 Block Public Access feature: Simple to use.
  • IAM policies: A good option when the user can authenticate using IAM.
  • Bucket policies
  • Access control lists (ACLs): A legacy access control mechanism.
  • AWS Trusted Advisor bucket permission check: A free feature.

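As an added example (not part of the deck and not an AWS tool), here is a defender-side check of the kind the Trusted Advisor bucket permission check performs: it scans a bucket policy document for Allow statements granted to a public principal, and shows the weak policy beside a corrected one. The policy documents, bucket name, account id and role name are constructed placeholders.

```python
# Added example (not from the AWS Academy deck): flag bucket policy statements
# that open a bucket to everyone. All policy documents below are constructed.
import json


def _as_list(value):
    return value if isinstance(value, list) else [value]


def _principal_is_public(principal):
    """Principal "*" or {"AWS": "*"} means anyone, including anonymous requests."""
    if principal == "*":
        return True
    if isinstance(principal, dict):
        return "*" in _as_list(principal.get("AWS", []))
    return False


def find_public_statements(policy_document):
    """Classify each Allow statement that names a public principal.

    Returns {"public": [sids], "needs_review": [sids]}: statements without a
    Condition are public outright; statements with a Condition may be narrowed
    (for example to one VPC) and are listed for manual review instead.
    """
    policy = json.loads(policy_document) if isinstance(policy_document, str) else policy_document
    result = {"public": [], "needs_review": []}
    for index, stmt in enumerate(_as_list(policy.get("Statement", []))):
        if stmt.get("Effect") != "Allow" or not _principal_is_public(stmt.get("Principal")):
            continue
        sid = stmt.get("Sid", f"Statement[{index}]")
        result["needs_review" if stmt.get("Condition") else "public"].append(sid)
    return result


# Weak policy: every object in the bucket is readable by anyone on the internet.
WEAK_BUCKET_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [{
        "Sid": "PublicRead",
        "Effect": "Allow",
        "Principal": "*",
        "Action": "s3:GetObject",
        "Resource": "arn:aws:s3:::example-app-bucket/*",
    }],
})

# Corrected policy: the same read access, but only for one application role
# (placeholder account id and role name), plus a deny for non-TLS requests.
HARDENED_BUCKET_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "AppRoleRead",
            "Effect": "Allow",
            "Principal": {"AWS": "arn:aws:iam::111122223333:role/example-app-role"},
            "Action": "s3:GetObject",
            "Resource": "arn:aws:s3:::example-app-bucket/*",
        },
        {
            "Sid": "DenyInsecureTransport",
            "Effect": "Deny",
            "Principal": "*",
            "Action": "s3:*",
            "Resource": ["arn:aws:s3:::example-app-bucket",
                         "arn:aws:s3:::example-app-bucket/*"],
            "Condition": {"Bool": {"aws:SecureTransport": "false"}},
        },
    ],
})
```

Block Public Access, when enabled on the bucket or account, would reject the weak policy outright; this check is for reviewing policies already in place.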
Section 5: Working to ensure compliance
Module 4: AWS Cloud Security

AWS compliance programs
• Customers are subject to many different security and compliance regulations and requirements.
• AWS engages with certifying bodies and independent auditors to provide customers with detailed information about the policies, processes, and controls that are established and operated by AWS.
• Compliance programs can be broadly categorized –
  • Certifications and attestations
    • Assessed by a third-party, independent auditor
    • Examples: ISO 27001, 27017, 27018, and ISO/IEC 9001
  • Laws, regulations, and privacy
    • AWS provides security features and legal agreements to support compliance
    • Examples: EU General Data Protection Regulation (GDPR), HIPAA
  • Alignments and frameworks
    • Industry- or function-specific security or compliance requirements
    • Examples: Center for Internet Security (CIS), EU-US Privacy Shield certified

AWS Config
• AWS Config is a service that enables you to assess, audit, and evaluate the configurations of your AWS resources.
  • Continuously monitors and records your AWS resource configurations
  • Enables you to automate the evaluation of recorded configurations against desired configurations.
• You can review changes in configurations and relationships between AWS resources.
• You can also review detailed resource configuration histories, and determine your overall compliance against the configurations that are specified in your internal guidelines.
• AWS Config keeps an inventory listing of all resources that exist in the account, and it then checks for configuration rule compliance and resource compliance. Resources that are found to be noncompliant are flagged, which alerts you to the configuration issues that should be addressed within the account.

AWS Artifact
• AWS Artifact provides on-demand downloads of AWS security and compliance documents, such as AWS ISO certifications, Payment Card Industry (PCI), and Service Organization Control (SOC) reports.
• You can submit the security and compliance documents (also known as audit artifacts) to your auditors or regulators to demonstrate the security and compliance of the AWS infrastructure and services that you use.
• You can also use these documents as guidelines to evaluate your own cloud architecture and assess the effectiveness of your company's internal controls.
• You can also use AWS Artifact to review, accept, and track the status of AWS agreements.
• You can accept agreements with AWS and designate AWS accounts that can legally process restricted information.

Complete the knowledge check

Thank you

Corrections, feedback, or other questions?
Contact us at https://support.aws.amazon.com/#/contacts/aws-academy.
All trademarks are the property of their owners.