This was my preparation note while I appeared for the AWS Solution Architect – Associate exam. I cleared it in the first attempt with a good margin. Sharing it here as I guess it helps beginners and aspirants.
Other notes in this series.
Shared Security Model
- Customer owns
  - All data.
  - OS in EC2 – patching, security updates, etc.
  - Application software.
  - Security groups, firewalls, etc.
- AWS owns
  - Host operating system – hypervisor.
  - Virtualization layer.
  - Physical infrastructure.
  - Managed services.
Identity and Access Management (IAM)
- IAM is common across regions.
- The root account is the one created with the email ID.
- When a user is created, no permissions are assigned by default. An access key and secret access key are generated by default (used for programmatic access). A password is needed to log in and has to be generated separately.
- Power users can access all AWS services except for management of groups and users within IAM.
- IAM supports users, groups, roles and policies. Groups cannot have roles.
- Policies are permissions on resources expressed in JSON format.
- The account with which the AWS account is created is called the ROOT account, usually a user ID / password.
- Within an AWS account, multiple users and groups can be created.
- Identity (Authentication)
  - Programmatic access – create an IAM user, generate an access key and use it in the program.
  - User access – create an IAM user and give them a password.
  - Federated identity solutions can also be used, such as a corporate identity provider (SAML 2.0) or even Active Directory.
  - In this case users are temporary in AWS: create roles and attach these users to those roles.
  - IAM can also work with OpenID providers such as Google, Facebook, LinkedIn, etc.
- Authorization (Permissions)
  - Permissions are called policies, usually expressed in JSON structure.
  - Policies can be attached to users, groups or even resources such as an S3 bucket.
- IAM is accessible via
  - Web interface
  - SDK
  - Web services (HTTPS endpoints).
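The three evaluation rules hiding behind "policies are JSON permissions" are worth seeing run: a new user is implicitly denied everything, an explicit Deny beats any Allow, and a power-user style policy is expressed with NotAction rather than by listing every service. The toy evaluator below is an added example written for these notes, not AWS code or a real IAM engine; it only handles Effect, Action/NotAction and Resource with wildcards (no Conditions, Principals or resource-based policies), and POWER_USER_POLICY is a constructed, simplified sketch of the idea, not the exact AWS managed policy.

```python
"""Toy evaluator for IAM identity-based policies (added example, not AWS code).

It implements only the core rules worth remembering for the exam: a request is
denied unless some attached policy allows it, an explicit Deny beats any Allow,
and Action/NotAction/Resource accept '*' and '?' wildcards. Conditions,
principals and resource-based policies are intentionally left out.
"""
import fnmatch


def _as_list(value):
    # Policy elements may be a single string or a list of strings.
    return value if isinstance(value, list) else [value]


def _matches(pattern, value):
    # IAM action names are case-insensitive; for simplicity both sides are
    # lower-cased here, including ARNs (real IAM compares ARNs as given).
    return fnmatch.fnmatchcase(value.lower(), pattern.lower())


def statement_applies(stmt, action, resource):
    """True when the statement's Action/NotAction and Resource cover the request."""
    if "Action" in stmt:
        action_hit = any(_matches(p, action) for p in _as_list(stmt["Action"]))
    else:
        # NotAction: the statement applies to every action that is NOT listed.
        action_hit = not any(_matches(p, action) for p in _as_list(stmt["NotAction"]))
    resource_hit = any(_matches(p, resource) for p in _as_list(stmt.get("Resource", "*")))
    return action_hit and resource_hit


def evaluate(policies, action, resource):
    """Return 'Allow' or 'Deny' for one (action, resource) request."""
    decision = "Deny"  # implicit deny: a freshly created IAM user has no permissions
    for policy in policies:
        for stmt in _as_list(policy["Statement"]):
            if not statement_applies(stmt, action, resource):
                continue
            if stmt["Effect"] == "Deny":
                return "Deny"  # explicit deny always wins, stop immediately
            decision = "Allow"
    return decision


# Constructed sample policies. POWER_USER_POLICY is a simplified sketch of the
# "everything except IAM user/group management" idea from the notes, not the
# exact AWS managed policy.
POWER_USER_POLICY = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "NotAction": "iam:*", "Resource": "*"}]}
S3_READ_POLICY = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": ["s3:GetObject", "s3:ListBucket"],
     "Resource": ["arn:aws:s3:::*"]}]}
DENY_SECRET_BUCKET = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Deny", "Action": "s3:*", "Resource": "arn:aws:s3:::secret-bucket/*"}]}

if __name__ == "__main__":
    # New user, nothing attached: implicit deny.
    print(evaluate([], "s3:GetObject", "arn:aws:s3:::public-bucket/a.txt"))
    # Power user: EC2 allowed, IAM denied because NotAction excludes it.
    print(evaluate([POWER_USER_POLICY], "ec2:RunInstances", "*"))
    print(evaluate([POWER_USER_POLICY], "iam:CreateUser", "*"))
    # Read access everywhere, but the explicit Deny on one bucket wins.
    print(evaluate([S3_READ_POLICY, DENY_SECRET_BUCKET], "s3:GetObject",
                   "arn:aws:s3:::secret-bucket/key"))
```

Running the module prints Deny, Allow, Deny, Deny in that order; the last case is the one that trips people up in practice, since adding more Allow statements can never override a Deny that already matches.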
EC2 and IAM
- An IAM role can be assigned to an EC2 instance only when it is created.
- Instead of storing credentials on the EC2 instance, creating the instance with the appropriate role protects against the credentials being compromised. Example – to access S3 from an EC2 instance through the AWS command line tools, create the EC2 instance with an S3 IAM role instead of storing S3 credentials on it; the instance then needs no S3 credentials at all.
IAM roles
- Roles are universal across regions, as with IAM.
Key Management Service (KMS)
- Manages keys used for encryption.
- All keys are protected with a master key.
- Customer Master Key (CMK)
  - One for every account.
  - It is generally a symmetric key.
- Data key
  - Use a data key to encrypt large objects outside AWS.
  - For every data key, AWS provides (1) a plaintext version and (2) a ciphertext of that key encrypted under the CMK.
  - Use the (1) plaintext key to encrypt the application data.
  - Attach the (2) ciphertext key to the encrypted data. To decrypt, send the (2) cipher stored with the encrypted data to AWS KMS; KMS uses the associated CMK to decrypt it and return your plaintext data key.
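The data-key flow above is envelope encryption, and the point that is easy to miss is that the plaintext data key exists only briefly on the client while the master key never leaves KMS. The code below is an added example written for these notes, not AWS code: LocalKmsStub is a constructed stand-in for KMS that exposes generate_data_key() and decrypt() with the same two-form contract (plaintext key, key encrypted under the CMK), and the cipher is a stdlib-only HMAC-SHA256 keystream with an HMAC tag so that it runs offline. Real KMS and the AWS Encryption SDK use AES-GCM; the toy cipher is here only to make the envelope pattern visible.

```python
"""Envelope encryption with a data key and a master key (added example).

LocalKmsStub stands in for AWS KMS: the Customer Master Key (CMK) never leaves
it, generate_data_key() returns a data key both (1) in plaintext and (2)
encrypted under the CMK, and decrypt() is the only way to turn (2) back into (1).
The cipher is a stdlib-only HMAC-SHA256 keystream plus an HMAC tag so the example
runs offline; real KMS and the AWS Encryption SDK use AES-GCM, and this toy
construction should not be reused outside a demo.
"""
import hashlib
import hmac
import os
import struct


def _subkeys(key):
    # Separate keys for confidentiality and integrity, derived from one data key.
    enc = hmac.new(key, b"enc", hashlib.sha256).digest()
    mac = hmac.new(key, b"mac", hashlib.sha256).digest()
    return enc, mac


def _keystream_xor(enc_key, nonce, data):
    # Counter mode: block i = HMAC(enc_key, nonce || i), XORed onto the data.
    out = bytearray()
    for i in range(0, len(data), 32):
        block = hmac.new(enc_key, nonce + struct.pack(">Q", i // 32), hashlib.sha256).digest()
        out.extend(a ^ b for a, b in zip(data[i:i + 32], block))
    return bytes(out)


def seal(key, plaintext):
    """Encrypt-then-MAC; returns nonce || ciphertext || tag."""
    enc, mac = _subkeys(key)
    nonce = os.urandom(16)
    ct = _keystream_xor(enc, nonce, plaintext)
    tag = hmac.new(mac, nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag


def unseal(key, blob):
    """Verify the tag before decrypting; raises ValueError on any tampering."""
    enc, mac = _subkeys(key)
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    if not hmac.compare_digest(tag, hmac.new(mac, nonce + ct, hashlib.sha256).digest()):
        raise ValueError("integrity check failed")
    return _keystream_xor(enc, nonce, ct)


class LocalKmsStub:
    """Stand-in for KMS: owns the CMK and never returns it to callers."""

    def __init__(self):
        self._cmk = os.urandom(32)  # constructed CMK; in AWS this lives inside KMS

    def generate_data_key(self):
        plaintext_key = os.urandom(32)
        return plaintext_key, seal(self._cmk, plaintext_key)  # (1) and (2)

    def decrypt(self, encrypted_key):
        return unseal(self._cmk, encrypted_key)


def encrypt_object(kms, data):
    """Client side: encrypt a large object locally, keep only (2) with it."""
    plaintext_key, encrypted_key = kms.generate_data_key()
    envelope = {"encrypted_key": encrypted_key, "ciphertext": seal(plaintext_key, data)}
    del plaintext_key  # (1) is discarded; only KMS can recover it from (2)
    return envelope


def decrypt_object(kms, envelope):
    """Client side: ask KMS for the data key, then decrypt the object locally."""
    plaintext_key = kms.decrypt(envelope["encrypted_key"])
    return unseal(plaintext_key, envelope["ciphertext"])


def roundtrip_ok():
    kms = LocalKmsStub()
    data = b"constructed sample record: customer=42 balance=100.00"
    envelope = encrypt_object(kms, data)
    return envelope["ciphertext"] != data and decrypt_object(kms, envelope) == data


def wrong_cmk_detected():
    # A different master key (another account's CMK) cannot unwrap the data key.
    envelope = encrypt_object(LocalKmsStub(), b"constructed sample")
    try:
        decrypt_object(LocalKmsStub(), envelope)
        return False
    except ValueError:
        return True


def tampering_detected():
    # Flipping one bit of the stored ciphertext must fail the integrity check.
    kms = LocalKmsStub()
    envelope = encrypt_object(kms, b"constructed sample")
    ct = bytearray(envelope["ciphertext"])
    ct[20] ^= 0x01
    envelope["ciphertext"] = bytes(ct)
    try:
        decrypt_object(kms, envelope)
        return False
    except ValueError:
        return True
```

Only the small encrypted data key ever goes to KMS; the large object is encrypted and decrypted locally, which is what makes the pattern practical for objects far bigger than a KMS request. The wrong_cmk_detected() check is the exam-relevant consequence: the stored (2) blob is useless without access to the CMK that wrapped it.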
Web Application Firewall (AWS WAF)
- Can be used along with CloudFront to filter out requests and protect the web server.
- Rules and conditions can be set to filter traffic.
AWS Directory Service
- AD service in the AWS cloud. Offerings include options to set up a new directory or a connector to the existing enterprise directory.
Others
- Integration with Active Directory is done through SAML.
Security whitepaper
- AWS follows the shared security model: AWS is responsible for securing the underlying cloud and you are responsible for anything you put in the cloud.
- AWS takes care of securing managed services such as Redshift, Elastic MapReduce, WorkSpaces, etc. However, account management and user access are your responsibility.
- IaaS such as Amazon EC2, Amazon VPC and Amazon S3 are under your control and require you to perform all of the necessary security configuration.
- Storage decommissioning.
- Network security – VPC, VPN to the customer data center, subnets, etc. Supports HTTPS.
- AWS out-of-the-box network security protects against
  - DDoS
  - Man in the middle
  - IP spoofing
  - Port scanning
  - Packet sniffing by other tenants
- AWS needs to be informed in advance of any vulnerability scan.
- For content served through CloudFront, it is possible to secure the content using X.509 certificates.
- Disks are scrubbed (set to 0) when unallocated. Memory is also scrubbed by the hypervisor before being returned to the pool.
- AWS does not have any access to your instances.
- Inbound traffic is denied by default by security groups.
- EBS encryption is available on powerful EC2 instance types such as M3, C3, R3 and G2.
- ELBs allow termination of HTTPS/SSL.
- The AWS risk management mechanism is revisited once every 6 months (biannually).
- For customer vulnerability scans, AWS needs to be informed; otherwise it is a violation.
- AWS compliance – SOC 1, SOC 2, SOC 3, PCI DSS Level 1 (payment card industry), ISO 27001, ISO 9001.