Security

Summary

Shared Responsibility Model

Under the Shared Responsibility Model :
– AWS controls security “of” the cloud (physical data centers, hardware, and the software that runs the AWS services)
– the AWS customer controls security “in” the cloud (operating system patching, network and firewall configuration, network traffic protection, data encryption, and IAM permissions)


When you create an AWS account, you are given what is called the AWS account root user. The root user is the owner of the AWS account and has permission to do anything inside that account : it can access and control any resource in the account.
It is considered good practice to turn on Multi-Factor Authentication (MFA) for the root user so that not only an email and password but also a randomized token is needed to log in. Because the root user cannot be restricted by IAM policies, it should be used only for the few tasks that require it, with day-to-day work done through IAM identities.

AWS Identity and Access Management (AWS IAM) enables you to manage access to AWS services and resources securely.
IAM allows you to create users. By default, a newly created IAM user has no permissions : the user cannot even log in to the AWS account until credentials and permissions are assigned.
Principle of least privilege : a user is granted access only to what they need to do their job, and nothing more.
An IAM policy is a JSON document that describes which API calls a user can or cannot make. An explicit Deny in any applicable policy overrides an Allow, and anything that is not explicitly allowed is denied.
IAM groups are a way to make it easier to manage users and their permissions : a policy attached to a group applies to every user in it.
IAM roles are AWS identities that have associated permissions to allow or deny specific actions. Roles are assumed for a temporary amount of time and hand out short-lived credentials. Roles are similar to users, but have no long-term credentials of their own (no username and password, no access keys).

AWS Organizations : a central location to manage multiple AWS accounts

AWS Organizations provides :
– centralized management of all AWS accounts
– consolidated billing for AWS accounts
– hierarchical grouping of AWS accounts to meet security, compliance or budgeting needs
– access control over AWS services and API actions (with Service Control Policies (SCPs) you specify the maximum permissions available to member accounts in the organization. An SCP never grants permissions on its own, it only caps what the IAM policies inside the account can grant, and SCPs do not apply to the management account)

An important entity in AWS Organizations is the organizational unit (OU) : accounts can be grouped into organizational units to make it easier to manage accounts with similar business or security requirements. An SCP attached to an OU applies to every account in it, including accounts in nested OUs.
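The following is an added worked example in Python (my own code, not AWS's) that models how the IAM rules above and the SCP cap from AWS Organizations combine for one request : explicit Deny wins, a user with no policy is implicitly denied, and in a member account every OU level from the root down must also allow the action through its SCPs. It deliberately leaves out resource policies, permission boundaries, session policies, NotAction/NotResource and Condition elements. The bucket names, the CloudTrail trail ARN and the account id 123456789012 are hypothetical.

```python
"""Simplified IAM decision logic with Service Control Policies (SCPs).

Added example, not AWS code. Modelled rules:
  1. an explicit Deny in any applicable policy wins,
  2. otherwise an explicit Allow from an identity policy is required
     (a new IAM user with no policies gets the implicit deny),
  3. in a member account, every OU level (root first) must also Allow the
     action through its SCPs; SCPs only cap, they never grant.
"""
import fnmatch


def _matches(patterns, value, ignore_case):
    """IAM-style wildcard match ('*' and '?'); action names are case-insensitive."""
    if isinstance(patterns, str):
        patterns = [patterns]
    if ignore_case:
        return any(fnmatch.fnmatchcase(value.lower(), p.lower()) for p in patterns)
    return any(fnmatch.fnmatchcase(value, p) for p in patterns)


def evaluate_policy(policy, action, resource):
    """Return 'Deny', 'Allow' or None (no statement matched) for one document."""
    statements = policy["Statement"]
    if isinstance(statements, dict):      # IAM accepts a single statement object
        statements = [statements]
    decision = None
    for stmt in statements:
        if not (_matches(stmt["Action"], action, True)
                and _matches(stmt["Resource"], resource, False)):
            continue
        if stmt["Effect"] == "Deny":
            return "Deny"                 # explicit deny beats any Allow
        decision = "Allow"
    return decision


def _decide(policies, action, resource):
    """Combine all policies evaluated at the same level."""
    results = [evaluate_policy(p, action, resource) for p in policies]
    if "Deny" in results:
        return "Deny"
    if "Allow" in results:
        return "Allow"
    return None                           # implicit deny


def is_allowed(identity_policies, action, resource, scp_levels=()):
    """scp_levels: the SCPs attached at each OU level, root first, account last."""
    if _decide(identity_policies, action, resource) != "Allow":
        return False
    return all(_decide(level, action, resource) == "Allow" for level in scp_levels)


# Constructed sample documents (bucket names and account id are hypothetical).
READ_LOGS_ONLY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow", "Action": ["s3:GetObject", "s3:ListBucket"],
         "Resource": ["arn:aws:s3:::app-logs", "arn:aws:s3:::app-logs/*"]},
        {"Effect": "Deny", "Action": "s3:DeleteObject",
         "Resource": "arn:aws:s3:::app-logs/*"},
    ],
}
# Same shape as the managed AdministratorAccess policy and as the default
# FullAWSAccess SCP that Organizations attaches to every root and OU.
FULL_ACCESS = {"Version": "2012-10-17",
               "Statement": [{"Effect": "Allow", "Action": "*", "Resource": "*"}]}
# SCP on a workloads OU: nobody in those accounts may switch CloudTrail off.
PROTECT_CLOUDTRAIL = {"Version": "2012-10-17",
                      "Statement": [{"Effect": "Deny", "Resource": "*",
                                     "Action": ["cloudtrail:StopLogging",
                                                "cloudtrail:DeleteTrail"]}]}
ORG_SCPS = [[FULL_ACCESS], [FULL_ACCESS, PROTECT_CLOUDTRAIL]]   # root, then OU
TRAIL = "arn:aws:cloudtrail:eu-west-1:123456789012:trail/main"


def demo():
    obj = "arn:aws:s3:::app-logs/2024/app.log"
    return {
        "analyst_get": is_allowed([READ_LOGS_ONLY], "s3:GetObject", obj, ORG_SCPS),
        "analyst_delete": is_allowed([READ_LOGS_ONLY], "s3:DeleteObject", obj, ORG_SCPS),
        "analyst_put": is_allowed([READ_LOGS_ONLY], "s3:PutObject", obj, ORG_SCPS),
        "analyst_other_bucket": is_allowed([READ_LOGS_ONLY], "s3:GetObject",
                                           "arn:aws:s3:::secrets/db.key", ORG_SCPS),
        "no_policy": is_allowed([], "s3:GetObject", obj, ORG_SCPS),
        "admin_stop_trail_in_org": is_allowed([FULL_ACCESS], "cloudtrail:StopLogging", TRAIL, ORG_SCPS),
        "admin_stop_trail_no_scp": is_allowed([FULL_ACCESS], "cloudtrail:StopLogging", TRAIL),
    }


if __name__ == "__main__":
    for name, allowed in demo().items():
        print(f"{name:26} {'ALLOW' if allowed else 'DENY'}")
```

The last two entries of `demo()` make the SCP point concrete : an account administrator with full access can stop CloudTrail in a standalone account, but inside the organization the OU-level SCP caps that permission even though the identity policy allows it.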


AWS Artifact is a service that provides on-demand access to AWS security and compliance reports and select online agreements. AWS Artifact consists of two main sections :
– AWS Artifact Agreements
– AWS Artifact Reports


A DDoS (Distributed Denial-of-Service) attack is a deliberate attempt to make a website or application unavailable to users by overwhelming its capacity to the point where it can no longer operate. To help minimize the effect of DDoS attacks on your applications, you can use AWS Shield, a service that protects applications from DDoS attacks. AWS Shield provides two levels of protection :
– AWS Shield Standard (automatically protects all AWS customers at no cost. It protects your AWS resources from the most common, frequently occurring types of DDoS attacks at the network and transport layers)
– AWS Shield Advanced (paid service that provides detailed attack diagnostics and the ability to detect and mitigate sophisticated DDoS attacks. It also integrates with other services such as Amazon CloudFront, Amazon Route 53, and Elastic Load Balancing. Additionally, you can integrate AWS Shield Advanced with AWS WAF and write custom rules to mitigate complex, application-layer DDoS attacks.)


Encryption is securing a message or data in a way that only authorized parties can access it.
AWS Key Management Service (AWS KMS) enables you to perform encryption operations through the use of cryptographic keys. AWS KMS can be used to create, manage and use cryptographic keys : you control who may use which key through key policies and IAM, and the keys themselves never leave KMS unencrypted.

Amazon Inspector helps improve the security and compliance of applications deployed on AWS by running automated security assessments against your infrastructure (for example checking for known vulnerabilities and deviations from security best practices). Amazon Inspector consists of 3 parts :
– a network configuration reachability piece
– an Amazon agent
– a security assessment service

Amazon GuardDuty is a service that provides intelligent threat detection for your AWS infrastructure and resources. It identifies threats by continuously monitoring the network activity and account behavior within your AWS environment.

After you have enabled GuardDuty for your AWS account, GuardDuty begins monitoring your network and account activity. You do not have to deploy or manage any additional security software. GuardDuty then continuously analyzes data from multiple AWS sources, including VPC Flow Logs, DNS logs and AWS CloudTrail event logs.

If GuardDuty detects any threats, you can review detailed findings about them in the AWS Management Console. Findings include recommended steps for remediation. You can also route findings through Amazon EventBridge to AWS Lambda functions that take remediation steps automatically in response to GuardDuty’s security findings.
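To make concrete what "analyzing VPC Flow Logs" can yield, here is an added example in Python (my own code, not GuardDuty's, whose detection logic is managed by AWS and not published). It parses default-format VPC Flow Log records and flags a source address that gets REJECTed on many distinct ports of one host within a short window, the classic port-probe signal. The sample records, the account id, the ENI id, the VPC range 10.0.0.0/16 and the "PortProbe" label are all constructed for this example and are not GuardDuty finding types.

```python
"""Port-probe detection over VPC Flow Log records.

Added example, not GuardDuty's code. Shows the kind of signal a detector can
derive from VPC Flow Logs (one of GuardDuty's data sources): one source
address REJECTed on many distinct ports of one host within a short window.
"""
import ipaddress
from collections import defaultdict

# Default VPC Flow Log record format (version 2), space separated.
FLOW_LOG_FIELDS = ["version", "account_id", "interface_id", "srcaddr", "dstaddr",
                   "srcport", "dstport", "protocol", "packets", "bytes",
                   "start", "end", "action", "log_status"]
VPC_CIDR = ipaddress.ip_network("10.0.0.0/16")    # assumed VPC range for this example

# Constructed sample records (account id, ENI id and addresses are made up).
SAMPLE_FLOW_LOGS = """\
2 123456789012 eni-0a1b2c3d4e5f6a7b8 198.51.100.7 10.0.1.5 51234 22 6 1 40 1700000000 1700000060 REJECT OK
2 123456789012 eni-0a1b2c3d4e5f6a7b8 198.51.100.7 10.0.1.5 51235 23 6 1 40 1700000005 1700000060 REJECT OK
2 123456789012 eni-0a1b2c3d4e5f6a7b8 198.51.100.7 10.0.1.5 51236 80 6 1 40 1700000010 1700000060 REJECT OK
2 123456789012 eni-0a1b2c3d4e5f6a7b8 198.51.100.7 10.0.1.5 51237 443 6 8 1200 1700000012 1700000060 ACCEPT OK
2 123456789012 eni-0a1b2c3d4e5f6a7b8 198.51.100.7 10.0.1.5 51238 3389 6 1 40 1700000015 1700000060 REJECT OK
2 123456789012 eni-0a1b2c3d4e5f6a7b8 198.51.100.7 10.0.1.5 51239 8080 6 1 40 1700000020 1700000060 REJECT OK
2 123456789012 eni-0a1b2c3d4e5f6a7b8 10.0.1.23 10.0.1.5 40123 443 6 10 2400 1700000030 1700000090 ACCEPT OK
2 123456789012 eni-0a1b2c3d4e5f6a7b8 203.0.113.9 10.0.1.5 44000 22 6 1 40 1700000040 1700000100 REJECT OK
2 123456789012 eni-0a1b2c3d4e5f6a7b8 - - - - - - - 1700000000 1700000060 - NODATA
"""


def parse_flow_log(text):
    """Parse default-format records; NODATA/SKIPDATA lines carry no traffic fields."""
    records = []
    for line in text.splitlines():
        fields = line.split()
        if len(fields) != len(FLOW_LOG_FIELDS):
            continue
        rec = dict(zip(FLOW_LOG_FIELDS, fields))
        if rec["log_status"] != "OK":
            continue
        for key in ("srcport", "dstport", "packets", "bytes", "start", "end"):
            rec[key] = int(rec[key])
        records.append(rec)
    return records


def detect_port_probes(records, min_ports=5, window_seconds=300):
    """Flag (src, dst) pairs with >= min_ports distinct REJECTed ports inside a window."""
    rejects = defaultdict(list)
    for rec in records:
        if rec["action"] == "REJECT":
            rejects[(rec["srcaddr"], rec["dstaddr"])].append(rec)

    findings = []
    for (src, dst), recs in rejects.items():
        recs.sort(key=lambda r: r["start"])
        left = 0
        for right in range(len(recs)):
            while recs[right]["start"] - recs[left]["start"] > window_seconds:
                left += 1                      # slide the window forward in time
            window = recs[left:right + 1]
            ports = sorted({r["dstport"] for r in window})
            if len(ports) >= min_ports:
                external = ipaddress.ip_address(src) not in VPC_CIDR
                findings.append({
                    "type": "PortProbe",       # this example's own label
                    "severity": "high" if external else "medium",
                    "source": src, "target": dst, "ports": ports,
                    "first_seen": window[0]["start"], "last_seen": window[-1]["start"],
                })
                break                          # one finding per (src, dst) pair
    return findings


def run_detection(text=SAMPLE_FLOW_LOGS):
    return detect_port_probes(parse_flow_log(text))


if __name__ == "__main__":
    for finding in run_detection():
        print(finding)
```

On the sample data only 198.51.100.7 is flagged : its five rejected ports fall inside one window, while the single rejected SSH attempt from 203.0.113.9 stays below the threshold and the accepted internal connection is ignored. In AWS itself the equivalent GuardDuty finding would be delivered through Amazon EventBridge, so a remediating Lambda function receives a finding event rather than the raw flow log records.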
