AWS: Security Best Practices on AWS: Learn to secure your data, servers, and applications with AWS

In this lesson, we will learn about protecting data in the AWS platform for various AWS services. To begin with, we will go over the fundamentals of encryption and decryption and how encryption and decryption of data work in AWS. Post that, we will start with security features for securing data in transit and at rest for each of the following AWS services:

We will look at data encryption in AWS and we will learn about three models that are available for managing keys for encryption and how we can use these models for encrypting data in various AWS services such as, AWS S3, Amazon EBS, AWS Storage Gateway, Amazon RDS, and so on.

Next, we will deep dive on AWS KMS and go through KMS features and major KMS components.

Furthermore, we will go through the AWS CloudHSM service with its benefits and popular use cases.

Lastly...

Encryption of data can be defined as converting data known as plaintext into code, often known as ciphertext that is unreadable by anyone except the intended audience. Data encryption is the most popular way of adding another layer of security for preventing unauthorized access and use of data. Encryption is a two-step process: in the first step, data is encrypted using a combination of an encryption key and an encryption algorithm, in the second step, data is decrypted using a combination of a decryption key and a decryption algorithm to view data in its original form.

The following three components are required for encryption. These three components work hand in hand for securing your data.

There are two types of encryption available, symmetric and asymmetric. Asymmetric encryption is also known as public key encryption. Symmetric encryption uses...

You might be required to encrypt your data at rest for all AWS services or for some of the AWS storage services depending on your organizational policies, industry or government regulations, compliance, or simply for adding another layer of security for your data. AWS provides several options for encrypting data at rest including fully automated and fully managed AWS encryption solutions, manual encryption solutions, client-side encryption, and so on. In this section, we are going to go over these options for each AWS storage service.

Most of the web applications that are hosted on AWS will be sending data over the internet and it is imperative to protect data in transit. This transit will involve network traffic between clients and servers, and network traffic between servers. So data in transit needs to be protected at the network layer and the session layer.

AWS services provide IPSec and SSL/TLS support for securing data in transit. An IPSec protocol extends the IP protocol stack primarily for the network layer and allows applications on the upper layers to communicate securely without modification. The SSL/TLS, however, operates at the session layer.

The Transport Layer Security (TLS) is a standard set of protocols for securing communications over a network. TLS has evolved from Secure Sockets Layer (SSL) and is considered to be a more refined system.

Let us look at options to secure network traffic in AWS for various AWS services.

AWS KMS is a fully managed service that supports encryption for your data at rest and data in transit while working with AWS services. AWS KMS lets you create and manage keys that are used to encrypt your data. It provides a fully managed and highly available key storage, management and auditing solution that can be used to encrypt data across AWS services as well as to encrypt data within your applications. It is low cost as default keys are stored in your account at no charge – you pay for key usage and for creating any additional master keys.

AWS and AWS partners offer various options such as AWS KMS to protect your data in AWS. However, due to contractual, regulatory compliance, or corporate requirements for security of an application or sensitive data, you might need additional protection. AWS CloudHSM is a cloud-based dedicated, single-tenant HSM allowing you to include secure key storage and high-performance crypto operations to your applications on the AWS platform. It enables you to securely generate, store, manage, and protect encryption keys in a way that these keys are accessible only by you or authorized users that only you specify and no one else.

AWS CloudHSM is a fully managed service that takes care of administrative, time-consuming tasks such as backups, software updates, hardware provisioning, and high availability by automating these tasks. However, AWS does not have any access to configure, create, manage, or use your CloudHSM. You can quickly scale by adding or removing HSM capacity on-demand with...

Let us look at some features of the AWS CloudHSM service.

A CloudHSM cluster can store up to 3,500 keys of any type or size. It integrates with AWS CloudTrail so all activities related to CloudHSM are logged and you can get a history of all AWS API calls made to CloudHSM.

With so many features and benefits, AWS CloudHSM has many use cases when it comes to securing your data. Let us look at some of the most popular use cases for this service.

Amazon Macie is the newest security service powered by Artificial Intelligence launched by AWS that uses machine learning to identify, categorize, and secure your sensitive data that is stored in S3 buckets. It continuously monitors your data and sends alerts when it detects an anomaly in the usage or access patterns. It uses templated Lambda functions for either sending alerts, revoking unauthorized access, or resetting password policies upon detecting suspicious behavior.

As of now, Amazon Macie supports S3 and CloudTrail with the support for more services such as EC2, DynamoDB, RDS, Glue is planned in the near future. Let us look at two important features of Amazon Macie.

Data security is one of the major requirements for most of the AWS users. The AWS platform provides multiple options to secure data in their data storage services for data at rest and data in transit. We learned about securing data for most popular storage services such as AWS S3, AWS RDS, and so on.

We learned the fundamentals of data encryption and how AWS KMS provides a fully managed solution for creating encryption keys, managing, controlling, and auditing usage of these encryption keys.

We also learned about AWS CloudHSM, a dedicated hardware appliance to store your encryption keys for corporate or regulatory compliance. We went through various features of CloudHSM and the most popular use cases for this service.

Lastly, we went through Amazon Macie, a newly launched data security service that uses machine learning for protecting your critical data by automatically detecting and classifying it.

The AWS EC2 service provides compute or servers in AWS for purposes such as web servers...