Search icon CANCEL
Subscription
0
Cart icon
Your Cart (0 item)
Close icon
You have no products in your basket yet
Arrow left icon
Explore Products
Best Sellers
New Releases
Books
Videos
Audiobooks
Learning Hub
Free Learning
Arrow right icon
Arrow up icon
GO TO TOP
Mastering AWS Security

You're reading from   Mastering AWS Security Create and maintain a secure cloud ecosystem

Arrow left icon
Product type Paperback
Published in Oct 2017
Publisher Packt
ISBN-13 9781788293723
Length 252 pages
Edition 1st Edition
Tools
Arrow right icon
Author (1):
Arrow left icon
Albert Anthony Albert Anthony
Author Profile Icon Albert Anthony
Albert Anthony
Arrow right icon
View More author details
Toc

Table of Contents (10) Chapters Close

Preface 1. Overview of Security in AWS FREE CHAPTER 2. AWS Identity and Access Management 3. AWS Virtual Private Cloud 4. Data Security in AWS 5. Securing Servers in AWS 6. Securing Applications in AWS 7. Monitoring in AWS 8. Logging and Auditing in AWS 9. AWS Security Best Practices

Customer security responsibilities

AWS shares security responsibilities with customers for all its offerings. Essentially, the customer is responsible for security of everything that they decide to put in cloud such as data, applications, resources, and so on. So network protection and instance protection for IaaS services and database protection for container services are areas that fall under customer security responsibilities. Let us look at customer security responsibilities for these three categories:

For AWS infrastructure services, the customer is responsible for the following:

  • Customer data
  • Customer application
  • Operating system
  • Network and firewall configuration
  • Customer identity and access management
  • Instance management
  • Data protection (transit, rest, and backup)
  • Ensuring high availability and auto scaling resources

For AWS container services, the customer is responsible for the following:

  • Customer data
  • Network VPC and firewall configuration
  • Customer identity and access management (DB users and table permissions)
  • Ensuring high availability
  • Data protection (transit, rest, and backup)
  • Auto scaling resources

For AWS abstract services, the customer is responsible for the following:

  • Customer data
  • Securing data at rest using your own encryption
  • Customer identity and access management

So essentially when we move from AWS infrastructure services towards AWS abstract services, customer security responsibility is limited to configuration, and operational security is handled by AWS. Moreover, AWS infrastructure services gives you many more options to integrate with on-premises security tools than AWS abstract services.

All AWS products that are offered as IaaS such as Amazon EC2, Amazon S3, and Amazon VPC are completely under customer control. These services require the customer to configure security parameters for accessing these resources and performing management tasks. For example, for EC2 instances, the customer is responsible for management of the guest operating system including updates and security patches, installation and maintenance of any application software or utilities on the instances, and security group (firewall at the instance level, provided by AWS) configuration for each instance. These are essentially the same security tasks that the customer performs no matter where their servers are located. The following figure depicts customer responsibilities for the AWS shared security responsibilities model:

Figure 9 AWS shared security model - customer responsibilities

AWS provides a plethora of security services and tools to secure practically any workloads, but the customer has to actually implement the necessary defenses using those security services and tools.

At the top of the stack lies customer data. AWS recommends that you utilize appropriate safeguards such as encryption to protect data in transit and at rest. Safeguards also include fine-grained access controls to objects, creating and controlling the encryption keys used to encrypt your data, selecting appropriate encryption or tokenization methods, integrity validation, and appropriate retention of data. Customer chooses where to place their data in cloud, meaning they choose geographical location to store their data in cloud. In AWS, this geographical location is known as region, so customer has to choose an AWS region to store their data. Customers are also responsible for securing access to this data. Data is neither replicated to another AWS Region nor moved to other AWS Region unless customer decides to do it. Essentially, customers always own their data and they have full control over encrypting it, storing it at a desired geographical location, moving it to another geographical location or deleting it.

For AWS container services such as Amazon RDS, the customer doesn't need to worry about managing the infrastructure, patch update or installation of any application software. The customer is responsible for securing access to these services using Amazon IAM. The customer is also responsible for enabling Multi-Factor Authentication (MFA) for securing their AWS account access.

As a customer, you get to decide on security controls that you want to put in place based on the sensitivity of your data and applications. You have complete ownership of your data. You get to choose from a host of tools and services available across networking, encryption, identity and access management, and compliance.

The following table shows a high-level classification of security responsibilities for AWS and the customer:

AWS Customer

Facility operations

Choice of guest operating system

Physical security

Configuring application options

Physical infrastructure

AWS account management

Network infrastructure

Configuring security groups (firewall)

Virtualization infrastructure

ACL

Hardware lifecycle management

IAM

Table 2 - AWS Security responsibilities classification
You have been reading a chapter from
Mastering AWS Security
Published in: Oct 2017
Publisher: Packt
ISBN-13: 9781788293723
Register for a free Packt account to unlock a world of extra content!
A free Packt account unlocks extra newsletters, articles, discounted offers, and much more. Start advancing your knowledge today.
Unlock this book and the full library FREE for 7 days
Get unlimited access to 7000+ expert-authored eBooks and videos courses covering every tech area you can think of
Renews at $19.99/month. Cancel anytime
Banner background image