You're reading from The Self-Taught Cloud Computing Engineer

Product type: Book
Published in: Sep 2023
Publisher: Packt
ISBN-13: 9781805123705
Edition: 1st Edition

Author: Dr. Logan Song

Dr. Logan Song is the enterprise cloud director and chief cloud architect at Dito. With 25+ years of professional experience, Dr. Song is highly skilled in enterprise information technologies, specializing in cloud computing and machine learning. He is a Google Cloud-certified professional solution architect and machine learning engineer, an AWS-certified professional solution architect and machine learning specialist, and a Microsoft-certified Azure solution architect expert. Dr. Song holds a Ph.D. in industrial engineering, an MS in computer science, and an ME in management engineering. Currently, he is also an adjunct professor at the University of Texas at Dallas, teaching cloud computing and machine learning courses.

Amazon Cloud Security Services

Information security is the protection of data and resources, including sensitive information, computer systems, and networks, from unauthorized access, disruption, theft, or damage. Security also means preventing attacks and responding quickly and effectively if an attack does occur. Effective security requires a combination of people, technologies, and processes.

Amazon Cloud Security protects data and resources on the AWS cloud platform. AWS provides a comprehensive cloud security model and a set of services to help customers secure their cloud-based applications and infrastructure. In this chapter, we will discuss the following topics:

  • AWS cloud security model: The provider is responsible for the security of the cloud, and the customer is responsible for security in the cloud.
  • AWS Identity and Access Management: A cloud security service that enables customers to centrally manage access to AWS resources and services. Access is the first line of...

Amazon cloud security model

The AWS shared responsibility model defines the responsibilities of AWS and its customers. AWS is responsible for the security of the cloud, including the physical infrastructure, network, hypervisor, and so on that supports the customer’s applications and data. The customer is responsible for security in the cloud, including the customer’s data, applications, and other configurations that are hosted on the AWS infrastructure, such as access management, firewall configuration, data encryption, and so on.

Based on the shared responsibilities, AWS provides a multi-layered security model to protect customer data and resources in the cloud, including the following layers:

  • Physical/hardware: AWS data centers are designed and managed to comply with security standards and regulations by employing physical security equipment such as access control systems, surveillance cameras, and perimeter fencing to prevent unauthorized access. These are...

Amazon IAM

IAM manages resource identity and accessibility, including authentication, authorization, and accounting.

Authentication is verifying an identity before it is granted access to an information system. One of the important security features of IAM is that it supports Multi-Factor Authentication (MFA), which requires users to provide a second form of authentication, such as a one-time token or a biometric identity, in addition to their username and password. IAM also supports identity federation, which allows customers to integrate their existing identity management systems with AWS, enabling users to sign in to AWS using their existing credentials, such as Google or Meta logins, and so on.

Authorization is what a user is permitted to do once they have been authenticated in the system. With IAM, customers can create and manage AWS users and groups, and define permissions that grant or restrict access to specific AWS resources. Authorization defines who can perform which actions on what resources...
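To make the authorization rule concrete, here is an added example (not code from the book) that applies the IAM evaluation order an identity-based policy follows: an explicit Deny in any applicable statement wins, otherwise any Allow grants the request, and with no applicable statement the result is the implicit default deny. The policy document is constructed for the example; the bucket name and ARNs are made up, and Condition blocks are deliberately left out.

```python
import fnmatch

# Constructed sample policies (not from the book): one identity policy that
# allows reading one bucket, explicitly denies object deletion everywhere,
# and allows read-only EC2 calls via a wildcard action.
SAMPLE_POLICIES = [
    {
        "Version": "2012-10-17",
        "Statement": [
            {
                "Effect": "Allow",
                "Action": ["s3:GetObject", "s3:ListBucket"],
                "Resource": [
                    "arn:aws:s3:::example-bucket",
                    "arn:aws:s3:::example-bucket/*",
                ],
            },
            {"Effect": "Deny", "Action": "s3:DeleteObject", "Resource": "*"},
            {"Effect": "Allow", "Action": "ec2:Describe*", "Resource": "*"},
        ],
    }
]


def _as_list(value):
    """IAM lets Action/Resource be a string or a list; normalize to a list."""
    return value if isinstance(value, list) else [value]


def _matches(patterns, value):
    """IAM wildcards: '*' matches any run of characters (including ':' and '/'),
    '?' matches one character. fnmatchcase gives exactly that for ARNs."""
    return any(fnmatch.fnmatchcase(value, p) for p in _as_list(patterns))


def _statement_applies(stmt, action, resource):
    """True when the statement's Action/NotAction and Resource/NotResource
    cover the request. Action names are case-insensitive, ARNs are not.
    Condition blocks are out of scope for this example."""
    action_lc = action.lower()
    if "Action" in stmt:
        action_hit = _matches([a.lower() for a in _as_list(stmt["Action"])], action_lc)
    else:
        action_hit = not _matches([a.lower() for a in _as_list(stmt["NotAction"])], action_lc)
    if "Resource" in stmt:
        resource_hit = _matches(stmt["Resource"], resource)
    else:
        resource_hit = not _matches(stmt["NotResource"], resource)
    return action_hit and resource_hit


def evaluate(policies, action, resource):
    """IAM evaluation order for identity-based policies: an explicit Deny in
    any applicable statement wins; otherwise any Allow grants the request;
    with no applicable statement the result is the implicit default deny."""
    decision = "ImplicitDeny"
    for policy in policies:
        for stmt in _as_list(policy["Statement"]):
            if not _statement_applies(stmt, action, resource):
                continue
            if stmt["Effect"] == "Deny":
                return "ExplicitDeny"  # a Deny overrides every Allow
            decision = "Allow"
    return decision


if __name__ == "__main__":
    for act, res in [
        ("s3:GetObject", "arn:aws:s3:::example-bucket/report.csv"),
        ("s3:DeleteObject", "arn:aws:s3:::example-bucket/report.csv"),
        ("s3:PutObject", "arn:aws:s3:::example-bucket/report.csv"),
        ("ec2:DescribeInstances", "*"),
    ]:
        print(f"{act:24} {res:45} -> {evaluate(SAMPLE_POLICIES, act, res)}")
```

The point to notice is that `s3:PutObject` is refused even though nothing denies it: a request that no statement covers falls through to the implicit deny, which is why least privilege in IAM is achieved by granting narrowly rather than by enumerating denies.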

AWS infrastructure security

The basic unit of AWS infrastructure is the 12-digit AWS account that we have been logging in to and configuring our cloud services with. When you have many AWS accounts, it is necessary to have an infrastructure hierarchy – called AWS Organizations – to manage these accounts. In this section, we will first discuss the AWS resource organization hierarchy and security policies, and then inspect security for the AWS basic infrastructure components: EC2, S3, VPC, databases, and many others.

AWS Organizations

AWS Organizations consolidates multiple accounts into a central management unit, to manage business budgets, security, and compliance. With AWS Organizations, you can do the following:

  • Automate AWS account creation and management using AWS APIs
  • Consolidate billing and perform cost management across many AWS accounts, at various levels of your organization

With IAM policies, you can manage permissions for AWS users...

Amazon data encryption

Data encryption is a must for securing sensitive data in the cloud. As we have discussed, almost all the AWS cloud data services provide data encryption. In this section, we will spend time introducing AWS KMS and explain how it is leveraged in S3 object encryption using an example.

KMS is a fully managed service to manage encryption keys. It is designed to simplify the process of creating and managing encryption keys, whether they are stored in Amazon S3, EBS, RDS, or other services. AWS KMS provides the following:

  • Centralized key management: With AWS KMS, you can centrally manage encryption keys used to protect your data across multiple AWS services and applications.
  • Customizable key policies: You can set fine-grained access controls on your encryption keys to define who can use them and under what conditions.
  • Encryption key creation: AWS KMS enables you to create new encryption keys, import your own keys, and manage the lifecycle of your...

AWS logging, monitoring, and incident handling

Logging and monitoring are everywhere in the AWS cloud. As we discussed earlier, the third A in AWS cloud’s AAA provides traceability of all activities in the cloud. We also introduced CloudTrail and analyzed the CloudTrail logs generated in the encryption and decryption process. In this section, we will explore further the AWS security services related to cloud resource logging and monitoring.

While CloudTrail records the API calls made within a customer’s AWS account, enabling customers to monitor and audit activity in their accounts, Amazon CloudWatch is a managed service for monitoring, storing, accessing, and analyzing logs and metrics from AWS services and from customers’ own applications, such as EC2 instances, RDS databases, Lambda functions, and more, giving insight into the health and performance of applications and infrastructure. Some of the most important features of the AWS cloud are...
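CloudTrail records are only useful if something reads them. The following added example (not from the book) runs three simple detection rules over CloudTrail-style records: a successful console login without MFA, a mutating API call in a region the account does not normally use, and a KMS call that failed authorization. The records are constructed for the example (field names follow the CloudTrail event schema, values are made up), and the allowed-region set is an assumption a real deployment would configure.

```python
import json

# Assumption for this example: the account is expected to operate only in
# these regions; anything mutating elsewhere is worth a look.
ALLOWED_REGIONS = {"us-east-1", "us-west-2"}

# Constructed CloudTrail-style records (made-up values; field names follow
# the CloudTrail event schema). Not real log output.
SAMPLE_TRAIL = json.dumps({"Records": [
    {"eventTime": "2023-09-01T01:12:44Z", "eventSource": "signin.amazonaws.com",
     "eventName": "ConsoleLogin", "awsRegion": "us-east-1",
     "sourceIPAddress": "203.0.113.5",
     "userIdentity": {"type": "IAMUser", "userName": "alice"},
     "responseElements": {"ConsoleLogin": "Success"},
     "additionalEventData": {"MFAUsed": "No"}},
    {"eventTime": "2023-09-01T01:13:10Z", "eventSource": "ec2.amazonaws.com",
     "eventName": "RunInstances", "awsRegion": "ap-southeast-2",
     "sourceIPAddress": "203.0.113.5",
     "userIdentity": {"type": "IAMUser", "userName": "alice"}},
    {"eventTime": "2023-09-01T01:15:00Z", "eventSource": "kms.amazonaws.com",
     "eventName": "Decrypt", "awsRegion": "us-east-1",
     "sourceIPAddress": "203.0.113.5",
     "userIdentity": {"type": "IAMUser", "userName": "alice"},
     "errorCode": "AccessDeniedException"},
    {"eventTime": "2023-09-01T02:00:00Z", "eventSource": "s3.amazonaws.com",
     "eventName": "GetObject", "awsRegion": "us-east-1",
     "sourceIPAddress": "10.0.1.20",
     "userIdentity": {"type": "AssumedRole",
                      "arn": "arn:aws:sts::123456789012:assumed-role/R3/i-0abc"}},
]})

# Read-only API names start with one of these; everything else is treated as mutating.
READ_ONLY_PREFIXES = ("Describe", "List", "Get", "Head")


def _who(event):
    """Best available name for the principal behind an event."""
    ident = event.get("userIdentity", {})
    return ident.get("userName") or ident.get("arn") or ident.get("type", "unknown")


def detect(trail_json, allowed_regions=ALLOWED_REGIONS):
    """Run three simple rules over CloudTrail records and return findings as
    (rule, principal, detail) tuples."""
    findings = []
    for ev in json.loads(trail_json)["Records"]:
        who = _who(ev)
        # Rule 1: successful console login where MFA was not used.
        if (ev["eventName"] == "ConsoleLogin"
                and ev.get("responseElements", {}).get("ConsoleLogin") == "Success"
                and ev.get("additionalEventData", {}).get("MFAUsed") != "Yes"):
            findings.append(("console-login-without-mfa", who, ev["sourceIPAddress"]))
        # Rule 2: a mutating API call in a region the account does not use.
        if (ev["awsRegion"] not in allowed_regions
                and not ev["eventName"].startswith(READ_ONLY_PREFIXES)):
            findings.append(("mutating-call-in-unexpected-region", who,
                             f'{ev["eventName"]} in {ev["awsRegion"]}'))
        # Rule 3: a KMS call that failed authorization.
        if ev["eventSource"] == "kms.amazonaws.com" and "errorCode" in ev:
            findings.append(("kms-access-denied", who,
                             f'{ev["eventName"]}: {ev["errorCode"]}'))
    return findings


def by_principal(findings):
    """Count findings per principal: one identity tripping several rules in a
    short window is a stronger signal than any single rule."""
    counts = {}
    for _, who, _ in findings:
        counts[who] = counts.get(who, 0) + 1
    return counts


if __name__ == "__main__":
    found = detect(SAMPLE_TRAIL)
    for rule, who, detail in found:
        print(f"{rule:38} {who:8} {detail}")
    print(by_principal(found))
```

In production the same rules would be expressed as CloudWatch Logs metric filters or EventBridge rules on the CloudTrail stream rather than a batch script, but the logic is the same: pick the fields that distinguish normal from abnormal and alert when several fire for one principal.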

Case study – an AWS threat detection and incident handling ecosystem

Having introduced the Amazon logging and monitoring services in the last section, we will now conduct a case study of an actual security incident and how it was handled, by introducing an automatic threat detection and remediation system that the author developed for an AWS customer.

CloudSpace is an Amazon enterprise customer that functions as a reseller of AWS services to end customers, with over 4,000 AWS accounts in total. During 2017-2018, CloudSpace experienced three cases of account compromise. Three accounts were compromised in the first attack in November 2017, and four more in the second attack in March 2018. The third incident occurred in August 2018, when another five accounts were compromised. These incidents led to about $200,000 in losses. Investigations thereafter revealed that no threat-detection services were enabled and the Amazon fraud detection team’s customer notifications...

Summary

In this chapter, we started with the Amazon cloud security model, then discussed IAM, which manages authentication, authorization, and auditing. We dived into AWS cloud infrastructure security, which protects cloud resources such as EC2, S3, and RDS, and data security, which is about data encryption and key management. We further explored AWS data encryption and the cloud monitoring and logging services, and ended with a case study about an AWS automatic cloud threat detection and remediation ecosystem.

We have now concluded Part 1 of the book: Learning the Amazon Cloud. In the next part, we will explore Google Cloud Platform.

Practice questions

Questions 1-10 are based on the AWS architecture shown in Figure 7.15. There is a cloud admin in company ABC, which has 10,000 EC2 instances in its AWS cloud. The diagram shows the three VPCs in the cloud admin account. All networks are configured correctly. The cloud admin created an EC2 role, R3, that can access the S3 bucket named B3 in us-east-1. EC2-1 has a security group named sg. Subnet1 has a network access control list named nacl:

Figure 7.15 – AWS Networking Architecture

1. They are looking for a place to securely store a connection string to RDS1. What do you suggest?

A. EBS

B. Parameter store

C. DynamoDB

D. RDS

2. They couldn’t ping EC2-1 from their home laptop, and they found the following in the AWS VPC flow log:

2 123456789010 eni-1235b8ca123456789 204.0.113.12 173.31.16.139 0 0 1 4 336 1432917027 1432917142 ACCEPT OK

2 123456789010 eni-1235b8ca123456789 173.31.16.139 204.0.113.12 0 0 1...
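Reading flow log lines by eye is error-prone, so here is an added example (not from the book, and not using the question's data) that parses the default version-2 flow log format and classifies an ICMP reachability problem from the records on one ENI. The sample lines are constructed with made-up account and interface IDs and documentation IP ranges. The classification relies on one fact a troubleshooter needs: security groups are stateful (a reply to an accepted request is always allowed back out), while network ACLs are stateless (the reply must pass the outbound rules on its own).

```python
from dataclasses import dataclass
from typing import Optional

# Default VPC flow log format, version 2, space-separated (14 fields).
FIELDS = ["version", "account_id", "interface_id", "srcaddr", "dstaddr",
          "srcport", "dstport", "protocol", "packets", "bytes",
          "start", "end", "action", "log_status"]
PROTOCOL_NAMES = {1: "ICMP", 6: "TCP", 17: "UDP"}

# Constructed sample records (made-up IDs, documentation IP ranges). Not the
# lines from the practice question.
SAMPLE_FLOW_LOG = """\
2 123456789012 eni-0a1b2c3d4e5f67890 203.0.113.12 172.31.16.139 0 0 1 4 336 1432917027 1432917142 ACCEPT OK
2 123456789012 eni-0a1b2c3d4e5f67890 172.31.16.139 203.0.113.12 0 0 1 4 336 1432917027 1432917142 REJECT OK
2 123456789012 eni-0a1b2c3d4e5f67890 203.0.113.12 172.31.16.139 49152 22 6 20 4249 1432917027 1432917142 ACCEPT OK
2 123456789012 eni-0a1b2c3d4e5f67890 - - - - - - - 1432917027 1432917142 - NODATA
"""


@dataclass
class FlowRecord:
    interface_id: str
    srcaddr: Optional[str]
    dstaddr: Optional[str]
    srcport: Optional[int]
    dstport: Optional[int]
    protocol: Optional[int]
    packets: Optional[int]
    action: Optional[str]
    log_status: str

    @property
    def protocol_name(self):
        return PROTOCOL_NAMES.get(self.protocol, str(self.protocol))


def _int_or_none(value):
    # '-' appears in NODATA/SKIPDATA records where a field has no value.
    return None if value == "-" else int(value)


def parse_line(line):
    """Parse one default-format flow log line into a FlowRecord."""
    parts = line.split()
    if len(parts) != len(FIELDS):
        raise ValueError(f"expected {len(FIELDS)} fields, got {len(parts)}: {line!r}")
    f = dict(zip(FIELDS, parts))
    return FlowRecord(
        interface_id=f["interface_id"],
        srcaddr=None if f["srcaddr"] == "-" else f["srcaddr"],
        dstaddr=None if f["dstaddr"] == "-" else f["dstaddr"],
        srcport=_int_or_none(f["srcport"]),
        dstport=_int_or_none(f["dstport"]),
        protocol=_int_or_none(f["protocol"]),
        packets=_int_or_none(f["packets"]),
        action=None if f["action"] == "-" else f["action"],
        log_status=f["log_status"],
    )


def parse(text):
    return [parse_line(ln) for ln in text.splitlines() if ln.strip()]


def diagnose_ping(records, client_ip, instance_ip):
    """Classify why an ICMP echo from client_ip to instance_ip fails, using only
    the ENI's flow records. Security groups are stateful, so an accepted
    request's reply is never rejected by them; a rejected reply therefore
    points at the stateless network ACL's outbound rules."""
    inbound = [r.action for r in records if r.protocol == 1
               and r.srcaddr == client_ip and r.dstaddr == instance_ip]
    outbound = [r.action for r in records if r.protocol == 1
                and r.srcaddr == instance_ip and r.dstaddr == client_ip]
    if not inbound:
        return "no-inbound-icmp-seen"       # never reached the ENI: routing, IGW, or upstream
    if "REJECT" in inbound:
        return "inbound-rejected"           # security group inbound rule or NACL inbound rule
    if not outbound:
        return "no-reply-sent"              # accepted, but the instance did not answer (host firewall)
    if "REJECT" in outbound:
        return "reply-rejected-check-nacl"  # SG would pass the reply, so look at the NACL outbound rules
    return "icmp-allowed-both-ways"


if __name__ == "__main__":
    recs = parse(SAMPLE_FLOW_LOG)
    for r in recs:
        print(r.interface_id, r.srcaddr, "->", r.dstaddr, r.protocol_name, r.action, r.log_status)
    print(diagnose_ping(recs, "203.0.113.12", "172.31.16.139"))
```

The `NODATA` line shows why a parser cannot assume every field is numeric: such records carry dashes in place of addresses, ports and protocol, and a naive `int()` on them would crash the whole job.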

Answers to the practice questions

1. B

2. A

3. A

4. A

5. A

6. C

7. C

8. A

9. B and C

10. B
