AWS Security Best Practices 1O1

Customers of Cloud Service Providers place a high value on information security. Security is a key functional need that protects mission-critical information against theft, leakage, integrity breach, and deletion, whether unintentional or intentional.

AWS delivers a worldwide secure infrastructure and fundamental computing, storage, networking, and database services, as well as higher level services, under the AWS shared responsibility model. AWS offers a variety of security services and capabilities that clients may employ to protect their assets.

Customers of AWS are responsible for ensuring the confidentiality, integrity, and availability of their data in the cloud, as well as satisfying specific business needs for information security. AWS manages the secure global infrastructure and services that offer a reliable basis for business systems and individual applications. AWS maintains high standards for cloud-based information security and has a comprehensive and holistic set of control objectives spanning from physical security to software procurement and development to personnel lifecycle management and security organization.

End users should be familiar with regions, Availability Zones, and endpoints, all of which are components of AWS’s secure global architecture. AWS regions may be used to control network latency and regulatory compliance. Data stored in a given region is not duplicated outside of that region. If your organization requires it, it is your duty to duplicate data between locations. AWS offers information about the region and, if appropriate, the state in which each region is located; you are responsible for selecting the region in which to store data while keeping your compliance and network latency needs in mind.

Regions are created with availability in mind and include at least two, and frequently more, Availability Zones. Availability Zones are intended to isolate faults. They are linked to several Internet Service Providers (ISPs) and electricity grids. They are linked together via high-speed networks, so applications may communicate between Availability Zones within the same area using Local Area Network (LAN) connectivity. It is your responsibility to carefully pick the Availability Zones in which your systems will reside.

AWS provides a wide range of infrastructure and platform services. To better comprehend the security and shared accountability of various AWS services, divide them into three categories: infrastructure, container, and abstracted services. Based on how you interact with and access the functionality, each category has a somewhat distinct security ownership model.

Infrastructure Services

This category covers computational services like Amazon EC2 as well as associated services like Amazon Elastic Block Store (Amazon EBS), Auto Scaling, and Amazon Virtual Private Cloud (Amazon VPC).

You may plan and develop a cloud infrastructure utilizing technologies that are similar to and generally compatible with on-premises solutions employing these services. You are in charge of the operating system, as well as any identity management system that gives access to the virtualization stack’s user layer.

Image retrieved from: https://d1.awsstatic.com/whitepapers/Security/AWS_Security_Best_Practices.pdf

Container Services

Services in this category are generally operated on distinct Amazon EC2 or other infrastructure instances, although the operating system or platform layer are not always managed. For these application “containers,” AWS offers a managed service. You are in charge of configuring and administering network restrictions such as firewall rules, as well as platform-level identity and access management independent from IAM. Amazon Relational Database Services (Amazon RDS), Amazon Elastic Map Reduce (Amazon EMR), and AWS Elastic Beanstalk are examples of container services.

Image retrieved from: https://d1.awsstatic.com/whitepapers/Security/AWS_Security_Best_Practices.pdf

Abstracted Services

Amazon Simple Storage Service (Amazon S3), Amazon Glacier, Amazon DynamoDB, Amazon Simple Queuing Service (Amazon SQS), and Amazon Simple Email Service are examples of high-level storage, database, and messaging services (Amazon SES). These services abstract the platform or administrative layer upon which cloud applications may be built and operated. AWS APIs are used to reach the endpoints of these abstracted services, while AWS controls the underlying service components or the operating system on which they reside.

Image retrieved from: https://d1.awsstatic.com/whitepapers/Security/AWS_Security_Best_Practices.pdf

AWS Cloud Platform offers several advantages to contemporary organizations, including flexibility, elasticity, utility billing, and decreased time-to-market. It offers a variety of security services and capabilities that you can use to manage the security of your assets and data on AWS. While AWS provides an outstanding service management layer for infrastructure or platform services, companies are still responsible for ensuring the confidentiality, integrity, and availability of their data in the cloud, as well as satisfying particular business needs for information security.

Please feel free to write @ piyush.jalan93@gmail.com for any queries on AWS Security Best Practices & stay tuned for next write-up.

Thank you!

Senior Cloud Consultant | Cloud Enthusiast | Helping Customers in Adopting Cloud Technology