AcademyCloudFoundations Module 04

Module 4 of AWS Academy Cloud Foundations covers AWS Cloud Security, focusing on the shared responsibility model, AWS Identity and Access Management (IAM), and securing AWS accounts and data. It outlines the responsibilities of both AWS and customers in securing cloud infrastructure and provides insights into IAM components such as users, groups, roles, and policies. The module includes activities and demonstrations to reinforce understanding of security practices in AWS environments.

Uploaded by

dabreums2026

AWS Academy Cloud Foundations

Module 4: AWS Cloud Security

© 2019, Amazon Web Services, Inc. or its Affiliates. All rights reserved.
Module overview

Topics
• AWS shared responsibility model
• AWS Identity and Access Management (IAM)
• Securing a new AWS account
• Securing accounts
• Securing data on AWS
• Working to ensure compliance

Activities
• AWS shared responsibility model activity

Demo
• Recorded demonstration of IAM

Lab
• Introduction to AWS IAM

Knowledge check
Module objectives

After completing this module, you should be able to:


• Recognize the shared responsibility model
• Identify the responsibility of the customer and AWS
• Recognize IAM users, groups, and roles
• Describe different types of security credentials in IAM
• Identify the steps to securing a new AWS account
• Explore IAM users and groups
• Recognize how to secure AWS data
• Recognize AWS compliance programs

Module 4: AWS Cloud Security

Section 1: AWS shared responsibility model
AWS shared responsibility model

AWS responsibility: Security of the cloud

AWS responsibilities:
• Physical security of data centers
  • Controlled, need-based access
• Hardware and software infrastructure
  • Storage decommissioning, host operating system (OS) access logging, and auditing
• Network infrastructure
  • Intrusion detection
• Virtualization infrastructure
  • Instance isolation

(Diagram: AWS services (Compute, Storage, Database, Networking) running on the AWS Global Infrastructure of Regions, Availability Zones, and Edge locations.)
Customer responsibility: Security in the cloud

Customer responsibilities:
• Amazon Elastic Compute Cloud (Amazon EC2) instance operating system
  • Including patching, maintenance
• Applications
  • Passwords, role-based access, etc.
• Security group configuration
• OS or host-based firewalls
  • Including intrusion detection or prevention systems
• Network configurations
• Account management
  • Login and permission settings for each user

(Diagram of the customer-configurable layers: customer data; applications and IAM; operating system, network, and firewall configuration; client-side data encryption and data integrity authentication; server-side encryption (file system or data); network traffic protection (encryption, integrity, identity).)
Service characteristics and security responsibility

Infrastructure as a service (IaaS)
• Customer has more flexibility over configuring networking and storage settings
• Customer is responsible for managing more aspects of the security
• Customer configures the access controls
• Example services managed by the customer: Amazon EC2, Amazon Elastic Block Store (Amazon EBS), Amazon Virtual Private Cloud (Amazon VPC)

Platform as a service (PaaS)
• Customer does not need to manage the underlying infrastructure
• AWS handles the operating system, database patching, firewall configuration, and disaster recovery
• Customer can focus on managing code or data
• Example services managed by AWS: AWS Lambda, Amazon Relational Database Service (Amazon RDS), AWS Elastic Beanstalk
Service characteristics and security responsibility (continued)

Software as a service (SaaS)
• Software is centrally hosted
• Licensed on a subscription model or pay-as-you-go basis
• Services are typically accessed via web browser, mobile app, or application programming interface (API)
• Customers do not need to manage the infrastructure that supports the service
• SaaS examples: AWS Trusted Advisor, AWS Shield, Amazon Chime
Activity: AWS shared responsibility model

Photo by Pixabay from Pexels.
Activity: Scenario 1 of 2

Consider this deployment. Who is responsible – AWS or the customer?

(Diagram: an AWS Cloud with a Virtual Private Cloud (VPC) containing an Amazon EC2 instance running Oracle, an Amazon Simple Storage Service (Amazon S3) bucket, and the AWS Global Infrastructure.)

1. Upgrades and patches to the operating system on the EC2 instance?
   • ANSWER: The customer
2. Physical security of the data center?
   • ANSWER: AWS
3. Virtualization infrastructure?
   • ANSWER: AWS
4. EC2 security group settings?
   • ANSWER: The customer
5. Configuration of applications that run on the EC2 instance?
6. Oracle upgrades or patches if the Oracle instance runs as an Amazon RDS instance?
   • ANSWER: AWS
7. Oracle upgrades or patches if Oracle runs on an EC2 instance?
   • ANSWER: The customer
8. S3 bucket access configuration?
   • ANSWER: The customer
Activity: Scenario 2 of 2

Consider this deployment. Who is responsible – AWS or the customer?

(Diagram: the AWS Management Console and AWS Command Line Interface (AWS CLI), Secure Shell (SSH) keys, a VPC with an internet gateway and a subnet containing a web server on Amazon EC2, and an S3 bucket with objects.)

1. Ensuring that the AWS Management Console is not hacked?
   • ANSWER: AWS
2. Configuring the subnet?
   • ANSWER: The customer
3. Configuring the VPC?
   • ANSWER: The customer
4. Protecting against network outages in AWS Regions?
   • ANSWER: AWS
5. Securing the SSH keys?
   • ANSWER: The customer
6. Ensuring network isolation between AWS customers' data?
   • ANSWER: AWS
7. Ensuring low-latency network connection between the web server and the S3 bucket?
   • ANSWER: AWS
8. Enforcing multi-factor authentication for all user logins?
   • ANSWER: The customer
Section 1 key takeaways

• AWS and the customer share security responsibilities:
  • AWS is responsible for security of the cloud
  • Customer is responsible for security in the cloud
• AWS is responsible for protecting the infrastructure—including hardware, software, networking, and facilities—that runs AWS Cloud services
• For services that are categorized as infrastructure as a service (IaaS), the customer is responsible for performing necessary security configuration and management tasks
  • For example, guest OS updates and security patches, firewall, security group configurations
Module 4: AWS Cloud Security

Section 2: AWS Identity and Access Management (IAM)
AWS Identity and Access Management (IAM)

• Use IAM to manage access to AWS resources –
  • A resource is an entity in an AWS account that you can work with
  • Example resources: an Amazon EC2 instance or an Amazon S3 bucket
  • Example – Control who can terminate Amazon EC2 instances
• Define fine-grained access rights –
  • Who can access the resource
  • Which resources can be accessed and what the user can do to the resource
  • How resources can be accessed
• IAM is a no-cost AWS account feature
IAM: Essential components

• IAM user: A person or application that can authenticate with an AWS account.
• IAM group: A collection of IAM users that are granted identical authorization.
• IAM policy: The document that defines which resources can be accessed and the level of access to each resource.
• IAM role: Useful mechanism to grant a set of permissions for making AWS service requests.
Authenticate as an IAM user to gain access

When you define an IAM user, you select what types of access the user is permitted to use.

Programmatic access
• Authenticate using:
  • Access key ID
  • Secret access key
• Provides AWS CLI and AWS SDK access (AWS CLI, AWS Tools and SDKs)

AWS Management Console access
• Authenticate using:
  • 12-digit Account ID or alias
  • IAM user name
  • IAM password
• If enabled, multi-factor authentication (MFA) prompts for an authentication code.
IAM MFA

• MFA provides increased security.
• In addition to user name and password, MFA requires a unique authentication code to access AWS services.

(Diagram: user name and password plus an MFA token are both required to sign in to the AWS Management Console.)
Authorization: What actions are permitted

After the user or application is connected to the AWS account, what are they allowed to do?

(Diagram: IAM policies attached to an IAM user, IAM group, or IAM role grant, for example, full access to EC2 instances and read-only access to an S3 bucket.)
IAM: Authorization

• Assign permissions by creating an IAM policy.
• Permissions determine which resources and operations are allowed:
  • All permissions are implicitly denied by default.
  • If something is explicitly denied, it is never allowed.

Best practice: Follow the principle of least privilege.

Note: The scope of IAM service configurations is global. Settings apply across all AWS Regions.
IAM policies

• An IAM policy is a document that defines permissions
  • Enables fine-grained access control
• Two types of policies – identity-based and resource-based
• Identity-based policies –
  • Attach a policy to any IAM entity
    • An IAM user, an IAM group, or an IAM role
  • Policies specify:
    • Actions that may be performed by the entity
    • Actions that may not be performed by the entity
  • A single policy can be attached to multiple entities
  • A single entity can have multiple policies attached to it
• Resource-based policies
  • Attached to a resource (such as an S3 bucket)

(Diagram: one IAM policy can be attached to any of the IAM entities: an IAM user, an IAM group, or an IAM role.)
IAM policy example

  {
    "Version": "2012-10-17",
    "Statement": [
      {
        "Effect": "Allow",
        "Action": ["dynamodb:*", "s3:*"],
        "Resource": [
          "arn:aws:dynamodb:region:account-number-without-hyphens:table/table-name",
          "arn:aws:s3:::bucket-name",
          "arn:aws:s3:::bucket-name/*"
        ]
      },
      {
        "Effect": "Deny",
        "Action": ["dynamodb:*", "s3:*"],
        "NotResource": [
          "arn:aws:dynamodb:region:account-number-without-hyphens:table/table-name",
          "arn:aws:s3:::bucket-name",
          "arn:aws:s3:::bucket-name/*"
        ]
      }
    ]
  }

• The explicit allow gives users access to a specific DynamoDB table and to Amazon S3 buckets.
• The explicit deny ensures that the users cannot use any other AWS actions or resources other than that table and those buckets.
• An explicit deny statement takes precedence over an allow statement.
Resource-based policies

• Identity-based policies are attached to a user, group, or role
• Resource-based policies are attached to a resource (not to a user, group or role)
• Characteristics of resource-based policies –
  • Specifies who has access to the resource and what actions they can perform on it
  • The policies are inline only, not managed
  • Resource-based policies are supported only by some AWS

(Diagram: in an AWS account, an identity-based policy attached to IAM user MaryMajor grants list and read objects on the photos bucket, while a resource-based policy defined inline on the S3 bucket photos grants user MaryMajor list and read objects.)
IAM permissions

How IAM determines permissions:
1. Is the permission explicitly denied? If yes: Deny.
2. If no: Is the permission explicitly allowed? If yes: Allow.
3. If no: Deny (implicit deny).
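The decision flow above, applied to the IAM policy example from the previous slide, and extended with the Section 4 rule that a member account's effective permissions are the intersection of what its service control policies allow and what IAM grants. This is an added Python illustration, not AWS code or the course's own material; the placeholder ARNs (region, account-number-without-hyphens, table-name, bucket-name) are the slide's own, and the SCP in the usage note is constructed.

```python
import json
import re

# The module's example policy, placeholder ARNs kept exactly as on the slide.
EXAMPLE_POLICY = json.loads("""
{
  "Version": "2012-10-17",
  "Statement": [
    {"Effect": "Allow",
     "Action": ["dynamodb:*", "s3:*"],
     "Resource": ["arn:aws:dynamodb:region:account-number-without-hyphens:table/table-name",
                  "arn:aws:s3:::bucket-name", "arn:aws:s3:::bucket-name/*"]},
    {"Effect": "Deny",
     "Action": ["dynamodb:*", "s3:*"],
     "NotResource": ["arn:aws:dynamodb:region:account-number-without-hyphens:table/table-name",
                     "arn:aws:s3:::bucket-name", "arn:aws:s3:::bucket-name/*"]}
  ]
}
""")


def _as_list(value):
    """Action/Resource/Statement fields may be a single string (or object) or a list."""
    return value if isinstance(value, list) else [value]


def _glob(pattern, value):
    """IAM wildcard match: '*' matches any run of characters, '?' exactly one."""
    regex = "".join(".*" if c == "*" else "." if c == "?" else re.escape(c) for c in pattern)
    return re.fullmatch(regex, value) is not None


def statement_applies(stmt, action, resource):
    """Does this statement cover the request? Action names are case-insensitive,
    resource ARNs are compared as written; NotAction/NotResource invert the match."""
    act = action.lower()
    if "Action" in stmt:
        if not any(_glob(p.lower(), act) for p in _as_list(stmt["Action"])):
            return False
    elif "NotAction" in stmt:
        if any(_glob(p.lower(), act) for p in _as_list(stmt["NotAction"])):
            return False
    if "Resource" in stmt:
        if not any(_glob(p, resource) for p in _as_list(stmt["Resource"])):
            return False
    elif "NotResource" in stmt:
        if any(_glob(p, resource) for p in _as_list(stmt["NotResource"])):
            return False
    return True


def evaluate(policies, action, resource):
    """The slide's flow over every attached identity policy:
    explicit deny -> Deny; otherwise explicit allow -> Allow; otherwise implicit deny."""
    explicitly_allowed = False
    for policy in policies:
        for stmt in _as_list(policy["Statement"]):
            if not statement_applies(stmt, action, resource):
                continue
            if stmt["Effect"] == "Deny":
                return "ExplicitDeny"        # an explicit deny always wins, stop here
            explicitly_allowed = True
    return "Allow" if explicitly_allowed else "ImplicitDeny"


def evaluate_with_scps(scps, identity_policies, action, resource):
    """Section 4 generalisation: a request in a member account must be allowed by the
    organization's SCPs AND by IAM in the account; an SCP never grants access on its own."""
    if evaluate(scps, action, resource) != "Allow":
        return "DenyBySCP"
    return evaluate(identity_policies, action, resource)


if __name__ == "__main__":
    table = "arn:aws:dynamodb:region:account-number-without-hyphens:table/table-name"
    requests = [("dynamodb:GetItem", table),
                ("dynamodb:GetItem", table.replace("table-name", "other-table")),
                ("s3:GetObject", "arn:aws:s3:::bucket-name/photo.jpg"),
                ("ec2:TerminateInstances", "*")]
    for act, res in requests:
        print(f"{act:24} {res:75} -> {evaluate([EXAMPLE_POLICY], act, res)}")
```

Note that a request for a different DynamoDB table ends in ExplicitDeny (the NotResource deny catches it), while an EC2 action is only implicitly denied because neither statement names it.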
IAM groups

• An IAM group is a collection of IAM users
• A group is used to grant the same permissions to multiple users
  • Permissions granted by attaching IAM policy or policies to the group
• A user can belong to multiple groups
• There is no default group
• Groups cannot be nested

(Diagram: an AWS account with IAM groups Admins (Carlos Salazar, Márcia Oliveira, Richard Roe), Developers (Li Juan, Mary Major), and Testers (Zhang Wei, John Stiles); Li Juan is listed in a second group as well.)
IAM roles

• An IAM role is an IAM identity with specific permissions
• Similar to an IAM user
  • Attach permissions policies to it
• Different from an IAM user
  • Not uniquely associated with one person
  • Intended to be assumable by a person, application, or service
  • Role provides temporary security credentials
• Examples of how IAM roles are used to delegate access
  • Used by an IAM user in the same AWS account as the role
  • Used by an AWS service—such as Amazon EC2—in the same account as the role
  • Used by an IAM user in a different AWS account than the role
Example use of an IAM role

Scenario:
• An application that runs on an EC2 instance needs access to an S3 bucket

Solution:
• Define an IAM policy that grants access to the S3 bucket.
• Attach the policy to a role
• Allow the EC2 instance to assume the role

(Diagram: (1) an IAM policy that grants access to the photos bucket is attached to an IAM role; (2) the role is assumed by the EC2 instance; (3) the application on the instance has permissions to access the Amazon S3 bucket photos.)
Section 2 key takeaways

• IAM policies are constructed with JavaScript Object Notation (JSON) and define permissions.
• IAM policies can be attached to any IAM entity.
• Entities are IAM users, IAM groups, and IAM roles.
• An IAM user provides a way for a person, application, or service to authenticate to AWS.
• An IAM group is a simple way to attach the same policies to multiple users.
• An IAM role can have permissions policies attached to it, and can be used to delegate temporary access to users or applications.
Recorded demo: IAM
Module 4: AWS Cloud Security

Section 3: Securing a new AWS account
AWS account root user access versus IAM access

• Best practice: Do not use the AWS account root user except when necessary.
  • Access to the account root user requires logging in with the email address (and password) that you used to create the account.
• Example actions that can only be done with the account root user:
  • Update the account root user password
  • Change the AWS Support plan
  • Restore an IAM user's permissions
  • Change account settings (for example, contact information, allowed Regions)

(Diagram comparing the two: Account root user has full access to all resources and its privileges cannot be controlled; IAM integrates with other AWS services, supports identity federation, provides secure access for applications, and offers granular permissions.)
Securing a new AWS account: Account root user

Step 1: Stop using the account root user as soon as possible.
• The account root user has unrestricted access to all your resources.
• To stop using the account root user:
  1. While you are logged in as the account root user, create an IAM user for yourself. Save the access keys if needed.
  2. Create an IAM group, give it full administrator permissions, and add the IAM user to the group.
  3. Disable and remove your account root user access keys, if they exist.
  4. Enable a password policy for users.
  5. Sign in with your new IAM user credentials.
  6. Store your account root user credentials in a secure place.
Securing a new AWS account: MFA

Step 2: Enable multi-factor authentication (MFA).
• Require MFA for your account root user and for all IAM users.
• You can also use MFA to control access to AWS service APIs.
• Options for retrieving the MFA token –
  • Virtual MFA-compliant applications:
    • Google Authenticator.
    • Authy Authenticator (Windows phone app).
  • U2F security key devices:
    • For example, YubiKey.
  • Hardware MFA options:
    • Key fob or display card offered by Gemalto.
Securing a new AWS account: AWS CloudTrail

Step 3: Use AWS CloudTrail.
• CloudTrail tracks user activity on your account.
  • Logs all API requests to resources in all supported services in your account.
• Basic AWS CloudTrail event history is enabled by default and is free.
  • It contains all management event data for the latest 90 days of account activity.
• To access CloudTrail –
  1. Log in to the AWS Management Console and choose the CloudTrail service.
  2. Click Event history to view, filter, and search the last 90 days of events.
• To enable logs beyond 90 days and enable specified event alerting, create a trail.
  1. From the CloudTrail Console trails page, click Create trail.
  2. Give it a name, apply it to all Regions, and create a new Amazon S3 bucket for log storage.
  3. Configure access restrictions on the S3 bucket (for example, only admin users should have access).
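Steps 1 to 3 together give a concrete monitoring goal: the CloudTrail records should show no routine root user activity, no console sign-ins without MFA, and no changes to the trail itself. The following Python scan over a few CloudTrail records is an added illustration, not AWS or course code; the records are constructed samples that follow the real record field names (userIdentity.type, eventName, additionalEventData.MFAUsed, responseElements.ConsoleLogin), and the account id and user names are invented.

```python
import json

# Constructed CloudTrail records: field names follow the real record format, values are invented.
SAMPLE_EVENTS = json.loads("""
[
 {"eventID": "e1", "eventTime": "2019-06-01T08:00:00Z", "eventSource": "signin.amazonaws.com",
  "eventName": "ConsoleLogin", "userIdentity": {"type": "Root", "accountId": "111122223333"},
  "additionalEventData": {"MFAUsed": "No"}, "responseElements": {"ConsoleLogin": "Success"}},
 {"eventID": "e2", "eventTime": "2019-06-01T08:05:00Z", "eventSource": "signin.amazonaws.com",
  "eventName": "ConsoleLogin", "userIdentity": {"type": "IAMUser", "userName": "user-1"},
  "additionalEventData": {"MFAUsed": "Yes"}, "responseElements": {"ConsoleLogin": "Success"}},
 {"eventID": "e3", "eventTime": "2019-06-01T08:06:00Z", "eventSource": "signin.amazonaws.com",
  "eventName": "ConsoleLogin", "userIdentity": {"type": "IAMUser", "userName": "user-2"},
  "additionalEventData": {"MFAUsed": "No"}, "responseElements": {"ConsoleLogin": "Failure"}},
 {"eventID": "e4", "eventTime": "2019-06-01T09:00:00Z", "eventSource": "cloudtrail.amazonaws.com",
  "eventName": "StopLogging", "userIdentity": {"type": "IAMUser", "userName": "user-3"}},
 {"eventID": "e5", "eventTime": "2019-06-01T09:30:00Z", "eventSource": "iam.amazonaws.com",
  "eventName": "CreateAccessKey", "userIdentity": {"type": "Root", "accountId": "111122223333"}}
]
""")

# CloudTrail API calls that switch logging off or change what a trail records.
LOGGING_TAMPER_CALLS = {"StopLogging", "DeleteTrail", "UpdateTrail", "PutEventSelectors"}


def findings_for(event):
    """Return the list of finding labels that apply to one CloudTrail record."""
    findings = []
    identity = event.get("userIdentity", {})
    if identity.get("type") == "Root":
        findings.append("root-user-activity")            # Step 1: root use should be rare
    if event.get("eventName") == "ConsoleLogin":
        if event.get("additionalEventData", {}).get("MFAUsed") != "Yes":
            findings.append("console-login-without-mfa")  # Step 2: MFA for every sign-in
        if event.get("responseElements", {}).get("ConsoleLogin") == "Failure":
            findings.append("failed-console-login")
    if (event.get("eventSource") == "cloudtrail.amazonaws.com"
            and event.get("eventName") in LOGGING_TAMPER_CALLS):
        findings.append("cloudtrail-logging-changed")    # Step 3: keep the trail intact
    if identity.get("type") == "Root" and event.get("eventName") == "CreateAccessKey":
        findings.append("root-access-key-created")        # undoes "delete root access keys"
    return findings


def audit(events):
    """Map eventID -> findings for every record that has at least one finding."""
    report = {}
    for event in events:
        hits = findings_for(event)
        if hits:
            report[event["eventID"]] = hits
    return report


def actor(event):
    """Human-readable principal for a report line."""
    identity = event.get("userIdentity", {})
    return identity.get("userName") or f"{identity.get('type')}@{identity.get('accountId')}"


if __name__ == "__main__":
    report = audit(SAMPLE_EVENTS)
    for event in SAMPLE_EVENTS:
        if event["eventID"] in report:
            print(event["eventTime"], actor(event), event["eventName"],
                  ", ".join(report[event["eventID"]]))
```

Against real data, the same function can be run over the records CloudTrail delivers to the trail's S3 bucket, which is exactly why Step 3 restricts who can read and change that bucket.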
Securing a new AWS account: Billing reports

Step 4: Enable a billing report, such as the AWS Cost and Usage Report.
• Billing reports provide information about your use of AWS resources and estimated costs for that use.
• AWS delivers the reports to an Amazon S3 bucket that you specify.
• Report is updated at least once per day.
• The AWS Cost and Usage Report tracks your AWS usage and provides estimated charges associated with your AWS account, either by the hour or by the day.
Section 3 key takeaways

Best practices to secure an AWS account:
• Secure logins with multi-factor authentication (MFA).
• Delete account root user access keys.
• Create individual IAM users and grant permissions according to the principle of least privilege.
• Use groups to assign permissions to IAM users.
• Configure a strong password policy.
• Delegate using roles instead of sharing credentials.
• Monitor account activity.
Lab 1: Introduction to IAM
Lab 1: Tasks

• Task 1: Explore the Users and Groups.
• Task 2: Add Users to Groups.
• Task 3: Sign-In and Test Users.
Lab 1: Final product

(Diagram: in the AWS account, users user-1, user-2, and user-3 are placed in groups. user-1 joins S3-Support, which has an IAM managed policy granting S3 read-only access; user-2 joins EC2-Support, which has an IAM managed policy granting Amazon EC2 read-only access; user-3 joins EC2-Admin, which has an IAM inline policy granting Amazon EC2 view, start, and stop access.)
Begin Lab 1: Introduction to AWS IAM

~ 40 minutes

Lab debrief: Key takeaways
Module 4: AWS Cloud Security

Section 4: Securing accounts
AWS Organizations

• AWS Organizations enables you to consolidate multiple AWS accounts so that you centrally manage them.
• Security features of AWS Organizations:
  • Group AWS accounts into organizational units (OUs) and attach different access policies to each OU.
  • Integration and support for IAM
    • Permissions to a user are the intersection of what is allowed by AWS Organizations and what is granted by IAM in that account.
  • Use service control policies to establish control over the AWS services and API actions that each AWS account can access
AWS Organizations: Service control policies

• Service control policies (SCPs) offer centralized control over accounts.
  • Limit permissions that are available in an account that is part of an organization.
  • Ensures that accounts comply with access control guidelines.
• SCPs are similar to IAM permissions policies –
  • They use similar syntax.
  • However, an SCP never grants permissions.
  • Instead, SCPs specify the maximum permissions for an organization.
AWS Key Management Service (AWS KMS)

AWS Key Management Service (AWS KMS) features:
• Enables you to create and manage encryption keys
• Enables you to control the use of encryption across AWS services and in your applications.
• Integrates with AWS CloudTrail to log all key usage.
• Uses hardware security modules (HSMs) that are validated by Federal Information Processing Standards (FIPS) 140-2 to protect keys
Amazon Cognito

Amazon Cognito features:
• Adds user sign-up, sign-in, and access control to your web and mobile applications.
• Scales to millions of users.
• Supports sign-in with social identity providers, such as Facebook, Google, and Amazon; and enterprise identity providers, such as Microsoft Active Directory via Security Assertion Markup Language (SAML) 2.0.
AWS Shield

• AWS Shield features:
  • Is a managed distributed denial of service (DDoS) protection service
  • Safeguards applications running on AWS
  • Provides always-on detection and automatic inline mitigations
• AWS Shield Standard is enabled at no additional cost. AWS Shield Advanced is an optional paid service.
• Use it to minimize application downtime and latency.
Module 4: AWS Cloud Security

Section 5: Securing data on AWS
Encryption of data at rest

• Encryption encodes data with a secret key, which makes it unreadable
  • Only those who have the secret key can decode the data
  • AWS KMS can manage your secret keys
• AWS supports encryption of data at rest
  • Data at rest = Data stored physically (on disk or on tape)
  • You can encrypt data stored in any service that is supported by AWS KMS, including:
    • Amazon S3
    • Amazon EBS
    • Amazon Elastic File System (Amazon EFS)
    • Amazon RDS managed databases
Encryption of data in transit

• Encryption of data in transit (data moving across a network)
  • Transport Layer Security (TLS)—formerly SSL—is an open standard protocol
  • AWS Certificate Manager provides a way to manage, deploy, and renew TLS or SSL certificates
• Secure HTTP (HTTPS) creates a secure tunnel
  • Uses TLS or SSL for the bidirectional exchange of data
• AWS services support data in transit encryption.
  • Two examples:

(Diagram: in the AWS Cloud, TLS-encrypted traffic between Amazon EC2 and Amazon EFS; and TLS or SSL encrypted data between a corporate data center running AWS Storage Gateway and Amazon S3 in the AWS Cloud.)
Securing Amazon S3 buckets and objects

• Newly created S3 buckets and objects are private and protected by default.
• When use cases require sharing data objects on Amazon S3
  • It is essential to manage and control the data access.
  • Grant permissions that follow the principle of least privilege and consider using Amazon S3 encryption.
• Tools and options for controlling access to S3 data include –
  • Amazon S3 Block Public Access feature: Simple to use.
  • IAM policies: A good option when the user can authenticate using IAM.
  • Bucket policies
  • Access control lists (ACLs): A legacy access control mechanism.
  • AWS Trusted Advisor bucket permission check: A free feature.
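Of the tools listed above, bucket policies are the one most often responsible for unintended sharing, because a single Allow statement whose Principal is everyone makes the bucket public regardless of IAM. The check below, an added Python illustration rather than AWS or course code, flags such statements in a bucket policy document in the spirit of the Trusted Advisor bucket permission check; it uses a simplified version of the condition keys AWS treats as narrowing a public principal, and the sample policies, bucket name, VPC endpoint id, account id and user name are constructed.

```python
import json

# Condition keys that pin the caller or its origin; a Principal "*" statement narrowed by one
# of these is not treated as public. Simplified from the list AWS applies, not the full rule.
RESTRICTING_KEYS = {"aws:sourcevpc", "aws:sourcevpce", "aws:sourcearn", "aws:sourceaccount",
                    "aws:sourceip", "aws:principalarn", "aws:principalaccount",
                    "aws:principalorgid", "aws:userid"}
OPEN_CIDRS = {"0.0.0.0/0", "::/0"}   # an aws:SourceIp of "anywhere" narrows nothing


def _principal_is_everyone(principal):
    """Principal "*" or {"AWS": "*"} (or a list containing "*") means anonymous access."""
    if principal == "*":
        return True
    if isinstance(principal, dict):
        aws = principal.get("AWS")
        return aws == "*" or (isinstance(aws, list) and "*" in aws)
    return False


def _condition_restricts(condition):
    """True when at least one condition actually limits who can call."""
    for operator, pairs in (condition or {}).items():
        if operator.startswith("Not"):           # NotIpAddress etc. exclude, they do not pin
            continue
        for key, value in pairs.items():
            if key.lower() not in RESTRICTING_KEYS:
                continue
            values = value if isinstance(value, list) else [value]
            if key.lower() == "aws:sourceip" and any(v in OPEN_CIDRS for v in values):
                continue
            return True
    return False


def public_statements(bucket_policy):
    """Return (Sid or index, actions) for each Allow statement that everyone can use."""
    hits = []
    for i, stmt in enumerate(bucket_policy.get("Statement", [])):
        if stmt.get("Effect") != "Allow" or not _principal_is_everyone(stmt.get("Principal")):
            continue
        if _condition_restricts(stmt.get("Condition")):
            continue
        actions = stmt.get("Action", [])
        hits.append((stmt.get("Sid", f"statement-{i}"),
                     actions if isinstance(actions, list) else [actions]))
    return hits


def is_public(bucket_policy):
    return bool(public_statements(bucket_policy))


# Constructed sample bucket policies (example-bucket, the VPC endpoint id, account id and
# user name are invented placeholders).
SAMPLE_POLICIES = json.loads("""
{
  "public-read": {"Version": "2012-10-17", "Statement": [
    {"Sid": "PublicRead", "Effect": "Allow", "Principal": "*",
     "Action": "s3:GetObject", "Resource": "arn:aws:s3:::example-bucket/*"}]},
  "referer-only": {"Version": "2012-10-17", "Statement": [
    {"Sid": "RefererOnly", "Effect": "Allow", "Principal": {"AWS": "*"},
     "Action": "s3:GetObject", "Resource": "arn:aws:s3:::example-bucket/*",
     "Condition": {"StringLike": {"aws:Referer": "http://www.example.com/*"}}}]},
  "vpce-only": {"Version": "2012-10-17", "Statement": [
    {"Sid": "FromVpce", "Effect": "Allow", "Principal": {"AWS": "*"},
     "Action": ["s3:GetObject", "s3:ListBucket"],
     "Resource": ["arn:aws:s3:::example-bucket", "arn:aws:s3:::example-bucket/*"],
     "Condition": {"StringEquals": {"aws:SourceVpce": "vpce-0123456789abcdef0"}}}]},
  "single-user": {"Version": "2012-10-17", "Statement": [
    {"Sid": "MaryOnly", "Effect": "Allow",
     "Principal": {"AWS": "arn:aws:iam::111122223333:user/MaryMajor"},
     "Action": "s3:GetObject", "Resource": "arn:aws:s3:::example-bucket/*"}]}
}
""")

if __name__ == "__main__":
    for name, policy in SAMPLE_POLICIES.items():
        print(f"{name:13} public={is_public(policy)} {public_statements(policy)}")
```

The referer-only case is the instructive one: a Referer header is chosen by the client, so a condition on it does not stop anonymous access and the statement is still reported as public.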
Module 4: AWS Cloud Security

Section 6: Working to ensure compliance
AWS compliance programs

• Customers are subject to many different security and compliance regulations and requirements.
• AWS engages with certifying bodies and independent auditors to provide customers with detailed information about the policies, processes, and controls that are established and operated by AWS.
• Compliance programs can be broadly categorized –
  • Certifications and attestations
    • Assessed by a third-party, independent auditor
    • Examples: ISO 27001, 27017, 27018, and ISO/IEC 9001
  • Laws, regulations, and privacy
    • AWS provides security features and legal agreements to support compliance
    • Examples: EU General Data Protection Regulation (GDPR), HIPAA
  • Alignments and frameworks
    • Industry- or function-specific security or compliance requirements
    • Examples: Center for Internet Security (CIS), EU-US Privacy Shield certified
AWS Config

• Assess, audit, and evaluate the configurations of AWS resources.
• Use for continuous monitoring of configurations.
• Automatically evaluate recorded configurations versus desired configurations.
• Review configuration changes.
• View detailed configuration histories.
• Simplify compliance auditing and security analysis.

(Screenshot: example AWS Config Dashboard view.)
AWS Artifact

• Is a resource for compliance-related information
• Provides access to security and compliance reports, and select online agreements
• Can access example downloads:
  • AWS ISO certifications
  • Payment Card Industry (PCI) and Service Organization Control (SOC) reports
• Access AWS Artifact directly from the AWS Management Console
  • Under Security, Identity & Compliance, click Artifact.
Section 6 key takeaways

• AWS security compliance programs provide information about the policies, processes, and controls that are established and operated by AWS.
• AWS Config is used to assess, audit, and evaluate the configurations of AWS resources.
• AWS Artifact provides access to security and compliance reports.
Module 4: AWS Cloud Security

Module wrap-up
Module summary

In summary, in this module you learned how to:


• Recognize the shared responsibility model
• Identify the responsibility of the customer and AWS
• Recognize IAM users, groups, and roles
• Describe different types of security credentials in IAM
• Identify the steps to securing a new AWS account
• Explore IAM users and groups
• Recognize how to secure AWS data
• Recognize AWS compliance programs

Complete the knowledge check
Sample exam question

Which of the following is AWS's responsibility under the AWS shared responsibility model?

A. Configuring third-party applications
B. Maintaining physical hardware
C. Securing application access and data
D. Managing custom Amazon Machine Images (AMIs)
Additional resources

• AWS Cloud Security home page
• AWS Security Resources
• AWS Security Blog
• Security Bulletins
• Vulnerability and Penetration testing
• AWS Well-Architected Framework – Security pillar
• AWS documentation - IAM Best Practices
Thank you

© 2019 Amazon Web Services, Inc. or its affiliates. All rights reserved. This work may not be reproduced or redistributed, in whole or in part, without
prior written permission from Amazon Web Services, Inc. Commercial copying, lending, or selling is prohibited. Corrections or feedback on the course,
please email us at: aws-course-feedback@[Link]. For all other questions, contact us at: [Link] All
trademarks are the property of their owners.
