AcademyCloudFoundations Module 04
© 2022, Amazon Web Services, Inc. or its affiliates. All rights reserved.
Module overview
Topics
• AWS shared responsibility model
• AWS Identity and Access Management (IAM)
• Securing a new AWS account
• Securing accounts
• Securing data on AWS
• Working to ensure compliance
Activities
• AWS shared responsibility model activity
Demo
• Recorded demonstration of IAM
Lab
• Introduction to AWS IAM
Knowledge check
Module objectives
After completing this module, you should be able to:
• Recognize the shared responsibility model
• Identify the responsibility of the customer and AWS
• Recognize IAM users, groups, and roles
• Describe different types of security credentials in IAM
• Identify the steps to securing a new AWS account
• Explore IAM users and groups
• Recognize how to secure AWS data
• Recognize AWS compliance programs
Section 1: AWS shared responsibility model
Module 4: AWS Cloud Security
AWS shared responsibility model
AWS responsibility: Security of the cloud
[Diagram: AWS services]
AWS responsibilities:
• Physical security of data centers
• Controlled, need-based access
• Virtualization infrastructure
• Instance isolation
Customer responsibility: Security in the cloud
[Diagram, customer-configurable layers: Customer data; Applications, IAM; Operating system, network, and firewall configuration; Client-side data encryption and data integrity authentication; Server-side encryption (file system or data); Network traffic protection (encryption, integrity, identity)]
Customer responsibilities:
• Amazon Elastic Compute Cloud (Amazon EC2) instance operating system
  • Including patching, maintenance
• Applications
  • Passwords, role-based access, etc.
• Security group configuration
• OS or host-based firewalls
  • Including intrusion detection or prevention systems
• Network configurations
• Account management
  • Login and permission settings for each user
Service characteristics and security responsibility (1 of 2)
Activity: AWS shared responsibility model
Activity: Scenario 1 of 2
Consider this deployment. Who is responsible – AWS or the customer?
[Diagram: AWS Cloud containing a Virtual Private Cloud (VPC) with an Amazon EC2 instance and an Oracle instance, plus Amazon Simple Storage Service (Amazon S3), all on the AWS Global Infrastructure]
1. Upgrades and patches to the operating system on the EC2 instance?
2. Physical security of the data center?
3. Virtualization infrastructure?
4. EC2 security group settings?
5. Configuration of applications that run on the EC2 instance?
6. Oracle upgrades or patches if the Oracle instance runs as an Amazon RDS instance?
7. Oracle upgrades or patches if Oracle runs on an EC2 instance?
8. S3 bucket access configuration?
Activity: Scenario 1 of 2 Answers
Consider this deployment. Who is responsible – AWS or the customer?
[Diagram: AWS Cloud containing a Virtual Private Cloud (VPC) with an Amazon EC2 instance and an Oracle instance, plus Amazon Simple Storage Service (Amazon S3), all on the AWS Global Infrastructure]
1. Upgrades and patches to the operating system on the EC2 instance?
   • ANSWER: The customer
2. Physical security of the data center?
   • ANSWER: AWS
3. Virtualization infrastructure?
   • ANSWER: AWS
4. EC2 security group settings?
   • ANSWER: The customer
5. Configuration of applications that run on the EC2 instance?
   • ANSWER: The customer
6. Oracle upgrades or patches if the Oracle instance runs as an Amazon RDS instance?
   • ANSWER: AWS
7. Oracle upgrades or patches if Oracle runs on an EC2 instance?
   • ANSWER: The customer
8. S3 bucket access configuration?
   • ANSWER: The customer
Activity: Scenario 2 of 2
Consider this deployment. Who is responsible – AWS or the customer?
[Diagram: Secure Shell (SSH) keys; AWS Management Console and AWS Command Line Interface (AWS CLI); an internet gateway into a VPC with a subnet holding a web server on Amazon EC2; an S3 bucket with objects]
1. Ensuring that the AWS Management Console is not hacked?
2. Configuring the subnet?
3. Configuring the VPC?
4. Protecting against network outages in AWS Regions?
5. Securing the SSH keys?
6. Ensuring network isolation between AWS customers' data?
7. Ensuring low-latency network connection between the web server and the S3 bucket?
8. Enforcing multi-factor authentication for all user logins?
Activity: Scenario 2 of 2 Answers
Consider this deployment. Who is responsible – AWS or the customer?
[Diagram: Secure Shell (SSH) keys; AWS Management Console and AWS Command Line Interface (AWS CLI); an internet gateway into a VPC with a subnet holding a web server on Amazon EC2; an S3 bucket with objects]
1. Ensuring that the AWS Management Console is not hacked?
   • ANSWER: AWS
2. Configuring the subnet?
   • ANSWER: The customer
3. Configuring the VPC?
   • ANSWER: The customer
4. Protecting against network outages in AWS Regions?
   • ANSWER: AWS
5. Securing the SSH keys?
   • ANSWER: The customer
6. Ensuring network isolation between AWS customers' data?
   • ANSWER: AWS
7. Ensuring low-latency network connection between the web server and the S3 bucket?
   • ANSWER: AWS
8. Enforcing multi-factor authentication for all user logins?
   • ANSWER: The customer
Section 1 key takeaways
• AWS and the customer share security responsibilities:
  • AWS is responsible for security of the cloud
  • Customer is responsible for security in the cloud
• AWS is responsible for protecting the infrastructure—including hardware, software, networking, and facilities—that run AWS Cloud services
• For services that are categorized as infrastructure as a service (IaaS), the customer is responsible for performing necessary security configuration and management tasks
  • For example, guest OS updates and security patches, firewall, security group configurations
Section 2: AWS Identity and Access Management (IAM)
AWS Identity and Access Management (IAM)
• Use IAM to manage access to AWS resources:
  • A resource is an entity in an AWS account that you can work with
  • Example resources: an Amazon EC2 instance or an Amazon S3 bucket
• IAM controls which resources can be accessed and what the user can do to each resource
• IAM also controls how resources can be accessed
Authenticate as an IAM user to gain access
When you define an IAM user, you select what types of access the user is permitted to use.
Programmatic access
• Authenticate using:
  • Access key ID
  • Secret access key
• Provides AWS CLI and AWS SDK access
[Diagram: AWS CLI; AWS Tools and SDKs]
IAM MFA
• MFA provides increased security.
[Diagram: Username and password + MFA token]
After the user or application is connected to the AWS account, what are they allowed to do?
[Diagram: an IAM user, IAM group, or IAM role is granted permissions through IAM policies; for example, full access to EC2 instances and read-only access to an S3 bucket]
IAM: Authorization
• Assign permissions by creating an IAM policy.
Note: The scope of IAM service configurations is global. Settings apply across all AWS Regions.
IAM policies
• An IAM policy is a document that defines permissions
  • Enables fine-grained access control
• Two types of policies – identity-based and resource-based
• Identity-based policies – IAM entities
  • Attach a policy to any IAM entity
    • An IAM user, an IAM group, or an IAM role
  • Policies specify:
    • Actions that may be performed by the entity
    • Actions that may not be performed by the entity
  • A single policy can be attached to multiple entities
  • A single entity can have multiple policies attached to it
• Resource-based policies
  • Attached to a resource (such as an S3 bucket)
[Diagram: an IAM policy is attached to one of: IAM user, IAM group, IAM role]
IAM policy example
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": ["dynamodb:*", "s3:*"],
      "Resource": [
        "arn:aws:dynamodb:region:account-number-without-hyphens:table/table-name",
        "arn:aws:s3:::bucket-name",
        "arn:aws:s3:::bucket-name/*"
      ]
    },
    {
      "Effect": "Deny",
      "Action": ["dynamodb:*", "s3:*"],
      "NotResource": [
        "arn:aws:dynamodb:region:account-number-without-hyphens:table/table-name",
        "arn:aws:s3:::bucket-name",
        "arn:aws:s3:::bucket-name/*"
      ]
    }
  ]
}
The explicit allow gives users access to a specific DynamoDB table and to specific Amazon S3 buckets.
The explicit deny ensures that the users cannot use any other AWS actions or resources other than that table and those buckets.
An explicit deny statement takes precedence over an allow statement.
Resource-based policies
IAM permissions
How IAM determines permissions (flowchart on the slide):
  Request → Is there an explicit Deny? → Yes → Deny
          → Is there an Allow? → Yes → Allow
          → otherwise → Implicit deny
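The evaluator below is an added example, not part of the AWS course material. It implements the three outcomes of the flowchart above (explicit Deny wins, then Allow, otherwise implicit deny) for identity-based policies, including the NotResource form used in the policy example slide, and runs against a copy of that policy with constructed placeholder values (region us-east-1, account 111122223333, table orders, bucket example-bucket); conditions, principals and resource-based policies are out of scope.

```python
import fnmatch
import json

# Added example (not from the AWS course material): a minimal evaluator for
# identity-based policies. It applies the rule stated on the slides: an
# explicit Deny overrides any Allow, and with no matching Allow the request
# is implicitly denied. Conditions, principals, resource-based policies and
# permission boundaries are deliberately out of scope.

# Copy of the slide's policy with constructed placeholder values.
POLICY = json.loads("""{
  "Version": "2012-10-17",
  "Statement": [
    {"Effect": "Allow", "Action": ["dynamodb:*", "s3:*"],
     "Resource": ["arn:aws:dynamodb:us-east-1:111122223333:table/orders",
                  "arn:aws:s3:::example-bucket", "arn:aws:s3:::example-bucket/*"]},
    {"Effect": "Deny", "Action": ["dynamodb:*", "s3:*"],
     "NotResource": ["arn:aws:dynamodb:us-east-1:111122223333:table/orders",
                     "arn:aws:s3:::example-bucket", "arn:aws:s3:::example-bucket/*"]}
  ]
}""")


def _matches(patterns, value):
    # '*' and '?' wildcards, as in IAM; fnmatchcase keeps ARN comparison case-sensitive.
    return any(fnmatch.fnmatchcase(value, p) for p in patterns)


def statement_applies(stmt, action, resource):
    """True if the statement covers this action on this resource."""
    # IAM action names are case-insensitive, so compare them lowercased.
    if not _matches([a.lower() for a in stmt["Action"]], action.lower()):
        return False
    if "Resource" in stmt:
        return _matches(stmt["Resource"], resource)
    # NotResource: the statement applies to every resource NOT listed.
    return not _matches(stmt["NotResource"], resource)


def evaluate(policy, action, resource):
    """Return 'Deny' (explicit), 'Allow', or 'ImplicitDeny'."""
    decision = "ImplicitDeny"
    for stmt in policy["Statement"]:
        if not statement_applies(stmt, action, resource):
            continue
        if stmt["Effect"] == "Deny":
            return "Deny"          # explicit deny wins, stop evaluating
        decision = "Allow"         # keep looking in case a Deny follows
    return decision
```

Requests for the listed table and bucket evaluate to Allow, the same actions on any other DynamoDB or S3 resource hit the explicit Deny, and an action from a service the policy never mentions ends in implicit deny.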
IAM groups
• Permissions granted by attaching IAM policy or policies to the group
• A user can belong to multiple groups
• There is no default group
[Diagram: example users (Carlos Salazar, Li Juan, Zhang Wei, Márcia Oliveira, Mary Major, John Stiles, Richard Roe) arranged into groups; Li Juan appears in two groups]
IAM roles
• An IAM role is an IAM identity with specific permissions
• Similar to an IAM user
  • Attach permissions policies to it
• Different from an IAM user
[Diagram: IAM role]
Example use of an IAM role
Section 2 key takeaways
• IAM policies are constructed with JavaScript Object Notation (JSON) and define permissions.
• IAM policies can be attached to any IAM entity.
• Entities are IAM users, IAM groups, and IAM roles.
Recorded demo: IAM
Section 3: Securing a new AWS account
AWS account root user access versus IAM access
Securing a new AWS account: Account root user
Step 1: Stop using the account root user as soon as possible.
• The account root user has unrestricted access to all your resources.
Securing a new AWS account: MFA
Step 2: Enable multi-factor authentication (MFA).
• Require MFA for your account root user and for all IAM users.
• You can also use MFA to control access to AWS service APIs.
Securing a new AWS account: AWS CloudTrail
Step 3: Use AWS CloudTrail.
• CloudTrail tracks user activity on your account.
  • Logs all API requests to resources in all supported services in your account.
• Basic AWS CloudTrail event history is enabled by default and is free.
  • It contains all management event data for the latest 90 days of account activity.
• To access CloudTrail:
  1. Log in to the AWS Management Console and choose the CloudTrail service.
  2. Click Event history to view, filter, and search the last 90 days of events.
• To keep logs beyond 90 days and enable alerting on specified events, create a trail.
  1. From the CloudTrail console trails page, click Create trail.
  2. Give it a name, apply it to all Regions, and create a new Amazon S3 bucket for log storage.
  3. Configure access restrictions on the S3 bucket (for example, only admin users should have access).
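As an added example (not from the course), the script below turns Steps 1 to 3 into detection logic over the CloudTrail records a trail writes: it flags any activity by the account root user and any console sign-in where MFA was not used. The event records are constructed samples that follow the CloudTrail record layout (userIdentity.type, eventName, additionalEventData.MFAUsed are real record fields); the user names and account id 111122223333 are placeholders.

```python
import json

# Added example (not from the AWS course material): scan CloudTrail records
# for two conditions the account-hardening steps are meant to eliminate:
# activity by the account root user, and console sign-ins without MFA.
# The events below are constructed samples in the CloudTrail record format
# (userIdentity.type, eventName and additionalEventData.MFAUsed are real
# record fields; names and the account id are placeholders).
SAMPLE_EVENTS = [
    {"eventTime": "2022-06-01T08:00:00Z", "eventName": "ConsoleLogin",
     "eventSource": "signin.amazonaws.com",
     "userIdentity": {"type": "Root", "arn": "arn:aws:iam::111122223333:root"},
     "additionalEventData": {"MFAUsed": "No"}},
    {"eventTime": "2022-06-01T08:05:00Z", "eventName": "ConsoleLogin",
     "eventSource": "signin.amazonaws.com",
     "userIdentity": {"type": "IAMUser", "userName": "mary.major"},
     "additionalEventData": {"MFAUsed": "Yes"}},
    {"eventTime": "2022-06-01T09:10:00Z", "eventName": "ConsoleLogin",
     "eventSource": "signin.amazonaws.com",
     "userIdentity": {"type": "IAMUser", "userName": "john.stiles"},
     "additionalEventData": {"MFAUsed": "No"}},
    {"eventTime": "2022-06-01T09:12:00Z", "eventName": "CreateBucket",
     "eventSource": "s3.amazonaws.com",
     "userIdentity": {"type": "IAMUser", "userName": "mary.major"}},
]


def findings(events):
    """Return (eventTime, finding, identity) tuples, oldest first."""
    out = []
    for ev in events:
        ident = ev.get("userIdentity", {})
        who = ident.get("userName") or ident.get("arn") or ident.get("type", "?")
        # Step 1: the root user should not be used for day-to-day work at all.
        if ident.get("type") == "Root":
            out.append((ev["eventTime"], "root-user-activity:" + ev["eventName"], who))
        # Step 2: every console sign-in should carry MFA.
        if (ev.get("eventName") == "ConsoleLogin"
                and ev.get("additionalEventData", {}).get("MFAUsed") == "No"):
            out.append((ev["eventTime"], "console-login-without-mfa", who))
    return sorted(out)


def scan_records(raw_json):
    """Accept the body of a CloudTrail log file ({"Records": [...]}) as a string."""
    return findings(json.loads(raw_json)["Records"])


if __name__ == "__main__":
    for when, what, who in findings(SAMPLE_EVENTS):
        print(when, what, who)
```

On the sample data the root sign-in produces two findings (root activity and a login without MFA) and john.stiles produces one; mary.major's MFA-backed login and her CreateBucket call produce none.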
Securing a new AWS account: Billing reports
Step 4: Enable a billing report, such as the AWS Cost and Usage Report.
• Billing reports provide information about your use of AWS resources and estimated costs for that use.
• The AWS Cost and Usage Report tracks your AWS usage and provides estimated charges associated with your AWS account, either by the hour or by the day.
Section 3 key takeaways
Best practices to secure an AWS account:
• Secure logins with multi-factor authentication (MFA).
• Delete account root user access keys.
• Create individual IAM users and grant permissions according to the principle of least privilege.
• Use groups to assign permissions to IAM users.
• Configure a strong password policy.
• Delegate using roles instead of sharing credentials.
• Monitor account activity by using AWS CloudTrail.