Week 6 AcademyCloudFoundations_Module_04-Security

The AWS Academy Cloud Foundations Module 4 focuses on AWS Cloud Security, covering the shared responsibility model, IAM, and securing AWS accounts and data. It emphasizes the division of security responsibilities between AWS and customers, detailing the roles of IAM users, groups, and policies for managing access to AWS resources. The module includes activities, demonstrations, and knowledge checks to reinforce learning objectives related to cloud security principles and compliance.
AWS Academy Cloud Foundations

Module 4: AWS Cloud Security


Module overview

Topics
• AWS shared responsibility model
• AWS Identity and Access Management (IAM)
• Securing a new AWS account
• Securing accounts
• Securing data on AWS
• Working to ensure compliance

Activities
• AWS shared responsibility model activity

Demo
• Recorded demonstration of IAM

Lab
• Introduction to AWS IAM

Knowledge check
Module objectives

After completing this module, you should be able to:


• Recognize the shared responsibility model
• Identify the responsibility of the customer and AWS
• Recognize IAM users, groups, and roles
• Describe different types of security credentials in IAM
• Identify the steps to securing a new AWS account
• Explore IAM users and groups
• Recognize how to secure AWS data
• Recognize AWS compliance programs

Module 4: AWS Cloud Security

Section 1: AWS Shared Responsibility Model


Security
• Security is a consideration of every person and company
• In this course we are interested in commercial computing, but the rules are just as correct for YOU at home
• The main themes of security are CIA
  • Confidentiality
    • The data stored is secured so that only the people who need access can reach it
  • Integrity
    • The data which is stored is correct and not modified in an unauthorised way
  • Availability
    • A service which you are using will be available whenever you need it
Lack of Security - Consequences
• Consider the consequences of not following the CIA principles
• Financial impact
  • https://www.theguardian.com/business/2020/aug/06/travelex-falls-into-administration-shedding-1300-jobs
• Commercial secrets given to competitors
  • https://arstechnica.com/information-technology/2020/08/intel-is-investigating-the-leak-of-20gb-of-its-source-code-and-private-data/
• GDPR Prosecution
  • https://tech.newstatesman.com/security/firms-are-paying-hackers-millions-to-cover-up-gdpr-breaches-researchers-claim
• Loss of trust
  • https://www.bbc.co.uk/news/technology-53771942
• Expense/time to resolve
AWS shared responsibility model

AWS responsibility: Security of the cloud

AWS responsibilities:
• Physical security of data centers
  • Controlled, need-based access
  • https://www.theregister.com/2022/01/13/aws_planning_app_oxford/
• Hardware and software infrastructure
  • Storage decommissioning, host operating system (OS) access logging, and auditing
• Network infrastructure
  • Intrusion detection
• Virtualization infrastructure
  • Instance isolation

Diagram: AWS services (Compute, Storage, Database, Networking) running on the AWS Global Infrastructure (Regions, Availability Zones, Edge locations).
Customer responsibility: Security in the cloud

Customer responsibilities:
• Amazon Elastic Compute Cloud (Amazon EC2) instance operating system
  • Including patching, maintenance
• Applications
  • Passwords, role-based access, etc.
• Security group configuration
• OS or host-based firewalls
  • Including intrusion detection or prevention systems
• Network configurations
• Account management
  • Login and permission settings for each user

Diagram: Customer-configurable layers: Customer data; Applications, IAM; Operating system, network, and firewall configuration; Client-side data encryption and data integrity authentication; Server-side encryption (file system or data); Network traffic protection (encryption, integrity, identity).
Service characteristics and security responsibility

Infrastructure as a service (IaaS)
• Customer has more flexibility over configuring networking and storage settings
• Customer is responsible for managing more aspects of the security
• Customer configures the access controls
• Example services managed by the customer: Amazon EC2, Amazon Elastic Block Store (Amazon EBS), Amazon Virtual Private Cloud (Amazon VPC)

Platform as a service (PaaS)
• Customer does not need to manage the underlying infrastructure
• AWS handles the operating system, database patching, firewall configuration, and disaster recovery
• Customer can focus on managing code or data
• Example services managed by AWS: AWS Lambda, Amazon Relational Database Service (Amazon RDS), AWS Elastic Beanstalk
Service characteristics and security responsibility (continued)

Software as a service (SaaS)
• Software is centrally hosted
• Licensed on a subscription model or pay-as-you-go basis
• Services are typically accessed via web browser, mobile app, or application programming interface (API)
• Customers do not need to manage the infrastructure that supports the service
• SaaS examples: AWS Trusted Advisor, AWS Shield, Amazon Chime
Security Consideration
• A simple example to follow for the shared responsibility model is a house which YOU rent
• The landlord provides
  • Locks on double glazed windows
  • 5 point lock on the door
  • Burglar alarm
  • Security camera giving a 360 view of the property
• You then go out on Friday evening and leave the front door open!
• When you get burgled, is this the fault of the landlord?
  • Simply NO, they have provided everything; you simply did not use what is provided
• This is similar to the Shared responsibility model
  • You need to decide what is right for YOUR company in terms of security in the cloud
Shared Responsibility Summary
• Example company for security!

Activity: AWS shared responsibility model

Photo by Pixabay from Pexels.
Activity: Scenario 1 of 2
Consider this deployment. Who is responsible – AWS or the customer?

Diagram: AWS Cloud, on the AWS Global Infrastructure, with a Virtual Private Cloud (VPC) containing an Amazon EC2 instance running an Oracle instance, and an Amazon Simple Storage Service (Amazon S3) bucket.

1. Upgrades and patches to the operating system on the EC2 instance?
   • ANSWER: The customer
2. Physical security of the data center?
   • ANSWER: AWS
3. Virtualization infrastructure?
   • ANSWER: AWS
4. EC2 security group settings?
   • ANSWER: The customer
5. Configuration of applications that run on the EC2 instance?
   • ANSWER: The customer
6. Oracle upgrades or patches if the Oracle instance runs as an Amazon RDS instance?
   • ANSWER: AWS
7. Oracle upgrades or patches if Oracle runs on an EC2 instance?
   • ANSWER: The customer
8. S3 bucket access configuration?
   • ANSWER: The customer
Activity: Scenario 2 of 2
Consider this deployment. Who is responsible – AWS or the customer?

Diagram: Users with Secure Shell (SSH) keys, the AWS Management Console and the AWS Command Line Interface (AWS CLI) connect over the Internet through an internet gateway into a VPC with a subnet holding a web server on Amazon EC2; an S3 bucket with objects sits alongside.

1. Ensuring that the AWS Management Console is not hacked?
   • ANSWER: AWS
2. Configuring the subnet?
   • ANSWER: The customer
3. Configuring the VPC?
   • ANSWER: The customer
4. Protecting against network outages in AWS Regions?
   • ANSWER: AWS
5. Securing the SSH keys?
   • ANSWER: The customer
6. Ensuring network isolation between AWS customers' data?
   • ANSWER: AWS
7. Ensuring low-latency network connection between the web server and the S3 bucket?
   • ANSWER: AWS
8. Enforcing multi-factor authentication for all user logins?
   • ANSWER: The customer
Section 1 key takeaways
• AWS and the customer share security responsibilities:
  • AWS is responsible for security of the cloud
  • Customer is responsible for security in the cloud
• AWS is responsible for protecting the infrastructure—including hardware, software, networking, and facilities—that runs AWS Cloud services
• For services that are categorized as infrastructure as a service (IaaS), the customer is responsible for performing necessary security configuration and management tasks
  • For example, guest OS updates and security patches, firewall, security group configurations
Module 4: AWS Cloud Security

Section 2: AWS Identity and Access Management (IAM)

IAM: Video
AWS Identity and Access Management (IAM)

• Use IAM to manage access to AWS resources
  • A resource is an entity in an AWS account that you can work with
  • Example resources: an Amazon EC2 instance or an Amazon S3 bucket
  • Example: control who can terminate Amazon EC2 instances
• Define fine-grained access rights
  • Who can access the resource
  • Which resources can be accessed and what can the user do to the resource
  • How resources can be accessed
• IAM is a no-cost AWS account feature
IAM: Essential components

• IAM user: A person or application that can authenticate with an AWS account.
• IAM group: A collection of IAM users that are granted identical authorization.
• IAM policy: The document that defines which resources can be accessed and the level of access to each resource.
• IAM role: Useful mechanism to grant a set of permissions for making AWS service requests.
Authenticate as an IAM user to gain access

When you define an IAM user, you select what types of access the user is permitted to use.

Programmatic access
• Authenticate using:
  • Access key ID
  • Secret access key
• Provides AWS CLI and AWS SDK access (AWS CLI, AWS Tools and SDKs)

AWS Management Console access
• Authenticate using:
  • 12-digit Account ID or alias
  • IAM user name
  • IAM password
• If enabled, multi-factor authentication (MFA) prompts for an authentication code.
IAM MFA
• MFA provides increased security.
• In addition to user name and password, MFA requires a unique authentication code to access AWS services.

Diagram: User name and password, plus MFA token, grants access to the AWS Management Console.
Example of Google MFA
• Here is a screen grab of the Google MFA software
https://medium.com/@richb_/easy-two-factor-authentication-2fa-with-google-authenticator-php-108388a1ea23
Authorization: What actions are permitted
After the user or application is connected to the AWS account, what are they allowed to do?

Diagram: An IAM user, IAM group, or IAM role is granted, through IAM policies, full access to EC2 instances and read-only access to an S3 bucket.
IAM: Authorization

• Assign permissions by creating an IAM policy.
• Permissions determine which resources and operations are allowed:
  • All permissions are implicitly denied by default.
  • If something is explicitly denied, it is never allowed.

Best practice: Follow the principle of least privilege.

Note: The scope of IAM service configurations is global. Settings apply across all AWS Regions.
IAM policies

• An IAM policy is a document that defines permissions
  • Enables fine-grained access control
• Two types of policies – identity-based and resource-based
• Identity-based policies
  • Attach a policy to any IAM entity
    • An IAM user, an IAM group, or an IAM role
  • Policies specify:
    • Actions that may be performed by the entity
    • Actions that may not be performed by the entity
  • A single policy can be attached to multiple entities
  • A single entity can have multiple policies attached to it
• Resource-based policies
  • Attached to a resource (such as an S3 bucket)

Diagram: An IAM policy is attached to one of the IAM entities: IAM user, IAM group, or IAM role.
IAM policy example

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": ["DynamoDB:*", "s3:*"],
      "Resource": [
        "arn:aws:dynamodb:region:account-number-without-hyphens:table/table-name",
        "arn:aws:s3:::bucket-name",
        "arn:aws:s3:::bucket-name/*"
      ]
    },
    {
      "Effect": "Deny",
      "Action": ["dynamodb:*", "s3:*"],
      "NotResource": [
        "arn:aws:dynamodb:region:account-number-without-hyphens:table/table-name",
        "arn:aws:s3:::bucket-name",
        "arn:aws:s3:::bucket-name/*"
      ]
    }
  ]
}

• Explicit allow gives users access to a specific DynamoDB table and Amazon S3 buckets.
• Explicit deny ensures that the users cannot use any other AWS actions or resources other than that table and those buckets.
• An explicit deny statement takes precedence over an allow statement.
Resource-based policies

• Identity-based policies are attached to a user, group, or role
• Resource-based policies are attached to a resource (not to a user, group or role)
• Characteristics of resource-based policies
  • Specifies who has access to the resource and what actions they can perform on it
  • The policies are inline only, not managed
  • Resource-based policies are supported only by some AWS services

Diagram: In one AWS Account, IAM user MaryMajor has an identity-based policy attached that grants list and read objects on the photos bucket, and the S3 bucket photos has a resource-based policy, defined inline on the bucket, that grants user MaryMajor list and read objects.
IAM permissions

How IAM determines permissions:
1. Is the permission explicitly denied? Yes: Deny.
2. No: Is the permission explicitly allowed? Yes: Allow.
3. No: Deny (implicit deny).
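To make the decision order above and the allow/deny example policy concrete, here is an added example (not from the course slides, and not AWS's own evaluation engine) that applies explicit deny, then explicit allow, then implicit deny to the slide's policy; it handles the `*` wildcard and `NotResource`, and deliberately leaves out conditions, resource-based policies and permission boundaries, which real IAM also evaluates.

```python
"""Added example (not from the course slides): a small evaluator that applies
the IAM decision order (explicit deny > explicit allow > implicit deny) to the
policy from the 'IAM policy example' slide."""
import fnmatch
import json

# The slide's policy verbatim; region/account/table/bucket are its placeholders.
POLICY = json.loads("""{
  "Version": "2012-10-17",
  "Statement": [
    {"Effect": "Allow", "Action": ["DynamoDB:*", "s3:*"],
     "Resource": ["arn:aws:dynamodb:region:account-number-without-hyphens:table/table-name",
                  "arn:aws:s3:::bucket-name", "arn:aws:s3:::bucket-name/*"]},
    {"Effect": "Deny", "Action": ["dynamodb:*", "s3:*"],
     "NotResource": ["arn:aws:dynamodb:region:account-number-without-hyphens:table/table-name",
                     "arn:aws:s3:::bucket-name", "arn:aws:s3:::bucket-name/*"]}
  ]
}""")


def _as_list(value):
    return value if isinstance(value, list) else [value]


def _action_matches(patterns, action):
    # IAM action names match case-insensitively; '*' is a wildcard.
    return any(fnmatch.fnmatchcase(action.lower(), p.lower()) for p in _as_list(patterns))


def _resource_matches(statement, resource):
    # ARNs are matched case-sensitively; NotResource inverts the match.
    if "Resource" in statement:
        return any(fnmatch.fnmatchcase(resource, p) for p in _as_list(statement["Resource"]))
    if "NotResource" in statement:
        return not any(fnmatch.fnmatchcase(resource, p) for p in _as_list(statement["NotResource"]))
    return False


def evaluate(policies, action, resource):
    """Return 'Deny' or 'Allow' following the slide's flow chart."""
    allowed = False
    for policy in policies:
        for stmt in _as_list(policy["Statement"]):
            if not (_action_matches(stmt["Action"], action) and _resource_matches(stmt, resource)):
                continue
            if stmt["Effect"] == "Deny":
                return "Deny"          # an explicit deny always wins
            allowed = True             # explicit allow, unless a deny is found later
    return "Allow" if allowed else "Deny"   # nothing matched: implicit deny


if __name__ == "__main__":
    print(evaluate([POLICY], "s3:GetObject", "arn:aws:s3:::bucket-name/report.csv"))  # Allow
    print(evaluate([POLICY], "s3:GetObject", "arn:aws:s3:::other-bucket/report.csv"))  # Deny
```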
IAM groups

• An IAM group is a collection of IAM users
• A group is used to grant the same permissions to multiple users
• Permissions granted by attaching IAM policy or policies to the group
• A user can belong to multiple groups
• There is no default group
• Groups cannot be nested

Diagram: An AWS account with IAM groups Admins (Carlos Salazar, Márcia Oliveira, Richard Roe), Developers and Testers (Li Juan, Mary Major, Zhang Wei, John Stiles), with Li Juan a member of two groups.
IAM roles

• An IAM role is an IAM identity with specific permissions
• Similar to an IAM user
  • Attach permissions policies to it
• Different from an IAM user
  • Not uniquely associated with one person
  • Intended to be assumable by a person, application, or service
  • Role provides temporary security credentials
• Examples of how IAM roles are used to delegate access –
  • Used by an IAM user in the same AWS account as the role
  • Used by an AWS service—such as Amazon EC2—in the same account as the role
  • Used by an IAM user in a different AWS account than the role
Example use of an IAM role

Scenario:
• An application that runs on an EC2 instance needs access to an S3 bucket

Solution:
• Define an IAM policy that grants access to the S3 bucket.
• Attach the policy to a role
• Allow the EC2 instance to assume the role

Diagram: (1) An IAM policy that grants access to the photos bucket is attached to an IAM role; (2) the role is assumed by the EC2 instance; (3) the application on the EC2 instance now has permissions to access the Amazon S3 bucket photos.
Section 2 key takeaways
• IAM policies are constructed with JavaScript Object Notation (JSON) and define permissions.
• IAM policies can be attached to any IAM entity.
  • Entities are IAM users, IAM groups, and IAM roles.
• An IAM user provides a way for a person, application, or service to authenticate to AWS.
• An IAM group is a simple way to attach the same policies to multiple users.
• An IAM role can have permissions policies attached to it, and can be used to delegate temporary access to users or applications.

Recorded demo: IAM
Module 4: AWS Cloud Security

Section 3: Securing a new AWS account


AWS account root user access versus IAM access

• Best practice: Do not use the AWS account root user except when necessary.
• Access to the account root user requires logging in with the email address (and password) that you used to create the account.
• Example actions that can only be done with the account root user:
  • Update the account root user password
  • Change the AWS Support plan
  • Restore an IAM user's permissions
  • Change account settings (for example, contact information, allowed Regions)

Diagram: Account root user: full access to all resources; privileges cannot be controlled. IAM: granular permissions; integrates with other AWS services; identity federation; secure access for applications.
Securing a new AWS account: Account root user

Step 1: Stop using the account root user as soon as possible.
• The account root user has unrestricted access to all your resources.
• To stop using the account root user:
  1. While you are logged in as the account root user, create an IAM user for yourself. Save the access keys if needed.
  2. Create an IAM group, give it full administrator permissions, and add the IAM user to the group.
  3. Disable and remove your account root user access keys, if they exist.
  4. Enable a password policy for users.
  5. Sign in with your new IAM user credentials.
  6. Store your account root user credentials in a secure place.
Securing a new AWS account: MFA

Step 2: Enable multi-factor authentication (MFA).
• Require MFA for your account root user and for all IAM users.
• You can also use MFA to control access to AWS service APIs.
• Options for retrieving the MFA token
  • Virtual MFA-compliant applications:
    • Google Authenticator.
    • Authy Authenticator (Windows phone app).
  • U2F security key devices:
    • For example, YubiKey.
  • Hardware MFA options:
    • Key fob or display card offered by Gemalto.
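A practical way to check that Step 1 (no root access keys) and Step 2 (MFA for the root user and every console user) actually hold is to read the IAM credential report the account can generate. The following is an added example, not from the course slides or from AWS: the column names are those of the real credential report CSV, but the rows are constructed sample data for a fictitious account.

```python
"""Added example (not from the course slides): audit steps 1 and 2 of the
account-hardening list against an IAM credential report.
The column names follow the report IAM generates; the rows are constructed."""
import csv
import io

# Constructed sample using a subset of the report's columns (account ID is fictitious).
SAMPLE_REPORT = """user,arn,password_enabled,mfa_active,access_key_1_active,access_key_2_active
<root_account>,arn:aws:iam::111122223333:root,not_supported,false,true,false
admin-alice,arn:aws:iam::111122223333:user/admin-alice,true,true,true,false
ci-deploy,arn:aws:iam::111122223333:user/ci-deploy,false,false,true,false
bob,arn:aws:iam::111122223333:user/bob,true,false,false,false
"""


def _truthy(value: str) -> bool:
    return value.strip().lower() == "true"


def audit_credential_report(report_csv: str) -> list:
    """Return (user, finding) tuples; an empty list means steps 1 and 2 hold."""
    findings = []
    for row in csv.DictReader(io.StringIO(report_csv)):
        user = row["user"]
        has_keys = _truthy(row["access_key_1_active"]) or _truthy(row["access_key_2_active"])
        mfa = _truthy(row["mfa_active"])
        if user == "<root_account>":
            # Step 1: root access keys must be disabled and removed.
            if has_keys:
                findings.append((user, "root user has an active access key"))
            # Step 2: MFA is required for the root user.
            if not mfa:
                findings.append((user, "root user has no MFA device"))
        elif _truthy(row["password_enabled"]) and not mfa:
            # Step 2: every console-enabled IAM user needs MFA. Users with only
            # access keys (programmatic access) are outside this particular check.
            findings.append((user, "console user without MFA"))
    return findings


if __name__ == "__main__":
    for user, finding in audit_credential_report(SAMPLE_REPORT):
        print(f"{user}: {finding}")
```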
Securing a new AWS account: AWS CloudTrail

Step 3: Use AWS CloudTrail.
• CloudTrail tracks user activity on your account.
  • Logs all API requests to resources in all supported services in your account.
• Basic AWS CloudTrail event history is enabled by default and is free.
  • It contains all management event data for the latest 90 days of account activity.
• To access CloudTrail:
  1. Log in to the AWS Management Console and choose the CloudTrail service.
  2. Click Event history to view, filter, and search the last 90 days of events.
• To enable logs beyond 90 days and enable specified event alerting, create a trail.
  1. From the CloudTrail Console trails page, click Create trail.
  2. Give it a name, apply it to all Regions, and create a new Amazon S3 bucket for log storage.
  3. Configure access restrictions on the S3 bucket (for example, only admin users should have access).
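Once a trail delivers logs to S3, the records can be checked against the earlier steps. The following is an added example, not from the course slides or from AWS, of detection logic over CloudTrail records for two of this module's practices: root-user activity (Step 1) and console sign-ins without MFA (Step 2). The field names are those of CloudTrail's JSON record format; the events themselves are constructed samples.

```python
"""Added example (not from the course slides): flag root-user activity and
console logins without MFA in CloudTrail records. Sample events are constructed."""
import json

# Constructed sample in the shape of a CloudTrail log file ({"Records": [...]}).
SAMPLE_LOG = json.dumps({"Records": [
    {"eventTime": "2024-01-10T08:00:00Z", "eventSource": "signin.amazonaws.com",
     "eventName": "ConsoleLogin", "userIdentity": {"type": "IAMUser", "userName": "bob"},
     "sourceIPAddress": "203.0.113.10", "responseElements": {"ConsoleLogin": "Success"},
     "additionalEventData": {"MFAUsed": "No"}},
    {"eventTime": "2024-01-10T08:05:00Z", "eventSource": "signin.amazonaws.com",
     "eventName": "ConsoleLogin", "userIdentity": {"type": "IAMUser", "userName": "admin-alice"},
     "sourceIPAddress": "203.0.113.11", "responseElements": {"ConsoleLogin": "Success"},
     "additionalEventData": {"MFAUsed": "Yes"}},
    {"eventTime": "2024-01-10T09:30:00Z", "eventSource": "ec2.amazonaws.com",
     "eventName": "RunInstances",
     "userIdentity": {"type": "Root", "arn": "arn:aws:iam::111122223333:root"},
     "sourceIPAddress": "198.51.100.7"},
    {"eventTime": "2024-01-10T09:31:00Z", "eventSource": "s3.amazonaws.com",
     "eventName": "ListBuckets", "userIdentity": {"type": "IAMUser", "userName": "admin-alice"},
     "sourceIPAddress": "203.0.113.11"},
]})


def detect(log_json: str) -> list:
    """Return alert dicts for root API activity and successful console logins without MFA."""
    alerts = []
    for rec in json.loads(log_json)["Records"]:
        ident = rec.get("userIdentity", {})
        if ident.get("type") == "Root":
            # Step 1 says to stop using the root user, so any root API call deserves review.
            alerts.append({"rule": "root-activity", "time": rec["eventTime"],
                           "event": rec["eventName"], "ip": rec.get("sourceIPAddress")})
        if (rec.get("eventName") == "ConsoleLogin"
                and rec.get("responseElements", {}).get("ConsoleLogin") == "Success"
                and rec.get("additionalEventData", {}).get("MFAUsed") != "Yes"):
            # Step 2 requires MFA for all users; a successful login without it is a gap.
            alerts.append({"rule": "console-login-no-mfa", "time": rec["eventTime"],
                           "user": ident.get("userName"), "ip": rec.get("sourceIPAddress")})
    return alerts


if __name__ == "__main__":
    for alert in detect(SAMPLE_LOG):
        print(json.dumps(alert))
```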
Securing a new AWS account: Billing reports

Step 4: Enable a billing report, such as the AWS Cost and Usage Report.
• Billing reports provide information about your use of AWS resources and estimated costs for that use.
• AWS delivers the reports to an Amazon S3 bucket that you specify.
• Report is updated at least once per day.
• The AWS Cost and Usage Report tracks your AWS usage and provides estimated charges associated with your AWS account, either by the hour or by the day.
Thank you

This work may not be reproduced or redistributed, in whole or in part, without prior written permission from Amazon Web Services, Inc. Commercial copying, lending, or
selling is prohibited. Corrections or feedback on the course, please email us at: [email protected]. For all other questions, contact us at:
https://aws.amazon.com/contact-us/aws-training/. All trademarks are the property of their owners.
