In this post we give you the gist of the AWS security and compliance model.
AWS is responsible for securing the underlying infrastructure (security "of" the cloud), while the customer is responsible for anything they put in the cloud or connect to it (security "in" the cloud). This split is the shared responsibility model.
AWS is also responsible for the security configuration of products that are considered managed services, e.g. Amazon DynamoDB, Amazon RDS, Amazon Redshift, Amazon WorkSpaces and Amazon EMR. Even for these, the customer still owns the data stored in them and the IAM policies and network settings that control who can reach them.
IaaS :- Amazon EC2 and Amazon VPC are completely under the customer's control, so the customer has to take the steps (OS patching, security groups, network ACLs, IAM permissions) needed to make them secure and compliant.
Storage decommissioning :-
AWS uses the techniques detailed in DoD 5220.22-M (National Industrial Security Program Operating Manual) and NIST SP 800-88 (Guidelines for Media Sanitization) to destroy data on storage devices as part of the decommissioning process, so that customer data is not exposed to whoever handles the device next.
AWS Services to secure the cloud
- AWS Config :- Records the configuration of your resources over time and sends change notifications, so you can audit configuration drift and evaluate resources against rules.
- AWS Service Catalog :- Lets you centrally manage commonly deployed IT services, so users in your organization can only deploy approved products.
- Amazon GuardDuty :- Threat detection service that continuously monitors for malicious or unauthorized behavior in your AWS accounts (it analyzes CloudTrail events, VPC Flow Logs and DNS logs).
- AWS CloudHSM :- Protect your encryption keys with dedicated hardware security modules (HSMs) that you control.
- Server-side encryption (SSE) :- Lets S3 encrypt objects at rest for you, using S3-managed keys, AWS KMS keys, or keys you supply with each request.
- AWS IAM :- Secure access through IAM users, groups and roles. IAM roles can also be mapped to Active Directory groups through federation.
- Amazon Macie :- Uses machine learning to automatically discover, classify and protect sensitive data, such as data stored in S3.
- AWS CloudTrail :- Records the API calls made in your AWS account, whether from the console, the CLI or SDKs, as a JSON event log.
- AWS Artifact :- On-demand access to the AWS compliance reports produced by third-party auditors.
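CloudTrail is only useful if someone reads the records. The following is an added example, not part of the original post and not AWS code: it walks CloudTrail-format records and flags two things a reviewer would always want to see, console logins that succeeded without MFA and any activity by the account root user. The field names (userIdentity.type, additionalEventData.MFAUsed, responseElements.ConsoleLogin) follow the documented CloudTrail event format; the records, user names, account ID and IP addresses are constructed for the example.

```python
"""Flag risky sign-in and API activity in CloudTrail records.

Added example (not from the original post, not AWS code). The sample
records below are constructed; the field names follow the CloudTrail
event format.
"""
import json
from typing import Iterable

# Constructed sample: a CloudTrail log file body is {"Records": [event, ...]}.
SAMPLE_LOG = json.dumps({"Records": [
    {   # normal console login with MFA: no finding
        "eventVersion": "1.08",
        "userIdentity": {"type": "IAMUser", "userName": "alice",
                         "arn": "arn:aws:iam::123456789012:user/alice"},
        "eventTime": "2024-01-10T08:00:00Z",
        "eventSource": "signin.amazonaws.com", "eventName": "ConsoleLogin",
        "sourceIPAddress": "203.0.113.5",
        "responseElements": {"ConsoleLogin": "Success"},
        "additionalEventData": {"MFAUsed": "Yes"},
    },
    {   # successful console login without MFA: finding
        "eventVersion": "1.08",
        "userIdentity": {"type": "IAMUser", "userName": "bob",
                         "arn": "arn:aws:iam::123456789012:user/bob"},
        "eventTime": "2024-01-10T08:05:00Z",
        "eventSource": "signin.amazonaws.com", "eventName": "ConsoleLogin",
        "sourceIPAddress": "198.51.100.7",
        "responseElements": {"ConsoleLogin": "Success"},
        "additionalEventData": {"MFAUsed": "No"},
    },
    {   # API call by the root user: finding
        "eventVersion": "1.08",
        "userIdentity": {"type": "Root",
                         "arn": "arn:aws:iam::123456789012:root"},
        "eventTime": "2024-01-10T09:00:00Z",
        "eventSource": "iam.amazonaws.com", "eventName": "CreateAccessKey",
        "sourceIPAddress": "198.51.100.7",
        "responseElements": None,
    },
    {   # failed login without MFA: skipped, failures are handled elsewhere
        "eventVersion": "1.08",
        "userIdentity": {"type": "IAMUser", "userName": "carol",
                         "arn": "arn:aws:iam::123456789012:user/carol"},
        "eventTime": "2024-01-10T09:30:00Z",
        "eventSource": "signin.amazonaws.com", "eventName": "ConsoleLogin",
        "sourceIPAddress": "192.0.2.9",
        "responseElements": {"ConsoleLogin": "Failure"},
        "additionalEventData": {"MFAUsed": "No"},
    },
]})


def findings(records: Iterable[dict]) -> list[dict]:
    """Return one finding per risky record, in input order."""
    out = []
    for ev in records:
        # CloudTrail may emit these objects as JSON null, so guard with "or {}".
        ident = ev.get("userIdentity") or {}
        resp = ev.get("responseElements") or {}
        extra = ev.get("additionalEventData") or {}
        who = ident.get("arn", "<unknown>")
        base = {"actor": who, "event": ev.get("eventName"),
                "time": ev.get("eventTime"), "src": ev.get("sourceIPAddress")}
        # Root activity: the root user should be locked away and never used day to day.
        if ident.get("type") == "Root":
            out.append({"rule": "root_activity", **base})
        # Successful console login where MFA was not used.
        if (ev.get("eventName") == "ConsoleLogin"
                and resp.get("ConsoleLogin") == "Success"
                and extra.get("MFAUsed") != "Yes"):
            out.append({"rule": "console_login_without_mfa", **base})
    return out


def scan_log(text: str) -> list[dict]:
    """Parse a CloudTrail log file body and return its findings."""
    return findings(json.loads(text)["Records"])


if __name__ == "__main__":
    for f in scan_log(SAMPLE_LOG):
        print(f"{f['time']} {f['rule']:<26} {f['actor']} {f['event']} from {f['src']}")
```

In production the same logic runs over the gzipped CloudTrail objects delivered to S3 or over the events CloudTrail forwards to CloudWatch Logs; the point of the example is that the two rules need nothing but the fields CloudTrail already records.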
Network security
- You can connect to AWS service endpoints (access points) over HTTP or HTTPS; use HTTPS, which protects the session with TLS (formerly SSL), so that credentials and data are encrypted in transit.
- AWS Direct Connect :- Dedicated private network connection between your data center and AWS. Note that Direct Connect does not encrypt traffic by itself; run an IPsec VPN or TLS over it if you need encryption.
- For customers who require additional security, Amazon provides Amazon VPC, which gives you private subnets within the AWS cloud and the ability to use an IPsec VPN (virtual private network) device to build an encrypted tunnel between your VPC and your data center.
- Amazon corporate network segregation :- Logically, the Amazon production network is segregated from the Amazon corporate network by a complex set of network security and segregation devices.
Network Monitoring and Protection
Amazon protects its infrastructure against the following types of attack. This infrastructure-level protection does not replace your own security groups, network ACLs and monitoring inside your account.
DDoS :- A Denial of Service (DoS) attack is a malicious attempt to affect the availability of a targeted system, such as a website or application, to legitimate end users. Typically, attackers generate large volumes of packets or requests that ultimately overwhelm the target system. In a Distributed Denial of Service (DDoS) attack, the attacker uses multiple compromised or controlled sources to generate the traffic.
Man-in-the-middle attacks (MITM) :- In cryptography and computer security, a man-in-the-middle attack (often abbreviated MitM or MITM) is an attack where the attacker secretly relays, and possibly alters, the communication between two parties who believe they are communicating directly with each other.
IP spoofing :- A technique used to gain unauthorized access to machines, whereby an attacker impersonates another machine by manipulating IP packets: the packet header is rewritten with a forged (spoofed) source IP address, and the checksum and sequence fields are adjusted to match.
Port scanning :- A port scanner is an application designed to probe a server or host for open ports. Administrators use it to verify their network security policies; attackers use it to identify the services running on a host and then exploit their vulnerabilities.
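The definitions above describe what the attacker does; a practitioner also wants to know what the activity looks like in AWS's own network telemetry. The following is an added example, not from the original post and not AWS code: it parses VPC Flow Log records in the default version-2 format and flags a source that touches many distinct ports on one destination within a short window, which is the signature of a port scan. The log lines, the account and interface identifiers, and the thresholds PORT_THRESHOLD and WINDOW_SECONDS are constructed for the example; only the flow-log field layout is AWS's.

```python
"""Spot port scans in VPC Flow Log records.

Added example, not from the original post and not AWS code. A port scanner
touches many destination ports on one host in a short time; this script
groups flow records by (source, destination) and flags pairs that hit at
least PORT_THRESHOLD distinct ports within WINDOW_SECONDS.
"""
from collections import defaultdict
from dataclasses import dataclass

PORT_THRESHOLD = 10   # distinct ports before we call it a scan (assumed tuning)
WINDOW_SECONDS = 300  # look-back window in seconds (assumed tuning)

# Default VPC Flow Log format (version 2), space separated.
FIELDS = ("version account-id interface-id srcaddr dstaddr srcport dstport "
          "protocol packets bytes start end action log-status").split()

# Constructed sample: one scanner sweeping 13 ports on 172.31.16.21 within
# ~25 seconds (REJECTed except on the two open ports), one normal client
# talking to 443 repeatedly, and one NODATA record with no addresses.
SCANNED_PORTS = [21, 22, 23, 25, 53, 80, 110, 135, 139, 443, 445, 3389, 8080]
SAMPLE_LOG = "\n".join(
    [f"2 123456789012 eni-0a1b2c3d 198.51.100.23 172.31.16.21 {40000 + i} {p} 6 1 44 "
     f"{1700000000 + 2 * i} {1700000060 + 2 * i} {'ACCEPT' if p in (22, 443) else 'REJECT'} OK"
     for i, p in enumerate(SCANNED_PORTS)]
    + [f"2 123456789012 eni-0a1b2c3d 172.31.16.139 172.31.16.21 {50000 + i} 443 6 12 3400 "
       f"{1700000000 + 30 * i} {1700000060 + 30 * i} ACCEPT OK" for i in range(8)]
    + ["2 123456789012 eni-0a1b2c3d - - - - - - - 1700000300 1700000360 - NODATA"]
)


@dataclass
class Flow:
    src: str
    dst: str
    dport: int
    start: int
    action: str


def parse(text: str) -> list[Flow]:
    """Parse flow-log lines; skip malformed lines and NODATA/SKIPDATA records."""
    flows = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != len(FIELDS):
            continue
        rec = dict(zip(FIELDS, parts))
        if rec["log-status"] != "OK":   # no addresses/ports in these records
            continue
        flows.append(Flow(rec["srcaddr"], rec["dstaddr"], int(rec["dstport"]),
                          int(rec["start"]), rec["action"]))
    return flows


def detect_scans(flows: list[Flow], threshold: int = PORT_THRESHOLD,
                 window: int = WINDOW_SECONDS) -> dict:
    """Return {(src, dst): details} for pairs that probe >= threshold ports in a window.

    details holds the sorted distinct ports of the busiest window, how many of
    those flows were REJECTed (closed ports look like REJECT in flow logs when a
    security group drops them), and the window's first/last start times.
    """
    by_pair: dict[tuple, list[Flow]] = defaultdict(list)
    for f in flows:
        by_pair[(f.src, f.dst)].append(f)
    hits = {}
    for pair, fl in by_pair.items():
        fl.sort(key=lambda f: f.start)
        best = None
        lo = 0
        for hi in range(len(fl)):             # sliding window over start times
            while fl[hi].start - fl[lo].start > window:
                lo += 1
            win = fl[lo:hi + 1]
            ports = {f.dport for f in win}
            if len(ports) >= threshold and (best is None or len(ports) > len(best["ports"])):
                best = {"ports": sorted(ports),
                        "rejected": sum(1 for f in win if f.action == "REJECT"),
                        "first": win[0].start, "last": win[-1].start}
        if best:
            hits[pair] = best
    return hits


if __name__ == "__main__":
    for (src, dst), d in detect_scans(parse(SAMPLE_LOG)).items():
        print(f"port scan: {src} -> {dst}, {len(d['ports'])} ports "
              f"({d['rejected']} rejected) in {d['last'] - d['first']}s: {d['ports']}")
```

A high share of REJECT flows toward distinct ports is the tell; the normal client in the sample hits one port many times and is never flagged. The thresholds are deliberately parameters, because the right values depend on how chatty the monitored hosts normally are.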
AWS credential types :-
- Passwords (for console sign-in)
- Multi-factor authentication (MFA), an extra factor on top of the password
- AWS Directory Service for Microsoft Active Directory (AWS Managed Microsoft AD)
- IAM roles, which issue temporary credentials instead of long-lived keys
- Access keys (access key ID plus secret access key) for programmatic API calls
- Key pairs (SSH key pairs for EC2 instances)
- X.509 certificates :- X.509 certificates are only used to sign SOAP-based requests, which makes them a legacy mechanism today. You can have AWS create an X.509 certificate and a private key that you download, or you can upload your own certificate on the security credentials page.
Automation :-
Amazon Inspector :- An automated security assessment service. It scans the operating system and software on your instances for known vulnerabilities and deviations from best practices, and its findings point you to the patches to apply.