AWS CCP Certification Essentials Part-08 (Security and Compliance concepts and IAM)

Shared Responsibility Model

Cloud computing has revolutionized the way businesses operate, providing unparalleled scalability, flexibility, and cost savings. However, it also brings new challenges to security and compliance. In the public cloud, there is a shared security responsibility between you and AWS. AWS is responsible for the security of the cloud, while you are responsible for security in the cloud.

Security of the Cloud

AWS is responsible for protecting and securing its infrastructure. This includes their global infrastructure elements such as regions, edge locations, and Availability Zones. AWS controls access to its data centres where your data resides, and maintains networking components such as generators, uninterruptible power supply (UPS) systems, computer room air conditioning (CRAC) units, fire suppression systems, and more. AWS is responsible for any managed service like RDS, S3, ECS, or Lambda, patching of host operating systems, and data access endpoints.

Security in the Cloud

While AWS takes care of the security of the cloud, you are responsible for how the services are implemented and for managing your application data. This includes managing your application data, which includes encryption options, securing your account and API calls, rotating credentials, restricting internet access from your VPCs, patching the guest operating system (OS), which includes updates and security patches, managing application security and identity and access management, network traffic protection, and scanning for and patching vulnerabilities in your code.

Shared Responsibilities

There are some security responsibilities that are shared between you and AWS. These include patch management, configuration management, awareness, and training. It is important to understand these shared responsibilities to ensure that your applications and data are secure and compliant.

Well-Architected Framework

The Well-Architected Framework is a set of best practices and design principles for running workloads in the cloud. It consists of six pillars that provide guidance on how to design, operate, and optimize reliable, secure, efficient, and cost-effective systems in the cloud.

The six pillars of the Well-Architected Framework are:

1. Operational Excellence

This pillar focuses on creating applications that effectively support production workloads. This includes planning for and anticipating failure, deploying smaller, reversible changes, scripting operations as code, and learning from failure and refining.

2. Security

This pillar focuses on putting mechanisms in place that help protect your systems and data. This includes automating security tasks, encrypting data in transit and at rest, tracking who did what and when, assigning only the least privileges required, and ensuring security at all application layers.

3. Reliability

This pillar focuses on designing systems that work consistently and recover quickly. This includes recovering from failure automatically, reducing idle resources, scaling horizontally for resilience, managing change through automation, and testing recovery procedures.

4. Performance Efficiency

This pillar focuses on the effective use of computing resources to meet system and business requirements while removing bottlenecks. This includes using serverless architectures first, using multi-region deployments, delegating tasks to a cloud vendor, and experimenting with virtual resources.

5. Cost Optimization

This pillar focuses on delivering optimum and resilient solutions at the least cost to the user. This includes utilizing consumption-based pricing, measuring overall efficiency, implementing cloud financial management, and paying only for resources your application requires.

6. Sustainability

This pillar focuses on environmental impacts, especially energy consumption and efficiency. This includes understanding your impact, establishing sustainability goals, maximizing utilization, using managed services, and reducing downstream impact.

In conclusion, security and compliance are crucial factors in the public cloud. AWS has a shared responsibility model, and it is essential to understand your responsibilities in securing your applications and data. The Well-Architected Framework provides a comprehensive set of best practices for designing and optimizing work

Identity and Access Management

As more and more businesses move their operations to the cloud, it’s important to ensure that sensitive data and resources are kept secure. Identity and Access Management (IAM) is a service provided by Amazon Web Services (AWS) that helps businesses control access to their cloud resources. In this blog post, we’ll discuss the key features of IAM and how it can be used to secure your AWS environment.

IAM is a free global service provided by AWS that allows you to define who has access to your cloud resources and what they can do with them. By controlling access to your resources, you can help prevent unauthorized access and reduce the risk of data breaches. With IAM, you can create and manage identities for users, applications, and services, and grant them the permissions they need to perform their tasks.

Identities and Access

There are two main components of IAM: Identities and Access. Identities refer to who can access your resources, while Access refers to what resources they can access. The following are the key features of Identities and Access:

1. Identities:

• Root User: When you first create an AWS account, you begin with an identity known as the root user. The root user has complete access to all AWS resources and services.
• Individual Users: An IAM user is an identity that you create in AWS. It represents the person or application that interacts with AWS services and resources. By default, when you create a new IAM user in AWS, it has no permissions associated with it.
• Groups: An IAM group is a collection of IAM users. When you assign an IAM policy to a group, all users in the group are granted permissions specified by the policy.
• Roles: An IAM role is an identity that you can assume to gain temporary access to permissions.

2. Access:

• Policies: An IAM policy is a JSON document that allows or denies permissions to AWS services and resources. IAM policies enable you to customize users’ levels of access to resources.
• AWS Managed Policies: AWS Managed Policies are pre-built policies that can be attached to users, groups, or roles. They cover common use cases, such as providing access to Amazon S3 buckets or DynamoDB tables.
• Customer Managed Policies: Customer Managed Policies are policies that you create and manage yourself. They can be attached to users, groups, or roles, and can be customized to meet your specific needs.
• Permissions Boundaries: Permissions Boundaries are policies that define the maximum permissions that a user or role can have. They can be used to enforce the principle of least privilege.

Authentication (“Who”) vs. Authorization (“What”)

In the world of cybersecurity, two terms that are often used interchangeably are authentication and authorization. However, they refer to different concepts. Authentication is the process of identifying yourself to a system. This can be done through a username, password, biometrics, or other means. Authorization, on the other hand, is the process of granting or denying access to resources based on your identity.

The Principle of Least Privilege

The principle of least privilege is an important concept in cybersecurity. It means that users should only be granted the minimum access necessary to perform their job functions. This reduces the risk of unauthorized access to sensitive information and resources. For example, if an employee only needs access to a specific folder in a network, they should not be given access to the entire network.

AWS Account Root User

Root user privileges

When you first create an AWS account, you begin with an identity known as the root user. This user has complete access to all resources in the account and should be used sparingly. The root user is accessed by signing in with the email address and password that you used to create your AWS account. It is important to create additional users and assign them specific permissions to limit the use of the root user.

IAM Users

IAM stands for Identity and Access Management. An IAM user is an identity that you create in AWS. It represents the person or application that interacts with AWS services and resources. It consists of a name and credentials. By default, when you create a new IAM user in AWS, it has no permissions associated with it. You must assign specific permissions to an IAM user to grant access to AWS resources.

IAM Policies

Example Policy

An IAM policy is a JSON document that allows or denies permissions to AWS services and resources. IAM policies enable you to customize users’ levels of access to resources. These policies can be attached to IAM users, groups, and roles.

IAM Groups

Sample IAM users and Groups diagram

An IAM group is a collection of IAM users. When you assign an IAM policy to a group, all users in the group are granted permissions specified by the policy. Assigning IAM policies at the group level also makes it easier to adjust permissions when an employee transfers to a different job. For example, if an employee moves from the finance department to the marketing department, you can remove them from the finance group and add them to the marketing group, which has different permissions.

IAM Roles

An IAM role is an identity that you can assume to gain temporary access to permissions. Before an IAM user, application, or service can assume an IAM role, they must be granted permission to switch to the role. When someone assumes an IAM role, they abandon all previous permissions that they had under a previous role and assume the permissions of the new role. This allows for greater flexibility and security in granting temporary access to resources.

IAM Credential Report

The IAM credential report is a useful tool for auditing and compliance. It lists all users in your account and the status of their various credentials. This includes passwords, access keys, and MFA devices. By regularly reviewing this report, you can ensure that all users have strong credentials and are using MFA for added security. Additionally, it can help you identify and remediate any potential security risks.

In conclusion, AWS provides many tools and features to manage access and security. Understanding the concepts of authentication, authorization, the principle of least privilege, IAM users, groups, roles, policies, and the IAM credential report can help you to better secure your AWS environment. It is important to regularly review and update your security settings to ensure that your resources are protected.

That’s a good introduction “Security and Compliance” in AWS. Now we have put our foot into the deep waters 😁. Hope you have enjoyed this article! 😁 We will meet again with the next chapter. Cheers!! 🍻

References

AWS IAM | Identity and Access Management | Amazon Web Services

Security best practices in IAM

IAM user groups

IAM roles

Change the AWS Config Credential Report Frequency Trigger | AWS re:Post

AWS IAM | Identity and Access Management | Amazon Web Services

Shared Responsibility Model - Amazon Web Services (AWS)

https://d1.awsstatic.com/whitepapers/architecture/AWS_Well-Architected_Framework.pdf