Security at AWS is job zero. AWS is architected to be one of the most secure cloud environments with a host of built-in security features that allows it to eliminate most of the security overhead that is traditionally associated with IT infrastructure. Security is considered a shared responsibility between AWS and AWS customers where both of them work together to achieve their security objectives. We have looked at various services, tools, features, and third-party solutions provided by AWS to secure your assets on AWS. All customers share the following benefits of AWS security without any additional charges or resources:
An enterprise running business-critical applications on AWS cannot afford to compromise on the security of these applications or the AWS environment where these applications are running. As per Gartner, by 2020, 95% of all security breaches or incidents in cloud will be due to customer error and not from the cloud provider.
Security is a core requirement for any Information Security Management System (ISMS) to prevent information from unauthorized access; theft, deletion, integrity compromise, and so on. A typical ISMS is not required to use AWS, however, AWS has a set of best practices lined up under the following topics to address widely adopted approaches for ensuring security for ISMS. You can use this approach if you have an ISMS in place.
For more information on best practices on securing your ISMS, refer to the AWS Security Center at https://aws.amazon.com/security/. You can also use AWS Security Center for staying updated with the most common security issues and solutions to address these issues.
Security by design: There are the following two broad aspects of security in AWS:
Security by design is a four-phase systematic approach to ensure continuous security, compliance, and real-time auditing at scale. It is applicable for the security of AWS environment that allows for automation of security controls and streamlined audit processes. It allows customers to imbibe security and compliance reliably coded into AWS account. The following are four-phases of the Security by design approach:
Security in AWS is distributed at multiple layers such as AWS products and services, data security, application security, and so on. It is imperative to follow best practices for securing all such products and services to avoid getting your resources compromised in the AWS cloud.
Security is the number one priority for AWS and it is a shared responsibility between AWS and its customers. Security is imperative for all workloads deployed in the AWS environment. In AWS, storage is cheap, it should be used to store all logs and relevant records. It is recommended to use AWS managed services and in-built reporting services as much as possible for security to offload heavy lifting and enabling automation.
In this lesson, we will go over security best practices in AWS. These best practices are a combination of AWS recommendations, as well as expert advice and most common practices to follow in order to secure your AWS environment.
Our objective is to have a minimum security baseline for our workloads in the AWS environment by following these best practices that are spread across AWS services, products, and features. These security measures allow you to get visibility into the AWS usage and AWS resources and take corrective actions when required. They also allow automation at multiple levels, such as at the infrastructure level or at the application level to enable continuous monitoring and continuous compliance for all workloads deployed in AWS along with all AWS resources used in your AWS account.
We will learn about security best practices for the following topics:
We will also look at Cloud Adoption Framework (CAF) that helps organizations embarking on their cloud journey with standards, best practices, and so on.
We will learn about the security perspective of CAF along with the following four components:
One of the first and most important requirements and security best practice to follow is to know about the AWS shared security responsibility model. Ensure that all stakeholders understand their share of security in AWS.
AWS is responsible for the security of cloud and underlying infrastructure that powers AWS cloud, and customers are responsible for security in the cloud, for anything they put in, and build on top of the AWS global infrastructure.
It is imperative to have clear guidelines about this shared security responsibility model in your organization. Identify resources that fall under your share of responsibilities, define activities that you need to perform, and publish a schedule of these activities to all stakeholders. The following figure shows the AWS shared security responsibility model:
IAM provides secure access control in your AWS environment to interact with AWS resources in a controlled manner:
3.145.40.189