Main Principles of Security in AWS Cloud
While discussing the Security of Amazon Web Services which is a collection of over 200 fully managed services. The first thing that needs to be established in this case is that it is a formidable task to secure all of the resources offered by AWS at the moment. Services that are totally different in nature from each other yet overlapping in terms of communication.
Yet it is crucial for AWS Cloud users to understand the fundamental structure of Cloud Security provided by AWS. Only then they can hope to secure their resources.
Rule of Thumb of Security in AWS
Security is not one person’s responsibility it is a collective obligation for all. Hence AWS has introduced its Shared Responsibility Model for Security and Compliance. The model states that responsibility to secure AWS Resources must be shared between the following:
Security is Everyone's Job!
- Customer Responsibility
- AWS Responsibility
The Triad of AWS Cloud Security
There is no way AWS is going to stop growing its services. And in fact, AWS is also providing a great collection of Security tools as well. Which makes it feel like a great task to secure AWS resources.
Though the three hellhounds of Security for Amazon Web Services are strong enough to guard your AWS resources. These include:
- Identity Access Management (IAM)
- Virtual Private Cloud (VPC)
- Key Management Service (KMS)
As the first step is to guard the castle itself. Identity and Management System (IAM) plays a vital role as a permission management tool in controlling access to the AWS Infrastructure.
You can devise a perfect authentication system for both Users and AWS Resources (acting as API calling entities). Every single resource in AWS is accessible via API. IAM provides you with the ability to secure and authorize these API calls. IAM provides the following features that provide a complete security infrastructure required to secure every API call that can be made to or from AWS Resources:
For a further deep dive into Identity Access Management: Read this Article
Network is the most important part to secure your AWS Resources. The data transit needs to be made secure in order to make sure that your resources and your data is secure. Virtual Private Cloud is the Virtual Network that holds your AWS resources.
The network part of VPCs is a separate discussion hence in this article you will only find the security part of the VPC Networking.
- These are Stateful Firewalls.
- In terms of VPC Security they act as Instant level Firewall. Inbound Traffic is implicitly denied and you can allow traffic by ports. protocols and sources.
- Scope of Security group spans across Region.
Network Access Control List (NACL)
- These are Stateless Firewalls.
- They acts as Subnet Level Firewall. Inbound Traffic is implicitly allowed unless explicitly denied.
- Scope spans across Subnet.
AWS Key Management Service (KMS) helps you encrypt your data at rest. And it provides integration with all of the AWS resources that are going to hold your data.
KMS is capable if encrypting any data unless the service has its own encryption system like S3 which houses its own separate system of encryption specific to its own structure and functionality.
KMS has two main functions:
- To Encrypt and Decrypt your data
- To guard your Encryption Key
Encryption/Decryption of your Data
The first part is relatively easy since AWS KMS provides you three options:
- AWS Managed Keys: Where you can use AWS generated default keys to encrypt your data.
- Customer Managed Keys: Where you can generate your dedicated KMS Keys.
- BYOK (Bring Your Own Key): Third option that Amazon provides you is that you can import your own customer key.
Guarding your Data Key
For the second part AWS is responsible for keeping your keys. AWS has two ways to store your keys:
- AWS Standard Key Store: That uses envelope encryption to keep your keys safe.
- Custom Key Store: Aws provides another dedicated store service for your KMS keys. It keeps your keys safe in your own Custom Key Store that uses Cloud HSM to store your Keys.