Skip to content

Security - Identity

AWS security services and solutions are focused on delivering the following key strategic benefits critical to helping you implement your organization’s optimal security posture.

  • Prevent : Define user permissions and identities, infrastructure protection and data protection measures for a smooth and planned AWS adoption strategy.
  • Detect : Gain visibility into your organization’s security posture with logging and monitoring services.
  • Respond : Automate incident response and recovery to help shift the primary focus of security teams from responding to analyzing the root cause.
  • Remediate : Leverage event-driven automation to quickly remediate and secure your AWS environment in near-real time.

AWS shared responsibility

Responsability is shared between AWS and Customer

  • AWS is reponsible for security OF the Cloud.
  • AWS is reponsible for security IN the Cloud.

AWS responsibility

AWS is responsible for security of the cloud.
This means AWS protects and secures the infrastructure that runs the services offered in the AWS Cloud. AWS is responsible for:

  • Protecting and securing AWS Regions, AZs and data centers, down to the physical security of the buildings.
  • Managing the hardware, software, and networking components that run AWS services, such as the physical servers, OS, virtualization layers, and AWS networking components.

The level of responsibility AWS has depends on the service. AWS classifies services into three categories:

  • Infrastructure services : It manages the underlying infrastructure and foundation services.
  • Container services : It manages the underlying infrastructure and foundation services, OS, and application platform.
  • Abstracted services : It operates the infrastructure layer, OS, and platforms, in addition to server-side encryption and data protection.

Customer responsibility

When using any AWS service, you’re responsible for properly configuring the service and your applications, in addition to ensuring that your data is secure.

A key concept is that customers maintain complete control of their data and are responsible for managing the security related to their content.
For example, you are responsible for the following:

  • Choosing a Region for AWS resources in accordance with data sovereignty regulations.
  • Implementing data-protection mechanisms, such as encryption and scheduled backups.
  • Using access control to limit who can access to your data and AWS resources.

Can you do this yourself in AWS ?

  • If yes, you are likely responsible : security groups, IAM, patching EC2/database ..
  • If not, AWS is likely responsible : DCs, cabling management, patching RDS OS ...
  • Encryption is a shared responsability

AWS services for Identy

  • Amazon Cognito is a service for simple and secure user sign-up, sign-in and access control to your web and mobile apps.

  • AWS Directory Service is a managed service offering that provides directories that contain information about your organization, including users, groups, computers, and other resources.

  • AWS IAM is an AWS service that helps you manage access to your AWS account and resources.
    It also provides a centralized view of who and what are allowed inside your AWS account (authentication), and who and what have permissions to use and work with your AWS resources (authorization).

  • IAM Identity Center is a cloud SSO service that allows for the central management of SSO access to multiple AWS accounts and business applications.

IAM

Securely control individual and group access to your AWS resources.
You can manage users and their level of access to the AWS console.

Some AWS IAM features:

  • Granular permissions : You can grant different permissions to different people for different resources.
  • Identity federation : You can allow users who already have passwords elsewhere : in your corporate network or with an internet identity provider
  • Multi-factor authentication (MFA) : You can add two-factor authentication to your account and to individual users for extra security.
  • Secure access to AWS resources for applications that run on Amazon EC2 : You can use IAM features to securely provide credentials for applications
  • Shared access to your AWS account : You can grant other people permission to administer and use resources in your AWS account without having to share your password or access key.

IAM Members

  • Root User (First-time access only) : When you create an AWS account, you create an AWS account root user identity.
    • It has full administrative access to AWS.
  • IAM users : Users within your AWS account. IAM users are granted long term credentials to your AWS resources.
  • Federating existing users : You can federate those user identities into AWS.
    IAM Groups : is a collection of users. Groups allow you to specify permissions for similar types of users.

Secure Root User

To ensure the safety of the root user, follow these best practices:

  • Choose a strong password for the root user.
  • Never share your root user password or access keys with anyone.
  • Disable or delete the access keys associated with the root user.
  • Do not use the root user for administrative tasks or everyday tasks.
  • Create an admin group for administrators and assign appropriate group.
  • Create user accounts for administrators and add them to the admin group.

IAM Policies

When you create an IAM users, they can't access anything in your account until you give them permission.
You give permissions to a user by creating an identity-based policy, which is a policy that is attached to the user or a group to which the user belongs.

Policy Document example - Administrator

{
    "Version": "2022-10-15",
    "Statement": [ {
        "Effect": "Allow",
        "Action": "*",
        "Resource": "*"
    } ]
}

Policies Types

Identity-based policies are permissions policies that you attach to an IAM identity, such as an IAM user, group, or role.
They control what actions the identity can perform, on which resources, and under what condition.

  • AWS/Customer Managed policies : Standalone identity-based policies that you can attach to multiple users, groups and role.
  • Inline policies : Policies that you create and manage and that are embedded directly into a single user, group or role.

Resource-based policies are permissions policies that you attach to a resource such as an Amazon S3 bucket or an IAM role trust policy.
They control what actions a specified principal can perform on that resource and under what conditions.

  • Resource-based policies are inline policies, and there are no managed resource-based policies.

Review Security best practices in IAM

Encryption

AWS data protection services provide encryption and key management and secure data while in transit.

Protection at rest

Data at rest represents any data that you persist, or store, for any duration of time.

When encrypting data, you have two options:

  • Client-side encrytion : Encrypt data before sending it to AWS.
  • Server-side encryption : AWS encrypts data on your behalf after it has been received by the service.

Protection in transit

Data in transit is any data that gets transmitted from one system to another.
This includes communication between resources within your environment and communication between other services and your end users.

AWS services for data protection

You can use the following AWS services to encrypt data and protect data both at rest and in transit.

  • AWS KMS (Key Management Service) : is a managed service that enables you to easily create and control the keys used for cryptographic operations.

    • It provides a HA key generation, storage, management, and auditing solution that allows you to encrypt or digitally sign data within your own app.

  • CloudHSM : helps you meet corporate, contractual, and regulatory compliance requirements for data security by using dedicated hardware security module (HSM) instances within the AWS Cloud.

  • ACM (AWS Certificate Manager) : is a service that lets you easily provision, manage and deploy public and private SSL/TLS certificates.

  • Secrets Manager : is a secrets management service that helps you protect access to your applications, services and IT resources.

Security Services

Some security, protection services

AWS CloudTrail

AWS CloudTrail : Audit actions made against your applications.
It increases visibility into user and resource activity by recording AWS Console actions and API calls.

Amazon GuardDuty

GuardDuty is a threat detection service that uses ML to continuously monitor for malicious behavior.

AWS Control Tower

AWS Control Tower is a service that allows you to manage a multi-account AWS system and orchestrate several AWS services such as Organizations and IAM Identity Center.

It provides landing zones, which are environments that contain all the organizational units (OUs), users, and resources that you need to keep within compliance regulations.
Landing zones ensure best practices for security and compliance.

AWS WAF

You can define conditions by using characteristics of web requests sycg as:

  • IP that requests orignate/come from.
  • Country that requests orignate/come from.
  • values in requests headers.
  • Presence of SQL code.
  • Presenc eof script that is likely to be malicious.
  • Strings that appear in requests.

Amazon Macie

Amazon Macie uses ML and pattern matching to discover , classify, and protect sensitive data stored in S3.

  • Uses AI to recognize if S3 objects contain sensitive data such as PII, financial data.
  • Great for HIPPA and GDPR compliance.
  • Alerts you to unencrypted buckets, about public buckets.
  • Automate remediation actions using other services like Step Functions.
  • ...

Amazon Inspector - Detective

Inspector

Amazon Inspector is an automated security assessment service that helps improve the security and compliance of applications deployed on AWS.
It assesses applications for vulnerabilities or deviations from best pratices.

  • Network Assessments (VPC) : network configration analysis to checks for ports reachable from outside the VPC.
  • Host Assessments (EC2): Vulnerable software using CVE, host hardening and security best practices.
  • Inspector agent is required.

Detective

Using Detective, you can analyse, investigate and identify the Root cause of potential security issues our suspicious activities.
Detective pullls data in from AW resources and uses ML, statistical analysis and graph theory
to build a linked set of data that enables to quickly figure out the root cause of the issue.

Detective sources : it uses a number of sources including VPC Flow Logs, CloudTrail logs, GuardDuty finding, EKS audit logs ...

AWS Shield

Shield provides enhanced protection for your app running on ELB, CloudFront and Route 53 against DDos attacks.
It offers always-on, flow-based monitoring of network traffic and active application monitoring
to provide near real-time notifications of DDoS atatcks.

AWS Firewall Manager

AWS Firewall Manager is a security management service in a single pane of glass.
This allows you to centrally set up and manage firewall rules across multiple AWS accounts.

Using Firewall Manager, you can create new AWS WAF rules for your APP.
You can also mitigate DDOS attack using AWS Shield.

Store Secrets

Secrets Manager

[Secrets Manager](Secrets Manager is a service that securely stores,e ncrypts and rotates your database credentials, SSH keys, passwordsand other secrets.

  • Encryption in transit and at rest using KMS.
  • Automatically rotates credentials.
  • Apply fine-grained access control using IAM policies.
  • provides an API call to application to retrieve secret programmatically.

Parameter Store

Parameter Store is a capability of AWS Systems Manager that provides secure, hierachical storage for configuration data managemet and secrets management.
It can store data such as passwords, database strings, AMI IDs, license code as parameter values(in plain text or encrypted).

  • Free.
  • Limit to the number of parameters you can store(currently 10 000).
  • No key rotation.

Parameter Store VS Secrets Manager

  • To minimize cost : use Parameter Store
  • But if you need more than 10.000 params, key rotation, ability to generae password using CloudFormation... use Secret Manager

AWS Config

AWS Config is a fully managed service that enables you to assess, audit and evaluate the configuration of your AWS resources.

Example of usage: