An Introduction to AWS Security
Amazon understands that a major concern for many organizations considering moving to public (or hybrid) clouds is security. As a result, it has taken great pains to ensure that incredible levels of security are available for your organization, including massive efforts around confidentiality, integrity, and availability (CIA). The CIA triad, or security triad, is illustrated in Figure 8-1.
Figure 8-1 The Security Triad
Next, we’ll look at some of the main approaches that Amazon takes to secure AWS.
The first is keeping customer data as safe as possible. Amazon ensures a resilient and highly available infrastructure. High levels of the latest security technologies are deployed, and strong safeguards are in place for every aspect of Amazon’s security responsibilities.
With AWS, you can take advantage of rapid innovations in security technology at scale. This includes the robust Identity and Access Management (IAM) system, encryption of data at rest and in transit, and segmentation services.
With AWS security, you pay for what you need. This permits high levels of security with controlled and elastic capacity and costs.
AWS also ensures diverse compliance support to offer adherence to governance, oversight, and automation.
In addition, AWS follows the Shared Responsibility Model, which divides responsibility clearly between the customer (you) and Amazon. This allows you to leverage Amazon’s incredible expertise in secure infrastructures and technology knowledge. However, you must have expertise in securing components within AWS services. For example, you would be responsible for patching some of your virtual machine (EC2) deployments.
Note
Amazon keeps the hardware on which your virtual machines reside highly secure.
Specific security products and features encompass a variety of tools and monitoring resources, including the following:
Robust network security: Amazon provides built-in firewalling, encryption in transit, private connectivity options, and built-in distributed denial-of-service (DDoS) mitigation.
Efficient security tools: Tools are available for management of resource commissioning and decommissioning, inventory and configuration management, and implementing best practices.
Data encryption at every level: This includes database systems, key management, hardware-based storage options, and API support.
Access control and management: Amazon offers IAM, multifactor authentication, federation support, integration of IAM into all services, and API support.
Monitoring and logging tools: Amazon provides deep visibility into API calls, log aggregation tools, alerts, and reduced risks. You can use AWS CloudTrail to monitor all actions that have transpired in and around your AWS solutions.
AWS Marketplace: Amazon offers anti-malware, intrusion prevention systems (IPSs), and policy management tools in the AWS Marketplace (see Figure 8-2).
Figure 8-2 The AWS Marketplace
AWS gives you the ability to encrypt data at every phase of its use: at rest, in transit, and in use. It also provides services that specialize in securing your workloads. Here are just some of them:
Amazon Inspector: This security assessment service helps users identify potential vulnerabilities and security issues in EC2 instances and applications. The service automates the process of assessing security and compliance by analyzing the behavior of applications, identifying common security misconfigurations, and generating detailed findings reports. Amazon Inspector simplifies the task of maintaining a secure environment by providing actionable insights, allowing you to proactively address security concerns and enhance the overall resilience of your AWS resources.
AWS Security Hub: This comprehensive security service provides a centralized view of security alerts and compliance status across multiple AWS accounts. It aggregates, organizes, and prioritizes findings from various AWS services, as well as supported third-party security tools, enabling users to efficiently manage and respond to potential security threats within AWS environments.
Amazon GuardDuty: This is a managed threat detection service that continuously monitors and analyzes the network and account activities within your AWS environment. Leveraging machine learning and threat intelligence, GuardDuty detects unusual or suspicious behavior, such as unauthorized access or malicious activity, providing real-time alerts to help you quickly respond to potential security threats. By automating the detection of security anomalies, GuardDuty helps users enhance the overall security posture of AWS resources and helps protect them against various cyber threats.
AWS Shield: AWS Shield is a managed DDoS protection service that is designed to safeguard your applications and websites from malicious and volumetric DDoS attacks. Shield provides automatic detection and mitigation of DDoS attacks, helping to ensure the availability and uninterrupted performance of applications by dynamically scaling resources and applying advanced filtering techniques to absorb and mitigate the impact of malicious traffic.