AWS Security: An Introduction to your Cloud Computing Security
Shared Responsibility Model
Think that you can safeguard data and prevent hacking simply by enabling a security service and paying the monthly bill? Think again. Security in the cloud is a shared responsibility between AWS and the customer. AWS is responsible for “Security of the Cloud,” while customers are responsible for “Security in the Cloud.” AWS calls this dichotomy its “shared responsibility model.” For its part, AWS takes care of cloud physical infrastructure such as network and storage. If you are running an Amazon EC2 instance, for example, AWS will be responsible for the facilities where physical devices are hosted, the network infrastructure, and the virtualization infrastructure. The customer, on the other hand, is responsible for securing Amazon machine images, applying operating system patches and upgrades, securing data in rest or in transit, and securing credentials. AWS also offers an identity and access management (IAM) service so organizations can implement user access management for all AWS services. It’s important to remember that the customer’s role in the shared responsibility model varies according to the cloud service—Amazon VPC, Amazon S2 or Amazon EC2—they are planning to use.
Identity and Access Management: Basic Terminology and Best Practices
Identity and access management is an AWS service and extremely important for AWS Security that helps you approve and deny user access to various AWS resources. IAM ensures complete role-based access and control, ensuring that only authorized individuals can access resources. For example, if an individual is allowed to read, create, or edit a file, it depends on the access that has been granted to her. When you log in to your AWS account for the first time, by default you use root or super admin credentials. As a best practice, do not use root credentials for performing any non-administrative or administrative activity. Instead, create individual users or groups to perform specific tasks. Important IAM features include: letting others use your AWS account and resources without using your passwords, multi-factor authentication, identity federation, and a log trail of users who made requests to your resources in the AWS account. Finally, IAM is completely free: AWS does not charge user fees for the service. Below are several important IAM best practices to secure your AWS resources:- Grant least privilege: Make sure to grant minimum required permissions to individuals based on the task at hand. If the same individual has to perform additional activity later, privileges should be granted at that point in time instead of up front.
- Rotate credentials periodically: For your AWS security, there should be a clear requirement for all IAM users to regularly change their passwords and access keys. This will limit collateral damage in case of a password leak.
- MFA for high privilege users: All users with access to sensitive resources should use multi-factor authentication; they should also use one-time passwords along with a normal log-in username and password.
- Audit and remove unused credentials: In order to optimize your AWS security, there should be regular identification and deletion of unused credentials, passwords or access keys You can fetch the used credential details from the AWS console, or by downloading the credential report.
- Strong password policy: Administrators should define a strong password policy to minimize the possibility of a brute-force attack. All users must abide by this policy.
