Introduction

AWS Security Best Practices: Abstract and Container Services

Intermediate
56m

When implementing different AWS services and architecting them within your environments, whether it be production, test or dev, do you know your security responsibilities for these services?

It is very likely that you are using services from three different classifications, which each have very different boundaries for enforcing security between the customer and AWS.

These classifications are:

  1. Infrastructure services
  2. Container services
  3. Abstract services

The level of responsibility for each of these classifications is defined in a separate AWS Shared Responsibility Model, so when using AWS it is essential that you understand your own level of responsibility when it comes to applying security.

This course focuses on Container and Abstract services. The primary Container services we look at are RDS, EMR and Elastic Beanstalk; the primary Abstract services are S3, DynamoDB, SQS and Glacier.

The lectures within this course will define and guide you through the following areas to help you apply the correct level of security to your Container and Abstract services.

What are AWS Abstract & Container Services?: This lecture provides you with a clear understanding of what abstract and container services are within AWS. There is a clear divide between the two which must be understood, as the security responsibilities you retain are a key difference between them.

Security Controls: Data at Rest and In Transit: Here we take a look at some of the available options and best practices that help you maintain the integrity and protection of your data when it is at rest, in transit, and held within a number of container and abstract services.

Security Controls: Network Segmentation: In this lecture we look at how the network infrastructure and architecture can be used to connect to, and restrict access to, our container and abstract services, increasing security through a number of different controls.

Identity & Access Management: IAM is heavily used for both container and abstract services and plays a key part in authentication and authorisation for access and management. This lecture looks at how IAM can be used to help protect access across your services.

Built-in Service Security Controls: This lecture briefly looks at some of the service-specific security controls, not covered in the previous lectures, that you can leverage to help secure your data and environment.


Glossary

AES-256 Encryption: AES (Advanced Encryption Standard) is a symmetric encryption algorithm. The algorithm was developed by two Belgian cryptographers, Joan Daemen and Vincent Rijmen. AES was designed to be efficient in both hardware and software and supports a block length of 128 bits and key lengths of 128, 192, and 256 bits.

Source: aesencryption.net/

AMI: An Amazon Machine Image (AMI) provides the information required to launch an instance, which is a virtual server in the cloud. You specify an AMI when you launch an instance, and you can launch as many instances from the AMI as you need. You can also launch instances from as many different AMIs as you need.

Source: http://docs.aws.amazon.com/AWSEC2/latest/UserGuide/AMIs.html

API: In computer programming, an application programming interface (API) is a set of subroutine definitions, protocols, and tools for building application software. In general terms, it's a set of clearly defined methods of communication between various software components.

Source: https://en.wikipedia.org/wiki/Application_programming_interface

AWS CLI: The AWS Command Line Interface (CLI) is a unified tool to manage your AWS services. With just one tool to download and configure, you can control multiple AWS services from the command line and automate them through scripts.

Source: https://aws.amazon.com/cli/

CIDR: CIDR (Classless Inter-Domain Routing, sometimes called supernetting) is a way to allow more flexible allocation of Internet Protocol (IP) addresses than was possible with the original system of IP address classes.

Source: searchnetworking.techtarget.com/definition/CIDR

Hadoop: Hadoop is an open-source, Java-based programming framework that supports the processing and storage of extremely large data sets in a distributed computing environment. It is part of the Apache project sponsored by the Apache Software Foundation.

Source: searchcloudcomputing.techtarget.com/definition/Hadoop

HDFS: The Hadoop Distributed File System (HDFS) is a distributed file system designed to run on commodity hardware. It has many similarities with existing distributed file systems. However, the differences from other distributed file systems are significant. HDFS is highly fault-tolerant and is designed to be deployed on low-cost hardware.

Source: https://hadoop.apache.org/docs/r1.2.1/hdfs_design.html

HTTPS: Hyper Text Transfer Protocol Secure (HTTPS) is the secure version of HTTP, the protocol over which data is sent between your browser and the website that you are connected to. The 'S' at the end of HTTPS stands for 'Secure.' It means all communications between your browser and the website are encrypted.

Source: https://www.instantssl.com/ssl-certificate-products/https.html

Java: Java is a general-purpose computer programming language that is concurrent, class-based, object-oriented, and specifically designed to have as few implementation dependencies as possible. It is intended to let application developers "write once, run anywhere" (WORA), meaning that compiled Java code can run on all platforms that support Java without the need for recompilation.

Source: https://en.wikipedia.org/wiki/Java_(programming_language)

JSON: JSON (JavaScript Object Notation) is a minimal, readable format for structuring data. It is used primarily to transmit data between a server and web application, as an alternative to XML.

Source: developers.squarespace.com/what-is-json/

LUKS: In computing, the Linux Unified Key Setup or LUKS is a disk encryption specification created by Clemens Fruhwirth in 2004 and originally intended for Linux.

Source: https://en.wikipedia.org/wiki/Linux_Unified_Key_Setup

MFA: Multifactor authentication (MFA) is a security system that requires more than one method of authentication from independent categories of credentials to verify the user's identity for a login or other transaction.

Source: searchsecurity.techtarget.com/definition/multifactor-authentication-MFA

MS-AD: Active Directory (AD) is a directory service that Microsoft developed for Windows domain networks. It is included in most Windows Server operating systems as a set of processes and services. Initially, Active Directory was only in charge of centralized domain management.

Source: https://en.wikipedia.org/wiki/Active_Directory

NNE: Native network encryption gives you the ability to encrypt database connections, without the configuration overhead of TCP/IP and SSL/TLS and without the need to open and listen on different ports.

Source: https://oracle-base.com/articles/misc/native-network-encryption-for-database-connections

PHP: PHP (recursive acronym for PHP: Hypertext Preprocessor) is a widely-used open source general-purpose scripting language that is especially suited for web development and can be embedded into HTML.

Source: php.net/manual/en/intro-whatis.php

RDP: Remote Desktop Protocol (RDP) is a proprietary protocol developed by Microsoft, which provides a user with a graphical interface to connect to another computer over a network connection. The user employs RDP client software for this purpose, while the other computer must run RDP server software.

Source: https://en.wikipedia.org/wiki/Remote_Desktop_Protocol

SASL: Simple Authentication and Security Layer (SASL) is a framework for authentication and data security in Internet protocols.

Source: https://en.wikipedia.org/wiki/Simple_Authentication_and_Security_Layer

SDK: A software development kit (SDK or "devkit") is typically a set of software development tools that allows the creation of applications for a certain software package, software framework, hardware platform, computer system, video game console, operating system, or similar development platform.

Source: https://en.wikipedia.org/wiki/Software_development_kit

Spark: Apache Spark is a fast, in-memory data processing engine with elegant and expressive development APIs to allow data workers to efficiently execute streaming, machine learning or SQL workloads that require fast iterative access to datasets.

Source: hortonworks.com/apache/spark/

SSE-S3: Server-Side Encryption for AWS S3, allowing you to store objects in an encrypted format using the AES-256 encryption algorithm.

Source: https://aws.amazon.com/blogs/aws/new-amazon-s3-server-side-encryption/

SSH: SSH, also known as Secure Socket Shell, is a network protocol that provides administrators with a secure way to access a remote computer. SSH also refers to the suite of utilities that implement the protocol.

Source: searchsecurity.techtarget.com/definition/Secure-Shell

SSL/TLS: Transport Layer Security (TLS) and its predecessor, Secure Sockets Layer (SSL), both frequently referred to as "SSL," are cryptographic protocols that provide communications security over a computer network.

Source: https://en.wikipedia.org/wiki/Transport_Layer_Security

TCP: TCP is one of the main protocols in TCP/IP networks. Whereas the IP protocol deals only with packets, TCP enables two hosts to establish a connection and exchange streams of data. TCP guarantees delivery of data and also guarantees that packets will be delivered in the same order in which they were sent.

Source: www.webopedia.com/TERM/T/TCP.html

TDE: Transparent Data Encryption (often abbreviated to TDE) is a technology employed by Microsoft, IBM and Oracle to encrypt database files. TDE offers encryption at the file level. TDE solves the problem of protecting data at rest, encrypting databases both on the hard drive and consequently on backup media.

Source: https://en.wikipedia.org/wiki/Transparent_Data_Encryption

VPC: A virtual private cloud (VPC) is a virtual network dedicated to your AWS account. It is logically isolated from other virtual networks in the AWS cloud. You can launch your AWS resources, such as Amazon EC2 instances, into your VPC.

Source: docs.aws.amazon.com/AmazonVPC/latest/UserGuide/VPC_Introduction.html

X.509 Certificate: In cryptography, X.509 is an important standard for public key infrastructure (PKI) to manage digital certificates and public-key encryption and a key part of the Transport Layer Security protocol used to secure the web and email communication.

Source: https://en.wikipedia.org/wiki/X.509
