Considering the importance of security in everything digital, the role of Security Architect/Specialist is a growing specialization in the cloud industry. If you are looking to further develop your understanding of AWS Security (or maybe you want to become an AWS Security specialist), you may be struggling with where to begin. I’ll admit, given the amount of information and the complexity of the topic, it can be difficult to know what to study and in what order. That’s exactly the challenge that I’ll tackle for you in this post: 3 steps to becoming an AWS Security Specialist.
Personally, I’ve always had a keen interest in security. Because it’s constantly evolving, there is always so much to learn. As new threats and exposures are discovered, new barriers, guards, and protective measures have to be designed and implemented.
Security is about much more than just data protection. In fact, it is a key element in a wide range of areas, some of which can be classified as follows:
I’ve been particularly interested in how AWS provides and implements different security mechanisms to help us as customers secure the integrity, confidentiality, and availability of data we store within AWS.
AWS is devoted to developing new security services (and enhancing existing services) to increase the level of security that can be applied. In addition to the management services that are available, AWS offers a myriad of ways to help us optimize, control, monitor, and manage our infrastructure covering the areas mentioned above.
Step 1: Security Fundamentals
Knowing where to start all depends on the level of your current AWS knowledge. To appeal to the wider audience, I will suggest steps for increasing your AWS security knowledge from the perspective of someone who is fairly new to AWS. By doing so, you can take away what you need depending on your AWS experience, or you can use it as a starting point to becoming an AWS Security specialist.
Before you start to immerse yourself in the world of AWS security, I feel it’s important to gain a solid understanding of some of the fundamentals of the AWS architecture and its core services. For example:
- An understanding of the AWS Global Infrastructure
- The Shared Responsibility Models
- Different design patterns
- Encryption solutions
- Access Control methods
- Network connectivity configurations
- Some common AWS services such as VPC, EC2, S3, EBS, CloudTrail, and IAM
These topics are mainly covered by the AWS Solution Architect – Associate certification. By understanding these elements, you’ll have a solid foundation of the AWS infrastructure and framework and how services are architected. It’s important to have this awareness from a security standpoint as you need to know about any penetration points within the AWS infrastructure.
Step 2: Essential AWS Security Services
Next, I would focus on increasing your knowledge and awareness of the different security services that AWS offers. Today, the following services fall under the category of ‘Security, Identity, & Compliance,’ which would be a good place to start.
- Identity & Access Management (IAM)
- IAM allows you to control who and what can access your AWS resources and when through the use of identities, permissions, and a series of authentication and authorization methods.
- Amazon Inspector
- This helps you find security vulnerabilities within your EC2 instances and any applications running on them during any stage of development and deployment.
- AWS Certificate Manager
- Certificate Manager handles the responsibility of creating and managing SSL/TLS certificates for your web applications and sites.
- AWS Directory Service
- This service allows your directory-aware resources and workloads to use managed Active Directory within your environment.
- AWS WAF & Shield
- The WAF service helps prevent websites and web applications from being maliciously attacked by common web attack patterns such as SQL injection and cross-site scripting.
- Shield protects your web applications from Distributed Denial of Service (DDoS) attacks.
- AWS Artifact Portal
- Artifact provides on-demand access to security and compliance reports and select online agreements.
Although the following two services do not fall within the same console category as the ones above, these are also critical services for encrypting your data:
- AWS Key Management Service (KMS)
- This service allows you to easily encrypt your data with protected keys that cannot be exposed to anyone in plain text. The service is regionally based across all AZs in the region, making it highly available with full auditing functions to encrypt your data at AWS and within your applications.
- AWS CloudHSM
- Hardware Security Module, or HSM, is another service that encrypts your data with protected keys. With this dedicated appliance, you control the encryption keys and cryptographic operations performed by the HSM.
For each of the services listed above, you will want to understand the following:
- What the service does and what it is used for
- What it provides you from a security perspective
- When and where you might use the service
- How the service works by understanding the components within it and how they interact with each other and other services
Each service provides a very different function and feature set. One service that you will want to master is IAM. Because it tightly integrates with many of the other AWS services, a full understanding of IAM will help you manage access security throughout your entire AWS architecture.
These are not the only services that can help you mitigate, monitor, and manage security threats and exposures within your environment. In addition, I highly recommend at least an awareness of the following services, which can also be used to help mitigate security issues and help from an audit and governance perspective:
- AWS CloudTrail
- AWS CloudTrail gives you have the ability to capture and log AWS API calls made by users and/or services.
- AWS Config
- AWS Config provides visibility of your entire AWS infrastructure from a configuration perspective. It also acts as a resource inventory and a compliance checker, and it can manage configuration changes of your resources.
- Amazon CloudWatch
- CloudWatch is a monitoring service for cloud resources and the applications you run on AWS. CloudWatch can collect metrics, set and manage alarms, and automatically react to changes in your AWS resources.
- AWS Trusted Advisor
- Trusted Advisor is an AWS support tool that assists with cost reduction, performance optimization, and security improvements.
Although not defined as security services in their own right, these management services provide a level of monitoring, logging, analysis, and auditing to help you identify potential security threats and breaches and to align with specific compliance and governance controls. As mentioned earlier, monitoring and compliance are closely tied to cloud security.
To gain an upper hand in detecting, minimizing, and preventing any kind of security breach, you need to be able to track, log, and analyze as much as you can within your environment.
In addition to the services already mentioned, there is also a large number of built-in, service-specific security mechanisms that you will want to be familiar with, for example:
- Simple Storage Service (S3): Bucket Policies, Access Control Lists (ACLs), Lifecycle Policies, MFA Delete, Encryption (Server-Side, Client-Side), Access Logs
- Elastic Compute Cloud (EC2): Key Pairs, Access Keys, Security Groups
- Virtual Private Cloud (VPC): Network Access Control Lists (NACLs), Route Tables, Subnet design
- CloudFront: HMAC-SHA1 signatures, SSL enabled endpoints, Geo restriction
AWS has detailed information on service-specific security in this whitepaper on AWS Security.
Step 3: Other Security topics
As you start to navigate some of the topics and services recommended here, you will probably come across other security principles and methodologies (not just specific to AWS).
Here is just a sampling of other topics that you’ll want to understand in order to architect, design, and implement stronger security within your AWS environment:
- Encryption: Different encryption methods, how encryption works, encryption protocols, encryption of data in transit and at rest
- Layered Security: How to architect layered security and design methods from application-level to physical-level security
- Attack Methods: Distributed Denial of Service (DDos), SQL Injection, Cross-site scripting, etc.
- Risk Management: How to manage, mitigate and control risks, implement contingencies, and understand consequences
- Governance, Compliance & Certifications: For example, PCI DSS, HIPAA, SOC, FedRAMP, CSA, etc.
To fully understand and master all of the different services and security topics mentioned here will take a lot of time and effort. Trust me, it’s worth it.
Organizations will always need to protect their data and services running in the cloud, and they will continue to invest in services and professionals who fully understand those services, to ensure that their business data is not compromised in any way.
If you’re ready to start building your skills as an AWS Security specialist, I would highly recommend starting with the courses and learning paths linked throughout this post. In addition to these, I would also recommend taking the following learning paths:
The Cloud Academy Blog is also a great resource for different AWS Security topics, many of which I have written myself.
I also highly recommend reading AWS’s own security whitepapers.
If you have any questions, please leave them in the comments and I’ll be happy to answer them.
7 Key Cybersecurity Threats to Cloud Computing
When businesses consider cloud computing, one of the major advantages often cited is the fact that it can make your business more secure. In fact, in recent years many businesses have chosen to migrate to the cloud specifically for its security benefits. So, it might surprise you to lea...
DevSecOps: How to Secure DevOps Environments
Security has been a friction point when discussing DevOps. This stems from the assumption that DevOps teams move too fast to handle security concerns. This makes sense if Information Security (InfoSec) is separate from the DevOps value stream, or if development velocity exceeds the band...
Top 10 Things Cybersecurity Professionals Need to Know
There has been an increase in data breaches over the recent years. With almost 143 million Americans who have had their data compromised in data breaches. These breaches include all sorts of sensitive data, including financial information, election controversies, social security, just t...
AWS Fundamentals: Understanding Compute, Storage, Database, Networking & Security
If you are just starting out on your journey toward mastering AWS cloud computing, then your first stop should be to understand the AWS fundamentals. This will enable you to get a solid foundation to then expand your knowledge across the entire AWS service catalog. It can be both d...
The Convergence of DevOps
IT has changed over the past 10 years with the adoption of cloud computing, continuous delivery, and significantly better telemetry tools. These technologies have spawned an entirely new container ecosystem, demonstrated the importance of strong security practices, and have been a catal...
How DevOps Increases System Security
The perception of DevOps and its role in the IT industry has changed over the last five years due to research, adoption, and experimentation. Accelerate: The Science of Lean Software and DevOps by Gene Kim, Jez Humble, and Nicole Forsgren makes data-backed predictions about how DevOps p...
New Security & Compliance Service: AWS Security Hub
This morning’s Andy Jassy keynote was followed by the announcement of over 20 new services across a spectrum of AWS categories, including those in Security and Compliance, Database, Machine Learning, and Storage. One service that jumped out to me was the AWS Security Hub, currently...
Interview: Q&A with John Visneski
Security is a top priority for organizations of all types, with research firm IDC projecting 10% spending growth to $91 billion dollars in 2018. For leadership, security is important considering the cost, regulation, and reputation at stake when breaches occur. According to a joint ...
Building Security Teams in a Competitive Talent Market: These Are The Droids You’re Looking for
John Visneski is the Head of Security and DPO at The Pokemon Company International. If you missed the webinar we organized in collaboration with John Visneski you can still watch it on demand, simply click here. The reasoning behind the popularity of this perspective is clear, if no...
Microsoft Ignites Cloud Industry With Nadella Keynote
On Monday, Microsoft kicked off its Ignite conference, an annual gathering of developers and IT professionals. Over the next week, attendees will learn about upcoming Microsoft innovations in IoT, artificial intelligence, machine learning, and cloud (all while getting some good networki...
4 Reasons You Need to Include Business Stakeholders in Cloud Training
Digital transformation is changing how organizations in every industry approach their business strategy, serving as the foundation of their technology initiatives. Chief among this includes cloud adoption, which is not just a path to IT savings, but also increasingly where companies are...
Build a Security Culture Within Your Organization
At this year’s AWS Summit Sydney, I was invited to speak about security culture and share a few practical examples of how organizations can build a positive security culture through increased visibility and enablement at all levels. But, what is a positive security culture? At Xero, we...