Considering the importance of security in everything digital, the role of Security Architect/Specialist is a growing specialization in the cloud industry. If you are looking to further develop your understanding of AWS Security (or maybe you want to become an AWS Security specialist), you may be struggling with where to begin. I’ll admit, given the amount of information and the complexity of the topic, it can be difficult to know what to study and in what order. That’s exactly the challenge that I’ll tackle for you in this post: 3 steps to becoming an AWS Security Specialist.
Personally, I’ve always had a keen interest in security. Because it’s constantly evolving, there is always so much to learn. As new threats and exposures are discovered, new barriers, guards, and protective measures have to be designed and implemented.
Security is about much more than just data protection. In fact, it is a key element in a wide range of areas, some of which can be classified as follows:
I’ve been particularly interested in how AWS provides and implements different security mechanisms to help us as customers secure the integrity, confidentiality, and availability of data we store within AWS.
AWS is devoted to developing new security services (and enhancing existing services) to increase the level of security that can be applied. In addition to the management services that are available, AWS offers a myriad of ways to help us optimize, control, monitor, and manage our infrastructure covering the areas mentioned above.
Step 1: Security Fundamentals
Knowing where to start all depends on the level of your current AWS knowledge. To appeal to the wider audience, I will suggest steps for increasing your AWS security knowledge from the perspective of someone who is fairly new to AWS. By doing so, you can take away what you need depending on your AWS experience, or you can use it as a starting point to becoming an AWS Security specialist.
Before you start to immerse yourself in the world of AWS security, I feel it’s important to gain a solid understanding of some of the fundamentals of the AWS architecture and its core services. For example:
- An understanding of the AWS Global Infrastructure
- The Shared Responsibility Models
- Different design patterns
- Encryption solutions
- Access Control methods
- Network connectivity configurations
- Some common AWS services such as VPC, EC2, S3, EBS, CloudTrail, and IAM
These topics are mainly covered by the AWS Solution Architect – Associate certification. By understanding these elements, you’ll have a solid foundation of the AWS infrastructure and framework and how services are architected. It’s important to have this awareness from a security standpoint as you need to know about any penetration points within the AWS infrastructure.
Step 2: Essential AWS Security Services
Next, I would focus on increasing your knowledge and awareness of the different security services that AWS offers. Today, the following services fall under the category of ‘Security, Identity, & Compliance,’ which would be a good place to start.
- Identity & Access Management (IAM)
- IAM allows you to control who and what can access your AWS resources and when through the use of identities, permissions, and a series of authentication and authorization methods.
- Amazon Inspector
- This helps you find security vulnerabilities within your EC2 instances and any applications running on them during any stage of development and deployment.
- AWS Certificate Manager
- Certificate Manager handles the responsibility of creating and managing SSL/TLS certificates for your web applications and sites.
- AWS Directory Service
- This service allows your directory-aware resources and workloads to use managed Active Directory within your environment.
- AWS WAF & Shield
- The WAF service helps prevent websites and web applications from being maliciously attacked by common web attack patterns such as SQL injection and cross-site scripting.
- Shield protects your web applications from Distributed Denial of Service (DDoS) attacks.
- AWS Artifact Portal
- Artifact provides on-demand access to security and compliance reports and select online agreements.
Although the following two services do not fall within the same console category as the ones above, these are also critical services for encrypting your data:
- AWS Key Management Service (KMS)
- This service allows you to easily encrypt your data with protected keys that cannot be exposed to anyone in plain text. The service is regionally based across all AZs in the region, making it highly available with full auditing functions to encrypt your data at AWS and within your applications.
- AWS CloudHSM
- Hardware Security Module, or HSM, is another service that encrypts your data with protected keys. With this dedicated appliance, you control the encryption keys and cryptographic operations performed by the HSM.
For each of the services listed above, you will want to understand the following:
- What the service does and what it is used for
- What it provides you from a security perspective
- When and where you might use the service
- How the service works by understanding the components within it and how they interact with each other and other services
Each service provides a very different function and feature set. One service that you will want to master is IAM. Because it tightly integrates with many of the other AWS services, a full understanding of IAM will help you manage access security throughout your entire AWS architecture.
These are not the only services that can help you mitigate, monitor, and manage security threats and exposures within your environment. In addition, I highly recommend at least an awareness of the following services, which can also be used to help mitigate security issues and help from an audit and governance perspective:
- AWS CloudTrail
- AWS CloudTrail gives you have the ability to capture and log AWS API calls made by users and/or services.
- AWS Config
- AWS Config provides visibility of your entire AWS infrastructure from a configuration perspective. It also acts as a resource inventory and a compliance checker, and it can manage configuration changes of your resources.
- Amazon CloudWatch
- CloudWatch is a monitoring service for cloud resources and the applications you run on AWS. CloudWatch can collect metrics, set and manage alarms, and automatically react to changes in your AWS resources.
- AWS Trusted Advisor
- Trusted Advisor is an AWS support tool that assists with cost reduction, performance optimization, and security improvements.
Although not defined as security services in their own right, these management services provide a level of monitoring, logging, analysis, and auditing to help you identify potential security threats and breaches and to align with specific compliance and governance controls. As mentioned earlier, monitoring and compliance are closely tied to cloud security.
To gain an upper hand in detecting, minimizing, and preventing any kind of security breach, you need to be able to track, log, and analyze as much as you can within your environment.
In addition to the services already mentioned, there is also a large number of built-in, service-specific security mechanisms that you will want to be familiar with, for example:
- Simple Storage Service (S3): Bucket Policies, Access Control Lists (ACLs), Lifecycle Policies, MFA Delete, Encryption (Server-Side, Client-Side), Access Logs
- Elastic Compute Cloud (EC2): Key Pairs, Access Keys, Security Groups
- Virtual Private Cloud (VPC): Network Access Control Lists (NACLs), Route Tables, Subnet design
- CloudFront: HMAC-SHA1 signatures, SSL enabled endpoints, Geo restriction
AWS has detailed information on service-specific security in this whitepaper on AWS Security.
Step 3: Other Security topics
As you start to navigate some of the topics and services recommended here, you will probably come across other security principles and methodologies (not just specific to AWS).
Here is just a sampling of other topics that you’ll want to understand in order to architect, design, and implement stronger security within your AWS environment:
- Encryption: Different encryption methods, how encryption works, encryption protocols, encryption of data in transit and at rest
- Layered Security: How to architect layered security and design methods from application-level to physical-level security
- Attack Methods: Distributed Denial of Service (DDos), SQL Injection, Cross-site scripting, etc.
- Risk Management: How to manage, mitigate and control risks, implement contingencies, and understand consequences
- Governance, Compliance & Certifications: For example, PCI DSS, HIPAA, SOC, FedRAMP, CSA, etc.
To fully understand and master all of the different services and security topics mentioned here will take a lot of time and effort. Trust me, it’s worth it.
Organizations will always need to protect their data and services running in the cloud, and they will continue to invest in services and professionals who fully understand those services, to ensure that their business data is not compromised in any way.
If you’re ready to start building your skills as an AWS Security specialist, I would highly recommend starting with the courses and learning paths linked throughout this post. In addition to these, I would also recommend taking the following learning paths:
The Cloud Academy Blog is also a great resource for different AWS Security topics, many of which I have written myself.
I also highly recommend reading AWS’s own security whitepapers.
If you have any questions, please leave them in the comments and I’ll be happy to answer them.