Considering the importance of security in everything digital, the role of Security Architect/Specialist is a growing specialization in the cloud industry. If you are looking to further develop your understanding of AWS Security (or maybe you want to become an AWS Security specialist), you may be struggling with where to begin. I’ll admit, given the amount of information and the complexity of the topic, it can be difficult to know what to study and in what order. That’s exactly the challenge that I’ll tackle for you in this post: 3 steps to becoming an AWS Security Specialist.
Personally, I’ve always had a keen interest in security. Because it’s constantly evolving, there is always so much to learn. As new threats and exposures are discovered, new barriers, guards, and protective measures have to be designed and implemented.
Security is about much more than just data protection. In fact, it is a key element in a wide range of areas, some of which can be classified as follows:
I’ve been particularly interested in how AWS provides and implements different security mechanisms to help us as customers secure the integrity, confidentiality, and availability of data we store within AWS.
AWS is devoted to developing new security services (and enhancing existing services) to increase the level of security that can be applied. In addition to the management services that are available, AWS offers a myriad of ways to help us optimize, control, monitor, and manage our infrastructure covering the areas mentioned above.
Step 1: Security Fundamentals
Knowing where to start all depends on the level of your current AWS knowledge. To appeal to the wider audience, I will suggest steps for increasing your AWS security knowledge from the perspective of someone who is fairly new to AWS. By doing so, you can take away what you need depending on your AWS experience, or you can use it as a starting point to becoming an AWS Security specialist.
Before you start to immerse yourself in the world of AWS security, I feel it’s important to gain a solid understanding of some of the fundamentals of the AWS architecture and its core services. For example:
- An understanding of the AWS Global Infrastructure
- The Shared Responsibility Models
- Different design patterns
- Encryption solutions
- Access Control methods
- Network connectivity configurations
- Some common AWS services such as VPC, EC2, S3, EBS, CloudTrail, and IAM
These topics are mainly covered by the AWS Solution Architect – Associate certification. By understanding these elements, you’ll have a solid foundation of the AWS infrastructure and framework and how services are architected. It’s important to have this awareness from a security standpoint as you need to know about any penetration points within the AWS infrastructure.
Step 2: Essential AWS Security Services
Next, I would focus on increasing your knowledge and awareness of the different security services that AWS offers. Today, the following services fall under the category of ‘Security, Identity, & Compliance,’ which would be a good place to start.
- Identity & Access Management (IAM)
- IAM allows you to control who and what can access your AWS resources and when through the use of identities, permissions, and a series of authentication and authorization methods.
- Amazon Inspector
- This helps you find security vulnerabilities within your EC2 instances and any applications running on them during any stage of development and deployment.
- AWS Certificate Manager
- Certificate Manager handles the responsibility of creating and managing SSL/TLS certificates for your web applications and sites.
- AWS Directory Service
- This service allows your directory-aware resources and workloads to use managed Active Directory within your environment.
- AWS WAF & Shield
- The WAF service helps prevent websites and web applications from being maliciously attacked by common web attack patterns such as SQL injection and cross-site scripting.
- Shield protects your web applications from Distributed Denial of Service (DDoS) attacks.
- AWS Artifact Portal
- Artifact provides on-demand access to security and compliance reports and select online agreements.
Although the following two services do not fall within the same console category as the ones above, these are also critical services for encrypting your data:
- AWS Key Management Service (KMS)
- This service allows you to easily encrypt your data with protected keys that cannot be exposed to anyone in plain text. The service is regionally based across all AZs in the region, making it highly available with full auditing functions to encrypt your data at AWS and within your applications.
- AWS CloudHSM
- Hardware Security Module, or HSM, is another service that encrypts your data with protected keys. With this dedicated appliance, you control the encryption keys and cryptographic operations performed by the HSM.
For each of the services listed above, you will want to understand the following:
- What the service does and what it is used for
- What it provides you from a security perspective
- When and where you might use the service
- How the service works by understanding the components within it and how they interact with each other and other services
Each service provides a very different function and feature set. One service that you will want to master is IAM. Because it tightly integrates with many of the other AWS services, a full understanding of IAM will help you manage access security throughout your entire AWS architecture.
These are not the only services that can help you mitigate, monitor, and manage security threats and exposures within your environment. In addition, I highly recommend at least an awareness of the following services, which can also be used to help mitigate security issues and help from an audit and governance perspective:
- AWS CloudTrail
- AWS CloudTrail gives you have the ability to capture and log AWS API calls made by users and/or services.
- AWS Config
- AWS Config provides visibility of your entire AWS infrastructure from a configuration perspective. It also acts as a resource inventory and a compliance checker, and it can manage configuration changes of your resources.
- Amazon CloudWatch
- CloudWatch is a monitoring service for cloud resources and the applications you run on AWS. CloudWatch can collect metrics, set and manage alarms, and automatically react to changes in your AWS resources.
- AWS Trusted Advisor
- Trusted Advisor is an AWS support tool that assists with cost reduction, performance optimization, and security improvements.
Although not defined as security services in their own right, these management services provide a level of monitoring, logging, analysis, and auditing to help you identify potential security threats and breaches and to align with specific compliance and governance controls. As mentioned earlier, monitoring and compliance are closely tied to cloud security.
To gain an upper hand in detecting, minimizing, and preventing any kind of security breach, you need to be able to track, log, and analyze as much as you can within your environment.
In addition to the services already mentioned, there is also a large number of built-in, service-specific security mechanisms that you will want to be familiar with, for example:
- Simple Storage Service (S3): Bucket Policies, Access Control Lists (ACLs), Lifecycle Policies, MFA Delete, Encryption (Server-Side, Client-Side), Access Logs
- Elastic Compute Cloud (EC2): Key Pairs, Access Keys, Security Groups
- Virtual Private Cloud (VPC): Network Access Control Lists (NACLs), Route Tables, Subnet design
- CloudFront: HMAC-SHA1 signatures, SSL enabled endpoints, Geo restriction
AWS has detailed information on service-specific security in this whitepaper on AWS Security.
Step 3: Other Security topics
As you start to navigate some of the topics and services recommended here, you will probably come across other security principles and methodologies (not just specific to AWS).
Here is just a sampling of other topics that you’ll want to understand in order to architect, design, and implement stronger security within your AWS environment:
- Encryption: Different encryption methods, how encryption works, encryption protocols, encryption of data in transit and at rest
- Layered Security: How to architect layered security and design methods from application-level to physical-level security
- Attack Methods: Distributed Denial of Service (DDos), SQL Injection, Cross-site scripting, etc.
- Risk Management: How to manage, mitigate and control risks, implement contingencies, and understand consequences
- Governance, Compliance & Certifications: For example, PCI DSS, HIPAA, SOC, FedRAMP, CSA, etc.
To fully understand and master all of the different services and security topics mentioned here will take a lot of time and effort. Trust me, it’s worth it.
Organizations will always need to protect their data and services running in the cloud, and they will continue to invest in services and professionals who fully understand those services, to ensure that their business data is not compromised in any way.
If you’re ready to start building your skills as an AWS Security specialist, I would highly recommend starting with the courses and learning paths linked throughout this post. In addition to these, I would also recommend taking the following learning paths:
The Cloud Academy Blog is also a great resource for different AWS Security topics, many of which I have written myself.
I also highly recommend reading AWS’s own security whitepapers.
If you have any questions, please leave them in the comments and I’ll be happy to answer them.
New Content: Platforms, Programming, and DevOps – Something for Everyone
This month our team of expert certification specialists released three new or updated learning paths, 16 courses, 13 hands-on labs, and four lab challenges! New content on Cloud Academy You can always visit our Content Roadmap to see what’s just released as well as what’s coming soon....
Cloud Academy’s AWS re:Invent 2020 Recap & Highlights
Now that the dust has settled on re:Invent 2020 — probably the most uniquely delivered AWS conference ever — we think it’s high time we get you a healthy recap of the top highlights from the three weeks. After all, no one’s really asking people to pay attention to every technologica...
Docker Image Security: Get it in Your Sights
For organizations and individuals alike, the adoption of Docker is increasing exponentially with no signs of slowing down. Why is this? Because Docker provides a whole host of features that make it easy to create, deploy, and manage your applications. This useful technology is especiall...
VPN Encryption: How to Find the Best Solution
Each day there are 2.5 quintillion bytes of data created. People in all corners of the earth use the internet all day, every day. When we browse social media, conduct transactions, and search the web, we're leaving behind a digital footprint. Encryption helps you protect the data yo...
Blog Digest: Which Certifications Should I Get?, The 12 Microsoft Azure Certifications, 6 Ways to Prevent a Data Breach, and More
This month, we were excited to announce that Cloud Academy was recognized in the G2 Summer 2020 reports! These reports highlight the top-rated solutions in the industry, as chosen by the source that matters most: customers. We're grateful to have been nominated as a High Performer in se...
6 Ways to Prevent a Data Breach
The cloud is a new territory for the digital world. But with all of its benefits, there also come risks and dangers. If your business depends on the cloud to store data, you’re probably facing a number of problems about how to best secure your data. According to studies, as many as 95 p...
Blog Digest: 5 Reasons to Get AWS Certified, OWASP Top 10, Getting Started with VPCs, Top 10 Soft Skills, and More
Thank you for being a valued member of our community! We recently sent out a short survey to understand what type of content you would like us to add to Cloud Academy, and we want to thank everyone who gave us their input. If you would like to complete the survey, it's not too late. It ...
OWASP Top 10 Vulnerabilities
Over the last few years, more than 10,000 Open Web Application Security Project (OWASP) vulnerabilities have been reported into the Common Vulnerabilities and Exposures (CVE®) database each year. This is a list of common identifiers for publicly known cybersecurity vulnerabilities. Curr...
Blog Digest: AWS Breaking News, Azure DevOps, AWS Study Guide, 8 Ways to Prevent a Ransomware Attack, and More
New articles by topic AWS Azure Data Science Google Cloud Cloud Adoption Platform Updates & New Content Security Women in Tech AWS Breaking News: All AWS Certification Exams Now Available Online As an Advanced AWS Technology Partner, C...
8 Ways to Protect Your Data From a Ransomware Attack
Ransomware attacks have continued to grow both in scope and audacity over the past several years. This type of malware has become one of the biggest cybersecurity threats for enterprises, and experts predict the situation is only going to get worse. The WannaCry ransomware incident o...
Cloud Academy’s Blog Digest: How Do AWS Certifications Increase Your Employability, How to Become a Microsoft Certified Azure Data Engineer, and more
With everything going on right now, it's likely that the only thing you've been reading lately is related to the coronavirus pandemic. It's important to stay informed during these times, but it's also good to jump into something that can take your mind off of the current situation for j...
Azure Security: Best Practices You Need to Know
When it comes to Azure Security best practices, where do you begin? In a lot of ways, Azure is very similar to any other data center. But with that said, Azure can also be very different. Securing Azure can pose many unique challenges. The security of resources hosted in Azure is of the...