
AWS Security Fundamentals eBook

As more and more organizations migrate to the cloud, security remains a top-of-mind concern. Just as in traditional IT infrastructures, data breaches from hackers can have a range of implications in the cloud, from financial losses to damage to the brand’s reputation and a loss of market share. As one of the most widely implemented cloud platforms available, Amazon Web Services offers a level of security that is widely recognized as being stringent and solid. In this post, we’ll take a close look at what security means in the cloud. Then, we’ll dig into some of the specifics of the AWS security model, based on our AWS Security Fundamentals eBook.

Security in the cloud

Security in the cloud is obviously different from that in a traditional IT environment. This can be a significant impediment to cloud adoption. In the 2017 State of the Cloud report by InformationWeek and Interop ITX, 60% of respondents listed security as one of their top concerns about the cloud. This is no surprise. When it comes to the cloud, organizations don’t know exactly where their data or their customer data resides. They may know the region or availability zone but they won’t be able to pinpoint exactly where it exists.
On the other end of the spectrum, for those already in the cloud, they might get a bit too complacent with the security support that they are getting (or assume that they are getting) from their provider. People think, “okay I’m using their services, I’ve been told that they are resilient.” What they don’t realize is that they still need to architect some of their own security on top of what they’re getting from their cloud platform. 

Why is security important in the cloud?

Let’s look at why security is important in the first place. One of the most important reasons for security is to prevent unauthorized people from accessing your data. Compliance (legal or regulatory) is another important reason. You might have data that must remain in a specific country or location. You may need to comply with certain government regulations, such as ISO 27001, that require you to be PCI compliant, and this might be established in your service level agreements or within your customer contractual agreements. Your customers may have certain requirements for how their data is stored. They might want it to be encrypted, whether at rest or in transit. They may have other specific encryption protocols that they want you to abide by.
You will want to take all of these factors into consideration when you’re thinking about security within the cloud.

Cloud security vs. on-premise security

Now, let’s look at how security in the cloud is different from on-premise security.
With your on-premise solution, you have more responsibility as an organization because you have full control over the estate of your infrastructure, which allows more nuanced control of the various aspects of security. The main difference is that everything is accessible to you. You can control who has access to your facilities, buildings, and data center, and you determine who is authorized and trusted to perform installations and maintenance for your infrastructure. You can resolve all of the issues yourself; it’s all self-contained.
However, in the cloud, this aspect of security is taken away from you: as a customer, you are not allowed to gain access to the provider’s data centers or availability zones.
With your on-premise solutions, you can specify exactly where your data is stored. You’ll know which customer data is in which data center and which rack, even down to a particular SAN. You have full visibility of the storage and where customer data is located. In the cloud, you don’t have as much control. You know roughly where it is but not precisely. When it comes to business continuity and disaster recovery and items such as off-site backup management, that entire process is down to you to architect within the facilities that you have. Within AWS for example, much of this is handled by design from their global infrastructure and their resilient services.

The AWS security model

Security is AWS’s number-one priority in every sense. It’s an area into which AWS pours huge capital and energy and near-constant attention. Serving over a million customers, AWS’s most stringent security standards are already being used for audit purposes by the most security-sensitive customers in the world. Facing so many requirements, AWS is certified and compliant across a huge range of security standards, including PCI DSS, ISO, and SOC.
AWS Services are deployed and distributed in exactly the same way throughout their entire global infrastructure. This means that a single user accessing a simple S3 bucket for document backups is covered by the same intense security standards as the largest and most demanding corporations and governmental agencies.
In the cloud, responsibilities are shared between the customer (you) and your cloud provider. AWS defines the security responsibilities for each party in its Shared Responsibility Model, which lies at the very foundation of AWS Security. You must decide how you want your resources to sit ‘in’ the cloud, while AWS guarantees the global security ‘of’ the Cloud (i.e., the hardware they provide to host and connect your resources). If you are looking for an overview of the AWS Shared Responsibility Model and the importance of security, take a look at this recent webinar on AWS Security.
A solid understanding of the AWS Shared Responsibility Model makes it easier to build and maintain a highly secure and reliable environment. Without knowing where you need to step in and take control of data security, you cannot properly define just how secure your environment is.

Who is responsible?

Let’s take a closer look at who is responsible for what in the AWS Shared Responsibility Model.
AWS responsibility: AWS is responsible for what is known as Security ‘of’ the Cloud. This covers their global infrastructure elements – Regions, Availability Zones, and Edge Locations, as well as the foundations of their services covering Compute, Storage, Database, and Network.
AWS owns and controls access to their Data Centers where your customer data resides. This covers physical access to all hardware and networking components, and any additional Data Center facilities including generators, uninterruptible power supply (UPS) systems, power distribution units (PDUs), computer room air conditioning (CRAC) units and fire suppression systems. Some of the security compliance controls mentioned previously are based upon this physical access entry and control. Essentially, AWS is responsible for the components that make up the Cloud; any data put ‘into’ the cloud then becomes, you guessed it, your responsibility.
Customer responsibility: With the basic cloud infrastructure secured and maintained by AWS, the responsibility for what goes into the cloud falls on you. From the bottom of the stack, this covers both client- and server-side encryption and network traffic protection, and then moves up to the security of the operating system, network, and firewall configuration, followed by application security and identity and access management.
How much of this additional security you wish to implement is entirely your decision. What you choose may depend on the nature of your business or on existing controls you may already have in place. We recommend tightening security just enough to minimize exposure to external threats that could compromise your environment. The important point to remember is that, while AWS provides many powerful security controls, how and when to apply them is not AWS’s responsibility.

AWS Security Fundamentals eBook: Ready to learn more?

Now that you understand how security is different in the cloud, you’re probably ready to learn more about the specific security features that you need to know to get started. Our AWS Security Fundamentals eBook covers some of the most common and effective methods of implementing security in your VPC and across IAM and S3 services.
You will learn about:

  • Instance Level Security
    • AWS security groups: What they are and why they’re important
    • OS patch protocols, key pairs, and your various tenancy options
  • Network Level Security
    • Segmenting your VPC: public and private subnets
    • AWS Network ACLs and their limitations
    • How to create bastion hosts, NAT instances
    • Introduction to AWS Virtual Private Cloud peering
  • Identity & Access Management
    • Groups, roles, policies
    • Federated Access
    • AWS Trusted Advisor
  • AWS Billing Controls and AWS Linked Accounts
  • Simple Storage Service (S3) Security
  • And a complete list of resources to get you started implementing your security requirements.

Download your free copy of the AWS Security Fundamentals eBook.

Written by

Cloud Academy Team
