
AWS Security Fundamentals eBook

As more organizations migrate to the cloud, security remains a top-of-mind concern. Just as in traditional IT infrastructures, data breaches in the cloud can have a range of consequences, from financial losses to damage to the brand’s reputation and a loss of market share. As one of the most widely used cloud platforms, Amazon Web Services offers a level of security that is widely recognized as stringent and solid. In this post, we’ll take a close look at what security means in the cloud. Then, we’ll dig into some of the specifics of the AWS security model, based on our AWS Security Fundamentals eBook.

Security in the cloud

Security in the cloud is different from security in a traditional IT environment, and that difference can be a significant impediment to cloud adoption. In the 2017 State of the Cloud report by InformationWeek and Interop ITX, 60% of respondents listed security as one of their top concerns about the cloud. This is no surprise. When it comes to the cloud, organizations don’t know exactly where their data or their customers’ data resides. They may know the region or availability zone, but they can’t pinpoint the physical location.
At the other end of the spectrum, those already in the cloud can become too complacent about the security they are getting (or assume they are getting) from their provider. The thinking goes, “I’m using their services, and I’ve been told they are resilient.” What they miss is that they still need to architect their own security on top of what the cloud platform provides.

Why is security important in the cloud?

Let’s look at why security is important in the first place. One of the most important reasons is to prevent unauthorized people from accessing your data. Compliance (legal or regulatory) is another. You might have data that must remain in a specific country or location. You may need to comply with standards or regulations such as ISO 27001 or PCI DSS, and those obligations might be established in your service level agreements or in your customer contracts. Your customers may have their own requirements for how their data is stored: they might want it encrypted, at rest or in transit, and they may specify particular encryption protocols or key-management arrangements that you must abide by.
You will want to take all of these factors into consideration when you’re thinking about security within the cloud.

Cloud security vs. on-premise security

Now, let’s look at how security in the cloud is different from on-premise security.
With an on-premise solution, you have more responsibility as an organization because you have full control over your infrastructure estate, which allows more nuanced control of the various aspects of security. The main difference is that everything is accessible to you. You control who has access to your facilities, buildings, and data center, and you determine who is authorized and trusted to perform installations and maintenance. You can resolve all of the issues yourself; it’s all self-contained.
In the cloud, this aspect of security is taken away from you. You are not given physical access to the provider’s data centers or availability zones.
With on-premise solutions, you can specify exactly where your data is stored. You’ll know which customer data is in which data center and which rack, even down to a particular SAN. You have full visibility of the storage and where customer data is located. In the cloud, you don’t have as much control: you know roughly where it is, but not precisely. On-premise, business continuity, disaster recovery, and items such as off-site backup management are entirely yours to architect within the facilities you have. Within AWS, by contrast, much of the underlying resilience is handled by design through its global infrastructure of regions and availability zones and its resilient services, although you still have to choose to deploy across them.

The AWS security model

Security is AWS’s number-one priority. It’s an area into which AWS pours huge capital, energy, and near-constant attention. Serving over a million customers, AWS operates security controls that are already used for audit purposes by some of the most security-sensitive customers in the world. To meet those requirements, AWS is certified and compliant across a wide range of security standards, including PCI DSS, ISO, and SOC.
AWS services are deployed and operated in the same way throughout AWS’s entire global infrastructure. This means that a single user accessing a simple S3 bucket for document backups is covered by the same security standards as the largest and most demanding corporations and government agencies.
In the cloud, responsibilities are shared between the customer (you) and your cloud provider. AWS defines the security responsibilities of each party in its Shared Responsibility Model, which lies at the foundation of AWS security. You decide how your resources are secured ‘in’ the cloud, while AWS is responsible for the security ‘of’ the cloud (the hardware, software, networking, and facilities that host and connect your resources). If you are looking for an overview of the AWS Shared Responsibility Model and the importance of security, take a look at our recent webinar on AWS security.
A solid understanding of the AWS Shared Responsibility Model makes it easier to build and maintain a highly secure and reliable environment. Without knowing where you need to step in and take control of data security, you cannot properly assess how secure your environment is.

Who is responsible?

Let’s take a closer look at who is responsible for what in the AWS Shared Responsibility Model.
AWS responsibility: AWS is responsible for what is known as Security ‘of’ the Cloud. This covers their global infrastructure elements – Regions, Availability Zones, and Edge Locations, as well as the foundations of their services covering Compute, Storage, Database, and Network.
AWS owns and controls access to the data centers where your customer data resides. This covers physical access to all hardware and networking components, and any additional data center facilities including generators, uninterruptible power supply (UPS) systems, power distribution units (PDUs), computer room air conditioning (CRAC) units, and fire suppression systems. Some of the compliance controls mentioned previously are based upon this physical access entry and control. Essentially, AWS is responsible for the components that make up the cloud; any data put ‘into’ the cloud then becomes, you guessed it, your responsibility.
Customer responsibility: With the basic cloud infrastructure secured and maintained by AWS, the responsibility for what goes into the cloud falls on you. From the bottom of the stack, this covers both client-side and server-side encryption and network traffic protection, and then moves up to the security of the operating system, network, and firewall configuration, followed by application security and identity and access management.
Which of these additional controls you implement, and how strictly, is your decision. What you choose may depend on the nature of your business or on existing controls you already have in place. We recommend applying enough controls to minimize exposure to the threats that could compromise your environment. The important point to remember is that, while AWS provides many powerful security controls, deciding how and when to apply them is not AWS’s responsibility; it is yours.
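As an added example (not from the eBook and not AWS’s own code), here is a small offline check for one of the customer-side responsibilities listed above: encryption of data in transit and at rest on an S3 bucket. It compares a constructed “weak” bucket policy, which grants access but enforces nothing, with a hardened one that adds two explicit Deny statements: one keyed on the aws:SecureTransport condition to reject plain-HTTP requests, and one keyed on a Null check of the s3:x-amz-server-side-encryption header to reject unencrypted uploads. The bucket name, account ID, and role name are hypothetical.

```python
"""
Added example (not from the eBook): an offline linter for an S3 bucket policy.
It checks two customer-side controls the Shared Responsibility Model leaves to
you: encryption in transit (deny requests over plain HTTP) and server-side
encryption at rest (deny PutObject without an SSE header).
Both policies below are constructed for illustration; the bucket name,
account ID and role name are hypothetical.
"""
import json

BUCKET = "example-backups-bucket"  # hypothetical bucket name

# Weak policy (constructed): grants access but enforces neither TLS nor SSE.
WEAK_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "AllowAppRole",
            "Effect": "Allow",
            "Principal": {"AWS": "arn:aws:iam::123456789012:role/app-role"},
            "Action": ["s3:GetObject", "s3:PutObject"],
            "Resource": f"arn:aws:s3:::{BUCKET}/*",
        }
    ],
}

# Hardened policy (constructed): the same grant plus two explicit Deny statements.
HARDENED_POLICY = {
    "Version": "2012-10-17",
    "Statement": WEAK_POLICY["Statement"] + [
        {
            # Reject any request that did not arrive over TLS.
            "Sid": "DenyInsecureTransport",
            "Effect": "Deny",
            "Principal": "*",
            "Action": "s3:*",
            "Resource": [f"arn:aws:s3:::{BUCKET}", f"arn:aws:s3:::{BUCKET}/*"],
            "Condition": {"Bool": {"aws:SecureTransport": "false"}},
        },
        {
            # Reject uploads that do not ask for server-side encryption.
            "Sid": "DenyUnencryptedPut",
            "Effect": "Deny",
            "Principal": "*",
            "Action": "s3:PutObject",
            "Resource": f"arn:aws:s3:::{BUCKET}/*",
            "Condition": {"Null": {"s3:x-amz-server-side-encryption": "true"}},
        },
    ],
}


def _as_list(value):
    """Policy fields may be a single string or a list; normalize to a list."""
    return value if isinstance(value, list) else [value]


def _denies_insecure_transport(stmt):
    """True if stmt is a Deny keyed on aws:SecureTransport being false."""
    cond = stmt.get("Condition", {}).get("Bool", {})
    return (stmt.get("Effect") == "Deny"
            and str(cond.get("aws:SecureTransport", "")).lower() == "false")


def _denies_unencrypted_put(stmt):
    """True if stmt denies s3:PutObject when the SSE header is absent (Null check)."""
    cond = stmt.get("Condition", {}).get("Null", {})
    actions = [a.lower() for a in _as_list(stmt.get("Action", []))]
    covers_put = any(a in ("s3:putobject", "s3:*") for a in actions)
    return (stmt.get("Effect") == "Deny" and covers_put
            and str(cond.get("s3:x-amz-server-side-encryption", "")).lower() == "true")


def lint_bucket_policy(policy):
    """Return a list of missing controls; an empty list means both are present.

    Accepts either a policy dict or its JSON text.
    """
    if isinstance(policy, str):
        policy = json.loads(policy)
    statements = _as_list(policy.get("Statement", []))
    findings = []
    if not any(_denies_insecure_transport(s) for s in statements):
        findings.append("no Deny for aws:SecureTransport=false (plain HTTP allowed)")
    if not any(_denies_unencrypted_put(s) for s in statements):
        findings.append("no Deny for PutObject without s3:x-amz-server-side-encryption")
    return findings


if __name__ == "__main__":
    for name, pol in (("weak", WEAK_POLICY), ("hardened", HARDENED_POLICY)):
        print(f"{name}: {lint_bucket_policy(json.dumps(pol)) or 'OK'}")
```

The linter only confirms that the two Deny statements are present; it does not evaluate the policy the way IAM does, so an Allow that reaches the bucket by another path (or a bucket ACL) still needs separate review. Note also that S3 has applied SSE-S3 to new objects by default since January 2023, so the second Deny is mainly useful when you want to require a specific option such as SSE-KMS.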

AWS Security Fundamentals eBook: Ready to learn more?

Now that you understand how security is different in the cloud, you’re probably ready to learn more about the specific security features that you need to know to get started. Our AWS Security Fundamentals eBook covers some of the most common and effective methods of implementing security in your VPC and across IAM and S3 services.
You will learn about:

  • Instance Level Security
    • AWS security groups: What they are and why they’re important
    • OS patch protocols, key pairs, and your various tenancy options
  • Network Level Security
    • Segmenting your VPC: public and private subnets
    • AWS Network ACLs and their limitations
    • How to create bastion hosts and NAT instances
    • Introduction to AWS Virtual Private Cloud peering
  • Identity & Access Management
    • Groups, roles, policies
    • Federated Access
    • AWS Trusted Advisor
  • AWS Billing Controls and AWS Linked Accounts
  • Simple Storage Service (S3) Security
  • And a complete list of resources to get you started implementing your security requirements.

Download your free copy of the AWS Security Fundamentals eBook.
