When implementing different AWS services and architecting them within your environments, whether it be production, test or dev, do you know your security responsibilities for these services?
It is very likely that you are using services from three different classifications, which each have very different boundaries for enforcing security between the customer and AWS.
These classifications are:
- Infrastructure services
- Container services
- Abstract services
The level of responsibility for these services is defined within three different AWS Shared Responsibility Models, and when using AWS it is essential that you understand your level of responsibility for applying security.
This course focuses on Container and Abstract services. The primary Container services we look at are: RDS, EMR and Elastic Beanstalk and the primary Abstract services include: S3, DynamoDB, SQS and Glacier.
The lectures within this course will define and guide you through the following areas to help you apply the correct level of security to your Container and Abstract services.
What are AWS Abstract & Container Services?: This lecture provides you with a clear understanding of what abstract and container services are within AWS. There is a clear divide between the two which must be understood, as the split of security responsibilities is a key difference between them.
Security Controls: Data at Rest and In Transit: Here we take a look at some of the available options and best practices to help you maintain the integrity and protection of your data when at rest, in transit, and held within a number of container and abstract services.
Security Controls: Network Segmentation: In this lecture we look at how network infrastructure and architecture can be used to connect to, and restrict access to, our container and abstract services, increasing security through a number of different controls.
Identity & Access Management: IAM is heavily used by both container and abstract services and plays a key part in authentication and authorisation for access and management. This lecture looks at how IAM can be used to protect access across your services.
Built-in Service Security Controls: This lecture briefly looks at some of the service-specific security controls that may not have been covered in the previous lectures, which you can leverage to help secure your data and environment.
If you have thoughts or suggestions for this course, please contact Cloud Academy at support@cloudacademy.com.
Hello, and welcome to this short lecture, where we are going to take a look at a couple of the security controls that are built into different services and are available for you to configure and implement.
When using the service, you should look at how to correctly architect and implement the service using all of the features that are available to you, and helpful to meet your requirements. Many of the services within AWS have specialized components that can greatly enhance the security of your data. And as such, they should be explored.
Security of your data isn't always about encryption or preventing people from accessing it. Availability is one of the three classic goals of information security alongside confidentiality and integrity, so data security also means ensuring that the data is there, intact, when you need to access it. Durability, the assurance that stored data is not lost, and availability, the assurance that you can reach it, both contribute to the security of your data.
RDS offers a feature that lets you set your database up in readiness for a failover. It is an optional element you configure when you create the database, and it is called Multi-AZ, short for Multiple Availability Zones. When you enable Multi-AZ, RDS automatically provisions a standby copy of your primary database in a different availability zone and keeps it synchronously replicated. If the primary becomes unavailable, for example because of an instance failure or an availability zone outage, RDS automatically updates the DNS record for the database endpoint so that traffic is redirected to the standby, which is promoted to become the new primary. Your application keeps using the same endpoint name; it only has to reconnect after the failover, so make sure your clients do not cache DNS answers beyond the record's TTL. This significantly enhances the reliability of your data within the database, securing its availability and durability. One caveat: a standby is not a backup. A bad application write or an accidental DROP TABLE is replicated to the standby just as faithfully as good data, which is why backups still matter.
With RDS being a managed service, it also provides automated backups and snapshots. Automated backups enable point-in-time recovery, which lets you restore the database to any point within the backup retention period, a value you configure between 1 and 35 days. Be careful with that setting: a retention period of 0 turns automated backups off altogether, and automated backups are discarded when the instance is deleted unless you choose to retain them. In addition to these automated backups, you can create a snapshot of your entire database; a snapshot is a manual action initiated by a user and is kept until you explicitly delete it. Once you have a snapshot you can copy it to another region, which also gives you a copy outside the blast radius of a regional incident, and if required create a new database instance from it. Note that a copy of an encrypted snapshot must be re-encrypted with a KMS key that lives in the destination region.
S3 also has a number of built-in functionalities to help protect your data, including Multi-Factor Authentication Delete, known as MFA Delete. MFA Delete enforces an additional security measure when someone tries to permanently delete an object version from a bucket, or to change the versioning state of the bucket itself. If a user wants to perform one of those actions, then not only does that identity have to have the required delete permission for the object or bucket, they also have to supply, with the request, a six-digit code from an additional MFA device, virtual or physical, together with that device's serial number. A few points worth knowing: MFA Delete only works on a bucket that has versioning enabled; it can only be switched on by the bucket owner signed in as the account's root user; and an ordinary delete of an object without a version ID still succeeds without MFA, because on a versioned bucket that only adds a delete marker rather than destroying any data. The protection is against permanent loss, not against hiding an object behind a delete marker.
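The following Python is added here as an example and is not part of this course or of any AWS tooling. It turns the controls discussed for RDS (Multi-AZ and automated backups) and for S3 (MFA Delete) into an audit check that you could run against real API output. The responses it inspects are hand-built to mirror the shape boto3 returns from rds.describe_db_instances and s3.get_bucket_versioning, so it runs offline; the instance identifiers and bucket names are made up, and the seven-day minimum retention is an assumed policy value, not an AWS default.

```python
"""Audit RDS and S3 configuration for the built-in controls above:
RDS Multi-AZ, automated backups (point-in-time recovery) and S3 MFA Delete.
All input below is constructed sample data shaped like boto3 responses;
no AWS account is contacted."""

from typing import Dict, List

# Constructed sample shaped like rds.describe_db_instances(). The
# identifiers are invented for this example.
RDS_RESPONSE = {
    "DBInstances": [
        {"DBInstanceIdentifier": "orders-prod", "MultiAZ": True,
         "BackupRetentionPeriod": 7},
        {"DBInstanceIdentifier": "reports-prod", "MultiAZ": False,
         "BackupRetentionPeriod": 7},
        # A retention period of 0 disables automated backups entirely,
        # so point-in-time recovery is not available for this instance.
        {"DBInstanceIdentifier": "scratch-dev", "MultiAZ": False,
         "BackupRetentionPeriod": 0},
    ]
}

# Constructed samples shaped like s3.get_bucket_versioning(), keyed by
# bucket name. A bucket that has never had versioning configured returns
# neither the Status nor the MFADelete key.
S3_VERSIONING = {
    "finance-archive": {"Status": "Enabled", "MFADelete": "Enabled"},
    "web-assets": {"Status": "Enabled", "MFADelete": "Disabled"},
    "tmp-uploads": {},
}

MIN_RETENTION_DAYS = 7  # assumed organisational policy, not an AWS default


def audit_rds(response: Dict,
              min_retention: int = MIN_RETENTION_DAYS) -> Dict[str, List[str]]:
    """Return {instance_id: [findings]} for instances missing a control.
    Instances with no findings are omitted from the result."""
    findings: Dict[str, List[str]] = {}
    for db in response.get("DBInstances", []):
        problems: List[str] = []
        if not db.get("MultiAZ", False):
            problems.append("Multi-AZ disabled: no standby for automatic failover")
        retention = db.get("BackupRetentionPeriod", 0)
        if retention == 0:
            problems.append("automated backups disabled: no point-in-time recovery")
        elif retention < min_retention:
            problems.append(
                f"backup retention {retention}d is below policy minimum {min_retention}d")
        if problems:
            findings[db["DBInstanceIdentifier"]] = problems
    return findings


def audit_mfa_delete(versioning_by_bucket: Dict[str, Dict]) -> Dict[str, str]:
    """Return {bucket: reason} for buckets where MFA Delete is not enforced."""
    findings: Dict[str, str] = {}
    for bucket, cfg in versioning_by_bucket.items():
        if cfg.get("Status") != "Enabled":
            # MFA Delete can only be set on a bucket with versioning enabled.
            findings[bucket] = "versioning not enabled, so MFA Delete is impossible"
        elif cfg.get("MFADelete") != "Enabled":
            findings[bucket] = "versioning enabled but MFA Delete not enabled"
    return findings


if __name__ == "__main__":
    for instance, problems in audit_rds(RDS_RESPONSE).items():
        for problem in problems:
            print(f"RDS {instance}: {problem}")
    for bucket, reason in audit_mfa_delete(S3_VERSIONING).items():
        print(f"S3 {bucket}: {reason}")
```

To run this against a real account you would replace the two constructed dictionaries with the output of `boto3.client("rds").describe_db_instances()` and, per bucket, `boto3.client("s3").get_bucket_versioning(Bucket=name)`. Remediating the S3 finding cannot be scripted from an ordinary IAM principal: `put_bucket_versioning` with `VersioningConfiguration={"Status": "Enabled", "MFADelete": "Enabled"}` must be called as the root user and carry the `MFA` parameter, whose value is the device serial number, a space, and the current code.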
In this short lecture, I just wanted to give a couple of examples of how different services, whether they are container-based or abstract, provide an additional level of security. Beyond all of the other security features within AWS that help protect you, remember that there are also features and components within each individual service that you can use to add further levels of security to your environment.
Understand what your services are truly capable of, and what each of their features are. The likelihood is that there are unused features that would be of benefit to your AWS infrastructure.
That brings us to the end of this lecture. Coming up next, we will take a look at our previous lectures to summarize what we've learned.
Lectures:
- AWS Security Best Practices
- AWS Abstract and Container Services
- AWS Encryption at rest and in transit
- Network segmentation
- Identity and Access Management
- Built-in Service Security Controls
- Summary
Stuart has been working within the IT industry for two decades covering a huge range of topic areas and technologies, from data center and network infrastructure design, to cloud architecture and implementation.
To date, Stuart has created 150+ courses relating to Cloud reaching over 180,000 students, mostly within the AWS category and with a heavy focus on security and compliance.
Stuart is a member of the AWS Community Builders Program for his contributions towards AWS.
He is AWS certified and accredited in addition to being a published author covering topics across the AWS landscape.
In January 2016 Stuart was awarded ‘Expert of the Year Award 2015’ from Experts Exchange for his knowledge share within cloud services to the community.
Stuart enjoys writing about cloud technologies and you will find many of his articles within our blog pages.