
Shared Security model

1h 59m

In this course you will learn to:

Recognize and implement secure procedures for optimum cloud deployment and maintenance.
Demonstrate the ability to implement the right architecture for development, testing, and staging environments.

Shared Security model
Compliance and best practices
Identity and Access Management (IAM)
Protecting data at Rest / In Transit
Identity Federation
Threat Mitigation
Amazon CloudFront Security

Deployment Services

Demonstrate the ability to implement the right architecture for development, testing, and staging environments.
Understand the core AWS services, their uses, and basic architecture best practices.
AWS CodeDeploy
AWS CodePipeline
AWS CodeCommit

If you have thoughts or suggestions for this course, please contact Cloud Academy at support@cloudacademy.com.


So here's our agenda for this module. We'll look at security in the cloud, the AWS shared responsibility security model, and AWS security best practices. Then we'll go into AWS Identity and Access Management, or IAM, and IAM best practices, and walk through some common delegation and identity federation use cases that crop up from time to time. We'll look at protecting data at rest and protecting data in transit, and we'll walk through detective controls such as threat mitigation and DDoS mitigation, and how to ensure we test and implement our security plan. We'll wrap up with a quick walk-through of Amazon CloudFront security, which always seems to crop up.

Security in the cloud is composed of four key areas. Number one, data protection: protecting data in transit and at rest. Number two, privilege management: controlling who has access to what, and when. Number three, infrastructure protection: ensuring the network and the base infrastructure are protected from compromise. And number four, detective controls: monitoring what happens at all levels of the environment and being able to detect and report any erroneous or unusual activity.

AWS provides a shared responsibility security model for infrastructure services. It's important you recognize and understand the shared responsibility model for the exam; questions might ask you to identify which security task would be completed by AWS and which is the responsibility of the customer. A simple way I like to remember who does what is that AWS manages security of the cloud, and customers manage security in the cloud. AWS provides a secure infrastructure and foundation for compute, storage, network, and database services. Regions, Availability Zones, and endpoints are some of the components of the AWS secure global infrastructure. That includes the facilities, the physical security of the hardware, the network, and the virtualization infrastructure. Everything on top of that is the responsibility of the customer.

So let's break this down a bit. AWS manages the security of facilities, the physical security of hardware, the network infrastructure, and the virtualization infrastructure. If we are defining an information security management plan, for example, we could consider AWS the owner of those assets for the purpose of our ISMS asset definitions. Customers are responsible for the security of Amazon Machine Images, operating systems, applications, data in transit and data at rest, data stores, credentials and policies, and, most importantly, configuration. The shared responsibility model means AWS customers are responsible for protecting the confidentiality, integrity, and availability of their data in the AWS cloud, and for meeting any business requirements for information protection. So when we apply the shared responsibility security model to the four areas of cloud security we just looked at, three of the four will be tasks customers need to do: data protection, privilege management, and monitoring are the responsibility of the customer, with AWS managing infrastructure protection. AWS provides a range of security services and tools that customers can use to secure assets within AWS services, such as server-side encryption, HSM keys, CloudWatch, and CloudTrail, to name a few. Customers retain control of what security they choose to protect their own content, platform, applications, systems, and networks. So it's by choice. AWS manages the Regions, Availability Zones, and edge locations. While AWS manages security of the cloud, security in the cloud is the responsibility of the customer.

Let's go through some common areas where people tend to get tripped up.

Data at rest and in transit is the responsibility of the customer. It's easy to assume that because AWS manages the infrastructure, they should surely manage the security of your data at rest and in transit, right? Well, customer data is the responsibility of the customer. AWS does not audit or read data volumes. It is our responsibility to ensure any data we store in AWS is encrypted and secured, in transit and at rest.

Network traffic protection is the responsibility of the customer. It is up to us to encrypt traffic in and out of our instances, so you need to enable Elastic Load Balancing to terminate or pass through SSL connections, for example. Route 53 and Elastic Load Balancers support SSL, so it's not difficult to set up HTTPS communications to protect data in transit. However, you do need to do it; it's not something AWS does for you automatically by default. So it's the responsibility of the customer.

Server-side encryption is the responsibility of the customer. Yes, AWS encrypts S3 objects as part of providing a managed service with S3. However, you need to implement EBS encryption to protect your data in volumes. Client-side data and data integrity are also the responsibility of the customer.

Operating systems are the responsibility of the customer. Yes, AWS provides machine images, and they go to great lengths to ensure those images have the latest patches and security ciphers, et cetera. But once you provision and start that machine image, it becomes your responsibility to keep it patched and secure. AWS provides services like security groups and network access control lists; however, you also need to consider running firewall appliances to protect those services from the public domain.

Platform and application management is the responsibility of the customer. Yes, AWS provides a secure platform; however, it is our responsibility to ensure it stays that way. Any platform patch or update is your responsibility, unless you are running RDS, which is a managed service, so AWS maintains things like Oracle and SQL Server patches and versions for you.

For abstracted services, such as Amazon S3 and Amazon DynamoDB, AWS operates the infrastructure layer, the operating system, and the platform, and you access the endpoints to store and retrieve data. Amazon S3 and DynamoDB are tightly integrated with IAM. You are responsible for managing your data and for using IAM tools to apply access control list (ACL) type permissions to individual resources at the platform level, or permissions based on user identity or user responsibility at the IAM user or group level. For Amazon S3, you can also use platform-provided encryption of data at rest, or platform-provided HTTPS encapsulation to protect data in transit to and from the service. Platform compliance, data encryption at rest and in transit, and auditing tools such as Amazon CloudWatch, CloudTrail, and AWS Config enable detective controls inside of that.
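As an added example, not part of the course material, here is an S3 bucket policy that enforces the customer-side controls just described for an abstracted service: it denies any request to the bucket that does not arrive over HTTPS (the `aws:SecureTransport` condition key) and denies object uploads that do not request server-side encryption (the `s3:x-amz-server-side-encryption` key). The bucket name is a placeholder you would replace with your own.

```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "DenyInsecureTransport",
      "Effect": "Deny",
      "Principal": "*",
      "Action": "s3:*",
      "Resource": [
        "arn:aws:s3:::EXAMPLE-BUCKET-PLACEHOLDER",
        "arn:aws:s3:::EXAMPLE-BUCKET-PLACEHOLDER/*"
      ],
      "Condition": {
        "Bool": { "aws:SecureTransport": "false" }
      }
    },
    {
      "Sid": "DenyUnencryptedObjectUploads",
      "Effect": "Deny",
      "Principal": "*",
      "Action": "s3:PutObject",
      "Resource": "arn:aws:s3:::EXAMPLE-BUCKET-PLACEHOLDER/*",
      "Condition": {
        "StringNotEquals": {
          "s3:x-amz-server-side-encryption": ["AES256", "aws:kms"]
        }
      }
    },
    {
      "Sid": "DenyUploadsWithoutEncryptionHeader",
      "Effect": "Deny",
      "Principal": "*",
      "Action": "s3:PutObject",
      "Resource": "arn:aws:s3:::EXAMPLE-BUCKET-PLACEHOLDER/*",
      "Condition": {
        "Null": { "s3:x-amz-server-side-encryption": "true" }
      }
    }
  ]
}
```

The third statement rejects uploads that omit the encryption header and rely on the bucket's default encryption setting instead, so drop it if you want to allow those while still forcing TLS. CloudTrail data events on the bucket will show the resulting AccessDenied errors, which is the detective side of the same control.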

About the Author
Andrew Larkin
Head of Content

Andrew is fanatical about helping business teams gain the maximum ROI possible from adopting, using, and optimizing Public Cloud Services. Having built 70+ Cloud Academy courses, Andrew has helped over 50,000 students master cloud computing by sharing the skills and experiences he gained during 20+ years leading digital teams in code and consulting. Before joining Cloud Academy, Andrew worked for AWS and for AWS technology partners Ooyala and Adobe.