AWS Security
AWS has a comprehensive suite of Security Services and an extensive White Paper. You will want to deploy many of these services (they are managed by AWS); along with (depending if you are using an IaaS, PaaS, or blend of both) your own security models (based on your own firm’s Security Principles and Architecture). AWS has partners who have built Security offerings.
Service |
Overview |
Area |
Compliance, No cost, self-service portal for on-demand access to AWS’ compliance reports |
Compliance, Audits, Governance |
|
Provision, manage, and deploy public and private SSL/TLS certificates |
Network |
|
Organizational charts, course catalogs, and device registries, flexibility to create directories with hierarchies that span multiple dimensions |
Governance |
|
Hardware based key storage for regulatory compliance |
Access, Keys |
|
Monitors, provides history of access to all AWS resources including SDKs, CLI, Console can detect unusual activity |
Monitoring |
|
Identity management of all apps, often used with mobile application access |
Access, IAM |
|
Assesses, audits, evaluates the configuration of the deployed AWS resources |
Compliance, Audits |
|
Incident response, Investigate potential security issues |
Incident reporting |
|
Integrates with AD, can be integrated on premise or used just in the cloud, allows AD permission-based access to resources (SSO, GPO, Workspaces etc) |
SSO |
|
Centralises the management and deployment of firewall configurations across the AWS accounts |
Networks |
|
Monitors the accounts and environments, integrates with CloudTrail and VPC Flows |
Environments |
|
Identity and Access Management, SSO for users, roles and groups including MFA, mandatory to set up and use |
IAM, Access, Governance |
|
Based on least privilege provides an overview of resource usage by user and access based on existing policies (eg root vs OU) |
IAM |
|
Checks configuration, security, compliance of existing applications deployed on AWS, can be integrated into DevOps |
Environments, Configuration |
|
Security management for IoT devices |
IoT Access |
|
Key storage and management |
Access, Keys |
|
Uses Machine Learning to understand patterns of usage, access and threats to sensitive data eg S3 buckets, integrates with CloudWatch |
Data |
|
Automate account creation, create groups of accounts, apply policies to these groups for governance |
Environmental Governance |
|
Allows sharing of resources across accounts including AWS Transit Gateways, Subnets, AWS License Manager configurations, and Amazon Route 53 Resolver rules resources |
Configurations |
|
Rotate, manage, and retrieve key secrets (access to EC2, environments) |
Keys, Access |
|
Scans and consolidates security settings, issues, findings across all assets and security services in a centralised location |
Reporting, Monitoring, Governance |
|
Infrastructure protection, DDoS protection |
Network |
|
SSO for end users, integrates with AD, access across accounts or applications for users, managed centrally |
SSO, Governance |
|
Filters malicious web traffic |
Applications |
|
Fast, automated, cost- effective disaster recovery |
DR |
For larger firms many of the above services will need to be used. They form part of the overall security model. NIST and CSBP (cloud security best practices) are mapped to these AWS services.
AWS keeps an active Security Blog and should be consulted regularly. An example is from the AWS Security Blog (July 2020); on how to secure data in the AWS Cloud, to meet various compliance and regulatory statutes (SEC and Financial authorities for instance). Many of these ideas are also linked to cost reduction.
Overview Diagram of AWS Security Services
AWS covers a lot of the IT Stack and is focused on providing automation, alerts, integrated monitoring. Clients will still need to develop a Security Model based on who they are; what tools they are using and the types of deployments (IaaS, PaaS, SaaS). Data backup, AMI backup, Code backup, EBS and disk backup are also part of Security. Key data and data types should be backed up within AWS to a 2nd region (the DR-Backup Region) and outside of AWS (in case AWS suffers a fabric failure).