Amazon Web Services (AWS) has a wide security landscape (network, storage, auditing, reacting, application level, etc.). The Identity and Access Management (IAM) part is the most useful one for developers and can be simplified to three parts: who (Principal) can do what (Action) and where (Resource).
IAM is a good example of a security implementation for a large-scale system. Compared with a simple PHP website it differs in:
1. Decision per deployment unit: Monolithic vs Distributed.
* E.g. the Symfony framework makes the security decision during the request, so keeping security data per session (e.g. a CSRF token) is easy.
* E.g. AWS CloudFormation uses signed HTTP headers and makes decisions asynchronously per resource/service, so latency optimizations are easy.
2. Ensuring requirements: Traditional vs Cloud-native.
E.g. GDPR requires personal data to be protected, which results in a storage encryption requirement.
* For a small system/team this can be enforced via code reviews (the traditional approach).
* For complex systems, cloud-native ideas (design for computer automation, because humans scale slower) fit better, e.g. an AWS Organizations policy that restricts the creation of unencrypted S3 buckets.
3. Grouping permissions: Hierarchical vs graph-based.
* Permission grouping usually mirrors the (human) organizational hierarchy.
* Despite its hierarchy (organization, account, group, user, role, policy), AWS also has graph-based permission grouping: "assume-role". This is similar to GitHub permissions: a long-lived login for simple read access, an additional password check for adding a collaborator. The "assume-role" pattern can increase visibility (auditing), because permissions can be grouped per specific resource/time/path.
The presentation ends with links to a reproducible demonstration.
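To make the three parts (Principal, Action, Resource), the organization-level "no unencrypted S3" rule from point 2 and the assume-role graph from point 3 concrete, here is an added Python model of IAM evaluation. It is example code written for this page, not code from the presentation or from AWS. It assumes a simplified evaluation order (an explicit Deny wins; otherwise both the organization policy and the identity or role policy must Allow; otherwise the request is implicitly denied), a hypothetical account 111122223333 with a "dev" user and a "DeployRole", and constructed policy documents. The condition key s3:x-amz-server-side-encryption is a real S3 request key; the organization policy here denies unencrypted object uploads, the widely used variant of the rule the presentation states at bucket level.

```python
"""Toy IAM evaluator: who (Principal) can do what (Action) where (Resource).
Added example, not code from the presentation. Explicit Deny wins; otherwise both the
organization policy (SCP) and the identity/role policy must Allow; otherwise implicit deny.
Policies, ARNs and the account id are constructed; s3:x-amz-server-side-encryption is real.
"""
from fnmatch import fnmatchcase

def _as_list(value):
    return value if isinstance(value, list) else [value]

def _matches(patterns, value):
    # IAM-style "*" / "?" wildcards in Action, Resource and Principal fields.
    return any(fnmatchcase(value, p) for p in _as_list(patterns))

def _condition_holds(condition, context):
    """Evaluate a Condition block against the request context (small operator subset)."""
    for operator, pairs in condition.items():
        for key, expected in pairs.items():
            actual = context.get(key)
            if operator == "StringEquals":
                ok = actual is not None and actual in _as_list(expected)
            elif operator == "StringNotEquals":
                ok = actual is None or actual not in _as_list(expected)  # absent key => true
            elif operator == "Null":
                ok = (actual is None) == (str(expected).lower() == "true")  # "true" => key missing
            else:
                raise ValueError(f"unsupported condition operator: {operator}")
            if not ok:
                return False
    return True

def _decision(policy, action, resource, context):
    """'Deny', 'Allow' or None (nothing matched) for one policy document."""
    result = None
    for stmt in policy["Statement"]:
        if (_matches(stmt["Action"], action) and _matches(stmt.get("Resource", "*"), resource)
                and _condition_holds(stmt.get("Condition", {}), context)):
            if stmt["Effect"] == "Deny":
                return "Deny"  # an explicit deny always wins
            result = "Allow"
    return result

def is_allowed(scp, principal_policy, action, resource, context=None):
    """An SCP only bounds permissions: the SCP and the principal's policy must both allow."""
    context = context or {}
    decisions = (_decision(scp, action, resource, context),
                 _decision(principal_policy, action, resource, context))
    return "Deny" not in decisions and all(d == "Allow" for d in decisions)

def can_assume(trust_policy, principal_arn):
    """Trust-policy edge of the permission graph: who may call sts:AssumeRole on the role."""
    return any(stmt["Effect"] == "Allow" and _matches(stmt["Action"], "sts:AssumeRole")
               and _matches(stmt["Principal"]["AWS"], principal_arn)
               for stmt in trust_policy["Statement"])

# ---- constructed sample policies (hypothetical account, user and role) ----
ACCOUNT = "111122223333"
ENC_KEY = "s3:x-amz-server-side-encryption"
DEVELOPER = f"arn:aws:iam::{ACCOUNT}:user/dev"
DEPLOY_ROLE = f"arn:aws:iam::{ACCOUNT}:role/DeployRole"

# Organization policy: everything allowed, except object uploads without server-side encryption.
ORG_SCP = {"Statement": [
    {"Effect": "Allow", "Action": "*", "Resource": "*"},
    {"Effect": "Deny", "Action": "s3:PutObject", "Resource": "*",
     "Condition": {"Null": {ENC_KEY: "true"}}},
    {"Effect": "Deny", "Action": "s3:PutObject", "Resource": "*",
     "Condition": {"StringNotEquals": {ENC_KEY: ["AES256", "aws:kms"]}}},
]}
# Long-lived identity: day-to-day object access plus the right to assume the deploy role.
DEVELOPER_POLICY = {"Statement": [
    {"Effect": "Allow", "Action": ["s3:GetObject", "s3:PutObject"],
     "Resource": "arn:aws:s3:::app-assets/*"},
    {"Effect": "Allow", "Action": "sts:AssumeRole", "Resource": DEPLOY_ROLE},
]}
# The role groups a dangerous permission by resource prefix and by who may assume it.
DEPLOY_ROLE_TRUST = {"Statement": [
    {"Effect": "Allow", "Principal": {"AWS": DEVELOPER}, "Action": "sts:AssumeRole"}]}
DEPLOY_ROLE_POLICY = {"Statement": [
    {"Effect": "Allow", "Action": "s3:DeleteBucket", "Resource": "arn:aws:s3:::app-*"}]}

def developer_request(action, resource, context=None):
    """Direct call with the developer's own long-lived credentials."""
    return is_allowed(ORG_SCP, DEVELOPER_POLICY, action, resource, context)

def deploy_via_role(action, resource, context=None):
    """Graph step: assume DeployRole (a separate, auditable sts:AssumeRole event),
    then act with the role's narrower permissions, still bounded by the SCP."""
    if not (can_assume(DEPLOY_ROLE_TRUST, DEVELOPER)
            and developer_request("sts:AssumeRole", DEPLOY_ROLE)):
        return False
    return is_allowed(ORG_SCP, DEPLOY_ROLE_POLICY, action, resource, context)
```

Two things worth noticing when running it: the developer cannot delete any bucket directly, but can after the explicit assume-role step, and only for buckets under the "app-" prefix; and the organization policy denies an unencrypted upload regardless of whether the developer's own credentials or the assumed role are used, which is the "enforce by automation, not by code review" point of the presentation. Real IAM evaluation has more stages (permission boundaries, resource policies, session policies) than this model.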
____________________
Video recording: https://youtu.be/6TJOhkl5_ZA (Lithuanian language)
Event: https://www.facebook.com/events/1372904749549057/
Slide outline:
* What is AWS
* Cloud vs Hosting
* Core security tools
* Introduction
* By comparison
* By example
* Monolithic vs distributed
* Traditional vs cloud-native
* Hierarchical vs graph-based
* Upload from frontend
* Automation without root
References and further reading
* AWS best practices: https://aws.amazon.com/architecture/well-architected/
* Summaries as illustrations: https://www.awsgeek.com/
* Community-managed resources: https://github.com/open-guides/og-aws#security-and-iam
* Thinking about the Cloud from the application perspective: http://shop.oreilly.com/product/0636920072768.do
* Thinking about the Cloud from the infrastructure tools perspective: http://shop.oreilly.com/product/0636920075837.do