AWS and customers share security responsibility, with AWS securing infrastructure and customers securing applications and data. AWS provides security services like WAF for blocking attacks and Shield for DDoS protection. Trusted Advisor provides account security advice while Inspector checks EC2 instance configurations for vulnerabilities.
2. AWS Cloud Security
▪ Cloud security at AWS is the highest priority. As an AWS customer,
you will benefit from a data center and network architecture built
to meet the requirements of the most security-sensitive
organizations.
▪ An advantage of the AWS cloud is that it allows customers to scale
and innovate, while maintaining a secure environment. Customers
pay only for the services they use, meaning that you can have the
security you need, but without the upfront expenses, and at a
lower cost than in an on-premises environment.
3. AWS Compliance & Security
▪ Security and Compliance is a shared responsibility between AWS and the
customer.
▪ This shared model can help relieve the customer's operational burden, as AWS
operates, manages and controls the components from the host operating
system and virtualization layer down to the physical security of the facilities in
which the service operates.
▪ The customer assumes responsibility and management of the guest operating
system (including updates and security patches), other associated application
software as well as the configuration of the AWS provided security group
firewall.
▪ Customers should carefully consider the services they choose as their
responsibilities vary depending on the services used, the integration of those
services into their IT environment, and applicable laws and regulations.
▪ The nature of this shared responsibility also provides the flexibility and
customer control that permits the deployment. As shown in the chart below,
this differentiation of responsibility is commonly referred to as Security “of” the
Cloud versus Security “in” the Cloud.
4. AWS Compliance & Security
▪ AWS responsibility “Security of the Cloud” - AWS is responsible
for protecting the infrastructure that runs all of the services
offered in the AWS Cloud. This infrastructure is composed of the
hardware, software, networking, and facilities that run AWS Cloud
services.
▪ Customer responsibility “Security in the Cloud” – Customer
responsibility will be determined by the AWS Cloud services that a
customer selects. This determines the amount of configuration
work the customer must perform as part of their security
responsibilities. For example, services such as Amazon Elastic
Compute Cloud (Amazon EC2), Amazon Virtual Private Cloud
(Amazon VPC), and Amazon S3 are categorized as Infrastructure as
a Service (IaaS) and, as such, require the customer to perform all of
the necessary security configuration and management tasks.
7. AWS Compliance & Security
▪ Inherited Controls – Controls which a customer fully inherits from AWS.
– Physical and Environmental controls
▪ Shared Controls – Controls which apply to both the infrastructure layer and customer layers, but in
completely separate contexts or perspectives. In a shared control, AWS provides the requirements
for the infrastructure and the customer must provide their own control implementation within their
use of AWS services. Examples include:
– Patch Management – AWS is responsible for patching and fixing flaws within the infrastructure,
but customers are responsible for patching their guest OS and applications.
– Configuration Management – AWS maintains the configuration of its infrastructure devices, but
a customer is responsible for configuring their own guest operating systems, databases, and
applications.
– Awareness & Training - AWS trains AWS employees, but a customer must train their own
employees.
▪ Customer Specific – Controls which are solely the responsibility of the customer based on the
application they are deploying within AWS services. Examples include:
– Service and Communications Protection or Zone Security which may require a customer to
route or zone data within specific security environments.
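The customer-side half of the shared controls above (the security group firewall on slide 3, and Configuration Management here) is a rule set the customer has to review. The following script is an added example written for this page, not AWS tooling: it audits security-group ingress rules for administrative ports exposed to the whole internet. SAMPLE_GROUPS, the group ids and the SENSITIVE_PORTS policy are constructed for the example in the shape of `aws ec2 describe-security-groups` output and describe no real account.

```python
"""Audit security-group ingress rules for world-open access to admin ports.

In the shared-responsibility model AWS operates the security-group firewall
but the customer owns its rule set. This is an added example, not AWS
tooling; SAMPLE_GROUPS is constructed in the shape of
`aws ec2 describe-security-groups` output and describes no real account.
"""
import ipaddress

# Hypothetical policy for this example: ports that must never be world-reachable.
SENSITIVE_PORTS = {22: "SSH", 3389: "RDP", 3306: "MySQL", 5432: "PostgreSQL"}

SAMPLE_GROUPS = [
    {
        "GroupId": "sg-0aaa111",        # constructed id
        "GroupName": "web-tier",
        "IpPermissions": [
            # Public HTTPS: world-open, but not a sensitive port, so not flagged
            {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443,
             "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": []},
            # SSH open to the internet: flagged
            {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
             "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": []},
        ],
    },
    {
        "GroupId": "sg-0bbb222",        # constructed id
        "GroupName": "db-tier",
        "IpPermissions": [
            # MySQL restricted to the VPC range: fine
            {"IpProtocol": "tcp", "FromPort": 3306, "ToPort": 3306,
             "IpRanges": [{"CidrIp": "10.0.0.0/16"}], "Ipv6Ranges": []},
            # IpProtocol "-1" means every protocol and port; FromPort/ToPort are absent
            {"IpProtocol": "-1",
             "IpRanges": [], "Ipv6Ranges": [{"CidrIpv6": "::/0"}]},
        ],
    },
]


def _world_open(rule):
    """True if any source range of the rule is 0.0.0.0/0 or ::/0."""
    cidrs = [r["CidrIp"] for r in rule.get("IpRanges", [])]
    cidrs += [r["CidrIpv6"] for r in rule.get("Ipv6Ranges", [])]
    return any(ipaddress.ip_network(c).prefixlen == 0 for c in cidrs)


def _port_range(rule):
    """Port range covered by the rule, or None when it covers all ports."""
    if rule["IpProtocol"] == "-1":
        return None
    return range(rule["FromPort"], rule["ToPort"] + 1)


def audit_security_groups(groups):
    """Return (group_id, port, message) findings for world-open sensitive ports."""
    findings = []
    for group in groups:
        for rule in group["IpPermissions"]:
            if not _world_open(rule):
                continue
            ports = _port_range(rule)
            if ports is None:
                findings.append((group["GroupId"], "ALL",
                                 "all protocols and ports open to the internet"))
                continue
            for port, service in SENSITIVE_PORTS.items():
                if port in ports:
                    findings.append((group["GroupId"], port,
                                     f"{service} open to the internet"))
    return findings


if __name__ == "__main__":
    for group_id, port, msg in audit_security_groups(SAMPLE_GROUPS):
        print(f"{group_id}: port {port}: {msg}")
```

Against the constructed data this reports the SSH rule in sg-0aaa111 and the all-traffic rule in sg-0bbb222, while leaving the public HTTPS rule alone. To run it on a real account, pass the `SecurityGroups` list returned by boto3's `ec2.describe_security_groups()` in place of SAMPLE_GROUPS; the record shape is the same.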
8. AWS WAF
▪ AWS WAF is a web application firewall that lets you monitor the
HTTP and HTTPS requests that are forwarded to Amazon
CloudFront or an Application Load Balancer.
▪ AWS WAF also lets you control access to your content.
▪ Based on conditions that you specify, such as the IP addresses
that requests originate from or the values of query strings,
CloudFront or an Application Load Balancer responds to requests
either with the requested content or with an HTTP 403 status
code (Forbidden).
▪ You also can configure CloudFront to return a custom error page
when a request is blocked.
9. AWS WAF Working
▪ You use AWS WAF to control how Amazon CloudFront or an Application
Load Balancer responds to web requests. You start by creating
conditions, rules, and web access control lists (web ACLs). You define
your conditions, combine your conditions into rules, and combine the
rules into a web ACL.
– Conditions
▪ Conditions define the basic characteristics that you want AWS WAF to watch for in web
requests.
– Rules
▪ You combine conditions into rules to precisely target the requests that you want to
allow, block, or count. AWS WAF provides two types of rules.
– Web ACLs
▪ After you combine your conditions into rules, you combine the rules into a web ACL.
This is where you define an action for each rule—allow, block, or count—and a default
action.
– A default action
▪ The default action determines whether AWS WAF allows or blocks a request that
doesn't match all the conditions in any of the rules in the web ACL.
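To make the conditions → rules → web ACL → default action flow concrete, here is an added teaching model (not AWS code) that evaluates constructed requests the way the slide describes: every condition of a rule must match, allow and block stop evaluation at the first matching rule, count records the match and keeps going, and the default action covers anything no rule matched. The request data, the 203.0.113.0/24 range and the rule names are constructed for the example.

```python
"""Model of the AWS WAF evaluation flow: conditions -> rules -> web ACL -> default.

Added teaching model, not AWS code. Request data, IP ranges and rule names
are constructed for the example (TEST-NET addresses, no real clients).
"""
from dataclasses import dataclass, field
import ipaddress


@dataclass
class Request:
    source_ip: str
    path: str
    query: str  # raw query string, e.g. "page=1"


# --- Conditions: predicates over a request (the "basic characteristics") ---
def ip_in(cidrs):
    """Condition: the request originates from one of the given CIDR ranges."""
    nets = [ipaddress.ip_network(c) for c in cidrs]
    return lambda req: any(ipaddress.ip_address(req.source_ip) in n for n in nets)


def query_contains(needle):
    """Condition: the query string contains the given text (case-insensitive)."""
    return lambda req: needle.lower() in req.query.lower()


# --- Rules: all conditions of a rule must match; each rule carries an action ---
@dataclass
class Rule:
    name: str
    conditions: list
    action: str  # "ALLOW", "BLOCK" or "COUNT"

    def matches(self, req):
        return all(cond(req) for cond in self.conditions)


# --- Web ACL: ordered rules plus a default action ---
@dataclass
class WebACL:
    rules: list
    default_action: str
    counted: list = field(default_factory=list)  # names of COUNT rules that fired

    def evaluate(self, req):
        """Return (action, rule_name) for a request.

        ALLOW and BLOCK terminate evaluation at the first matching rule;
        COUNT records the match and lets evaluation continue, which is what
        makes it useful for trying a rule before enforcing it.
        """
        for rule in self.rules:
            if rule.matches(req):
                if rule.action == "COUNT":
                    self.counted.append(rule.name)
                    continue
                return rule.action, rule.name
        return self.default_action, "default"


def http_status(action):
    """CloudFront / ALB serve the content on ALLOW and return 403 Forbidden on BLOCK."""
    return 200 if action == "ALLOW" else 403


def build_sample_acl(default_action="ALLOW"):
    """Constructed web ACL: one monitoring-only rule, one enforcing rule."""
    return WebACL(
        rules=[
            Rule("count-debug-param", [query_contains("debug=")], "COUNT"),
            Rule("block-bad-ips", [ip_in(["203.0.113.0/24"])], "BLOCK"),
        ],
        default_action=default_action,
    )


# Constructed sample traffic
SAMPLE_REQUESTS = [
    Request("198.51.100.7", "/index.html", "page=1"),   # matches nothing
    Request("203.0.113.5", "/index.html", "page=1"),    # blocked range
    Request("203.0.113.9", "/admin", "debug=1"),        # counted, then blocked
]


def evaluate_sample(default_action="ALLOW"):
    """Run the sample traffic through the ACL; returns ([(ip, action, rule, status)], counted)."""
    acl = build_sample_acl(default_action)
    results = []
    for req in SAMPLE_REQUESTS:
        action, rule = acl.evaluate(req)
        results.append((req.source_ip, action, rule, http_status(action)))
    return results, acl.counted


if __name__ == "__main__":
    results, counted = evaluate_sample()
    for row in results:
        print(row)
    print("COUNT rules fired:", counted)
```

Running it with the default action set to ALLOW lets the first request through on the default, blocks the second on the IP rule, and shows the third being counted by the debug-parameter rule and then blocked by the IP rule; switching the default action to BLOCK turns the ACL into an allow-list, where the first request is refused with 403 because no rule matched it.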
10. AWS Shield
▪ AWS provides AWS Shield Standard and AWS Shield Advanced for
protection against DDoS attacks.
▪ AWS Shield Standard is automatically included at no extra cost
beyond what you already pay for AWS WAF and your other AWS
services.
▪ For added protection against DDoS attacks, AWS offers AWS
Shield Advanced.
▪ AWS Shield Advanced provides expanded DDoS attack protection
for your Amazon EC2 instances, Elastic Load Balancing load
balancers, CloudFront distributions, and Route 53 hosted zones.
11. AWS Shield Working
▪ A distributed denial of service (DDoS) attack is an attack in which
multiple compromised systems attempt to flood a target, such as
a network or web application, with traffic. A DDoS attack can
prevent legitimate users from accessing a service and can cause
the system to crash due to the overwhelming traffic volume.
▪ AWS provides two levels of protection against DDoS attacks: AWS
Shield Standard and AWS Shield Advanced.
– AWS Shield Standard
– AWS Shield Advanced
12. AWS Shield Working
▪ AWS Shield Standard
– All AWS customers benefit from the automatic protections of AWS Shield
Standard, at no additional charge.
– AWS Shield Standard defends against most common, frequently occurring
network and transport layer DDoS attacks that target your web site or
applications.
– While AWS Shield Standard helps protect all AWS customers, you get
particular benefit if you are using Amazon CloudFront and Amazon Route 53.
– These services receive comprehensive availability protection against all
known infrastructure (Layer 3 and 4) attacks.
13. AWS Shield Working
▪ AWS Shield Advanced
– For higher levels of protection against attacks targeting your web
applications running on Amazon EC2, Elastic Load Balancing (ELB),
CloudFront, and Route 53 resources, you can subscribe to AWS Shield
Advanced.
– AWS Shield Advanced provides expanded DDoS attack protection for these
resources.
14. AWS Trusted Advisor
▪ Trusted Advisor provides advice about your AWS Account in the
areas of:
– Cost Optimization
– Fault Tolerance
– Performance
– Service Limits
– Security
It highlights potential problems with the way you use AWS.
15. AWS Inspector
▪ Amazon Inspector checks the configuration of EC2 instances. An
agent runs on EC2 instances and checks operating system
patches, known vulnerabilities, and common issues.
16. AWS Inspector vs Trusted Advisor
▪ Trusted Advisor applies to the AWS account and AWS services
▪ Amazon Inspector applies to the content of multiple EC2
instances