AWS Security

Overview

AWS has a comprehensive suite of security services and an extensive security white paper.  Most of these services are managed by AWS and you will want to deploy many of them, alongside your own security model (based on your firm's security principles and architecture), which will differ depending on whether you run IaaS, PaaS, or a blend of both.  AWS partners also offer security products that integrate with these services.

Services whose Area includes Governance serve governance as well as security (the original table marked these rows in blue).

Service | Overview | Area
AWS Artifact | No-cost, self-service portal for on-demand access to AWS compliance reports (SOC, PCI, ISO) and agreements | Compliance, Audits, Governance
AWS Certificate Manager | Provisions, manages and deploys public and private SSL/TLS certificates, and renews the public certificates it issues automatically | Network
AWS Cloud Directory | Directory for hierarchical data such as organisational charts, course catalogs and device registries; one directory can span multiple hierarchies (dimensions) | Governance
AWS CloudHSM | Dedicated, single-tenant hardware security modules for key storage where regulation requires keys to stay in customer-controlled HSMs | Access, Keys
AWS CloudTrail | Records every API call made through the Console, CLI and SDKs as an audit history of access to AWS resources; CloudTrail Insights flags unusual API activity | Monitoring
Amazon Cognito | User sign-up, sign-in and federated identity for web and mobile applications; issues tokens and scoped temporary AWS credentials | Access, IAM
AWS Config | Records the configuration of deployed AWS resources, keeps a change history and evaluates the configuration against rules | Compliance, Audits
Amazon Detective | Investigation of potential security issues using graphs built from CloudTrail events, VPC Flow Logs and GuardDuty findings | Incident response
AWS Directory Service | Managed Microsoft Active Directory in the cloud, or AD Connector to an on-premises AD; lets AD users and groups be granted access to AWS resources (SSO, Group Policy, WorkSpaces, etc.) | SSO
AWS Firewall Manager | Centralises management and deployment of AWS WAF rules, Shield Advanced protections and VPC security group rules across the accounts of an organisation | Networks
Amazon GuardDuty | Threat detection that continuously analyses CloudTrail events, VPC Flow Logs and DNS logs for the accounts it is enabled in | Environments
AWS IAM | Identity and Access Management: users, groups, roles and policies, including MFA; must be set up in every account (lock down the root user, MFA for every human user, least-privilege policies) | IAM, Access, Governance
IAM Access Analyzer | Identifies resources (S3 buckets, IAM roles, KMS keys, etc.) that policies share with principals outside the zone of trust (the account or the organisation), supporting least privilege | IAM
Amazon Inspector | Assesses EC2 instances (and, in the current version, container images) for software vulnerabilities and unintended network exposure; findings can be fed into DevOps pipelines | Environments, Configuration
AWS IoT Device Defender | Audits IoT device configurations and monitors device behaviour for anomalies | IoT Access
AWS Key Management Service (KMS) | Creation, storage and management of encryption keys used by other AWS services and by applications | Access, Keys
Amazon Macie | Uses machine learning and pattern matching to discover and classify sensitive data (PII, credentials) in S3 buckets and reports buckets that are public or unencrypted; findings are published to Security Hub and EventBridge (CloudWatch Events) | Data
AWS Organizations | Automates account creation, groups accounts into organisational units (OUs) and applies service control policies (SCPs) to those groups for governance | Environment Governance
AWS Resource Access Manager | Shares resources across accounts, including Transit Gateways, subnets, License Manager configurations and Route 53 Resolver rules | Configurations
AWS Secrets Manager | Stores, rotates and retrieves secrets such as database credentials, API keys and other application secrets, so they are not embedded in code or on EC2 instances | Keys, Access
AWS Security Hub | Aggregates findings from GuardDuty, Inspector, Macie, IAM Access Analyzer, Firewall Manager and partner products, and runs automated checks against security standards, in one central place | Reporting, Monitoring, Governance
AWS Shield | DDoS protection: Shield Standard is always on at no cost; Shield Advanced adds mitigation of larger attacks, cost protection and access to the DDoS Response Team | Network
AWS Single Sign-On (since renamed IAM Identity Center) | SSO for workforce users across accounts and applications; integrates with AD and external identity providers; managed centrally | SSO, Governance
AWS Web Application Firewall (WAF) | Filters malicious web traffic (SQL injection, cross-site scripting, bad bots) in front of CloudFront, Application Load Balancers and API Gateway | Applications
CloudEndure Disaster Recovery (since renamed AWS Elastic Disaster Recovery) | Continuous block-level replication for fast, automated, cost-effective disaster recovery | DR
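The Organizations row above says SCPs are applied to groups of accounts for governance; the most useful first SCP is one that stops a member account from switching off the logging and detection services in the same table. The following is an added example, not from the page or from AWS: the SCP document, plus a small evaluator that shows which API calls it blocks for which caller. The role name OrgSecurityAdmin, the account IDs and the sample calls are hypothetical.

```python
"""Added example (not from the page): a service control policy (SCP) that keeps
the security baseline on in every member account, plus a small evaluator that
shows which API calls it blocks. The role name OrgSecurityAdmin and the sample
account IDs are hypothetical."""
from fnmatch import fnmatchcase

# Hypothetical break-glass role that is still allowed to change the baseline.
EXEMPT_ROLE_PATTERN = "arn:aws:iam::*:role/OrgSecurityAdmin"

# An SCP never grants anything; it only removes permissions. This one denies the
# calls that turn off CloudTrail, GuardDuty, AWS Config and Security Hub unless
# the caller is the exempt role, and denies leaving the organisation to everyone.
BASELINE_SCP = {
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "ProtectSecurityLogging",
            "Effect": "Deny",
            "Action": [
                "cloudtrail:StopLogging",
                "cloudtrail:DeleteTrail",
                "cloudtrail:UpdateTrail",
                "guardduty:DeleteDetector",
                "guardduty:UpdateDetector",
                "guardduty:DisassociateFromMasterAccount",
                "config:StopConfigurationRecorder",
                "config:DeleteConfigurationRecorder",
                "config:DeleteDeliveryChannel",
                "securityhub:DisableSecurityHub",
            ],
            "Resource": "*",
            "Condition": {"ArnNotLike": {"aws:PrincipalArn": EXEMPT_ROLE_PATTERN}},
        },
        {
            "Sid": "DenyLeavingOrganization",
            "Effect": "Deny",
            "Action": "organizations:LeaveOrganization",
            "Resource": "*",
        },
    ],
}


def _as_list(value):
    return value if isinstance(value, list) else [value]


def _condition_holds(condition, principal_arn):
    """Evaluate the subset of condition operators the SCP above uses
    (ArnLike / ArnNotLike on aws:PrincipalArn, with IAM-style * and ? wildcards)."""
    for operator, pairs in condition.items():
        for key, patterns in pairs.items():
            if key.lower() != "aws:principalarn":
                raise ValueError(f"unsupported condition key {key}")
            matched = any(fnmatchcase(principal_arn, p) for p in _as_list(patterns))
            if operator == "ArnLike" and not matched:
                return False
            if operator == "ArnNotLike" and matched:
                return False
    return True


def scp_denies(policy, action, principal_arn):
    """Return the Sid of the Deny statement that blocks `action` for `principal_arn`,
    or None when this SCP does not block it. None means "not blocked by this SCP",
    not "allowed": the account's own IAM policies still have to grant the call."""
    for stmt in policy["Statement"]:
        if stmt["Effect"] != "Deny":
            continue
        patterns = [a.lower() for a in _as_list(stmt["Action"])]  # actions match case-insensitively
        if not any(fnmatchcase(action.lower(), p) for p in patterns):
            continue
        if _condition_holds(stmt.get("Condition", {}), principal_arn):
            return stmt["Sid"]
    return None


if __name__ == "__main__":
    dev = "arn:aws:iam::111122223333:role/Developer"           # constructed sample ARNs
    admin = "arn:aws:iam::111122223333:role/OrgSecurityAdmin"
    checks = [(dev, "cloudtrail:StopLogging"), (admin, "cloudtrail:StopLogging"),
              (admin, "organizations:LeaveOrganization"), (dev, "ec2:RunInstances")]
    for who, call in checks:
        verdict = scp_denies(BASELINE_SCP, call, who) or "not denied by this SCP"
        print(f"{call:36} {who.rsplit('/', 1)[1]:18} -> {verdict}")
```

To deploy the document, `json.dumps(BASELINE_SCP)` is what goes into `aws organizations create-policy --type SERVICE_CONTROL_POLICY --content`, attached to the OU that holds workload accounts rather than to the management account, which SCPs do not affect. The evaluator only models explicit denies from one SCP; it is a check on the policy's intent, not a replacement for the IAM policy simulator.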

Larger firms will need to use most of the services above.  They form part of the overall security model rather than replacing it.  Control frameworks are mapped onto these services: AWS publishes guidance on aligning to the NIST Cybersecurity Framework in the AWS Cloud, and Security Hub checks account configuration against the CIS AWS Foundations Benchmark and the AWS Foundational Security Best Practices standard, stating for each control which service and setting satisfies it. 

AWS keeps an active Security Blog that should be consulted regularly.  One example (AWS Security Blog, July 2020) covers how to secure data in the AWS Cloud to meet compliance and regulatory requirements such as those of the SEC and other financial regulators.  Many of the same measures also reduce cost. 

Overview Diagram of AWS Security Services (diagram not reproduced in this text)

AWS covers much of the IT stack and focuses on automation, alerting and integrated monitoring.  Under the shared responsibility model, clients still need a security model of their own, based on who they are, which tools they use and the deployment types in play (IaaS, PaaS, SaaS).  Backup is part of security: data, AMIs, code, EBS volumes and other disks.  Key data should be backed up within AWS to a second region (the DR/backup region) and also outside AWS, in case of a regional or platform-wide failure.  Backups should be encrypted, kept under a retention policy so they do not become a cost problem, and restored on a schedule to prove they work.
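The second-region backup described above, as an added example that is not from the page or from AWS: the newest completed snapshot of each tagged EBS volume is copied to a DR region and re-encrypted with a KMS key that lives there, and copies older than the retention period are pruned without ever deleting a volume's last copy. The region names, the KMS alias, the Backup tag and the snapshot listings are assumptions or constructed samples; only the function that talks to AWS needs boto3 and credentials.

```python
"""Added example, not from the page: keep a DR copy of every EBS volume in a
second region and prune old copies. Region names, the KMS alias and the Backup
tag are assumptions; the snapshot listings below are constructed samples."""
from datetime import datetime, timedelta, timezone

PRIMARY_REGION = "eu-west-1"          # assumed primary region
DR_REGION = "eu-west-2"               # assumed DR/backup region
DR_KMS_KEY = "alias/dr-backup"        # assumed KMS key that lives in DR_REGION
BACKUP_TAG = "Backup"                 # snapshots tagged Backup=true are in scope


def _source_volume(snap):
    """Volume a snapshot belongs to: the SourceVolume tag on a DR copy (copies get a
    placeholder VolumeId in the destination region), otherwise its VolumeId."""
    for tag in snap.get("Tags", []):
        if tag["Key"] == "SourceVolume":
            return tag["Value"]
    return snap["VolumeId"]


def select_latest_snapshots(snapshots):
    """Newest *completed* snapshot per source volume, keyed by volume. Pending or
    errored snapshots are skipped so a half-written snapshot never becomes the DR copy."""
    latest = {}
    for snap in snapshots:
        if snap["State"] != "completed":
            continue
        vol = _source_volume(snap)
        if vol not in latest or snap["StartTime"] > latest[vol]["StartTime"]:
            latest[vol] = snap
    return latest


def expired_dr_copies(dr_snapshots, now, keep_days=30):
    """IDs of DR copies older than keep_days, never including the newest copy of a
    volume, so every volume always keeps at least one restorable copy."""
    keep = {s["SnapshotId"] for s in select_latest_snapshots(dr_snapshots).values()}
    cutoff = now - timedelta(days=keep_days)
    return sorted(s["SnapshotId"] for s in dr_snapshots
                  if s["State"] == "completed" and s["StartTime"] < cutoff
                  and s["SnapshotId"] not in keep)


def sync_dr_region():
    """Copy the newest snapshot of each volume to DR_REGION (re-encrypted with the
    DR key) and delete expired copies there. Needs boto3 and AWS credentials;
    imported lazily so the selection logic above runs and is testable offline."""
    import boto3

    src = boto3.client("ec2", region_name=PRIMARY_REGION)
    dst = boto3.client("ec2", region_name=DR_REGION)

    def list_snapshots(client, filters):
        pages = client.get_paginator("describe_snapshots").paginate(OwnerIds=["self"], Filters=filters)
        return [s for page in pages for s in page["Snapshots"]]

    in_scope = [{"Name": f"tag:{BACKUP_TAG}", "Values": ["true"]}]
    copied = []
    for vol, snap in select_latest_snapshots(list_snapshots(src, in_scope)).items():
        resp = dst.copy_snapshot(
            SourceRegion=PRIMARY_REGION, SourceSnapshotId=snap["SnapshotId"],
            Description=f"DR copy of {snap['SnapshotId']} ({vol})",
            Encrypted=True, KmsKeyId=DR_KMS_KEY,   # always encrypted with the DR-region key
            TagSpecifications=[{"ResourceType": "snapshot", "Tags": [
                {"Key": "SourceVolume", "Value": vol},
                {"Key": "SourceSnapshot", "Value": snap["SnapshotId"]}]}])
        copied.append(resp["SnapshotId"])
    dr_copies = list_snapshots(dst, [{"Name": "tag-key", "Values": ["SourceVolume"]}])
    for snapshot_id in expired_dr_copies(dr_copies, datetime.now(timezone.utc)):
        dst.delete_snapshot(SnapshotId=snapshot_id)
    return copied


NOW = datetime(2020, 8, 1, tzinfo=timezone.utc)   # fixed "now" for the constructed samples
SAMPLE_PRIMARY = [   # constructed describe_snapshots output for the primary region
    {"SnapshotId": "snap-0a1", "VolumeId": "vol-01", "State": "completed", "StartTime": datetime(2020, 7, 30, 2, tzinfo=timezone.utc)},
    {"SnapshotId": "snap-0a2", "VolumeId": "vol-01", "State": "completed", "StartTime": datetime(2020, 7, 31, 2, tzinfo=timezone.utc)},
    {"SnapshotId": "snap-0a3", "VolumeId": "vol-01", "State": "pending", "StartTime": datetime(2020, 8, 1, 2, tzinfo=timezone.utc)},
    {"SnapshotId": "snap-0b1", "VolumeId": "vol-02", "State": "completed", "StartTime": datetime(2020, 7, 31, 3, tzinfo=timezone.utc)},
]
SAMPLE_DR = [        # constructed DR-region copies; VolumeId is the placeholder AWS gives copies
    {"SnapshotId": "snap-d1", "VolumeId": "vol-ffffffff", "State": "completed", "StartTime": datetime(2020, 6, 1, tzinfo=timezone.utc), "Tags": [{"Key": "SourceVolume", "Value": "vol-01"}]},
    {"SnapshotId": "snap-d2", "VolumeId": "vol-ffffffff", "State": "completed", "StartTime": datetime(2020, 7, 20, tzinfo=timezone.utc), "Tags": [{"Key": "SourceVolume", "Value": "vol-01"}]},
    {"SnapshotId": "snap-d3", "VolumeId": "vol-ffffffff", "State": "completed", "StartTime": datetime(2020, 5, 15, tzinfo=timezone.utc), "Tags": [{"Key": "SourceVolume", "Value": "vol-02"}]},
]

if __name__ == "__main__":
    for vol, snap in select_latest_snapshots(SAMPLE_PRIMARY).items():
        print(f"{vol}: copy {snap['SnapshotId']} to {DR_REGION}")
    print("expired DR copies:", expired_dr_copies(SAMPLE_DR, NOW))   # ['snap-d1']
```

Run as a scheduled job, `sync_dr_region()` is the in-AWS half of the backup rule; the copy outside AWS still has to be produced separately. The role that runs it needs `ec2:DescribeSnapshots`, `ec2:CopySnapshot`, `ec2:CreateTags` and `ec2:DeleteSnapshot`, plus use of the DR KMS key, and nothing more.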