AWS CLF-CO2 : Security and Compliance

Disclaimer

This blog is part of a 4 part series covering the 2024 AWS (CLF-CO2) study guide. While there is tremendous value in going through this blog even if you are not writing the exam , please be aware that the content is centered around the exam.

As with any exam , the curriculum and the course content will evolve over time , please pay attention to when this blog was written and take into account that the exam and its content may have changed.

AWS Shared Responsibility Model

The AWS Shared Responsibility Model outlines the division of responsibilities between AWS and its customers to ensure the security and compliance of their cloud environments. Understanding this model is crucial for effectively managing and securing your applications and data in AWS.

Components of the AWS Shared Responsibility Model

1. AWS Responsibilities (“Security of the Cloud”):
   • Infrastructure Security: AWS is responsible for protecting the infrastructure that runs all of the services offered in the AWS Cloud. This infrastructure is composed of the hardware, software, networking, and facilities that run AWS Cloud services.
   • Physical Security: AWS manages physical security of data centers.
   • Network Security: AWS secures the network infrastructure, including network devices, firewalls, and encryption for data in transit.
   • Hardware and Software Maintenance: AWS is responsible for maintaining and patching the physical hardware and software that host cloud services.
2. Customer Responsibilities (“Security in the Cloud”):
   • Data Security: Customers are responsible for securing their data, including classifying their assets and using tools provided by AWS to ensure the confidentiality, integrity, and availability of their data.
   • Application Security: Customers must manage the security of their applications, including implementing appropriate security controls.
   • Identity and Access Management (IAM): Customers must manage user access and permissions to AWS resources using IAM policies and best practices.
   • Configuration Management: Customers must configure security settings for the services and applications they use, including applying patches and updates to their operating systems and applications.
   • Network Configuration: Customers are responsible for securing their own network configurations, such as managing VPC security groups and network access control lists (ACLs).
3. Shared Responsibilities:
   • Patching: While AWS manages the patching of the infrastructure, customers are responsible for patching their operating systems, applications, and anything they install on their instances.
   • Configuration of Services: Both AWS and customers share responsibility for the configuration of certain managed services. For example, AWS manages the infrastructure and foundational services, while customers must configure and manage their specific applications and settings within the service.
   • Compliance: Both AWS and customers share the responsibility for meeting compliance requirements. AWS provides compliant infrastructure and services, and customers must ensure their own compliance within the cloud environment, including following industry-specific regulations and standards.

Shifting Responsibilities Depending on the Service Used

The division of responsibilities between AWS and the customer can shift depending on the specific AWS service being used:

1. Amazon EC2 (Infrastructure as a Service – IaaS):
   • AWS: Manages the physical infrastructure, including servers, storage, and networking.
   • Customer: Responsible for the guest operating system, application software, and configuration of the EC2 instance, including security patches and updates.
2. Amazon RDS (Managed Database Service):
   • AWS: Manages the physical infrastructure, operating system, and database software (patching and backups).
   • Customer: Responsible for the data, database schema, and network configurations, such as VPC settings, security groups, and IAM policies.
3. AWS Lambda (Function as a Service – FaaS):
   • AWS: Manages the infrastructure, including server maintenance, patching, and scaling.
   • Customer: Responsible for the code and runtime environment, including ensuring the code is secure and follows best practices.

AWS Compliance and Governance Concepts:

• Benefits of Cloud Security: Cloud-based encryption provides data security for both data in transit (being transferred) and at rest (stored). AWS’s scalable infrastructure ensures high levels of protection for customer data.
• Logging and Monitoring: AWS provides tools for capturing and locating logs related to security, such as AWS CloudTrail for tracking user activity and Amazon CloudWatch for monitoring application performance.
• AWS Compliance Information: AWS Artifact serves as a centralized resource where customers can access compliance reports and documentation to meet their specific regulatory needs.
• Geographic or Industry Compliance Needs: Understanding compliance needs across different regions or industries is crucial, given varied legal requirements and data privacy regulations. AWS provides compliance mapping tools to guide customers in achieving compliance in their area.
• Securing Resources on AWS: AWS offers several tools for securing cloud resources, including:
  • Amazon Inspector: Automated security assessment to identify vulnerabilities.
  • AWS Security Hub: Centralized view of security alerts and compliance status.
  • Amazon GuardDuty: Threat detection and monitoring.
  • AWS Shield: DDoS protection.
• Encryption Options: Encryption is key to securing data in AWS. It includes encryption in transit (e.g., SSL/TLS for secure transmission) and encryption at rest (e.g., AWS Key Management Service for encrypted storage).
• Governance and Compliance Services:
  • Monitoring: Amazon CloudWatch offers monitoring to help maintain service health and performance.
  • Auditing: Services like AWS CloudTrail, AWS Audit Manager, and AWS Config provide auditing and tracking capabilities to ensure compliance.
  • Reporting: Access reports are useful for identifying policy compliance and spotting unauthorized access attempts.

Identity and Access Management (IAM):

• Protecting the Root User Account: The AWS root account has unrestricted access to the account, so it is crucial to secure it. Protect it with strong passwords, enable multi-factor authentication (MFA), and avoid using it for daily operations.
• Principle of Least Privilege: Always apply the principle of least privilege, granting only the necessary permissions to users, groups, and roles required for their tasks.
• AWS IAM Identity Center (AWS Single Sign-On): Simplifies access management by allowing centralized identity and access control across multiple AWS accounts and applications.
• Access Keys, Password Policies, and Credential Storage:
  • Access Keys: Avoid using long-lived access keys for programmatic access; instead, leverage IAM roles.
  • Password Policies: Enforce strong password policies to improve security.
  • Credential Storage: Use services like AWS Secrets Manager or AWS Systems Manager to securely store credentials and avoid hardcoding sensitive information.
• Authentication Methods in AWS:
  • Multi-Factor Authentication (MFA): Adds an extra layer of security to user and root accounts.
  • IAM Identity Center (Single Sign-On): Enables centralized access management.
  • Cross-Account IAM Roles: Securely share resources between AWS accounts.
• Groups, Users, Policies:
  • Groups: Simplify access control by assigning permissions to groups of users.
  • Users: Individually identify each person or application that needs access.
  • Custom Policies and Managed Policies: Use custom policies for specific needs, while managed policies simplify role assignment.
• Tasks Exclusive to Root User:
  • Manage account settings like billing information.
  • Close the AWS account.
  • Restore or delete specific resources like the root access keys.
• Root User Protection:
  • MFA: Use multi-factor authentication to add security.
  • Access Policies: Limit the number of people with access to the root account.
  • Audit Activity: Regularly monitor and log root account activity.
• Types of Identity Management (e.g., Federated):
  • Federated Access: Allows users to access AWS resources using external identity providers (e.g., corporate credentials via SAML or social media logins).
  • Local IAM Users and Roles: AWS-native management for granting access to applications and services

Security Capabilities Provided by AWS:

• Security-Related Documentation: AWS offers comprehensive security-related documentation, including whitepapers, best practice guides, and technical documentation. These help customers understand the security features and configuration of AWS services.
• AWS Security Features and Services:
  • Security Groups and Network ACLs: Virtual firewalls to control inbound and outbound traffic to resources in a Virtual Private Cloud (VPC).
  • AWS Web Application Firewall (WAF): Protects web applications by filtering and blocking common web exploits.
• Third-Party Security Products from AWS Marketplace:
  • AWS Marketplace provides third-party security products that integrate seamlessly with AWS services, helping customers enhance their security posture.
• Sources of AWS Security Information:
  • AWS Knowledge Center: Contains frequently asked questions and troubleshooting tips on security.
  • AWS Security Center: A hub for whitepapers, compliance information, and general security best practices.
  • AWS Security Blog: Offers insights into the latest security features, services, and industry trends.
• Using AWS Services to Identify Security Issues:
  • AWS Trusted Advisor: Provides recommendations on best practices to improve security.
  • AWS Security Hub: Offers a unified dashboard to monitor security alerts across multiple services.
  • Amazon Inspector: An automated security assessment service that helps identify vulnerabilities.
  • AWS Config: Monitors and records configurations and changes for compliance purposes.
  • Amazon GuardDuty: Uses machine learning to detect unauthorized access and suspicious activity.