Chapter 2. Security and Access Management

In the previous chapter, we covered a lot of ground. To begin with, we got a better understanding of what cloud computing actually is and how you, as an end user, can benefit from it. Later on in the chapter, you had a brief overview of AWS, its architecture, and its core service offerings, and also learned how to sign up for it.

In this chapter, you are going to learn a bit more about how to secure your AWS infrastructure and services and how to give users access to them. The chapter first talks about security in general and about which parts of the stack AWS secures on your behalf. Later on, we will look at an AWS core service called Identity and Access Management (IAM) and find out how to create, manage, and administer users with it.

Security and clouds

Security is a core requirement for any application, whether it is hosted in an on-premises data center or on a cloud such as AWS. It protects your applications and data from a variety of cyber-attacks, security breaches, accidental or deliberate data deletion, theft, and much more.

Most modern cloud providers offer the same kinds of security controls and compliance coverage as a traditional on-premises data center. The main difference is who does the work: in a traditional data center you have to deal with the complexity and cost of securing the physical hardware and facilities yourself, whereas on the cloud that task is performed by the cloud provider. This not only saves on overhead costs that every organization would otherwise bear, but also reduces the time and effort it takes to monitor and protect all those resources. What it does not remove is your responsibility for everything you run on top of that hardware, which is the subject of the shared responsibility model later in this chapter.

Is AWS really secure

So the obvious question lingering in your mind right now must be: we have signed up for AWS and are about to run our applications and store all our data on it, but is all that really secure? Is it safe to use AWS? The short answer is yes, provided you understand which parts AWS secures for you and which parts remain yours to secure.

Let's take a quick look at some of the different layers of security that AWS uses to safeguard and protect its resources:

  • Physical data center security: The AWS infrastructure, which includes the data centers, the physical hardware, and the networks, is designed and managed according to security best practices and compliance guides. The data centers themselves are housed at undisclosed locations, and entry to them is strictly controlled, managed, logged, and audited on a regular basis.
  • Virtualization and host OS security: AWS regularly patches and updates the hypervisor and the host operating systems it runs on its hardware, and it protects its network edge against attacks such as DDoS. Note that the guest operating system running inside your instances is not covered here; patching and hardening it is your job.
  • Regulatory compliance: The AWS infrastructure is audited and certified against a range of industry and government security and data-protection requirements. Here are a few of the programs AWS is certified against:
    • SOC 1 (formerly SAS 70 Type II), SOC 2, and SOC 3
    • FISMA, DIACAP, and FedRAMP
    • ISO 27001
    • HIPAA

To read the complete list, see the AWS risk and compliance whitepaper at http://aws.amazon.com/security/.

Shared responsibility model

As you must have noticed by now, AWS provides a lot of security and protection for its hardware and virtualization layers by applying patches and updates, performing regular audits, and so on. But what about your applications and data? Who protects those? That is where the AWS shared responsibility model comes in.

According to this model, AWS provides the secure infrastructure, services, and building blocks, while you, as the end user, are responsible for securing everything you put on top of them: the guest operating system (including its patches and updates), your applications, your data, the network and firewall configuration you choose (for example, security groups), and who you grant access to via IAM. Think of it as a joint operation in which you and AWS together ensure that the security objectives are met.

Here is a simple depiction showing the shared responsibility model for AWS's infrastructure services:

Figure: Shared responsibility model

Image Source: AWS security best practices whitepaper.

Remember that this is the basic shared responsibility model, which applies to AWS's core infrastructure services such as EC2 and Amazon VPC. The split moves as you start using more abstracted services such as Amazon S3, Amazon DynamoDB, Amazon SES, and so on. Why? Well, that's simple! The more abstracted a service is, the less of its stack you control, and the more of it AWS secures for you. For example, if you are using SES as a bulk e-mail-sending tool, you don't have to set up the infrastructure, the operating systems, or the platform on which the SES service runs; that is already done for you. What stays with you is the data and access side: how your data is protected at rest and in transit, whether you use encryption and which keys you use, and which users and roles are allowed to call the service in the first place. That part of the responsibility is yours no matter how abstracted the service is.
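To make the customer's side of that split concrete, here is an added example (not code from the original chapter) that checks whether an S3 bucket policy enforces the two controls the paragraph above leaves to you: TLS in transit and server-side encryption at rest. It works entirely offline on policy JSON, using the real IAM condition keys `aws:SecureTransport` and `s3:x-amz-server-side-encryption`. The bucket name, account ID, and role name in the two sample policies are constructed placeholders, not real resources.

```python
"""Audit an S3 bucket policy for the customer-side controls in the shared
responsibility model: deny non-TLS access and deny unencrypted uploads.
Runs offline; it only inspects policy JSON and never calls AWS."""
import json
from fnmatch import fnmatchcase

BUCKET = "example-bucket"  # hypothetical bucket name

# Constructed sample: grants access but enforces neither control.
WEAK_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Sid": "AllowAppRole", "Effect": "Allow",
         "Principal": {"AWS": "arn:aws:iam::123456789012:role/app-role"},  # placeholder
         "Action": ["s3:GetObject", "s3:PutObject"],
         "Resource": f"arn:aws:s3:::{BUCKET}/*"},
    ],
}

# Constructed sample: same grant plus two explicit Deny statements.
HARDENED_POLICY = {
    "Version": "2012-10-17",
    "Statement": WEAK_POLICY["Statement"] + [
        {"Sid": "DenyInsecureTransport", "Effect": "Deny", "Principal": "*",
         "Action": "s3:*",
         "Resource": [f"arn:aws:s3:::{BUCKET}", f"arn:aws:s3:::{BUCKET}/*"],
         "Condition": {"Bool": {"aws:SecureTransport": "false"}}},
        {"Sid": "DenyUnencryptedPut", "Effect": "Deny", "Principal": "*",
         "Action": "s3:PutObject",
         "Resource": f"arn:aws:s3:::{BUCKET}/*",
         "Condition": {"Null": {"s3:x-amz-server-side-encryption": "true"}}},
    ],
}


def _as_list(value):
    """Policy fields may be a scalar or a list; normalise to a list."""
    return value if isinstance(value, list) else [value]


def _principal_is_everyone(stmt):
    """A Deny only counts as a control if it applies to every caller."""
    principal = stmt.get("Principal")
    return principal == "*" or (
        isinstance(principal, dict) and "*" in _as_list(principal.get("AWS", []))
    )


def _action_covered(stmt, action):
    """Match action patterns such as s3:PutObject, s3:Put*, s3:* or *."""
    return any(fnmatchcase(action, pat) for pat in _as_list(stmt.get("Action", [])))


def _deny_with_condition(stmt, action, operator, key, expected):
    """True if stmt is a global Deny on `action` under the given condition."""
    if stmt.get("Effect") != "Deny" or not _principal_is_everyone(stmt):
        return False
    if not _action_covered(stmt, action):
        return False
    value = stmt.get("Condition", {}).get(operator, {}).get(key)
    return value is not None and str(value).lower() == expected


def enforces_tls(policy):
    """Every read and write must be denied when aws:SecureTransport is false."""
    return any(
        _deny_with_condition(s, "s3:GetObject", "Bool", "aws:SecureTransport", "false")
        and _deny_with_condition(s, "s3:PutObject", "Bool", "aws:SecureTransport", "false")
        for s in _as_list(policy.get("Statement", []))
    )


def enforces_sse(policy):
    """PutObject must be denied when no server-side-encryption header is present."""
    return any(
        _deny_with_condition(s, "s3:PutObject", "Null",
                             "s3:x-amz-server-side-encryption", "true")
        for s in _as_list(policy.get("Statement", []))
    )


CONTROLS = {"tls_in_transit": enforces_tls, "sse_at_rest": enforces_sse}


def missing_controls(policy):
    """Names of the customer-side controls the policy does not enforce."""
    return [name for name, check in CONTROLS.items() if not check(policy)]


def audit_policy_json(text):
    """Convenience wrapper for a policy document fetched as a JSON string."""
    return missing_controls(json.loads(text))


if __name__ == "__main__":
    for name, policy in (("weak", WEAK_POLICY), ("hardened", HARDENED_POLICY)):
        print(f"{name}: missing controls = {missing_controls(policy)}")
```

Two caveats on reading the result. The `Null` check only catches uploads that omit the encryption header; enabling default encryption on the bucket itself is the complementary at-rest control and is not visible in the policy. And the checker treats any `Deny` with a narrower principal than `*` as not enforcing the control, because a deny that some callers can bypass is not a control you can rely on.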

AWS provides a few services and products that are specifically designed to help you secure your infrastructure on the cloud, such as IAM, AWS Multi-Factor Authentication (AWS MFA), AWS CloudTrail, and much more. In the next section, we will look into IAM and see how we can leverage it for ourselves.
