AWS: Security in the Cloud

Johnson Kow
3 min read · Oct 26, 2020

Welcome back to another segment of AWS learning for the Cloud Practitioner course. This will be the last segment of my AWS series and I’m glad that you’ve stuck around for the journey! This week’s blog is about security in the cloud and who is responsible for what between AWS and the customer.

Security

AWS follows a shared responsibility model and it goes as follows:

AWS manages security OF the cloud. Security IN the cloud is the responsibility of the customer.

AWS is responsible for protecting the infrastructure that runs all of the services offered by AWS: the hardware, software, networking, and facilities that run AWS services.

The customer’s responsibility depends on which AWS services the customer uses, because that determines what the customer has to configure as part of their security responsibility: IAM users and policies, security group rules, patching the guest OS on EC2 instances, bucket policies, and so on. Encryption is shared: AWS provides the mechanisms (KMS, server-side encryption on S3 and EBS), but the customer decides what gets encrypted and turns it on.

Shared Responsibility Model from AWS

An exam tip I received during my curriculum is if you can do it in the AWS console, it’s most likely your responsibility. If you cannot do it through the console, AWS is likely responsible.

AWS WAF & AWS Shield

AWS WAF is a web application firewall that helps protect your web applications from common web exploits that could affect availability, compromise security, or consume excessive resources. It works at the HTTP layer: you write rules (or use AWS managed rule groups) that match on request attributes such as source IP, headers, URI, query string, or body, and attach the resulting web ACL to a CloudFront distribution, Application Load Balancer, or API Gateway. In exam terms, “protects against hackers” means blocking exploit attempts such as SQL injection and cross-site scripting and rate-limiting abusive clients.

AWS Shield is a managed Distributed Denial of Service (DDoS) protection service that safeguards applications running on AWS. A DDoS attack is one where an attacker floods you with so much traffic that your web services come to a halt. Shield Standard is enabled automatically at no extra charge and covers the common network- and transport-layer floods; Shield Advanced is a paid tier that adds protection against larger attacks, WAF integration for application-layer mitigation, and cost protection against the scaling charges an attack would otherwise cause.
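To make the WAF description concrete, here is a small Python model of how a web ACL evaluates a request. This is an added example, not AWS code and not from the original post: rules are checked in priority order and the first match decides the action, two string-match rules look for SQL injection and XSS after URL-decoding (the equivalent of WAF’s URL_DECODE text transformation), and a rate-based rule blocks a source IP once it exceeds a count within a 5-minute window. The signatures, rule names, and request lines are constructed for the example and are far simpler than AWS managed rule groups.

```python
"""Toy model of how an AWS WAF web ACL evaluates a request (added example, not AWS code)."""
import re
from collections import defaultdict, deque
from dataclasses import dataclass
from typing import Callable, Deque, Dict, List, Tuple
from urllib.parse import unquote

WINDOW_SECONDS = 300  # WAF rate-based rules count requests over a 5-minute window

# Deliberately tiny signatures (constructed for the example); real rule groups
# carry many more and also inspect headers, cookies and bodies.
SQLI = re.compile(r"(?i)(\bunion\b.*\bselect\b|'\s*or\s*'?\d+'?\s*=\s*'?\d+|;\s*drop\s+table)")
XSS = re.compile(r"(?i)(<script\b|javascript:|\bon(?:error|load)\s*=)")


@dataclass
class Request:
    ts: int        # unix seconds
    src_ip: str
    path: str      # request path including the query string
    body: str = ""


@dataclass
class Rule:
    name: str
    priority: int
    action: str                       # "BLOCK" or "ALLOW"
    matches: Callable[[Request], bool]


def _decoded(req: Request) -> str:
    """Text transformation step: URL-decode before matching, so %27 is seen as a quote."""
    return unquote(req.path) + "\n" + unquote(req.body)


class RateLimiter:
    """Per-IP request counter over a sliding window (the rate-based rule statement).

    Simplification: counting happens inline here, whereas WAF refreshes its
    counts on a roughly 30-second cycle and counts requests that earlier rules
    already blocked.
    """

    def __init__(self, limit: int, window: int = WINDOW_SECONDS):
        self.limit = limit
        self.window = window
        self._hits: Dict[str, Deque[int]] = defaultdict(deque)

    def over_limit(self, req: Request) -> bool:
        hits = self._hits[req.src_ip]
        hits.append(req.ts)
        while hits and req.ts - hits[0] >= self.window:   # drop hits outside the window
            hits.popleft()
        return len(hits) > self.limit


def build_web_acl(rate_limit: int) -> List[Rule]:
    """Assemble the rules of one web ACL, sorted by priority (lowest number first)."""
    limiter = RateLimiter(rate_limit)
    rules = [
        Rule("block-sqli", 10, "BLOCK", lambda r: SQLI.search(_decoded(r)) is not None),
        Rule("block-xss", 20, "BLOCK", lambda r: XSS.search(_decoded(r)) is not None),
        Rule("rate-limit", 30, "BLOCK", limiter.over_limit),
    ]
    return sorted(rules, key=lambda r: r.priority)


def evaluate(web_acl: List[Rule], req: Request, default_action: str = "ALLOW") -> Tuple[str, str]:
    """Return (action, rule name) from the first matching rule, else (default, 'default')."""
    for rule in web_acl:
        if rule.matches(req):
            return rule.action, rule.name
    return default_action, "default"


if __name__ == "__main__":
    acl = build_web_acl(rate_limit=100)
    for req in [
        Request(0, "198.51.100.7", "/products?id=42"),
        Request(1, "203.0.113.9", "/login?user=admin'%20or%20'1'='1"),
        Request(2, "203.0.113.9", "/search?q=%3Cscript%3Ealert(1)%3C/script%3E"),
    ]:
        print(req.src_ip, req.path, "->", evaluate(acl, req))
```

The default action of ALLOW with explicit BLOCK rules is the usual shape for a public site; an internal API would more often default to BLOCK and allow-list the callers it expects.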

Amazon Inspector v. AWS Trusted Advisor v. CloudTrail

Amazon Inspector is an automated security assessment service that helps improve the security and compliance of applications deployed on AWS. It runs assessments against EC2 instances, checking for known vulnerabilities in installed software and for deviations from security best practices, and produces a findings report ordered by severity.

Trusted Advisor is an online resource that helps you reduce cost, increase performance, and improve security by checking your AWS environment against AWS best practices. The security checks cover things like security groups with unrestricted access, IAM use, MFA on the root account, and public S3 buckets.

AWS CloudTrail increases visibility into user and resource activity by recording AWS Management Console actions and API calls: who made the call, from which IP address, when, and with what parameters. The records are delivered as JSON files to an S3 bucket (and optionally to CloudWatch Logs), which is what makes CloudTrail the starting point for auditing, incident investigation, and compliance evidence.
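What you actually do with CloudTrail is run detection logic over its records. The following Python is an added example, not AWS code and not from the original post; the records are constructed to look like real CloudTrail events (the `{"Records": [...]}` layout is how CloudTrail delivers log files to S3) and the three rules are ones a security operations team commonly wires up: any use of the root account, console sign-ins without MFA, and API calls that tamper with the trail itself.

```python
"""Detection rules over CloudTrail records (added example, not AWS code)."""
import json
from typing import Dict, List

# Constructed sample log file: an IAM user signs in with MFA and lists buckets;
# the root account signs in without MFA and then stops the trail.
SAMPLE_CLOUDTRAIL = json.dumps({"Records": [
    {"eventTime": "2020-10-26T14:02:11Z", "eventSource": "signin.amazonaws.com",
     "eventName": "ConsoleLogin", "awsRegion": "us-east-1", "sourceIPAddress": "198.51.100.7",
     "userIdentity": {"type": "IAMUser", "userName": "alice", "accountId": "123456789012"},
     "additionalEventData": {"MFAUsed": "Yes"},
     "responseElements": {"ConsoleLogin": "Success"}},
    {"eventTime": "2020-10-26T14:05:40Z", "eventSource": "signin.amazonaws.com",
     "eventName": "ConsoleLogin", "awsRegion": "us-east-1", "sourceIPAddress": "203.0.113.44",
     "userIdentity": {"type": "Root", "accountId": "123456789012",
                      "arn": "arn:aws:iam::123456789012:root"},
     "additionalEventData": {"MFAUsed": "No"},
     "responseElements": {"ConsoleLogin": "Success"}},
    {"eventTime": "2020-10-26T14:07:02Z", "eventSource": "cloudtrail.amazonaws.com",
     "eventName": "StopLogging", "awsRegion": "us-east-1", "sourceIPAddress": "203.0.113.44",
     "userIdentity": {"type": "Root", "accountId": "123456789012",
                      "arn": "arn:aws:iam::123456789012:root"},
     "requestParameters": {"name": "management-events"}},
    {"eventTime": "2020-10-26T14:09:30Z", "eventSource": "s3.amazonaws.com",
     "eventName": "ListBuckets", "awsRegion": "us-east-1", "sourceIPAddress": "198.51.100.7",
     "userIdentity": {"type": "IAMUser", "userName": "alice", "accountId": "123456789012"}},
]})

# CloudTrail API calls an attacker uses to blind the defenders.
TRAIL_TAMPERING = {"StopLogging", "DeleteTrail", "UpdateTrail", "PutEventSelectors"}


def _principal(rec: Dict) -> str:
    ident = rec.get("userIdentity", {})
    return ident.get("userName") or ident.get("arn") or ident.get("type", "unknown")


def _finding(rule: str, rec: Dict) -> Dict:
    return {"rule": rule, "time": rec.get("eventTime"), "principal": _principal(rec),
            "event": rec.get("eventName"), "source_ip": rec.get("sourceIPAddress")}


def detect(records: List[Dict]) -> List[Dict]:
    """Apply each rule to each record; one finding per (rule, record) that fires."""
    findings = []
    for rec in records:
        name = rec.get("eventName")
        ident_type = rec.get("userIdentity", {}).get("type")
        # Successful console sign-in where MFA was not used.
        if (name == "ConsoleLogin"
                and rec.get("responseElements", {}).get("ConsoleLogin") == "Success"
                and rec.get("additionalEventData", {}).get("MFAUsed") != "Yes"):
            findings.append(_finding("console-login-without-mfa", rec))
        # Root should be locked away; any root activity is worth a page.
        if ident_type == "Root":
            findings.append(_finding("root-account-activity", rec))
        # Changes to the trail itself.
        if rec.get("eventSource") == "cloudtrail.amazonaws.com" and name in TRAIL_TAMPERING:
            findings.append(_finding("cloudtrail-tampering", rec))
    return findings


def detect_from_log(raw: str) -> List[Dict]:
    """Parse one CloudTrail log file (already gunzipped) and run the rules over it."""
    return detect(json.loads(raw)["Records"])


if __name__ == "__main__":
    for finding in detect_from_log(SAMPLE_CLOUDTRAIL):
        print(finding)
```

In production this logic sits behind an S3 event notification or a CloudWatch Logs subscription on the trail, and the `StopLogging` finding in particular should go to a channel the attacker cannot silence by stopping the trail.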

CloudWatch v. AWS Config

Amazon CloudWatch monitors AWS services, resources, and applications running on AWS. It collects metrics (for EC2: CPU, network, and disk I/O), ingests logs, and lets you set alarms that send notifications or trigger Auto Scaling when a threshold is crossed. If an exam question is about monitoring the performance of EC2 instances, the answer is CloudWatch.

AWS Config gives a detailed view of the configuration of the resources in your AWS account: how resources are related, how they were configured in the past, and how they change over time. Config rules evaluate every recorded configuration change against a desired state and mark the resource COMPLIANT or NON_COMPLIANT, so Config answers “what changed, and was it allowed?” rather than “how is it performing?”.
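A custom Config rule is just a function that receives a resource’s configuration snapshot and returns a compliance verdict. The Python below is an added example, not AWS code and not from the original post. It assumes the event layout AWS Config hands to a custom rule’s Lambda function (an `invokingEvent` JSON string containing the `configurationItem`) and the camel-cased `ipPermissions` layout Config records for `AWS::EC2::SecurityGroup`; the security group itself is constructed for the example, and the call that reports the verdict back to Config (`put_evaluations`) is left as a comment so the block runs offline.

```python
"""Custom AWS Config rule: no SSH/RDP open to the world (added example, not AWS code)."""
import json
from typing import Dict, List

ADMIN_PORTS = {22, 3389}
ANY_V4, ANY_V6 = "0.0.0.0/0", "::/0"


def _covers_port(perm: Dict, port: int) -> bool:
    """Does this ingress permission include the given TCP port?"""
    if perm.get("ipProtocol") == "-1":              # all traffic, all ports
        return True
    if perm.get("ipProtocol") not in ("tcp", "6"):
        return False
    lo, hi = perm.get("fromPort"), perm.get("toPort")
    return lo is not None and hi is not None and lo <= port <= hi


def open_admin_ports(config: Dict) -> List[str]:
    """Describe every admin port that an ingress rule exposes to 0.0.0.0/0 or ::/0."""
    problems = []
    for perm in config.get("ipPermissions", []):
        world = [r["cidrIp"] for r in perm.get("ipRanges", []) if r.get("cidrIp") == ANY_V4]
        world += [r["cidrIpv6"] for r in perm.get("ipv6Ranges", []) if r.get("cidrIpv6") == ANY_V6]
        if not world:
            continue
        for port in sorted(ADMIN_PORTS):
            if _covers_port(perm, port):
                problems.append(f"tcp/{port} open to {','.join(world)}")
    return problems


def evaluate_compliance(config_item: Dict) -> Dict:
    """Turn one configuration item into a ComplianceType plus a short annotation."""
    if config_item.get("resourceType") != "AWS::EC2::SecurityGroup":
        return {"ComplianceType": "NOT_APPLICABLE", "Annotation": "not a security group"}
    if config_item.get("configurationItemStatus") == "ResourceDeleted":
        return {"ComplianceType": "NOT_APPLICABLE", "Annotation": "resource deleted"}
    problems = open_admin_ports(config_item.get("configuration", {}))
    if problems:
        # Config caps annotations at 256 characters.
        return {"ComplianceType": "NON_COMPLIANT", "Annotation": "; ".join(problems)[:256]}
    return {"ComplianceType": "COMPLIANT", "Annotation": "no admin ports open to the world"}


def lambda_handler(event: Dict, context=None) -> Dict:
    """Entry point in the shape Config invokes; returns the evaluation it would report."""
    invoking = json.loads(event["invokingEvent"])
    item = invoking["configurationItem"]
    result = evaluate_compliance(item)
    result.update({
        "ComplianceResourceType": item["resourceType"],
        "ComplianceResourceId": item["resourceId"],
        "OrderingTimestamp": item["configurationItemCaptureTime"],
    })
    # Production code reports the verdict back to Config:
    #   boto3.client("config").put_evaluations(Evaluations=[result], ResultToken=event["resultToken"])
    return result


# Constructed sample event: HTTPS open to the world (fine) and SSH open to the world (not fine).
SAMPLE_EVENT = {
    "invokingEvent": json.dumps({
        "configurationItem": {
            "resourceType": "AWS::EC2::SecurityGroup",
            "resourceId": "sg-0123456789abcdef0",
            "configurationItemCaptureTime": "2020-10-26T14:00:00.000Z",
            "configurationItemStatus": "OK",
            "configuration": {
                "groupName": "web",
                "ipPermissions": [
                    {"ipProtocol": "tcp", "fromPort": 443, "toPort": 443,
                     "ipRanges": [{"cidrIp": "0.0.0.0/0"}], "ipv6Ranges": []},
                    {"ipProtocol": "tcp", "fromPort": 22, "toPort": 22,
                     "ipRanges": [{"cidrIp": "0.0.0.0/0"}], "ipv6Ranges": []},
                ],
            },
        },
        "messageType": "ConfigurationItemChangeNotification",
    }),
    "ruleParameters": "{}",
    "resultToken": "example-token",
}

if __name__ == "__main__":
    print(lambda_handler(SAMPLE_EVENT))
```

The `ipProtocol == "-1"` branch matters: a rule allowing all traffic from anywhere has no `fromPort`, and a check that only looks at port numbers would pass it as compliant.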

Athena v. Macie

Amazon Athena is an interactive query service that lets you analyze data in S3 using standard SQL. It is serverless, and you pay per query based on the amount of data scanned (priced per TB), so partitioning and compressing the data in S3 directly lowers the bill. Typical uses are querying log files in S3 (CloudTrail, VPC Flow Logs, load balancer access logs), generating business reports on data stored in S3, analyzing AWS Cost and Usage Reports, and running queries on clickstream data.
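The kind of query you would paste into the Athena console over CloudTrail logs, as an added example that is not part of the original post or an AWS sample: Athena itself needs an S3 bucket and a table definition, so this stand-in loads a few constructed CloudTrail rows into an in-memory SQLite table and runs the same standard SQL there. The column names follow the CloudTrail table Athena creates, with the `useridentity` struct flattened into `useridentity_type` and `useridentity_username` (an assumption made so SQLite can hold it). The query finds principals with a burst of `AccessDenied` errors, a common sign of someone probing what a stolen credential can do.

```python
"""Standard-SQL hunt over CloudTrail rows, SQLite standing in for Athena (added example)."""
import sqlite3
from typing import List, Tuple

# Constructed rows: alice works normally; the ci-deploy key is being used to probe
# IAM, EC2 and Secrets Manager and is denied each time.
SAMPLE_ROWS = [
    # eventtime, useridentity_type, useridentity_username, eventsource, eventname, errorcode, sourceipaddress
    ("2020-10-26T14:00:01Z", "IAMUser", "alice", "s3.amazonaws.com", "GetObject", None, "198.51.100.7"),
    ("2020-10-26T14:00:05Z", "IAMUser", "ci-deploy", "iam.amazonaws.com", "CreateUser", "AccessDenied", "203.0.113.44"),
    ("2020-10-26T14:00:06Z", "IAMUser", "ci-deploy", "iam.amazonaws.com", "AttachUserPolicy", "AccessDenied", "203.0.113.44"),
    ("2020-10-26T14:00:09Z", "IAMUser", "ci-deploy", "ec2.amazonaws.com", "RunInstances", "AccessDenied", "203.0.113.44"),
    ("2020-10-26T14:00:12Z", "IAMUser", "ci-deploy", "secretsmanager.amazonaws.com", "ListSecrets", "AccessDenied", "203.0.113.44"),
    ("2020-10-26T14:01:00Z", "IAMUser", "alice", "s3.amazonaws.com", "PutObject", "AccessDenied", "198.51.100.7"),
]

# The query as you would write it for Athena, apart from the ? placeholders,
# which are SQLite parameter markers (in the Athena console you paste literals).
ACCESS_DENIED_BURSTS = """
SELECT useridentity_username        AS principal,
       COUNT(*)                     AS denied,
       COUNT(DISTINCT eventsource)  AS services_probed,
       MIN(eventtime)               AS first_seen,
       MAX(eventtime)               AS last_seen
FROM cloudtrail_logs
WHERE errorcode = 'AccessDenied'
  AND eventtime BETWEEN ? AND ?
GROUP BY useridentity_username
HAVING COUNT(*) >= ?
ORDER BY denied DESC
"""


def load(rows) -> sqlite3.Connection:
    """Create the flattened cloudtrail_logs table in memory and insert the rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("""CREATE TABLE cloudtrail_logs (
        eventtime TEXT, useridentity_type TEXT, useridentity_username TEXT,
        eventsource TEXT, eventname TEXT, errorcode TEXT, sourceipaddress TEXT)""")
    conn.executemany("INSERT INTO cloudtrail_logs VALUES (?,?,?,?,?,?,?)", rows)
    return conn


def access_denied_bursts(conn: sqlite3.Connection, start: str, end: str,
                         threshold: int = 3) -> List[Tuple]:
    """Principals with at least `threshold` AccessDenied errors in [start, end]."""
    return conn.execute(ACCESS_DENIED_BURSTS, (start, end, threshold)).fetchall()


if __name__ == "__main__":
    conn = load(SAMPLE_ROWS)
    for row in access_denied_bursts(conn, "2020-10-26T14:00:00Z", "2020-10-26T14:05:00Z"):
        print(row)
```

The `services_probed` column is the useful signal: one denied call is an everyday permissions mistake, the same principal being denied across three services in seven seconds is enumeration.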

Personally identifiable information (PII) is personal data that can be used to establish an individual’s identity: names, addresses, Social Security numbers, card numbers, and the like. It is a prime target for attackers, and finding it is what Macie exists for.

Amazon Macie is a security service that uses machine learning and natural language processing to discover, classify, and protect sensitive data stored in S3. It recognizes PII and credentials inside S3 objects and reports which buckets hold them; the original (Classic) version of Macie also analyzed CloudTrail logs for unusual access to that data.
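Macie’s classifiers are a managed service you cannot run locally, but the shape of the job can be shown with patterns. The Python below is an added example, not AWS or Macie code and not from the original post: it walks a set of objects, looks for identifiers (SSN, payment card number, AWS access key ID, e-mail), validates what can be validated (a Luhn check on card numbers, so a random 13-digit order number is not reported), and emits a finding per object. The bucket contents are constructed for the example, and the data-type names are only loosely modelled on Macie’s managed data identifiers.

```python
"""Pattern-based sensitive-data discovery over bucket objects (added example, not Macie code)."""
import re
from typing import Dict

# Constructed detectors, named loosely after Macie's managed data identifiers.
PATTERNS = {
    "USA_SOCIAL_SECURITY_NUMBER": re.compile(r"\b(?!000|666|9\d\d)\d{3}-(?!00)\d{2}-(?!0000)\d{4}\b"),
    "CREDIT_CARD_NUMBER": re.compile(r"\b(?:\d[ -]?){13,19}\b"),
    "AWS_ACCESS_KEY_ID": re.compile(r"\b(?:AKIA|ASIA)[0-9A-Z]{16}\b"),
    "EMAIL_ADDRESS": re.compile(r"\b[\w.+-]+@[\w-]+\.[\w.-]+\b"),
}


def luhn_ok(digits: str) -> bool:
    """Luhn checksum: doubling every second digit from the right, the sum is a multiple of 10."""
    total, parity = 0, len(digits) % 2
    for i, ch in enumerate(digits):
        d = int(ch)
        if i % 2 == parity:
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def classify(text: str) -> Dict[str, int]:
    """Count occurrences of each sensitive data type in one object's text."""
    counts: Dict[str, int] = {}
    for kind, pattern in PATTERNS.items():
        n = 0
        for match in pattern.finditer(text):
            if kind == "CREDIT_CARD_NUMBER":
                # The regex is loose on purpose; the checksum removes most false positives.
                digits = re.sub(r"\D", "", match.group())
                if not (13 <= len(digits) <= 19 and luhn_ok(digits)):
                    continue
            n += 1
        if n:
            counts[kind] = n
    return counts


def scan_bucket(objects: Dict[str, str]) -> Dict[str, Dict[str, int]]:
    """Return {object key: {data type: count}} for every object that holds sensitive data."""
    findings = {}
    for key, body in objects.items():
        counts = classify(body)
        if counts:
            findings[key] = counts
    return findings


# Constructed bucket: a customer export, a receipt, an application log and a leaked .env file.
SAMPLE_BUCKET = {
    "exports/customers-2020-10.csv": "name,email,ssn\nJane Doe,jane@example.com,219-09-9999\n",
    "orders/receipt-1001.txt": "Paid with card 4111 1111 1111 1111 on 2020-10-26, order 1001\n",
    "logs/app.log": "order id 1234567890123 processed in 42 ms\n",
    "config/.env": "AWS_ACCESS_KEY_ID=AKIAIOSFODNN7EXAMPLE\n",
}

if __name__ == "__main__":
    for key, counts in scan_bucket(SAMPLE_BUCKET).items():
        print(key, counts)
```

Two things carry over to the real service: findings are per object, so remediation can be targeted (delete the export, rotate the leaked key), and a detector without validation would have flagged the 13-digit order number in the log file as a card number, which is the false-positive noise that makes people ignore the alerts.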
