
AWS Tutorials

What is AWS Security - Features and components

AWS places cloud security as its highest priority. The user data stored in the data center and the network architecture associated with it are built in the most security-centric way. One of the major advantages of using the AWS cloud is scalability. It allows users to scale their applications while maintaining a secure environment around them. Customers pay only for the services and resources that they use, and security is not an upfront expense.

AWS provides flexibility and agility in all the security controls associated with the application. AWS Cloud uses a shared responsibility model. The security of the cloud is managed by AWS, but the security of user data inside the cloud is the responsibility of the user. This means the user has the control to secure their content by implementing control specifications on content, platform, applications, systems and networks.

AWS also provides guidance and expertise through online resources, personnel and partners. It issues advisories for current issues that affect users, and gives users the opportunity to work with AWS when they come across security issues. Amazon offers a wide variety of tools and features that help consumers meet their security goals. These security-specific tools and features span areas such as network security, configuration management, access control, and data encryption.

AWS environments are audited continuously and certified by accreditation bodies across multiple geographies and verticals. The user can leverage the automated tools in the AWS environment for asset inventory and privileged access reporting.

Features of AWS security:

  • Data Security: AWS infrastructure safeguards user data to help protect the user’s privacy. The data is stored in highly secure AWS data centers.  
  • Compliance requirements are met: AWS manages multiple compliance programs with respect to its infrastructure. This means that a segment of the user's compliance is already complete and up to date.
  • Cost-effective: Users only pay for the storage, resources, and service that they use. The highest security standard is maintained even though the user doesn’t manage or explicitly pay for such a facility.  
  • Scalability: Security is scalable, which means it scales out based on the user’s requirements and cloud usage. Irrespective of the size of the application, AWS infrastructure has been designed to keep the user data safe.  

Cloud security consists of three parts: 

  1. Data monitoring 
  2. Gaining visibility 
  3. Access Management 

The ‘Cloud Monitoring’ tool is used to constantly analyse the data that flows into the cloud application. As soon as something irregular happens, or a threshold is reached or a condition is met, the tool notifies the user about these irregularities. This can be understood as ‘Gaining visibility’ into the irregular situation. This can be done with the help of tools that are present in AWS.  

The user can either take action manually or configure the system so that the cloud application automatically takes action when it encounters irregularities. The Cloud Monitoring tool also has an advanced machine learning application that logs the data flow.

  • In AWS cloud, data monitoring is done with the help of AWS CloudWatch.  
  • Gaining visibility is handled with the help of AWS CloudTrail.  
  • Access management is taken care of by AWS IAM.   

Now let us look at every service one at a time: 

CloudWatch Monitoring tool

CloudWatch Monitoring is a service offered by Amazon that helps monitor AWS resources and the user applications which run on AWS in real time. It can also be used to gather and keep track of metrics, where metrics are variables that can be measured for the resources and applications that the user uses.

The CloudWatch page automatically displays the metrics for every AWS service that the user uses. Users are also able to create customized dashboards that display metrics about specific applications. Dashboards can also be used to display a customized collection of metrics chosen by the user.

Alarms can be created by the user that help in monitoring the metrics and sending notifications regarding the state of the metrics. These alarms can also be used to automatically make certain changes to the AWS resources which are being monitored by the user when a certain condition is met or a threshold is reached.  

An example would be monitoring the CPU usage and the disk reads and writes of an Amazon EC2 instance.

  • This data can be used to understand whether additional instances need to be launched to handle the increase in load.  
  • The same data can also be used to stop instances which are not being used, and thereby helps in saving costs.  

CloudWatch helps provide system-wide visibility into the utilization of resources, how the application performs and the health of the operations which take place in the system.
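How such an alarm decides when to act can be shown with a small model. The following is an added example, not code from the original article: it is a simplified simulation of alarm evaluation in which the function arguments mirror the alarm settings Threshold, ComparisonOperator, EvaluationPeriods and DatapointsToAlarm, and the CPU readings are constructed sample data.

```python
from collections import deque


def breaches(value, operator, threshold):
    """Compare one datapoint with the threshold."""
    if operator == "GreaterThanThreshold":
        return value > threshold
    if operator == "LessThanThreshold":
        return value < threshold
    raise ValueError(f"operator not modelled: {operator}")


def alarm_states(datapoints, threshold, operator, evaluation_periods, datapoints_to_alarm):
    """Return the alarm state after each datapoint (one datapoint per period).

    Simplified model: the alarm looks at the last `evaluation_periods`
    datapoints and is in ALARM when at least `datapoints_to_alarm` of them
    breach the threshold. Until the window is full it has INSUFFICIENT_DATA.
    """
    window = deque(maxlen=evaluation_periods)
    states = []
    for value in datapoints:
        window.append(value)
        if len(window) < evaluation_periods:
            states.append("INSUFFICIENT_DATA")
            continue
        hits = sum(breaches(v, operator, threshold) for v in window)
        states.append("ALARM" if hits >= datapoints_to_alarm else "OK")
    return states


def transitions_to_alarm(states):
    """Indexes where the state changes into ALARM, which is when an action fires."""
    return [i for i, state in enumerate(states)
            if state == "ALARM" and (i == 0 or states[i - 1] != "ALARM")]


# Constructed sample: average CPU utilisation (%) of one EC2 instance per period.
CPU = [35, 42, 88, 91, 60, 93, 95, 97, 40, 3, 2, 4, 2, 30]

# High-load alarm: 2 of the last 3 datapoints above 80% -> launch more instances.
HIGH = alarm_states(CPU, 80, "GreaterThanThreshold", 3, 2)
# Idle alarm: 3 of the last 3 datapoints below 5% -> stop the unused instance.
LOW = alarm_states(CPU, 5, "LessThanThreshold", 3, 3)

if __name__ == "__main__":
    for i, cpu in enumerate(CPU):
        print(f"{i:2d} cpu={cpu:3d} high={HIGH[i]:<17} idle={LOW[i]}")
    print("scale-out action fires at period", transitions_to_alarm(HIGH))
    print("stop action fires at period", transitions_to_alarm(LOW))
```

Requiring several breaching datapoints rather than one keeps a single spike (the 88% reading on its own) from triggering an action.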

CloudTrail to gain visibility

CloudTrail can be used to monitor calls that are made to the Amazon CloudWatch API for that specific user's account. These calls include the ones made by the AWS Management Console, the AWS CLI and other AWS services. When CloudTrail logging is enabled, CloudWatch can be used to write the log file to an Amazon S3 bucket which is specified by the user when CloudTrail is configured. It helps enable governance, compliance, and operational and risk auditing of the user's AWS account. Actions performed by a user, a role or an AWS service are recorded as events in CloudTrail, and these events also include actions which have been taken in the AWS Management Console, AWS CLI, AWS SDK and AWS APIs.

When an AWS account is created, CloudTrail is automatically enabled on it. Whenever an activity occurs in this user account, it is recorded as a CloudTrail event. The events can be viewed in the CloudTrail console, under the Event history tab.

CloudTrail can be used to view, search, download, archive, analyse and respond to activities that take place across the AWS infrastructure. The person or the operation that took action can be identified, the resources upon which changes were made can be identified, and the event which occurred can also be identified. These details help in analysing the activities in the AWS account.

To record events in the AWS account on an ongoing basis, a trail can be created. A trail allows the CloudTrail service to deliver log files to an Amazon S3 bucket. When a trail is created, it will be applied across all AWS Regions.
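The "who, what, and on which resource" analysis described above can be done directly on the log files a trail delivers. The following is an added example, not code from the original article: it parses a constructed log in CloudTrail's record layout and flags root user activity, successful console sign-ins without MFA, and changes that stop a trail; the account ID, names, IP addresses and flag labels are assumptions.

```python
import json

# Constructed sample in CloudTrail's log-file layout; the account ID, names
# and IP addresses are made up for illustration.
SAMPLE_LOG = json.dumps({"Records": [
    {"eventTime": "2024-06-15T09:30:00Z", "eventSource": "s3.amazonaws.com",
     "eventName": "PutBucketPolicy", "sourceIPAddress": "203.0.113.25",
     "userIdentity": {"type": "IAMUser", "userName": "alice"},
     "requestParameters": {"bucketName": "example-reports"},
     "responseElements": None},
    {"eventTime": "2024-06-15T10:02:11Z", "eventSource": "signin.amazonaws.com",
     "eventName": "ConsoleLogin", "sourceIPAddress": "198.51.100.7",
     "userIdentity": {"type": "Root", "arn": "arn:aws:iam::111122223333:root"},
     "requestParameters": None,
     "additionalEventData": {"MFAUsed": "No"},
     "responseElements": {"ConsoleLogin": "Success"}},
    {"eventTime": "2024-06-15T10:05:40Z", "eventSource": "cloudtrail.amazonaws.com",
     "eventName": "StopLogging", "sourceIPAddress": "198.51.100.7",
     "userIdentity": {"type": "AssumedRole",
                      "sessionContext": {"sessionIssuer": {"userName": "ops-admin"}}},
     "requestParameters": {"name": "example-trail"},
     "responseElements": None},
    {"eventTime": "2024-06-15T10:07:02Z", "eventSource": "ec2.amazonaws.com",
     "eventName": "DescribeInstances", "sourceIPAddress": "203.0.113.25",
     "userIdentity": {"type": "IAMUser", "userName": "bob"},
     "requestParameters": None, "responseElements": None},
]})

TRAIL_CHANGES = {"StopLogging", "DeleteTrail"}


def actor(identity):
    """Return a readable name for a record's userIdentity element."""
    kind = identity.get("type")
    if kind == "Root":
        return "root"
    if kind == "IAMUser":
        return "user/" + identity.get("userName", "?")
    if kind == "AssumedRole":
        issuer = (identity.get("sessionContext") or {}).get("sessionIssuer") or {}
        return "role/" + issuer.get("userName", "?")
    return identity.get("invokedBy") or identity.get("arn", "unknown")


def flags(record):
    """Return review flags for one record (flag names are this example's own)."""
    found = []
    if (record.get("userIdentity") or {}).get("type") == "Root":
        found.append("root-activity")
    # requestParameters/responseElements are often null, so guard with "or {}".
    login_ok = (record.get("responseElements") or {}).get("ConsoleLogin") == "Success"
    mfa_used = (record.get("additionalEventData") or {}).get("MFAUsed") == "Yes"
    if record.get("eventName") == "ConsoleLogin" and login_ok and not mfa_used:
        found.append("console-login-without-mfa")
    if (record.get("eventSource") == "cloudtrail.amazonaws.com"
            and record.get("eventName") in TRAIL_CHANGES):
        found.append("trail-changed")
    return found


def summarize(log_text):
    """Reduce each record to who did what, from where, on which target."""
    rows = []
    for record in json.loads(log_text).get("Records", []):
        service = record.get("eventSource", "").split(".")[0]
        rows.append({
            "time": record.get("eventTime"),
            "who": actor(record.get("userIdentity") or {}),
            "what": f"{service}:{record.get('eventName')}",
            "from": record.get("sourceIPAddress"),
            "target": record.get("requestParameters") or {},
            "flags": flags(record),
        })
    return rows


if __name__ == "__main__":
    for row in summarize(SAMPLE_LOG):
        print(row)
```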

IAM to manage access

AWS IAM (Identity and Access Management) is a web service facilitated by Amazon that helps the user in securely controlling access to the resources of AWS. IAM can be used to control who gets authenticated to sign-in and who gets the authorization (has permissions) to use the resources provisioned by AWS.  

An IAM role can be created with the help of AWS Management Console, AWS CLI, Tools for Windows PowerShell or IAM API.

If the AWS Management Console is used to create an IAM role, a wizard guides the user through all the steps. The steps in the Console are slightly different from those of the other methods.

An IAM role is similar to a user, since it is an identity with permission policies that determine the operations the identity can perform within AWS. A role doesn't have any credentials, such as a password or access keys, attached to it. It can be uniquely associated with a user, since a role is basically meant to be assumed by a user for a specific task or when needed.

An IAM user can assume a specific role to be granted specific permissions to perform specific tasks. A role can be assigned to a federated user who can sign in with the help of an external identity provider instead of using IAM. AWS uses the details passed via the identity provider so as to determine the role that can be mapped to the federated user.  

An application that runs on an Amazon Elastic Compute Cloud (EC2) instance and makes requests to AWS: An IAM role can be created and attached to the EC2 instance so as to provide temporary security credentials to the applications which run on this instance. When an application uses these credentials in AWS, it gets the ability to perform all operations that are allowed by the policies attached to the role.

An application that runs on mobile and makes requests to AWS: An identity provider such as Login with Amazon, or Amazon Cognito or Facebook or Google can be used to authenticate users and map them to an IAM role. Applications can be used to provide the role with temporary security credentials which have the required permissions (based on the policies that are attached to the role).  

IAM is a web service which helps in securely controlling access to AWS resources of the users. IAM can be used to control which users use the account holder’s AWS resources (known as authentication) and which resources could be used in which ways (known as authorization).  

AWS IAM identities

IAM identities are created to provide authentication to people and processes in the AWS accounts.

IAM root user

When an AWS account is created for the first time, the user signs in with a single identity which has access to all the AWS services and resources in the account. This identity is known as the 'AWS account root user'. The root user can be accessed by signing in with the email address and password that were used when the account was created.

The root user is not recommended to be used for everyday tasks, not even the administrative ones. The root user has to be securely locked away and used only to perform specific account and service management related tasks.  

IAM user

The entity which is created in the AWS account is an IAM user, which represents a person or a service that uses the IAM user to interact with AWS. One of the uses of IAM users is to give people the ability to sign in to the AWS Management Console to perform interactive tasks, and to make programmatic requests to other Amazon services with the help of an API or the CLI.

A user has a name, a password that is used to sign in to the AWS Management Console and about 2 access keys which can be used in conjunction with the API or CLI. When an IAM user is created, it can be granted permissions either by making it a member of a group which has the appropriate permission policies attached to it, or by directly attaching the policies to the user.

Permissions can be cloned from an existing IAM user, which automatically makes the new user a member of the same group and attaches the same policies to the new user.

IAM group

It is a collection of IAM users, which is made to specify permissions for a specific collection of users. This makes it easy to manage the permissions for those users. If a permission is assigned to a group, any user of that group automatically has the same permissions.  

AWS IAM role use cases 

IAM allows the user to manage access to Amazon services and resources securely. With the help of IAM, the user can create and manage AWS users and groups, and use permissions to allow and deny access to AWS resources. The IAM feature can be used with an AWS account at no additional cost. Charges are incurred only when Amazon services are used by the users.

Granular access control to AWS resources

IAM allows users to control access to AWS service APIs and to certain resources. It also allows the user to add specific conditions, such as the time of day at which a user can access AWS, their originating IP address, whether they use SSL, and whether they authenticate with the help of an MFA (multi-factor authentication) device.
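In a policy document, the conditions listed above map to the global condition keys aws:CurrentTime, aws:SourceIp, aws:SecureTransport and aws:MultiFactorAuthPresent. The following is an added example, not code from the original article: it evaluates a constructed policy with a deliberately simplified model of IAM's decision logic (explicit deny wins, otherwise a matching allow, otherwise implicit deny); the bucket name, address range, dates and function names are assumptions.

```python
import fnmatch
import ipaddress
from datetime import datetime

# Constructed policy: bucket name, address range and dates are assumptions.
POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {   # Reads allowed only from one address range, with MFA, in a time window.
            "Sid": "AllowReportReads", "Effect": "Allow",
            "Action": ["s3:GetObject", "s3:ListBucket"],
            "Resource": ["arn:aws:s3:::example-reports",
                         "arn:aws:s3:::example-reports/*"],
            "Condition": {
                "IpAddress": {"aws:SourceIp": ["203.0.113.0/24"]},
                "Bool": {"aws:MultiFactorAuthPresent": "true"},
                "DateGreaterThan": {"aws:CurrentTime": "2024-01-01T00:00:00Z"},
                "DateLessThan": {"aws:CurrentTime": "2024-12-31T23:59:59Z"},
            },
        },
        {   # Any request that did not arrive over SSL/TLS is denied outright.
            "Sid": "DenyPlaintext", "Effect": "Deny",
            "Action": "s3:*", "Resource": "*",
            "Condition": {"Bool": {"aws:SecureTransport": "false"}},
        },
    ],
}

# Constructed request context for a compliant call, and a sample object ARN.
BASE = {"aws:SourceIp": "203.0.113.25", "aws:MultiFactorAuthPresent": "true",
        "aws:SecureTransport": "true", "aws:CurrentTime": "2024-06-15T09:30:00Z"}
REPORT = "arn:aws:s3:::example-reports/q2.csv"
TIME_FORMAT = "%Y-%m-%dT%H:%M:%SZ"


def as_list(value):
    return value if isinstance(value, list) else [value]


def compare(operator, actual, expected):
    """Apply one condition operator (only the four used above are modelled)."""
    if operator == "IpAddress":
        return ipaddress.ip_address(actual) in ipaddress.ip_network(expected)
    if operator == "Bool":
        return str(actual).lower() == str(expected).lower()
    if operator in ("DateGreaterThan", "DateLessThan"):
        a = datetime.strptime(actual, TIME_FORMAT)
        e = datetime.strptime(expected, TIME_FORMAT)
        return a > e if operator == "DateGreaterThan" else a < e
    raise ValueError(f"operator not modelled: {operator}")


def condition_matches(condition, context):
    for operator, keys in condition.items():       # operators are ANDed
        for key, expected in keys.items():         # keys are ANDed
            if key not in context:                 # absent key: no match
                return False
            if not any(compare(operator, context[key], v) for v in as_list(expected)):
                return False                       # values for one key are ORed
    return True


def statement_matches(stmt, action, resource, context):
    return (any(fnmatch.fnmatchcase(action.lower(), a.lower()) for a in as_list(stmt["Action"]))
            and any(fnmatch.fnmatchcase(resource, r) for r in as_list(stmt["Resource"]))
            and condition_matches(stmt.get("Condition", {}), context))


def evaluate(policy, action, resource, context):
    """Return 'explicit deny', 'allow' or 'implicit deny' for one request."""
    hits = [s for s in policy["Statement"] if statement_matches(s, action, resource, context)]
    if any(s["Effect"] == "Deny" for s in hits):
        return "explicit deny"                     # a matching Deny always wins
    return "allow" if any(s["Effect"] == "Allow" for s in hits) else "implicit deny"
```

A request context that carries no aws:MultiFactorAuthPresent key at all does not satisfy the Allow statement, so in this model it ends in an implicit deny just like a request that states the value "false".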

MFA for highly privileged users 

An AWS environment can be protected with the help of AWS MFA, which is a security feature that is enabled at no extra cost. This feature augments the username and password credentials. MFA expects the user to prove that they have physical possession of a hardware MFA token or an MFA-enabled mobile device. The user proves this by providing a valid MFA code.

Management of access control for mobile applications with Web Identity Providers 

The user can enable mobile and browser-based applications to securely access AWS resources. This can be done by requesting temporary security credentials that provide access to certain specific AWS resources for a specific period of time (which is also configured beforehand).

Integration with the corporate directory of the user 

IAM can be used to grant specific permissions to employees and applications. This is known as federated access, which provides access to the AWS Management Console and Amazon service APIs with the help of the user's existing identity system, such as Microsoft Active Directory. Any identity management solution that supports SAML 2.0 can be used.

Conclusion 

In this post, we understood various components of cloud security and saw how these components work hand in hand to protect user data.  


Comments

tenzin nyima

Whoever has contributed to this article...I would like to say thank you... it has been of good help to the readers.

alvi

This blog is very helpful and informative, and I really learned a lot from it.

alvi

It is very helpful and very informative, and I really learned a lot from this article.

alvi

Such a very useful article. I would like to thank you for the efforts you made in writing this awesome blog.

Jeanne

Very useful and awesome blog!