AWS operates a shared responsibility model: AWS commits to securing part of the environment, and you must secure the rest. As a rule of thumb, AWS looks after everything that it can physically touch.
AWS is responsible for the physical security of its own facilities. This includes controlling the movement of individuals, restricting access to only those people who absolutely require it, and keeping the exact locations of AWS data centres a closely guarded secret.
AWS is also responsible for the physical security of the underlying hardware and the host operating system beneath EC2 and self-managed (non-RDS) database instances, and for network security across its estate (all regions, availability zones and edge locations).
AWS delivers a number of managed services, as discussed earlier in this book. This includes RDS, where you cannot access the underlying operating system, so AWS is also responsible for the security of that layer in these services.
Finally, AWS is responsible for the virtualization infrastructure and its security.
Now that we know what AWS looks after, we can focus on the parts that we are responsible for.
We are responsible, through IAM, for managing the users and roles that can access AWS resources. The first layer of security is always identity and access management. Work to the principle of least privilege: each user or role gets exactly the access its task requires, and never more. Everything done in the account can be recorded by enabling CloudTrail and monitoring the logs it writes; those logs only help if something actually reads them, so feed them to alerting rather than leaving them unread in a bucket.
Using IAM, we should give EC2 instances a role (attached through an instance profile) rather than placing long-term API keys on the instance. The role hands the instance short-lived, automatically rotated credentials via the instance metadata service, so there is no static key to leak from the disk, an AMI or a repository.
We must also enable multi-factor authentication (MFA) for all AWS users, starting with the root account. MFA is not just for console login: an IAM policy can require it for individual API calls, such as terminating EC2 instances, using the aws:MultiFactorAuthPresent condition key.
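The three points above (least privilege with CloudTrail monitoring, roles instead of static keys on EC2, and MFA for logins and sensitive calls) are easiest to see in the logs. The script below is an added example, not code from the book, that triages CloudTrail records for exactly those failures: console sign-ins without MFA, sensitive API calls from sessions that did not use MFA, and IAM users calling with long-term access keys. The field names are CloudTrail's own record format; the records themselves are constructed for the example and are not real account data, and the list of "sensitive" actions is a choice, not an AWS definition.

```python
"""Triage CloudTrail records for the IAM hygiene points above.

Added example. Field names follow CloudTrail's record format; the records
below are constructed for illustration and are not real account data.
Keys beginning "AKIA" are long-term IAM user keys; "ASIA" keys are temporary
STS credentials, which is what an instance-profile role hands out.
"""
import json

SAMPLE_TRAIL = json.dumps({"Records": [
    {   # IAM user signs in to the console without MFA -> finding
        "eventTime": "2024-05-01T08:00:00Z", "eventSource": "signin.amazonaws.com",
        "eventName": "ConsoleLogin", "sourceIPAddress": "203.0.113.10",
        "userIdentity": {"type": "IAMUser", "userName": "alice",
                         "arn": "arn:aws:iam::123456789012:user/alice"},
        "responseElements": {"ConsoleLogin": "Success"},
        "additionalEventData": {"MFAUsed": "No"}},
    {   # console sign-in with MFA -> fine
        "eventTime": "2024-05-01T08:05:00Z", "eventSource": "signin.amazonaws.com",
        "eventName": "ConsoleLogin", "sourceIPAddress": "203.0.113.11",
        "userIdentity": {"type": "IAMUser", "userName": "bob"},
        "responseElements": {"ConsoleLogin": "Success"},
        "additionalEventData": {"MFAUsed": "Yes"}},
    {   # instance terminated with a long-term key and no MFA -> two findings
        "eventTime": "2024-05-01T09:00:00Z", "eventSource": "ec2.amazonaws.com",
        "eventName": "TerminateInstances", "sourceIPAddress": "198.51.100.7",
        "userIdentity": {"type": "IAMUser", "userName": "carol",
                         "accessKeyId": "AKIAEXAMPLE0000CAROL"},
        "requestParameters": {"instancesSet": {"items": [
            {"instanceId": "i-0123456789abcdef0"}]}},
        "responseElements": None},
    {   # call made by an EC2 instance through its instance-profile role -> fine
        # (the session name of an instance-profile session is the instance ID)
        "eventTime": "2024-05-01T09:10:00Z", "eventSource": "ec2.amazonaws.com",
        "eventName": "DescribeInstances", "sourceIPAddress": "10.0.1.25",
        "userIdentity": {"type": "AssumedRole", "accessKeyId": "ASIAEXAMPLE0000WEB01",
            "arn": "arn:aws:sts::123456789012:assumed-role/WebServerRole/i-0fedcba9876543210",
            "sessionContext": {"attributes": {"mfaAuthenticated": "false"},
                               "sessionIssuer": {"type": "Role", "userName": "WebServerRole"}}}},
    {   # termination from an MFA-authenticated admin role session -> fine
        "eventTime": "2024-05-01T09:30:00Z", "eventSource": "ec2.amazonaws.com",
        "eventName": "TerminateInstances", "sourceIPAddress": "203.0.113.12",
        "userIdentity": {"type": "AssumedRole", "accessKeyId": "ASIAEXAMPLE0000ADMIN",
            "arn": "arn:aws:sts::123456789012:assumed-role/AdminRole/dave",
            "sessionContext": {"attributes": {"mfaAuthenticated": "true"}}}},
]})

# Calls worth gating on aws:MultiFactorAuthPresent in the IAM policy (our choice).
SENSITIVE_ACTIONS = {"TerminateInstances", "DeleteTrail", "StopLogging",
                     "CreateAccessKey", "DeleteDBInstance"}


def mfa_used(event):
    """MFA is reported differently for console sign-ins and for API calls."""
    if event.get("eventName") == "ConsoleLogin":
        return (event.get("additionalEventData") or {}).get("MFAUsed") == "Yes"
    # An IAM user calling with a long-term key has no sessionContext at all,
    # which correctly evaluates to "no MFA".
    ident = event.get("userIdentity") or {}
    attrs = (ident.get("sessionContext") or {}).get("attributes") or {}
    return attrs.get("mfaAuthenticated") == "true"


def actor(event):
    ident = event.get("userIdentity") or {}
    return ident.get("userName") or ident.get("arn") or ident.get("type", "unknown")


def triage(records):
    """Return (finding, actor, eventName) tuples for records that break the rules."""
    findings = []
    for ev in records:
        name = ev.get("eventName", "")
        ident = ev.get("userIdentity") or {}
        success = (ev.get("responseElements") or {}).get("ConsoleLogin") == "Success"
        if name == "ConsoleLogin" and success and not mfa_used(ev):
            findings.append(("CONSOLE_LOGIN_WITHOUT_MFA", actor(ev), name))
        if name in SENSITIVE_ACTIONS and not mfa_used(ev):
            findings.append(("SENSITIVE_CALL_WITHOUT_MFA", actor(ev), name))
        if ident.get("type") == "IAMUser" and ident.get("accessKeyId", "").startswith("AKIA"):
            findings.append(("LONG_TERM_ACCESS_KEY_USED", actor(ev), name))
    return findings


def triage_trail(text):
    """Triage one CloudTrail log file (the JSON inside the gzipped S3 object)."""
    return triage(json.loads(text)["Records"])


if __name__ == "__main__":
    for finding in triage_trail(SAMPLE_TRAIL):
        print(*finding)
```

Run it as-is and it reports alice's MFA-less console login and carol's termination call twice (no MFA, long-term key); the instance-profile call and the MFA-backed admin session pass. Pointed at a real trail, the same three checks are a reasonable first alert set, and the `AKIA` check in particular tends to surface keys that were copied onto instances years ago.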
As AWS customers, we are responsible for all customer data. This includes protecting data in transit and at rest in every data store, for example with TLS certificates and with encryption for S3, Glacier, Redshift, EBS and the SQL databases in RDS. Remember: if an RDS database is encrypted, its read replicas and snapshots are encrypted too. Encryption can only be chosen when the instance is created, so to encrypt an existing unencrypted database you take a snapshot, copy it with encryption enabled and restore from the copy.
While AWS manages the host operating system, it is your responsibility to install security patches and updates on the guest operating system of your instances.
It is also your responsibility to configure the security groups, subnets and network access control lists within your VPC. Keep in mind that security groups are stateful (the reply to allowed traffic is allowed automatically), whereas network ACLs are stateless, so each direction, including the return traffic on ephemeral ports, must be allowed explicitly.
You can further enhance security by using a dedicated connection between your on-premises environment and AWS with AWS Direct Connect. A Direct Connect link is private but not encrypted by default, so run a VPN or TLS over it if the traffic needs confidentiality.
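The security group and network ACL responsibilities above are where most self-inflicted VPC problems live: an admin port opened to the world "temporarily", and a stateless NACL that lets a service in but never lets the replies out. The audit below is an added example, not code from the book. Its inputs are constructed in the shape that boto3's `ec2.describe_security_groups()` and `ec2.describe_network_acls()` return, so the same functions can be pointed at live output; the group and ACL IDs, the list of "admin" ports and the weak and corrected configurations are all made up for the example.

```python
"""Audit security groups for admin ports open to the world and network ACLs
for inbound allows whose reply traffic is denied on the ephemeral ports.

Added example. Inputs mirror boto3's describe_security_groups() and
describe_network_acls() responses; IDs and rules are constructed, not real.
"""
import ipaddress

ADMIN_PORTS = {22: "ssh", 3389: "rdp", 1433: "mssql", 3306: "mysql", 5432: "postgres"}
EPHEMERAL = range(1024, 65536)   # return-port range the VPC docs tell you to allow out


def permission(proto, ports=None, v4=(), v6=(), groups=()):
    """Build one IpPermissions entry (helper for the constructed data)."""
    p = {"IpProtocol": proto, "IpRanges": [{"CidrIp": c} for c in v4],
         "Ipv6Ranges": [{"CidrIpv6": c} for c in v6],
         "UserIdGroupPairs": [{"GroupId": g} for g in groups]}
    if ports:
        p["FromPort"], p["ToPort"] = ports
    return p


SECURITY_GROUPS = {"SecurityGroups": [
    {"GroupId": "sg-0aaaaaaaaaaaaaaa0", "GroupName": "web", "IpPermissions": [
        permission("tcp", (443, 443), v4=["0.0.0.0/0"]),       # fine: public HTTPS
        permission("tcp", (22, 22), v4=["0.0.0.0/0"])]},       # weak: SSH from anywhere
    {"GroupId": "sg-0bbbbbbbbbbbbbbb0", "GroupName": "db", "IpPermissions": [
        permission("tcp", (3306, 3306), groups=["sg-0aaaaaaaaaaaaaaa0"])]},  # correct: web tier only
    {"GroupId": "sg-0ccccccccccccccc0", "GroupName": "bastion", "IpPermissions": [
        permission("tcp", (22, 22), v4=["198.51.100.0/24"])]},  # correct: office range only
    {"GroupId": "sg-0ddddddddddddddd0", "GroupName": "legacy", "IpPermissions": [
        permission("-1", v6=["::/0"])]},                        # weak: everything, from any IPv6
]}


def entry(rule, proto, action, egress, ports=None, cidr="0.0.0.0/0"):
    """Build one NACL entry; Protocol is a string ("6" TCP, "17" UDP, "-1" all)."""
    e = {"RuleNumber": rule, "Protocol": proto, "RuleAction": action,
         "Egress": egress, "CidrBlock": cidr}
    if ports:
        e["PortRange"] = {"From": ports[0], "To": ports[1]}
    return e


NETWORK_ACLS = {"NetworkAcls": [
    {"NetworkAclId": "acl-0aaaaaaaaaaaaaaa0", "Entries": [   # weak: 443 in, only 443 out
        entry(100, "6", "allow", False, (443, 443)), entry(32767, "-1", "deny", False),
        entry(100, "6", "allow", True, (443, 443)), entry(32767, "-1", "deny", True)]},
    {"NetworkAclId": "acl-0bbbbbbbbbbbbbbb0", "Entries": [   # corrected: ephemeral range out
        entry(100, "6", "allow", False, (443, 443)), entry(32767, "-1", "deny", False),
        entry(100, "6", "allow", True, (1024, 65535)), entry(32767, "-1", "deny", True)]},
]}


def world_open(cidr):
    return ipaddress.ip_network(cidr, strict=False).prefixlen == 0


def audit_security_groups(resp):
    """Security groups are stateful and default-deny, so only the inbound allows
    matter: report admin ports (or all traffic) reachable from 0.0.0.0/0 or ::/0."""
    findings = []
    for sg in resp["SecurityGroups"]:
        for rule in sg["IpPermissions"]:
            cidrs = ([r["CidrIp"] for r in rule.get("IpRanges", [])]
                     + [r["CidrIpv6"] for r in rule.get("Ipv6Ranges", [])])
            for cidr in filter(world_open, cidrs):
                if rule["IpProtocol"] == "-1":
                    findings.append((sg["GroupId"], "all traffic", cidr))
                    continue
                lo, hi = rule.get("FromPort", 0), rule.get("ToPort", 65535)
                for port in sorted(p for p in ADMIN_PORTS if lo <= p <= hi):
                    findings.append((sg["GroupId"], f"{ADMIN_PORTS[port]}/{port}", cidr))
    return findings


def first_match(entries, proto, port):
    """NACL evaluation: first matching rule wins (entries pre-sorted by RuleNumber),
    and the implicit final rule denies. Peer CIDRs are not evaluated here."""
    for e in entries:
        if e["Protocol"] not in ("-1", proto):
            continue
        pr = e.get("PortRange")
        if pr and not pr["From"] <= port <= pr["To"]:
            continue
        return e["RuleAction"]
    return "deny"


def audit_network_acls(resp):
    """For each inbound TCP/UDP allow, count ephemeral ports whose reply is denied
    outbound; a non-zero count means connections through this stateless ACL hang."""
    findings = []
    for acl in resp["NetworkAcls"]:
        by_dir = {d: sorted((e for e in acl["Entries"] if e["Egress"] == d),
                            key=lambda e: e["RuleNumber"]) for d in (False, True)}
        for e in by_dir[False]:
            if e["RuleAction"] != "allow" or e["Protocol"] not in ("6", "17"):
                continue
            blocked = sum(first_match(by_dir[True], e["Protocol"], p) != "allow"
                          for p in EPHEMERAL)
            if blocked:
                pr = e["PortRange"]
                findings.append((acl["NetworkAclId"], e["RuleNumber"],
                                 f"{pr['From']}-{pr['To']}", blocked))
    return findings


if __name__ == "__main__":
    print(audit_security_groups(SECURITY_GROUPS))
    print(audit_network_acls(NETWORK_ACLS))
```

The security group audit only looks at what is allowed in, because the group is stateful. The NACL audit has to evaluate the egress rules for every ephemeral port, because the ACL is not: in the constructed "weak" ACL every one of the 64512 reply ports is denied, so HTTPS clients connect and then hang, which is the symptom people usually chase for an afternoon before looking at the outbound rules.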
We can monitor our environment and the changes made to it with AWS Config. Essentially, the service records a snapshot of the configuration of your resources and keeps a history of it, so you can compare the current state with earlier snapshots to identify what has changed in your estate, and Config rules can flag non-compliant resources automatically.
Finally, we can use AWS Trusted Advisor, which inspects your account and reports security issues, such as security groups with unrestricted ports or no MFA on the root account, so that you can fix them. A core set of checks is available to every account; the full set requires a Business or Enterprise Support plan.