Shared responsibility model
Compliance
Identity and Access Management (IAM)
- user
- policy
- group
- role
AWS Organization
Application Security
- Web Application Firewall (WAF)
- Shield - DDoS
- Inspector - automated security assessment
- Key Management Service (KMS) - cryptographic keys (not secrets, not certificates)
- GuardDuty - intelligent threat detection
Shared Responsibility Model
Compliance
compliance: you have to prove it, see https://aws.amazon.com/compliance/
using a compliant service is not sufficient to make a customer compliant
Identity and Access Management (IAM)
manage access to AWS services and resources
AWS account root user
rarely / never use root
any use of root is so rare that it should be investigated as a security event
IAM users
identity representing a person / application
best practice: create a user for each person, don't share accounts with other people
IAM policies
document that grants or denies permissions
best practice: principle of least privilege
IAM groups
collection of users
best practice: use groups
users can be in multiple groups
access conflicts (a user in several groups with conflicting policies): an explicit deny always wins
https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_evaluation-logic.html
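As an added illustration of the conflict rule (explicit deny beats any allow), not code from these notes: a small Python model of identity-based policy evaluation for a user who is in two groups. The group names, policies and request are constructed; the real evaluator also considers SCPs, permission boundaries, resource policies and conditions, which this model leaves out.

```python
import fnmatch

# Constructed sample: one user sits in two groups, each group carries one
# identity-based policy (shape follows the IAM policy document format).
GROUP_POLICIES = {
    "developers": {
        "Version": "2012-10-17",
        "Statement": [
            {"Effect": "Allow", "Action": "s3:*",
             "Resource": "arn:aws:s3:::example-bucket/*"},
        ],
    },
    "auditors": {
        "Version": "2012-10-17",
        "Statement": [
            {"Effect": "Deny", "Action": ["s3:DeleteObject", "s3:PutObject"],
             "Resource": "*"},
        ],
    },
}

def _as_list(value):
    return value if isinstance(value, list) else [value]

def _matches(stmt, action, resource):
    """Does the statement cover this action and resource? ('*' wildcards via fnmatch)"""
    actions = _as_list(stmt.get("Action", []))
    resources = _as_list(stmt.get("Resource", []))
    return (any(fnmatch.fnmatchcase(action, p) for p in actions)
            and any(fnmatch.fnmatchcase(resource, p) for p in resources))

def evaluate(policies, action, resource):
    """Simplified identity-based evaluation: explicit Deny > Allow > implicit deny."""
    allowed = False
    for policy in policies:
        for stmt in policy["Statement"]:
            if not _matches(stmt, action, resource):
                continue
            if stmt["Effect"] == "Deny":
                return "explicit deny"  # a matching Deny ends evaluation, nothing overrides it
            allowed = True              # remember the Allow, but keep looking for a Deny
    return "allow" if allowed else "implicit deny"  # nothing matched: default deny

def decide_for_user(user_groups, action, resource):
    """A user in several groups gets the union of their policies, then deny-wins applies."""
    return evaluate([GROUP_POLICIES[g] for g in user_groups], action, resource)

if __name__ == "__main__":
    for act in ("s3:GetObject", "s3:DeleteObject", "ec2:StartInstances"):
        print(act, "->", decide_for_user(["developers", "auditors"], act,
                                         "arn:aws:s3:::example-bucket/report.csv"))
```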
IAM roles
identity you can assume to gain temporary access to permissions
you can only assume one role at a time
roles vs groups
https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_common-scenarios_aws-accounts.html
groups: simple starting point
- stops scaling
roles: require technical effort
- single sign on
- federated identity
AWS Organization
create & manage AWS accounts & groups of AWS accounts
Application Security
Web Application Firewall (WAF)
cf. a network firewall, which works on OSI layers 3-4; a WAF works on OSI layer 7 (application)
Shield - DDoS protection
not optional, always on
optional: Shield Advanced
Inspector - automated security assessment
Key Management Service (KMS) - cryptographic keys, NOT certificates (and not secrets)
GuardDuty - intelligent threat detection