Course: AWS Cloud Practitioner Essentials - 6. Security

July 26th, 2022

Shared responsibility model

Compliance

Identity and Access Management (IAM)

  • user

  • policy

  • group

  • role

AWS Organization

Application Security

  • Web Application Firewall (WAF)

  • Shield - DDoS

  • Inspector - automated security assessment

  • Key Management Service (KMS) - cryptographic keys (not secrets, not certificates)

  • GuardDuty - intelligent threat detection

 


Shared Responsibility Model


 


 

Compliance

compliance: prove

https://aws.amazon.com/compliance/

 

using a compliant service is not sufficient to make a customer compliant

 


 

Identity and Access Management (IAM)

manage access to AWS services and resources


 

AWS account root user

rarely / never use root

any use of root is so rare that it should be investigated as a security event

 

IAM Users

identity representing person / application

best practice: create a user for each person, don't share accounts with other people

 

IAM Policies

document that grants or denies permissions

best practice: principle of least privilege

 

IAM groups

collection of users

best practice: use groups

users can be in multiple groups

 

access conflicts

deny always wins

https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_evaluation-logic.html
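Added example (not from the course): a small simulator of the evaluation order the linked page describes for a single account, run over constructed sample policies (as a user in several groups would accumulate). An explicit Deny in any matching statement wins, otherwise any matching Allow grants access, otherwise the request is implicitly denied.

```python
from fnmatch import fnmatchcase

# Constructed sample policies, as if attached via two different groups.
# The ARNs and actions are illustrative, not taken from the course.
POLICIES = [
    {"Statement": [
        {"Effect": "Allow",
         "Action": ["s3:GetObject", "s3:ListBucket"],
         "Resource": "arn:aws:s3:::example-bucket/*"},
    ]},
    {"Statement": [
        {"Effect": "Deny",
         "Action": "s3:*",
         "Resource": "arn:aws:s3:::example-bucket/secret/*"},
    ]},
]


def _matches(pattern, value):
    """IAM-style wildcard match: '*' and '?' as in policy documents.
    Accepts a single pattern or a list of patterns."""
    patterns = pattern if isinstance(pattern, list) else [pattern]
    return any(fnmatchcase(value, p) for p in patterns)


def evaluate(policies, action, resource):
    """Return (decision, reason) following the documented order:
    explicit Deny > explicit Allow > implicit Deny."""
    action = action.lower()  # action names are case-insensitive in IAM
    allowed = False
    for policy in policies:
        for stmt in policy["Statement"]:
            acts = stmt["Action"]
            acts = [a.lower() for a in (acts if isinstance(acts, list) else [acts])]
            if _matches(acts, action) and _matches(stmt["Resource"], resource):
                if stmt["Effect"] == "Deny":
                    return "Deny", "explicit deny always wins"
                allowed = True
    if allowed:
        return "Allow", "matched an Allow statement, no Deny"
    return "Deny", "implicit deny: no statement allows this request"


if __name__ == "__main__":
    for act, res in [("s3:GetObject", "arn:aws:s3:::example-bucket/public/a.txt"),
                     ("s3:GetObject", "arn:aws:s3:::example-bucket/secret/k.txt"),
                     ("s3:PutObject", "arn:aws:s3:::example-bucket/public/a.txt")]:
        print(act, res, "->", evaluate(POLICIES, act, res))
```

The second request is denied even though an Allow also matches it, which is the "deny always wins" rule; the third is denied simply because nothing grants it.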

 

IAM roles

identity you can assume to gain temporary access to permissions


you can only assume one role at a time

 

roles vs groups

https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_common-scenarios_aws-accounts.html

roles (requires technical effort)

  • single sign on

  • federated identity

simple starting point: groups

  • stops scaling

 


 


AWS Organization

create & manage AWS accounts & groups of AWS accounts


 


 

Application Security

Web Application Firewall (WAF)


(cf. a network firewall, which works at OSI layers 3-4; a WAF works at OSI layer 7, the application layer)

 

Shield - DDoS

not optional, always on

optional: Shield Advanced

 

Inspector


 

Key Management Service (KMS)

NOT certificates

 

GuardDuty - intelligent threat detection
