“Security and compliance are shared responsibilities between AWS and our customers. AWS operates, manages, and controls security of the cloud.” Customer responsibilities include “selecting and securing operating systems that run on Amazon Elastic Compute Cloud (Amazon EC2) instances, and securing the applications that are launched on AWS resources.”
Security is one of the six pillars of the Well-Architected Framework. The other pillars are:
Operational excellence
Reliability
Performance efficiency
Cost optimization
Sustainability
The framework provides best practices and design guidance across each pillar to help make choices and review existing architectures. You can use the AWS Well-Architected Tool to implement best practices and access current AWS best practices on-demand.
Identity and Access Management
Implement the principle of least privilege and enforce separation of duties, with appropriate authorization for each interaction with AWS resources. Centralize identity management, and aim to eliminate reliance on long-term, static credentials (for example, prefer IAM roles and temporary credentials over long-lived access keys).
Data Protection
Protect data in transit and at rest. Classify your data into sensitivity levels, and use mechanisms, such as encryption, tokenization, and access control, where appropriate.
Defense in Depth
Apply security at all layers. Use a defense-in-depth approach with multiple, independent controls at every layer (network edge, VPC, load balancer, each instance and compute service, operating system, application, and code), so that a single bypassed control does not expose the whole system.
Least Privilege
“This means granting only the permissions that are needed to perform a task. It’s more secure to start with a minimum set of permissions and grant additional permissions as needed.”
When creating access policies:
Determine what users need to do
Craft policies that allow them to perform only those tasks
Create policies for individual resources that identify precisely who is allowed to access the resource
Allow only the minimal permissions for those users
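Added example (not from the original page or from AWS): a small Go program that applies the four steps above to two constructed IAM policy documents for an uploader, one broad and one scoped to a single action on a single prefix, and reviews each for the wildcards that signal more than one task's worth of permissions. The policy JSON shape (Version "2012-10-17", Effect, Action, Resource) is IAM's own; the bucket name, the Sid values and the ReviewPolicy checker are assumptions of this example. A few API actions are not resource-scoped and legitimately need Resource "*", so a finding means "justify this", not "always wrong".

```go
package main

import (
	"encoding/json"
	"fmt"
	"strings"
)

// stringList accepts the two shapes IAM allows for Action and Resource:
// a single string or a JSON array of strings.
type stringList []string

func (s *stringList) UnmarshalJSON(b []byte) error {
	var one string
	if err := json.Unmarshal(b, &one); err == nil {
		*s = stringList{one}
		return nil
	}
	var many []string
	if err := json.Unmarshal(b, &many); err != nil {
		return err
	}
	*s = many
	return nil
}

// Statement and Policy carry only the fields this review looks at. Condition,
// NotAction and NotResource are ignored, and Statement is expected in its
// array form (IAM also accepts a single object), so a clean result is a
// starting point for review, not a full policy audit.
type Statement struct {
	Sid      string     `json:"Sid,omitempty"`
	Effect   string     `json:"Effect"`
	Action   stringList `json:"Action"`
	Resource stringList `json:"Resource"`
}

type Policy struct {
	Version   string      `json:"Version"`
	Statement []Statement `json:"Statement"`
}

// ReviewPolicy returns one finding per Allow statement that grants more than
// a single task needs: every action ("*"), a whole service ("s3:*"), or every
// resource ("*").
func ReviewPolicy(policyJSON string) ([]string, error) {
	var p Policy
	if err := json.Unmarshal([]byte(policyJSON), &p); err != nil {
		return nil, err
	}
	var findings []string
	for i, st := range p.Statement {
		if st.Effect != "Allow" {
			continue
		}
		label := st.Sid
		if label == "" {
			label = fmt.Sprintf("statement %d", i)
		}
		for _, a := range st.Action {
			if a == "*" || strings.HasSuffix(a, ":*") {
				findings = append(findings, fmt.Sprintf("%s: action %q is broader than one task", label, a))
			}
		}
		for _, r := range st.Resource {
			if r == "*" {
				findings = append(findings, fmt.Sprintf("%s: resource %q covers every resource", label, r))
			}
		}
	}
	return findings, nil
}

// BroadPolicy is what "grant everything now, trim later" looks like.
const BroadPolicy = `{
  "Version": "2012-10-17",
  "Statement": [{"Sid": "AllOfS3", "Effect": "Allow", "Action": "s3:*", "Resource": "*"}]
}`

// ScopedPolicy lets an uploader do exactly one task (put objects) under one
// prefix of one bucket. The bucket name is a constructed sample.
const ScopedPolicy = `{
  "Version": "2012-10-17",
  "Statement": [{
    "Sid": "UploadPhotosOnly",
    "Effect": "Allow",
    "Action": ["s3:PutObject"],
    "Resource": "arn:aws:s3:::example-photo-uploads/incoming/*"
  }]
}`

func main() {
	for _, p := range []struct{ name, doc string }{{"broad", BroadPolicy}, {"scoped", ScopedPolicy}} {
		findings, err := ReviewPolicy(p.doc)
		fmt.Printf("%s policy: %d finding(s) %v err=%v\n", p.name, len(findings), findings, err)
	}
}
```

Run it with `go run`; the broad policy produces two findings (service-wide action, wildcard resource) and the scoped one none. The same check fits naturally into a CI step that runs over every policy document in an infrastructure-as-code repository before it is applied.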
“Data in transit is data that is actively moving from one location to another, such as across the internet or through a private network.” Use cryptographic protocols such as TLS to protect data while it travels between networks or is transferred from local storage to cloud storage. The protection depends on the client verifying the server’s certificate: a client that skips verification is still encrypting, but to whoever answers the connection.
Example: Uploading pictures to a cloud service over TLS, so that the transfer cannot be read or altered on the way.
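Added example (not from the original page or from AWS): the upload in the example above as an in-process TLS exchange in Go. A throwaway self-signed certificate for 127.0.0.1 stands in for the service's certificate (an assumption so the program runs offline), the server refuses anything below TLS 1.2, and the client sends the bytes only after verifying the certificate against the roots it trusts. The same upload with an empty trust store fails before any data is sent, which is the behaviour a client must keep rather than suppress with InsecureSkipVerify. The sample payload is constructed.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"fmt"
	"io"
	"math/big"
	"net"
	"time"
)

// selfSignedServerCert: throwaway cert for 127.0.0.1 so this runs offline; a real endpoint presents a CA-issued one.
func selfSignedServerCert() (tls.Certificate, *x509.CertPool, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return tls.Certificate{}, nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(1),
		NotBefore:             time.Now().Add(-time.Minute),
		NotAfter:              time.Now().Add(time.Hour),
		KeyUsage:              x509.KeyUsageDigitalSignature | x509.KeyUsageCertSign,
		ExtKeyUsage:           []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
		IPAddresses:           []net.IP{net.ParseIP("127.0.0.1")},
		BasicConstraintsValid: true,
		IsCA:                  true,
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return tls.Certificate{}, nil, err
	}
	parsed, err := x509.ParseCertificate(der)
	if err != nil {
		return tls.Certificate{}, nil, err
	}
	pool := x509.NewCertPool()
	pool.AddCert(parsed) // the only root the example client will trust
	return tls.Certificate{Certificate: [][]byte{der}, PrivateKey: key}, pool, nil
}

// startUploadServer accepts TLS (1.2 or newer), reads one upload per connection and answers with a receipt.
func startUploadServer(cert tls.Certificate) (net.Listener, error) {
	ln, err := tls.Listen("tcp", "127.0.0.1:0", &tls.Config{
		Certificates: []tls.Certificate{cert},
		MinVersion:   tls.VersionTLS12,
	})
	if err != nil {
		return nil, err
	}
	go func() {
		for {
			conn, err := ln.Accept()
			if err != nil {
				return // listener closed
			}
			go func(c net.Conn) {
				defer c.Close()
				// Handshake runs on the first Read; a client that aborts it is simply dropped.
				if body, err := io.ReadAll(c); err == nil { // EOF arrives with the client's close_notify
					fmt.Fprintf(c, "stored %d bytes", len(body))
				}
			}(conn)
		}
	}()
	return ln, nil
}

// uploadOverTLS sends payload to addr, trusting only roots, and returns the server's receipt.
// Verification stays on: never "fix" a failing handshake with InsecureSkipVerify.
func uploadOverTLS(addr string, roots *x509.CertPool, payload []byte) (string, error) {
	conn, err := tls.Dial("tcp", addr, &tls.Config{RootCAs: roots, MinVersion: tls.VersionTLS12})
	if err != nil {
		return "", err // e.g. x509: certificate signed by unknown authority
	}
	defer conn.Close()
	if _, err := conn.Write(payload); err != nil {
		return "", err
	}
	conn.CloseWrite() // end of upload; the server replies after this
	receipt, err := io.ReadAll(conn)
	return string(receipt), err
}

func main() {
	cert, pool, err := selfSignedServerCert()
	if err != nil {
		panic(err)
	}
	ln, err := startUploadServer(cert)
	if err != nil {
		panic(err)
	}
	photo := []byte("constructed sample image bytes")
	fmt.Println(uploadOverTLS(ln.Addr().String(), pool, photo))                // receipt, <nil>
	fmt.Println(uploadOverTLS(ln.Addr().String(), x509.NewCertPool(), photo)) // "", x509 error
}
```

With the real service the only change is the trust store: the client trusts the public CA (or the organisation's private CA) that issued the endpoint's certificate instead of the one-certificate pool built here. The failing second call is the point of the example: an unverified handshake is where a "works on my machine" InsecureSkipVerify tends to creep in, and with it the protection the page describes disappears.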
“Client-side encryption provides end-to-end protection for your object, in transit and at rest, from its source to storage.” The client encrypts data before sending it and decrypts the data it retrieves; the storage service only ever holds ciphertext, which also means the client is responsible for managing and protecting the key.
Example: Encrypting data on a mobile device to ensure data is scrambled and isn’t accessible to unintended users if the device is lost or stolen.
“With server-side encryption, data is encrypted before it’s stored.” The server encrypts data when storing it and decrypts it when it is requested, so any caller the service authorizes receives plaintext: the encryption protects the stored media, while access control on the object is what keeps it from the wrong reader.
Example: Amazon S3 provides server-side encryption, encrypting data at the object level as it writes to disks in AWS data centers.
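Added example (not from the original page, and not the S3 API): one Go program covering both models above. An in-memory ObjectStore (hypothetical) stands in for the storage service. With no key it stores what it is given, which is the client-side model: the client seals with AES-GCM before upload and opens after download. With a server-side key it seals on Put and opens on Get. The sample record and both keys are constructed; in practice the keys would come from a KMS, not from crypto/rand inside the process. The program checks what actually lands on the store's disk in each model, that a wrong key or a modified ciphertext fails to open, and that under server-side encryption Get still returns plaintext to any caller the store admits.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
)

func gcmFor(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key) // 16-, 24- or 32-byte key
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// seal encrypts plaintext under key with AES-GCM and prefixes a fresh random
// nonce. GCM authenticates too, so any change to the stored bytes fails in open.
func seal(key, plaintext []byte) ([]byte, error) {
	gcm, err := gcmFor(key)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	return gcm.Seal(nonce, nonce, plaintext, nil), nil
}

// open reverses seal; it fails on a wrong key or a modified ciphertext.
func open(key, sealed []byte) ([]byte, error) {
	gcm, err := gcmFor(key)
	if err != nil || len(sealed) < gcm.NonceSize() {
		return nil, errors.New("bad key or ciphertext too short")
	}
	return gcm.Open(nil, sealed[:gcm.NonceSize()], sealed[gcm.NonceSize():], nil)
}

// ObjectStore stands in for a storage service (hypothetical, not S3's API).
// With a serverKey it seals on Put and opens on Get, which is the server-side
// model; with serverKey == nil it stores bytes exactly as received.
type ObjectStore struct {
	serverKey []byte
	objects   map[string][]byte // what actually sits on the store's disk
}

func NewObjectStore(serverKey []byte) *ObjectStore {
	return &ObjectStore{serverKey: serverKey, objects: map[string][]byte{}}
}

func (s *ObjectStore) Put(name string, data []byte) error {
	if s.serverKey != nil {
		sealed, err := seal(s.serverKey, data)
		if err != nil {
			return err
		}
		data = sealed
	}
	s.objects[name] = data
	return nil
}

// Get returns plaintext to any caller the store admits, so with server-side
// encryption the object's access policy is still what keeps the data private.
func (s *ObjectStore) Get(name string) ([]byte, error) {
	data, ok := s.objects[name]
	if !ok {
		return nil, errors.New("no such object")
	}
	if s.serverKey != nil {
		return open(s.serverKey, data)
	}
	return data, nil
}

func newKey() []byte {
	k := make([]byte, 32) // AES-256; in practice keys come from a KMS, not from the process
	rand.Read(k)
	return k
}

func main() {
	secret := []byte("constructed sample: customer 4711 card on file")
	clientKey, store := newKey(), NewObjectStore(nil) // client-side: seal before upload
	sealed, _ := seal(clientKey, secret)
	_ = store.Put("rec", sealed)
	fetched, _ := store.Get("rec")
	back, err := open(clientKey, fetched)
	fmt.Println("client-side: plaintext on disk?", bytes.Contains(store.objects["rec"], secret), "round trip ok?", bytes.Equal(back, secret), err)
	sse := NewObjectStore(newKey()) // server-side: the store seals and opens with its own key
	_ = sse.Put("rec", secret)
	back, err = sse.Get("rec")
	fmt.Println("server-side: plaintext on disk?", bytes.Contains(sse.objects["rec"], secret), "Get returns plaintext?", bytes.Equal(back, secret), err)
}
```

In both models nothing readable reaches the disk, which is the property the page describes; the difference is who holds the key. Under client-side encryption the lost device in the earlier example yields only ciphertext to whoever finds it, and the store cannot read the object even if its own access control fails. Under server-side encryption the store can and does decrypt for every authorized request, so a misconfigured bucket policy hands out plaintext regardless of the encryption, which is why the two controls are used together.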
This section established the fundamental security principles for AWS cloud architectures, emphasizing the shared responsibility model, Well-Architected Framework security pillar, and the critical importance of implementing least privilege access controls with proper data encryption strategies.