Table of contents
- Day-2 Overview
- How Infra was secured in Traditional on-prem;
- How to ensure the security for cloud-deployed solutions;
- Shared Responsibility Model
- Cloud Service Model
- Why is it crucial for businesses that data stored in the cloud is compliance- and security-regulated
- How AWS supports keeping the cloud infra adhering to compliance and regulations
- Day 3 wrap-up
- Summary & Key points
- Up next on Day 4;
Hi folks! Welcome to Day 3 of 100 Days of AWS, where we cover the complete AWS cloud from beginner to professional. Today we expand our horizons by looking at how traditional infrastructure and AWS infrastructure are secured, how AWS and its customers practise the Shared Responsibility Model, and how AWS assures its customers by adhering to compliance and regulatory requirements for stored data. That is followed by a quick overview of the AWS compliance services that help businesses audit whether the infrastructure they deploy in the cloud adheres to the relevant standards. Let's get started!
Day-2 Overview
On Day 2, we discussed the key benefits of using the cloud, the different cloud economics models and which one to opt for depending on your or your organization's goals and workload, and finally the AWS Cloud design principles that ensure your solutions cater to business needs while also being reliable, scalable and cost-optimized. If you want to dive deep into this topic or revise it, feel free to click here.
How Infra was secured in Traditional on-prem;
Consider that you have built a solution and deployed it in your in-house on-prem data center, and it is running successfully. To keep that data center secure you need to allow only authorized people in, so that compute resources are not damaged or misused; secure the network connectivity and the network within the data center, so that you protect it from intrusions and web exploits; secure the servers and the OS running on them; and secure the deployed applications against bugs. In summary, when you deploy your idea in an on-prem data center you have to handle end-to-end security yourself, which is often painful, time-consuming and resource-burning.
How to ensure the security for cloud-deployed solutions;
With all that complexity, what happens if someone leaves the job or the security staff become lethargic and security is compromised? The show goes off. When you deploy in the cloud, by contrast, you have no direct access to the physical resources, because they sit in AWS-managed data centers scattered across the world in different regions. Security therefore becomes a shared responsibility: you maintain certain portions of your IT security and AWS handles the rest, depending on the service model. With that, you can reduce your infrastructure security concerns anywhere from half to null. By doing this we also convert our security measures from a capital expense to a variable expense: once you are done with a resource, AWS takes it back and you are no longer charged for it.
Though it may sound like the whole security responsibility is offloaded, it comes at a price: your IT becomes less customizable the more responsibility you offload.
Shared Responsibility Model
As discussed above, security and compliance for solutions deployed in the AWS cloud are maintained using the Shared Responsibility Model, meaning that some security measures are managed by AWS and the rest by the customer. Depending on how much AWS manages, both the cost and the amount of customizable control change. For example, if you want to offload all security measures to AWS so that all you manage is customer data and client-side data encryption, your service cost will also increase drastically.
Depending on the level of services managed by AWS, the services are classified into three models:
Infrastructure as a Service - IaaS
Platform as a Service - PaaS
Software as a Service - SaaS
Cloud Service Model
Infrastructure as a Service - IaaS
IaaS provides the fundamental building blocks of IT, including virtual machines, storage, networking and other components, allowing organizations to rent IT resources rather than owning and maintaining physical hardware.
In this service model, AWS manages only the physical hardware, the hypervisor and virtualization, network management, security of the infrastructure, monitoring and patch management of the underlying physical hardware, hardware maintenance and reliability, and scaling and elasticity.
The customer (cloud user) manages OS management, applications and software, data, security configuration, backup and recovery, and monitoring and logging.
Example
- Amazon EC2, where you have full control, runs on those services, so the customer (cloud user) has to handle all of the OS and application management, security and patch updates. You also need to attach an Auto Scaling group to get automatic scalability and CloudWatch to monitor the performance of the EC2 instances so that you can make data-driven decisions.
Advantages of IaaS;
Cost-effective, you pay only for what you use, and prices are lower compared to the other service models.
Scalable, easily scaled up or down based on changing demand.
Flexible, highly flexible hardware and OS configuration, which means more control over the resources.
No hardware management, the cloud provider takes care of the infrastructure hardware, preventing degraded performance.
Disadvantages of IaaS;
Security, users need to manage the application's security, data, and access management; mismanagement of security can lead to vulnerabilities.
Complexity, requires more management and expertise compared to PaaS and SaaS.
Dependency on the provider, issues with the provider or unmet expectations can affect operations.
Potential for cost unpredictability, costs can rise if resources are improperly managed.
Platform as a Service - PaaS
PaaS offers a higher level of abstraction by providing a platform with tools, libraries and runtime environments for developers. It simplifies the process of building, deploying, and managing applications.
In this service model, AWS manages more than in IaaS: everything managed under IaaS, plus OS management, runtime environments, platform security, middleware such as web servers, database management systems and message queues, scaling and availability, security, developer tools, and monitoring and maintenance.
The customer manages application development, application configuration, and data management.
Example;
AWS Elastic Beanstalk is one of the many PaaS offerings in AWS: an easy-to-use service for deploying and scaling web applications and services. All the customer (cloud user) has to do is upload their code with efficient data management logic, and Elastic Beanstalk (the cloud provider side) handles all of the infrastructure, load balancing and scaling automatically.
Advantages of PaaS;
Simplified development, PaaS provides tools and frameworks that simplify application development.
Faster time to market, developers can focus more on coding and the application logic, reducing the time spent on infrastructure management.
Automatic scaling, PaaS performs automatic scale-in and scale-out without any manual intervention.
Less management overhead, the provider manages most of the IT infrastructure, reducing the need for in-house IT expertise.
Disadvantages of PaaS;
Limited flexibility, the platform can limit control over specific resources or configurations.
Vendor lock-in, moving an application to another vendor may require significant effort due to platform-specific dependencies.
Increased cost.
Compatibility issues, some platforms may not support certain programming languages and tools, limiting development choices.
Software as a Service - SaaS
SaaS delivers a fully functional, ready-to-use application over the Internet. Users access these services via a web browser without worrying about infrastructure, maintenance, or updates.
In this service model, AWS manages the majority of the stack, from the physical hardware up to server-side encryption. The customer is only responsible for client-side data encryption and the customer data itself.
Example;
Amazon Chime is a communication service that lets users meet, chat, and collaborate in real time. It provides video conferencing, voice calls, screen sharing, and messaging designed for business teams and organizations.
With this service, the user has no idea how it is handled under the hood or how the service is made fault-tolerant, highly available, reliable, secure and scalable. As discussed, all of this is taken care of by the cloud provider (AWS). The customer (user or organization) is only responsible for data and access management, and for ensuring the data aligns with compliance and regulatory requirements where applicable.
Advantages of SaaS;
Ease of use, fully managed solutions that require no technical expertise for setup and maintenance.
Accessibility, applications are available anywhere, anytime, on any device with internet access.
Automatic updates, the provider handles software updates, patches, and feature enhancements.
Scalability, accommodates a growing user base without intervention.
Disadvantages of SaaS;
Limited customization, users have minimal control over application features or configurations.
Data security, sensitive data is stored with the service provider, posing a potential risk and raising security doubts.
Vendor lock-in, migrating to a different SaaS provider can be challenging due to data and integration dependencies.
Recurring costs, subscription fees can add up over time, especially for large-scale use.
Why is it crucial for businesses that data stored in the cloud is compliance- and security-regulated
To understand this, it is first necessary to know what compliance is. In general, compliance refers to the act of conforming or adhering to a set of rules, standards, regulations, and guidelines. Regulatory compliance means that organizations operating in specific industries must adhere to the rules and laws specific to that industry; such industries include banking, finance, health care, and the federal government.
Compliance and regulatory frameworks are sets of guidelines and best practices that organizations must follow to meet regulatory requirements.
AWS has customers from all around the world, from different business domains and government bodies. In order to keep their data stored in AWS data centers, AWS also needs to follow strict compliance and regulatory requirements, so compliance and regulation become a team effort, and AWS makes a good effort in having itself regularly tested and audited.
How AWS supports keeping the cloud infra adhering to compliance and regulations
AWS Artifact
In order to store its customers' sensitive data, AWS needs to be regularly audited, and AWS undergoes certification reviews and audits to meet regulatory requirements.
For easy customer access, all of these certifications and audit reports are stored in the AWS Artifact service.
Customers who need to audit can review and accept agreements in Artifact. They can also download the reports to their local machine and show them to the auditing authority.
Amazon Customer Compliance Center
The Amazon Customer Compliance Center is a central location to research cloud-related regulatory requirements and their impact on your industry.
Some of the Compliance Center features are,
Identify regulatory requirements.
Browse country-specific laws and requirements.
Discover how companies in various industries solved compliance and governance challenges.
AWS answers to key compliance questions.
Auditing and security checklists.
Reference architectures with best practices.
AWS Audit Manager
To audit your cloud-deployed resources by hand, you would have to log in and check that each resource adheres to the standard. If a company's cloud-deployed solutions are very complex, that process becomes very time-consuming and cumbersome.
So AWS came up with a service called Audit Manager, which continuously collects data to prepare for audits and helps ensure you comply with the required regulatory standards.
Audit Manager helps build audit-ready reports, which you can download during the auditing process to show to the authorities.
AWS Config
It tracks how a resource is configured and records its previous configuration states, so you can see how the configuration has changed over time.
Every time you make a change in your cloud environment, it gets logged in the AWS Config service. For example, when you attach a security group to your EC2 instance it is logged in the service, and when you later attach an EBS volume to the EC2 instance that is logged too.
So we get the bigger picture of how the AWS resources you created are evolving.
Because AWS Config keeps track of the historical configuration of resources, it is great for auditing and compliance.
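As an added example (not code from this post or from AWS), here is how the configuration history that AWS Config keeps for a security group can be walked offline to see what changed between snapshots, and how a custom-rule style check flags the kind of customer-side misconfiguration that the IaaS section leaves in the customer's hands. The snapshots are constructed sample data shaped like AWS Config configuration items, and the resource id is a placeholder.

```python
# Constructed snapshots shaped like AWS Config configuration items (sample data, not real
# resources); the second snapshot shows the customer opening SSH to the whole Internet.
HISTORY = [
    {
        "configurationItemCaptureTime": "2024-03-01T10:00:00Z",
        "resourceType": "AWS::EC2::SecurityGroup",
        "resourceId": "sg-0example",
        "configuration": {"ipPermissions": [
            {"ipProtocol": "tcp", "fromPort": 443, "toPort": 443,
             "ipRanges": [{"cidrIp": "10.0.0.0/16"}]},
        ]},
    },
    {
        "configurationItemCaptureTime": "2024-03-02T09:30:00Z",
        "resourceType": "AWS::EC2::SecurityGroup",
        "resourceId": "sg-0example",
        "configuration": {"ipPermissions": [
            {"ipProtocol": "tcp", "fromPort": 443, "toPort": 443,
             "ipRanges": [{"cidrIp": "10.0.0.0/16"}]},
            {"ipProtocol": "tcp", "fromPort": 22, "toPort": 22,
             "ipRanges": [{"cidrIp": "0.0.0.0/0"}]},
        ]},
    },
]

def ingress_rules(item):
    """Flatten one snapshot's ingress permissions into (proto, from, to, cidr) tuples."""
    rules = set()
    for perm in item["configuration"]["ipPermissions"]:
        for rng in perm.get("ipRanges", []):
            rules.add((perm["ipProtocol"], perm["fromPort"], perm["toPort"], rng["cidrIp"]))
    return rules

def diff_history(history):
    """Walk snapshots in capture order; return (time, added, removed) for each change."""
    ordered = sorted(history, key=lambda i: i["configurationItemCaptureTime"])
    changes = []
    for prev, cur in zip(ordered, ordered[1:]):
        before, after = ingress_rules(prev), ingress_rules(cur)
        changes.append((cur["configurationItemCaptureTime"],
                        sorted(after - before), sorted(before - after)))
    return changes

def evaluate(item, port=22):
    """Custom-rule style check: NON_COMPLIANT if TCP `port` is reachable from 0.0.0.0/0."""
    for proto, lo, hi, cidr in ingress_rules(item):
        if cidr == "0.0.0.0/0" and proto == "tcp" and lo <= port <= hi:
            return "NON_COMPLIANT"
    return "COMPLIANT"
```

Running `diff_history(HISTORY)` shows the added world-open SSH rule and its capture time, which is exactly the change an auditor would want to see, while `evaluate(HISTORY[1])` reports it as NON_COMPLIANT.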
Day 3 wrap-up
In conclusion, securing IT infrastructure, whether on-premises or in the cloud, requires a strategic approach to ensure data protection and compliance with regulatory standards. Traditional on-premises setups demand comprehensive management and expertise, offering high control but at a significant resource cost. In contrast, cloud infrastructure leverages the Shared Responsibility Model, distributing security responsibilities between the customer and AWS, which can reduce the burden on businesses while maintaining robust security and fault tolerance. AWS provides various service models, each offering different levels of control and management.
Compliance and regulatory adherence are crucial for businesses, especially those handling sensitive data, and AWS supports a set of tools that help businesses ensure their cloud resources meet necessary compliance standards, making cloud adoption a viable and secure option for modern enterprises.
Summary & Key points
Securing traditional on-prem IT infrastructure requires end-to-end involvement, which demands more expertise and resources, but comes with the advantage of high control.
Cloud infrastructure is secured using the Shared Responsibility Model, where the customer and AWS itself share certain responsibilities for keeping the solution highly secure and fault-tolerant.
Depending on the level of responsibility shared, AWS offers three service models, namely IaaS, PaaS and SaaS.
Compliance and regulatory frameworks are sets of guidelines and best practices that organizations must follow.
Just as with the Shared Responsibility Model, ensuring the compliance and regulatory requirements of businesses' sensitive data also becomes a team effort.
AWS Artifact, the Amazon Customer Compliance Center, AWS Audit Manager, and AWS Config are services created by AWS to help with our compliance and regulatory audits for resources in the cloud.
Up next on Day 4;
- An overview of all the AWS services that fall under the category of Security, Identity, and Compliance.