Day 4 of 100 Days of AWS: Exploring AWS security, identity, and compliance services
Hi folks! Welcome to Day 4 of 100 Days of AWS, where we cover the complete AWS cloud from beginner to professional. Today we expand our horizons by exploring all the AWS services under the Security, Identity, and Compliance category, with a quick overview of each service so that its purpose is clear. Lastly, we decode a small e-commerce architecture: how it was designed and whether it satisfies the AWS cloud architecture design patterns. Let’s get started!
Day 3 Overview
On Day 3 we discussed at length how traditional IT infrastructure is kept secure, its advantages and pain points, how solutions deployed in the cloud are kept secure and their trade-offs, how the service models offered by AWS determine who manages which part of security, what compliance and regulatory policies are and why they matter, and the set of services AWS offers to keep our cloud resources compliant with those standards.
Purpose of AWS Security, Identity, and Compliance Services
The Security, Identity, and Compliance services in AWS are critical for maintaining business continuity, securing the cloud environment so that it is robust and resilient to attacks, protecting sensitive data, and ensuring regulatory compliance. With that in mind, it becomes one of the top priorities for solution architects to build solutions in which security, identity, and compliance are all at their strongest. So what does each of them mean?
Security,
Security in AWS refers to protecting your Data, Application, and Infrastructure from threats and vulnerabilities. AWS offers various services and tools to help you secure your environment, ensuring your resources are safe from unauthorized access, attacks, and Data breaches.
Core Concepts,
Encryption
Network Security
Threat Detection & Prevention
Security Monitoring
Incident Response & Automation
Identity,
Identity refers to the management of users, devices, and services that need to access AWS resources. Effective identity management ensures that only authorized users or systems can access specific resources with a proper level of privileges.
Core Concepts,
Identity and Access Management
Authentication & Authorization
Federation and Identity providers
AWS Organizations & Service Control Policy
Auditing & Logging of Identity activities
Compliance,
Compliance in AWS refers to adhering to global regulatory and industry standards regarding Data Protection, Privacy, and Security.
Core Concepts,
Regulatory Requirements
Auditing & Reporting
Automation for Compliance
Data Sovereignty
Why they are important,
These pillars help ensure a strong, trustworthy, and resilient cloud infrastructure. By combining all three we gain the following advantages:
Holistic Risk Management,
Security, identity, and compliance go hand in hand to minimize risk. Security ensures your cloud environment is protected, identity ensures proper access control to that environment, and compliance ensures you are legally and ethically in the clear. Without all three, your environment is exposed to multiple kinds of attack.
Protecting your Reputation,
A single security breach or failure to comply with regulations can significantly damage your organization’s reputation. Customers, partners, and stakeholders expect their data to be safe and expect you to comply with applicable laws. Any lapse can lead to a loss of trust and of business.
Operational Integrity,
Proper identity management limits the risk of unauthorized changes to your environment, security measures ensure that your systems are resilient to attacks, and compliance ensures that you are meeting industry standards. Together, these keep your systems running smoothly and securely.
Cloud scalability and flexibility with confidence,
AWS provides the flexibility to scale your applications rapidly and innovate faster than ever before. However, this scalability must be backed by solid security, identity, and compliance measures to ensure that growth does not expose vulnerabilities or violate regulations.
Best practices,
Use the principle of least privilege (PoLP)
Always assign the minimum permissions necessary to perform a task. This limits the scope of actions that users and applications can perform.
Enable multi-factor authentication
Enable MFA for all AWS accounts, especially the root user and privileged IAM users, to add an additional layer of security.
Regularly rotate credentials
Regularly rotate IAM user credentials, including access keys and passwords, to reduce the risk of exposure.
Use IAM roles instead of long-term credentials
For applications, services, or EC2 instances that need access to AWS resources, use IAM roles, which provide temporary credentials, rather than embedding long-term access keys in code.
Implement security monitoring
Continuously monitor and log activity so that suspicious or unauthorized actions can be detected.
Encrypt data
Encrypt data both in transit (between the client and the server) and at rest (on the server side).
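Least privilege and MFA are easiest to enforce when policies are checked mechanically before they are attached. The following is an added example, not code from the original post, of a small linter for IAM policy documents: it flags wildcard actions, wildcard resources, and a few privileged IAM actions granted without an `aws:MultiFactorAuthPresent` condition. The sample policies are constructed for the example, the account id is the AWS documentation placeholder, and the list of "privileged" actions is an assumption you would tailor to your own environment.

```python
import json
from typing import Any, Dict, List

# Constructed sample policies (not from any real account); 123456789012 is the
# placeholder account id used in AWS documentation.
OVERLY_BROAD_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow", "Action": "*", "Resource": "*"},
        {"Effect": "Allow", "Action": "s3:GetObject", "Resource": "arn:aws:s3:::app-bucket/*"},
    ],
})

SCOPED_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow",
         "Action": ["s3:GetObject", "s3:PutObject"],
         "Resource": "arn:aws:s3:::app-bucket/uploads/*"},
        {"Effect": "Allow",
         "Action": "iam:DeleteUser",
         "Resource": "arn:aws:iam::123456789012:user/*",
         "Condition": {"Bool": {"aws:MultiFactorAuthPresent": "true"}}},
    ],
})

# A single statement object (not a list) is also valid policy syntax.
NO_MFA_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": {"Effect": "Allow", "Action": "iam:CreateAccessKey", "Resource": "*"},
})

# Assumed list of actions that should only be allowed with an MFA condition.
PRIVILEGED_ACTIONS = {
    "iam:CreateAccessKey", "iam:DeleteUser", "iam:AttachUserPolicy", "iam:PutUserPolicy",
}


def _as_list(value: Any) -> List[Any]:
    """IAM lets Statement, Action and Resource be a single value or a list."""
    return value if isinstance(value, list) else [value]


def lint_policy(document: str) -> List[Dict[str, Any]]:
    """Return findings for a policy JSON string; an empty list means no issues."""
    policy = json.loads(document)
    findings: List[Dict[str, Any]] = []
    for index, stmt in enumerate(_as_list(policy.get("Statement", []))):
        if stmt.get("Effect") != "Allow":
            continue  # Deny statements only narrow access
        actions = _as_list(stmt.get("Action", []))
        resources = _as_list(stmt.get("Resource", []))
        condition = stmt.get("Condition", {})
        mfa_required = condition.get("Bool", {}).get("aws:MultiFactorAuthPresent") == "true"

        for action in actions:
            if action == "*" or action.endswith(":*"):
                findings.append({"statement": index, "severity": "HIGH",
                                 "issue": f"wildcard action {action}"})
        for resource in resources:
            if resource == "*":
                findings.append({"statement": index, "severity": "MEDIUM",
                                 "issue": "wildcard resource *"})
        for action in actions:
            if action in PRIVILEGED_ACTIONS and not mfa_required:
                findings.append({"statement": index, "severity": "HIGH",
                                 "issue": f"{action} allowed without an MFA condition"})
    return findings


if __name__ == "__main__":
    for name, doc in [("broad", OVERLY_BROAD_POLICY), ("scoped", SCOPED_POLICY), ("no-mfa", NO_MFA_POLICY)]:
        print(name, lint_policy(doc))
```

Run it over the policies in your repository before they are attached to any identity; the scoped policy produces no findings, while the broad and MFA-less ones do.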
Classification of Services,
AWS Security, Identity, and Compliance services are classified into three categories:
Preventive Services,
Deductive Services,
Management Services,
Preventive Services,
The main objective of preventive services is to stop security issues, misconfigurations, or other risks before they occur.
AWS Web Application Firewall,
AWS WAF is a web application firewall that lets you monitor the HTTP and HTTPS requests forwarded to your protected web application resources.
It lets you control access to your content: based on conditions you define, your protected resource responds to a request either with the requested content, with an HTTP 403 (Forbidden) status code, or with a custom response.
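To make the allow / 403 / custom-response behaviour concrete, here is an added example (not code from the original post or from AWS) that models a web ACL as an ordered list of rules with ALLOW, BLOCK and COUNT actions, including a custom response and a simplified rate-based rule. The request shape, rule names, IP addresses (from the TEST-NET documentation ranges) and limits are all constructed for the example.

```python
from collections import defaultdict, deque
from dataclasses import dataclass
from typing import Callable, Deque, Dict, List, Tuple


@dataclass
class Request:
    client_ip: str
    path: str
    body: str = ""
    timestamp: float = 0.0  # seconds; constructed clock for the example


@dataclass
class Rule:
    name: str
    priority: int                        # lower number is evaluated first, as in a web ACL
    matches: Callable[[Request], bool]
    action: str                          # "ALLOW", "BLOCK" or "COUNT"
    response_code: int = 403             # used only for BLOCK
    response_body: str = "Forbidden"


class RateLimiter:
    """Per-client-IP sliding window: a simplified model of a rate-based rule."""

    def __init__(self, limit: int, window_seconds: float) -> None:
        self.limit, self.window = limit, window_seconds
        self.hits: Dict[str, Deque[float]] = defaultdict(deque)

    def over_limit(self, req: Request) -> bool:
        window = self.hits[req.client_ip]
        window.append(req.timestamp)
        while window and req.timestamp - window[0] > self.window:
            window.popleft()  # drop hits older than the window
        return len(window) > self.limit


def build_rules(limiter: RateLimiter) -> List[Rule]:
    blocked_ips = {"192.0.2.44"}  # constructed IP set
    return [
        Rule("ip-blocklist", 0, lambda r: r.client_ip in blocked_ips, "BLOCK"),
        Rule("allow-health-check", 5, lambda r: r.path == "/healthz", "ALLOW"),
        Rule("body-size-limit", 10, lambda r: len(r.body) > 8192, "BLOCK", 413, "Payload Too Large"),
        Rule("hide-internal-paths", 20, lambda r: r.path.startswith("/internal/"), "BLOCK", 404, "Not Found"),
        Rule("rate-limit", 30, limiter.over_limit, "BLOCK", 429, "Too Many Requests"),
        Rule("log-legacy-api", 40, lambda r: r.path.startswith("/v1/"), "COUNT"),
    ]


def evaluate(rules: List[Rule], req: Request) -> Tuple[str, int, str, List[str]]:
    """Return (decision, status code, response body, names of COUNT rules that matched)."""
    counted: List[str] = []
    for rule in sorted(rules, key=lambda r: r.priority):
        if not rule.matches(req):
            continue
        if rule.action == "COUNT":
            counted.append(rule.name)   # record the match, keep evaluating
            continue
        if rule.action == "ALLOW":
            return "ALLOW", 200, "", counted
        return "BLOCK", rule.response_code, rule.response_body, counted
    return "ALLOW", 200, "", counted    # web ACL default action


if __name__ == "__main__":
    rules = build_rules(RateLimiter(limit=5, window_seconds=60.0))
    for req in (Request("192.0.2.44", "/"), Request("203.0.113.7", "/internal/metrics"),
                Request("203.0.113.7", "/v1/items")):
        print(req.path, evaluate(rules, req))
```

The ordering matters: the health-check ALLOW sits ahead of the size and rate rules so monitoring is never throttled, and the COUNT rule is the usual way to trial a new rule before switching it to BLOCK.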
AWS Shield,
It protects cloud-deployed resources by monitoring traffic, taking action on it, and detecting and mitigating sophisticated DDoS (Distributed Denial of Service) attacks.
When you build your application on AWS, you receive automatic protection by AWS against common volumetric DDoS attack vectors, like UDP reflection attacks and TCP SYN floods. You can leverage these protections to ensure the availability of the applications that you run on AWS by designing and configuring your architecture for DDoS resiliency.
AWS Network Firewall,
AWS Network Firewall is a stateful, managed, network firewall and intrusion detection and prevention service for your virtual private cloud (VPC) that you create in Amazon Virtual Private Cloud (Amazon VPC).
With Network Firewall, you can filter traffic at the perimeter of your VPC. This includes filtering traffic going to and coming from an internet gateway, NAT gateway, or over VPN or AWS Direct Connect.
Deductive Services,
The main objective of deductive services is to deduce or identify security, operational, or performance issues that might not be immediately obvious.
Amazon Inspector,
Inspector scans workloads running on AWS for vulnerabilities and undesired network exposure.
It automatically discovers new resources, and when vulnerabilities are found it produces a report with the findings.
Whenever a change is made that could introduce vulnerabilities, such as installing a new package or a patch, or when a new CVE is published, it automatically re-runs the scan.
Amazon GuardDuty,
GuardDuty is a continuous security monitoring service that helps identify unexpected and potentially unauthorized or malicious activity in your AWS environment.
Amazon Detective,
Detective ingests data from VPC Flow Logs, CloudTrail logs, and GuardDuty findings.
It uses machine learning and statistical analysis to create advanced visualizations that show resource behaviour and interactions over time.
AWS Security Hub,
With Security Hub, you can automate security checks and view security alerts in a central location instead of visiting each service separately.
It also validates the resources in your cloud environment against AWS security best practices.
AWS Config,
AWS Config provides a detailed view of the resources associated with your AWS account, including how they are configured, how they are related to one another, and how the configurations and their relationships have changed over time.
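The "is this resource configured the way policy says it should be" check that Config and Security Hub automate can be illustrated offline. The block below is an added example, not code from the post or from AWS: it evaluates constructed configuration items (a simplified shape loosely modelled on Config's records) against a few checks and reports each as COMPLIANT or NON_COMPLIANT. The rule names are chosen to resemble AWS Config managed rules, but the checks themselves are simplified assumptions, not the managed rules' logic.

```python
from typing import Any, Callable, Dict, List, Tuple

# Constructed configuration items (simplified; not real Config output).
CONFIG_ITEMS: List[Dict[str, Any]] = [
    {"resourceType": "AWS::S3::Bucket", "resourceId": "app-logs",
     "configuration": {"serverSideEncryption": True, "publicAccessBlock": True}},
    {"resourceType": "AWS::S3::Bucket", "resourceId": "marketing-assets",
     "configuration": {"serverSideEncryption": False, "publicAccessBlock": False}},
    {"resourceType": "AWS::EC2::SecurityGroup", "resourceId": "sg-web",
     "configuration": {"ingress": [{"port": 443, "cidr": "0.0.0.0/0"}]}},
    {"resourceType": "AWS::EC2::SecurityGroup", "resourceId": "sg-bastion",
     "configuration": {"ingress": [{"port": 22, "cidr": "0.0.0.0/0"}]}},
]

Check = Callable[[Dict[str, Any]], bool]  # returns True when the item is compliant


def s3_encrypted(item: Dict[str, Any]) -> bool:
    return item["configuration"].get("serverSideEncryption") is True


def s3_public_access_blocked(item: Dict[str, Any]) -> bool:
    return item["configuration"].get("publicAccessBlock") is True


def ssh_not_open_to_internet(item: Dict[str, Any]) -> bool:
    # Flag any ingress rule that exposes port 22 to the whole internet.
    return not any(rule["port"] == 22 and rule["cidr"] == "0.0.0.0/0"
                   for rule in item["configuration"].get("ingress", []))


# Checks keyed by resource type; names resemble Config managed rules (assumption).
RULES: Dict[str, Dict[str, Check]] = {
    "AWS::S3::Bucket": {
        "s3-bucket-server-side-encryption-enabled": s3_encrypted,
        "s3-bucket-public-read-prohibited": s3_public_access_blocked,
    },
    "AWS::EC2::SecurityGroup": {
        "restricted-ssh": ssh_not_open_to_internet,
    },
}


def evaluate(items: List[Dict[str, Any]]) -> List[Dict[str, str]]:
    """Run every applicable check on every item and return one result per pair."""
    results = []
    for item in items:
        for rule_name, check in RULES.get(item["resourceType"], {}).items():
            results.append({
                "resource": item["resourceId"],
                "rule": rule_name,
                "compliance": "COMPLIANT" if check(item) else "NON_COMPLIANT",
            })
    return results


def non_compliant(items: List[Dict[str, Any]]) -> List[Tuple[str, str]]:
    """Sorted (resource, rule) pairs that failed, i.e. what a dashboard would surface."""
    return sorted((r["resource"], r["rule"]) for r in evaluate(items)
                  if r["compliance"] == "NON_COMPLIANT")


if __name__ == "__main__":
    for resource, rule in non_compliant(CONFIG_ITEMS):
        print(f"NON_COMPLIANT {resource}: {rule}")
```

Only the unencrypted, publicly readable bucket and the bastion group with SSH open to the world are reported; the compliant items are evaluated but produce no alert.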
AWS CloudTrail,
With AWS CloudTrail, you can monitor your AWS deployments in the cloud by getting a history of AWS API calls for your account, including API calls made by using the AWS Management Console, the AWS SDKs, the command line tools, and higher-level AWS services.
You can also identify which users and accounts called AWS APIs for services that support CloudTrail, the source IP address from which the calls were made, and when the calls occurred. You can integrate CloudTrail into applications using the API, automate trail creation for your organization, check the status of your trails, and control how administrators turn CloudTrail logging on and off.
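Because CloudTrail records who called which API, from where, and whether MFA was used, it is the raw material for the kind of detection GuardDuty performs. The following is an added example, not code from the original post: a handful of constructed CloudTrail-style records (a subset of the real fields) run through a few detection rules for root activity, console sign-in without MFA, tampering with CloudTrail logging, access-key creation, and calls from outside an assumed trusted network range. The records, the trusted range and the rule set are all assumptions for the example.

```python
import ipaddress
from typing import Any, Dict, List

# Constructed CloudTrail-style records (subset of fields; not from a real account).
SAMPLE_RECORDS: List[Dict[str, Any]] = [
    {"eventName": "ConsoleLogin", "eventSource": "signin.amazonaws.com",
     "userIdentity": {"type": "Root", "arn": "arn:aws:iam::123456789012:root"},
     "sourceIPAddress": "198.51.100.23",
     "additionalEventData": {"MFAUsed": "No"},
     "responseElements": {"ConsoleLogin": "Success"}},
    {"eventName": "StopLogging", "eventSource": "cloudtrail.amazonaws.com",
     "userIdentity": {"type": "IAMUser", "arn": "arn:aws:iam::123456789012:user/alice"},
     "sourceIPAddress": "203.0.113.10"},
    {"eventName": "GetObject", "eventSource": "s3.amazonaws.com",
     "userIdentity": {"type": "IAMUser", "arn": "arn:aws:iam::123456789012:user/bob"},
     "sourceIPAddress": "203.0.113.11"},
    {"eventName": "CreateAccessKey", "eventSource": "iam.amazonaws.com",
     "userIdentity": {"type": "AssumedRole",
                      "arn": "arn:aws:sts::123456789012:assumed-role/deploy/ci"},
     "sourceIPAddress": "203.0.113.12"},
]

# Assumed corporate egress range; calls from elsewhere deserve a look.
TRUSTED_NETWORKS = [ipaddress.ip_network("203.0.113.0/24")]
# CloudTrail API calls that reduce or stop audit logging.
LOGGING_TAMPER_EVENTS = {"StopLogging", "DeleteTrail", "UpdateTrail", "PutEventSelectors"}


def _from_trusted_network(source: str) -> bool:
    try:
        addr = ipaddress.ip_address(source)
    except ValueError:
        return True  # AWS service principals put a DNS name here, not a client IP
    return any(addr in net for net in TRUSTED_NETWORKS)


def detect(records: List[Dict[str, Any]]) -> List[Dict[str, str]]:
    """Return one finding per (record, matched rule)."""
    findings: List[Dict[str, str]] = []
    for rec in records:
        actor = rec.get("userIdentity", {})
        name = rec.get("eventName", "")
        source = rec.get("eventSource", "")
        hits: List[str] = []

        if actor.get("type") == "Root":
            hits.append("root_account_activity")
        if (name == "ConsoleLogin"
                and rec.get("responseElements", {}).get("ConsoleLogin") == "Success"
                and rec.get("additionalEventData", {}).get("MFAUsed") != "Yes"):
            hits.append("console_login_without_mfa")
        if source == "cloudtrail.amazonaws.com" and name in LOGGING_TAMPER_EVENTS:
            hits.append("cloudtrail_logging_tampered")
        if source == "iam.amazonaws.com" and name == "CreateAccessKey":
            hits.append("access_key_created")
        if not _from_trusted_network(rec.get("sourceIPAddress", "")):
            hits.append("untrusted_source_ip")

        for rule in hits:
            findings.append({"rule": rule, "event": name, "actor": actor.get("arn", "unknown")})
    return findings


if __name__ == "__main__":
    for finding in detect(SAMPLE_RECORDS):
        print(f"{finding['rule']:28} {finding['event']:15} {finding['actor']}")
```

The root sign-in record alone triggers three rules (root activity, no MFA, unexpected source network), which is the point of layering checks: one weak signal is noise, several on the same event is an incident. Bob's ordinary S3 read produces nothing.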
Amazon Security Lake,
Security Lake aggregates log files from on-premises, AWS, and third-party sources, converts them into the storage- and query-efficient Parquet format, and transforms them into the Open Cybersecurity Schema Framework (OCSF).
A set of subscribers then consume the data from the security lake and perform whatever actions they need.
Amazon Macie,
Macie uses pattern matching and machine learning to automatically discover sensitive data.
It generates an inventory report of your S3 buckets, scans objects for sensitive data, and notifies you of all findings.
Management Services,
The Main objective of Management Services is to manage, govern, and orchestrate resources, accounts, and policies at scale and provide Centralized control, monitoring, and optimization of AWS environments and accounts.
AWS Firewall Manager,
Managing firewall rules separately for every firewall that shares the same rules across different accounts becomes cumbersome over time: a modification made to one firewall is easily forgotten when the others need the same update.
Firewall Manager becomes the central place to manage firewall and security rules and policies.
AWS Resource Access Manager,
Resource Access Manager helps you share resources across accounts, organizations, and organizational units.
Say you created a subnet in account 1; with Resource Access Manager you can grant all the other accounts access to that resource in account 1.
Once that is done, you can easily create, delete, or perform any of the permitted actions on the subnet from any of the access-granted accounts.
Some resource types can also be shared with individual IAM users and roles.
Amazon Cognito,
Amazon Cognito is an identity platform for web and mobile apps. It’s a user directory, an authentication server, and an authorization service for OAuth 2.0 access tokens and AWS credentials.
With Amazon Cognito, you can authenticate and authorize users from the built-in user directory, from your enterprise directory, and from consumer identity providers like Google and Facebook.
Cognito manages all of the user credentials.
AWS Identity & Access Management,
IAM manages access to AWS resources.
IAM handles not only who is authenticated but also what they are authorized to do. A brief overview of IAM and its entities, such as users, groups, roles, and policies, will be covered in an upcoming blog.
AWS IAM Identity Center,
Say you are creating and handling IAM entities across different accounts, and a user in account 1 needs to be authenticated and authorized to do certain tasks in account 2. Managing users across the cloud environment quickly becomes cumbersome.
With IAM Identity Center you can easily manage those identities from a central location.
AWS Secrets Manager,
AWS Secrets Manager helps you to securely encrypt, store, and retrieve credentials for your databases and other services.
Instead of hardcoding credentials in your apps, you can make calls to Secrets Manager to retrieve your credentials whenever needed. Secrets Manager helps you protect access to your IT resources and data by enabling you to rotate and manage access to your secrets.
AWS Certificate Manager,
AWS Certificate Manager allows you to create, store, and renew the public and private certificates that can be used to protect AWS websites and services.
You can use it to encrypt the data sent to AWS Elastic Load Balancing, CloudFront, and API Gateway, and to protect against man-in-the-middle attacks.
AWS Private Certificate Authority,
If you don’t want the hassle of setting up, configuring, and maintaining a certificate authority, you can use this service, which acts as a certificate authority and signs certificates, so that data can be passed in encrypted form between on-premises, AWS, and third-party services.
Note that this service only signs private certificates. For a public certificate, a client presented with a certificate from a private CA has to manually click the proceed button in its browser warning.
AWS Private Certificate Authority (AWS Private CA ) is a hosted private certificate authority service to issue and revoke digital certificates deployed in your organization's private PKI, including on AWS-managed resources and in the Internet of Things.
AWS Key Management Service,
AWS Key Management Service (AWS KMS) is an encryption and key management service scaled for the cloud.
AWS KMS keys and functionality are used by other AWS services, and you can use them to protect data in your applications that use AWS.
AWS CloudHSM,
Say you encrypt your data with an encryption technique so that only someone holding the private key can read it. You then have to keep that key in every place where the data needs to be read.
Managing those encryption keys becomes very difficult, and there is a chance of the key getting into the wrong hands.
To avoid these problems, companies traditionally store their encryption keys in an HSM.
An HSM is a device in which all keys are stored securely and from which they never leave.
Data that needs to be encrypted or decrypted is sent to the HSM for the operation.
AWS CloudHSM offers secure cryptographic key storage for customers by providing managed hardware security modules in the AWS Cloud.
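The property that makes KMS and CloudHSM useful is that the master key never leaves the device: callers receive data keys and wrapped data keys, never the master key itself. The block below is an added example, not code from the original post or from AWS, that models that boundary in plain Python. The `HardwareSecurityModule` class stands in for the HSM, and envelope encryption is done the way KMS-style workflows do it: a fresh data key encrypts each record, and the HSM only ever wraps and unwraps data keys. Because the standard library has no AES, the cipher is a labelled toy construction (HMAC-SHA256 as a keystream generator with encrypt-then-MAC); treat it as a stand-in for an authenticated cipher such as AES-GCM, not as production crypto.

```python
import hashlib
import hmac
import secrets
from typing import Dict, Tuple

# --- Toy authenticated cipher (assumption: stands in for AES-GCM, which stdlib lacks) ---

def _prf(key: bytes, data: bytes) -> bytes:
    return hmac.new(key, data, hashlib.sha256).digest()


def _keystream(enc_key: bytes, nonce: bytes, length: int) -> bytes:
    blocks = (length // 32) + 1
    return b"".join(_prf(enc_key, nonce + i.to_bytes(4, "big")) for i in range(blocks))[:length]


def seal(key: bytes, plaintext: bytes) -> bytes:
    """Encrypt-then-MAC: returns nonce || ciphertext || tag."""
    enc_key, mac_key = _prf(key, b"enc"), _prf(key, b"mac")  # domain-separated subkeys
    nonce = secrets.token_bytes(16)
    ciphertext = bytes(p ^ s for p, s in zip(plaintext, _keystream(enc_key, nonce, len(plaintext))))
    tag = _prf(mac_key, nonce + ciphertext)
    return nonce + ciphertext + tag


def open_sealed(key: bytes, blob: bytes) -> bytes:
    """Verify the tag in constant time before decrypting; raise on any mismatch."""
    enc_key, mac_key = _prf(key, b"enc"), _prf(key, b"mac")
    if len(blob) < 48:
        raise ValueError("blob too short")
    nonce, ciphertext, tag = blob[:16], blob[16:-32], blob[-32:]
    if not hmac.compare_digest(tag, _prf(mac_key, nonce + ciphertext)):
        raise ValueError("authentication failed: wrong key or tampered data")
    return bytes(c ^ s for c, s in zip(ciphertext, _keystream(enc_key, nonce, len(ciphertext))))


# --- The HSM boundary: the master key is created inside and never returned ---

class HardwareSecurityModule:
    def __init__(self) -> None:
        self.__master_key = secrets.token_bytes(32)  # no method ever returns this

    def generate_data_key(self) -> Tuple[bytes, bytes]:
        """Return (plaintext data key, data key wrapped under the master key)."""
        data_key = secrets.token_bytes(32)
        return data_key, seal(self.__master_key, data_key)

    def decrypt_data_key(self, wrapped: bytes) -> bytes:
        return open_sealed(self.__master_key, wrapped)


# --- Envelope encryption on the application side ---

def encrypt_record(hsm: HardwareSecurityModule, plaintext: bytes) -> Dict[str, bytes]:
    data_key, wrapped = hsm.generate_data_key()
    record = {"wrapped_key": wrapped, "ciphertext": seal(data_key, plaintext)}
    del data_key  # the plaintext data key is only ever held briefly in memory
    return record


def decrypt_record(hsm: HardwareSecurityModule, record: Dict[str, bytes]) -> bytes:
    data_key = hsm.decrypt_data_key(record["wrapped_key"])  # HSM unwraps, never exports master
    return open_sealed(data_key, record["ciphertext"])


if __name__ == "__main__":
    hsm = HardwareSecurityModule()
    rec = encrypt_record(hsm, b"constructed customer record: alice@example.com")
    print(decrypt_record(hsm, rec))
```

Two consequences are worth testing: a record encrypted under one HSM cannot be opened by another (its wrapped key fails authentication), and any modification of the stored ciphertext is rejected before decryption rather than yielding garbage.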
E-commerce Architecture Design;
Day 4 wrap up;
On Day 4 of 100 Days of AWS, we covered the wide variety of AWS preventive, deductive, and management services available for enabling Security, Identity, and Compliance in your cloud environment, along with the importance of each domain and the best practices to follow for a robust, secure solution that is highly resilient to attacks.
Summary & Key points;
WAF protects applications from common attacks like SQL Injection and Cross-site scripting (XSS) Attacks.
Shield protects the applications and services from DDOS attacks.
Network Firewall monitors traffic entering and leaving a VPC.
Up next on Day 5;
How Organizations provide Access to their AWS Cloud for their employees and Applications.
How to write a custom IAM policy and attach it to IAM identities.
How to centrally manage IAM for all AWS accounts.
A Brief Overview of AWS Organizations.