AWS Security and Compliance
We live in a time when any enterprise application is like a castle that needs to be secured and protected. Security becomes even more crucial when the application is deployed on a cloud platform rather than in your own on-premises data center. In this chapter, we discuss at a high level how the AWS cloud platform handles security and compliance.
AWS Security
AWS cloud security is much like security in an on-premises data center: it matters just as much whether an organization runs its applications on-premises or in the cloud. Security is a core non-functional requirement of most enterprise systems. It deals with the accidental leakage, theft, integrity compromise, or deletion of valuable information assets.
How AWS Handles Security
Highly Secured Data Centers
To maintain the trust and confidence of its customers, AWS has implemented comprehensive security mechanisms and safeguards to keep customer data safe. All data is stored in highly secured AWS data centers.
AWS has built its data centers and network architecture to meet the requirements of the most security-sensitive organizations. This means organizations can meet their own security requirements at much lower operational cost. They also inherit the best practices of AWS policies, architecture, and operational processes, which are already built into the AWS core security infrastructure. In this way, AWS satisfies the demands of the most security-sensitive organizations.
Shared Security Model
AWS infrastructure is designed from a cloud architectural perspective, with security best practices in mind. AWS shares security responsibility with its customers: AWS takes care of the security of the underlying infrastructure, while organizations must take care of the security of the applications they deploy on it.
Layered Security
AWS uses a layered approach to security. It makes sure that the underlying systems are monitored for potential threats and protected around the clock. AWS environments are continuously audited, with certifications from accreditation bodies across geographies and industry verticals.
AWS Compliance
Another essential foundational concept to understand is how AWS approaches compliance. AWS helps organizations meet compliance requirements for applications deployed on its platform. Compliance requirements vary by country or region. When applications are deployed on AWS, organizations retain complete control and ownership of their applications in the chosen region and can build secure, governance-focused applications there, applying the compliance and audit features AWS provides.
Assurance Programs
The following is a partial list of assurance programs with which AWS complies. It complies with SOC 1, SOC 2, and SOC 3. It complies with the Federal Information Security Management Act (FISMA), the Department of Defense Information Assurance Certification and Accreditation Process (DIACAP), and the Federal Risk and Authorization Management Program (FedRAMP). It also complies with the Payment Card Industry Data Security Standard (PCI DSS) Level 1. Finally, it complies with various ISO standards such as ISO 9001 and ISO 27001.
Benefits of AWS Security, Identity and Compliance Related Services
Data Protection
The AWS infrastructure provides strong safeguards to help protect your privacy. All data is stored in highly secure AWS data centers. AWS also provides services that help protect your data, accounts, and workloads from unauthorized access: data protection services that provide encryption and key management, and threat detection services that continuously monitor your accounts and workloads. The following services help with data protection:

| AWS Service | Use Cases |
|---|---|
| Amazon Macie | Discover and protect your sensitive data at scale |
| AWS Key Management Service (KMS) | Key storage and management |
| AWS CloudHSM | Hardware-based key storage for regulatory compliance |
| AWS Certificate Manager | Provision, manage, and deploy public and private SSL/TLS certificates |
| AWS Secrets Manager | Rotate, manage, and retrieve secrets |
Threat detection & continuous monitoring
AWS continuously monitors network activity and account behavior for any abnormality within your cloud environment and identifies threats. The following services help with threat detection and continuous monitoring:

| AWS Service | Use Cases |
|---|---|
| AWS Security Hub | Automate AWS security checks and centralize security alerts |
| Amazon GuardDuty | Protect AWS accounts with intelligent threat detection |
| Amazon Inspector | Automate vulnerability management |
| AWS Config | Record and evaluate configurations of your AWS resources |
| AWS CloudTrail | Track user activity and API usage |
| AWS IoT Device Defender | Security management for IoT devices |
| Amazon Detective | Investigate potential security issues |
| AWS Elastic Disaster Recovery | Scalable, cost-effective application recovery to AWS |
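CloudTrail is the raw material for the "account behavior" monitoring described above: every API call and console login lands in a JSON record. The following added example (not code from AWS or from the original chapter) runs a few defender-side rules over constructed CloudTrail-style records: root-user activity, a console login without MFA, a change that weakens the trail itself, and a burst of AccessDenied errors from one principal. The record field names follow the CloudTrail event format; the account id, user names, IP addresses and the threshold are invented for the demo.

```python
import json
from collections import Counter

# Constructed CloudTrail-style records for this demo (not real AWS data).
# Field names follow the CloudTrail event record format; values are invented.
SAMPLE_EVENTS = [
    {"eventTime": "2024-01-15T08:00:00Z", "eventSource": "signin.amazonaws.com",
     "eventName": "ConsoleLogin", "sourceIPAddress": "203.0.113.10",
     "userIdentity": {"type": "Root", "arn": "arn:aws:iam::111122223333:root"},
     "responseElements": {"ConsoleLogin": "Success"},
     "additionalEventData": {"MFAUsed": "Yes"}},
    {"eventTime": "2024-01-15T08:05:00Z", "eventSource": "signin.amazonaws.com",
     "eventName": "ConsoleLogin", "sourceIPAddress": "203.0.113.11",
     "userIdentity": {"type": "IAMUser", "arn": "arn:aws:iam::111122223333:user/alice"},
     "responseElements": {"ConsoleLogin": "Success"},
     "additionalEventData": {"MFAUsed": "No"}},
    {"eventTime": "2024-01-15T08:10:00Z", "eventSource": "cloudtrail.amazonaws.com",
     "eventName": "StopLogging", "sourceIPAddress": "198.51.100.7",
     "userIdentity": {"type": "IAMUser", "arn": "arn:aws:iam::111122223333:user/bob"}},
    {"eventTime": "2024-01-15T08:11:00Z", "eventSource": "s3.amazonaws.com",
     "eventName": "ListBuckets", "sourceIPAddress": "198.51.100.7",
     "userIdentity": {"type": "IAMUser", "arn": "arn:aws:iam::111122223333:user/bob"},
     "errorCode": "AccessDenied"},
    {"eventTime": "2024-01-15T08:11:30Z", "eventSource": "iam.amazonaws.com",
     "eventName": "ListUsers", "sourceIPAddress": "198.51.100.7",
     "userIdentity": {"type": "IAMUser", "arn": "arn:aws:iam::111122223333:user/bob"},
     "errorCode": "AccessDenied"},
    {"eventTime": "2024-01-15T08:12:00Z", "eventSource": "ec2.amazonaws.com",
     "eventName": "DescribeInstances", "sourceIPAddress": "198.51.100.7",
     "userIdentity": {"type": "IAMUser", "arn": "arn:aws:iam::111122223333:user/bob"},
     "errorCode": "AccessDenied"},
    {"eventTime": "2024-01-15T08:20:00Z", "eventSource": "ec2.amazonaws.com",
     "eventName": "DescribeInstances", "sourceIPAddress": "203.0.113.11",
     "userIdentity": {"type": "IAMUser", "arn": "arn:aws:iam::111122223333:user/alice"}},
]

# CloudTrail API calls that stop or weaken the audit trail itself.
TRAIL_TAMPERING = {"StopLogging", "DeleteTrail", "UpdateTrail", "PutEventSelectors"}
ACCESS_DENIED_THRESHOLD = 3  # constructed tuning value for this demo


def detect(events):
    """Return a list of findings, one dict per triggered rule."""
    findings = []
    denied_by_principal = Counter()
    for e in events:
        ident = e.get("userIdentity", {})
        principal = ident.get("arn", "<unknown>")
        name = e.get("eventName")

        def finding(rule, detail):
            findings.append({"rule": rule, "principal": principal,
                             "eventName": name, "eventTime": e.get("eventTime"),
                             "detail": detail})

        # Rule 1: any activity by the account root user.
        if ident.get("type") == "Root":
            finding("root-activity", "root user should not be used for daily work")

        # Rule 2: successful console login without MFA.
        if (name == "ConsoleLogin"
                and e.get("responseElements", {}).get("ConsoleLogin") == "Success"
                and e.get("additionalEventData", {}).get("MFAUsed") == "No"):
            finding("console-login-without-mfa", "enforce MFA for this user")

        # Rule 3: changes that stop or weaken CloudTrail logging.
        if e.get("eventSource") == "cloudtrail.amazonaws.com" and name in TRAIL_TAMPERING:
            finding("cloudtrail-tampering", "audit trail modified; verify the change was authorized")

        # Rule 4: a burst of AccessDenied errors from one principal
        # (fires once, when the threshold is reached).
        if e.get("errorCode") == "AccessDenied":
            denied_by_principal[principal] += 1
            if denied_by_principal[principal] == ACCESS_DENIED_THRESHOLD:
                finding("access-denied-burst",
                        f"{ACCESS_DENIED_THRESHOLD} denied calls; review this principal's permissions")
    return findings


def load_events(path):
    """Parse a CloudTrail log file (a JSON object with a 'Records' list)."""
    with open(path) as fh:
        return json.load(fh)["Records"]


if __name__ == "__main__":
    for f in detect(SAMPLE_EVENTS):
        print(f"{f['eventTime']} {f['rule']:28s} {f['principal']} {f['eventName']}")
```

Running the script prints four findings (one per rule) for the constructed input; `load_events` lets the same rules run over a real CloudTrail log file, where thresholds and the event-name lists would be tuned to your environment. In production this logic belongs in a managed detector such as GuardDuty or Security Hub, but seeing the rules spelled out makes clear what "monitoring account behavior" actually inspects.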
Identity & Access Management
AWS identity services enable you to securely manage identities, resources, and permissions at scale. The following services help with identity and access management:

| AWS Service | Use Cases |
|---|---|
| AWS Identity & Access Management (IAM) | Securely manage access to services and resources |
| AWS Single Sign-On | Cloud single sign-on (SSO) service |
| Amazon Cognito | Identity management for your apps |
| AWS Directory Service | Managed Microsoft Active Directory |
| AWS Resource Access Manager | Simple, secure service to share AWS resources |
| AWS Organizations | Central governance and management across AWS accounts |
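To make "securely manage access" concrete, the following added example (not AWS's engine and not code from the original chapter) re-implements the documented IAM decision order for identity-based policies: a matching explicit Deny always wins, otherwise a matching Allow grants access, otherwise the request is implicitly denied. It handles Effect, Action and Resource with the `*` and `?` wildcards and deliberately ignores Condition, NotAction, NotResource and Principal. The policies, bucket name and account id are constructed; the over-broad policy is shown beside its least-privilege replacement.

```python
import fnmatch

# Simplified IAM policy evaluation for teaching purposes: explicit Deny
# beats Allow, and anything not allowed is implicitly denied. It ignores
# Condition, NotAction, NotResource and Principal, and it treats every
# policy in the list alike (real SCPs and permission boundaries add
# further layers, but the Deny-wins rule holds across all of them).


def _as_list(value):
    return value if isinstance(value, list) else [value]


def _matches(patterns, value, case_insensitive=False):
    """True if any pattern matches value; '*' and '?' are the IAM wildcards.
    (fnmatch also interprets '[...]', which IAM does not; ARNs rarely contain it.)"""
    patterns = _as_list(patterns)
    if case_insensitive:
        value = value.lower()
        patterns = [p.lower() for p in patterns]
    return any(fnmatch.fnmatchcase(value, p) for p in patterns)


def evaluate(policies, action, resource):
    """Return 'explicit-deny', 'allow' or 'implicit-deny' for one request."""
    decision = "implicit-deny"
    for policy in policies:
        for stmt in _as_list(policy["Statement"]):
            # Action names are case-insensitive in IAM; resource ARNs are not.
            if not _matches(stmt.get("Action", []), action, case_insensitive=True):
                continue
            if not _matches(stmt.get("Resource", []), resource):
                continue
            if stmt["Effect"] == "Deny":
                return "explicit-deny"  # a matching Deny always wins
            decision = "allow"          # keep scanning in case a Deny follows
    return decision


# Constructed policies for the demo (bucket name and account id are invented).
BROAD_POLICY = {  # the weak setting: every S3 action on every resource
    "Version": "2012-10-17",
    "Statement": [{"Effect": "Allow", "Action": "s3:*", "Resource": "*"}],
}
LEAST_PRIVILEGE_POLICY = {  # the corrected setting: read one bucket only
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Allow",
        "Action": ["s3:GetObject", "s3:ListBucket"],
        "Resource": ["arn:aws:s3:::example-reports",
                     "arn:aws:s3:::example-reports/*"],
    }],
}
DELETE_GUARDRAIL = {  # a Deny that no Allow in the set can override
    "Version": "2012-10-17",
    "Statement": [{"Effect": "Deny", "Action": "s3:DeleteObject", "Resource": "*"}],
}

if __name__ == "__main__":
    obj = "arn:aws:s3:::example-reports/q1.csv"
    cases = [
        ("broad policy, delete", [BROAD_POLICY], "s3:DeleteObject"),
        ("least privilege, delete", [LEAST_PRIVILEGE_POLICY], "s3:DeleteObject"),
        ("least privilege, read", [LEAST_PRIVILEGE_POLICY], "s3:GetObject"),
        ("broad + guardrail, delete", [BROAD_POLICY, DELETE_GUARDRAIL], "s3:DeleteObject"),
    ]
    for label, policies, action in cases:
        print(f"{label:28s} -> {evaluate(policies, action, obj)}")
```

The broad policy allows the delete, the least-privilege policy leaves it implicitly denied, and the guardrail Deny turns the broad policy's Allow into an explicit deny regardless of statement order. Writing policies so that the intended requests are the only ones that evaluate to `allow` is what least privilege means in IAM terms.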
Compliance & data privacy
AWS manages dozens of compliance programs in its infrastructure. AWS provides a comprehensive view of the compliance status of your AWS IT environment. It does this by continuously monitoring your environment using automated compliance checks based on AWS best practices and industry standards. The following services help with compliance and data privacy:

| AWS Service | Use Cases |
|---|---|
| AWS Artifact | No-cost, self-service portal for on-demand access to AWS' compliance reports |
| AWS Audit Manager | Continuously audit your AWS usage to simplify how you assess risk and compliance |
Network & Application Protection
Network and application protection services help you manage fine-grained security policy at different network boundaries across your AWS IT environment. For example, AWS services help you inspect and filter traffic to prevent unauthorized resource access at the host, network, and application boundaries.

| AWS Service | Use Cases |
|---|---|
| AWS Network Firewall | Network security |
| AWS Shield | DDoS protection |
| Amazon Route 53 Resolver DNS Firewall | Filter and control outbound DNS traffic for your VPCs |
| AWS Web Application Firewall (WAF) | Filter malicious web traffic |
| AWS Firewall Manager | Central management of firewall rules |
Saves Cost
Customers save costs because they do not have to manage on-premises security; that security is addressed within AWS data centers.
Scale Quickly
Security scales with your use of the AWS cloud. No matter the size of your business, the AWS infrastructure is designed to keep your data safe.
AWS Artifact
Screenshot from: https://aws.amazon.com/artifact/
AWS Artifact is a central place for the compliance-related information that matters to you. It provides on-demand access to AWS' security and compliance reports and to select online agreements. In other words, AWS Artifact is the portal through which an enterprise can access security and compliance reports related to the AWS public cloud.
The following reports are available in AWS Artifact: SOC (Service Organization Control) reports, PCI (Payment Card Industry) reports, and certifications from accreditation bodies across geographies and compliance verticals that validate the implementation and operating effectiveness of AWS security controls. Agreements available in AWS Artifact include the Business Associate Addendum (BAA) and the Nondisclosure Agreement (NDA).
These reports can also guide team members, such as developers, to ensure that they adhere to these standards. Additionally, a user can download reports and other internal AWS documents via Artifact to ensure and demonstrate to auditors or regulators that the AWS offerings meet security and compliance standards.
SK Singh is the founder and a software, cloud, and data engineer. He has been involved in the software industry for around 25 years. He holds a bachelor's degree in computer science and engineering from India and a master's degree in software engineering from the Pennsylvania State University. SK has worked on a wide range of software projects for government, private, start-up, and large public companies in various software engineering roles. He holds many professional certifications, including AWS, Hadoop, Kafka, Oracle, Unix, Java, and Java-related frameworks, among others.