10.2 Pillar One - Security
Apply security at all layers
Enable traceability
Automate responses to security events
Focus on securing your system
Automate security best practices
Amazon Shared Responsibility Model:
Security in the cloud consists of 4 areas:
Data protection
Best practices: Before you begin to architect security practices across your environment, basic data classification should be in place. You should organize and classify your data into segments such as publicly available, available to all members of your organization, available only to certain members of your organization, available only to the board, etc. You should also implement a least-privilege access system so that people are only able to access what they need. Most importantly, you should encrypt everything wherever possible, whether at rest or in transit.
In AWS the following practices help to protect your data:
AWS customers maintain full control over their data.
AWS makes it easier for you to encrypt your data and manage keys, including regular key rotation, which can be easily automated natively by AWS or maintained by a customer.
Detailed logging is available that contains important content, such as file access and changes.
AWS has designed storage systems for exceptional resiliency. As an example, Amazon S3 is designed for 11 nines of durability.
Versioning, which can be part of a larger data lifecycle-management process, can protect against accidental overwrites, deletes, and similar harm.
AWS never initiates the movement of data between regions. Content placed in a region will remain in that region unless the customer explicitly enables a feature or leverages a service that provides that functionality.
What questions should you ask yourself:
How are you encrypting and protecting your data at rest?
How are you encrypting and protecting your data in transit? (SSL)
AWS Key services:
You can encrypt your data both in transit and at rest using: ELB, EBS, S3, RDS.
Privilege management
Best practices: Privilege Management ensures that only authorized and authenticated users are able to access your resources, and only in a manner that is intended. It can include:
Access Control Lists (ACLs)
Role Based Access Controls
Password Management (such as password rotation policies)
What questions should you ask yourself:
How are you protecting access to and use of the AWS root account credentials? (Have you enabled multi-factor authentication on your root account?)
How are you defining roles and responsibilities of system users to control human access to the AWS Management Console and APIs? (e.g. groups)
How are you limiting automated access (such as from applications, scripts, or third-party tools or services) to AWS resources? (For example, are you using roles within IAM?) (e.g. only allow your own app server to access your DynamoDB)
How are you managing keys and credentials? (Are you using key management service?)
AWS Key service:
IAM.
MFA (within IAM, you will use MFA to secure your accounts).
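The two preceding areas come together in how a policy is evaluated: the data-protection rule "encrypt in transit" is typically enforced with a Deny statement conditioned on aws:SecureTransport, and privilege management is the principle that an app server role is allowed only the actions it needs on only the table it uses. The following is an added example, not code from the page or from AWS, that models the documented evaluation order (explicit Deny wins, then any matching Allow, otherwise implicit Deny) for IAM-style policy documents. The table name, bucket name and account id are constructed; Principal elements are omitted because the example evaluates policies as already attached to the caller, and only the Bool condition operator is modelled.

```python
"""Minimal IAM-style policy evaluator (added example, not AWS's own engine)."""
import fnmatch


def _as_list(value):
    # Policy documents allow a single string wherever a list is expected.
    return value if isinstance(value, list) else [value]


def _matches(patterns, value):
    # IAM wildcards: '*' matches any run of characters, '?' exactly one.
    # fnmatch also gives '[' a special meaning, so it is escaped first.
    return any(fnmatch.fnmatchcase(value, p.replace("[", "[[]")) for p in _as_list(patterns))


def _condition_holds(condition, context):
    # Only the Bool operator is modelled, which is enough for aws:SecureTransport.
    # A key that is absent from the request context makes the condition false.
    for operator, keys in (condition or {}).items():
        if operator != "Bool":
            raise ValueError(f"unsupported condition operator: {operator}")
        for key, expected in keys.items():
            if key not in context or str(context[key]).lower() != str(expected).lower():
                return False
    return True


def evaluate(policies, action, resource, context=None):
    """Decide one request: explicit Deny > matching Allow > implicit Deny."""
    context = context or {}
    allowed = False
    for policy in policies:
        for stmt in _as_list(policy["Statement"]):
            if not (_matches(stmt["Action"], action) and _matches(stmt["Resource"], resource)):
                continue
            if not _condition_holds(stmt.get("Condition"), context):
                continue
            if stmt["Effect"] == "Deny":
                return "Deny"  # an explicit deny is final, whatever else allows
            allowed = True
    return "Allow" if allowed else "Deny"  # nothing allowed it: implicit deny


# Constructed sample: least-privilege role for an app server that only needs
# three actions on one hypothetical DynamoDB table ("Orders"), nothing else.
TABLE_ARN = "arn:aws:dynamodb:us-east-1:123456789012:table/Orders"
APP_SERVER_ROLE_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Allow",
        "Action": ["dynamodb:GetItem", "dynamodb:PutItem", "dynamodb:Query"],
        "Resource": TABLE_ARN,
    }],
}

# Constructed sample: objects in a hypothetical bucket may be read, but any
# request that did not arrive over TLS is refused, enforcing encryption in transit.
OBJECT_ARN = "arn:aws:s3:::example-data/report.csv"
DATA_BUCKET_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow", "Action": "s3:GetObject", "Resource": "arn:aws:s3:::example-data/*"},
        {"Effect": "Deny", "Action": "s3:*",
         "Resource": ["arn:aws:s3:::example-data", "arn:aws:s3:::example-data/*"],
         "Condition": {"Bool": {"aws:SecureTransport": "false"}}},
    ],
}


if __name__ == "__main__":
    print(evaluate([APP_SERVER_ROLE_POLICY], "dynamodb:GetItem", TABLE_ARN))       # Allow
    print(evaluate([APP_SERVER_ROLE_POLICY], "dynamodb:DeleteTable", TABLE_ARN))   # Deny (implicit)
    print(evaluate([DATA_BUCKET_POLICY], "s3:GetObject", OBJECT_ARN, {"aws:SecureTransport": "false"}))  # Deny
```

The DeleteTable case is the point of least privilege: the role was never granted it, so no Deny statement is needed, the implicit deny covers it. The TLS case shows the opposite direction, a Deny that overrides an Allow the caller otherwise has.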
Infrastructure protection
Outside the cloud, this is how you protect your data center: RFID access controls, physical security, lockable cabinets, CCTV, etc. Within AWS, the physical layer is handled by AWS, so for you infrastructure protection really exists at the VPC level (e.g. how do you protect your VPC? What security groups do you have in place? What network ACLs do you have in place? How are you doing your routing, and is a given subnet public or private?).
What questions should you ask yourself:
How are you enforcing network and host-level boundary protection? (e.g. public/private subnets, security groups, NACLs, bastion host, etc.)
How are you enforcing AWS service-level protection? (e.g. can multiple users log into your AWS account, do you have groups set up to group different users and give them different privileges, are you using IAM, do you have multi-factor authentication (MFA) enabled for all those users, do you have a strong password policy and rotation policy, etc.)
How are you protecting the integrity of the operating systems on your EC2 instances? (e.g. do you have antivirus installed, etc)
AWS Key services:
VPC (within AWS cloud)
Security Groups (locking down particular ports on your security groups to IP addresses)
Network ACLs
Public/private subnets
Bastion
NAT instances/gateway
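The difference between the two boundary controls listed above is easy to get wrong in practice: a network ACL is stateless and evaluates numbered rules in ascending order with the first match winning, so a public subnet that allows inbound 443 still drops the responses unless an outbound rule allows the client's ephemeral port range; a security group is stateful, so one inbound rule is enough. The following is an added example, not code from the page or from AWS, that models both behaviours and adds the review check a practitioner would run over security-group rules (management ports open to the whole Internet). All rule sets and addresses are constructed.

```python
"""NACL (stateless, ordered) vs. security group (stateful) evaluation.
Added example, not AWS's own implementation."""
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Rule:
    number: int        # NACL rule number (evaluated ascending); unused (0) for security groups
    protocol: str      # "tcp", "udp" or "-1" for all traffic
    port_from: int
    port_to: int
    cidr: str
    action: str        # "allow" or "deny" (security groups only ever allow)


def _covers_port(rule, protocol, port):
    if rule.protocol not in ("-1", protocol):
        return False
    return rule.protocol == "-1" or rule.port_from <= port <= rule.port_to


def _rule_matches(rule, protocol, port, address):
    return _covers_port(rule, protocol, port) and \
        ipaddress.ip_address(address) in ipaddress.ip_network(rule.cidr, strict=False)


def nacl_decision(rules, protocol, port, address):
    """Lowest-numbered matching rule decides; the implicit final '*' rule denies."""
    for rule in sorted(rules, key=lambda r: r.number):
        if _rule_matches(rule, protocol, port, address):
            return rule.action
    return "deny"


def nacl_allows_flow(inbound, outbound, protocol, dst_port, client_ip, ephemeral_port):
    """Stateless: the request must pass inbound AND the reply must pass outbound."""
    request_ok = nacl_decision(inbound, protocol, dst_port, client_ip) == "allow"
    reply_ok = nacl_decision(outbound, protocol, ephemeral_port, client_ip) == "allow"
    return request_ok and reply_ok


def security_group_allows_flow(inbound, protocol, dst_port, client_ip):
    """Stateful: one matching inbound rule is enough; replies are tracked automatically."""
    return any(_rule_matches(r, protocol, dst_port, client_ip) for r in inbound)


MANAGEMENT_PORTS = {22: "ssh", 3389: "rdp"}


def find_exposed_management_ports(sg_inbound):
    """Flag security-group rules that open SSH/RDP to any address (0.0.0.0/0 or ::/0)."""
    findings = []
    for rule in sg_inbound:
        if ipaddress.ip_network(rule.cidr, strict=False).prefixlen != 0:
            continue
        for port, name in MANAGEMENT_PORTS.items():
            if _covers_port(rule, "tcp", port):
                findings.append(f"{name} (tcp/{port}) open to {rule.cidr}")
    return findings


# Constructed rule sets for a public web subnet. 203.0.113.0/24 plays the admin range.
PUBLIC_INBOUND = [
    Rule(100, "tcp", 443, 443, "0.0.0.0/0", "allow"),
    Rule(110, "tcp", 22, 22, "203.0.113.0/24", "allow"),
]
OUTBOUND_MISSING_EPHEMERAL = [Rule(100, "tcp", 443, 443, "0.0.0.0/0", "allow")]
OUTBOUND_CORRECT = OUTBOUND_MISSING_EPHEMERAL + [Rule(110, "tcp", 1024, 65535, "0.0.0.0/0", "allow")]
# A lower-numbered deny placed in front of the allow: rule order, not rule count, decides.
BLOCKED_INBOUND = [Rule(90, "tcp", 443, 443, "198.51.100.0/24", "deny")] + PUBLIC_INBOUND

SG_WEB = [Rule(0, "tcp", 443, 443, "0.0.0.0/0", "allow")]
SG_RISKY = SG_WEB + [Rule(0, "tcp", 22, 22, "0.0.0.0/0", "allow")]


if __name__ == "__main__":
    print(nacl_allows_flow(PUBLIC_INBOUND, OUTBOUND_MISSING_EPHEMERAL, "tcp", 443, "198.51.100.7", 51515))  # False
    print(nacl_allows_flow(PUBLIC_INBOUND, OUTBOUND_CORRECT, "tcp", 443, "198.51.100.7", 51515))            # True
    print(find_exposed_management_ports(SG_RISKY))  # ['ssh (tcp/22) open to 0.0.0.0/0']
```

The first two calls are the same HTTPS request from the same client; only the outbound rule set differs, which is why "why does my public subnet time out" so often ends at the NACL rather than the security group.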
Detective controls
You can use detective controls to detect or identify a security breach. AWS services to achieve this include:
AWS CloudTrail (for logging)
AWS CloudWatch
AWS Config
Amazon S3
Amazon Glacier
What questions should you ask yourself:
How are you capturing and analyzing AWS logs? (e.g. have you turned on CloudTrail in each region in which you operate, because CloudTrail is a regional service; are you using any log management services; etc.)
AWS Key services:
AWS CloudTrail
AWS CloudWatch
AWS Config
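Turning CloudTrail on is only half of a detective control; the other half is the analysis that turns records into findings. The following is an added example, not code from the page or from AWS, that runs three detections a practitioner would want against the privilege-management questions above (root credentials in use, a successful console login without MFA, and someone stopping or altering a trail) over a constructed CloudTrail log file. The field names (userIdentity.type, additionalEventData.MFAUsed, responseElements.ConsoleLogin) are the ones CloudTrail records use; the users, times, addresses and trail ARN are constructed.

```python
"""Detections over CloudTrail records (added example, not an AWS tool)."""
import json
from collections import Counter

# Constructed sample log file in CloudTrail's {"Records": [...]} layout.
SAMPLE_CLOUDTRAIL = json.loads("""
{"Records": [
  {"eventTime": "2024-03-01T08:15:02Z", "awsRegion": "us-east-1",
   "eventSource": "signin.amazonaws.com", "eventName": "ConsoleLogin",
   "userIdentity": {"type": "IAMUser", "userName": "alice"},
   "sourceIPAddress": "203.0.113.10",
   "responseElements": {"ConsoleLogin": "Success"},
   "additionalEventData": {"MFAUsed": "Yes"}},
  {"eventTime": "2024-03-01T09:02:41Z", "awsRegion": "us-east-1",
   "eventSource": "signin.amazonaws.com", "eventName": "ConsoleLogin",
   "userIdentity": {"type": "Root"},
   "sourceIPAddress": "198.51.100.23",
   "responseElements": {"ConsoleLogin": "Success"},
   "additionalEventData": {"MFAUsed": "No"}},
  {"eventTime": "2024-03-01T09:10:17Z", "awsRegion": "eu-west-1",
   "eventSource": "cloudtrail.amazonaws.com", "eventName": "StopLogging",
   "userIdentity": {"type": "IAMUser", "userName": "bob"},
   "sourceIPAddress": "198.51.100.23",
   "requestParameters": {"name": "arn:aws:cloudtrail:eu-west-1:123456789012:trail/main"}},
  {"eventTime": "2024-03-01T09:30:00Z", "awsRegion": "us-east-1",
   "eventSource": "ec2.amazonaws.com", "eventName": "DescribeInstances",
   "userIdentity": {"type": "IAMUser", "userName": "alice"},
   "sourceIPAddress": "203.0.113.10"}
]}
""")


def root_account_used(rec):
    # Day-to-day work should happen under IAM users/roles; any root activity is notable.
    if rec.get("userIdentity", {}).get("type") == "Root":
        return "root credentials used for " + rec.get("eventName", "?")
    return None


def console_login_without_mfa(rec):
    # Only successful logins count; failed attempts belong to a different detection.
    if rec.get("eventName") != "ConsoleLogin":
        return None
    if rec.get("responseElements", {}).get("ConsoleLogin") != "Success":
        return None
    if rec.get("additionalEventData", {}).get("MFAUsed") != "Yes":
        return "successful console login without MFA"
    return None


def trail_logging_changed(rec):
    # Stopping or deleting the trail blinds every other detection; alert on it directly.
    if rec.get("eventSource") == "cloudtrail.amazonaws.com" and \
            rec.get("eventName") in {"StopLogging", "DeleteTrail", "UpdateTrail"}:
        return f"{rec['eventName']} on {rec.get('requestParameters', {}).get('name', '?')}"
    return None


RULES = [root_account_used, console_login_without_mfa, trail_logging_changed]


def _actor(rec):
    ident = rec.get("userIdentity", {})
    return ident.get("userName") or ident.get("type", "unknown")


def analyze(trail_file):
    """Run every rule over every record and return one finding per hit."""
    findings = []
    for rec in trail_file.get("Records", []):
        for rule in RULES:
            detail = rule(rec)
            if detail:
                findings.append({
                    "rule": rule.__name__,
                    "time": rec.get("eventTime"),
                    "region": rec.get("awsRegion"),
                    "actor": _actor(rec),
                    "source_ip": rec.get("sourceIPAddress"),
                    "detail": detail,
                })
    return findings


def summarize(findings):
    """Count findings per rule, the shape a dashboard or alert threshold would consume."""
    return dict(Counter(f["rule"] for f in findings))


if __name__ == "__main__":
    for finding in analyze(SAMPLE_CLOUDTRAIL):
        print(f"{finding['time']} {finding['region']} {finding['actor']:<6} "
              f"{finding['source_ip']:<15} {finding['rule']}: {finding['detail']}")
```

The same record can raise more than one finding (the root login above trips both the root-usage and the no-MFA rule), which is intended: each rule maps to one of the questions on this page, and a reviewer should see both gaps, not just the first.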
Security in the cloud consists of 4 areas and their questions.