Security & Compliance

 

The major cloud providers have invested heavily in securing their platforms. Security on AWS begins with the Shared Responsibility Model: AWS is responsible for security of the cloud (the facilities, hardware, hypervisor and the software behind its managed services), and you are responsible for security in the cloud (your data, identities, network configuration, operating systems, applications and how each service is configured). It is important to understand this key concept because it is intertwined with every platform component and drives key design decisions early in the process. The next key concept is that in AWS, as in other cloud providers, the security model is multi-layered: depending on your use case, corporate standards or regulatory requirements, AWS provides a rich set of components that you can pick and choose to meet those requirements, and these components work with each category of service (compute, storage, networking and so on). For example, will you require a Web Application Firewall to analyze incoming traffic to your site? If so, clearly defined rules and alerting, worked out together with your security team, will support audit compliance. In a nutshell, there are a variety of ways to secure data in transit and data at rest with AWS tools, augmented by the AWS Partner Network (represented through the AWS Marketplace) and by Cloud Access Security Brokers (CASBs).

Here is a list of security tools on the AWS platform:

WAF - Web Application Firewall. Attaches to CloudFront distributions, Application Load Balancers and API Gateway, inspects HTTP/HTTPS requests and applies rules (managed rule groups, rate limits and your own conditions) to block, count or allow traffic patterns.

Encryption - SSE-S3, SSE-KMS, SSE-C. SSE stands for server-side encryption, and these are the three server-side options for encrypting S3 objects at rest; they differ in who holds the keys. With SSE-S3, S3 manages the keys entirely. With SSE-KMS, the keys live in AWS KMS, so you get key policies, rotation and a CloudTrail record of every key use. With SSE-C, you supply the key on each request; S3 encrypts with it and discards it, so the same key must be presented again on every read. Choose based on your use case and your security standards, and remember that client-side encryption before upload is also an option.

Certificate Manager - AWS Certificate Manager (ACM) issues publicly trusted SSL/TLS certificates at no charge and renews them automatically, which removes the hassle of tracking certificate expirations by hand. This service has some limits, though: public ACM certificates are intended for AWS-integrated services such as Elastic Load Balancing, CloudFront and API Gateway rather than for installation on arbitrary hosts, and automatic renewal only works while the validation records (for example the DNS CNAME) remain in place.

IAM - Identity and Access Management. This is one of the foundational elements of security on the AWS platform. It is necessary to fully understand how the service is structured: users, groups and roles are the principals, and JSON policy documents attached to them (or to resources) state which actions on which resources are allowed or denied. Everything not explicitly allowed is denied, and an explicit deny always wins. Prefer roles, which hand out temporary credentials, over long-lived access keys, and grant least privilege.

Security Groups - Stateful virtual firewall attached to an EC2 instance's network interface (and to other resources such as load balancers and RDS instances), establishing which traffic may reach it and leave it. Rules are allow-only, and because the group is stateful, the return traffic of a connection that was allowed in is permitted out automatically, regardless of the outbound rules.

Network ACLs - Stateless access control list that governs traffic in and out of a subnet. Rules can allow or deny, are evaluated in ascending rule-number order with the first match winning, and anything unmatched is denied by the implicit final rule. Because no connection state is kept, you have to configure both the inbound rules (protocol/ports) and the matching outbound rules, including the ephemeral port range (1024-65535) that reply traffic uses; otherwise the replies are dropped.
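The stateful/stateless distinction between security groups and network ACLs is easiest to see by running both rule sets over the same two packets of one HTTPS connection. The following is an added example, not code from the original page: a small model of the two evaluation algorithms as AWS documents them (NACL: ascending rule numbers, first match wins, implicit deny; security group: allow-only rules plus connection tracking). The packet layout, the `Rule`/`SecurityGroup` names and the sample addresses are this example's own assumptions; real security groups also carry a default allow-all outbound rule, which is deliberately left out here to show that the reply is permitted by state, not by a rule.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Set, Tuple

@dataclass(frozen=True)
class Packet:
    """A packet seen from the instance's side: remote_* describe the peer,
    local_port is the port on the instance."""
    direction: str        # "in" (arriving at the instance) or "out" (leaving it)
    remote_ip: str
    remote_port: int
    local_port: int
    proto: str = "tcp"

@dataclass(frozen=True)
class Rule:
    cidr: str             # remote address range (source for "in", destination for "out")
    port_from: int
    port_to: int
    proto: str = "tcp"    # "tcp", "udp" or "all"
    number: int = 0       # NACL only: rules are tried in ascending order
    action: str = "allow" # NACL only: "allow" or "deny"; security groups are allow-only

    def matches(self, pkt: Packet) -> bool:
        # Port ranges apply to the packet's destination port: the local port
        # for inbound traffic, the remote (ephemeral) port for outbound replies.
        dst_port = pkt.local_port if pkt.direction == "in" else pkt.remote_port
        return (self.proto in (pkt.proto, "all")
                and ipaddress.ip_address(pkt.remote_ip) in ipaddress.ip_network(self.cidr)
                and self.port_from <= dst_port <= self.port_to)

def nacl_decide(inbound: List[Rule], outbound: List[Rule], pkt: Packet) -> Tuple[str, Optional[int]]:
    """Stateless: every packet is judged on its own, lowest rule number first,
    and the implicit '*' rule denies whatever nothing else matched."""
    rules = inbound if pkt.direction == "in" else outbound
    for rule in sorted(rules, key=lambda r: r.number):
        if rule.matches(pkt):
            return rule.action, rule.number
    return "deny", None

class SecurityGroup:
    """Stateful: an allowed packet records its flow, and later packets of the same
    flow in either direction are allowed without consulting the rules again."""
    def __init__(self, inbound: List[Rule], outbound: List[Rule]):
        self.inbound, self.outbound = inbound, outbound
        self.flows: Set[Tuple[str, int, int, str]] = set()

    def decide(self, pkt: Packet) -> str:
        flow = (pkt.remote_ip, pkt.remote_port, pkt.local_port, pkt.proto)
        if flow in self.flows:
            return "allow (tracked)"
        rules = self.inbound if pkt.direction == "in" else self.outbound
        if any(rule.matches(pkt) for rule in rules):
            self.flows.add(flow)
            return "allow"
        return "deny"

# Constructed sample flow: a client on an ephemeral port opens HTTPS to the instance.
CLIENT = "198.51.100.7"
SYN = Packet("in", CLIENT, 50123, 443)      # client:50123 -> instance:443
REPLY = Packet("out", CLIENT, 50123, 443)   # instance:443 -> client:50123

def demo() -> dict:
    results = {}
    # NACL with an inbound allow for 443 but no outbound rules at all.
    nacl_in = [Rule("0.0.0.0/0", 443, 443, number=100)]
    results["nacl_syn_no_out"] = nacl_decide(nacl_in, [], SYN)
    results["nacl_reply_no_out"] = nacl_decide(nacl_in, [], REPLY)        # reply dropped
    # Adding the ephemeral-port outbound rule is what lets the reply through.
    nacl_out = [Rule("0.0.0.0/0", 1024, 65535, number=100)]
    results["nacl_reply_ephemeral"] = nacl_decide(nacl_in, nacl_out, REPLY)
    # A lower-numbered deny beats the later allow for the same packet.
    nacl_in_block = [Rule("198.51.100.0/24", 0, 65535, proto="all", number=50, action="deny")] + nacl_in
    results["nacl_blocked_client"] = nacl_decide(nacl_in_block, nacl_out, SYN)
    # Security group: inbound 443 only, and deliberately no outbound rules.
    sg = SecurityGroup([Rule("0.0.0.0/0", 443, 443)], [])
    results["sg_syn"] = sg.decide(SYN)
    results["sg_reply"] = sg.decide(REPLY)                                # allowed by state
    results["sg_unsolicited_out"] = sg.decide(Packet("out", "203.0.113.9", 25, 40000))
    return results

if __name__ == "__main__":
    for name, outcome in demo().items():
        print(f"{name:24s} {outcome}")
```

The practical reading: a NACL that only lists the service ports silently breaks every connection until you add the outbound (and, for outbound-initiated connections, inbound) ephemeral-range rule, while a security group needs only the rule for the initiating direction. Use NACLs for coarse subnet-level blocking, such as the low-numbered deny of a hostile range above, and security groups for per-workload allow lists.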

Key takeaway 1 - Security is multi-layered; you have many options when evaluating your use case.

Key takeaway 2 - The Shared Responsibility Model is a foundational concept that drives security design decisions.

Key takeaway 3 - Just because AWS is PCI DSS compliant does not make your application PCI DSS compliant; AWS's attestation covers its infrastructure, and the way your application stores, processes and transmits cardholder data is still in scope for your own assessment.

 

Virtual Private Cloud (VPC)

I've compiled some great resources to dive into this foundational component of the AWS platform.


EC2 - Compute

It can be confusing to remember the various classes of compute and the pricing models, so I've provided a breakdown here.


Storage

Let's review the storage options and their use-cases.


Application Services

Infrastructure as Code is hot nowadays. Let's look at this and other automation best practices.
