This document discusses securing applications in the AWS cloud. It covers authentication and authorization with IAM, managing access with roles, securing infrastructure from threats like DDoS attacks with AWS Shield, and AWS services for compliance and security assessments like Amazon Inspector. The AWS shared responsibility model is also explained, with AWS responsible for security of the cloud infrastructure and the customer responsible for security in the cloud.

1. © 2020, Amazon Web Services, Inc. or its affiliates. All rights reserved.
Module 4:
Secure your cloud applications
Navjot Singh
Technical Trainer
AWS

2. © 2020, Amazon Web Services, Inc. or its affiliates. All rights reserved.

3. © 2020, Amazon Web Services, Inc. or its affiliates. All rights reserved.
Security is our top priority
Designed for
security
Constantly
monitored
Highly
automated
Highly
available
Highly
accredited

4. © 2020, Amazon Web Services, Inc. or its affiliates. All rights reserved.
Security of the cloud
• Hosts, network, software, facilities
• Protection of the AWS global infrastructure is top priority
• Availability of third-party audit reports
Foundation services
Compute Storage Database Network
AWS global
infrastructure
RegionsAvailability zones Edge locations
AWS

5. © 2020, Amazon Web Services, Inc. or its affiliates. All rights reserved.
Security in the cloud
Considerations
• What you should store
• Which AWS services you
should use
• Which region to store in
• In what content format and
structure
• Who has access
Client-side data encryption &
Data integrity authentication
Platform, applications, identity & access management
Operating system, network & firewall configuration
Customer data
Customer
Server-side encryption
(File system and/or data)
Network traffic protection
(Encryption/integrity/identity)

6. © 2020, Amazon Web Services, Inc. or its affiliates. All rights reserved.
AWS shared responsibility model
Client-side data encryption &
Data integrity authentication
Platform, applications, identity & access management
Operating system, network & firewall configuration
Customer data
Customer
Server-side encryption
(File system and/or data)
Network traffic protection
(Encryption/integrity/identity)
Foundation services
Compute Storage Database Network
AWS global
infrastructure
RegionsAvailability zones Edge locations
AWS

7. © 2020, Amazon Web Services, Inc. or its affiliates. All rights reserved.
Security, identity, and compliance products
AWS Artifact
AWS Certificate Manager
Amazon Cloud Directory
AWS CloudHSM
Amazon Cognito
AWS Directory Service
AWS Firewall Manager
Amazon GuardDuty
AWS Identity and Access Management
Amazon Inspector
AWS Key Management Service
Amazon Macie
AWS Organizations
AWS Shield
AWS Secrets Manager
AWS Single Sign-On
AWS WAF
AWS Artifact
AWS Certificate Manager
Amazon Cloud Directory
AWS CloudHSM
Amazon Cognito
AWS Directory Service
AWS Firewall Manager
Amazon GuardDuty
AWS Identity and Access Management
Amazon Inspector
AWS Key Management Service
Amazon Macie
AWS Organizations
AWS Shield
AWS Secrets Manager
AWS Single Sign-On
AWS WAF

8. © 2020, Amazon Web Services, Inc. or its affiliates. All rights reserved.
Manage authentication and
authorization

9. © 2020, Amazon Web Services, Inc. or its affiliates. All rights reserved.
AWS Identity and Access Management (IAM)
Temporary privileges
that an entity can assume
GROUP ROLEIAM USER
Collection of users
with identical permissions
A person or application
that interacts with AWS
Securely control access to AWS resources

10. © 2020, Amazon Web Services, Inc. or its affiliates. All rights reserved.
Authentication: Who are you?
$ aws
IAM GROUPIAM USER
IAM
AWS
CLI
AWS
SDKS
AWS
Management
Console

11. © 2020, Amazon Web Services, Inc. or its affiliates. All rights reserved.
Authorization: What can you do?
IAM policies
Full
access
Read only
$ aws AWS
CLI
Amazon
S3 BucketIAM USER,
GROUP OR ROLE

12. © 2020, Amazon Web Services, Inc. or its affiliates. All rights reserved.
IAM roles
• IAM users, applications, and
services may assume IAM roles
• Roles uses an IAM policy
for permissionsIAM ROLE

13. © 2020, Amazon Web Services, Inc. or its affiliates. All rights reserved.
Using roles for temporary security credentials
EC2
instance
Application
Amazon
S3 bucket

14. © 2020, Amazon Web Services, Inc. or its affiliates. All rights reserved.
Using roles for temporary security credentials
EC2
instance
Application
Amazon
S3 bucket

15. © 2020, Amazon Web Services, Inc. or its affiliates. All rights reserved.
Using roles for temporary security credentials
EC2
instance
Application
Amazon
S3 bucket
IAM Role IAM Policy

16. © 2020, Amazon Web Services, Inc. or its affiliates. All rights reserved.
Using roles for temporary security credentials
EC2
instance
Application
Amazon
S3 bucket
Assume
IAM Role IAM Policy

17. © 2020, Amazon Web Services, Inc. or its affiliates. All rights reserved.
Using roles for temporary security credentials
EC2
instance
Application
Amazon
S3 bucket
Assume
IAM Role IAM Policy

18. © 2020, Amazon Web Services, Inc. or its affiliates. All rights reserved.

19. © 2020, Amazon Web Services, Inc. or its affiliates. All rights reserved.
Best practices
• Delete access keys for the
AWS account root user
• Activate multi-factor
authentication (MFA)
• Only give IAM users
permissions they need
• Use roles for applications
• Rotate credentials regularly
• Remove unnecessary users
and credentials
• Monitor activity in your
AWS account

20. © 2020, Amazon Web Services, Inc. or its affiliates. All rights reserved.
Access your security and compliance

21. © 2020, Amazon Web Services, Inc. or its affiliates. All rights reserved.
Challenges of threat assessment
• Expensive
• Complex
• Time-consuming
• Difficult to track IT changes

22. © 2020, Amazon Web Services, Inc. or its affiliates. All rights reserved.
What is Amazon Inspector?
Automated security
assessment as a service
• Assesses applications for
vulnerabilities
• Produces a detailed list of
security findings
• Leverages security best
practices

23. © 2020, Amazon Web Services, Inc. or its affiliates. All rights reserved.
Amazon Inspector findings

24. © 2020, Amazon Web Services, Inc. or its affiliates. All rights reserved.
Remediation recommendation

25. © 2020, Amazon Web Services, Inc. or its affiliates. All rights reserved.
Protect your infrastructure from
Distributed Denial of Service (DDoS) attacks

26. © 2020, Amazon Web Services, Inc. or its affiliates. All rights reserved.
What is DDoS?
DDoS
DDoSDDoS

27. © 2020, Amazon Web Services, Inc. or its affiliates. All rights reserved.
DDoS mitigation challenges
Manual
Degraded
performance
Limited
bandwidth
Involves
rearchitecting
Time-
consuming Expensive
Complex

28. © 2020, Amazon Web Services, Inc. or its affiliates. All rights reserved.
What is AWS Shield? • A managed DDoS protection service
• Always-on detection and mitigations
• Seamless integration and deployment
• Cost-efficient and customizable protection
DDoS
DDoSDDoS

29. © 2020, Amazon Web Services, Inc. or its affiliates. All rights reserved.
AWS Shield Standard and AWS Shield Advanced
AWS Shield Standard
(Included)
• Quick detection
• Inline attack mitigation
AWS Shield Advanced
(Optional)
• Enhanced detection
• Advanced attack mitigation
• Visibility and attack notification
• DDoS cost protection
• Specialized support

30. © 2020, Amazon Web Services, Inc. or its affiliates. All rights reserved.
AWS security compliance

31. © 2020, Amazon Web Services, Inc. or its affiliates. All rights reserved.
Assurance programs

32. © 2020, Amazon Web Services, Inc. or its affiliates. All rights reserved.
How AWS helps customers achieve compliance
Sharing information
• Industry certifications
• Security and control practices
• Compliance reports directly
under NDA
Assurance program
• Certifications/attestations
• Laws, regulations, and privacy
• Alignments/frameworks

33. © 2020, Amazon Web Services, Inc. or its affiliates. All rights reserved.

34. © 2020, Amazon Web Services, Inc. or its affiliates. All rights reserved.
Customer responsibility
Review – Design – Identify – Verify

35. © 2020, Amazon Web Services, Inc. or its affiliates. All rights reserved.