AWS security and compliance overview
Amazon offers many services for keeping your environment secure and meeting industry-standard compliance frameworks. By properly using tools such as Cognito and Organizations, you ensure your environment has the controls in place to protect your data.
With automated tools like Trusted Advisor and Audit Manager, you will be able to demonstrate this security and compliance when necessary.
Shared responsibility model
All cloud providers must take security and compliance seriously. With multiple customers sharing physical servers and infrastructure out of the direct control of customers, providers must demonstrate that their services are at least as secure as an on-premises solution. Amazon’s solution to this is what they refer to as the “shared responsibility model.” To use Amazon’s words, Amazon Web Services (AWS) is responsible for the security “of the cloud,” while customers are responsible for security “in the cloud.”
This means AWS is responsible for the security of the virtualization layer, the host operating systems and the physical security of its facilities. The customer is responsible for patching and updating the guest operating systems and applications running in their AWS environment, as well as for firewall configuration and encryption of data. This gives customers greater control over their environment.
Identity and access management
To control access and permissions within AWS, Amazon uses its identity and access management (IAM) service. IAM lets you create users, groups and roles to grant extremely granular access to your AWS environment.
These users and groups can be granted explicit access to specific services within your environment, from read-only to full access. When creating groups and users, grant access according to the principle of least privilege.
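To make the least-privilege point concrete, here is a small added model of how IAM evaluates an identity policy (an explicit Deny always wins, anything not explicitly allowed is implicitly denied), comparing a wildcard grant with a scoped one. This is example code, not AWS's own evaluator; the bucket name and both policies are constructed.

```python
"""Minimal model of how IAM evaluates an identity policy: an explicit Deny always
wins and anything not explicitly allowed is implicitly denied. Added example, not
AWS code; the bucket name and the two policies below are constructed."""
from fnmatch import fnmatchcase


def _as_list(value):
    # IAM lets Action and Resource be a single string or a list; normalise to a list.
    return value if isinstance(value, list) else [value]


def _matches(patterns, value, fold_case):
    # '*' and '?' wildcards as in IAM; action names are case-insensitive, ARNs are not.
    if fold_case:
        return any(fnmatchcase(value.lower(), p.lower()) for p in patterns)
    return any(fnmatchcase(value, p) for p in patterns)


def is_allowed(policy, action, resource):
    """Return True if the policy lets `action` run against `resource`."""
    allowed = False
    for stmt in _as_list(policy["Statement"]):
        if not _matches(_as_list(stmt["Action"]), action, fold_case=True):
            continue
        if not _matches(_as_list(stmt["Resource"]), resource, fold_case=False):
            continue
        if stmt["Effect"] == "Deny":
            return False  # an explicit deny beats every Allow
        allowed = True
    return allowed  # implicit deny unless some statement allowed it


def wildcard_grants(policy):
    """Allow statements that grant a whole service ('s3:*'), everything ('*') or every resource."""
    return [s for s in _as_list(policy["Statement"]) if s["Effect"] == "Allow"
            and (any(a == "*" or a.endswith(":*") for a in _as_list(s["Action"]))
                 or "*" in _as_list(s["Resource"]))]


# A group that only needs to read reports from one bucket (bucket name made up).
OVERLY_BROAD = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": "s3:*", "Resource": "*"}]}

LEAST_PRIVILEGE = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": "s3:ListBucket", "Resource": "arn:aws:s3:::example-reports"},
    {"Effect": "Allow", "Action": "s3:GetObject", "Resource": "arn:aws:s3:::example-reports/*"},
    # An explicit deny carves a private prefix out of the read grant above.
    {"Effect": "Deny", "Action": "s3:*", "Resource": "arn:aws:s3:::example-reports/private/*"}]}
```

The real IAM engine also evaluates conditions, resource policies, permission boundaries and SCPs, so treat this as a reasoning aid for reviewing policies, not a substitute for the IAM policy simulator.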
Working with Cognito
AWS also provides Cognito for authentication, authorization and user management for your web and mobile apps. Through a Cognito user pool, a user can create an account, sign in to your applications and, if you choose to allow it, sign in through third-party providers such as Google and Facebook. Cognito also integrates with SAML and OIDC identity providers such as Active Directory Federation Services (AD FS) on Windows, allowing single sign-on with on-premises Exchange systems.
Once authenticated through Cognito, users may temporarily assume an IAM role through a Cognito identity pool. The resulting temporary credentials grant access to specific resources and services, for example allowing a mobile application user to upload an image to a specific S3 bucket. Identity pools let you control who has access to which resources and options within your application. Additionally, when federating through single sign-on services such as SAML, you can restrict access to AWS resources based on the user's organizational unit in your existing environment.
Using AWS Organizations for account management
AWS lets you centrally manage your various accounts through a service known as AWS Organizations. Organizations allows you to consolidate billing for all member accounts, as well as centralize and standardize items such as backups, usable services, support for IAM and more. There are two account types within an organization: the master account (now called the management account) and member accounts. The master account is the account that created the organization; it can create new accounts, invite existing accounts into the organization and remove accounts from it. Member accounts are all other accounts in the organization.
Additionally, you may group the accounts in your organization into organizational units (OUs). These could be broken down by environment, such as production, development and testing, by region, such as North America, Europe and Asia, or by any other structure that helps you apply policies. Policies attached to an OU flow down to every account contained within it.
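The flow-down rule for service control policies (SCPs), shown as an added model rather than AWS code: an action reaches an account only if every SCP on the path from the root to that account permits it, and SCPs never grant anything the account's own IAM policy does not (they also do not apply to the management account itself). The OU tree, account ids and policies are constructed, and only exact action names or service-wide wildcards are matched.

```python
"""Model of how service control policies (SCPs) on organizational units flow down:
an action reaches an account only if every SCP on the path from the root to that
account permits it, and an SCP never grants what the account's own IAM policy
does not. Added example, not AWS code; the OU tree, account ids and policies are
constructed, and only exact names or service-wide wildcards are matched."""

# Each node names its parent and the SCP attached to it as allow/deny action sets.
# {"*"} as the allow set is the FullAWSAccess default AWS attaches to new OUs.
ORG = {
    "root": {"parent": None, "allow": {"*"}, "deny": set()},
    "prod": {"parent": "root", "allow": {"*"},
             "deny": {"organizations:LeaveOrganization", "cloudtrail:StopLogging"}},
    "dev": {"parent": "root", "allow": {"ec2:*", "s3:*", "sts:AssumeRole"}, "deny": set()},
    "111111111111": {"parent": "prod", "allow": {"*"}, "deny": set()},
    "222222222222": {"parent": "dev", "allow": {"*"}, "deny": set()},
}


def _path_to_root(org, node):
    # Walk parents upward: account -> OU -> ... -> root.
    path = []
    while node is not None:
        path.append(node)
        node = org[node]["parent"]
    return path


def _scp_permits(scp, action):
    # Deny wins; otherwise the action, its service ('ec2:*') or '*' must be allowed.
    if action in scp["deny"]:
        return False
    service = action.split(":")[0] + ":*"
    return action in scp["allow"] or service in scp["allow"] or "*" in scp["allow"]


def effective_permit(org, account, action):
    """True only if every SCP from the account up to the root permits the action."""
    return all(_scp_permits(org[n], action) for n in _path_to_root(org, account))


def account_can(org, account, action, identity_allows):
    """SCPs are a boundary, not a grant: the IAM policy inside the account must also allow it."""
    return effective_permit(org, account, action) and identity_allows
```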
Using Trusted Advisor
To increase security, as well as optimize costs and performance, Amazon offers a service called Trusted Advisor. Trusted Advisor is an automated service that inspects your AWS environment and makes recommendations for security and optimization using AWS best practices. These reports can be stored in S3 and queried using various services such as Athena and QuickSight. All AWS customers have access to six security checks by default:
- S3 bucket permissions
- Security groups with specific ports unrestricted
- IAM use
- Multi-factor authentication on the root account
- Elastic Block Store public snapshots
- RDS public snapshots
Other checks are available with AWS Business and Enterprise Support, Amazon's premium support plans.
Trusted Advisor also offers an organizational view, which lets you run Trusted Advisor checks across all accounts in your organization and compile the results into a single report. This option is very useful for large enterprise customers.
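To show what three of the six default checks actually look for, here is an added re-implementation over the JSON shapes the AWS API returns (describe-security-groups, get-bucket-acl and get-account-summary). This is example code, not Trusted Advisor's own logic; the inputs are constructed and SENSITIVE_PORTS is an assumed list, not AWS's exact one.

```python
"""Three of the six default Trusted Advisor security checks re-implemented over the
JSON shapes the AWS API returns. Added example, not Trusted Advisor's code; inputs
are constructed and SENSITIVE_PORTS is an assumed list, not AWS's exact one."""

SENSITIVE_PORTS = {20, 21, 22, 23, 1433, 1521, 3306, 3389, 5432, 5900, 6379, 27017}
PUBLIC_GRANTEES = {"http://acs.amazonaws.com/groups/global/AllUsers",
                   "http://acs.amazonaws.com/groups/global/AuthenticatedUsers"}


def _open_to_world(perm):
    return (any(r.get("CidrIp") == "0.0.0.0/0" for r in perm.get("IpRanges", []))
            or any(r.get("CidrIpv6") == "::/0" for r in perm.get("Ipv6Ranges", [])))


def check_security_groups(groups):
    """Flag ingress rules open to 0.0.0.0/0 or ::/0 that cover a sensitive port."""
    findings = []
    for sg in groups:
        for perm in sg.get("IpPermissions", []):
            if not _open_to_world(perm):
                continue
            lo, hi = perm.get("FromPort"), perm.get("ToPort")
            if lo is None or hi is None:  # IpProtocol "-1" (all traffic) carries no port range
                findings.append((sg["GroupId"], "all ports"))
                continue
            exposed = sorted(p for p in SENSITIVE_PORTS if lo <= p <= hi)
            if exposed:
                findings.append((sg["GroupId"], exposed))
    return findings


def check_bucket_acls(acls):
    """Flag buckets whose ACL grants any permission to AllUsers or AuthenticatedUsers."""
    return [(name, g["Permission"]) for name, acl in acls.items()
            for g in acl.get("Grants", [])
            if g["Grantee"].get("Type") == "Group" and g["Grantee"].get("URI") in PUBLIC_GRANTEES]


def check_root_mfa(summary_map):
    """get-account-summary reports AccountMFAEnabled=1 when the root user has MFA."""
    return summary_map.get("AccountMFAEnabled", 0) == 1


# Constructed sample data in the shape of the API responses (ids and names made up).
SAMPLE_SGS = [
    {"GroupId": "sg-0example1", "IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443, "IpRanges": [{"CidrIp": "0.0.0.0/0"}]},
        {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22, "IpRanges": [{"CidrIp": "0.0.0.0/0"}]}]},
    {"GroupId": "sg-0example2", "IpPermissions": [
        {"IpProtocol": "-1", "IpRanges": [], "Ipv6Ranges": [{"CidrIpv6": "::/0"}]}]}]
SAMPLE_ACLS = {"example-reports": {"Grants": [{"Grantee": {"Type": "Group",
    "URI": "http://acs.amazonaws.com/groups/global/AllUsers"}, "Permission": "READ"}]}}
```

Public access to a bucket can also come from a bucket policy or from Block Public Access being disabled, which this ACL-only check does not see.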
AWS risk and compliance program
In addition to the security services above, AWS offers Audit Manager to help your organization stay in compliance. Audit Manager helps automate compliance reviews and supports many common standards such as GDPR, HIPAA and PCI DSS. It also lets you create your own compliance framework to support internal audits. The generated reports link to detailed evidence showing the results of the audit. Note that while Audit Manager collects the evidence needed to show compliance, it does not itself assess whether you are compliant. To ensure your company is fully in legal compliance, legal counsel or compliance experts are still needed.
When designed properly with security as a primary factor, your AWS environment will be as secure as an on-premises data center. Be sure to understand and take advantage of all the tools offered by Amazon to secure your data and ensure your compliance.