// security mechanism
- shared responsibility
// customer
Customers are responsible for the security of everything that they create and put in the AWS Cloud.
When using AWS services, you, the customer, maintain complete control over your content. You are responsible for managing security requirements for your content, including which content you choose to store on AWS, which AWS services you use, and who has access to that content. You also control how access rights are granted, managed, and revoked.
The security steps that you take will depend on factors such as the services that you use, the complexity of your systems, and your company’s specific operational and security needs. Steps include selecting, configuring, and patching the operating systems that will run on Amazon EC2 instances, configuring security groups, and managing user accounts.
============
// aws
AWS is responsible for security of the cloud.
AWS operates, manages, and controls the components at all layers of infrastructure. This includes areas such as the host operating system, the virtualization layer, and even the physical security of the data centers from which services operate.
AWS is responsible for protecting the global infrastructure that runs all of the services offered in the AWS Cloud. This infrastructure includes AWS Regions, Availability Zones, and edge locations.
AWS manages the security of the cloud, specifically the physical infrastructure that hosts your resources, which include:
Physical security of data centers
Hardware and software infrastructure
Network infrastructure
Virtualization infrastructure
Although you cannot visit AWS data centers to see this protection firsthand, AWS provides several reports from third-party auditors. These auditors have verified its compliance with a variety of computer security standards and regulations.
=============
AWS Identity and Access Management (IAM)
AWS Identity and Access Management (IAM) enables you to manage access to AWS services and resources securely.
- user permission
> root account user // can access and control any resource in the account
IAM users, groups, and roles
IAM policies
Multi-factor authentication
IAM user by default = 0 permissions.
Only once given permissions can the user add EC2 instances, etc.
============
// multi factor authentication
adds a randomized token.
password + a second form of authentication
===========
principle of least privilege
- users are granted only what they need
============
// IAM policy
JSON document that describes which API calls a user can or cannot make
effect = allow / deny
action = any AWS API call
resource = the AWS resource the action applies to
==========
// IAM group
simplifies policy management: a grouping of users, so a policy attached to the group applies to all of them
==========
// IAM Roles
- associated permission
- no username or password
- allow or deny
- assumed for temporary amounts of time
- gain access to temporary permissions; can be assumed by:
- users
- external identities
- applications
- other AWS Services
when a role is assumed, all previous policies are abandoned and the role's policies apply.
========
// aws organization
- central location to manage multiple AWS accounts
- combines accounts into one organization
- payments combined into one / consolidated billing
- hierarchical grouping of accounts into OUs / organizational units
developer OU
admin OU
HR OU
legal OU
// service control policies (SCPs)
- restrict which resources each role / individual user can access
- In AWS Organizations, you can apply service control policies (SCPs) to the organization root, an individual member account, or an OU. An SCP affects all IAM users, groups, and roles within an account, including the AWS account root user.
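A simplified model of the policy evaluation these notes describe (added example, not from the course or from AWS; both policy documents are constructed samples): an IAM user starts with zero permissions, an explicit Deny wins over any Allow, and an SCP caps what anyone in the account can do, so a call must be allowed by both the SCP and the identity policy. Real AWS evaluation also considers resource policies, permission boundaries and conditions, which are left out here.

```python
import fnmatch
import json

# Constructed sample identity policy: a developer who only needs to list and
# start EC2 instances, and is explicitly denied terminating them.
DEVELOPER_POLICY = json.loads("""
{"Version": "2012-10-17",
 "Statement": [
   {"Effect": "Allow", "Action": ["ec2:Describe*", "ec2:StartInstances"], "Resource": "*"},
   {"Effect": "Deny", "Action": "ec2:TerminateInstances", "Resource": "*"}
 ]}
""")

# Constructed sample SCP attached to a "developer" OU: everything is allowed
# except leaving the organization and any S3 call.
DEVELOPER_OU_SCP = json.loads("""
{"Version": "2012-10-17",
 "Statement": [
   {"Effect": "Allow", "Action": "*", "Resource": "*"},
   {"Effect": "Deny", "Action": ["organizations:LeaveOrganization", "s3:*"], "Resource": "*"}
 ]}
""")


def _matches(value, patterns, fold_case):
    # Action names are case-insensitive in IAM; "*" and "?" are the wildcards.
    if not isinstance(patterns, list):
        patterns = [patterns]
    if fold_case:
        value, patterns = value.lower(), [p.lower() for p in patterns]
    return any(fnmatch.fnmatchcase(value, p) for p in patterns)


def evaluate_policy(policy, action, resource):
    """Return 'Deny', 'Allow' or 'ImplicitDeny' for one policy document.
    Default is implicit deny (zero permissions); an explicit Deny always wins."""
    decision = "ImplicitDeny"
    for stmt in policy["Statement"]:
        if (_matches(action, stmt["Action"], fold_case=True)
                and _matches(resource, stmt["Resource"], fold_case=False)):
            if stmt["Effect"] == "Deny":
                return "Deny"
            decision = "Allow"
    return decision


def is_allowed(identity_policy, scp, action, resource):
    """The SCP caps the whole account (root user included): the call succeeds
    only if the SCP and the identity policy both evaluate to Allow."""
    return (evaluate_policy(scp, action, resource) == "Allow"
            and evaluate_policy(identity_policy, action, resource) == "Allow")
```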
=========
// compliance
- audits / following the law
consumer data in the EU = GDPR / General Data Protection Regulation
healthcare in the US = HIPAA / Health Insurance Portability and Accountability Act
========
// AWS Artifact
- access to compliance reports produced by 3rd parties covering a wide range of standards
// AWS Compliance center
- compliance information all in one place
- includes the AWS risk and security whitepaper
==========
// AWS Key Management Services (KMS)
- key management service.
encryption - securing a message or data so that only authorized parties can access it
like a key and a door.
1 encryption at rest
2 encryption in transit
encryption at rest is enabled on all DynamoDB table data.
encryption in transit protects data moving between server and client.
AWS Key Management Service (AWS KMS) enables you to perform encryption operations through the use of cryptographic keys. A cryptographic key is a random string of digits used for locking (encrypting) and unlocking (decrypting) data. You can use AWS KMS to create, manage, and use cryptographic keys. You can also control the use of keys across a wide range of services and in your applications.
========
// Amazon Inspector
improves the security and compliance of your AWS-deployed apps.
=========