This blog post collects the Amazon® Web Services (AWS) cloud security components from their site and other sources, providing a convenient overview.
Cloud computing security is a fast-growing service that provides many of the same functionalities as traditional IT security. This includes protecting critical information from theft, data leakage, and deletion.
One of the benefits of cloud services is that you can operate at scale and remain secure. It is similar to how you currently manage security, but you now have new ways of delivering security solutions that address new areas of concern. Cloud security does not change the approach to managing security, from preventive through detective to corrective controls. However, it gives you the ability to perform these activities in a more agile manner.
Your data is secured within data centers, and some countries require data to be stored within their own borders. Choosing a provider that has multiple data centers across the world helps you meet such requirements.
Data storage often carries compliance requirements, especially when storing credit card numbers or health information. Many cloud providers offer independent third-party audit reports to attest that their internal processes exist and are effective in managing security within the facilities where you store your data.
The following image shows the three main cloud infrastructure principles:
AWS cloud security components
AWS cloud security consists of the following components:
- Identity and Access Management (IAM)
- Certificate Manager
- Web Application Firewall (WAF)
- Cloud Directory
- Key Management Service (KMS)
IAM is the service that helps you manage users, assign policies, and form groups to manage multiple users at once.
AWS Identity and Access Management lets you do the following:
- Establish access rules and permissions for specific users and applications.
- Set up permissions for users and applications.
- Create user groups for common rule assignment.
- Use CloudTrail to monitor access.
- Use identity federation to log in with your company credentials.
A principal is a person or application that requests an action or operation on an AWS resource. When a principal tries to use the AWS Management Console, the AWS Application Programming Interface (API), or the AWS Command Line Interface (CLI), that principal sends a request to AWS.
A principal must be authenticated (signed into AWS) by using their credentials to send a request to AWS. AWS uses values from the request context to check for policies that apply to the request. It then uses the policies to determine whether to allow or deny the request. After AWS approves the operations in your request, you can perform them on the related resources within your account.
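The evaluation flow just described (request context checked against the applicable policies, then an allow or deny decision) is easy to lose in prose, so here is a small simulation of it. This is an added example written for this post, not AWS's own evaluation engine or any AWS SDK code; the two policy documents are constructed samples, and the simulator models only identity-based policies with the three rules that decide most requests: everything starts as an implicit deny, an explicit Allow in any applicable statement grants access, and an explicit Deny in any applicable statement overrides every Allow. Conditions, resource policies, service control policies and permission boundaries are deliberately left out.

```python
from fnmatch import fnmatchcase

# Constructed sample policies in IAM JSON shape (not from any real account).
READ_ONLY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow",
         "Action": ["s3:Get*", "s3:List*"],
         "Resource": "arn:aws:s3:::example-bucket/*"},
    ],
}
DENY_SECRETS = {
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Deny",
         "Action": "s3:*",
         "Resource": "arn:aws:s3:::example-bucket/secrets/*"},
    ],
}


def _as_list(value):
    """IAM accepts either a single string or a list for Action/Resource."""
    return value if isinstance(value, list) else [value]


def _matches(pattern, value, fold_case=False):
    """IAM wildcard matching: '*' matches any run of characters, '?' one.
    Action names are compared case-insensitively; resource ARNs are not."""
    if fold_case:
        pattern, value = pattern.lower(), value.lower()
    return fnmatchcase(value, pattern)


def statement_applies(stmt, action, resource):
    """True when a statement's Action and Resource both cover the request."""
    actions = _as_list(stmt.get("Action", []))
    resources = _as_list(stmt.get("Resource", []))
    return (any(_matches(a, action, fold_case=True) for a in actions)
            and any(_matches(r, resource) for r in resources))


def evaluate(policies, action, resource):
    """Return 'Allow' or 'Deny' for a request context (action, resource).

    Order mirrors the IAM logic described in the text:
      1. start from an implicit deny,
      2. an explicit Deny in any applicable statement ends evaluation,
      3. otherwise an explicit Allow in any applicable statement grants access.
    """
    allowed = False
    for policy in policies:
        for stmt in _as_list(policy.get("Statement", [])):
            if not statement_applies(stmt, action, resource):
                continue
            if stmt.get("Effect") == "Deny":
                return "Deny"          # explicit deny overrides any allow
            if stmt.get("Effect") == "Allow":
                allowed = True
    return "Allow" if allowed else "Deny"   # implicit (default) deny


if __name__ == "__main__":
    attached = [READ_ONLY, DENY_SECRETS]
    for act, res in [
        ("s3:GetObject", "arn:aws:s3:::example-bucket/public/index.html"),
        ("s3:GetObject", "arn:aws:s3:::example-bucket/secrets/db.pem"),
        ("s3:PutObject", "arn:aws:s3:::example-bucket/public/index.html"),
    ]:
        print(f"{act:14} {res:52} -> {evaluate(attached, act, res)}")
```

The order in which the policies are attached does not matter: the deny on the `secrets/` prefix wins whether it is listed before or after the read-only allow, and a write that no statement covers is refused by the implicit deny alone. That ordering independence is the property to keep in mind when reviewing real policies.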
Amazon Inspector uses an agent that you install on your virtual machines to report security vulnerabilities.
Amazon Inspector is an automated security assessment service that helps improve the security and compliance of applications deployed on AWS. Amazon Inspector automatically assesses applications for exposure, vulnerabilities, and deviations from best practices. After performing an assessment, Amazon Inspector produces a detailed list of security findings prioritized by level of severity. These findings can be reviewed directly or as part of detailed assessment reports, which are available through the Amazon Inspector console or API.
- Integrates automated security checks into your regular deployment and production processes.
- Finds application security issues.
- Helps you gain a deeper understanding of your AWS resources.
AWS Certificate Manager is a service that lets you easily provision, manage, and deploy public and private Secure Sockets Layer/Transport Layer Security (SSL/TLS) certificates for use with AWS services and your internal connected resources. SSL/TLS certificates are used to secure network communications and establish the identity of websites over the Internet as well as resources on private networks. AWS Certificate Manager removes the time-consuming manual process of purchasing, uploading, and renewing SSL/TLS certificates.
AWS WAF is a web application firewall that helps protect your web applications from common web exploits that could affect application availability, compromise security, or consume excessive resources. AWS WAF gives you control over which traffic to allow or block to your web applications by defining customizable web security rules. You can use AWS WAF to create custom rules that block common attack patterns, such as SQL injection or cross-site scripting, and rules that are designed for your specific application. New rules can be deployed within minutes, letting you respond quickly to changing traffic patterns. Also, WAF includes a full-featured API that you can use to automate the creation, deployment, and maintenance of web security rules.
- Increases protection against web attacks.
- Integrates security with application development.
- Makes deployment and maintenance easy.
- Improves web traffic visibility.
This service allows you to create flexible, cloud-native directories for managing hierarchies of data along multiple dimensions.
AWS Cloud Directory enables you to build flexible cloud-native directories for organizing hierarchies of data along multiple dimensions. With Cloud Directory, you can create directories for a variety of use cases, such as organizational charts, course catalogs, and device registries. While traditional directory solutions, such as Active Directory Lightweight Directory Services and other LDAP-based directories, limit you to a single hierarchy, Cloud Directory offers you the flexibility to create directories with hierarchies that span multiple dimensions. For example, you can create an organizational chart that can be navigated through separate hierarchies for reporting structure, location, and cost center.
- Efficiently organize hierarchies of data across multiple dimensions.
- Scale automatically on managed infrastructure.
- Search your directory for objects and relationships.
- Easily adapt to changing data requirements.
AWS KMS makes it easy for you to create and manage keys and control the use of encryption across a wide range of AWS services and in your applications. KMS is a secure and resilient service that uses hardware security modules that have been validated under FIPS 140-2, or are in the process of being validated, to protect your keys. KMS is integrated with AWS CloudTrail to provide you with logs of all key usage to help meet your regulatory and compliance needs.
- Is fully managed.
- Has centralized key management.
- Manages encryption for AWS services.
- Encrypts data in your applications.
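The CloudTrail integration mentioned above is only useful if someone actually reads the key-usage records, so the following shows what that looks like in practice. It is an added example for this post, not AWS or Rackspace code: it parses a CloudTrail delivery (the top-level `Records` list and the `eventSource`, `eventName`, `userIdentity.arn`, `errorCode`, `resources` and `requestParameters.keyId` fields are standard CloudTrail/KMS fields) and reports, per principal and key, how often each KMS API was called, which calls were denied, and which calls changed a key's state. The trail embedded in the block is constructed sample data; the account ID, key IDs and IP addresses are placeholders.

```python
import json
from collections import Counter

# Constructed sample CloudTrail delivery (placeholder account, keys and IPs).
SAMPLE_TRAIL = json.dumps({"Records": [
    {"eventTime": "2024-01-01T10:00:00Z", "eventSource": "kms.amazonaws.com",
     "eventName": "GenerateDataKey",
     "userIdentity": {"arn": "arn:aws:sts::111122223333:assumed-role/app-role/i-0abc"},
     "requestParameters": {"keyId": "alias/app-data"},
     "resources": [{"ARN": "arn:aws:kms:us-east-1:111122223333:key/EXAMPLE-KEY-1"}],
     "sourceIPAddress": "10.0.1.5"},
    {"eventTime": "2024-01-01T10:00:05Z", "eventSource": "kms.amazonaws.com",
     "eventName": "Decrypt",
     "userIdentity": {"arn": "arn:aws:sts::111122223333:assumed-role/app-role/i-0abc"},
     "resources": [{"ARN": "arn:aws:kms:us-east-1:111122223333:key/EXAMPLE-KEY-1"}],
     "sourceIPAddress": "10.0.1.5"},
    {"eventTime": "2024-01-01T10:02:00Z", "eventSource": "kms.amazonaws.com",
     "eventName": "Decrypt",
     "userIdentity": {"arn": "arn:aws:iam::111122223333:user/contractor"},
     "errorCode": "AccessDenied",
     "errorMessage": "User is not authorized to perform: kms:Decrypt",
     "resources": [{"ARN": "arn:aws:kms:us-east-1:111122223333:key/EXAMPLE-KEY-1"}],
     "sourceIPAddress": "203.0.113.7"},
    {"eventTime": "2024-01-01T10:03:00Z", "eventSource": "kms.amazonaws.com",
     "eventName": "ScheduleKeyDeletion",
     "userIdentity": {"arn": "arn:aws:iam::111122223333:user/admin"},
     "requestParameters": {"keyId": "arn:aws:kms:us-east-1:111122223333:key/EXAMPLE-KEY-2",
                           "pendingWindowInDays": 7},
     "sourceIPAddress": "198.51.100.2"},
    {"eventTime": "2024-01-01T10:04:00Z", "eventSource": "s3.amazonaws.com",
     "eventName": "GetObject",
     "userIdentity": {"arn": "arn:aws:iam::111122223333:user/admin"},
     "sourceIPAddress": "198.51.100.2"},
]})

# KMS management APIs that alter a key's state or policy; each deserves review.
KEY_STATE_CHANGES = {"ScheduleKeyDeletion", "DisableKey", "PutKeyPolicy", "DeleteAlias"}


def key_of(record):
    """Key ARN for a KMS event: the 'resources' list when present (Decrypt
    records carry it there), otherwise the keyId request parameter, which
    may be an alias rather than an ARN."""
    for res in record.get("resources", []):
        if "ARN" in res:
            return res["ARN"]
    return record.get("requestParameters", {}).get("keyId", "<unknown>")


def summarize_kms(trail_json):
    """Summarise KMS calls in a CloudTrail delivery.

    Returns a dict with:
      usage         Counter keyed by (principal ARN, event name, key ARN)
      denied        calls that failed with an errorCode (e.g. AccessDenied)
      state_changes calls in KEY_STATE_CHANGES, successful or not
    """
    usage = Counter()
    denied = []
    state_changes = []
    for rec in json.loads(trail_json)["Records"]:
        if rec.get("eventSource") != "kms.amazonaws.com":
            continue  # ignore every other service's events
        principal = rec.get("userIdentity", {}).get("arn", "<unknown>")
        event = rec["eventName"]
        key = key_of(rec)
        usage[(principal, event, key)] += 1   # attempts count, denied or not
        if "errorCode" in rec:
            denied.append({"time": rec["eventTime"], "principal": principal,
                           "event": event, "key": key, "error": rec["errorCode"],
                           "source_ip": rec.get("sourceIPAddress")})
        if event in KEY_STATE_CHANGES:
            state_changes.append({"time": rec["eventTime"], "principal": principal,
                                  "event": event, "key": key})
    return {"usage": usage, "denied": denied, "state_changes": state_changes}


if __name__ == "__main__":
    report = summarize_kms(SAMPLE_TRAIL)
    for (principal, event, key), n in sorted(report["usage"].items()):
        print(f"{n:3} {event:20} {key}  by {principal}")
    for d in report["denied"]:
        print(f"DENIED  {d['time']} {d['event']} on {d['key']} by {d['principal']} from {d['source_ip']}")
    for c in report["state_changes"]:
        print(f"STATE   {c['time']} {c['event']} on {c['key']} by {c['principal']}")
```

On a real trail you would feed this the records CloudTrail delivers to S3 or CloudWatch Logs and route the `denied` and `state_changes` lists to an alerting channel; a denied `Decrypt` from an unexpected principal or IP, or a `ScheduleKeyDeletion` nobody planned, is exactly the kind of event the CloudTrail integration exists to surface.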
You can create groups of AWS accounts by using Organizations to manage security and automation settings.
AWS Organizations helps you centrally govern your environment as you grow and scale your workloads on AWS. Whether you are a growing startup or a large enterprise, Organizations helps you centrally manage billing; control access, compliance, and security; and share resources across your AWS accounts.
- Centrally manage policies across multiple AWS accounts.
- Govern access to AWS services, resources, and regions.
- Automate AWS account creation and management.
- Configure AWS services across multiple accounts.
- Consolidate billing across multiple AWS accounts.
AWS Shield is a managed Distributed Denial of Service (DDoS) protection service that safeguards applications running on AWS. Shield provides always-on detection and automatic inline mitigations that minimize application downtime and latency, so there is no need to engage AWS Support to benefit from DDoS protection. There are two tiers of AWS Shield—Standard and Advanced.
- Seamless integration and deployment.
- Managed protection and attack visibility.
Macie is a data visibility security service that helps classify and protect your sensitive, critical content.
Amazon Macie is a security service that uses machine learning to automatically discover, classify, and protect sensitive data in AWS. Macie recognizes sensitive data such as personally identifiable information (PII) or intellectual property. Macie provides you with dashboards and alerts that give visibility into how this data is being accessed or moved. The fully managed service continuously monitors data access activity for anomalies and generates detailed alerts when it detects the risk of unauthorized access or inadvertent data leaks.
- Offers superior visibility of your data.
- Is simple to set up and easy to manage.
- Provides data security automation through machine learning.
- Has custom alert monitoring with CloudWatch.
Amazon GuardDuty is a threat detection service that continuously monitors for malicious activity and unauthorized behavior to protect your AWS accounts and workloads. With the cloud, the collection and aggregation of account and network activities is simplified, but it can be time-consuming for security teams to continuously analyze event log data for potential threats. With GuardDuty, you now have an intelligent and cost-effective option for continuous threat detection in the AWS Cloud. The service uses machine learning, anomaly detection, and integrated threat intelligence to identify and prioritize potential threats.
- Comprehensive threat identification.
- Strengthened security through automation.
- Enterprise scale and central management.
For businesses making the transition to the cloud, robust cloud security is imperative. Security threats are constantly evolving and becoming more sophisticated, and cloud computing is no less at risk than an on-premises environment. For this reason, it is essential that you work with a cloud provider that offers best-in-class security customized for your infrastructure.