Shared Security Responsibility Model
In the Shared Security Responsibility Model, AWS is responsible for securing the underlying infrastructure that supports the cloud, and you’re responsible for anything you put on the cloud or connect to the cloud.
AWS Security Responsibilities
- Amazon Web Services is responsible for protecting the global infrastructure that runs all of the services offered in the AWS cloud. This infrastructure is comprised of the hardware, software, networking, and facilities that run AWS services.
- AWS provides several reports from third-party auditors who have verified its compliance with a variety of computer security standards and regulations.
- AWS is responsible for the security configuration of its products that are considered managed services, e.g. RDS, DynamoDB.
- For managed services, AWS will handle basic security tasks like guest operating system (OS) and database patching, firewall configuration, and disaster recovery.
Customer Security Responsibilities
- AWS Infrastructure as a Service (IaaS) products, e.g. EC2, VPC, S3, are completely under your control and require you to perform all of the necessary security configuration and management tasks.
- This includes management of the guest OS (including updates and security patches), any application software or utilities you install on the instances, and the configuration of the AWS-provided firewall (called a security group) on each instance.
- For most managed services, all you have to do is configure logical access controls for the resources and protect your account credentials. A few of them may require additional tasks, such as setting up database user accounts, but overall the security configuration work is performed by the service.
AWS Global Infrastructure Security
AWS Compliance Program
The IT infrastructure that AWS provides to its customers is designed and managed in alignment with security best practices and a variety of IT security standards, including:
- SOC 1/SSAE 16/ISAE 3402 (formerly SAS 70)
- SOC 2
- SOC 3
- FISMA, DIACAP, and FedRAMP
- DOD CSM Levels 1-5
- PCI DSS Level 1
- ISO 9001 / ISO 27001
- ITAR
- FIPS 140-2
- MTCS Level 3
It also meets several industry-specific standards, including:
- Criminal Justice Information Services (CJIS)
- Cloud Security Alliance (CSA)
- Family Educational Rights and Privacy Act (FERPA)
- Health Insurance Portability and Accountability Act (HIPAA)
- Motion Picture Association of America (MPAA)
Physical and Environmental Security
Storage Decommissioning
When a storage device has reached the end of its useful life, AWS procedures include a decommissioning process that is designed to prevent customer data from being exposed to unauthorized individuals. AWS uses the techniques detailed in DoD 5220.22-M (“National Industrial Security Program Operating Manual”) or NIST 800-88 (“Guidelines for Media Sanitization”) to destroy data as part of the decommissioning process. All decommissioned magnetic storage devices are degaussed and physically destroyed in accordance with industry-standard practices.
Network Security
Amazon Corporate Segregation
The AWS Production network is segregated from the Amazon Corporate network and requires a separate set of credentials for logical access. The Amazon Corporate network relies on user IDs, passwords, and Kerberos, while the AWS Production network requires SSH public-key authentication through a bastion host.
Network Monitoring & Protection
AWS utilizes a wide variety of automated monitoring systems to provide a high level of service performance and availability. These tools monitor server and network usage, port scanning activities, application usage, and unauthorized intrusion attempts. The tools have the ability to set custom performance metrics thresholds for unusual activity.
The AWS network provides protection against traditional network security issues:
- DDoS - AWS uses proprietary DDoS mitigation techniques. Additionally, AWS’s networks are multi-homed across a number of providers to achieve Internet access diversity.
- Man in the Middle attacks - AWS APIs are available via SSL-protected endpoints, which provide server authentication.
- IP spoofing - AWS-controlled, host-based firewall infrastructure will not permit an instance to send traffic with a source IP or MAC address other than its own.
- Port Scanning - Unauthorized port scans by Amazon EC2 customers are a violation of the AWS Acceptable Use Policy. When unauthorized port scanning is detected by AWS, it is stopped and blocked. Penetration/Vulnerability testing can be performed only on your own instances, with mandatory advance approval, and must not violate the AWS Acceptable Use Policy.
- Packet Sniffing by other tenants - It is not possible for a virtual instance running in promiscuous mode to receive or “sniff” traffic that is intended for a different virtual instance. While you can place your interfaces into promiscuous mode, the hypervisor will not deliver any traffic to them that is not addressed to them. Even two virtual instances that are owned by the same customer located on the same physical host cannot listen to each other’s traffic.
Secure Design Principles
AWS’s development process follows:
- Secure software development best practices, which include formal design reviews by the AWS Security Team, threat modeling, and completion of a risk assessment
- Static code analysis tools are run as a part of the standard build process
- Recurring penetration testing performed by carefully selected industry experts
AWS Account Security Features
AWS account security features include credentials for access control, HTTPS endpoints for encrypted data transmission, the creation of separate IAM user accounts, user activity logging for security monitoring, and Trusted Advisor security checks.
AWS Credentials
Individual User Accounts
Do not use the root account. Instead, create an IAM user for each user, provide each one with a unique set of credentials, and grant only the least privilege required to perform their job function.
Secure HTTPS Access Points
Use HTTPS, which is provided by all AWS services, for data transmissions. It uses public-key cryptography to prevent eavesdropping, tampering, and forgery.
Security Logs
Use Amazon CloudTrail, which provides logs of all requests for AWS resources within your account and captures information about every API call to every AWS resource you use, including sign-in events.
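An added example (not from the original page or from AWS) that ties the logging above to the "Individual User Accounts" advice: it scans CloudTrail records for root account activity, console sign-ins without MFA, and failed sign-ins. The records, account ID and user names are constructed; the finding labels and the `audit_cloudtrail` function name are hypothetical.

```python
import json

# Constructed CloudTrail records (not real log data). The account ID and user
# names are placeholders; the field names follow the CloudTrail record format.
ROOT = {"type": "Root", "arn": "arn:aws:iam::111122223333:root"}
SIGNIN = {"eventSource": "signin.amazonaws.com", "eventName": "ConsoleLogin",
          "eventType": "AwsConsoleSignIn"}
SAMPLE_LOG = json.dumps({"Records": [
    {**SIGNIN, "eventTime": "2024-05-01T08:00:00Z", "userIdentity": ROOT,
     "additionalEventData": {"MFAUsed": "No"},
     "responseElements": {"ConsoleLogin": "Success"}},
    {**SIGNIN, "eventTime": "2024-05-01T08:05:00Z",
     "userIdentity": {"type": "IAMUser", "userName": "alice"},
     "additionalEventData": {"MFAUsed": "Yes"},
     "responseElements": {"ConsoleLogin": "Success"}},
    {**SIGNIN, "eventTime": "2024-05-01T08:07:00Z",
     "userIdentity": {"type": "IAMUser", "userName": "bob"},
     "additionalEventData": {"MFAUsed": "No"},
     "responseElements": {"ConsoleLogin": "Failure"}},
    {"eventTime": "2024-05-01T08:10:00Z", "eventSource": "iam.amazonaws.com",
     "eventName": "CreateAccessKey", "eventType": "AwsApiCall",
     "userIdentity": ROOT, "responseElements": None},
    {"eventTime": "2024-05-01T08:12:00Z", "eventSource": "kms.amazonaws.com",
     "eventName": "RotateKey", "eventType": "AwsServiceEvent",
     "userIdentity": {"type": "Root", "invokedBy": "AWS Internal"}},
    {"eventTime": "2024-05-01T08:15:00Z", "eventSource": "ec2.amazonaws.com",
     "eventName": "DescribeInstances", "eventType": "AwsApiCall",
     "userIdentity": {"type": "IAMUser", "userName": "carol"}},
]})


def audit_cloudtrail(log_text):
    """Return (finding, eventTime, principal, eventName) tuples for one log file."""
    findings = []
    for rec in json.loads(log_text).get("Records", []):
        ident = rec.get("userIdentity") or {}
        who = ident.get("arn") or ident.get("userName") or ident.get("type", "unknown")
        when, name = rec.get("eventTime", "?"), rec.get("eventName", "?")
        is_login = (rec.get("eventSource") == "signin.amazonaws.com"
                    and name == "ConsoleLogin")
        # responseElements can be null in real records, hence the "or {}".
        outcome = (rec.get("responseElements") or {}).get("ConsoleLogin")

        # Root activity, excluding events AWS services generate on the account's behalf.
        if (ident.get("type") == "Root" and "invokedBy" not in ident
                and rec.get("eventType") != "AwsServiceEvent"):
            findings.append(("ROOT_ACTIVITY", when, who, name))

        # Only IAM users and root authenticate to AWS directly; federated
        # sign-ins perform MFA at the identity provider and are skipped here.
        if is_login and outcome == "Success" and ident.get("type") in ("IAMUser", "Root"):
            if (rec.get("additionalEventData") or {}).get("MFAUsed") != "Yes":
                findings.append(("LOGIN_WITHOUT_MFA", when, who, name))

        if is_login and outcome == "Failure":
            findings.append(("FAILED_LOGIN", when, who, name))
    return findings


if __name__ == "__main__":
    for finding in audit_cloudtrail(SAMPLE_LOG):
        print(*finding, sep="  ")
```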
Trusted Advisor Security Checks
Use the Trusted Advisor service, which helps inspect your AWS environment and provides recommendations when opportunities may exist to optimize cost, improve system performance, or close security gaps.
Exam Scenario Questions
- In the shared security model, AWS is responsible for which of the following security best practices (check all that apply):
  - Penetration testing
  - Operating system account security management
  - Threat modeling
  - User group access management
  - Static code analysis
- You are running a web-application on AWS consisting of the following components: an Elastic Load Balancer (ELB), an Auto-Scaling Group of EC2 instances running Linux/PHP/Apache, and Relational DataBase Service (RDS) MySQL. Which security measures fall into AWS’s responsibility?
  - Protect the EC2 instances against unsolicited access by enforcing the principle of least-privilege access
  - Protect against IP spoofing or packet sniffing
  - Assure all communication between EC2 instances and ELB is encrypted
  - Install latest security patches on ELB, RDS and EC2 instances
- In AWS, which security aspects are the customer’s responsibility? Choose 4 answers
  - Controlling physical access to compute resources
  - Patch management on the EC2 instances operating system
  - Encryption of EBS (Elastic Block Storage) volumes
  - Life-cycle management of IAM credentials
  - Decommissioning storage devices
  - Security Group and ACL (Access Control List) settings
- Per the AWS Acceptable Use Policy, penetration testing of EC2 instances:
  - May be performed by AWS, and will be performed by AWS upon customer request.
  - May be performed by AWS, and is periodically performed by AWS.
  - Are expressly prohibited under all circumstances.
  - May be performed by the customer on their own instances with prior authorization from AWS.
  - May be performed by the customer on their own instances, only if performed from EC2 instances