4 areas of “security in the cloud” and related Key AWS Services
Data protection: ELB, EBS, S3, RDS;
Privilege management: IAM, MFA;
Infrastructure protection: VPC;
Detective controls: CloudTrail; CloudWatch; Config;
Best Practice - Data Protection
Questions (How):
Encrypting data at rest and in transit
Privilege Management
*Access Control Lists;
*Role-based access controls;
*Password management (Password rotation policies);
Questions (How):
*AWS root account credentials management;
*Definition of roles and responsibilities to control access to the AWS Management Console and APIs;
*Limitation of automated access to AWS resources;
*Key and credential management;
Infrastructure Protection
Detective Controls
*AWS Service related to this pillar:
CloudTrail; CloudWatch; Config; S3; Glacier
Questions (How):
Capturing and analyzing AWS logs
Furthermore
whitepaper