Now a days cyber security is very important concern in the world. Daily basis everybody getting knowingly or unknowingly lot of cyber-attacks. Protecting data and environment is became lot of challenges. AWS is providing lot of services to protect our cloud environment from cyber-attack. AWS security is shared responsibilities between AWS and us. AWS reduces burden of protecting the infrastructure and services offered by them. Our responsibility is to use the proper tools and services to protect the services what we are using.
Following diagram represent the shared responsibility
mode which is provided by AWS. For more details please refer here
Next challenge is to protect our application environment. To protect our environment, it better to follow leading industrial standard cyber security framework. Cyber security framework will provide a set of guidelines, standard and best practice which we can implement.
In the cyber security industry, National
Institute of Standards and Technology (NIST) is widely used and popular cyber
security framework. NIST cyber framework is having set of guidelines to
mitigating organization cyber-attack. The five core framework functions of NIST
are listed below
In the context of NIST, AWS is providing
various security services to adhere NIST framework. As AWS is having so many securities
feature, we no need to use all. Based on the application need we need to use
proper security service to protect our application.
Following table contain details of the
security services provided by AWS. Following are currently available service
based on their site, it may get outdated after sometime as AWS is keep adding
more services for security click here to
see exact details
As AWS is providing more security services
to protect, we need to choose proper tools to protect our environment.
Following diagram represent sample security design
IAM : This
service provides access control to AWS services. Using role groups, Roles and
Policies we can control access to one or group of people.
Cloud Trail:
This service records all AWS account
activity. This service will be helpful to monitor and detect any unauthorized
access
Cloud Watch:
This service will be helpful to monitor application. This service we can
configure to collect all the application service calls. By default, it is integrated with 70+ AWS
Services.
VPC: Virtual
private cloud (VPC) enables us to create virtual network
Secret Manager: This service will provide a feature to store and retrieve
application secrets like password. This service easily enables us to store
database passwords, access key and other secrets and rotate
KMS : Key
management service will help us to create and manage encryption key to encrypt
data in rest. It is integrated with aws services to simply encrypt and decrypt
data.
Certificate manager: This service will be helpful to quickly create a certificate,
deploy it on AWS resources, such as Application Load Balancing, Amazon
CloudFront distributions, and APIs on Amazon API Gateway. This also enable us
to create private certificate for internal resources
Cognito :
This service will be helpful to build authentication control in web and mobile
very quickly. Cognito provides user pools and identity pools.
Security hub : Security Hub collects security data from across AWS accounts,
services, and supported third-party partner products and validated against
industrial security standards like CIS, PCI DSS and AWS foundation security.
AWS Shield :
This service will be helpful to protect for DDoS (Distributed Denial of
Service) attack
AWS WAF:
This service will protect web applications or APIs against common web exploits
and bots that may affect availability and compromise security of application.
AWS Inspector: This service continuously scan EC2 instances and container images
for software vulnerability.
AWS Macie: Macie
automates the discovery of sensitive data, such as personally identifiable
information (PII) and financial data, to provide you with a better understanding
of the data that your organization stores in Amazon Simple Storage Service
(Amazon S3)
On top of it we can use additional vendor services
to further enhance security. AWS security competency partners are available here
No comments:
Post a Comment