Security - Security Best Practices for Creating an AWS Account
################################
## Security Best Practices for Creating an AWS Account
AWS - responsible for security *of* the cloud (the underlying infrastructure: facilities, hardware, network, hypervisor)
Customer - responsible for security *in* the cloud (what is deployed on it: data, IAM, OS patching, network and service configuration)
Understanding when to use the root user (tasks that cannot be delegated to an IAM user)
- change account settings (account name, root email address, root password, root access keys)
- restore IAM user permissions (when the only IAM administrator has revoked their own access)
- change or cancel the AWS Support plan
- activate IAM access to the Billing and Cost Management console
- view certain tax invoices
- close the AWS account
- register as a seller in the Reserved Instance Marketplace
- configure an S3 bucket to enable MFA Delete
- edit or delete an S3 bucket policy that includes an invalid VPC ID or VPC endpoint ID (such a policy locks out every other principal)
Best practices: Stop using the root user for day-to-day work
Create IAM user -> Create IAM group -> Sign in with the IAM user's credentials
                   |-> Give the group admin permissions (attach the AdministratorAccess managed policy)
                   |-> Add IAM users to this group
Require MFA
Root user -> enable MFA on the root user itself (and remove any root access keys)
Root user -> Require MFA for all account users -> Access AWS console -> use MFA
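The group-plus-MFA setup above is usually completed with an IAM policy that denies everything except MFA self-enrolment until the request context carries `aws:MultiFactorAuthPresent`. The block below is an added example, not part of the course notes: it embeds that policy document (the same shape AWS publishes for letting users manage their own MFA device) alongside a stand-in for the managed AdministratorAccess policy, and a deliberately simplified evaluator (explicit deny wins, then any allow, else implicit deny; only `Bool`/`BoolIfExists` conditions and `*`/`?` wildcards are handled). The account ID 123456789012 and the user `alice` are made up. The point it demonstrates is why the deny uses `BoolIfExists`: a request whose context has no MFA key at all, which is what a CLI call with long-term access keys looks like, must still be denied.

```python
import fnmatch

# MFA enforcement policy (assumed shape, following the AWS-documented example for
# "allow users to manage their own MFA, deny all else without MFA"). Attach it to the
# admin group in addition to AdministratorAccess.
MFA_ENFORCEMENT_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Sid": "AllowViewAccountInfo", "Effect": "Allow",
         "Action": ["iam:GetAccountPasswordPolicy", "iam:ListVirtualMFADevices"],
         "Resource": "*"},
        {"Sid": "AllowManageOwnVirtualMFADevice", "Effect": "Allow",
         "Action": ["iam:CreateVirtualMFADevice"],
         "Resource": "arn:aws:iam::*:mfa/*"},
        {"Sid": "AllowManageOwnUserMFA", "Effect": "Allow",
         "Action": ["iam:DeactivateMFADevice", "iam:EnableMFADevice", "iam:GetUser",
                    "iam:GetMFADevice", "iam:ListMFADevices", "iam:ResyncMFADevice"],
         "Resource": "arn:aws:iam::*:user/${aws:username}"},
        {"Sid": "DenyAllExceptListedIfNoMFA", "Effect": "Deny",
         "NotAction": ["iam:CreateVirtualMFADevice", "iam:EnableMFADevice",
                       "iam:GetUser", "iam:GetMFADevice", "iam:ListMFADevices",
                       "iam:ListVirtualMFADevices", "iam:ResyncMFADevice",
                       "sts:GetSessionToken"],
         "Resource": "*",
         # BoolIfExists: the deny also fires when the key is absent from the request
         # context, which is the case for long-term access keys used without MFA.
         "Condition": {"BoolIfExists": {"aws:MultiFactorAuthPresent": "false"}}},
    ],
}

# Stand-in for the AWS managed AdministratorAccess policy (full access).
ADMIN_POLICY = {"Version": "2012-10-17",
                "Statement": [{"Effect": "Allow", "Action": "*", "Resource": "*"}]}


def _as_list(value):
    return value if isinstance(value, list) else [value]


def _matches(patterns, value):
    # IAM wildcards are * and ?; action names are case-insensitive.
    return any(fnmatch.fnmatchcase(value.lower(), p.lower()) for p in _as_list(patterns))


def _condition_holds(condition, ctx):
    for operator, pairs in condition.items():
        for key, expected in pairs.items():
            if operator not in ("Bool", "BoolIfExists"):
                raise ValueError(f"unsupported condition operator: {operator}")
            present = key in ctx
            equal = present and str(ctx[key]).lower() == str(expected).lower()
            if operator == "Bool" and not equal:
                return False
            # BoolIfExists: a missing key does not make the condition fail.
            if operator == "BoolIfExists" and present and not equal:
                return False
    return True


def _statement_applies(stmt, action, resource, ctx):
    if "Action" in stmt and not _matches(stmt["Action"], action):
        return False
    if "NotAction" in stmt and _matches(stmt["NotAction"], action):
        return False
    resources = [r.replace("${aws:username}", ctx.get("aws:username", ""))
                 for r in _as_list(stmt["Resource"])]
    if not _matches(resources, resource):
        return False
    return _condition_holds(stmt.get("Condition", {}), ctx)


def is_allowed(policies, action, resource, ctx):
    """Simplified IAM evaluation: an applicable explicit Deny wins, otherwise any
    applicable Allow grants access, otherwise the request is implicitly denied."""
    allowed = False
    for policy in policies:
        for stmt in policy["Statement"]:
            if not _statement_applies(stmt, action, resource, ctx):
                continue
            if stmt["Effect"] == "Deny":
                return False
            allowed = True
    return allowed


if __name__ == "__main__":
    pols = [ADMIN_POLICY, MFA_ENFORCEMENT_POLICY]
    no_mfa = {"aws:username": "alice"}  # e.g. long-term access keys, no MFA key in context
    mfa = {"aws:username": "alice", "aws:MultiFactorAuthPresent": "true"}
    print(is_allowed(pols, "s3:ListAllMyBuckets", "*", no_mfa))
    print(is_allowed(pols, "iam:CreateVirtualMFADevice",
                     "arn:aws:iam::123456789012:mfa/alice", no_mfa))
    print(is_allowed(pols, "s3:ListAllMyBuckets", "*", mfa))
```

Swap `BoolIfExists` for `Bool` in the deny statement and re-run the first call: the long-term-key request would no longer be denied, because a plain `Bool` condition on an absent key evaluates to false and the deny never applies. That is the mistake this policy shape exists to avoid.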
Best practices: AWS CloudTrail (API activity logging)
CloudTrail records the API calls made in the account and delivers log files to an S3 bucket
Activate CloudTrail -> Grant access to the log bucket only to those who require it
                   |-> Apply the trail to all Regions (a single-Region trail misses activity elsewhere)
                   |-> Specify the S3 bucket where logs will be stored
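Once CloudTrail is delivering log files, the two earlier best practices (no root usage, MFA everywhere) become things you can verify from the logs. The block below is an added example, not from the course: it parses a CloudTrail log file in the `Records[]` shape that the `.json.gz` objects in S3 decompress to, and flags any root-user activity plus successful console sign-ins without MFA. The five records are constructed for this example (account ID, ARNs, IP addresses and timestamps are invented); the field names (`userIdentity.type`, `additionalEventData.MFAUsed`, `responseElements.ConsoleLogin`) are the ones CloudTrail actually uses.

```python
import json

# Constructed CloudTrail log file (Records[] structure as written to S3; values invented).
SAMPLE_LOG = json.dumps({"Records": [
    {"eventVersion": "1.08", "eventTime": "2024-05-01T10:00:00Z", "awsRegion": "us-east-1",
     "eventSource": "signin.amazonaws.com", "eventName": "ConsoleLogin",
     "userIdentity": {"type": "Root", "arn": "arn:aws:iam::123456789012:root",
                      "accountId": "123456789012"},
     "sourceIPAddress": "198.51.100.7",
     "responseElements": {"ConsoleLogin": "Success"},
     "additionalEventData": {"MFAUsed": "No"}},
    {"eventVersion": "1.08", "eventTime": "2024-05-01T10:05:00Z", "awsRegion": "us-east-1",
     "eventSource": "signin.amazonaws.com", "eventName": "ConsoleLogin",
     "userIdentity": {"type": "IAMUser", "userName": "alice",
                      "arn": "arn:aws:iam::123456789012:user/alice", "accountId": "123456789012"},
     "sourceIPAddress": "203.0.113.9",
     "responseElements": {"ConsoleLogin": "Success"},
     "additionalEventData": {"MFAUsed": "Yes"}},
    {"eventVersion": "1.08", "eventTime": "2024-05-01T10:12:00Z", "awsRegion": "us-east-1",
     "eventSource": "iam.amazonaws.com", "eventName": "CreateAccessKey",
     "userIdentity": {"type": "Root", "arn": "arn:aws:iam::123456789012:root",
                      "accountId": "123456789012"},
     "sourceIPAddress": "198.51.100.7",
     "requestParameters": {"userName": "deploy"}},
    {"eventVersion": "1.08", "eventTime": "2024-05-01T10:20:00Z", "awsRegion": "eu-west-1",
     "eventSource": "s3.amazonaws.com", "eventName": "ListBuckets",
     "userIdentity": {"type": "IAMUser", "userName": "alice",
                      "arn": "arn:aws:iam::123456789012:user/alice", "accountId": "123456789012"},
     "sourceIPAddress": "203.0.113.9"},
    {"eventVersion": "1.08", "eventTime": "2024-05-01T10:31:00Z", "awsRegion": "us-east-1",
     "eventSource": "signin.amazonaws.com", "eventName": "ConsoleLogin",
     "userIdentity": {"type": "IAMUser", "userName": "bob",
                      "arn": "arn:aws:iam::123456789012:user/bob", "accountId": "123456789012"},
     "sourceIPAddress": "192.0.2.44",
     "responseElements": {"ConsoleLogin": "Failure"},
     "additionalEventData": {"MFAUsed": "No"}},
]})


def load_records(log_text):
    """Parse one CloudTrail log file (the gzipped objects in S3 decompress to this shape)."""
    return json.loads(log_text)["Records"]


def _finding(kind, rec):
    return {"kind": kind, "eventTime": rec["eventTime"], "eventName": rec["eventName"],
            "principal": rec.get("userIdentity", {}).get("arn"),
            "sourceIPAddress": rec.get("sourceIPAddress")}


def detect(records):
    """Flag (a) any root-user activity, which should be rare once IAM users and groups
    are in place, and (b) successful console sign-ins that did not use MFA.
    Failed sign-ins are a separate signal (credential guessing) and are not flagged here."""
    findings = []
    for rec in records:
        if rec.get("userIdentity", {}).get("type") == "Root":
            findings.append(_finding("root-activity", rec))
        if (rec.get("eventName") == "ConsoleLogin"
                and rec.get("responseElements", {}).get("ConsoleLogin") == "Success"
                and rec.get("additionalEventData", {}).get("MFAUsed") == "No"):
            findings.append(_finding("console-login-without-mfa", rec))
    return findings


def count_by_kind(findings):
    counts = {}
    for f in findings:
        counts[f["kind"]] = counts.get(f["kind"], 0) + 1
    return counts


if __name__ == "__main__":
    found = detect(load_records(SAMPLE_LOG))
    for f in found:
        print(f)
    print(count_by_kind(found))
```

On the sample, only the two root records trigger findings (the root console login counts twice, as root activity and as a login without MFA); alice's MFA-backed login and bob's failed attempt are ignored. In production the same logic runs over every object the trail delivers to the bucket, or as a CloudWatch Logs metric filter on the same fields.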
Best practices: Billing report
Activate a billing report, such as the AWS Cost and Usage Report (delivered to an S3 bucket)
Activate billing report in AWS -> Grant access to the report bucket only to those who need it
                               |-> use AWS Cost and Usage Report
Security - AWS Compliance Program
################################
## AWS Compliance Program
- how laws, standards, and regulations impact security
- identify various regulatory compliance standards
- describe AWS compliance program
## Regulatory compliance and standards
Goal of security compliance
- security compliance ensures security controls meet regulatory and contractual requirements
- Regulations mandate security controls
Regulatory
- Country
- Industry
Contractual
- SLA - service level agreement
- PLA - project labor agreement
- vary between localities, jurisdictions, and cultures
- create policies to support and enforce compliance
Compliance levels and noncompliance
- Compliance levels vary by authority type. Noncompliance has consequences
- External authority
- Government or laws - mandatory
- Open standards - recommended
- Best practices - optional
- Consequences of noncompliance
- Government or laws - civil, criminal, or financial
- Open Standards - financial or participation
- Best practices - loss of customers, partners, or revenue
- Proper reporting required to prove compliance
National and international cybersecurity standards
- NIST, ENISA, ETSI, ISO, IETF, IEEE, COSO
PCI DSS
- Payment Card Industry (PCI) Data Security Standard (DSS), payment card transactions
HIPAA
- Health Insurance Portability and Accountability Act of 1996
- how protected health information (PHI) and other personally identifiable information must be safeguarded
Compliance standards: European Union
- General Data Protection Regulation (GDPR)
- enhanced control over personal and private data
Compliance standards: Canada
- Personal Information Protection and Electronic Documents Act (PIPEDA)
- how private sector collects, uses, and discloses personal information of clients
Compliance standards: Russia
- Russian federal law on personal data
- individual must provide consent
- can revoke previously granted consent
- transfer of data outside Russian Federation requires protection in destination country
Compliance standards: United States
- many compliance requirements
- Dodd-Frank, Gramm-Leach-Bliley, etc
## AWS compliance program
AWS risk and compliance program
- provide information about AWS controls
- assist customers in documenting security compliance framework
Three components
- AWS business risk management
- AWS control environment and automation
- AWS certifications and attestations
AWS business risk management
- perform risk assessments and risk monitoring of key AWS functional areas
- capture business risk management goals in a business plan that is reevaluated at least biannually
- goals include
- identify and remediate risks
- maintain register of known risks
- create and maintain security policies
- provide security training to AWS employees
- perform application security review
- also uses independent security firms to perform threat assessments
AWS control environment and automation
- integrate security and compliance requirements during design and development of each AWS service
- establishes control environment that
- includes people, policies, processes, and control activities
- secures delivery of AWS service offerings
- uses automation to eliminate potential process deviations
- integrate practices identified by industry-leading cloud bodies
AWS certifications and attestations
- regular third-party attestation audits to provide assurance that control activities are operating as intended
- audits performed against
- global and regional security frameworks
- customer contract and government regulatory requirements
- audit results are documented and available to customers in the AWS Artifact portal
Customer compliance responsibilities
- customers responsible for maintaining adequate governance over entire IT control environment
- customers need to:
- understand required compliance objectives and requirements
- establish a control environment that meets those objectives and requirements
- understand validation required based on organization's risk tolerance
- verify operating effectiveness of control environment
Security - AWS Security Resources
################################
## AWS Security Resources
- explore different types of security resources
AWS account teams
- first point of contact
- guide deployment
- point toward resources to resolve security issues
AWS Support plans
- basic support plan
- customer service and communities
- AWS Trusted Advisor
- Personal Health Dashboard
- three tiers of additional support
- Developer support plan
- Business Support plan
- Enterprise Support plan
AWS Developer Support
- for customers experimenting or testing on AWS (non-production workloads)
- email cloud support associates
- response times
- general guidance: 24 hours or less
- system impaired: 12 hours or less
AWS Business Support
- for users or businesses with production workloads within AWS
- support avail 24/7 by phone, chat, or email
- response times
- general: 24 hrs or less
- system impaired: 12 hours or less
- production system impaired: 4 hours or less
- production system down: 1 hour or less
AWS Enterprise Support
- business-critical workloads
- less than 15 minutes for business-critical outages
- 24/7 phone, chat, email
- dedicated technical account manager (TAM)
- response times
- general: 24 hrs or less
- system impaired: 12 hours or less
- production system impaired: 4 hours or less
- production system down: 1 hour or less
- business-critical down: 15 minutes or less
AWS Professional Service and Partner Network
Partner Network (APN) - global community of cloud software and service vendors; APN Partners are certified by AWS
APN Partners
- help customers implement and manage deployment
- develop security policies
- meet compliance requirements
- include system integrators and managed service providers
APN Technology Partners
- provide software tools and services hosted or run on AWS
- include independent software vendors (ISVs) and providers of SaaS
AWS advisories and bulletins
- provide information on current vulnerabilities and threats
- work with experts to address
- report abuse
- report vulnerabilities
- conduct penetration tests
AWS Auditor Learning Path
- help understand how internal operations gain compliance
- visit compliance website for
- recommended training
- self-paced labs
- auditing resources
AWS security benefits
- only commercial cloud service that has its services vetted and approved for top-secret workloads
- securely scale infrastructure
- automate security tasks
- integrated security services
- large infrastructure env prebuilt for customer
- AWS security is strategic and focuses on preventing, detecting, responding, and remediating