Back to Course

Introduction to AWS Security

0% Complete
0/0 Steps

  1. Introduction

    About the course and authors
  2. AWS cloud architecture
  3. Security concerns with our architecture
  4. Regions and Availability Zones (AZs)
  5. Shared responsibility in the cloud
  6. [Cheat Sheet] AWS Security Services
  7. [LAB] Create a billing alert to avoid surprise bills
  8. Infrastructure Security
    VPC networks
  9. Default VPCs
  10. [DEMO] Creating VPCs and Subnets
  11. How many VPCs should you use?
  12. [DEMO] Subnet, Route Table, and Gateway Configurations
  13. [LAB] [Challenge] Create a VPC with public and private subnets
  14. [DEMO] Security Groups (SGs)
  15. Security Groups Best Practices
  16. [DEMO] Network Access Control Lists (NACLs)
  17. [Cheat Sheet] SGs vs. NACLs
  18. [LAB] [Challenge] Configure security groups and NACLs to specific requirements
  19. Elastic Load Balancers
  20. [DEMO] AWS WAF
  21. [LAB] [Challenge] Deploy AWS WAF ACL for Application Load Balancer
  22. [DEMO] AWS Network Firewall - Part 1
  23. [DEMO] AWS Network Firewall - Part 2
  24. AWS Shield for DDoS Protection
  25. AWS Firewall Manager
  26. Identity and Access Management (IAM)
    Key Concepts of IAM in AWS
  27. [DEMO] Getting started with IAM in AWS
  28. [DEMO] Creating our first admin user
  29. Assigning permissions with policies
  30. [Cheat Sheet] Anatomy of an AWS IAM Policy
  31. [DEMO] Using Identity Center AWS SSO
  32. IAM Roles
  33. [DEMO] Creating a role for EC2 instances to access S3 buckets
  34. End-User Management with Amazon Cognito
  35. Data Protection
    Data protection in the cloud
  36. EBS Data Protection and Encryption
  37. Amazon RDS Data Protection and Encryption
  38. Key Management with AWS KMS
  39. [DEMO] Creating a Symmetric Encryption KMS Key
  40. Amazon S3 Bucket Protection
    Understanding Bucket Ownership
  41. Managing Access to Buckets
  42. [Cheat Sheet] S3 Bucket Policies vs. ACLs vs. IAM Policies
  43. [LAB] [Challenge] Create an IAM role for secure access to S3 based on a scenario
  44. Using Signed URLs
  45. Encrypting S3 Data
  46. [DEMO] Enable S3 Object Versioning
  47. [Cheat Sheet] Amazon S3 Protection Summary
  48. [Cheat Sheet] Create a least privilege S3 bucket policy
  49. Logging, Monitoring, and Incident Response
    AWS Log Types and Auditing Options
  50. [DEMO] Enable S3 Server Access Logs
  51. AWS CloudTrail
  52. Amazon CloudWatch
  53. [DEMO] CloudTrail Security Automation with CloudWatch Logs and SNS
  54. [DEMO] Amazon VPC Flow Logs
  55. Proper Logging and Monitoring
  56. Amazon GuardDuty
  57. [LAB] [DEMO] Enable Threat Detection with GuardDuty
  58. [DEMO] Amazon EventBridge
  59. AWS Config
  60. AWS Systems Manager
  61. [DEMO] AWS Config Automated Remediation with SSM
  62. Amazon Detective
  63. [LAB] [DEMO] Amazon Inspector
  64. [DEMO] Amazon Macie
  65. [DEMO] AWS Security Hub
  66. [DEMO] Must-have AWS monitoring and alerting with SSK
  67. Multi-Account Security
    [DEMO] AWS Organizations
  68. [DEMO] AWS SCPs and Management Policies
  69. AWS Control Tower
  70. Wrap-up and Key Takeaways
    What now?
Introduction to AWS Security Shared responsibility in the cloud
Lesson 5 of 70
In Progress

Shared responsibility in the cloud

Christophe October 18, 2022

Access the interactive diagram for this lesson here. (It may ask you to create a free account in order to view. You do not need paid features to view this course’s content so you can ignore that!)

What is shared responsibility?

In the traditional, good old on-premises world, we used to be responsible for pretty much everything in our data centers; starting from the physical layer, hardware, power, physical security, and going up to the application layer and, of course, protecting data that was stored and processed.

When you move to the cloud, you start sharing some of this responsibility with your cloud service provider.

As a matter of fact, you give up control and responsibilities for services that you consider trivial or commoditized. The level of responsibility you give up varies according to the type of service you are getting, such as: IaaS, PaaS, or SaaS.

IaaS refers to Infrastructure as a Service, which is a model where you, the customer, are responsible for deploying and configuring the network, deploying and managing the operating system, as well as applications.

When we talk about setting up VPCs, subnets, web servers, app servers, and databases, we are referring to IaaS.

PaaS, instead, is a model where you don’t have to worry about the underlying infrastructure such as the hardware and operating system. Instead of having to configure your own instances by selecting the instance type, the operating system, etc…you only have to worry about the application and your data.

An example of PaaS in AWS is AWS Lambda, which is a serverless offering. Instead of provisioning your own servers and running your code on those servers, you upload code functions to AWS Lambda, and Lambda will run that code for you whenever the code is needed. You don’t need to manage any infrastructure at all.

SaaS is what many of us are familiar with now because we use SaaS services on a daily basis. Services like Google Docs, Dropbox, Notion, etc… are all examples of SaaS services, and we can make use of these types of services on AWS as well.

Why does this matter?

Why does understanding these models matter, though, and what does it have to do with shared responsibility?

Loss of control is often a source of fear and uncertainty, even in the world of IT, and some organizations or individuals may not feel comfortable with giving up that amount of control to a third-party organization.

Or, in some cases, they may not truly understand where the line is drawn, which results in costly breaches we hear about in the news and we start to think that the cloud isn’t secure..

That’s why it’s important to understand who is responsible for what in the cloud, and in our case in AWS, so that we can better secure our data and resources.

AWS’ vs. Our Responsibility

So what is AWS’ responsibility and what is our responsibility when using the AWS cloud?

Generally speaking, Amazon is responsible for security “of” the cloud, while you, the customer, are responsible for security “in the cloud”.

In more detail, Amazon is responsible for providing the underlying hardware of the global AWS infrastructure. As we recently learned, this hardware is distributed in data centers across multiple regions and availability zones. On top of that, AWS provides computing resources, storage, databases and the networking layer.

What you are responsible for depends on the model you’re using — like if you’re using IaaS, you will have different responsibilities than if you are using PaaS.

Regardless of the type of cloud services that you are consuming, you have to configure and manage identities along with their permissions and access rights.

Most importantly, you are always responsible for your data and its protection. This includes all aspect of data security, including: confidentiality, integrity, and availability.

AWS, and as a matter of fact any cloud service provider, will provide you with the necessary tools and services that you need in order to secure your data, though you may sometimes want to use different third-party solutions or even build your own. At the end of the day, though, you are responsible for encrypting your data, controlling access to it and ensuring it is available.

Even though your data is stored in the cloud, it still remains your data, and your responsibility, regardless of the type of the cloud services that you are consuming.

That’s why it’s critical that we understand how to implement all necessary controls to protect our resources, data, and accounts.

Conclusion

With that out of the way, let’s complete this lesson and let’s get started talking about securing our infrastructure!

Responses

Your email address will not be published. Required fields are marked *

This site uses Akismet to reduce spam. Learn how your comment data is processed.

Report

Harassment or bullying behavior
Contains mature or sensitive content
Contains misleading or false information
Contains abusive or derogatory content
Contains spam, fake content or potential malware

Block Member?

Please confirm you want to block this member.

You will no longer be able to:

  • See blocked member's posts
  • Mention this member in posts

Please allow a few minutes for this process to complete.

Report

You have already reported this .