Chapitre4 AWS Cloud Security

Topics
• AWS shared responsibility model
• AWS Identity and Access Management (IAM)
• Securing a new AWS account
• Securing accounts
• Securing data on AWS
• Working to ensure compliance

Section 1: AWS shared responsibility model


Activities:

Section 2: AWS Identity and Access Management (IAM)

IAM is a no-cost AWS account feature.
• Use IAM to manage access to AWS resources
• Define fine-grained access rights:
  • Who can access the resource
  • Which resources can be accessed and what the user can do to the resource
  • How resources can be accessed

1. Essential IAM Components

IAM User: A person or application that can authenticate to an AWS account.
IAM Group: A group of IAM users sharing the same permissions.
IAM Policy: A JSON document defining permissions and accessible resources.
IAM Role: An IAM identity that can be assumed by a user, service, or application with specific permissions.

2. IAM Authentication
Programmatic Access: Via AWS CLI/SDK using an Access Key ID and a Secret Access Key.
AWS Console Access: Requires an account ID, username, password, and optionally MFA (Multi-Factor Authentication) for enhanced security.
3. IAM Authorization
IAM Policies: Define what a user, group, or role can do.
• A single policy can be attached to multiple entities
• A single entity can have multiple policies attached to it
Identity-based Policies: Attached to a user, group, or role.
Resource-based Policies: Attached to an AWS resource (e.g., S3 bucket).
Principle of Least Privilege: Always grant the minimum permissions necessary.

Permissions Hierarchy:
• All permissions are implicitly denied by default.
• An explicit allow is required for access.
• If something is explicitly denied, it is never allowed.
• An explicit deny always overrides an allow.

4. IAM Groups: There is no default group

Groups allow easy assignment of common permissions to multiple users.
A user can belong to multiple groups, but groups cannot be nested.

5. IAM Roles
Provide temporary access to AWS resources without creating new users.
A role can have permissions policies attached to it.
Use cases:
• An AWS service (e.g., EC2) accessing S3 via a role.
• A user from another AWS account assuming a role to access resources.

6. Example: Using an IAM Role

When an EC2 instance needs access to an S3 bucket:
1. An IAM policy granting access to the bucket is created.
2. The policy is attached to an IAM role.
3. The EC2 instance assumes the role and accesses S3 resources.

7. Key Takeaways
IAM enables fine-grained permission management using JSON policies.
IAM users, groups, and roles are the main entities.
IAM roles provide a secure way to delegate temporary access.

Section 4: Securing accounts

AWS Organizations
AWS Organizations allows centralized management of multiple AWS accounts.
Security Features:
• Group accounts into Organizational Units (OUs) with different access policies.
• Integrates with IAM: Permissions are the intersection of AWS Organizations and IAM policies.
• Service Control Policies (SCPs) restrict AWS services and API actions per account.

AWS Organizations: Service control policies

If a Service Control Policy (SCP) forbids access to S3 but an IAM policy allows it, access to S3 will be blocked.
Why?
SCPs define the maximum permissions that an AWS account can grant to its users (for all accounts in the organization). If an action is blocked by an SCP, no IAM policy can allow it.

• Service control policies (SCPs) offer centralized control over accounts.
• Limit permissions that are available in an account that is part of an organization.
• SCPs are similar to IAM permissions policies:
  • They use similar syntax.
  • However, an SCP never grants permissions.
  • Instead, SCPs specify the maximum permissions for an organization.
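To make the permissions hierarchy (section 3), the EC2-to-S3 role example (section 6) and the SCP rule above concrete, here is an added, simplified policy evaluator written for these notes; it is not AWS's evaluation logic and not code from the course. It assumes a hypothetical bucket name and handles only Effect/Action/Resource with "*" wildcards (no conditions, NotAction, or resource-based policies).

```python
import fnmatch

def _matches(pattern, value):
    # IAM-style wildcard match ("*" and "?"); accepts a string or a list of strings.
    patterns = [pattern] if isinstance(pattern, str) else pattern
    return any(fnmatch.fnmatchcase(value, p) for p in patterns)

def evaluate(policies, action, resource):
    """Apply the permissions hierarchy to a set of policies:
    implicit deny by default, explicit Allow required, explicit Deny always wins."""
    allowed = False
    for policy in policies:
        for stmt in policy["Statement"]:
            if _matches(stmt["Action"], action) and _matches(stmt["Resource"], resource):
                if stmt["Effect"] == "Deny":
                    return "Deny"          # an explicit deny is never overridden
                allowed = True
    return "Allow" if allowed else "Deny"  # nothing matched -> implicit deny

def evaluate_with_scp(scps, identity_policies, action, resource):
    """Effective permission = SCP maximum ∩ IAM identity policies.
    An SCP never grants; it only caps what the IAM policies may allow."""
    if evaluate(scps, action, resource) == "Deny":
        return "Deny"
    return evaluate(identity_policies, action, resource)

# Constructed sample policies; "example-bucket" is a hypothetical bucket name.
ROLE_POLICY = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": ["s3:GetObject", "s3:ListBucket"],
     "Resource": ["arn:aws:s3:::example-bucket", "arn:aws:s3:::example-bucket/*"]}]}
DENY_READS = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Deny", "Action": "s3:GetObject", "Resource": "arn:aws:s3:::example-bucket/*"}]}
SCP_FULL_ACCESS = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": "*", "Resource": "*"}]}
SCP_BLOCK_S3 = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": "*", "Resource": "*"},
    {"Effect": "Deny", "Action": "s3:*", "Resource": "*"}]}

if __name__ == "__main__":
    obj = "arn:aws:s3:::example-bucket/report.csv"
    print(evaluate([ROLE_POLICY], "s3:GetObject", obj))                           # Allow
    print(evaluate([ROLE_POLICY], "s3:DeleteObject", obj))                        # Deny (implicit)
    print(evaluate([ROLE_POLICY, DENY_READS], "s3:GetObject", obj))               # Deny (explicit wins)
    print(evaluate_with_scp([SCP_BLOCK_S3], [ROLE_POLICY], "s3:GetObject", obj))  # Deny (SCP caps IAM)
```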

AWS Key Management Service (AWS KMS) features:
• Enables you to create and manage encryption keys
• Enables you to control the use of encryption across AWS services and in your applications.

Amazon Cognito
Provides user authentication and access control for web and mobile applications.

AWS Shield
DDoS protection service for AWS applications.
Use it to minimize application downtime and latency.

Section 5: Securing data on AWS

Encryption of data at rest

Encryption encodes data with a secret key, which makes it unreadable.
• Only those who have the secret key can decode the data
• AWS KMS can manage your secret keys
• AWS supports encryption of data at rest
Data at rest = data stored physically (on disk or on tape)
• You can encrypt data stored in any service that is supported by AWS KMS, including:
  • Amazon S3
  • Amazon EBS
  • Amazon Elastic File System (Amazon EFS)
  • Amazon RDS managed databases

Encryption of data in transit (data moving across a network)

• Transport Layer Security (TLS), formerly SSL, is an open standard protocol
• AWS Certificate Manager provides a way to manage, deploy, and renew TLS or SSL certificates
• Secure HTTP (HTTPS) creates a secure tunnel
  • Uses TLS or SSL for the bidirectional exchange of data
AWS services support encryption of data in transit.

Section 6: Working to ensure compliance

AWS Artifact is an AWS service that provides access to compliance reports, certifications and security agreements related to AWS services. It helps companies meet regulatory requirements and ensure that their use of AWS is compliant.
• Is a resource for compliance-related information
• Provides access to security and compliance reports, and select online agreements
AWS security compliance programs provide information about the policies, processes, and controls that are established and operated by AWS:
• Help customers understand how AWS secures the cloud infrastructure.
• Provide audit reports and certifications to prove compliance with industry standards.
