The most significant advantage of the Amazon cloud platform is its scalability. Moreover, Amazon cloud security complies with the prescribed industry standards to keep your sensitive data well protected against vulnerabilities and breaches. AWS data centers are monitored around the clock, and remote access is granted only to a privileged few.
Although Amazon has done its part to make the cloud environment secure, it is your duty as a consumer to leverage the built-in security features in line with your business requirements so that your data and applications are well protected in the cloud.
Equal Security Responsibility
The first thing you need to understand as a consumer is that security responsibility is shared between the provider (Amazon) and the consumer (you). Amazon is responsible for the security of the host operating systems, the network, the virtualization layer, and the physical facilities; you are responsible for securing whatever you deploy on top of them.
Besides your data, your responsibility covers platform applications, identity and access management, the guest operating system, and network and firewall configuration. Amazon, in turn, is responsible for the security of the underlying cloud infrastructure.
Here’s a ready reckoner of the built-in Amazon security services and features you need to be aware of:
Identity and Access Management (IAM)
With Amazon’s Identity and Access Management (IAM), you can create users and groups, define roles, and grant or deny permissions to AWS resources such as RDS, VPC, IAM itself, and EC2. You can issue unique credentials to every user you grant access to your AWS account, each restricted to the access that user actually needs.
When MFA is enabled for a user, every attempt to access an AWS resource requires the username and password plus a one-time authentication code that is available only on that user’s registered MFA device.
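The following is an added example, not code from the original article or from AWS: a deliberately simplified model of how IAM evaluates an identity-based policy, used to show why an explicit Deny conditioned on the real `aws:MultiFactorAuthPresent` context key makes MFA mandatory for everything except MFA self-enrolment. The policy document and the request contexts are constructed for the example; the evaluation order (explicit Deny wins, then Allow, otherwise implicit Deny) follows IAM's documented rules, but wildcard matching and condition operators are reduced to what the example needs, and resource matching is omitted because every statement uses `Resource "*"`.

```python
"""Added example, not from the original article: a deliberately simplified model
of how IAM evaluates an identity-based policy, used to show why an explicit Deny
conditioned on aws:MultiFactorAuthPresent makes MFA mandatory. The policy and the
request contexts are constructed for this example. Evaluation order follows the
documented IAM rules (explicit Deny wins, then Allow, otherwise implicit Deny);
wildcard matching and condition operators are reduced to what the example needs,
and resource matching is omitted because every statement uses Resource "*".
"""
import fnmatch
import json

# Constructed policy (assumption: attached to a group of human users). Real
# deployments scope the MFA self-service statement to the caller's own user ARN.
MFA_ENFORCING_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "AllowEc2ReadOnly",
            "Effect": "Allow",
            "Action": ["ec2:Describe*"],
            "Resource": "*",
        },
        {
            "Sid": "AllowMfaSelfService",
            "Effect": "Allow",
            "Action": ["iam:EnableMFADevice", "iam:ListMFADevices"],
            "Resource": "*",
        },
        {
            # Explicit Deny of everything except MFA setup when the caller did
            # not authenticate with MFA. BoolIfExists also matches when the key
            # is absent from the request context entirely.
            "Sid": "DenyAllExceptMfaSetupWithoutMfa",
            "Effect": "Deny",
            "NotAction": ["iam:EnableMFADevice", "iam:ListMFADevices"],
            "Resource": "*",
            "Condition": {"BoolIfExists": {"aws:MultiFactorAuthPresent": "false"}},
        },
    ],
}


def _as_list(value):
    return value if isinstance(value, list) else [value]


def _action_matches(patterns, action):
    # IAM action names are matched case-insensitively and support '*' wildcards.
    return any(fnmatch.fnmatchcase(action.lower(), p.lower()) for p in patterns)


def _condition_holds(condition, context):
    """Evaluate the Bool / BoolIfExists operators against the request context."""
    for operator, pairs in condition.items():
        if operator not in ("Bool", "BoolIfExists"):
            raise ValueError(f"operator {operator} is not modelled in this example")
        for key, expected in pairs.items():
            present = key in context
            equal = present and str(context[key]).lower() == str(expected).lower()
            if operator == "Bool" and not equal:
                return False
            if operator == "BoolIfExists" and present and not equal:
                return False
    return True


def _statement_applies(stmt, action, context):
    if "Action" in stmt and not _action_matches(_as_list(stmt["Action"]), action):
        return False
    if "NotAction" in stmt and _action_matches(_as_list(stmt["NotAction"]), action):
        return False
    return _condition_holds(stmt.get("Condition", {}), context)


def evaluate(policy, action, context):
    """Return "Allow" or "Deny" for one API action under one policy document."""
    effects = {s["Effect"] for s in policy["Statement"] if _statement_applies(s, action, context)}
    if "Deny" in effects:
        return "Deny"          # an explicit Deny always wins
    if "Allow" in effects:
        return "Allow"
    return "Deny"              # nothing matched: implicit Deny


def policy_json(policy=MFA_ENFORCING_POLICY):
    """The document as you would paste into the IAM console or pass to put-group-policy."""
    return json.dumps(policy, indent=2)


if __name__ == "__main__":
    for action, ctx in [
        ("ec2:DescribeInstances", {"aws:MultiFactorAuthPresent": "true"}),
        ("ec2:DescribeInstances", {"aws:MultiFactorAuthPresent": "false"}),
        ("ec2:DescribeInstances", {}),
        ("iam:ListMFADevices", {"aws:MultiFactorAuthPresent": "false"}),
        ("iam:CreateUser", {"aws:MultiFactorAuthPresent": "true"}),
    ]:
        mfa = ctx.get("aws:MultiFactorAuthPresent", "absent")
        print(f"{action:24s} mfa={mfa:6s} -> {evaluate(MFA_ENFORCING_POLICY, action, ctx)}")
```

The last case in the demo is the one worth remembering: with MFA present, `iam:CreateUser` is still denied, but implicitly, because no statement allows it. The explicit Deny only removes access; granting it still requires an Allow, which is why the MFA self-service actions need their own Allow statement.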
Virtual Private Cloud (VPC)
VPCs give you control over all inbound and outbound network traffic and so let you isolate your cloud environment. You can use VPCs to protect your data and applications by restricting access to and from the Internet. Amazon cloud security features give you the added advantage of connecting your on-premises servers directly to an Amazon VPC without traversing public networks.
Security Groups, Network ACLs
Amazon provides security groups, which act as a virtual firewall controlling all inbound and outbound traffic for an instance. Each instance you launch in a VPC can be associated with up to five security groups. If, for example, you launch an instance through the Amazon EC2 API or a command-line tool without specifying a security group, the instance is automatically assigned to your VPC’s default security group.
Network ACLs (access control lists) work at the subnet level and are stateless. Because they support explicit deny rules, which security groups do not, they are the right tool when you need to blacklist traffic from a specific source IP address, for example to help mitigate a Distributed Denial of Service (DDoS) attack.
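The following is an added example, not code from the original article or from AWS: a small model of the two VPC traffic filters just described, to show the practical difference between a security group (stateful, allow rules only) and a network ACL (stateless, numbered allow/deny rules evaluated lowest number first, with an implicit final deny). The rule sets, addresses and ports are constructed for the example; the CIDRs are documentation ranges, not real hosts. The third scenario goes slightly beyond the text by showing the classic stateless-ACL mistake of forgetting the outbound rule for clients' ephemeral ports.

```python
"""Added example, not from the original article: a small model of the two VPC
traffic filters described above, to show the practical difference between a
security group (stateful, allow rules only) and a network ACL (stateless,
numbered allow/deny rules evaluated lowest number first, with an implicit final
deny). The rules, addresses and ports below are constructed for the example;
the CIDRs are documentation ranges, not real hosts.
"""
import ipaddress

# Security group for a web tier: allow HTTPS from anywhere. Security groups
# have no deny rules, so one abusive source cannot be excluded here without
# also dropping the 0.0.0.0/0 allow.
SG_WEB_INBOUND = [("tcp", 443, 443, "0.0.0.0/0")]   # (proto, from_port, to_port, cidr)

# Network ACL for the same subnet: rule 90 blocks one constructed source before
# rule 100 admits everyone else. Being stateless, the ACL also needs an outbound
# rule for the ephemeral ports that replies to clients go back to.
NACL_WEB = {
    "inbound": [
        (90, "deny", "tcp", 443, 443, "203.0.113.7/32"),
        (100, "allow", "tcp", 443, 443, "0.0.0.0/0"),
    ],
    "outbound": [
        (100, "allow", "tcp", 1024, 65535, "0.0.0.0/0"),
    ],
}

# Same ACL with the outbound ephemeral-port rule forgotten: a common mistake
# that makes inbound connections appear to hang.
NACL_WEB_NO_RETURN = {"inbound": NACL_WEB["inbound"], "outbound": []}


def _rule_matches(proto, lo, hi, cidr, flow_proto, port, remote_ip):
    return (proto == flow_proto and lo <= port <= hi
            and ipaddress.ip_address(remote_ip) in ipaddress.ip_network(cidr))


def security_group_allows(rules, proto, port, remote_ip):
    """Any matching allow rule admits the flow; otherwise it is dropped.
    Return traffic for an admitted connection needs no rule (stateful)."""
    return any(_rule_matches(p, lo, hi, cidr, proto, port, remote_ip)
               for p, lo, hi, cidr in rules)


def nacl_decision(rules, proto, port, remote_ip):
    """First matching rule in ascending number order wins; rule '*' denies the rest."""
    for number, action, p, lo, hi, cidr in sorted(rules, key=lambda r: r[0]):
        if _rule_matches(p, lo, hi, cidr, proto, port, remote_ip):
            return action, number
    return "deny", "*"


def https_session(sg_inbound, nacl, client_ip, client_port):
    """Trace one client -> instance:443 request and its reply through both filters.
    Returns a dict with the outcome and the rule that decided each leg."""
    trace = {}
    action, rule = nacl_decision(nacl["inbound"], "tcp", 443, client_ip)
    trace["nacl_inbound"] = (action, rule)
    if action != "allow":
        trace["outcome"] = "dropped at subnet boundary"
        return trace
    trace["sg_inbound"] = security_group_allows(sg_inbound, "tcp", 443, client_ip)
    if not trace["sg_inbound"]:
        trace["outcome"] = "dropped by security group"
        return trace
    # Reply leg: the security group tracks the connection, so only the stateless
    # NACL can still drop it, on the client's ephemeral port.
    action, rule = nacl_decision(nacl["outbound"], "tcp", client_port, client_ip)
    trace["nacl_outbound"] = (action, rule)
    trace["outcome"] = "established" if action == "allow" else "reply dropped by NACL"
    return trace


if __name__ == "__main__":
    print(https_session(SG_WEB_INBOUND, NACL_WEB, "198.51.100.10", 50000))
    print(https_session(SG_WEB_INBOUND, NACL_WEB, "203.0.113.7", 50000))
    print(https_session(SG_WEB_INBOUND, NACL_WEB_NO_RETURN, "198.51.100.10", 50000))
```

Note that the security group admits the blocked source just as happily as any other client; the exclusion works only because the network ACL is evaluated first and has a deny rule with a lower number than the general allow.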
Data Encryption
Amazon provides additional protection through data encryption for EBS volumes, Relational Database Service (RDS) instances, S3 buckets, and Glacier data stores. When you create an encrypted EBS volume and attach it to an instance, the data at rest on the volume, the disk I/O between the instance and the volume, and any snapshots created from that volume are all encrypted. With S3 server-side encryption, AWS encrypts each object with a unique key. Because Amazon uses the 256-bit Advanced Encryption Standard (AES-256), one of the strongest block ciphers available, your encrypted data is well protected.
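The following is an added example, not code from the original article or from AWS: an offline audit of the EBS and S3 encryption settings described above, run over constructed inventory data shaped like the relevant boto3 responses (`ec2.describe_volumes`, `ec2.describe_snapshots`, `s3.get_bucket_encryption`), together with a builder for the `ServerSideEncryptionConfiguration` body that `s3.put_bucket_encryption` accepts. The volume and snapshot IDs, bucket names and the KMS key ARN are constructed placeholders.

```python
"""Added example, not from the original article: an offline audit of the
encryption settings the text describes, run over constructed inventory data
shaped like the relevant boto3 responses (ec2.describe_volumes,
ec2.describe_snapshots, s3.get_bucket_encryption). Every ID, bucket name and
the KMS key ARN below is a constructed placeholder.
"""

EXAMPLE_KMS_KEY_ARN = "arn:aws:kms:us-east-1:111122223333:key/EXAMPLE-KEY-ID"  # constructed

# Constructed inventory, shaped like the 'Volumes' / 'Snapshots' lists boto3 returns.
VOLUMES = [
    {"VolumeId": "vol-0example1", "Encrypted": True, "KmsKeyId": EXAMPLE_KMS_KEY_ARN},
    {"VolumeId": "vol-0example2", "Encrypted": False},
]
SNAPSHOTS = [
    {"SnapshotId": "snap-0example1", "VolumeId": "vol-0example2", "Encrypted": False},
    {"SnapshotId": "snap-0example2", "VolumeId": "vol-0example1", "Encrypted": True},
]

# Constructed per-bucket results: the value is the get_bucket_encryption body,
# or None where the call raised ServerSideEncryptionConfigurationNotFoundError.
BUCKETS = {
    "example-logs": None,
    "example-data": {"ServerSideEncryptionConfiguration": {"Rules": [
        {"ApplyServerSideEncryptionByDefault": {"SSEAlgorithm": "AES256"}}]}},
    "example-secrets": {"ServerSideEncryptionConfiguration": {"Rules": [
        {"ApplyServerSideEncryptionByDefault": {"SSEAlgorithm": "aws:kms",
                                                "KMSMasterKeyID": EXAMPLE_KMS_KEY_ARN},
         "BucketKeyEnabled": True}]}},
}

# SSE-S3 (AES256) and SSE-KMS are the two default-encryption options audited here.
ACCEPTED_ALGORITHMS = {"AES256", "aws:kms"}


def audit_volumes(volumes):
    """One finding per EBS volume whose 'Encrypted' flag is not set."""
    return [f"EBS volume {v['VolumeId']} is not encrypted"
            for v in volumes if not v.get("Encrypted")]


def audit_snapshots(snapshots):
    """Snapshots of unencrypted volumes are themselves unencrypted; flag them too."""
    return [f"EBS snapshot {s['SnapshotId']} is not encrypted"
            for s in snapshots if not s.get("Encrypted")]


def bucket_default_algorithm(config):
    """Return the SSEAlgorithm of a bucket's default-encryption rule, or None."""
    if not config:
        return None
    rules = config.get("ServerSideEncryptionConfiguration", {}).get("Rules", [])
    for rule in rules:
        algo = rule.get("ApplyServerSideEncryptionByDefault", {}).get("SSEAlgorithm")
        if algo in ACCEPTED_ALGORITHMS:
            return algo
    return None


def audit_buckets(buckets):
    """One finding per bucket with no default server-side encryption rule."""
    return [f"S3 bucket {name} has no default server-side encryption"
            for name, config in buckets.items()
            if bucket_default_algorithm(config) is None]


def audit_all(volumes, snapshots, buckets):
    """Combined findings list; empty means everything in the inventory is encrypted."""
    return audit_volumes(volumes) + audit_snapshots(snapshots) + audit_buckets(buckets)


def default_encryption_config(kms_key_arn=None):
    """Build the ServerSideEncryptionConfiguration body for s3.put_bucket_encryption:
    SSE-KMS with the given key (S3 Bucket Keys enabled to reduce KMS calls) when a
    key ARN is supplied, otherwise SSE-S3 with AES256."""
    if kms_key_arn:
        return {"Rules": [{
            "ApplyServerSideEncryptionByDefault": {"SSEAlgorithm": "aws:kms",
                                                   "KMSMasterKeyID": kms_key_arn},
            "BucketKeyEnabled": True,
        }]}
    return {"Rules": [{"ApplyServerSideEncryptionByDefault": {"SSEAlgorithm": "AES256"}}]}


if __name__ == "__main__":
    for finding in audit_all(VOLUMES, SNAPSHOTS, BUCKETS):
        print("FINDING:", finding)
    print("Remediation body for example-logs:", default_encryption_config(EXAMPLE_KMS_KEY_ARN))
```

Against a live account you would replace the constructed dictionaries with the real API responses; the audit functions take the same shapes. The remediation body is what you would pass as `ServerSideEncryptionConfiguration` to `put_bucket_encryption` for each bucket that appears in the findings.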
Summing it Up
Leveraging the built-in Amazon cloud security features is easy and essential for protecting your data and applications in the cloud. In addition to the security services AWS itself provides, open-source and commercial packages in several categories and with various pricing plans are available on the AWS Marketplace. Whichever you choose, it is essential to learn how to use these powerful tools properly to protect your data and applications in the cloud.