AWS Shared Responsibility Model and Security Principles

Introduction

Security is a fundamental pillar of the AWS Well-Architected Framework, alongside operational excellence, reliability, performance efficiency, cost optimization, and sustainability. AWS follows a shared responsibility model, where:

• AWS is responsible for the security of the cloud (infrastructure, hardware, software, and global services).
• Customers are responsible for security in the cloud (data, applications, access control, and encryption).

Design Principles for the Security Pillar

To build a secure AWS environment, follow these key design principles:

1. Implement a Strong Identity Foundation

   • Use AWS Identity and Access Management (IAM) to control access.
   • Enforce multi-factor authentication (MFA) for additional security.

2. Protect Data in Transit and at Rest

   • Encrypt data in transit using TLS/SSL to secure network communications.
   • Encrypt data at rest using AWS Key Management Service (KMS) or client-side encryption.

3. Apply Security at All Layers

   • Implement security controls across networks, applications, and data storage.

4. Keep People Away from Data

   • Use automation to minimize human access to sensitive data.

5. Maintain Traceability

   • Enable AWS CloudTrail to log API activity and monitor changes.

6. Prepare for Security Events

   • Establish incident response plans and conduct regular security drills.

7. Automate Security Best Practices

   • Use AWS Config and AWS Systems Manager to enforce compliance.

Principle of Least Privilege

• Grant users and applications only the minimum permissions required to perform their tasks.
• Reduces the risk of accidental or malicious misuse of resources.

Data Encryption Methods

1. Encrypting Data in Transit

• Protects data while moving between services.
• Use TLS/SSL for secure communication.

2. Encrypting Data at Rest

• Ensures stored data remains secure.
• Client-Side Encryption: Data is encrypted before being uploaded to AWS.
• Server-Side Encryption: AWS services (e.g., Amazon S3) encrypt data automatically before storage.

Amazon S3 Storage Classes

Amazon S3 offers multiple storage classes for cost-effective data management:

• S3 Standard – High availability, low latency.
• S3 Intelligent-Tiering – Automatically moves data between tiers based on usage.
• S3 Standard-IA (Infrequent Access) – Lower cost for less frequently accessed data.
• S3 One Zone-IA – Lower cost, stored in a single Availability Zone.
• S3 Glacier Instant Retrieval – Low-cost archive with fast retrieval.
• S3 Glacier Flexible Retrieval – Economical storage with retrieval times from minutes to hours.
• S3 Glacier Deep Archive – Lowest cost for long-term retention.

Configuring Amazon S3 Lifecycle Policies

• Transition Actions: Move objects between storage classes automatically.
• Expiration Actions: Define when objects should be deleted.

AWS Identity and Access Management (IAM)

Authentication vs. Authorization

• Authentication (Who is requesting access?)

  • Verifies identity using credentials (username/password, access keys).
  • Applies to users, roles, and applications.

• Authorization (What are they allowed to do?)

  • Determines permissions via IAM policies.

IAM Terminologies

• IAM Resources: Users, groups, roles, policies, and identity providers.
• IAM Entities: Objects used for authentication (users, roles).
• IAM Identity: Objects that can be authorized (users, groups, roles).
• Principal: A person or application making requests to AWS.

IAM Credentials for Authentication

IAM Policies & Permissions

• Identity-Based Policies: Attached to users, groups, or roles.
• Resource-Based Policies: Attached to AWS resources (e.g., S3 bucket policies).

Conclusion

By following AWS security best practices, such as enforcing least privilege, encrypting data, and using IAM effectively organizations can build a secure, scalable, and compliant cloud environment. Leveraging AWS security services ensures robust protection while maintaining operational efficiency.