Dicoding Developer Coaching #52: Back-End | Segera Amankan Sumber Daya AWS Kamu

Transcript

1. Segera Amankan Sumber Daya AWS Kamu
   Dicoding Developer Coaching #52
   Fikri Helmi Setiawan
   Curriculum Developer
   REPLACE ME
   (Silakan ubah dengan image yang relevan sesuai materi)
   

   View Slide

2. Why should we think about
   “Security”?
   

   View Slide

3. We must put security first, because:
   ● Customer data is very sensitive.
   All of them MUST be kept in safe,
   secure, and reliable manner. If not,
   we broke the compliance and
   violate our customer privacy.
   ● All resources we use to run the
   application is critical. So we MUST
   restrict those resources from
   unauthorized access.
   

   View Slide

4. The security concept in AWS
   

   View Slide

5. AWS Shared Responsibility Model
   It’s a fundamental concept, and may be different depends on the services you use
   (managed services, serverless, platform as a service, etc)
   

   View Slide

6. Security Topics
   ● Encryption is the method by
   which information is
   converted into secret code
   that hides the information's
   true meaning.
   Encryption
   ● Firewall is a network
   security system that
   monitors and controls
   incoming and outgoing
   network traffic based on
   predetermined security
   rules.
   Firewall
   ● Access control is a
   security technique that
   regulates who or what
   can view or use
   resources in a
   computing environment
   Access Control
   

   View Slide

7. Encryption in AWS
   ● At rest (while it is stored on disks in AWS services)
   ○ Server-side (encryption of data at its destination by the application or service
   that receives it)
   ■ AWS Services-managed -> Automatically encrypt for Amazon EBS,
   Amazon S3, Amazon RDS, Amazon Redshift, Amazon ElastiCache, AWS
   Lambda, and Amazon SageMaker.
   ■ AWS KMS -> AWS services uses KMS keys to encrypt data, using AWS
   managed key or Customer managed key.
   ■ Customer-Provided -> Customer manage the keys locally and AWS
   manages the encryption process.
   ○ Client Side (encrypt data client-side and upload the encrypted data to AWS
   services)
   ■ Use a key stored in AWS Key Management Service (AWS KMS)
   ■ Use a key that you store within your application
   ● In transit (as it travels to and from AWS services)
   ○ We can leverage AWS Certificate Manager to manage SSL/TLS certificates or
   using client-side encryption.
   

   View Slide

8. Firewall in AWS
   ● Subnet-level using Network ACL
   ○ Layer of security for your VPC
   that acts as a firewall for
   controlling traffic in and out of
   one or more subnets.
   ● Instance-level using Security Group
   ○ Acts as a virtual firewall,
   controlling the traffic that is
   allowed to reach and leave the
   resources that it is associated
   with, such as EC2 instances.
   

   View Slide

9. Access Control in AWS
   

   View Slide

10. Authentication and Authorization
    ● Authentication
    ○ When you create your AWS account, you use a combination of an email
    address and a password to verify your identity. If the user types in the correct
    email and password, the system assumes the user is allowed to enter and
    grants them access. This is the process of authentication.
    ● Authorization
    ○ Once you’re inside your AWS account, you might be curious about what
    actions you can take. This is where authorization comes in. Authorization is
    the process of giving users permission to access AWS resources and
    services. Authorization determines whether the user can perform an
    action—whether it be to read, edit, delete, or create resources.
    

    View Slide

11. Protect the AWS Root User
    When you first create an AWS account, it begin with identity that has complete access
    to all AWS services and resources called the AWS root user.
    To ensure the safety of the root user:
    ● Choose a strong password for the root user.
    ● Never share your root user password or access keys with anyone.
    ● Disable or delete the access keys associated with the root user.
    ● Enable MFA on the root account
    ● Do not use the root user for administrative tasks or everyday tasks. Instead, create
    IAM user with adminstrator access or follow the principle of least privilege (grant
    only the necessary permissions to do a particular job and nothing more).
    

    View Slide

12. AWS Identity and Access Management
    We can do all those things leveraging AWS Identity and Access Management (IAM).
    ● What is AWS IAM?
    ○ It is a service that enables you to manage access to your AWS account and
    resources, provides a centralized view of authentication and authorization.
    ● IAM User
    ○ Represents a person or service that interacts with AWS.
    ● IAM Group
    ○ A collection of users. All users in the group inherit the permissions assigned
    to the group. This makes it easy to give permissions to multiple users at once.
    

    View Slide

13. Specific in IAM Policy
    ● To manage access and provide permissions to AWS services and resources, you
    create IAM policies and attach them to IAM users, groups, and roles.
    ● Whenever a user or role makes a request, AWS evaluates the policies associated
    with them.
    ● IAM Policy examples:
    

    View Slide

14. Demo
    Access Control using AWS IAM
    

    View Slide

15. Dicoding
    Dicoding
    Dicoding
    Dicoding Indonesia
    Contact us :
    Contact me :
    [email protected]
    REPLACE ME
    (Silakan ubah dengan image yang relevan sesuai materi)
    

    View Slide