demand, scalable, and pay-as-you-go.
TRADITIONAL IT (On-Premises)
• Buy servers upfront
• Maintain hardware manually
• Capacity planning is hard
• Slow provisioning (weeks/months)
• High operational cost
CLOUD COMPUTING
• Rent resources instantly
• No physical hardware management
• Scale up/down automatically
• Provision in minutes
• Pay only for what you use
CORE CONCEPT: THE AWS SHARED RESPONSIBILITY MODEL
AWS RESPONSIBILITY: Security "OF" the Cloud
• Physical data centers & facilities
• Global network infrastructure
• Regions & Availability Zones
• Edge locations & CDN
• Hypervisor & host OS
CUSTOMER RESPONSIBILITY: Security "IN" the Cloud
• Customer data: encryption, classification
• Applications: secure coding, patching
• IAM: access controls, MFA
• Guest OS & network: configuration, patching, firewalls
• Client-side and server-side encryption: key management
Gartner has predicted that through 2025, 99% of cloud security failures will be the customer's fault: the controls in the customer column, not the underlying platform, are where breaches actually happen.
the minimum permissions necessary to perform their tasks. Regularly review and adjust permissions.
Example: Instead of "s3:*" on "*", grant "s3:GetObject" on specific buckets only.
ENABLE MFA EVERYWHERE
Require Multi-Factor Authentication for all users, especially those with administrative privileges:
• Root account
• Admin users
• Privileged roles
• Cross-account access
USE IAM ROLES, NOT KEYS
Avoid long-term access keys. Use IAM roles with temporary credentials for applications and services. If you must use access keys, rotate them regularly.
CRITICAL IAM RULES
• Never use root for daily tasks: create individual IAM users (or, better, federated identities through IAM Identity Center) and lock away the root credentials.
• Enable IAM Access Analyzer: identify and validate permissions; detect unintended external access.
• Implement Service Control Policies: set permission guardrails across multiple accounts with AWS Organizations.
• Monitor with CloudTrail: log and monitor all API calls to detect unauthorized access.
POLICY STRUCTURE EXAMPLE
{
  "Version": "2012-10-17",
  "Statement": [{
    "Effect": "Allow",
    "Action": ["s3:GetObject"],
    "Resource": "arn:aws:s3:::mybucket/*",
    "Condition": {"Bool": {"aws:MultiFactorAuthPresent": "true"}}
  }]
}
Remember: IAM is your first line of defense. A single overly permissive policy can expose your entire infrastructure.
servers, load balancers, bastion hosts
2 PRIVATE SUBNET (APP): application servers, business logic
3 PRIVATE SUBNET (DATA): databases, caches, sensitive storage
SECURITY GROUPS
• Stateful (return traffic for an allowed connection is permitted automatically)
• Instance-level firewall (attached to the network interface)
• Allow rules only (no deny); anything not explicitly allowed is dropped
• Best practice: least privilege
NACLs
• Stateless (return traffic must be allowed explicitly, including the ephemeral port range 1024-65535)
• Subnet-level firewall
• Allow AND deny rules
• Rules evaluated in ascending rule-number order; first match wins, with an implicit deny at the end
GATEWAYS & CONNECTIVITY
• Internet Gateway (IGW): enables public subnet internet access
• NAT Gateway: allows private subnet outbound-only internet access
• VPC Peering: connect VPCs privately (same or cross-account)
• VPC Endpoints: private connectivity to AWS services
BEST PRACTICES
• Use a multi-tier architecture
• Keep databases in private subnets
• Enable VPC Flow Logs for monitoring
• Restrict security group rules (avoid 0.0.0.0/0 except for the ports a public-facing service must expose)
• Use both Security Groups AND NACLs
DEFENSE IN DEPTH
Layer multiple security controls: NACLs at the subnet boundary, Security Groups at the instance level, plus host-based firewalls and encryption.
→ 0.0.0.0/0 Outbound • (default: allow all)
• Can users access the website from the internet?
• Can the server respond back?
• Can SSH connect (22)?
• Can the instance call external APIs?
→ 0.0.0.0/0 Outbound • (default: allow all)
• Can users access the website from the internet? YES (inbound 80/443 allowed from 0.0.0.0/0)
• Can the server respond back? YES (security groups are stateful; the reply to an allowed connection needs no separate rule)
• Can SSH connect (22)? NO (no inbound rule for port 22, and there are no "allow" rules by default)
• Can the instance call external APIs? YES (default outbound allows all)
• Rule 100 → ALLOW 80
• Rule 110 → DENY ALL
Can users access the web server? NO. NACLs are:
• Stateless
• Evaluated in order
The request on port 80 is allowed in, but the server's reply goes to the client's ephemeral source port, and there is no ALLOW for it in the outbound direction, so it falls through to DENY ALL. Fix: add an outbound rule for the ephemeral range 1024-65535 with a lower number than the DENY ALL (and an inbound ephemeral rule for connections the server itself initiates).
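The two quiz scenarios above, worked through in code. This is an added illustration, not code from the original deck: it models only the documented semantics (security groups are stateful and allow-only; NACLs are stateless, evaluated in ascending rule-number order, with an implicit deny at the end), and the rule sets, client address and ephemeral port are constructed for the example. The third scenario goes slightly beyond the slide and shows why rule numbering matters.

```python
"""Stateful vs. stateless firewall evaluation for the security-group and NACL
quiz scenarios. Added illustration, not code from the deck; rule sets and
addresses are constructed."""
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Rule:
    action: str          # "allow" or "deny" (security groups only ever use "allow")
    ports: tuple         # inclusive (low, high) destination-port range
    cidr: str            # peer CIDR: source for inbound, destination for outbound
    number: int = 0      # NACL rule number; ignored by security groups

    def matches(self, ip: str, port: int) -> bool:
        in_cidr = ipaddress.ip_address(ip) in ipaddress.ip_network(self.cidr, strict=False)
        return in_cidr and self.ports[0] <= port <= self.ports[1]


class SecurityGroup:
    """Instance-level and stateful: a reply to an allowed inbound connection is
    permitted from the connection table, not from the outbound rules."""

    def __init__(self, inbound, outbound):
        self.inbound, self.outbound = list(inbound), list(outbound)
        self._flows = set()      # tracked connections: (peer ip, instance port)

    @staticmethod
    def _permits(rules, ip, port):
        return any(r.matches(ip, port) for r in rules)   # no deny rules; unmatched = dropped

    def inbound_ok(self, src_ip, dst_port):
        ok = self._permits(self.inbound, src_ip, dst_port)
        if ok:
            self._flows.add((src_ip, dst_port))
        return ok

    def outbound_ok(self, dst_ip, dst_port):
        return self._permits(self.outbound, dst_ip, dst_port)

    def reply_ok(self, peer_ip, instance_port):
        return (peer_ip, instance_port) in self._flows   # rules are not consulted


class NetworkAcl:
    """Subnet-level and stateless: every packet, replies included, is checked
    against the rules for its direction; lowest matching rule number wins."""

    def __init__(self, inbound, outbound):
        self.inbound = sorted(inbound, key=lambda r: r.number)
        self.outbound = sorted(outbound, key=lambda r: r.number)

    @staticmethod
    def _evaluate(rules, ip, port):
        for rule in rules:
            if rule.matches(ip, port):
                return rule.action == "allow"
        return False                                      # implicit "*" DENY

    def inbound_ok(self, src_ip, dst_port):
        return self._evaluate(self.inbound, src_ip, dst_port)

    def outbound_ok(self, dst_ip, dst_port):
        return self._evaluate(self.outbound, dst_ip, dst_port)


CLIENT = "198.51.100.7"          # constructed internet client
ANY = "0.0.0.0/0"
ALL_PORTS = (0, 65535)
EPHEMERAL = (1024, 65535)        # clients receive replies on a port in this range


def web_sg_scenario():
    """Inbound 80/443 from anywhere plus the AWS default outbound (allow all)."""
    sg = SecurityGroup(inbound=[Rule("allow", (80, 80), ANY), Rule("allow", (443, 443), ANY)],
                       outbound=[Rule("allow", ALL_PORTS, ANY)])
    return {"website": sg.inbound_ok(CLIENT, 80),
            "reply": sg.reply_ok(CLIENT, 80),
            "ssh": sg.inbound_ok(CLIENT, 22),
            "external_api": sg.outbound_ok("203.0.113.10", 443)}


def nacl_scenario(allow_ephemeral_out: bool):
    """Rule 100 ALLOW 80 in, rule 110 DENY ALL; optionally an outbound rule 100
    for the ephemeral range so the server's reply can leave the subnet."""
    outbound = [Rule("deny", ALL_PORTS, ANY, 110)]
    if allow_ephemeral_out:
        outbound.append(Rule("allow", EPHEMERAL, ANY, 100))
    acl = NetworkAcl(inbound=[Rule("allow", (80, 80), ANY, 100), Rule("deny", ALL_PORTS, ANY, 110)],
                     outbound=outbound)
    return {"request_in": acl.inbound_ok(CLIENT, 80),
            "reply_out": acl.outbound_ok(CLIENT, 40000)}   # reply to the client's ephemeral port


def nacl_order_scenario():
    """DENY ALL numbered 90 is evaluated before ALLOW 80 at 100, so the allow
    is never reached: order, not just content, decides the outcome."""
    acl = NetworkAcl(inbound=[Rule("allow", (80, 80), ANY, 100), Rule("deny", ALL_PORTS, ANY, 90)],
                     outbound=[Rule("allow", EPHEMERAL, ANY, 100)])
    return acl.inbound_ok(CLIENT, 80)


if __name__ == "__main__":
    print("security group:", web_sg_scenario())
    print("NACL as on the slide:", nacl_scenario(allow_ephemeral_out=False))
    print("NACL with ephemeral allow:", nacl_scenario(allow_ephemeral_out=True))
    print("NACL with DENY ALL at 90:", nacl_order_scenario())
```

Running it prints YES/YES/NO/YES for the security-group questions, a blocked reply for the NACL as drawn on the slide, and a working reply once the ephemeral-range rule sits ahead of the DENY ALL.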
Service provides centralized control over cryptographic keys with automatic rotation and audit logging.
• Customer managed keys: full control over key policy, rotation, and deletion
• AWS managed keys: automatic, service-integrated
ENCRYPTION AT REST
• Amazon S3: SSE-KMS, SSE-S3, or client-side encryption. Enable S3 Bucket Keys to reduce SSE-KMS request costs by up to 99%.
• Amazon RDS: enable encryption at launch using KMS keys. Encrypts the underlying storage, backups, and snapshots.
• Amazon EBS: encrypt volumes during creation. Snapshots and AMIs taken from encrypted volumes are encrypted automatically.
ENCRYPTION IN TRANSIT
• TLS/SSL everywhere: enforce HTTPS-only connections (for S3, a bucket policy that denies requests with aws:SecureTransport set to false). Use ACM for certificate management.
• VPC Endpoints: private connectivity to AWS services without traversing the public internet.
• AWS Certificate Manager: provision, manage, and deploy SSL/TLS certificates automatically.
SECRETS MANAGEMENT
• AWS Secrets Manager: rotate, manage, and retrieve credentials. Automatic rotation for RDS.
• Parameter Store: secure hierarchical storage for config data and secrets. Standard parameters are free.
KEY BEST PRACTICES
• Enable automatic key rotation (available for symmetric customer managed keys)
• Use customer managed keys for sensitive data
• Monitor KMS usage with CloudTrail
• Implement least-privilege key policies
Scalable object storage for files, backups, and application data. Buckets are private by default, but misconfiguration by humans remains the leading cause of S3 data exposures.
Critical Security Risks
• Misconfigured bucket policies: public access via Principal: "*"
• ACL vulnerabilities: overly permissive access control lists
• Unintentional public exposure: human error in settings
• Lack of encryption: data at rest and in transit
Essential Security Measures
• Block Public Access: account- and bucket-level settings
• Encryption: SSE-S3/SSE-KMS at rest, HTTPS in transit
• Versioning + MFA Delete: prevent data loss and unauthorized deletion
• Least-privilege IAM: avoid wildcards like s3:*
• CloudTrail logging: track all access activity (enable S3 data events to capture object-level reads and writes)
• GuardDuty integration: detect anomalous access patterns
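The IAM slide's "s3:* on *" anti-pattern and this slide's Principal: "*" bucket policy are both visible in the policy JSON before anything is deployed. The following is an added example, not code from the deck or from AWS, of a small static checker for those mistakes: wildcard actions or resources, Allow statements without the aws:MultiFactorAuthPresent condition the IAM slide recommends, and bucket-policy statements that grant access to everyone with no Condition. The four policies are constructed samples (the least-privilege one is the deck's own example); the checks are heuristics, do not expand partial wildcards such as s3:Get*, and are no substitute for IAM Access Analyzer.

```python
"""Static checks on IAM and S3 bucket policy documents. Added illustration;
sample policies are constructed."""
import json


def _as_list(value):
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def is_anonymous(principal) -> bool:
    """Principal "*" and {"AWS": "*"} both mean everyone, authenticated or not."""
    if principal == "*":
        return True
    if isinstance(principal, dict):
        return "*" in _as_list(principal.get("AWS"))
    return False


def has_mfa_condition(condition: dict) -> bool:
    for operator in ("Bool", "BoolIfExists"):
        values = _as_list(condition.get(operator, {}).get("aws:MultiFactorAuthPresent"))
        if any(str(v).lower() == "true" for v in values):
            return True
    return False


def analyze_policy(doc: dict) -> list:
    findings = []
    for index, st in enumerate(_as_list(doc.get("Statement"))):
        sid = st.get("Sid", f"Statement[{index}]")
        if st.get("Effect") != "Allow":
            continue                       # Deny only narrows access; Principal "*" is fine there
        actions = _as_list(st.get("Action"))
        resources = _as_list(st.get("Resource"))
        condition = st.get("Condition", {})
        resource_policy = "Principal" in st    # bucket and trust policies name a principal
        if "NotAction" in st or "NotResource" in st:
            findings.append(f"{sid}: NotAction/NotResource in an Allow is an inverted wildcard")
        if any(a == "*" or a.endswith(":*") for a in actions):
            findings.append(f"{sid}: wildcard Action {actions}")
        if "*" in resources:
            findings.append(f'{sid}: Resource "*" grants access to every resource')
        if not resource_policy and not has_mfa_condition(condition):
            findings.append(f"{sid}: no aws:MultiFactorAuthPresent condition")
        if is_anonymous(st.get("Principal")) and not condition:
            findings.append(f'{sid}: {actions} granted to everyone (Principal "*") with no Condition')
    return findings


# --- constructed sample policies ---------------------------------------------
OVERLY_PERMISSIVE = json.loads("""
{"Version": "2012-10-17",
 "Statement": [{"Sid": "S3Admin", "Effect": "Allow", "Action": "s3:*", "Resource": "*"}]}
""")

LEAST_PRIVILEGE = {"Version": "2012-10-17", "Statement": [{
    "Sid": "ReadOneBucket", "Effect": "Allow", "Action": ["s3:GetObject"],
    "Resource": "arn:aws:s3:::mybucket/*",
    "Condition": {"Bool": {"aws:MultiFactorAuthPresent": "true"}}}]}

PUBLIC_BUCKET = {"Version": "2012-10-17", "Statement": [{
    "Sid": "PublicRead", "Effect": "Allow", "Principal": "*",
    "Action": "s3:GetObject", "Resource": "arn:aws:s3:::mybucket/*"}]}

TLS_ONLY_BUCKET = {"Version": "2012-10-17", "Statement": [{
    "Sid": "DenyInsecureTransport", "Effect": "Deny", "Principal": "*",
    "Action": "s3:*", "Resource": ["arn:aws:s3:::mybucket", "arn:aws:s3:::mybucket/*"],
    "Condition": {"Bool": {"aws:SecureTransport": "false"}}}]}

if __name__ == "__main__":
    for name, doc in [("overly permissive", OVERLY_PERMISSIVE), ("least privilege", LEAST_PRIVILEGE),
                      ("public bucket", PUBLIC_BUCKET), ("TLS-only bucket", TLS_ONLY_BUCKET)]:
        print(f"{name}: {analyze_policy(doc) or 'OK'}")
```

The Deny-with-Principal-"*" case is included deliberately: the same principal that makes an Allow public is exactly what an "HTTPS only" deny needs to cover, so a checker that flags "*" without looking at the Effect produces false positives on good policies.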
healthcare staff records were exposed after an AWS S3 bucket was misconfigured and left unprotected. Sensitive personal information was accessible to anyone who knew the bucket URL.
accessible AWS S3 bucket exposed sensitive internal business data and cloud credentials, demonstrating how simple storage misconfigurations can lead to major enterprise data leaks without any hacking.
is BEST practice? A) Share the root account B) Create one shared admin user C) Use IAM roles with temporary access D) Give everyone AdministratorAccess permanently
•App servers •Database Which layout is MOST secure? A) All in public subnet B) Web public, App private, DB private C) All private D) DB public, others private
traffic from users. Which SG rule is correct? A) Allow all ports from 0.0.0.0/0 B) Allow 80 and 443 from 0.0.0.0/0 C) Allow 22 only D) Allow all outbound only
wants: •centralized GuardDuty findings •single dashboard Best architecture? A) Enable GuardDuty separately in each account B) Share credentials C) Use a GuardDuty delegated administrator account (formerly called the master account) D) Use CloudTrail only
& Alarms — Collect and track metrics, collect and monitor log files, and set alarms.
• EC2 CPU (memory and disk metrics require the CloudWatch agent)
• Lambda invocations
• Custom metrics
• Logs Insights
AWS CloudTrail
API Auditing & Governance — Records AWS API calls, user activities, and changes to resources.
• Who made the call? (IAM identity)
• What was the API call?
• When did it happen? (timestamp)
• Where did it originate? (source IP address)
VPC Flow Logs
Network Traffic Visibility — Capture IP traffic information for network interfaces in your VPC.
• Source/destination IP
• Port numbers
• Protocol
• Accept/Reject
WHY MONITORING MATTERS
1 Detect anomalies
2 Compliance requirements
3 Incident response
4 Cost optimization
Best practice: enable a multi-region CloudTrail trail (an organization trail when using AWS Organizations) so every region and account is covered, enable VPC Flow Logs on ALL VPCs or subnets, and set CloudWatch alarms for critical metrics.
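CloudTrail's who / what / when / where only detects anything if something reads the records. The following is an added example, not code from the deck: a minimal triage pass over CloudTrail events that extracts those four fields and raises alerts for root-account activity, console sign-ins that succeeded without MFA, and calls from outside an allow-listed source range. The records are constructed samples that follow the documented CloudTrail field names (userIdentity.type, additionalEventData.MFAUsed, sourceIPAddress); the account ID and "corporate" CIDR are assumptions for illustration.

```python
"""CloudTrail triage: who / what / when / where per record, plus three simple
detections. Added illustration; records and CIDR are constructed."""
import ipaddress

CORPORATE_CIDRS = [ipaddress.ip_network("203.0.113.0/24")]   # assumed office egress range
ACCOUNT = "123456789012"                                     # assumed account ID

EVENTS = [   # constructed sample records, not real CloudTrail output
    {"eventTime": "2024-03-01T09:12:44Z", "eventSource": "signin.amazonaws.com",
     "eventName": "ConsoleLogin", "sourceIPAddress": "203.0.113.5",
     "userIdentity": {"type": "IAMUser", "arn": f"arn:aws:iam::{ACCOUNT}:user/alice"},
     "additionalEventData": {"MFAUsed": "Yes"}, "responseElements": {"ConsoleLogin": "Success"}},
    {"eventTime": "2024-03-01T23:41:02Z", "eventSource": "signin.amazonaws.com",
     "eventName": "ConsoleLogin", "sourceIPAddress": "198.51.100.23",
     "userIdentity": {"type": "Root", "arn": f"arn:aws:iam::{ACCOUNT}:root"},
     "additionalEventData": {"MFAUsed": "No"}, "responseElements": {"ConsoleLogin": "Success"}},
    {"eventTime": "2024-03-01T23:43:10Z", "eventSource": "s3.amazonaws.com",
     "eventName": "PutBucketPolicy", "sourceIPAddress": "198.51.100.23",
     "userIdentity": {"type": "IAMUser", "arn": f"arn:aws:iam::{ACCOUNT}:user/bob"}},
    {"eventTime": "2024-03-02T08:00:00Z", "eventSource": "s3.amazonaws.com",
     "eventName": "GetObject", "sourceIPAddress": "203.0.113.9",
     "userIdentity": {"type": "AssumedRole",
                      "arn": f"arn:aws:sts::{ACCOUNT}:assumed-role/AppRole/i-0abc123"}},
    {"eventTime": "2024-03-02T08:05:00Z", "eventSource": "ec2.amazonaws.com",
     "eventName": "RunInstances", "sourceIPAddress": "cloudformation.amazonaws.com",
     "userIdentity": {"type": "AssumedRole", "invokedBy": "cloudformation.amazonaws.com",
                      "arn": f"arn:aws:sts::{ACCOUNT}:assumed-role/DeployRole/stack"}},
]


def describe(event: dict) -> dict:
    """The four questions the slide says CloudTrail answers for every call."""
    identity = event.get("userIdentity", {})
    return {"who": identity.get("arn", "unknown"),
            "what": f"{event.get('eventSource')}:{event.get('eventName')}",
            "when": event.get("eventTime"),
            "where": event.get("sourceIPAddress")}


def from_trusted_source(source: str) -> bool:
    try:
        addr = ipaddress.ip_address(source)
    except ValueError:
        # Not an IP address: an AWS service (e.g. "cloudformation.amazonaws.com")
        # made the call on the principal's behalf, so there is no client address to judge.
        return True
    return any(addr in net for net in CORPORATE_CIDRS)


def detect(events) -> list:
    """Return (rule_name, who/what/when/where) tuples for suspicious records."""
    alerts = []
    for event in events:
        summary = describe(event)
        if event.get("userIdentity", {}).get("type") == "Root":
            alerts.append(("ROOT_ACTIVITY", summary))
        if (event.get("eventName") == "ConsoleLogin"
                and event.get("responseElements", {}).get("ConsoleLogin") == "Success"
                and event.get("additionalEventData", {}).get("MFAUsed") != "Yes"):
            alerts.append(("CONSOLE_LOGIN_WITHOUT_MFA", summary))
        if not from_trusted_source(summary["where"]):
            alerts.append(("EXTERNAL_SOURCE_IP", summary))
    return alerts


if __name__ == "__main__":
    for rule, s in detect(EVENTS):
        print(f"{rule:26} {s['when']} {s['who']} {s['what']} from {s['where']}")
```

On the sample set the root sign-in trips all three rules and bob's PutBucketPolicy from the same outside address trips the source-IP rule, which is the kind of correlation (root + no MFA + unfamiliar IP, followed by a policy change) that should page someone. Service-originated calls are deliberately not treated as external, since their sourceIPAddress is a service hostname rather than a client address.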