Ensuring that your aws infrastructure is secure is a responsibility that's shared between you and Amazon.
Amazon is responsible for mainly:
- Ensuring physical hardware that your resources (e.g. EC2 instances are running on). E.g. limit access to who is allowed to walk into AWS's AZs (data centres)
- Ensuring that internal data transfers are secure, e.g. data transfers between S3 buckets and EC2 instances. Also data transfers between physical hardware
We are responsible for:
- Ensuring we use AMIs that are secure, i.e. don't have api keys or ssh keys hardcoded in them.
- Performing OS software updates and security patches
- Keeping "Data at rest" secure - e.g. persistant data on our EBS. We can select the ebs encrypt option when creating our instances, also encrypt our filesystems using luksformat.
- OS configurations, e.g. firewalld and selinux
- software configurations, e.g. httpd settings
- Setting up ssl certificates
- Install firewalls
- securely accessing AWS, via bastion host, vpn, or AWS Direct Connect
- Properly configuring security groups and network acls
- ensuring our own developed apps are secure, e.g. add a login page to our apps, prompting user to log in, in order to access data.