Ensuring that your AWS infrastructure is secure is a responsibility that is shared between you and Amazon.
Amazon is mainly responsible for:
- Securing the physical hardware that your resources run on (e.g. the hosts behind your EC2 instances), for example by limiting who is allowed to walk into AWS's data centres (AZs).
- Ensuring that internal data transfers are secure, e.g. data transfers between S3 buckets and EC2 instances, and data transfers between pieces of physical hardware.
We are responsible for:
- Ensuring we use AMIs that are secure, i.e. that don't have API keys or SSH keys hardcoded in them.
- Performing OS software updates and security patches.
- Keeping "data at rest" secure – e.g. persistent data on our EBS volumes. We can select the EBS encryption option when creating our instances, and also encrypt our filesystems using cryptsetup luksFormat.
- OS configuration, e.g. firewalld and SELinux.
- Software configuration, e.g. httpd settings.
- Setting up SSL certificates.
- Installing firewalls.
- Securely accessing AWS, via a bastion host, a VPN, or AWS Direct Connect.
- Properly configuring security groups and network ACLs.
- Ensuring the apps we develop ourselves are secure, e.g. adding a login page that prompts the user to log in before they can access data.
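Two of the customer-side items above (encryption of EBS data at rest, and properly configured security groups) are easy to audit from the JSON that the AWS CLI returns. The following is an added example, not code from the original post: it parses constructed documents shaped like `aws ec2 describe-security-groups` and `aws ec2 describe-volumes` output for a hypothetical account, flags ingress rules open to the whole Internet on anything other than the web ports, and lists volumes that are not encrypted. The group and volume IDs, CIDRs and the PUBLIC_OK_PORTS allow-list are assumptions made for the example; no live API call is made.

```python
"""Audit two customer-side controls from the shared responsibility list:
security group ingress rules and EBS encryption at rest.

Both input documents are constructed samples whose shape follows the
output of `aws ec2 describe-security-groups` and `aws ec2 describe-volumes`.
IDs and addresses are hypothetical. Added example, not the post's own code.
"""
import json

# Constructed sample: three security groups with different exposure.
SECURITY_GROUPS_JSON = """
{
  "SecurityGroups": [
    {"GroupId": "sg-0example1", "GroupName": "web",
     "IpPermissions": [
       {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443,
        "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": []},
       {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
        "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": []}]},
    {"GroupId": "sg-0example2", "GroupName": "bastion",
     "IpPermissions": [
       {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
        "IpRanges": [{"CidrIp": "203.0.113.0/24"}], "Ipv6Ranges": []}]},
    {"GroupId": "sg-0example3", "GroupName": "wide-open",
     "IpPermissions": [
       {"IpProtocol": "-1",
        "IpRanges": [{"CidrIp": "0.0.0.0/0"}],
        "Ipv6Ranges": [{"CidrIpv6": "::/0"}]}]}
  ]
}
"""

# Constructed sample: three EBS volumes, two of them unencrypted.
VOLUMES_JSON = """
{
  "Volumes": [
    {"VolumeId": "vol-0example1", "Encrypted": true,  "State": "in-use"},
    {"VolumeId": "vol-0example2", "Encrypted": false, "State": "in-use"},
    {"VolumeId": "vol-0example3", "Encrypted": false, "State": "available"}
  ]
}
"""

# Ports a public web tier is expected to expose to the Internet (assumption);
# anything else reachable from anywhere is reported.
PUBLIC_OK_PORTS = {80, 443}
ANYWHERE = {"0.0.0.0/0", "::/0"}


def _rule_is_world_open(rule):
    """True if any IPv4 or IPv6 range on the rule covers every address."""
    cidrs = [r.get("CidrIp") for r in rule.get("IpRanges", [])]
    cidrs += [r.get("CidrIpv6") for r in rule.get("Ipv6Ranges", [])]
    return any(c in ANYWHERE for c in cidrs)


def _rule_ports(rule):
    """Port range covered by the rule, or None for 'all protocols' (-1)."""
    if rule.get("IpProtocol") == "-1":
        return None
    return range(rule["FromPort"], rule["ToPort"] + 1)


def find_open_security_groups(sg_doc):
    """Return (GroupId, description) for each ingress rule that is open to
    the world on a port outside PUBLIC_OK_PORTS."""
    findings = []
    for sg in json.loads(sg_doc)["SecurityGroups"]:
        for rule in sg.get("IpPermissions", []):
            if not _rule_is_world_open(rule):
                continue
            ports = _rule_ports(rule)
            if ports is None:
                findings.append((sg["GroupId"], "all protocols and ports open to the world"))
            elif not set(ports) <= PUBLIC_OK_PORTS:
                desc = f"{rule['IpProtocol']} {ports.start}-{ports.stop - 1} open to the world"
                findings.append((sg["GroupId"], desc))
    return findings


def find_unencrypted_volumes(vol_doc):
    """Return the VolumeId of every EBS volume not encrypted at rest."""
    return [v["VolumeId"] for v in json.loads(vol_doc)["Volumes"]
            if not v.get("Encrypted", False)]


if __name__ == "__main__":
    for group_id, desc in find_open_security_groups(SECURITY_GROUPS_JSON):
        print(f"security group {group_id}: {desc}")
    for volume_id in find_unencrypted_volumes(VOLUMES_JSON):
        print(f"volume {volume_id}: not encrypted at rest")
```

Against the constructed input the audit reports sg-0example1 (SSH open to the world) and sg-0example3 (all traffic open), while the bastion group, whose SSH rule is restricted to one CIDR, passes; it also reports the two unencrypted volumes. To run it against a real account, replace the two string constants with the output of the corresponding CLI commands.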