AWS – Shared (Security) Responsibility Model

Ensuring that your AWS infrastructure is secure is a responsibility that’s shared between you and Amazon.

Amazon is mainly responsible for:

  • Securing the physical hardware that your resources (e.g. EC2 instances) run on, e.g. limiting who is allowed to walk into AWS’s AZs (data centres)
  • Ensuring that internal data transfers are secure, e.g. data transfers between S3 buckets and EC2 instances, and also data transfers between physical hardware

We are responsible for:

  • Ensuring we use AMIs that are secure, i.e. that don’t have API keys or SSH keys hardcoded in them
  • Performing OS software updates and applying security patches
  • Keeping “data at rest” secure, e.g. persistent data on our EBS volumes. We can select the EBS encryption option when creating our instances, and also encrypt our filesystems using luksformat
  • OS configurations, e.g. firewalld and SELinux
  • Software configurations, e.g. httpd settings
  • Setting up SSL certificates
  • Installing firewalls
  • Securely accessing AWS, via a bastion host, VPN, or AWS Direct Connect
  • Properly configuring security groups and network ACLs
  • Ensuring our own developed apps are secure, e.g. adding a login page to our apps that prompts the user to log in before they can access data
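
Two of the customer-side items above (EBS encryption and security group configuration) can be checked mechanically. The following is an added example, not part of the original post: it audits dictionaries shaped like the boto3 EC2 `describe_volumes` and `describe_security_groups` responses. The function names, the list of admin ports and the sample data are assumptions made for illustration.

```python
# Added example: customer-side checks on EC2 API-shaped data (runs offline).
ADMIN_PORTS = {22: "SSH", 3389: "RDP"}  # assumption: reach these only via bastion/VPN
OPEN_CIDRS = {"0.0.0.0/0", "::/0"}      # "anyone on the internet"

def unencrypted_volumes(volumes_resp):
    """Return IDs of EBS volumes created without the encryption option."""
    return [v["VolumeId"] for v in volumes_resp.get("Volumes", [])
            if not v.get("Encrypted", False)]

def open_admin_rules(groups_resp):
    """Return (group_id, port, cidr) for admin ports open to the whole internet."""
    findings = []
    for sg in groups_resp.get("SecurityGroups", []):
        for perm in sg.get("IpPermissions", []):
            proto = perm.get("IpProtocol")
            if proto == "-1":                    # all protocols, all ports
                lo, hi = 0, 65535
            elif proto in ("tcp", "6"):
                lo, hi = perm.get("FromPort", 0), perm.get("ToPort", 65535)
            else:
                continue                         # udp/icmp: not covered here
            cidrs = [r["CidrIp"] for r in perm.get("IpRanges", [])]
            cidrs += [r["CidrIpv6"] for r in perm.get("Ipv6Ranges", [])]
            for cidr in sorted(OPEN_CIDRS.intersection(cidrs)):
                findings += [(sg["GroupId"], p, cidr)
                             for p in sorted(ADMIN_PORTS) if lo <= p <= hi]
    return findings

# Constructed sample data (not from a real account).
SAMPLE_VOLUMES = {"Volumes": [{"VolumeId": "vol-0aaa", "Encrypted": True},
                              {"VolumeId": "vol-0bbb", "Encrypted": False}]}
SAMPLE_GROUPS = {"SecurityGroups": [
    {"GroupId": "sg-web", "IpPermissions": [      # HTTPS to the world: fine
        {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443,
         "IpRanges": [{"CidrIp": "0.0.0.0/0"}]}]},
    {"GroupId": "sg-admin", "IpPermissions": [    # SSH to the world: flagged
        {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
         "IpRanges": [{"CidrIp": "0.0.0.0/0"}, {"CidrIp": "10.0.0.0/16"}]}]},
    {"GroupId": "sg-all", "IpPermissions": [      # everything over IPv6: flagged
        {"IpProtocol": "-1", "Ipv6Ranges": [{"CidrIpv6": "::/0"}]}]},
]}

if __name__ == "__main__":
    print("Unencrypted EBS volumes:", unencrypted_volumes(SAMPLE_VOLUMES))
    for gid, port, cidr in open_admin_rules(SAMPLE_GROUPS):
        print(f"{gid}: {ADMIN_PORTS[port]} ({port}) open to {cidr}")
```

Against a real account, the same functions can be fed the output of `boto3.client("ec2").describe_volumes()` and `describe_security_groups()`, paginating where the account is large.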

https://aws.amazon.com/compliance/shared-responsibility-model/