Besa Program - Week 7 : Security | Encryption | Firewalls

Linet KendiLinet Kendi
4 min read

🌟 Excited to Share Insights from Besa Session 7: Security | Encryption| Firewalls! 🌟

The most interesting bit for this session is the role play, And it shines light on how to engage with customers and respond.

  • 🔒 Access management and authentication are vital for maintaining security in AWS. By offering solutions for external user authentication using third-party identity providers, AWS ensures secure access to resources.

    • Access Management strategies

      • Role Based Access Control (RBAC)

      • Least Role Access/ Least Privilege Access (LRA)

      • SAML | Oauth 2.0 | OIDC - empowered by Amazon Cognito[ very helpful for startup since it easy to setup ]

        • ​​Security Assertion Markup Language, or SAML, is a standardized way to tell external applications and services that a user is who they say they are. Examples of IdPs include Active Directory, Azure Active Directory, Google, Facebook, and various enterprise identity management systems.

        • Cognito is used for App authentication using User Pools/directories or Federated Identities (AD, Google, Idp)

    • 3 A's of Security

      • Authentication [2FA/MFA]

        • What you know -> Credentials

        • What you have -> Soft or hard tokens

        • Who you Are -> Biometrics, DNA

      • Authorization

      • Accountability [Auditing / investigation] - enabled by Cloud Trail [logging of every API call/ activity]

    • AWS IAM service

      • Users

      • Groups

      • Roles

      • Policies

      • Federated Identity Access

    • AWS IAM Access Analyzer is a security service provided by AWS that helps you identify the resources in your AWS environment that are shared with an external entity.

  • 🔐 Encryption is an essential aspect of security, and AWS provides services for key management and encryption. This enables users to protect their data and ensure its confidentiality and integrity.

    • Encryption of data at rest / data in transit

      • KMS- AWS manages the key for customer. ​​[KMS is a fully managed service that makes it easy for you to create, manage, and use cryptographic keys. there is a cost asscociated with the services]

      • ​​Cloud HSM - Customer manages the key themselves. [​​CloudHSM provides dedicated, single-tenant HSM (hardware security module) appliances that are physically isolated and located in AWS data centers. it is provided by AWS. For completely/ strongly regulated industries i.e Banks/ Manufacturing]

    • Encryption of data in transit

    • client-side encryption, you encrypt the data before uploading it to Amazon S3.The encryption and decryption happen on the client-side, and Amazon S3 only sees the encrypted data.

    • With SSE-KMS, the data keys used to encrypt the objects are protected by a customer master key (CMK) stored in KMS.

  • 🛡️ Firewalls are crucial for network security, and AWS offers a centralized management solution for different types of firewalls. This simplifies the management and configuration of firewalls, enhancing overall security.

    • Firewalls in AWS

      • Security Groups - Instance/ resources level & Stateful

      • NACLs - Subnet level & Stateless

      • AWS WAF [provides protection on the application layer]

    • AWS WAF(Web Application Firewall) provides protection on the application layer and AWS Shield protects the infrastructure layers of the OSI model

  • 🚀 Network ACLs and security groups are effective tools for controlling inbound and outbound traffic. By using these features, users can define granular access controls, allowing only authorized traffic to reach their resources.

  • 🛡️ Shield is an AWS security service that provides protection against Distributed Denial of Service (DDoS) attacks. This service helps safeguard applications and ensures their availability during potential attacks.

    • AWS shield [protects the infrastructure layers of the OSI model]

      • Shield Standard - enabled by default and free, Layer 3/4

      • Shield Advanced - requires Monthly subscription , Layer 6/7, 24/7 SRT team

  • 🚨 The AWS Security Response Team (SRT) plays a crucial role in handling security breaches. Their expertise and prompt response help mitigate the impact of breaches, ensuring the security of AWS services and customer data.

    • Site Reliability Team (SRT) 24/7 available

    • The SRT is a team of engineers responsible for ensuring the reliability, availability, and scalability of an organization's technology infrastructure and services.

  • 🕵️ Other AWS services like:

    • AWS Config - Ensure Compliances to best Configuration standard

    • AWS Inspector - CVE

    • Amazon Macie, a data security service that uses machine learning (ML) and pattern matching to discover and help protect your sensitive data.

These services provide additional layers of security and help users monitor and protect their AWS resources effectively.

Kudos to the Besa team for curating yet another insightful and impactful session!💪 #Besa #SecureArchitecture #AWS #Technology #Innovation #ContinuousLearning

2
Subscribe to my newsletter

Read articles from Linet Kendi directly inside your inbox. Subscribe to the newsletter, and don't miss out.

aws securityAWS Certified Solutions Architect AssociatebesaprogramAWS

Written by

Linet Kendi
Linet Kendi

Cloud and Cyber Security enthusiast. I love collaborating on tech projects. Outside tech, I love hiking and swimming.