Day 2: Cloud Security – AWS Shared Responsibility Model & Protecting the AWS Root User | #100DaysOfCode
Guransh DeolToday, I delved into essential topics around Cloud Security on AWS. Here's a breakdown of what I learned:
1. AWS Shared Responsibility Model
The AWS Shared Responsibility Model is key to understanding security in the cloud. AWS and customers both have roles to play in securing applications and data. Here's how the responsibilities are divided:
| Category | Examples of AWS Services | AWS Responsibility | Customer Responsibility |
| Infrastructure Services | Amazon EC2, Elastic Load Balancing | AWS manages the underlying infrastructure and foundation services. | You control the operating system, application platform, encryption, and management of your data. |
| Container Services | Amazon RDS, Elastic Beanstalk | AWS manages the infrastructure, operating system, and application platform. | You are responsible for data encryption, network firewalls, and managing backups. |
| Abstracted Services | Amazon S3, DynamoDB | AWS operates the infrastructure, OS, platform, server-side encryption, and data protection. | You manage your customer data and ensure it’s protected through encryption. |
Key Takeaways:
Security of the Cloud: AWS manages everything that runs the cloud, including physical data centers, networking, and foundational infrastructure.
Security in the Cloud: As users, we are responsible for securing our applications, properly configuring services, encrypting data, and managing access controls.
2. Protecting the AWS Root User
The AWS Root User has ultimate control over your AWS account, making it extremely sensitive. Here are some best practices I learned for keeping the root user secure:
| Security Measure | Description |
| Strong Password | Use a strong password that’s difficult to guess, mixing letters, numbers, and symbols. |
| Disable Access Keys | Avoid creating access keys for the root user, and if already created, disable them unless absolutely necessary. |
| Limit Root User Access | Avoid using the root user for day-to-day tasks. Use it only for essential activities like account setup. |
| Enable Multi-Factor Authentication (MFA) | Adding MFA secures your account by requiring two forms of authentication: something you know (password) and something you have (MFA device). |
Why is Multi-Factor Authentication (MFA) Important?
MFA provides an additional layer of security beyond just a username and password. Even if an attacker manages to crack your password, they’d still need the second factor to gain access.
There are multiple types of MFA supported by AWS:
| MFA Device | Description | Examples |
| Virtual MFA Device | Software apps on mobile devices that generate one-time codes. Less secure than hardware options. | Google Authenticator, Authy |
| Hardware MFA Device | Physical key fobs or display cards that generate one-time codes. | Gemalto, Display Card |
| U2F Security Key | USB devices that provide an extra layer of security by requiring you to physically plug in the key. | YubiKey, NitroKey |
Steps to enable MFA on AWS Root User:
Go to My Security Credentials.
Select Activate MFA.
Choose the MFA device (Virtual, Hardware, U2F).
Scan the QR code (for Virtual MFA) or configure the hardware device.
Enter the generated code to verify and enable MFA.
Key Learnings:
The AWS Shared Responsibility Model distinguishes what AWS secures versus what you, the customer, must secure.
AWS Root User has immense control, so securing it with a strong password and MFA is critical.
MFA greatly improves security by requiring a second authentication factor, minimizing the risk of account compromise.
Next up, I’ll be learning more about securing cloud workloads, network security, and data protection! Stay Tuned!!!
Subscribe to my newsletter
Read articles from Guransh Deol directly inside your inbox. Subscribe to the newsletter, and don't miss out.
Written by