AWS for Cloud Computing

Module 4
Module:4 AWS Security and Compliance
AWS Identity and Access Management (IAM), AWS Shared
Responsibility Model in Security, AWS Key Management Service
(KMS), AWS Inspector, AWS Organizations, AWS Trusted Advisor,
Compliance on AWS.
AWS Identity and Access Management (IAM)
Introduction IAM

• What is IAM?
• AWS Identity and Access Management (IAM) is a web service for securely
controlling access to AWS resources. It enables you to create and control
services for user authentication or limit access to a certain set of people who
use your AWS resources.
• It controls the level of access a user can have over an AWS account & set
users, grant permission, and allows a user to use different features of an AWS
account.
• Identity and access management is mainly used to manage users, groups,
roles, and Access policies.
• The account we created to sign in to Amazon web services is known as the
root account and it holds all the administrative rights and has access to all
parts of the account.
Introduction IAM
• When you create an AWS account, you
begin with one sign-in identity that has
complete access to all AWS services
and resources in the account. This
identity is called the AWS account root
user and is accessed by signing in with
the email address and password that
you used to create the account.
• IAM deals with 4 terms such as users,
groups, Roles, and Policies.
• It controls both centralized and fine
grained-API resources plus a
management console.
• You can specify permissions to control
which operations a user or role can
perform on AWS resources
How IAM works IAM
• AWS Identity and Access Management provides the infrastructure necessary to
control authentication and authorization for your AWS account.
• First, a human user or an application uses their sign-in credentials to authenticate
with AWS. IAM matches the sign-in credentials to a principal (an IAM user,
federated user, IAM role, or application) trusted by the AWS account and
authenticates permission to access AWS.
• Next, IAM makes a request to grant the principal access to resources. IAM
grants or denies access in response to an authorization request.
How IAM works IAM
• For example, when you first sign in to the console and are on the console Home
page, you aren't accessing a specific service. When you select a service, you
send an authorization request to IAM for that service.
• IAM verifies that your identity is on the list of authorized users, determines
what policies control the level of access granted, and evaluates any other
policies that might be in effect.
• Principals within your AWS account or from another AWS account that you
trust can make authorization requests.
• Once authorized, the principal can perform actions or operations on resources in
your AWS account.
• For example, the principal could launch a new Amazon Elastic Compute Cloud
instance, modify IAM group membership, or delete Amazon Simple Storage
Service buckets.
• The following diagram illustrates this process through the IAM infrastructure
How IAM works: 6 Steps IAM
1. A principal is an entity that can perform
actions on an AWS resource. A user, a
role or an application can be a principal.
2. Authentication is the process of
confirming the identity of the principal
trying to access an AWS product. The
principal must provide its credentials or
required keys for authentication.
3. Request: A principal sends a request to
AWS specifying the action and which
resource should perform it.
4. Authorization: By default, all resources
are denied. IAM authorizes a request
only if all parts of the request are
allowed by a matching policy. After
authenticating and authorizing the
request, AWS approves the action.
5. Actions are used to view, create, edit or
delete a resource.
6. Resources: A set of actions can be
performed on a resource related to your
AWS account.
Components IAM
• 1. Users
• Users are entities you create to represent individual people or services that need
access to AWS resources. You can create an IAM user for each person or
application and assign permissions.
• 2. Groups
• Groups are collections of IAM users that you can manage as a single entity. By
assigning permissions to a group, all the users within that group inherit the
same permissions.
• 3. Roles
• Roles allow you to delegate access to AWS resources without needing to share
long-term security credentials like access keys. IAM roles are useful for giving
temporary access to users, services, or applications.
Components IAM
• 4. Policies
• Policies define permissions in AWS. These are JSON documents that specify
what actions are allowed or denied for users, groups, or roles. Policies are
attached to entities and determine the level of access.
• 5. Principles of IAM
• Least Privilege: Only grant permissions that are necessary for a user to perform
their tasks.
• Fine-grained Permissions: You can control access to specific actions and
resources, down to a very granular level.
• Temporary Credentials: IAM allows issuing temporary credentials to improve
security by reducing the risk associated with long-term credentials.
Components IAM
• 6. Multi-Factor Authentication (MFA)
• MFA adds an extra layer of security by requiring not only the username and password
but also a one-time code from a secondary device (e.g., a mobile authenticator app).
• 7. Access Keys
• Access Keys are used by programmatic users (applications or services) to interact
with AWS through APIs or the CLI. They consist of an access key ID and a secret
access key.
• 8. Federation
• Federated Users are users who do not have IAM accounts but can still access AWS
resources by using existing credentials (e.g., corporate credentials via Single Sign-On
or SSO).
• 9. Shared Responsibility Model
• In AWS, security is a shared responsibility between AWS and the customer. IAM
helps customers manage the security of their resources by giving them full control
over access permissions.
What Does IAM Do? IAM
With the help of IAM, it performs the following
• IAM Identities
• IAM Identities assists us in controlling which users can access which services and
resources in the AWS Console and also we can assign policies to the users, groups, and
roles. The IAM Identities can be created by using the Root user
• IAM Identities Classified As
1. IAM Users
2. IAM Groups
3. IAM Roles

• Root user
• The root user will automatically be created and granted unrestricted rights. We can create
an admin user with fewer powers to control the entire Amazon account.
What Does IAM Do? IAM
• IAM Users
• We can utilize IAM users to access the AWS Console and their administrative permissions differ from those of the
Root user and if we can keep track of their login information.
• Example
• With the aid of IAM users, we can accomplish our goal of giving a specific person access to every service available in
the Amazon dashboard with only a limited set of permissions, such as read-only access. Let’s say user-1 is a user that I
want to have read-only access to the EC2 instance and no additional permissions, such as create, delete, or update. By
creating an IAM user and attaching user-1 to that IAM user, we may allow the user access to the EC2 instance with the
required permissions.
• IAM Groups
• A group is a collection of users, and a single person can be a member of several groups. With the aid of groups, we can
manage permissions for many users quickly and efficiently.
• Example
• Consider two users named user-1 and user-2. If we want to grant user-1 specific permissions, such as the ability to
delete, create, and update the auto-calling group only, and if we want to grant user-2 all the necessary permissions to
maintain the auto-scaling group as well as the ability to maintain EC2, we can create groups and add this user to them.
If a new user is added, we can add that user to the required group with the necessary permissions.
What Does IAM Do? IAM
• IAM Roles
• While policies cannot be directly given to any of the services accessible through the Amazon
dashboard, IAM roles are similar to IAM users in that they may be assumed by anybody who
requires them. By using roles, we can provide AWS Services access rights to other AWS Services.
• Example
• Consider Amazon EKS. In order to maintain an autoscaling group, AWS eks needs access to EC2
instances. Since we can’t attach policies directly to the eks in this situation, we must build a role
and then attach the necessary policies to that specific role and attach that particular role to EKS.
• IAM Policies
• IAM Policies can manage access for AWS by attaching them to the IAM Identities or resources
IAM policies defines permissions of AWS identities and AWS resources when a user or any
resource makes a request to AWS will validate these policies and confirms whether the request to
be allowed or to be denied. AWS policies are stored in the form of Jason format the number of
policies to be attached to particular IAM identities depends upon no.of permissions required for
one IAM identity. IAM identity can have multiple policies attached to them.
 Features IAM
• 1) Confirmation: AWS IAM allows you to make and oversee characters, for example, clients,
gatherings, and jobs, which means you can issue and empower verification for assets, individuals,
administrations, and applications inside your AWS account.
• 2) Approval: Access to the executives or approval in IAM is made of two essential segments: Policies
and Permissions.
• 3) Fine-grained consents: Consider this — you need to give the business group in your association
admittance to charging data, yet in addition need to permit the engineering group full admittance to the
EC2 administration, and the promoting group admittance to choose S3 pails. Utilizing IAM, you can
design and tune these consents according to the necessities of your clients.
• 4) Common admittance to AWS accounts: Most associations have more than one AWS account, and
now and again need to designate access between them. IAM lets you do this without sharing your
accreditations and all the more as of late, AWS delivered Control Tower to additionally streamline
multi-account designs.
• 5) AWS Organizations: For fine-grained control of various AWS accounts, you can utilize AWS
Organizations to portion accounts into gatherings and allot consent limits.
• 6) Personality Federation: On many occasions, your association should combine access from other
character suppliers, for example, Okta, G Suite, or Active Directory. IAM empowers you to do this with
an element called Identity Federation.
Use Case 1 IAM
• 1. Secure Access Control for Development Teams
• Use Case: Managing Permissions for Different Roles in a Development Team
• In a development environment, multiple team members may need access to AWS resources such
as EC2 instances, S3 buckets, RDS databases, or Lambda functions. However, not all team
members require the same level of access. Some team members may only need read-only
access, while others (such as administrators) may require full control.
• IAM Implementation:
• Groups are created to categorize different team roles, such as "Developers," "DevOps," and
"Admins."
• Developers: This group has permissions to launch and modify EC2 instances, access certain
Lambda functions, and interact with specific databases in a non-destructive manner (e.g.,
read/write, but no deletion).
• DevOps: This group has additional permissions to manage the infrastructure, including creating
VPCs, managing load balancers, and controlling access to logging services (e.g., CloudWatch).
• Admins: This group has full control over all AWS services, with permissions to manage security
settings, networking, and deployment pipelines.
Use Case 2 IAM
• 2. Cross-Account Access for Centralized Logging and Monitoring
• Use Case: Centralized Monitoring for Multiple AWS Accounts
• A company may have multiple AWS accounts for different environments or departments
(e.g., Production, Development, and Testing). To maintain security and compliance,
centralized monitoring using services like AWS CloudWatch or AWS Config is required.
Rather than setting up individual monitoring configurations for each account, the
company wants to collect logs and metrics centrally.
• IAM Implementation:
• Roles are created in each AWS account that allow AWS CloudWatch (or another
monitoring service) in the central account to assume the role and access resources in
other AWS accounts.
• Cross-account roles are established so that the central account can securely pull metrics
and logs from all other accounts without giving full administrative control over them.
Use Case 3 IAM
• College or University Use Case: Managing Access for Faculty, Students, and
IT Staff
• In a university, faculty, students, and IT staff need different access levels to AWS
resources for academic and administrative purposes.
• IAM Implementation:
• Faculty: Full access to their own teaching and research resources (S3 for
academic materials, RDS for student data, EC2 for simulations). Read/write
access to personal resources, but only read access to shared university resources.
• Students: Read access to course materials (S3) and limited write access for
assignments. Access to AWS Lambda or EC2 for lab work. No access to
administrative resources.
• IT Staff: Full admin control over the entire AWS environment, managing users,
networks, backups, and security, with permissions to configure all AWS services
including IAM.
AWS Shared Responsibility Model (SRM) in Security
Introduction SRM
• The AWS Shared Responsibility Model in security defines the division of
responsibilities between Amazon Web Services (AWS) and its customers to
ensure a secure cloud environment.
• The Shared Responsibility Model is a cloud security structure that specifies
the security requirements of cloud service providers and users to ensure
accountability. Simply said, a cloud vendor offers a variety of cloud services
to its customers. One offers the service, while the other consumes it. The
vendor is accountable for the service provided, while the user is responsible
for the service consumption.

• AWS's responsibilities are the security of the cloud.

• Customer responsibilities are security in the cloud.
Introduction SRM
• AWS responsibility “Security of the Cloud” - AWS is responsible for
protecting the infrastructure that runs all of the services offered in the AWS
Cloud. This infrastructure is composed of the hardware, software,
networking, and facilities that run AWS Cloud services.
• Customer responsibility “Security in the Cloud” – Customer responsibility
will be determined by the AWS Cloud services that a customer selects. This
determines the amount of configuration work the customer must perform as
part of their security responsibilities.
• For example, a service such as Amazon Elastic Compute Cloud (Amazon
EC2) is categorized as Infrastructure as a Service (IaaS) and, as such, requires
the customer to perform all of the necessary security configuration and
management tasks.
Introduction SRM
• Customers that deploy an Amazon EC2 instance are responsible for
management of the guest operating system (including updates and security
patches), any application software or utilities installed by the customer on the
instances, and the configuration of the AWS-provided firewall (called a
security group) on each instance.
• For abstracted services, such as Amazon S3 and Amazon DynamoDB, AWS
operates the infrastructure layer, the operating system, and platforms, and
customers access the endpoints to store and retrieve data. Customers are
responsible for managing their data (including encryption options), classifying
their assets, and using IAM tools to apply the appropriate permissions.
Introduction SRM
• This customer/AWS shared responsibility model also extends to IT controls.
Just as the responsibility to operate the IT environment is shared between
AWS and its customers, so is the management, operation and verification of IT
controls shared.
• AWS can help relieve customer burden of operating controls by managing
those controls associated with the physical infrastructure deployed in the AWS
environment that may previously have been managed by the customer.
• As every customer is deployed differently in AWS, customers can take
advantage of shifting management of certain IT controls to AWS which results
in a (new) distributed control environment.
• Customers can then use the AWS control and compliance documentation
available to them to perform their control evaluation and verification
procedures as required. Below are examples of controls that are managed by
AWS, AWS Customers and/or both.
Introduction SRM
• For AWS Lambda, AWS manages the
underlying infrastructure and
foundation services, the operating
system, and the application platform.
You are responsible for the security of
your code and AWS IAM to the
Lambda service and within your
function.
• The following figure shows the shared
responsibility model as it applies to
the common and distinct components
of AWS Lambda. AWS
responsibilities appear below the
dotted line in orange, and customer
responsibilities appear above the
dotted line in blue.
Introduction SRM
Challenge SRM
• The biggest challenge that organizations face is the confusion of the responsibilities leading
to security compromization. This confusion gives hackers a blind spot to attack, and many
reports claimed the improperly shared security responsibilities as the culprit for various
security incidents. Thus, Amazon Web Service (AWS) established the AWS Shared
Responsibility Model to clarify responsibilities.
Introduction SRM
• Security and compliance are shared responsibilities between AWS and the
customer.
• Depending on the services deployed, this shared model can help relieve the
customer’s operational burden. This is because AWS operates, manages, and
controls the components from the host operating system and virtualization
layer down to the physical security of the facilities in which the service
operates.
• The customer assumes responsibility and management of the guest operating
system (including updates and security patches) and other associated
application software, in addition to the configuration of the AWS-provided
security group firewall.
 service Types SRM
• Amazon EC2 provides
the compute
environment and you
control the entire
solution, such as the
operating system,
application software,
and can configure how
your software interacts
with other
components.

https://aws.amazon.com/blogs/industries/applying-the-aws-
shared-responsibility-model-to-your-gxp-solution/
service Types SRM

• In RDS, You are responsible for its configuration and how it is accessed, but
you are not responsible for the internals of how it works or functions. You can
consider this a containerized type of service where the internals are available
for you to configure.

• In the final scenario, consider a service like Amazon S3. Much like the pre-
installed media system, you are responsible for the data you bring and
configuring access to that data, but you do not control how it functions – AWS
manages it. In this manner, the service details have been hidden from you.
Key Features SRM
1. Clear Responsibility Boundaries:
• AWS: Manages the security of the cloud, including physical infrastructure, data
centers, and foundational services.
• Customers: Handle security in the cloud, including their data, applications, and
configurations.
2. Security of the Cloud:
• AWS: Responsible for the security of the infrastructure that supports AWS
services. This includes physical and environmental controls, hardware, and
virtualization.
3. Security in the Cloud:
• Customers: Responsible for securing their own applications, data, and
configurations. This includes managing identity and access, encryption, and
network security.
Key Components SRM
1. Infrastructure Security:
• AWS: Ensures the security of physical data centers, servers, storage devices, and networking
hardware.
• Customers: Configure and manage security for their instances, databases, and other
resources.
2. Network Security:
• AWS: Provides secure network infrastructure and protections for the AWS environment.
• Customers: Manage their own network configurations, including security groups, network
ACLs, and VPC settings.
3. Data Protection:
• AWS: Provides tools and features for data protection, such as encryption and backup
services.
• Customers: Implement and manage data encryption, access controls, and backup strategies.
4. Identity and Access Management (IAM):
• AWS: Secures the IAM infrastructure that enables users to manage permissions.
• Customers: Configure IAM roles, policies, and permissions for their AWS resources.
Key Components SRM
5. Compliance and Auditing:
• AWS: Offers compliance certifications and tools to help customers meet regulatory requirements.
• Customers: Ensure their use of AWS services complies with their specific regulatory and compliance
obligations.
6. Incident Response:
• AWS: Handles security incidents related to AWS infrastructure and services.
• Customers: Manage their own incident response procedures, including monitoring, logging, and
responding to security events within their environment.
7. Patch Management:
• AWS: Applies patches and updates to the underlying AWS infrastructure and managed services.
• Customers: Apply patches and updates to their operating systems, applications, and databases running
on AWS.
8. Monitoring and Logging:
• AWS: Provides monitoring and logging services, such as CloudWatch and CloudTrail, to track the
performance and security of AWS services.
• Customers: Use these services to monitor and log their own AWS resources and application activities.
Examples SRM

•Amazon EC2:
•AWS: Secures the physical servers, virtualization layer, and network.
•Customers: Manage the operating system, applications, and network
configurations.
•Amazon S3:
•AWS: Secures the storage infrastructure and network.
•Customers: Manage bucket policies, encryption, and data access controls.
•Amazon RDS:
•AWS: Manages the database engine software and infrastructure.
•Customers: Configure database security settings, manage access, and
implement encryption.
Use cases SRM
1. Securing a Web Application with Amazon EC2
Scenario: A company is deploying a web application on Amazon EC2 instances.
AWS Responsibilities:
•Infrastructure Security: AWS ensures the security of the physical servers, data centers, and
networking hardware that support the EC2 instances.
•Hypervisor Security: AWS secures the virtualization layer that runs the EC2 instances.
•Network Security: AWS provides secure connectivity and protection for the network
infrastructure that supports EC2.
Customer Responsibilities:
•Operating System: The customer is responsible for securing the operating system on the EC2
instances, including applying patches and updates.
•Application Security: The customer manages the security of the web application code,
including vulnerability management and secure coding practices.
•Network Configuration: The customer configures security groups and network ACLs to
control traffic to and from their EC2 instances.
•Data Protection: The customer is responsible for encrypting sensitive data both at rest and in
transit and implementing backup strategies.
Use cases SRM
2. Storing and Securing Data with Amazon S3
Scenario: A company is using Amazon S3 to store sensitive data, including customer
information and financial records.
AWS Responsibilities:
•Storage Infrastructure: AWS secures the physical infrastructure and data centers where S3
data is stored.
•Data Encryption: AWS provides options for server-side encryption (SSE) to protect data at
rest.
Customer Responsibilities:
•Data Encryption: The customer is responsible for configuring encryption for data stored in
S3, either by using AWS-managed encryption keys or their own.
•Bucket Policies: The customer manages S3 bucket policies and access controls to ensure only
authorized users and applications can access their data.
•Data Integrity: The customer ensures data integrity through versioning and monitoring for
unauthorized changes or access.
Use cases SRM
3. Managing a Relational Database with Amazon RDS
Scenario: A company is using Amazon RDS to manage a relational database for their customer
management system.
AWS Responsibilities:
•Database Engine Security: AWS manages the security of the RDS database engine, including
applying patches and updates.
•Infrastructure Security: AWS secures the underlying infrastructure, including data centers
and hardware, used by RDS.
Customer Responsibilities:
•Database Configuration: The customer is responsible for configuring database security
settings, such as user access controls, database encryption, and backup schedules.
•Data Encryption: The customer manages encryption for data at rest and in transit using RDS’s
encryption features.
•Access Management: The customer configures IAM roles and database-specific access
controls to manage who can access and interact with the database.
•Backup and Recovery: The customer sets up and manages automated backups and snapshots
to ensure data recovery and continuity.
AWS Key Management Service (KMS)
Introduction KMS

• AWS KMS is a safe and resilient service that uses hardware security protocols
that are tested or are in the process of being tested to protect our keys.
• AWS Key Management Service provides a highly available key storage,
management, and auditing solution for you to encrypt data within your own
applications and control the encryption of stored data across AWS services.
Introduction KMS

• It is a managed service provided by AWS that allows companies to create,

control and manage the cryptographic keys that encrypt and protect their data.
• With AWS KMS, organizations get a world-class key storage, management
and auditing system that makes it easy to control the encryption of data stored
across their AWS services.
• As the name suggests, AWS KMS is an encryption and key management
service scaled for use in the AWS cloud.
• Organizations can use the encryption keys and functionality provided by
AWS KMS to protect data in all their applications that use AWS. The service
can also generate data keys that can be used outside of AWS
KMS. Symmetric and asymmetric KMS keys can be generated for encryption
and signing using AWS KMS.
Introduction KMS
• A symmetric encryption KMS key
is the most used type of KMS key.
It never leaves AWS KMS
unencrypted and is created by
default when a user creates an AWS
KMS key. The same key is used for
encryption and decryption.
• An asymmetric encryption KMS
key represents a mathematically
related public key and private key
pair. The private key never leaves
AWS KMS unencrypted and to use
it, the user must call AWS KMS.
The public key can be used within
AWS KMS by calling the AWS
KMS API operations.
Example KMS

• Let’s imagine that your database server was hacked, hackers got get right
of entry to all the sensitive information about your consumer and the
business.
• If your records are closing as plain text hackers can do what they want
with this information. But your information is encrypted already hackers
will have a difficult time decrypting your database statistics. There are
main techniques of encryption: purchaser-aspect encryption and server-
aspect encryption.
• In client-side encryption, you may encrypt your information and manage
your keys. You can use KMS for it if required. Next in the server-aspect
encryption your server AWS will encrypt your information and manage
the key for you. Most of the AWS services like EBS, and S3 offer this
server-side encryption with the help of KMS.
Introduction KMS
• AWS KMS allows organizations to better control who can use their AWS
KMS keys and who can access their encrypted data.
• The service allows them to use its key management and cryptographic features
directly in their AWS applications or through AWS services integrated with
AWS KMS.
• AWS KMS is designed to create and manage cryptographic keys and control
their use across a wide range of AWS services and in your applications.
• Integration: KMS integrates with other AWS services like S3, EBS, RDS, and
more, to provide seamless encryption capabilities.
• By using AWS KMS, you gain more control over access to data you encrypt.
You can use the key management and cryptographic features directly in your
applications or through AWS services integrated with AWS KMS.
Key concepts KMS
• Customer Master Keys (CMKs): CMKs are the primary keys created in AWS KMS used for
cryptographic operations like encryption and decryption; they can be either symmetric or
asymmetric.
• Symmetric Keys: A type of CMK that uses a single key for both encryption and decryption,
commonly used for data encryption in AWS services.
• Asymmetric Keys: A CMK that uses a pair of keys (public and private) for operations like
encryption/decryption and signing/verification.
• Key Policies: JSON-based policies that define who can use or manage the CMK, controlling
access and permissions to keys.
• Key Aliases: Friendly names assigned to CMKs to simplify their management and usage in
AWS services.
• Grants: Provide temporary and granular permissions to use a CMK, allowing users or AWS
services to access specific key functions for a limited time.
• Encryption Context: A set of key-value pairs that are cryptographically bound to the
encrypted data, adding extra security and integrity to encryption operations.
Key concepts KMS

• Key Rotation: The process of automatically or manually generating new key

material for a CMK, helping enhance security over time.
• Key Import: Allows users to import their own key material into AWS KMS
and manage its lifecycle, including control over when and how it is used or
deleted.
• Multi-Region Keys: CMKs that can be replicated across AWS regions to
ensure availability and disaster recovery in geographically distributed systems.
• AWS Service Integration: KMS is integrated with many AWS services like
S3, EBS, and RDS for seamless key management and encryption of data
stored within those services.
• CloudTrail Logging: AWS KMS operations are logged by AWS CloudTrail,
enabling auditing and tracking of key usage and management actions.
How it works KMS
What is Key KMS
• An AWS KMS key is a logical representation of a cryptographic key. It is a
primary resource in AWS KMS. To use or manage KMS keys, it's mandatory to
use AWS KMS. The following three types of KMS keys can be created in AWS
KMS:
• Customer managed key: Created by the organization.
• AWS managed key: Created by AWS services that use KMS keys to encrypt the
organization's service resources.
• AWS owned key: KMS keys created by AWS services in a service account.
• A KMS key contains the following:
• Metadata (key ID, key spec, key usage, creation date, description and key state);
and
• reference to the key material used when cryptographic operations are performed
with the KMS key.
Use Cases KMS

1. Encrypting Data in Amazon S3

• Use Case: A company needs to store sensitive customer data,
including personally identifiable information, in Amazon S3 and
must comply with data protection regulations.
• Solution: AWS KMS can encrypt the data before storing it in S3
using server-side encryption with KMS keys. The company manages
who has access to the encryption keys to ensure only authorized
users can decrypt and access the data.
Use Cases KMS

2. Database Encryption in Amazon RDS

• Use Case: An organization needs to ensure that sensitive financial
data stored in its Amazon RDS databases is protected, both at rest
and during backup operations.
• Solution: AWS KMS allows for encryption of Amazon RDS
databases using KMS-managed keys. This secures data at rest,
encrypts backups, and provides fine-grained access control through
KMS key policies and IAM roles.
Use Cases KMS

3. Encrypting Application Secrets

• Use Case: A development team requires secure storage and
management of sensitive information such as API keys, database
credentials, and certificates within their applications.
• Solution: AWS KMS is integrated with AWS Secrets Manager to
securely encrypt and manage secrets. The team can retrieve
encrypted secrets dynamically during runtime, ensuring that
sensitive data is always protected.
Use Cases KMS

4. Multi-Region Key Management for Disaster Recovery

• Use Case: A global enterprise wants to ensure that their critical
encryption keys are available across multiple AWS regions to
support disaster recovery and ensure low-latency access.
• Solution: With multi-region keys in AWS KMS, the company can
replicate keys across regions, enabling data encryption and
decryption in multiple regions while maintaining a centralized key
management policy.
AWS Inspector
Introduction
What is Amazon Inspector?
• Amazon Inspector is an automated security assessment service to test the
network accessibility of EC2 instances. It helps you to identify vulnerabilities
(weakness) within your EC2 instances and applications and allows you to
make security testing more regular occurrence as part of the development and
IT operations.
• Amazon Inspector provides a clear list of security and compliance findings
assigned a priority by the severity level. Moreover, these findings can be
analyzed directly or as part of comprehensive assessment records available
via the API or AWS Inspector console. AWS Inspector security assessments
help you check for unintended network accessibility of EC2 instances and
vulnerabilities on those EC2 instances.
Features
•Automated Security Assessments: Inspector continuously monitors and automatically
evaluates the security
posture of workloads, ensuring that security assessments are done without manual effort.
•Vulnerability Management: It identifies vulnerabilities in EC2 instances and container
images (via Amazon ECR),
alerting the user to security issues like outdated software, misconfigurations, or missing
patches.
•CIS Benchmarks Compliance: AWS Inspector provides checks based on Center for
Internet Security (CIS) benchmarks, which are recognized industry standards for security.
•Integration with AWS Services: Inspector integrates seamlessly with other AWS
services, such as EC2, Amazon ECR, and AWS Security Hub, ensuring broad coverage of
workloads and security.
•Actionable Findings: AWS Inspector produces prioritized security findings, complete
with recommendations for remediation. This saves time and resources by helping users
focus on the most critical issues
Benefits of AWS Inspector
• Automated Service: AWS Inspector is a beneficial service for the
application’s security in the AWS cloud. It can fix automatically without the
interaction of human resources.
• Regular Security Monitoring: Amazon Inspector helps to find security
vulnerabilities in applications, as well as departures from security best
practices, both before they’ve been deployed or running in production. This
improves the overall security of your AWS-hosted applications.
• Leverage AWS Security Expertise: AWS Inspector includes a knowledge
base of the number of rules charted to common security best practices and
vulnerability definitions. It uses AWS’s Security Expertise, where AWS is
constantly updating the security best practices and rules, so one gets the best
of both worlds.
Benefits of AWS Inspector
• Integrate Security Into DevOps: AWS Inspector is an API-bound service
that analyzes network configurations in your AWS account. Moreover, it uses
an optional agent for visibility into EC2 instances. The agent makes it easy to
build Inspector assessments right into your existing DevOps process and
empowers both development and operations teams to make security
assessments an essential part of the deployment process.

• Network reachability price package regulations: Assessments performed

by Amazon Inspector Classic that include network reachability rules are
priced per instance per assessment (instance assessment) per month. One
instance assessment is one that you perform against one instance. Ten
instance assessments will result from doing one assessment against ten
instances. With bulk reductions, pricing can be lowered to $0.04 per instance
assessment per month from the starting price of $0.15 per instance assessment
per month.
• How Amazon Inspector Works?
• Amazon Inspector performs an automatic assessment and generates a findings report containing
steps to keep the environment safe. To use this service, you need to define the collection of AWS
and all the resources that complete the application to proceed and tested. It is followed by adding
and performing security practices. You can also set the duration of that assessment which can vary
from 15 Min to 12 Hrs or last for one day.
• An Inspector Agent runs on the EC2 machines hosting the application that monitors the network,
file system, and process activity. After collecting all the required data, it is compared with the built-
in security rules to identify security or compliance issues.
• How Amazon Inspector Works?
Amazon Inspector is an automated vulnerability management service that
continually scans AWS workloads for software vulnerabilities and unintended
network exposure.
• Use Cases
Uber
•Automated Security Assessments: Uber’s infrastructure might be extensively
hosted on AWS, where Amazon Inspector could be leveraged to continuously
assess the security posture of their applications, including vulnerability
management and compliance checks.
•Compliance and Governance: Uber, as a large enterprise, must adhere to
numerous regulatory frameworks. Amazon Inspector could help Uber ensure
compliance by scanning its environment and highlighting areas of concern.
•Threat Detection: Amazon Inspector might assist Uber in detecting
misconfigurations or vulnerabilities before they are exploited by external
threats, enhancing the overall security of their cloud-based assets.
• Use Cases
• Volkswagen Financial Services
• The new Amazon Inspector made it very easy for Volkswagen to adopt a vulnerability
management solution to support its software patching program and to detect vulnerabilities
that could lead to unauthorized AWS access.
• Activating the service to scan both EC2 and ECR environments for software
vulnerabilities was made seamless using CloudFormation.
• In addition, since Inspector is integrated with AWS Organizations, its 1300+ existing and
newly added accounts are automatically onboarded to the service.
• Inspector discovers all the workloads, continually scans them, consolidates a prioritized
list of findings in its console, and it reduces our mean time to remediate with near-
immediate notifications of new critical vulnerabilities.
AWS Organizations
Introduction
• AWS Organizations helps us to centrally manage and govern the environment as we grow and scale
the AWS resources. Using Organizations, you can create accounts and allocate resources, group
accounts to organize your workflows, apply policies for governance, and simplify billing by using a
single payment method for all of your accounts.
• Organizations is integrated with other AWS services so you can define central configurations, security
mechanisms, audit requirements, and resource sharing across accounts in your organization
• The following diagram shows a high-level explanation of how you can use AWS Organizations:
AWS Organizations
The following diagram shows an organization that consists of five accounts that are organized into four
organizational units (OUs) under the root. The organization also has several policies that are attached to
some of the OUs or directly to accounts
Organization Structure
An organization is a collection of AWS Accounts that you can manage centrally and organize into a
hierarchical, tree-like structure with a root at the top and organizational units nested under the root. Each
account can be directly in the root, or placed in one of the OUs in the hierarchy.

Each organization consists of:

• A management account

• Zero or more member accounts

• Zero or more organizational units (OUs)

• Zero or more policies

An organization has the functionality that is determined by the feature set that you enable
Organization Structure
Root

• An administrative root (root) is contained in the management account and is the starting point for
organizing your AWS accounts. The root is the top-most container in your organization’s hierarchy.
Under this root, you can create organizational units (OUs) to logically group your accounts and
organize these OUs into a hierarchy that best matches your needs.

• If you apply a management policy to the root, it applies to all organizational units (OUs) and
accounts, including the management account for the organization.

• If you apply an authorization policy (for example, a service control policy (SCP)), to the root, it
applies to all organizational units (OUs) and member accounts in the organization. It does not apply to
the management account in the organization.
Organization Structure
• Organizational unit (OU)

• An organizational unit (OU) is a group of AWS accounts in an organization. An OU can also contain
other OUs enabling you to create a hierarchy. For example, you can group all accounts that belong to
the same department into a departmental OU. Similarly, you can group all accounts running security
services into a security OU.

• OUs are useful when you need to apply the same controls to a subset of accounts in your organization.
Nesting OUs enables smaller units of management. For example, you can create OUs for each
workload, then create two nested OUs in each workload OU to divide production workloads from pre-
production. These OUs inherit the policies from the parent OU in addition to any controls assigned
directly to the team-level OU. Including the root and AWS accounts created in the lowest OUs, your
hierarchy can be five levels deep.
Organization Structure
• AWS account

• An AWS account is a container for your AWS resources. You create and manage your AWS
resources in an AWS account, and the AWS account provides administrative capabilities for
access and billing.

• Using multiple AWS accounts is a best practice for scaling your environment, as it provides a
billing boundary for costs, isolates resources for security, gives flexibility or individuals and
teams, in addition to being adaptable for new processes.

• There are two types of accounts in an organization: a single account that is designated as the
management account and one or more members accounts
Organization Structure
• Management account
• A management account is the AWS account you use to create your organization. From the
management account, you can do the following:
• Create other accounts in your organization
• Invite and manage invitations for other accounts to join your organization
• Designate delegated administrator accounts
• Remove accounts from your organization
• Attach policies to entities such as roots, Organizational units (OUs) , or accounts within your
organization
• Enable integration with supported AWS services to provide service functionality across all of
the accounts in the organization.
• The management account is the ultimate owner of the organization, having final control over
security, infrastructure, and finance policies. This account has the role of a payer account and
is responsible for paying all charges accrued by the accounts in its organization.
Organization Structure
• Member account
• A member account is an AWS account, other than the management
account, that is part of an organization. If you are an administrator of
an organization, you can create member accounts in the organization
and invite existing accounts to join the organization. You also can
apply policies to member accounts.
Features
• Manage your AWS accounts
AWS accounts are natural boundaries for permission, security, costs, and workloads. Using a multi-account
environment is a recommended best-practice when scaling your cloud environment. You can simplify
account creation by programmatically creating new accounts using the AWS Command Line Interface (AWS
CLI), SDKs, or APIs
• Define and manage your organization

As you create new accounts, you can group them into organizational units (OUs), or groups of accounts that
serve a single application or service. Apply tag polices to classify or track resources in your organization, and
provide attribute-based access control for users or applications. In addition, you can delegate responsibility
for supported AWS services to accounts so users can manage them on behalf of your organization

• Control access and permissions

Set up AWS IAM Identity Center to provide access to AWS accounts and resources using your active
directory, and customize permissions based on separate job roles. You can also apply service control policies
(SCPs) to users, accounts, or OUs to control access to AWS resources, services, and Regions within your
organization
Features
• Share resources across accounts
You can share AWS resources within your organization using AWS Resource Access Manager
(AWS RAM). For example, you can create your Amazon Virtual Private Cloud (Amazon
VPC) subnets once and share them across your organization. You can also centrally agree to
software licenses with AWS License Manager, and share a catalog of IT services and custom
products across accounts with AWS Service Catalog.
• Audit your environment for compliance
You can activate AWS CloudTrail across accounts, which creates a log of all activity in your
cloud environment that cannot be turned off or modified by member accounts. In addition, you
can set policies to enforce backups on your specified cadence with AWS Backup, or define
recommended configuration settings for resources across accounts and AWS Regions
with AWS Config.
• Centrally manage billing and costs
Organizations provides you with a single consolidated bill. In addition, you can view usage
from resources across accounts and track costs using AWS Cost Explorer, and optimize your
usage of compute resources using AWS Compute Optimizer.
Use cases
• Automate the creation of AWS accounts and categorize workloads
We can automate the creation of AWS accounts to quickly launch new workloads. Add the accounts to user-defined
groups for instant security policy application, touchless infrastructure deployments, and auditing. Create separate
groups to categorize development and production accounts and use AWS CloudFormation StackSets to provision
services and permissions to each group.

• Define and enforce audit and compliance policies

We can apply service control policies (SCPs) to ensure that your users perform only the actions that meet your
security and compliance requirements. Create a central log of all actions performed across your organization
using AWS CloudTrail. View and enforce standard resource configurations across accounts and AWS Regions
using AWS Config. Automatically apply regular backups using AWS Backup. Use AWS Control Tower to apply
pre-packaged governance rules for security, operations, and compliance for your AWS workloads.

• Provide tools and access for your Security teams while encouraging development
Create a Security group and provide it with read-only access to all of your resources to identify and mitigate
security concerns. You can allow that group to manage Amazon GuardDuty so they can actively monitor and
mitigate threats to your workloads, and IAM Access Analyzer to quickly identify unintended access to your
resources.
Use cases
• Share common resources across accounts

Organizations makes it easy for you to share critical central resources across your accounts. For
example, you can share your central AWS Directory Service for Microsoft Active Directory so
that applications can access your central identity store.

• Share critical central resources across your accounts

Share your AWS Directory Service for Microsoft Active Directory as a central identity store for
your applications. Use AWS Service Catalog to share IT services in designated accounts so users
can quickly discover and deploy approved services. Ensure that application resources are
created on your Amazon Virtual Private Cloud (Amazon VPC) subnets by centrally defining
them once and sharing them across your organization using AWS Resource Access Manager
(AWS RAM)
AWS Trusted Advisors
What is AWS Trusted Advisor?
• AWS Trusted Advisor is your personal cloud expert! It helps you to provide best practices for AWS by
inspecting your AWS environment with a motto toward saving money, improving security.

• AWS Trusted Advisor is an AWS tool that provides you with real-time assistance to help you
provision your resources following AWS best practices

• It checks to help optimize your AWS infrastructure, provide better security and performance, reduce
your overall costs, and also monitor service limits

• Whether you want to develop applications, or as part of ongoing improvement, Always take advantage
of the recommendations provided by Trusted Advisor it helps keep your solutions provisioned
optimally system performance and reliability, and closing security gaps to protect.
How does it work?
• The Trusted Advisor scans an organization’s cloud infrastructure and provides recommendations
based on the defined best practices. The basic recommendations can be grouped into three categories:
• No problem detected—a green check.
• The investigation recommended—an orange exclamation mark.
• Action recommended—a red exclamation mark.
How does it work?
• If you are planning to migrate to the AWS cloud or to set up a new cloud application,
Trusted Advisor’s recommendations can help you to optimize your cloud infrastructure.
For example, if you are planning to set up a new RDS instance and receive a notification
from AWS Trusted Advisor that two of 15 RDS instances have been idle for more than 30
days, you can investigate and plan to utilize one of the idle instances rather than
introducing a new one. This saves costs for your organization.
• Trusted Advisor offers a list of control points for each of these 4 areas, and it examines
how your account, resources, and architecture are put in place to see if you’re in line with
best practices.
• It essentially serves as an automatic auditor for your account, which can help you save
money, improve the use of your resources, maintain a tighter and more secure
environment, ensure that your resources will still be usable in the event of a failure, and
ensure that you stay within the bounds of your service agreement, allowing you to ask for
an increase when appropriate.
How does it work?
AWS Trusted Advisor Check a large section of services which can be grouped into
four categories:
1. Cost Optimization—recommendations provided by Trusted Advisor can reduce
expenses by highlighting idle resources or by committing reserved resources.
2. Security—With the help of AWS Trusted Advisor users can harden their AWS
services against intruders by enabling various security features.
3. Fault Tolerance—suggestions that enhance the resilience of your applications by
highlighting health issues, missing backups, and redundancy shortfalls.
4. Performance—recommendations that can increase the overall performance of your
applications and cloud infrastructure by checking your service limits and monitoring
instances.
How does it work?
Compliance on AWS
Compliance
• In AWS, compliance refers to the practices, policies, and tools that ensure users
meet regulatory, legal, and industry standards while using AWS services.
• AWS Compliance empowers customers to understand the robust controls in
place at AWS to maintain security and data protection in the AWS Cloud.
• When systems are built in the AWS Cloud, AWS and customers share
compliance responsibilities.
• AWS computing environments are continuously audited, with certifications
from accreditation bodies across geographies and verticals, including SOC
1/SSAE 16/ISAE 3402 (formerly SAS 70), SOC 2, SOC 3, ISO 9001 / ISO
27001, FedRAMP, DoD SRG, and PCI DSS Level 1.
• Additionally, AWS also has assurance programs that provide templates and
control mappings to help customers establish the compliance of their
environments running on AWS.
Compliance
• We can confirm that all AWS services can be used in compliance with the GDPR
(General Data Protection Regulation).
• This means that, in addition to benefiting from all of the measures that AWS already
takes to maintain services security, customers can deploy AWS services as a part of their
compliance plans.
• AWS offers a Data Processing Addendum (DPA) in the AWS Service Terms that applies
automatically, whenever AWS customers use AWS services to process personal data
uploaded to their AWS account.
• The GDPR-compliant terms of the AWS DPA are considered a high watermark for
privacy compliance worldwide and we are confident they exceed requirements of most
other data protection laws.
• This means customers will achieve at least an equivalent – if not higher - compliance
standard to that required by most data protection laws.
Benefits of Compliance on AWS

• Third-party validation for 1,000s of global requirements

• Inherit the latest security controls AWS uses on its own infrastructure
• Streamline and automate compliance
• Automated Compliance Reporting
Compliance is a Shared Responsibility
• Security and Compliance is a shared responsibility between AWS and the customer
• This shared model can help relieve the customer’s operational burden as AWS
operates, manages and controls the components from the host operating system
and virtualization layer down to the physical security of the facilities in which the
service operates
• The customer assumes responsibility and management of the guest operating
system (including updates and security patches), other associated application
software as well as the configuration of the AWS provided security group firewall.