Chapter 2: Security and Compliance
Mohamad's interest is in Programming (Mobile, Web, Database and Machine Learning). He is studying at the Center For Artificial Intelligence Technology (CAIT), Universiti Kebangsaan Malaysia (UKM).
2.1 Understanding the AWS Shared Responsibility Model
2.1.1 The Principle of Shared Responsibility
In a traditional on-premises IT environment, organizations are responsible for securing every layer—from physical access to servers, up to the application and data. In the cloud, this responsibility is shared between the cloud provider (AWS) and the customer.
This model, known as the AWS Shared Responsibility Model, clearly defines who is responsible for what:
AWS is responsible for: Securing the infrastructure that supports the cloud platform—including data center facilities, network hardware, physical servers, and foundational software (e.g., hypervisors).
Customers are responsible for: Securing everything they build and run on top of AWS infrastructure—such as configuring permissions, managing user access, encrypting data, and updating applications.
Key Insight: The division of responsibility is dynamic. As customers use more managed services, AWS takes on a greater share of responsibility. Conversely, customers using lower-level services like EC2 must manage more of the stack.
2.1.2 AWS Responsibilities
AWS handles the security of the physical infrastructure:
Physical Security: Controlled access to data centers, biometric access, and video surveillance.
Hardware Security: Servers, routers, and power systems are maintained and monitored.
Network Infrastructure: Redundant networking, DDoS protection, secure routing.
Hypervisor and Virtualization: Isolation between virtual machines (VMs) and management of patches to the underlying platform.
These responsibilities are consistent across all AWS services and regions. Customers inherit the security of this infrastructure, which is independently audited and certified (e.g., SOC, ISO, PCI).
2.1.3 Customer Responsibilities
Customers are responsible for managing security in the cloud, which includes:
Identity and Access Management: Defining who has access to what, using IAM policies, groups, and roles.
Application Security: Implementing secure coding practices and regular updates.
Data Encryption and Classification: Ensuring sensitive data is encrypted and handled in accordance with privacy laws.
Firewall and Network Configuration: Using security groups, NACLs, and VPC configurations to control access.
Discussion:
Customers must understand their role in this model to avoid misconfigurations. For example, an S3 bucket can be made publicly accessible by mistake through its bucket policy or access settings. AWS will not prevent this; it is the customer's responsibility to configure it securely.
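The S3 example above is the kind of misconfiguration a customer can check for on their own side of the model. The following is an added example, not AWS code, that reads a bucket policy document offline (no SDK, no network) and lists the Allow statements that grant access to an anonymous principal without a condition that narrows the caller. The two sample policies, the bucket name and the VPC endpoint id are constructed for illustration.

```python
"""Check an S3 bucket policy document for statements that grant public access.

Added example; not AWS code. Evaluates the policy JSON offline. The set of
condition keys treated as "restricting" is an assumption of this check: each
of them limits who can call, so an Allow to Principal "*" carrying one of them
is not world-readable.
"""
import json

RESTRICTING_CONDITION_KEYS = {
    "aws:SourceVpce", "aws:SourceVpc", "aws:SourceIp",
    "aws:PrincipalOrgID", "aws:PrincipalAccount", "aws:SourceArn",
}


def _as_list(value):
    """Policy fields may be a single string or a list; normalise to a list."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def _principal_is_public(principal):
    """True when the Principal element matches anyone on the internet."""
    if principal == "*":
        return True
    if isinstance(principal, dict):
        return "*" in _as_list(principal.get("AWS"))
    return False


def _has_restricting_condition(statement):
    """True when any condition key narrows the caller (VPC, org, IP, ...)."""
    for _operator, keys in statement.get("Condition", {}).items():
        for key in keys:
            if key in RESTRICTING_CONDITION_KEYS:
                return True
    return False


def find_public_statements(policy_json):
    """Return (sid, actions) for every Allow statement open to the world.

    Listing the actions lets a reviewer tell public read (s3:GetObject)
    from a far worse full-control grant (s3:*).
    """
    policy = json.loads(policy_json)
    findings = []
    for index, stmt in enumerate(_as_list(policy.get("Statement"))):
        if stmt.get("Effect") != "Allow":
            continue
        if not _principal_is_public(stmt.get("Principal")):
            continue
        if _has_restricting_condition(stmt):
            continue
        sid = stmt.get("Sid", f"statement-{index}")
        findings.append((sid, _as_list(stmt.get("Action"))))
    return findings


# Constructed sample: a policy that accidentally exposes every object.
PUBLIC_READ_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [{
        "Sid": "PublicRead",
        "Effect": "Allow",
        "Principal": "*",
        "Action": "s3:GetObject",
        "Resource": "arn:aws:s3:::example-bucket/*",
    }],
})

# Constructed sample: the corrected policy. Principal "*" is still present but
# limited to callers arriving through one VPC endpoint (constructed id), and a
# Deny rejects any request not made over TLS.
SCOPED_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "VpcEndpointOnly",
            "Effect": "Allow",
            "Principal": "*",
            "Action": "s3:GetObject",
            "Resource": "arn:aws:s3:::example-bucket/*",
            "Condition": {"StringEquals": {"aws:SourceVpce": "vpce-0123456789abcdef0"}},
        },
        {
            "Sid": "DenyInsecureTransport",
            "Effect": "Deny",
            "Principal": "*",
            "Action": "s3:*",
            "Resource": ["arn:aws:s3:::example-bucket", "arn:aws:s3:::example-bucket/*"],
            "Condition": {"Bool": {"aws:SecureTransport": "false"}},
        },
    ],
})

if __name__ == "__main__":
    print("public:", find_public_statements(PUBLIC_READ_POLICY))
    print("scoped:", find_public_statements(SCOPED_POLICY))
```

The check only looks at the bucket policy; in a real account the S3 Block Public Access settings and bucket ACLs also decide exposure, so treat a clean result here as one input to a review, not the whole answer.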
2.1.4 Responsibility Shifts by Service Type
The division of responsibility varies depending on the abstraction level of the service:
| Service Type | Customer Responsibility | AWS Responsibility |
|---|---|---|
| Amazon EC2 (IaaS) | OS security, updates, IAM, firewall | Data center, hypervisor, hardware |
| Amazon RDS (Managed DB) | Data access, backups, schema | OS, DB engine patching, HA setup |
| AWS Lambda (Serverless) | Code logic, IAM roles | Scaling, runtime, infra security |
Insight:
As services become more abstracted and managed, the customer is relieved of many responsibilities. This can increase security overall, but also demands new practices—such as fine-tuning IAM roles or ensuring secure function code.
2.2 Security, Governance, and Compliance Concepts
2.2.1 Key AWS Security Features
AWS integrates security capabilities at all levels:
Encryption: AWS supports both server-side and client-side encryption. Services like Amazon S3, RDS, and EBS provide built-in encryption features. Encryption in transit uses TLS.
Access Control: Fine-grained access controls are available using IAM. Customers can define user roles, use policies to restrict access, and apply conditions such as time or IP address.
Auditability: AWS services support full visibility and traceability of actions. AWS CloudTrail records every API call, including who made it and when.
Threat Detection: Tools like Amazon GuardDuty, AWS Security Hub, and Amazon Inspector help detect anomalies, vulnerabilities, and compliance issues.
Discussion:
AWS provides security by default, but security must be configured intentionally. Simply using AWS does not guarantee protection. Cloud-native security requires proactive setup, regular audits, and automation of controls.
2.2.2 Compliance and Governance
AWS complies with a broad set of regulatory frameworks and publishes artifacts to demonstrate its adherence. This includes:
Regional Regulations: GDPR (EU), CCPA (California)
Industry Standards: HIPAA (Healthcare), PCI-DSS (Finance), FedRAMP (Government)
Third-Party Audits: SOC 1, 2, 3; ISO 27001; FIPS 140-2
Customers can access these documents via AWS Artifact, a portal for audit and compliance reports.
Governance Services:
| Service | Purpose |
|---|---|
| AWS CloudTrail | Logs API activity for auditing |
| AWS Config | Records and evaluates configurations |
| AWS Audit Manager | Simplifies audit evidence collection |
Discussion:
Governance ensures that cloud usage aligns with internal policies, industry requirements, and legal standards. Automating governance helps avoid drift from secure baselines as teams scale.
2.3 Identity and Access Management (IAM)
2.3.1 Core Concepts of IAM
AWS IAM is the backbone of access control across AWS services. It ensures that only authorized users and applications can interact with resources.
Key Concepts:
Users: Individual credentials with login and programmatic access.
Groups: Collections of users with shared permissions.
Roles: Identities that are assumed to obtain temporary credentials, for example by EC2 instances, Lambda functions, or principals in another account.
Policies: JSON documents defining permissions using “allow” or “deny”.
Example:
A developer might have an IAM user with permissions to launch EC2 instances, while a Lambda function may assume a role that allows it to read from DynamoDB.
Security Best Practice:
Apply the principle of least privilege—grant only the permissions necessary for a task, and nothing more.
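To make the allow/deny semantics and the IP condition mentioned in 2.2.1 concrete, here is an added example, not AWS code, that evaluates a small IAM-style policy offline. It models the core of the real decision: an explicit Deny wins over any Allow, and a request no statement allows is implicitly denied. It supports wildcards in Action and Resource and the IpAddress/NotIpAddress operators on aws:SourceIp; NotAction, other condition keys and the treatment of a missing condition key are simplifications. The policy, the account id and the IP ranges are constructed.

```python
"""Minimal offline evaluator for IAM-style identity policies.

Added example; not AWS code. Implements only explicit-deny-wins, default
deny, Action/Resource wildcards and aws:SourceIp conditions. A condition
whose key is missing from the request context is treated as not satisfied
(a simplification of the real rules).
"""
import ipaddress
from fnmatch import fnmatchcase

SUPPORTED_OPERATORS = ("IpAddress", "NotIpAddress")


def _as_list(value):
    return value if isinstance(value, list) else [value]


def _matches_any(patterns, value, case_sensitive):
    """IAM actions match case-insensitively; resource ARNs do not."""
    for pattern in _as_list(patterns):
        if case_sensitive:
            matched = fnmatchcase(value, pattern)
        else:
            matched = fnmatchcase(value.lower(), pattern.lower())
        if matched:
            return True
    return False


def _ip_in_any(source_ip, cidrs):
    ip = ipaddress.ip_address(source_ip)
    return any(ip in ipaddress.ip_network(c, strict=False) for c in _as_list(cidrs))


def _condition_holds(condition, context):
    """Evaluate the subset of condition operators this example supports."""
    for operator, keys in condition.items():
        if operator not in SUPPORTED_OPERATORS:
            return False
        for key, cidrs in keys.items():
            actual = context.get(key)
            if key != "aws:SourceIp" or actual is None:
                return False
            in_range = _ip_in_any(actual, cidrs)
            if operator == "IpAddress" and not in_range:
                return False
            if operator == "NotIpAddress" and in_range:
                return False
    return True


def evaluate(policy, action, resource, context=None):
    """Return 'Allow', 'Deny' (explicit) or 'ImplicitDeny' for one request."""
    context = context or {}
    decision = "ImplicitDeny"
    for stmt in _as_list(policy["Statement"]):
        if not _matches_any(stmt["Action"], action, case_sensitive=False):
            continue
        if not _matches_any(stmt["Resource"], resource, case_sensitive=True):
            continue
        if "Condition" in stmt and not _condition_holds(stmt["Condition"], context):
            continue
        if stmt["Effect"] == "Deny":
            return "Deny"        # explicit deny always wins; stop here
        decision = "Allow"       # keep scanning in case a Deny follows
    return decision


# Constructed least-privilege policy for a deployment role: it may launch and
# describe instances, never terminate them, and only from the office range
# (203.0.113.0/24 is a documentation range, used here as a stand-in).
DEPLOYER_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "LaunchAndInspect",
            "Effect": "Allow",
            "Action": ["ec2:RunInstances", "ec2:Describe*"],
            "Resource": "*",
        },
        {
            "Sid": "OfficeNetworkOnly",
            "Effect": "Deny",
            "Action": "ec2:*",
            "Resource": "*",
            "Condition": {"NotIpAddress": {"aws:SourceIp": "203.0.113.0/24"}},
        },
    ],
}

INSTANCE_ARN = "arn:aws:ec2:us-east-1:123456789012:instance/*"  # constructed

if __name__ == "__main__":
    office = {"aws:SourceIp": "203.0.113.42"}
    elsewhere = {"aws:SourceIp": "198.51.100.7"}
    print(evaluate(DEPLOYER_POLICY, "ec2:RunInstances", INSTANCE_ARN, office))
    print(evaluate(DEPLOYER_POLICY, "ec2:RunInstances", INSTANCE_ARN, elsewhere))
    print(evaluate(DEPLOYER_POLICY, "ec2:TerminateInstances", INSTANCE_ARN, office))
```

The three calls at the bottom show the three outcomes in turn: an allowed launch from the office, the same launch explicitly denied from elsewhere, and a terminate request that no statement mentions and is therefore denied by default. That last case is least privilege in practice: nothing has to be denied by name to be unavailable.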
2.3.2 Root User Protection
The root user has unrestricted access to all AWS resources. It should only be used for initial account setup.
Recommended Protections:
Enable Multi-Factor Authentication (MFA)
Do not use root credentials for daily operations
Monitor access to root through CloudTrail logs
Lock down root access in organizational policy
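The third protection above, monitoring root through CloudTrail, is easy to turn into a detection. The following is an added example, not AWS code, that reads CloudTrail records in the JSON layout the service writes (a top-level "Records" array) and reports every action performed with root credentials, raising the priority for anything beyond a console login and for any root console login made without MFA. The records, timestamps, account id and addresses are constructed, and the set of events treated as expected root activity is an assumption of the example.

```python
"""Flag root-account activity in AWS CloudTrail records.

Added example; not AWS code. Parses CloudTrail JSON offline. Uses the real
record fields userIdentity.type, eventName, eventTime, sourceIPAddress and
additionalEventData.MFAUsed (set on ConsoleLogin events).
"""
import json

# Events the example tolerates from root (assumption of this example, not an
# AWS-defined list); anything else done as root is high priority.
EXPECTED_ROOT_EVENTS = {"ConsoleLogin"}


def root_activity(trail_json):
    """Return one finding dict per root event, oldest first."""
    records = json.loads(trail_json)["Records"]
    findings = []
    for rec in records:
        if rec.get("userIdentity", {}).get("type") != "Root":
            continue
        finding = {
            "time": rec["eventTime"],
            "event": rec["eventName"],
            "source_ip": rec.get("sourceIPAddress"),
            "mfa": rec.get("additionalEventData", {}).get("MFAUsed"),
            "priority": "low" if rec["eventName"] in EXPECTED_ROOT_EVENTS else "high",
        }
        # A root console login without MFA contradicts the first protection
        # in this section, so it is always high priority.
        if finding["event"] == "ConsoleLogin" and finding["mfa"] != "Yes":
            finding["priority"] = "high"
        findings.append(finding)
    return sorted(findings, key=lambda f: f["time"])


# Constructed sample records: one IAM user call (ignored), a root console
# login with MFA, a root IAM change, and a root login without MFA.
SAMPLE_TRAIL = json.dumps({"Records": [
    {
        "eventTime": "2024-01-15T08:00:00Z",
        "eventSource": "ec2.amazonaws.com",
        "eventName": "DescribeInstances",
        "sourceIPAddress": "203.0.113.10",
        "userIdentity": {"type": "IAMUser", "userName": "deployer"},
    },
    {
        "eventTime": "2024-01-15T08:05:00Z",
        "eventSource": "signin.amazonaws.com",
        "eventName": "ConsoleLogin",
        "sourceIPAddress": "203.0.113.10",
        "userIdentity": {"type": "Root", "arn": "arn:aws:iam::123456789012:root"},
        "additionalEventData": {"MFAUsed": "Yes"},
        "responseElements": {"ConsoleLogin": "Success"},
    },
    {
        "eventTime": "2024-01-15T08:07:00Z",
        "eventSource": "iam.amazonaws.com",
        "eventName": "CreateUser",
        "sourceIPAddress": "203.0.113.10",
        "userIdentity": {"type": "Root", "arn": "arn:aws:iam::123456789012:root"},
    },
    {
        "eventTime": "2024-01-16T02:30:00Z",
        "eventSource": "signin.amazonaws.com",
        "eventName": "ConsoleLogin",
        "sourceIPAddress": "198.51.100.7",
        "userIdentity": {"type": "Root", "arn": "arn:aws:iam::123456789012:root"},
        "additionalEventData": {"MFAUsed": "No"},
        "responseElements": {"ConsoleLogin": "Success"},
    },
]})

if __name__ == "__main__":
    for finding in root_activity(SAMPLE_TRAIL):
        print(finding)
```

In practice the same function would run over records delivered to S3 or to CloudWatch Logs, and a high-priority finding would feed an alert; the point of the example is that root usage is a small, well-defined signal once the userIdentity type is checked.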
2.3.3 IAM Identity Center (AWS Single Sign-On)
IAM Identity Center centralizes access control across AWS accounts. It integrates with external identity providers (e.g., Azure AD, Okta) and allows:
Centralized single sign-on
Role-based access control (RBAC)
Group-based permission sets
Discussion:
In large organizations, managing access manually becomes error-prone. IAM Identity Center reduces risk by enforcing consistent, centrally managed identity policies.
2.4 Additional AWS Security Components and Resources
2.4.1 Security Services Overview
AWS provides services to protect applications, detect threats, and automate security response.
| Service | Key Role |
|---|---|
| AWS WAF | Blocks malicious traffic based on rules |
| AWS Shield | Protects against DDoS attacks |
| Amazon GuardDuty | Detects anomalies and unauthorized access |
| Amazon Inspector | Scans for vulnerabilities and misconfigurations |
| AWS Security Hub | Aggregates security findings from multiple sources |
| AWS Firewall Manager | Applies security policies across accounts/orgs |
Discussion:
These tools are designed to work together. For example, GuardDuty findings can trigger automated responses using Lambda, while Security Hub consolidates those alerts for centralized visibility.
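The GuardDuty-to-Lambda pattern described above is shown here as an added example, not AWS code. It has the shape of a Lambda handler that EventBridge would invoke for "GuardDuty Finding" events, but it only classifies the finding and returns a response plan; the AWS API calls that would carry the plan out, and the EventBridge rule that routes findings to the function, are left out so the logic runs offline. Severity bands follow GuardDuty's published scale (Low below 4, Medium 4 to 6.9, High 7 and above); the finding ids, instance id and access key id in the samples are constructed.

```python
"""Decide an automated response to an Amazon GuardDuty finding.

Added example; not AWS code. The event shape (source "aws.guardduty",
detail-type "GuardDuty Finding", finding under "detail" with "severity",
"type" and "resource") is what EventBridge delivers; the response actions
are returned as strings rather than executed.
"""


def severity_label(severity):
    """GuardDuty's published bands: Low <4, Medium 4-6.9, High >=7."""
    if severity >= 7.0:
        return "HIGH"
    if severity >= 4.0:
        return "MEDIUM"
    return "LOW"


def plan_response(finding):
    """Map one finding (the event's "detail") to a list of response actions."""
    label = severity_label(float(finding["severity"]))
    resource = finding.get("resource", {})
    kind = resource.get("resourceType")
    plan = {
        "finding_id": finding["id"],
        "type": finding["type"],
        "severity": label,
        "actions": ["record_for_security_hub"],  # assumption: always keep an audit record
    }
    if label == "LOW":
        return plan
    plan["actions"].append("notify_security_channel")
    if label == "HIGH" and kind == "Instance":
        instance_id = resource["instanceDetails"]["instanceId"]
        # Containment step a real deployment would perform with the EC2 API:
        # move the instance into an isolated security group.
        plan["actions"].append(f"quarantine_instance:{instance_id}")
    if label == "HIGH" and kind == "AccessKey":
        key_id = resource["accessKeyDetails"]["accessKeyId"]
        plan["actions"].append(f"deactivate_access_key:{key_id}")
    return plan


def lambda_handler(event, context=None):
    """Entry point EventBridge would call; ignores events from other sources."""
    if event.get("source") != "aws.guardduty" or event.get("detail-type") != "GuardDuty Finding":
        return {"ignored": True}
    return plan_response(event["detail"])


def _make_event(finding_type, severity, resource):
    """Build a constructed EventBridge event in the layout GuardDuty emits."""
    return {
        "version": "0",
        "source": "aws.guardduty",
        "detail-type": "GuardDuty Finding",
        "region": "us-east-1",
        "detail": {
            "schemaVersion": "2.0",
            "id": f"constructed-id-{severity}",
            "type": finding_type,
            "severity": severity,
            "resource": resource,
        },
    }


INSTANCE = {"resourceType": "Instance",
            "instanceDetails": {"instanceId": "i-0123456789abcdef0"}}  # constructed
ACCESS_KEY = {"resourceType": "AccessKey",
              "accessKeyDetails": {"accessKeyId": "AKIAEXAMPLEKEY00001"}}  # constructed

SAMPLE_MEDIUM_EVENT = _make_event("UnauthorizedAccess:EC2/SSHBruteForce", 5.0, INSTANCE)
SAMPLE_HIGH_EVENT = _make_event("Backdoor:EC2/C&CActivity.B!DNS", 8.0, INSTANCE)
SAMPLE_KEY_EVENT = _make_event(
    "UnauthorizedAccess:IAMUser/InstanceCredentialExfiltration.OutsideAWS", 8.0, ACCESS_KEY)

if __name__ == "__main__":
    for event in (SAMPLE_MEDIUM_EVENT, SAMPLE_HIGH_EVENT, SAMPLE_KEY_EVENT):
        print(lambda_handler(event))
```

Keeping the decision separate from the AWS calls is deliberate: the classification can be unit-tested with constructed events, and the function that performs containment can be given a narrowly scoped IAM role of its own.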
2.4.2 Encryption and Key Management
Encryption is a core requirement for protecting data privacy and ensuring compliance.
AWS KMS: Manages cryptographic keys with auditability.
AWS Secrets Manager: Stores sensitive credentials with rotation support.
AWS Certificate Manager (ACM): Simplifies SSL/TLS certificate provisioning, deployment, and renewal for secure websites.
Discussion:
Data breaches often occur not due to stolen infrastructure, but due to mismanaged credentials. Automating key and secret rotation significantly reduces attack risk.
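The rotation the discussion above recommends follows a fixed protocol in Secrets Manager: the rotation function is invoked once per step, createSecret, setSecret, testSecret and finishSecret, and the service tracks versions with the staging labels AWSPENDING, AWSCURRENT and AWSPREVIOUS. The following is an added example, not AWS code, that models that flow offline: an in-memory SecretStore stands in for the Secrets Manager API, a FakeDatabase stands in for the system whose password is rotated, and the real handler's event fields (SecretId, ClientRequestToken, Step) are reduced to the step name.

```python
"""Model of the Secrets Manager four-step rotation flow.

Added example; not AWS code. SecretStore and FakeDatabase are stand-ins so
the sequence createSecret -> setSecret -> testSecret -> finishSecret and the
movement of the AWSPENDING / AWSCURRENT / AWSPREVIOUS labels can run offline.
"""
import secrets
import string


class SecretStore:
    """Minimal stand-in for Secrets Manager versions and staging labels."""

    def __init__(self, current_value):
        self.versions = {"v0": current_value}
        self.stages = {"AWSCURRENT": "v0"}

    def get(self, stage):
        return self.versions[self.stages[stage]]

    def put_pending(self, value):
        version_id = f"v{len(self.versions)}"
        self.versions[version_id] = value
        self.stages["AWSPENDING"] = version_id

    def promote_pending(self):
        """finishSecret: AWSCURRENT becomes AWSPREVIOUS, AWSPENDING becomes AWSCURRENT."""
        self.stages["AWSPREVIOUS"] = self.stages["AWSCURRENT"]
        self.stages["AWSCURRENT"] = self.stages.pop("AWSPENDING")


class FakeDatabase:
    """The system whose credential is rotated; accepts exactly one password."""

    def __init__(self, password):
        self.password = password

    def set_password(self, new_password):
        self.password = new_password

    def login(self, password):
        return password == self.password


def new_password(length=32):
    """Generate a credential from the OS CSPRNG (the secrets module)."""
    alphabet = string.ascii_letters + string.digits
    return "".join(secrets.choice(alphabet) for _ in range(length))


def rotation_step(step, store, db):
    """One invocation of the rotation function, dispatched on the step name."""
    if step == "createSecret":
        # Generate the candidate credential; nothing uses it yet. Idempotent
        # so a retried invocation does not create a second pending version.
        if "AWSPENDING" not in store.stages:
            store.put_pending(new_password())
    elif step == "setSecret":
        # Push the pending credential to the target system.
        db.set_password(store.get("AWSPENDING"))
    elif step == "testSecret":
        # Prove the pending credential works before anything depends on it.
        if not db.login(store.get("AWSPENDING")):
            raise RuntimeError("pending credential rejected; rotation aborted")
    elif step == "finishSecret":
        store.promote_pending()
    else:
        raise ValueError(f"unknown rotation step {step!r}")


def rotate(store, db):
    """Run the four steps in order and return the new AWSCURRENT value."""
    for step in ("createSecret", "setSecret", "testSecret", "finishSecret"):
        rotation_step(step, store, db)
    return store.get("AWSCURRENT")


if __name__ == "__main__":
    store = SecretStore("initial-password")   # constructed starting credential
    db = FakeDatabase("initial-password")
    print("rotated to:", rotate(store, db))
    print("stages:", store.stages)
```

The order matters: the new value is tested while the old one is still AWSCURRENT, so a failing testSecret leaves every consumer on a working credential, and AWSPREVIOUS keeps the old value available for rollback after the swap.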
2.4.3 Monitoring and Logging Tools
Visibility is essential to understanding and securing your cloud environment.
Amazon CloudWatch: Monitors resource performance and triggers alerts.
AWS CloudTrail: Tracks every API call for auditing.
AWS Config: Ensures resources remain in compliance with expected settings.
AWS Trusted Advisor: Recommends optimizations across cost, performance, and security.
Example Use Case:
A sudden spike in EC2 usage can trigger a CloudWatch alarm and send an SNS notification. A DevOps team can then investigate using CloudTrail logs.
2.4.4 Knowledge and Support Resources
AWS offers many public resources to build security awareness and technical competency:
AWS Knowledge Center: FAQ-style articles on common security topics.
AWS Security Blog: Thought leadership, incident response case studies, and best practices.
AWS re:Post: Community Q&A driven by real AWS practitioners.
AWS Whitepapers: Deep dives on architecture and compliance strategies.
Discussion:
Security is not a one-time configuration but a continuous process. Staying informed through AWS blogs, whitepapers, and forums is critical to keeping systems up to date and secure.
Summary
Security and compliance are foundational to operating in the AWS Cloud. Through the Shared Responsibility Model, AWS provides highly secure infrastructure, while customers are empowered—and obligated—to configure and manage their resources responsibly.
Key Takeaways:
Understand your responsibilities based on the services you use.
Use IAM to control access and apply least privilege.
Encrypt data and manage keys using KMS and Secrets Manager.
Monitor your environment with CloudWatch, CloudTrail, and Config.
Centralize findings and automate responses with Security Hub and GuardDuty.
Stay compliant with global regulations using Audit Manager and Artifact.
Security in the cloud is both a technical challenge and an organizational discipline. By embracing AWS security tools and best practices, organizations can build systems that are resilient, compliant, and trustworthy.