Security Features of AWS Services

Uploaded by sohaliyagaurav

NOT FOR DISTRIBUTION © Stephane Maarek
Security - Kinesis
• Kinesis Data Streams
  • HTTPS (TLS) endpoints provide encryption in flight
  • AWS KMS provides server-side encryption (encryption at rest)
  • For client-side encryption, you must use your own encryption libraries
  • Supports Interface VPC Endpoints / PrivateLink – access privately
  • KCL – the consumer's IAM identity needs read/write access to its DynamoDB checkpoint table
• Kinesis Data Firehose:
  • Attach IAM roles so it can deliver to S3 / ES / Redshift / Splunk
  • Can encrypt the delivery stream with KMS (server-side encryption)
  • Supports Interface VPC Endpoints / PrivateLink – access privately
• Kinesis Data Analytics
  • Attach an IAM role so it can read from Kinesis Data Streams and reference sources and write to an output destination (for example Kinesis Data Firehose)
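The KCL bullet above is the one people get wrong: the consumer only reads from the stream, but it needs read/write access to the DynamoDB table where it keeps leases and checkpoints. The Python below is an added example, not code from the course; it builds that least-privilege policy for constructed stream and table ARNs and then checks that nothing in the document could grant a stream write or an unscoped data resource. The action lists are what a typical KCL deployment requires; trim them to what your KCL version actually calls.

```python
"""Least-privilege IAM policy for a KCL consumer (added example, not course code).

Constructed placeholders: the stream and lease-table ARNs passed in by the caller.
"""
import json
from fnmatch import fnmatchcase

# Read-side actions a KCL consumer needs on the stream it consumes.
STREAM_READ_ACTIONS = [
    "kinesis:DescribeStream",
    "kinesis:DescribeStreamSummary",
    "kinesis:ListShards",
    "kinesis:GetShardIterator",
    "kinesis:GetRecords",
]
# KCL keeps leases and checkpoints in a DynamoDB table it creates on first run,
# so it needs read/write (and CreateTable) on that one table only.
LEASE_TABLE_ACTIONS = [
    "dynamodb:CreateTable",
    "dynamodb:DescribeTable",
    "dynamodb:GetItem",
    "dynamodb:PutItem",
    "dynamodb:UpdateItem",
    "dynamodb:DeleteItem",
    "dynamodb:Scan",
]
# Stream actions a consumer must never be granted (used by the self-check).
STREAM_WRITE_ACTIONS = [
    "kinesis:PutRecord",
    "kinesis:PutRecords",
    "kinesis:DeleteStream",
    "kinesis:MergeShards",
    "kinesis:SplitShard",
]


def kcl_consumer_policy(stream_arn, lease_table_arn):
    """Build the policy document to attach to the consumer's IAM role."""
    return {
        "Version": "2012-10-17",
        "Statement": [
            {"Sid": "ReadStream", "Effect": "Allow",
             "Action": STREAM_READ_ACTIONS, "Resource": stream_arn},
            {"Sid": "LeaseTable", "Effect": "Allow",
             "Action": LEASE_TABLE_ACTIONS, "Resource": lease_table_arn},
            # KCL publishes its own CloudWatch metrics; PutMetricData is not
            # resource-scoped, so "*" is the narrowest resource possible here.
            {"Sid": "Metrics", "Effect": "Allow",
             "Action": "cloudwatch:PutMetricData", "Resource": "*"},
        ],
    }


def _as_list(value):
    return value if isinstance(value, list) else [value]


def stream_statements_are_read_only(policy):
    """True if no Allow statement could grant a stream write.

    Policy action strings may contain IAM wildcards ("kinesis:*", "*"), so each
    granted pattern is matched against the list of known write actions.
    """
    for stmt in policy["Statement"]:
        if stmt["Effect"] != "Allow":
            continue
        for granted in _as_list(stmt["Action"]):
            if any(fnmatchcase(write, granted) for write in STREAM_WRITE_ACTIONS):
                return False
    return True


def data_statements_are_scoped(policy):
    """True if every Kinesis/DynamoDB grant names a specific resource ARN."""
    for stmt in policy["Statement"]:
        actions = _as_list(stmt["Action"])
        touches_data = any(a == "*" or a.startswith(("kinesis:", "dynamodb:")) for a in actions)
        if touches_data and "*" in _as_list(stmt["Resource"]):
            return False
    return True


if __name__ == "__main__":
    policy = kcl_consumer_policy(
        "arn:aws:kinesis:us-east-1:111111111111:stream/orders",            # constructed
        "arn:aws:dynamodb:us-east-1:111111111111:table/orders-consumer",   # constructed
    )
    print(json.dumps(policy, indent=2))
    print("read-only on stream:", stream_statements_are_read_only(policy))
    print("resources scoped   :", data_statements_are_scoped(policy))
```

The two check functions are the part worth keeping in CI: they catch the common drift of someone widening `Action` to `kinesis:*` or `Resource` to `*` on a consumer that only ever needs to read one stream.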

© 2023 All Rights Reserved Worldwide
Security - SQS
• Encryption in flight using the HTTPS endpoint
• Server-side encryption using KMS
• IAM policy must allow usage of SQS
• SQS queue access policy
• Client-side encryption must be implemented manually
• VPC Endpoint is provided through an Interface

Security – AWS IoT
• AWS IoT policies:
  • Attached to X.509 certificates or Cognito identities
  • Able to revoke any device at any time
  • IoT policies are JSON documents
  • Can be attached to groups instead of individual Things
• IAM policies:
  • Attached to users, groups or roles
  • Used for controlling the AWS IoT APIs
• Attach roles to the Rules Engine so its rules can perform their actions

Security – Amazon S3
• IAM policies
• S3 bucket policies
• Access Control Lists (ACLs)
• Encryption in flight using HTTPS
• Encryption at rest
  • Server-side encryption: SSE-S3, SSE-KMS, SSE-C
  • Client-side encryption – such as the Amazon S3 Encryption Client
• Versioning + MFA Delete
• CORS for protecting websites
• VPC Endpoint is provided through a Gateway
• Glacier – vault lock policies to prevent deletes (WORM)
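Both the SQS slide (queue access policy, HTTPS endpoint) and the S3 slide (bucket policy, HTTPS, SSE-KMS) describe rules that are enforced through a resource policy. The Python below is an added example, not code from the course: it writes those policies for a constructed bucket, queue and KMS key, then runs constructed sample requests through a minimal evaluator of the Deny statements so you can see exactly which requests get blocked before the policy is deployed. The evaluator models only the condition operators these statements use and only explicit Deny; an Allow from IAM or the resource policy is still required for a request to succeed.

```python
"""Resource policies enforcing HTTPS and SSE-KMS, with a local evaluator for
their Deny statements (added example, not course code).

Constructed placeholders: bucket name, queue ARN, KMS key ARN, sample requests.
Only explicit Deny is modelled; an Allow from IAM or the resource policy is
still needed for a request to succeed.
"""
from fnmatch import fnmatchcase


def s3_bucket_policy(bucket, kms_key_arn):
    arn = f"arn:aws:s3:::{bucket}"
    deny = {"Effect": "Deny", "Principal": "*"}
    return {"Version": "2012-10-17", "Statement": [
        # Encryption in flight: refuse every call made over plain HTTP.
        {**deny, "Sid": "DenyInsecureTransport", "Action": "s3:*",
         "Resource": [arn, f"{arn}/*"],
         "Condition": {"Bool": {"aws:SecureTransport": "false"}}},
        # Encryption at rest: uploads must request SSE-KMS ...
        {**deny, "Sid": "DenyUnencryptedObjectUploads", "Action": "s3:PutObject",
         "Resource": f"{arn}/*",
         "Condition": {"StringNotEquals": {"s3:x-amz-server-side-encryption": "aws:kms"}}},
        # ... with this specific key (a missing key header also fails this test).
        {**deny, "Sid": "DenyWrongKmsKey", "Action": "s3:PutObject",
         "Resource": f"{arn}/*",
         "Condition": {"StringNotEquals": {
             "s3:x-amz-server-side-encryption-aws-kms-key-id": kms_key_arn}}},
    ]}


def sqs_queue_policy(queue_arn):
    """The same HTTPS-only rule expressed as an SQS queue access policy."""
    return {"Version": "2012-10-17", "Statement": [
        {"Sid": "DenyInsecureTransport", "Effect": "Deny", "Principal": "*",
         "Action": "sqs:*", "Resource": queue_arn,
         "Condition": {"Bool": {"aws:SecureTransport": "false"}}},
    ]}


def _as_list(value):
    return value if isinstance(value, list) else [value]


def _condition_matches(operator, key, expected, ctx):
    """IAM semantics for the operators used above. Note the missing-key rule:
    a negated string operator evaluates to true when the key is absent."""
    present = key in ctx
    if operator == "Bool":
        return present and str(ctx[key]).lower() == str(expected).lower()
    if operator == "StringEquals":
        return present and ctx[key] == expected
    if operator == "StringNotEquals":
        return (not present) or ctx[key] != expected
    raise ValueError(f"operator not modelled: {operator}")


def explicit_deny(policy, action, resource, ctx):
    """Return the Sid of the first Deny statement the request trips, else None."""
    for stmt in policy["Statement"]:
        if stmt["Effect"] != "Deny":
            continue
        if not any(fnmatchcase(action, a) for a in _as_list(stmt["Action"])):
            continue
        if not any(fnmatchcase(resource, r) for r in _as_list(stmt["Resource"])):
            continue
        conditions = stmt.get("Condition", {})
        if all(_condition_matches(op, k, v, ctx)
               for op, pairs in conditions.items() for k, v in pairs.items()):
            return stmt["Sid"]
    return None


# Constructed identifiers for the demo.
KMS_KEY = "arn:aws:kms:us-east-1:111111111111:key/00000000-0000-0000-0000-000000000000"
BUCKET_POLICY = s3_bucket_policy("analytics-raw", KMS_KEY)
OBJECT = "arn:aws:s3:::analytics-raw/events/2024/01/01.json"
QUEUE_ARN = "arn:aws:sqs:us-east-1:111111111111:orders"
QUEUE_POLICY = sqs_queue_policy(QUEUE_ARN)

if __name__ == "__main__":
    samples = [
        ("plain HTTP upload", {"aws:SecureTransport": "false"}),
        ("HTTPS, no SSE header", {"aws:SecureTransport": "true"}),
        ("HTTPS, SSE-S3", {"aws:SecureTransport": "true",
                           "s3:x-amz-server-side-encryption": "AES256"}),
        ("HTTPS, SSE-KMS, right key", {"aws:SecureTransport": "true",
                                       "s3:x-amz-server-side-encryption": "aws:kms",
                                       "s3:x-amz-server-side-encryption-aws-kms-key-id": KMS_KEY}),
    ]
    for label, ctx in samples:
        print(f"{label:27} -> {explicit_deny(BUCKET_POLICY, 's3:PutObject', OBJECT, ctx)}")
    print("SQS SendMessage over HTTP   ->",
          explicit_deny(QUEUE_POLICY, "sqs:SendMessage", QUEUE_ARN, {"aws:SecureTransport": "false"}))
```

One caveat worth knowing before copying the bucket policy: if the bucket also has default encryption configured, uploads that omit the encryption headers and rely on the default will be rejected by the `StringNotEquals` statements, so choose one enforcement mechanism rather than stacking both.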

Security – DynamoDB
• Data is encrypted in transit using TLS (HTTPS)
• DynamoDB tables are encrypted at rest
  • KMS encryption for base tables and secondary indexes
  • AWS owned key (default)
  • AWS managed key (aws/dynamodb)
  • Customer managed key (your own)
• Access to tables / API / DAX using IAM
• DynamoDB Streams are encrypted
• VPC Endpoint is provided through a Gateway

Security - RDS
• VPC provides network isolation
• Security Groups control network access to DB instances
• KMS provides encryption at rest
• SSL/TLS provides encryption in flight
• IAM policies provide protection for the RDS API
• IAM authentication is supported by PostgreSQL, MySQL and MariaDB
• Must manage user permissions within the database itself
• MSSQL Server and Oracle support TDE (Transparent Data Encryption)
Security - Aurora
• (very similar to RDS)
• VPC provides network isolation
• Security Groups control network access to DB instances
• KMS provides encryption at rest
• SSL/TLS provides encryption in flight
• IAM authentication is supported by PostgreSQL and MySQL
• Must manage user permissions within the database itself
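The RDS and Aurora slides both list IAM authentication and both add that permissions are still managed inside the database. What IAM authentication actually hands the client is a short-lived token: a SigV4-signed, presigned "connect" request that is sent in place of the password, signed for the service name `rds-db` and valid for 15 minutes. The Python below is an added example, not code from the course, that reimplements that token generation with only the standard library so its structure is visible; in real code call boto3's RDS client method `generate_db_auth_token`, which produces the same shape. Host name, user, and the credentials used here are constructed placeholders.

```python
"""RDS / Aurora IAM database authentication token (added example, not course code).

Reimplements the SigV4 query-string presigning that boto3's
generate_db_auth_token performs, using only the standard library, so the
token's structure is visible. Use boto3 in production code. Host, user and
credentials below are constructed placeholders.
"""
import datetime as dt
import hashlib
import hmac
from urllib.parse import parse_qs, quote

SIGNING_SERVICE = "rds-db"   # the service name IAM DB auth tokens are signed for


def _hmac_sha256(key, msg):
    return hmac.new(key, msg.encode("utf-8"), hashlib.sha256).digest()


def generate_auth_token(host, port, db_user, region, access_key, secret_key,
                        session_token=None, now=None, expires=900):
    """Return the string the client presents as its password (valid `expires` seconds)."""
    now = now or dt.datetime.now(dt.timezone.utc)
    amz_date = now.strftime("%Y%m%dT%H%M%SZ")
    date_stamp = now.strftime("%Y%m%d")
    scope = f"{date_stamp}/{region}/{SIGNING_SERVICE}/aws4_request"

    params = {
        "Action": "connect",
        "DBUser": db_user,
        "X-Amz-Algorithm": "AWS4-HMAC-SHA256",
        "X-Amz-Credential": f"{access_key}/{scope}",
        "X-Amz-Date": amz_date,
        "X-Amz-Expires": str(expires),
        "X-Amz-SignedHeaders": "host",
    }
    if session_token:                        # temporary credentials (e.g. an assumed role)
        params["X-Amz-Security-Token"] = session_token

    # Canonical query string: keys sorted, everything except unreserved chars encoded.
    canonical_query = "&".join(
        f"{quote(k, safe='-_.~')}={quote(v, safe='-_.~')}" for k, v in sorted(params.items()))
    host_header = f"{host}:{port}"
    canonical_request = "\n".join([
        "GET", "/", canonical_query,
        f"host:{host_header}\n",             # canonical headers (each line ends with \n)
        "host",                              # signed headers
        hashlib.sha256(b"").hexdigest(),     # hash of the empty payload
    ])
    string_to_sign = "\n".join([
        "AWS4-HMAC-SHA256", amz_date, scope,
        hashlib.sha256(canonical_request.encode("utf-8")).hexdigest(),
    ])

    # Derive the signing key from the secret: date -> region -> service -> request.
    key = _hmac_sha256(("AWS4" + secret_key).encode("utf-8"), date_stamp)
    for part in (region, SIGNING_SERVICE, "aws4_request"):
        key = _hmac_sha256(key, part)
    signature = hmac.new(key, string_to_sign.encode("utf-8"), hashlib.sha256).hexdigest()

    # The token is the presigned URL with its scheme stripped.
    return f"{host_header}/?{canonical_query}&X-Amz-Signature={signature}"


def token_fields(token):
    """Decode a token's query parameters (for inspection and tests)."""
    query = token.split("?", 1)[1]
    return {k: v[0] for k, v in parse_qs(query).items()}


# Constructed inputs; the fixed timestamp makes the token reproducible.
EXAMPLE_TOKEN = generate_auth_token(
    host="mydb.example.internal", port=5432, db_user="app_reader", region="us-east-1",
    access_key="AKIACONSTRUCTEDEXAMPLE", secret_key="constructed-secret-not-real",
    now=dt.datetime(2024, 1, 1, 12, 0, 0, tzinfo=dt.timezone.utc),
)

if __name__ == "__main__":
    print(EXAMPLE_TOKEN)
```

Two things the token makes concrete: it carries no database password at all (the database verifies the signature against IAM), and it expires on its own, so a leaked token is far less useful than a leaked password. It does not change the second bullet, though: the database user must already exist and be mapped to IAM authentication inside the database, and what that user may do is still decided by grants inside the database.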

Security - Lambda
• IAM roles attached to each Lambda function
  • Sources
  • Targets
• KMS encryption for secrets
• SSM Parameter Store for configurations
• CloudWatch Logs
• Deploy in a VPC to access private resources
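The Lambda slide puts KMS encryption for secrets, SSM Parameter Store for configuration and CloudWatch Logs side by side, and the way they interact matters. The Python below is an added example, not code from the course, showing how a function would pull SecureString parameters (decrypted by KMS when `WithDecryption=True` is set), batch the request within the 10-name limit of GetParameters, fail closed if any name is missing, cache the values for the life of the execution environment, and keep the values themselves out of CloudWatch Logs. The parameter names, sample values and the in-memory client stand-in are constructed; a real function passes `boto3.client("ssm")`, and its role needs `ssm:GetParameters` on those parameters plus `kms:Decrypt` on the key that protects them.

```python
"""Loading KMS-encrypted configuration from SSM Parameter Store in a Lambda
function (added example, not course code).

Constructed: the parameter names, the sample values and ConstructedSsm, an
offline stand-in that returns the same shape as the real GetParameters call.
"""
import logging

log = logging.getLogger(__name__)
MAX_NAMES_PER_CALL = 10          # GetParameters accepts at most 10 names per request


def load_parameters(ssm, names):
    """Fetch and decrypt `names` in batches of 10; fail closed if any is missing."""
    values, missing = {}, []
    for start in range(0, len(names), MAX_NAMES_PER_CALL):
        batch = list(names[start:start + MAX_NAMES_PER_CALL])
        resp = ssm.get_parameters(Names=batch, WithDecryption=True)
        for p in resp["Parameters"]:
            values[p["Name"]] = p["Value"]
        missing.extend(resp.get("InvalidParameters", []))
    if missing:
        # Parameter names are safe to log; values never are.
        raise RuntimeError(f"missing SSM parameters: {sorted(missing)}")
    log.info("loaded %d parameters from SSM", len(values))
    return values


class ConstructedSsm:
    """Offline stand-in for boto3's SSM client (constructed for this example)."""

    def __init__(self, store):
        self.store = store
        self.calls = 0

    def get_parameters(self, Names, WithDecryption=False):
        self.calls += 1
        if len(Names) > MAX_NAMES_PER_CALL:
            raise ValueError("GetParameters: too many names")     # mirrors the service limit
        found = [{"Name": n, "Type": "SecureString", "Value": self.store[n]}
                 for n in Names if n in self.store]
        return {"Parameters": found,
                "InvalidParameters": [n for n in Names if n not in self.store]}


# Constructed sample parameters, named as a real deployment might name them.
PARAM_NAMES = ["/orders/prod/db_password", "/orders/prod/api_token"]
SAMPLE_STORE = {"/orders/prod/db_password": "constructed-pw",
                "/orders/prod/api_token": "constructed-token"}

_config = None   # filled on cold start, reused by later invocations in this environment


def get_config(ssm=None):
    global _config
    if _config is None:
        _config = load_parameters(ssm or ConstructedSsm(SAMPLE_STORE), PARAM_NAMES)
    return _config


def handler(event, context):
    cfg = get_config()
    # cfg["..."] is used to reach the database / API; the response echoes only names.
    return {"statusCode": 200, "configured": sorted(cfg)}
```

Loading at cold start rather than per invocation keeps the number of decrypt calls (and the KMS cost and audit noise) proportional to execution environments, not requests; rotate a value by updating the parameter and letting environments recycle, or add a TTL to the cache if faster pickup is needed.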

Security - Glue
• IAM policies for the Glue service
• Configure Glue to only access JDBC through SSL
• Data Catalog: encrypted by KMS
• Connection passwords: encrypted by KMS
• Data written by AWS Glue – Security Configurations:
  • S3 encryption mode: SSE-S3 or SSE-KMS
  • CloudWatch encryption mode
  • Job bookmark encryption mode

Security - EMR
• Use an Amazon EC2 key pair for SSH credentials
• Attach IAM roles to EC2 instances for:
  • proper S3 access
  • EMRFS requests to S3
  • DynamoDB scans through Hive
• EC2 Security Groups
  • One for the master node
  • Another one for cluster nodes (core nodes or task nodes)
• Encrypts data at rest: EBS encryption, open source HDFS encryption, LUKS + EMRFS for S3
• In-transit encryption: node-to-node communication, EMRFS, TLS
• Data is encrypted before uploading to S3
• Kerberos authentication (provide authentication from Active Directory)
• Apache Ranger: centralized authorization (RBAC – Role Based Access Control) – set up on an external EC2 instance
Security – OpenSearch Service
• Amazon VPC provides network isolation
• OpenSearch policy to manage security further
• Data security by encrypting data at rest using KMS
• Encryption in transit using HTTPS (TLS)
• IAM or Cognito based authentication
• Amazon Cognito allows end users to log in to OpenSearch Dashboards through enterprise identity providers such as Microsoft Active Directory using SAML

Security - Redshift
• VPC provides network isolation
• Cluster security groups
• Encryption in flight using the JDBC driver enabled with SSL
• Encryption at rest using KMS or an HSM device (establish a connection)
• Supports S3 SSE using the default managed key
• Use IAM Roles for Redshift
  • To access other AWS resources (for example S3 or KMS)
  • Must be referenced in the COPY or UNLOAD command (alternatively paste access key and secret key credentials)

Security - Athena
• IAM policies to control access to the service
• Data is in S3: IAM policies, bucket policies & ACLs
• Encryption of data according to S3 standards: SSE-S3, SSE-KMS, CSE-KMS
• Encryption in transit using TLS between Athena and S3 and for JDBC
• Fine-grained access using the AWS Glue Catalog

Security - QuickSight
• Standard edition:
  • IAM users
  • Email-based accounts
• Enterprise edition:
  • Active Directory
  • Federated login
• Supports MFA (Multi-Factor Authentication)
• Encryption at rest and in SPICE
• Row Level Security to control which users can see which rows
• Column Level Security to restrict access to specific columns in a dataset