AWS Cloud Security


Some people claim that the cloud is not secure and therefore prefer to stay on-premises instead of migrating. In fact, every security control available on-premises is also available in the cloud, and the cloud can even be more secure because the provider enforces certain controls for you. In this article, we will go through the cloud security model, cloud identity and access management (IAM) and cloud auditing.

Cloud Security Model

As mentioned before, AWS takes on some of the responsibilities. In general, AWS provides managed services and the AWS global infrastructure. As I said before, the switches and routers are managed by AWS, so we can spend our effort elsewhere. However, tasks such as client- and server-side encryption, network traffic protection, and network and system administration remain the customer's job.

For physical security, AWS provides trained security staff 7×24. AWS data centers are in nondescript, undisclosed facilities, and anyone who wants to enter a data center must pass two-factor authentication.

We can use SSL endpoints, security groups and VPCs to protect our network. By default, any port that has not been explicitly opened is blocked.

AWS Identity and Access Management (IAM)

There are mainly 3 types of identity in AWS: users and groups, roles, and federated users.

When several users belong to the same team, we put them in the same group; a group is nothing more than a collection of users.

After that, we attach a set of policies to the group, following the principle of least privilege.

An IAM role is a fairly new concept compared to traditional administration. A role uses policies but has no credentials of its own. Generally speaking, services, applications and IAM users may assume IAM roles.

For example, when an application on EC2 wants to access S3, we could store AWS credentials on the EC2 instance. The secure alternative is to assign the EC2 instance a role that grants it access to S3.

We use temporary security credentials (AWS STS) for cross-account access, federation, mobile users, and key rotation for EC2-based apps.

When we talk about authentication, we mean the AWS Management Console and the AWS CLI or SDK APIs. When we talk about authorization, we mean policies.

The figure above shows a list of IAM best practices.

Cloud Auditing

We can use CloudTrail to record the AWS API calls made in an account. It delivers log files with the call details to an Amazon S3 bucket, and it records calls made through the AWS Management Console, AWS SDKs, AWS CLI and higher-level AWS services.
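As an added example (not part of the original article), here is a small Python audit over constructed CloudTrail-style records that ties the IAM advice above to the auditing step: it flags API calls made with a long-term IAM user access key (the "credentials stored on the instance" case) instead of a role's STS temporary credentials, and goes one step further by also flagging console logins recorded without MFA. Field names follow the CloudTrail record format; the sample records, ARNs and key IDs are constructed.

```python
import json

# Constructed sample CloudTrail records (not real log data): an EC2-hosted app
# calling S3 with a role's STS temporary credentials, an IAM user calling S3
# with a long-term access key, and a console login without MFA.
SAMPLE_TRAIL = json.dumps({"Records": [
    {"eventTime": "2024-01-01T10:00:00Z", "eventSource": "s3.amazonaws.com",
     "eventName": "GetObject", "sourceIPAddress": "10.0.1.25",
     "userIdentity": {"type": "AssumedRole", "accessKeyId": "ASIAEXAMPLE111",
                      "arn": "arn:aws:sts::123456789012:assumed-role/app-role/i-0abc"}},
    {"eventTime": "2024-01-01T10:05:00Z", "eventSource": "s3.amazonaws.com",
     "eventName": "PutObject", "sourceIPAddress": "10.0.1.26",
     "userIdentity": {"type": "IAMUser", "userName": "deploy-bot",
                      "accessKeyId": "AKIAEXAMPLE222",
                      "arn": "arn:aws:iam::123456789012:user/deploy-bot"}},
    {"eventTime": "2024-01-01T11:00:00Z", "eventSource": "signin.amazonaws.com",
     "eventName": "ConsoleLogin", "sourceIPAddress": "203.0.113.7",
     "userIdentity": {"type": "IAMUser", "userName": "alice",
                      "arn": "arn:aws:iam::123456789012:user/alice"},
     "additionalEventData": {"MFAUsed": "No"}},
]})


def audit_records(trail_json):
    """Return (eventName, arn, finding) tuples for records that break the
    practices above: long-term keys used for API calls, and console logins
    performed without MFA."""
    findings = []
    for rec in json.loads(trail_json)["Records"]:
        ident = rec.get("userIdentity", {})
        key = ident.get("accessKeyId", "")
        arn = ident.get("arn", "?")
        # Keys issued by STS start with "ASIA"; long-term IAM user keys start
        # with "AKIA". An IAM user calling with an AKIA key means a stored
        # long-lived secret is in use rather than a role.
        if ident.get("type") == "IAMUser" and key.startswith("AKIA"):
            findings.append((rec["eventName"], arn,
                             "long-term access key used; prefer a role with STS temporary credentials"))
        mfa = rec.get("additionalEventData", {}).get("MFAUsed")
        if rec.get("eventName") == "ConsoleLogin" and mfa == "No":
            findings.append((rec["eventName"], arn, "console login without MFA"))
    return findings


if __name__ == "__main__":
    for event, arn, why in audit_records(SAMPLE_TRAIL):
        print(f"{event:13} {arn}: {why}")
```

In practice the same function would run over the gzipped JSON files CloudTrail delivers to the S3 bucket, one file at a time.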


In this article, we learned about the security model, IAM and auditing. In fact, there is no big difference between on-premises and cloud when it comes to security: the security ideas are very similar and the best practices are almost the same.
