Domain 1 - AWS Solutions Architect Study Notes

Domain 1: Design Secure Architectures

Security is a fundamental priority in AWS, and Domain 1 focuses on creating robust architectures that safeguard sensitive data, control access to resources, and ensure regulatory compliance. This article will cover key aspects of designing secure AWS architectures, including access control, workload protection, and data encryption.


Secure Access to AWS Resources

In any cloud environment, controlling who has access to what resources is critical. AWS provides several tools and features to ensure secure access:

Identity and Access Management (IAM)

IAM is the cornerstone of AWS security. It allows you to manage access to AWS services and resources securely. The main components of IAM include:

  1. Users: Individual entities such as people or applications that need access to AWS resources. Each user can have unique credentials and permissions.
  2. Groups: Logical collections of users that share the same permissions. For example, a group called "Developers" might have permission to deploy applications but not access sensitive data.
  3. Roles: Identities that AWS services, users, or principals in trusted external accounts can assume to obtain temporary credentials. Roles eliminate the need for long-term access keys embedded in your applications.
  4. Policies: JSON documents that define the permissions for users, groups, or roles. For example, a policy might grant read-only access to S3 buckets or full administrative access.

Best Practices for IAM:

  • Enforce the principle of least privilege, ensuring users only have the permissions necessary to perform their tasks.
  • Use Multi-Factor Authentication (MFA) for all privileged accounts to add an extra layer of security.
  • Regularly audit IAM permissions and remove unnecessary access.
  • Utilize IAM roles instead of access keys for applications running on AWS services like EC2 or Lambda.

Resource-Based Policies

Resource-based policies are directly attached to AWS resources like S3 buckets, SNS topics, or Lambda functions. These policies allow fine-grained control over who can access the resource.

Example: An S3 bucket policy granting read-only access to a specific user:

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Principal": {
        "AWS": "arn:aws:iam::123456789012:user/ExampleUser"
      },
      "Action": "s3:GetObject",
      "Resource": "arn:aws:s3:::example-bucket/*"
    }
  ]
}
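To see how a resource-based policy is evaluated, here is an added example (not part of the original notes) that parses the bucket policy above and decides requests against it with IAM's ordering: an explicit Deny overrides any Allow, and a request no statement matches is implicitly denied. It evaluates this one policy in isolation; in AWS the identity-based policies, SCPs and other policy types are evaluated alongside it.

```python
import json
import re

# The bucket policy from the notes above, parsed as the evaluator's input.
BUCKET_POLICY = json.loads("""
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Principal": {"AWS": "arn:aws:iam::123456789012:user/ExampleUser"},
      "Action": "s3:GetObject",
      "Resource": "arn:aws:s3:::example-bucket/*"
    }
  ]
}
""")


def _as_list(value):
    """Action, Resource and Principal.AWS may be a single string or a list."""
    return value if isinstance(value, list) else [value]


def _wildcard(pattern: str, value: str, ignore_case: bool = False) -> bool:
    """IAM-style matching: '*' is any run of characters, '?' exactly one."""
    regex = re.escape(pattern).replace(r"\*", ".*").replace(r"\?", ".")
    return re.fullmatch(regex, value, re.IGNORECASE if ignore_case else 0) is not None


def _matches(stmt: dict, principal_arn: str, action: str, resource: str) -> bool:
    principal = stmt["Principal"]
    # Principal supports no wildcards other than the bare "*" (anyone).
    principals = ["*"] if principal == "*" else _as_list(principal.get("AWS", []))
    return (any(p == "*" or p == principal_arn for p in principals)
            and any(_wildcard(a, action, ignore_case=True) for a in _as_list(stmt["Action"]))
            and any(_wildcard(r, resource) for r in _as_list(stmt["Resource"])))


def evaluate(policy: dict, principal_arn: str, action: str, resource: str) -> str:
    """Decision for one request against this policy alone: an explicit Deny wins
    over any Allow, and a request no statement matches is implicitly denied."""
    decision = "ImplicitDeny"
    for stmt in policy["Statement"]:
        if _matches(stmt, principal_arn, action, resource):
            if stmt["Effect"] == "Deny":
                return "ExplicitDeny"
            decision = "Allow"
    return decision
```

Note that `example-bucket/*` covers objects only: a `s3:ListBucket` call on the bucket ARN itself (no trailing `/`) is not matched and stays denied.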

AWS Organizations

AWS Organizations simplifies multi-account management by grouping accounts under a single management entity. With Organizations, you can:

  1. Centralize Account Management: Manage multiple AWS accounts as a single entity. This is particularly useful for companies with distinct environments, such as development, testing, and production.
  2. Apply Service Control Policies (SCPs):
  3. Consolidated Billing: Aggregate usage and billing for all accounts under the organization, simplifying cost management and enabling volume discounts.
  4. Tag Policies:
  5. Enable Security Features:


Secure Workloads and Applications

Security Groups and Network ACLs

AWS provides multiple layers of network protection to secure your workloads:

  1. Security Groups: Virtual firewalls that control inbound and outbound traffic to your EC2 instances or other services. Security groups are stateful, meaning that if you allow inbound traffic, the response traffic is automatically allowed.
  2. Network ACLs (Access Control Lists): Operate at the subnet level and provide stateless traffic filtering. Unlike security groups, you must explicitly allow return traffic in NACLs.

Key Differences:

  • Security Groups: Applied at the instance level and stateful.
  • NACLs: Applied at the subnet level and stateless.
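The stateful/stateless difference is easiest to see on traffic. The following is an added example (not from the original notes) that simulates both filters on constructed packets: the security group tracks flows so a response to allowed inbound traffic leaves without an outbound rule, while the NACL evaluates its numbered rules lowest number first, stops at the first match, denies anything unmatched, and needs an explicit outbound rule for the ephemeral-port return traffic.

```python
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network

@dataclass(frozen=True)
class Packet:
    direction: str    # "in" (toward the instance/subnet) or "out"
    proto: str
    remote_ip: str
    remote_port: int
    local_port: int

def _rule_port(p: Packet) -> int:
    """Rules are written against the destination port of the packet."""
    return p.local_port if p.direction == "in" else p.remote_port

@dataclass
class SecurityGroup:
    """Allow-only rules (proto, cidr, port). Stateful: once a packet is allowed,
    the reverse direction of that flow is allowed without an explicit rule."""
    inbound: list
    outbound: list
    flows: set = field(default_factory=set)

    def allows(self, p: Packet) -> bool:
        flow = (p.proto, p.remote_ip, p.remote_port, p.local_port)
        if flow in self.flows:
            return True
        rules = self.inbound if p.direction == "in" else self.outbound
        for proto, cidr, port in rules:
            if proto == p.proto and port == _rule_port(p) and ip_address(p.remote_ip) in ip_network(cidr):
                self.flows.add(flow)
                return True
        return False

@dataclass
class NetworkACL:
    """Numbered allow/deny rules (rule_no, proto, cidr, port_lo, port_hi, action),
    evaluated lowest number first with the first match deciding. Stateless: the
    return direction needs its own rule, and anything unmatched is denied."""
    inbound: list
    outbound: list

    def allows(self, p: Packet) -> bool:
        rules = self.inbound if p.direction == "in" else self.outbound
        for _, proto, cidr, lo, hi, action in sorted(rules):
            if proto == p.proto and lo <= _rule_port(p) <= hi and ip_address(p.remote_ip) in ip_network(cidr):
                return action == "allow"
        return False
```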

Encryption of Data in Transit and at Rest

To protect sensitive information, encrypt data both in transit and at rest:

  • Data in Transit: Use TLS/SSL for secure communication between applications and services.
  • Data at Rest: AWS services provide built-in encryption options:
      • S3: Supports server-side encryption with S3-managed keys (SSE-S3), AWS KMS-managed keys (SSE-KMS), or customer-provided keys (SSE-C).
      • RDS: Enable encryption during database creation using KMS keys.
      • EBS: Encrypt volumes automatically when creating them.

AWS Web Application Firewall (WAF)

WAF protects web applications from common threats like SQL injection, cross-site scripting (XSS), and bot attacks. WAF integrates with services like CloudFront and ALB to provide flexible security rule sets.

AWS Shield

AWS Shield is a managed Distributed Denial of Service (DDoS) protection service:

  • Standard: Automatically available to all AWS accounts.
  • Advanced: Provides enhanced protection, including detailed diagnostics and cost protection for scaling during attacks.


Design Data Encryption Solutions

AWS Key Management Service (KMS)

KMS is a fully managed service for creating and controlling cryptographic keys used to encrypt your data.

Key Types:

  • AWS-Managed Keys: Automatically created and managed by AWS.
  • Customer-Managed Keys: Created by you, offering more control and allowing key rotation and detailed policies.

Envelope Encryption

This is a scalable and efficient method of encrypting large data volumes. It works by encrypting data with a data key, which is then encrypted with a KMS key.

Steps for Envelope Encryption:

  1. Generate a data key using KMS.
  2. Encrypt the data using the data key.
  3. Store the encrypted data key securely alongside the encrypted data.
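The three steps in code, as an added example that is not part of the original notes. It assumes the `cryptography` package for AES-256-GCM and uses a local `FakeKMS` class as a stand-in for AWS KMS (in AWS you would call `GenerateDataKey` and `Decrypt` on the service instead); what it shows is that the KMS key only ever touches the small data key, the bulk data is encrypted locally, and only the wrapped data key is stored next to the ciphertext.

```python
import os
from dataclasses import dataclass
from cryptography.hazmat.primitives.ciphers.aead import AESGCM

NONCE_LEN = 12  # AES-GCM standard nonce size

def seal(key: bytes, plaintext: bytes) -> bytes:
    """AES-256-GCM with a fresh random nonce, prepended to the output."""
    nonce = os.urandom(NONCE_LEN)
    return nonce + AESGCM(key).encrypt(nonce, plaintext, None)


def unseal(key: bytes, sealed: bytes) -> bytes:
    """Reverse of seal; raises cryptography.exceptions.InvalidTag on tampering."""
    return AESGCM(key).decrypt(sealed[:NONCE_LEN], sealed[NONCE_LEN:], None)


class FakeKMS:
    """Local stand-in for AWS KMS (an assumption of this example): the KMS key
    never leaves this object, which only wraps and unwraps data keys."""
    def __init__(self) -> None:
        self._kms_key = AESGCM.generate_key(bit_length=256)

    def generate_data_key(self) -> tuple[bytes, bytes]:
        """Like KMS GenerateDataKey: (plaintext data key, wrapped data key)."""
        data_key = AESGCM.generate_key(bit_length=256)
        return data_key, seal(self._kms_key, data_key)

    def decrypt(self, wrapped: bytes) -> bytes:
        """Like KMS Decrypt: unwrap a data key that this KMS key wrapped."""
        return unseal(self._kms_key, wrapped)


@dataclass
class Envelope:
    wrapped_data_key: bytes  # persisted next to the ciphertext; the plaintext key never is
    ciphertext: bytes


def encrypt(kms: FakeKMS, data: bytes) -> Envelope:
    data_key, wrapped = kms.generate_data_key()  # step 1: data key from KMS
    ciphertext = seal(data_key, data)            # step 2: bulk data under the data key
    del data_key                                 # not kept (del does not scrub memory)
    return Envelope(wrapped, ciphertext)         # step 3: stored together


def decrypt(kms: FakeKMS, env: Envelope) -> bytes:
    data_key = kms.decrypt(env.wrapped_data_key)  # one KMS call per object, not per byte
    return unseal(data_key, env.ciphertext)
```

Because the data key is wrapped under the KMS key, decrypting with a different KMS key fails authentication, as does any modification of the stored ciphertext.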

S3 Encryption Options

Amazon S3 supports multiple encryption methods to secure your data:

  • Server-Side Encryption (SSE):
      • SSE-S3: S3 manages the encryption keys.
      • SSE-KMS: You manage the keys through AWS KMS.
  • Client-Side Encryption: Encrypt the data before uploading it to S3.

Auditing and Monitoring

To ensure compliance and track access to encrypted data, enable monitoring and logging tools:

  • CloudTrail: Logs all API calls, including KMS key usage.
  • AWS Config: Monitors compliance with encryption policies across AWS resources.


Great to see your commitment to AWS security!

More articles by Gustavo Fontolan