Mastering AWS Security: A Review
Roberto, Dwayne Monroe
Senior Cloud Architect & Strategist, Azure FinOps Practitioner, Explainable AI Advocate, Author
It's no secret that Amazon provides extensive and detailed information explaining how to properly secure solutions built on AWS.
Remarkably, despite this wealth of information, there are high-profile stories of entirely preventable data breaches caused by organizations failing to follow well-architected guidelines.
According to an April 2017 article posted in AWSInsider:
"62 percent of companies analyzed weren't following the well-known best practice of requiring multi-factor authentication for AWS users. That, according to Threat Stack, makes brute force attacks easier. Furthermore, users aren't taking advantage of AWS-native security services like CloudTrail, which weren't being deployed universally across all regions."
Clearly, there's a very large gap between what IT organizations know and what's required to secure solutions built on AWS. Albert Anthony's book, Mastering AWS Security (available from Packt Publishing), is a welcome and high-quality contribution to the ongoing effort to close this gap.
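The two gaps cited in the Threat Stack figures, console users without MFA and CloudTrail that does not cover every region, are easy to check programmatically. The script below is an added example written for this review; it is not code from the article or from Anthony's book. The analysis functions are pure and operate on the data shapes that the real IAM and CloudTrail APIs return (the credential report CSV and the `trailList` from `describe_trails`), so they run offline on the constructed sample data embedded here; `audit_live()` is the only part that needs boto3 and AWS credentials, and the account ID `111122223333` in the samples is the AWS documentation placeholder, not a real account.

```python
"""Audit two common AWS hygiene gaps: IAM principals that can sign in without
MFA, and CloudTrail trails that do not give account-wide, tamper-evident coverage.

Added example for this review; not the book's or the article's code.
"""
from __future__ import annotations

import csv
import io
import time


def users_without_mfa(credential_report_csv: str) -> list[str]:
    """Return principals that can log in with a password but have no MFA device.

    Uses the `user`, `password_enabled` and `mfa_active` columns of the IAM
    credential report. The root account reports `password_enabled` as
    `not_supported`, so it is judged on `mfa_active` alone.
    """
    findings = []
    for row in csv.DictReader(io.StringIO(credential_report_csv)):
        console_login = row["password_enabled"] == "true" or row["user"] == "<root_account>"
        if console_login and row["mfa_active"] == "false":
            findings.append(row["user"])
    return findings


def trail_findings(trails: list[dict], logging_status: dict[str, bool]) -> list[str]:
    """Flag trails that leave regions, global services or log integrity uncovered.

    `trails` is the `trailList` from describe_trails(); `logging_status` maps a
    trail ARN to the `IsLogging` value from get_trail_status().
    """
    if not trails:
        return ["no CloudTrail trail configured"]
    findings = []
    for t in trails:
        name = t["Name"]
        if not t.get("IsMultiRegionTrail"):
            findings.append(f"{name}: single-region trail (home {t.get('HomeRegion')})")
        if not t.get("IncludeGlobalServiceEvents"):
            findings.append(f"{name}: global service events (IAM, STS) not captured")
        if not t.get("LogFileValidationEnabled"):
            findings.append(f"{name}: log file validation disabled")
        if not logging_status.get(t["TrailARN"], False):
            findings.append(f"{name}: trail exists but is not logging")
    if not any(t.get("IsMultiRegionTrail") for t in trails):
        findings.append("no multi-region trail: activity in unused regions is unaudited")
    return findings


# Constructed sample credential report (not from a real account; 111122223333 is
# the AWS documentation placeholder account ID).
SAMPLE_CREDENTIAL_REPORT = """\
user,arn,user_creation_time,password_enabled,password_last_used,password_last_changed,password_next_rotation,mfa_active,access_key_1_active
<root_account>,arn:aws:iam::111122223333:root,2017-01-01T00:00:00+00:00,not_supported,2017-04-01T09:00:00+00:00,not_supported,not_supported,false,false
alice,arn:aws:iam::111122223333:user/alice,2017-02-01T00:00:00+00:00,true,2017-04-02T09:00:00+00:00,2017-02-01T00:00:00+00:00,N/A,true,true
bob,arn:aws:iam::111122223333:user/bob,2017-02-01T00:00:00+00:00,true,no_information,2017-02-01T00:00:00+00:00,N/A,false,true
ci-deploy,arn:aws:iam::111122223333:user/ci-deploy,2017-03-01T00:00:00+00:00,false,N/A,N/A,N/A,false,true
"""

# Constructed sample describe_trails() output: one single-region trail without
# log file validation, which is the pattern the Threat Stack figures describe.
SAMPLE_TRAILS = [
    {
        "Name": "dev-trail",
        "TrailARN": "arn:aws:cloudtrail:us-east-1:111122223333:trail/dev-trail",
        "HomeRegion": "us-east-1",
        "IsMultiRegionTrail": False,
        "IncludeGlobalServiceEvents": True,
        "LogFileValidationEnabled": False,
    }
]
SAMPLE_STATUS = {"arn:aws:cloudtrail:us-east-1:111122223333:trail/dev-trail": True}


def audit_live() -> tuple[list[str], list[str]]:
    """Run both checks against a real account with boto3.

    Needs credentials allowed iam:GenerateCredentialReport, iam:GetCredentialReport,
    cloudtrail:DescribeTrails and cloudtrail:GetTrailStatus.
    """
    import boto3  # imported here so the offline samples run without boto3 installed

    iam = boto3.client("iam")
    for _ in range(10):  # report generation is asynchronous; poll until COMPLETE
        if iam.generate_credential_report()["State"] == "COMPLETE":
            break
        time.sleep(2)
    report = iam.get_credential_report()["Content"].decode()
    ct = boto3.client("cloudtrail")
    trails = ct.describe_trails(includeShadowTrails=False)["trailList"]
    status = {t["TrailARN"]: ct.get_trail_status(Name=t["TrailARN"])["IsLogging"] for t in trails}
    return users_without_mfa(report), trail_findings(trails, status)


if __name__ == "__main__":
    print("users without MFA:", users_without_mfa(SAMPLE_CREDENTIAL_REPORT))
    for finding in trail_findings(SAMPLE_TRAILS, SAMPLE_STATUS):
        print("cloudtrail:", finding)
```

Run as-is to see the findings on the sample data; replace the `__main__` body with `audit_live()` to run it against an account. Note that `describe_trails` is called per region, so a trail that is single-region in `us-east-1` is invisible from every other region; the multi-region check is what catches the "not deployed universally across all regions" gap.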
Albert Anthony (LinkedIn page) is an AWS certified technologist with nearly 20 years of experience using computing power to solve problems for businesses and organizations. This deep knowledge shows as he comprehensively walks the reader through the theory and practice of AWS security.
Appropriately, Anthony starts with an overview of the often-misunderstood shared security model:
"security in the cloud is in fact slightly different to security in an on-premises datacenter. When you move servers, data and workload to AWS cloud, responsibilities are shared between you and AWS for securing your data and workload. AWS is responsible for securing the underlying infrastructure that supports the cloud through its global network of regions, availability zones, edge locations, endpoints, and so on, and customers are responsible for anything they put on the cloud such as their data, their application, or anything that they connect to the cloud such as the servers in their data centers. They are also responsible for providing access to their virtual network and resources in the cloud; this model is known as the AWS shared security responsibility model."
This is the key – in fact, I'd go so far as to say foundational – concept that AWS cloud architects must understand as they design solutions, and it's a sure sign of a professional that Anthony begins his book with a careful overview of the shared security model.
Anthony dives deeper into the shared security model as it applies to three main categories of AWS services:
- Infrastructure Services (EC2 virtual machines, Elastic Block Store and Virtual Private Cloud)
- Container Services (which require the proper configuration of IAM roles for offerings such as Elastic MapReduce and Relational Database Service)
- Abstracted Services (i.e., services that are accessed via API, such as DynamoDB, Amazon SQS, and S3)
The book's first chapter, which is almost completely devoted to a comprehensive overview of the shared security model – what it means and how it specifically applies to different AWS services – is one of the best treatments of that topic I've read to date.
Subsequent chapters intelligently build on the first's foundation, guiding us through:
- AWS Identity and Access Management (IAM, another commonly misunderstood topic)
- Securing AWS Virtual Private Clouds (VPC)
- Data Security in AWS (securing your data both in transit and at rest using CloudHSM, Amazon Macie - particularly useful for organizations concerned about handling sensitive information types - and AWS KMS for managing the encryption keys used to encrypt data)
- Securing Servers in AWS (EC2 security best practices including using IAM roles, controlling access to the server OS and other measures common to server operations generally)
- Securing applications built on AWS using the Web Application Firewall (among other measures)
Anthony's tour of AWS security is deep and comprehensive, and this review only scratches the surface of the areas covered (such as auditing and monitoring using CloudWatch and CloudTrail).
By gathering all of the relevant, critical AWS security practices under one umbrella and presenting them in an engaging and clear way, Albert Anthony has provided us with an excellent resource which every AWS solutions architect should have in their library.