In this video, learn how to secure your data records using security policies, the Key Management Service, AWS Secrets, and data storage services.
- [Instructor] There are a number of key services that help us secure our data, whether it's storage services or services that help out in the encryption process or even storing secrets. First, we have bucket policies which can be applied, to our surprise, to an S3 bucket. The bucket policy defines what users in that AWS account or what other AWS accounts can access the records in the bucket. You might consider a bucket policy more secure than an IAM policy because the bucket policy is attached to the bucket. So there's no getting around what the policy is, it's attached through the resource. We also can define rules for access, for applications that are hosted and running on EC2 instances. And this removes the problem of trying to use plain text passwords or IAM usernames and passwords for applications to access any AWS resources. Remember the IAM role is also going to provide us temporary access and it's security that's controlled using the secure token service at AWS. So us humans don't have to be involved in ensuring that everything stays secure. There's also a service called the Key Management Service, which is fully integrated with most services at AWS that perform data encryption. So let's say for example, you're creating an EBS volume, you can check the box saying, I'd like to encrypt this volume and the Key Management Service will be an option that you can select and then you can decide the types of keys that you actually want to use, whether they're keys completely controlled by AWS, or maybe keys that you want to upload. We can also use a service called AWS secrets for storing application secrets such as credentials for databases. So we can hold all the secure bits for our application stack in encrypted format in the AWS Cloud. When we look at the services for data, we have EBS volumes and an EBS volume can be encrypted for both the boot and data volumes. You might want to use a service that shares content amongst a number of servers. So for Linux, you can use the Elastic File Service for Windows you can use FSx. Nobody really knows what FSx stands for, I expect that means file server and yes, either FSx or the Elastic File Service both support encryption. If you use RDS, that's the Relational Database Service to host your MSQL, SQL Server or Oracle databases, each database that is supported by RDS offers a supported form of encryption for those records. And finally, if you're using an S3 bucket or S3 Glacier, they both support AES 256 bit encryption. So we have many services to use at AWS to store our data. They all support encryption.
- Design principals
- Identity and Access Management (IAM)
- Protecting AWS credentials
- Identifying threats
- Auditing security
- Infrastructure protection
- Protecting data at rest and in transit
- Responding to security incidents
- Managing incident response