In this video on AWS security, Jeff Winesett describes the shared security model. In AWS, security is shared between the cloud provider and the cloud customer.
- [Instructor] Thinking about and implementing security at every layer when architecting business applications is the best approach to minimizing risk and exposure to events such as theft, leakage, integrity compromise, and deletion. The AWS security model must be understood when architecting applications in the cloud. AWS works on what is referred to as a shared security model. This means that the security responsibility is shared between the customer using AWS services and Amazon, the cloud service provider.
This requires AWS and customers to work together to meet security objectives. It is important to understand the line in the shared responsibility model which divides what responsibility Amazon takes on and what is the responsibility of the customer. Amazon provides what they refer to as security of the cloud, things like the physical security of the facilities in which the equipment resides and the global infrastructure on which cloud systems are architected.
On the other hand, the customer is responsible for the security of what is put in the cloud. The customer is responsible for securing operating systems, platforms, and data. Or to look at it another way, AWS secures the underlying infrastructure and the customer is responsible for securing anything put on top of that infrastructure. And as is the case with all AWS services, the customer is always responsible for account and IAM user management security.
Amazon offers many different types of services, and how this shared security model applies to each depends on the type of service. For the purpose of better understanding the shared security model across all of its services, Amazon identifies three broad categories of services: infrastructure, container, and software services. The first category of services is Amazon's infrastructure as a service offerings. These include services such as EC2, EBS, and Auto Scaling.
These are the services that are likely the most familiar if coming from a traditional rack server hosting solution. The second type are referred to as container services, which fall into the platform as a service category. Services in this category typically run on EC2 instances, but abstract out the underlying operating system and platform layer. AWS provides a managed service for these application containers. Examples of container services include RDS, Elasticsearch, ECS, and Elastic Beanstalk.
The third type are software as a service offerings. These services abstract the platform and management layer on which cloud applications are built and operated. The endpoints of these abstracted services are accessed using APIs. AWS manages the underlying service components and the operating system on which they reside. Examples of such AWS services are Amazon Elastic Transcoder, Amazon Lex, and Amazon Athena. The shared security model applies to each of these services.
For the services that fall under the infrastructure as a service type, Amazon is the most hands-off with regard to what they are responsible for. They provide the data centers and secure the physical facilities, hardware, network, and virtualization infrastructure, but the customer is responsible for securing all data, the application itself, and the supporting software stack, including the operating system, as well as all network and firewall configuration.
For the platform as a service offerings, Amazon takes on a little more responsibility. Amazon now takes on the responsibility of the operating system and the application management that powers the platform, while the customer remains responsible for setting up and managing network controls such as firewall rules and for managing platform-level identity and access management. And finally, for services that fall under the software as a service offering, Amazon takes on the additional responsibility for server-side data protection as well as some of the network traffic protection.
The customer has both the least control and the least amount of security responsibility with these types of services. Keeping things secure, lesson number one: every cloud customer must understand their role in the shared security model with regard to the resources being used in the cloud. And once understood, the customer must take action to ensure security is implemented at every layer for which they are responsible.
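The transcript places network and firewall configuration squarely on the customer's side of the line for infrastructure services. As an added example that is not part of the course, the following Python script shows what acting on that responsibility looks like: it audits EC2 security-group ingress rules for administrative and database ports that are open to the whole internet. The input is a constructed dictionary in the shape of the EC2 DescribeSecurityGroups API response (group IDs and rules are made up for the example), so it runs offline; the set of "sensitive" ports is an assumption chosen for illustration, and in practice you would feed it the live response from `boto3`'s `describe_security_groups` call.

```python
"""Audit EC2 security-group ingress rules for world-open sensitive ports.

Added example for the shared responsibility model; not course material.
The input mirrors the shape of the EC2 DescribeSecurityGroups response,
but the data below is constructed and no AWS API call is made.
"""
from typing import Dict, List

# Assumption: ports where world-open ingress is almost never intended on an
# infrastructure-as-a-service host (remote admin and database listeners).
SENSITIVE_PORTS = {
    22: "ssh", 3389: "rdp", 3306: "mysql",
    5432: "postgres", 6379: "redis", 27017: "mongodb",
}
WORLD_V4 = "0.0.0.0/0"
WORLD_V6 = "::/0"

# Constructed sample: a web tier that correctly exposes HTTPS but also
# leaks SSH to the world, and a database tier with an "all traffic" rule.
SAMPLE_RESPONSE: Dict = {
    "SecurityGroups": [
        {
            "GroupId": "sg-0example0web",
            "GroupName": "web-tier",
            "IpPermissions": [
                {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443,
                 "IpRanges": [{"CidrIp": "0.0.0.0/0"}],
                 "Ipv6Ranges": [{"CidrIpv6": "::/0"}]},
                {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
                 "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": []},
            ],
        },
        {
            "GroupId": "sg-0example0db",
            "GroupName": "db-tier",
            "IpPermissions": [
                {"IpProtocol": "tcp", "FromPort": 5432, "ToPort": 5432,
                 "IpRanges": [{"CidrIp": "10.0.0.0/16"}], "Ipv6Ranges": []},
                # IpProtocol "-1" is the API's encoding of "all traffic".
                {"IpProtocol": "-1",
                 "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": []},
            ],
        },
    ]
}


def _rule_is_world_open(rule: Dict) -> bool:
    """True if any IPv4 or IPv6 source range in the rule is the whole internet."""
    cidrs = [r.get("CidrIp") for r in rule.get("IpRanges", [])]
    cidrs += [r.get("CidrIpv6") for r in rule.get("Ipv6Ranges", [])]
    return WORLD_V4 in cidrs or WORLD_V6 in cidrs


def _sensitive_ports_covered(rule: Dict) -> List[int]:
    """Sensitive ports this rule exposes; protocol -1 has no port range and
    means every port, so it covers all of them."""
    if rule.get("IpProtocol") == "-1":
        return sorted(SENSITIVE_PORTS)
    lo, hi = rule.get("FromPort"), rule.get("ToPort")
    if lo is None or hi is None:
        return []
    return [p for p in sorted(SENSITIVE_PORTS) if lo <= p <= hi]


def find_world_open_sensitive_ingress(response: Dict) -> List[Dict]:
    """Return one finding per (security group, sensitive port) reachable
    from 0.0.0.0/0 or ::/0. Rules open only to private ranges are ignored."""
    findings = []
    for sg in response.get("SecurityGroups", []):
        for rule in sg.get("IpPermissions", []):
            if not _rule_is_world_open(rule):
                continue
            for port in _sensitive_ports_covered(rule):
                findings.append({
                    "group_id": sg["GroupId"],
                    "group_name": sg["GroupName"],
                    "port": port,
                    "service": SENSITIVE_PORTS[port],
                    "protocol": rule.get("IpProtocol"),
                })
    return findings


if __name__ == "__main__":
    for f in find_world_open_sensitive_ingress(SAMPLE_RESPONSE):
        print(f"{f['group_name']} ({f['group_id']}): {f['service']}/{f['port']} "
              f"open to the world via protocol {f['protocol']}")
```

Note that the world-open HTTPS rule produces no finding: the audit is about ports that should never be public, not about public exposure in general, which is exactly the judgement the customer, not AWS, has to make for instance-level firewalls. The "-1" protocol case matters because a catch-all rule has no `FromPort`/`ToPort` keys at all, and a naive port check would silently skip it.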