Tuesday, June 7, 2016

07_AWS - Security & Identity

Amazon Web Services


2006: Amazon launched Amazon Web Services (AWS) on a utility computing basis, although the initial release dated back to July 2002.

Amazon Web Services (AWS) is a collection of remote computing services (also called web services) that together make up a cloud computing platform, offered over the Internet by

The most central and well-known of these services are Amazon EC2 (Elastic Compute Cloud) and Amazon S3 (Simple Storage Service).



Amazon Web Services is based on SOA standards, including HTTP, REST, and SOAP transfer protocols, open source and commercial operating systems, application servers, and browser-based access.




1.       Identity & Access Management

2.       AWS Certificate Manager

3.       AWS Directory Service

4.       Amazon Inspector (preview)

5.       AWS CloudHSM

6.       AWS KMS

7.       AWS WAF



1). AWS Identity and Access Management (IAM)


·         AWS IAM is a web service that enables AWS customers to centrally manage users and user permissions in AWS.

·         The service is targeted at organizations with multiple users or systems in the cloud that use AWS products such as Amazon EC2, Amazon SimpleDB, and the AWS Management Console.

·         IAM helps you securely control access to AWS resources for your users. You use IAM to control who can use your AWS resources (authentication) and what resources they can use and in what ways (authorization).

·         With IAM, you can centrally manage users, security credentials such as access keys, and permissions that control which AWS resources users can access.



2). AWS Certificate Manager  (ACM)


·         ACM makes it easy to provision, manage, and deploy SSL/TLS certificates on AWS-managed resources.

·         ACM handles the complexity of provisioning, deploying, and managing certificates provided by ACM (ACM Certificates) for your AWS-based websites and applications.


·         You use ACM to request and manage the certificate and then use other AWS services to provision the ACM Certificate on your website or application.

·         For example, the following illustrates the steps to be performed when using ACM with a load balancer.


1.       Developer installs a website or application on one or more Amazon EC2 instances.

2.       Developer creates an Elastic Load Balancing load balancer to route client traffic to the Amazon EC2 instances.

3.       Developer uses the ACM console, API, or AWS Command Line Interface to request an ACM Certificate.

4.       Developer uses the Elastic Load Balancing console, API, or AWS CLI to provision the ACM Certificate on the load balancer.

5.       Clients access the website through the load balancer.

6.       Load balancer distributes client traffic to the Amazon EC2 instances.




3). AWS Directory Service


·         AWS Directory Service is a managed service that makes it easy to connect AWS services to your existing on-premises Microsoft Active Directory (AD Connector), or to set up and operate a new directory in the AWS cloud (Simple AD and AWS Directory Service for Microsoft Active Directory).

·         Your directory users and groups can access the AWS Management Console and AWS applications, such as Amazon WorkSpaces and Amazon WorkDocs, using their existing credentials.


·         You have three choices:

1.       Simple AD - Simple AD is a Microsoft Active Directory–compatible directory that is powered by Samba 4 and hosted on the AWS cloud.

2.       Microsoft AD -  Microsoft AD is a Microsoft Active Directory hosted on AWS. It integrates most Active Directory features with AWS applications.

3.       AD Connector - AD Connector uses your existing on-premises Microsoft Active Directories to access AWS applications and services.



4). Amazon Inspector


·         With Amazon Inspector, you can analyze the behavior of the applications you run in AWS and identify potential security issues.


·         Using Amazon Inspector, you can define a collection of AWS resources that comprises your application.

·         You can then create and launch a security assessment of this application.

·         During the security assessment, the network, file system, and process activity within the specified application are monitored, and a wide set of activity and configuration data is collected.

·         This data includes details of communication with AWS services, use of secure channels, details of the running processes, network traffic among the running processes, and more.

·         The collected data is correlated, analyzed, and compared to a set of selected security rules. A completed assessment produces a list of findings - potential security problems of various severity.



5). AWS CloudHSM (Hardware Security Modules)


·         AWS CloudHSM provides secure cryptographic key storage for customers by making HSMs available in the AWS cloud.

·         An HSM is a hardware appliance that provides secure key storage and cryptographic operations within a tamper-resistant hardware module.

·         HSMs are designed to securely store cryptographic key material and use the key material without exposing it outside the cryptographic boundary of the appliance.



·         AWS CloudHSM helps you meet corporate, contractual and regulatory compliance requirements for data security by using dedicated HSM appliances within the AWS cloud.

·         AWS and AWS Marketplace partners offer a variety of solutions for protecting sensitive data within the AWS platform, but additional protection is necessary for some applications and data that are subject to strict contractual or regulatory requirements for managing cryptographic keys.



6). AWS Key Management Service (KMS)


·         AWS KMS is an Encryption and Key Management Service scaled for the cloud.

·         KMS keys and functionality are used by other AWS services, and you can use them to protect data in your own applications that use AWS.


·         AWS KMS is a managed service that makes it easy for you to create and control the encryption keys used to encrypt your data.

·         AWS KMS is integrated with other AWS services including Amazon EBS, Amazon S3, Amazon Redshift, Amazon Elastic Transcoder, Amazon WorkMail, and Amazon RDS to make it simple to encrypt your data with encryption keys that you manage.

·         AWS KMS is also integrated with AWS CloudTrail to provide you with key usage logs to help meet your regulatory and compliance needs.


·         You can perform the following management actions on keys by using AWS KMS:

1.       Create, describe, and list keys

2.       Enable and disable keys

3.       Set and retrieve key usage policies

4.       Create, delete, list, and update key aliases


·         With AWS KMS you can also perform the following cryptographic functions using keys:

1.       Encrypt, decrypt, and re-encrypt data

2.       Generate data keys that can be exported from the service in plaintext or which can be encrypted under a key that doesn't leave the service

3.       Generate random numbers suitable for cryptographic applications
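An added example, not the post's own code, of the data-key pattern described above (envelope encryption): a KmsStandIn class plays the role of the service, whose master key never leaves it, and an HMAC-SHA256 keystream with a tag stands in for the AES-GCM that KMS and its SDKs actually use. All names and values are constructed.

```python
import hashlib
import hmac
import os

def _subkeys(key):
    # Separate encryption and MAC keys derived from one input key.
    return hashlib.sha256(key + b"enc").digest(), hashlib.sha256(key + b"mac").digest()

def _keystream_xor(key, nonce, data):
    # Stand-in for AES-CTR: keystream blocks from HMAC-SHA256(key, nonce || counter).
    stream = b"".join(hmac.new(key, nonce + i.to_bytes(4, "big"), hashlib.sha256).digest()
                      for i in range((len(data) + 31) // 32))
    return bytes(a ^ b for a, b in zip(data, stream))

def seal(key, plaintext):
    """Encrypt-then-MAC; returns nonce || ciphertext || tag."""
    enc_key, mac_key = _subkeys(key)
    nonce = os.urandom(16)
    ct = _keystream_xor(enc_key, nonce, plaintext)
    return nonce + ct + hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()

def unseal(key, blob):
    enc_key, mac_key = _subkeys(key)
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    if not hmac.compare_digest(tag, hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()):
        raise ValueError("integrity check failed: wrong key or modified blob")
    return _keystream_xor(enc_key, nonce, ct)

class KmsStandIn:
    """Models the service side: the master key never leaves this object."""
    def __init__(self):
        self._master = os.urandom(32)

    def generate_data_key(self):
        # Like GenerateDataKey: plaintext key for local use, plus the same key
        # encrypted under the master key so it can be stored next to the data.
        data_key = os.urandom(32)
        return data_key, seal(self._master, data_key)

    def decrypt(self, encrypted_data_key):
        return unseal(self._master, encrypted_data_key)

def encrypt_envelope(kms, plaintext):
    data_key, encrypted_data_key = kms.generate_data_key()
    return {"ciphertext": seal(data_key, plaintext), "encrypted_data_key": encrypted_data_key}

def decrypt_envelope(kms, envelope):
    data_key = kms.decrypt(envelope["encrypted_data_key"])  # only the master-key holder can
    return unseal(data_key, envelope["ciphertext"])
```

The plaintext data key lives only for the duration of the local encrypt or decrypt call; what is stored is the ciphertext plus the encrypted data key, which is useless without a Decrypt call to the key holder.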


7). AWS WAF (Web Application Firewall)


·         AWS WAF is a web application firewall service that lets you monitor the web requests (HTTP and HTTPS) that are forwarded to Amazon CloudFront and lets you control access to your content.

·         Use AWS WAF to block or allow requests based on conditions that you specify, such as the IP addresses that requests originate from or values of query strings in the requests.

·         CloudFront responds to requests either with the requested content or with an HTTP 403 status code (Forbidden). You can also configure CloudFront to return a custom error page when a request is blocked.
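An added example, not from the original post, modelling the WAF decision on a single request: a constructed IP match set, a string match on the query string after URL-decode and lowercase text transforms, and the resulting 403 or the web ACL's default action. Names, addresses and match strings are hypothetical.

```python
import ipaddress
from urllib.parse import unquote_plus

# Constructed web ACL in the spirit of AWS WAF conditions (hypothetical values):
# an IP match set plus a string match condition applied to the query string.
BLOCKED_NETWORKS = [ipaddress.ip_network(c) for c in ("198.51.100.0/24", "203.0.113.7/32")]
BLOCKED_QUERY_SUBSTRINGS = ("union select", "../", "<script")


def _transform(query_string):
    # Text transformations equivalent to WAF's URL_DECODE then LOWERCASE, so an
    # encoded or mixed-case value is matched the same way as a plain one.
    return unquote_plus(query_string).lower()


def inspect_request(client_ip, query_string, default_action="ALLOW"):
    """Returns (http_status, rule_name) as CloudFront fronted by WAF would decide:
    403 when a block rule matches, otherwise the web ACL's default action."""
    addr = ipaddress.ip_address(client_ip)
    if any(addr in net for net in BLOCKED_NETWORKS):
        return 403, "ip-blocklist"
    qs = _transform(query_string)
    for needle in BLOCKED_QUERY_SUBSTRINGS:
        if needle in qs:
            return 403, "query-string-match"
    return (200, "default-allow") if default_action == "ALLOW" else (403, "default-block")
```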




Arun Manglick