A place for my notes, views and ideas. All posts are ordered in order of their publication date. For my and your reference an approximate time to read is also provided.

@Thoughts: Mitigating Cyber Risks on AWS

25 October 2017

API

Customers interact with AWS via API, even when using AWS CLI.

  1. System Architect --> API via WebUI, CLI, SDK, etc. --> Amazon Services (S3, DynamoDB, etc.)
  2. Application User --> Application

[1] Forms the outer application access ring which is accessed by [2]

Shared Responsibility

Amazon mangages security of the cloud Customer manages security in the cloud

The Paths Amazon audited by Ernest & Young.

Findings were that AWS "[..] was protected against unauthorized access, use, or modification to meet AWS' commitments and system requirements [..]"

AWS only protects it's own path against cyberrisk, but not the customer's application/data path.

How to secure your AWS environment (Services Command Path)

Get IAM right. This can work in conjunction with AWS CloudTrail and AWS Config. CloudTrail and ElasticSearch can for example prove that no other regions except for the allowed ones were used. This might be neccessary for compliance with privacy laws in Germany.

How to secure your AWS environment (Services Data Path)

  • AWS WAF
  • Amazon CloudFront
  • Amazon Route 53
  • Elastic Load Balancing

Services Data Path

All data passing through these services is "washed", so that for example invalid HTTP requests or DDoS attacks are dropped.

Optional AWS Shield can further protect data.

Betram Dorn AWS Security and Compliance Specialist