@Thoughts: Mitigating Cyber Risks on AWS
Customers interact with AWS via its API, even when using the AWS CLI.
- System Architect --> API via WebUI, CLI, SDK, etc. --> Amazon Services (S3, DynamoDB, etc.)
- Application User --> Application
  Forms the outer application access ring, which is accessed by
Amazon manages security *of* the cloud; the customer manages security *in* the cloud.
Amazon's paths were audited by Ernst & Young.
Findings were that AWS "[..] was protected against unauthorized access, use, or modification to meet AWS' commitments and system requirements [..]"
AWS only protects its own path against cyber risk, not the customer's application/data path.
How to secure your AWS environment (Services Command Path)
Get IAM right. This works in conjunction with AWS CloudTrail and AWS Config. CloudTrail combined with Elasticsearch can, for example, prove that no regions other than the allowed ones were used. This might be necessary for compliance with privacy laws in Germany.
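As an added example (not part of the original notes or of any AWS tooling), the following Python shows both halves of the region point above: a check over CloudTrail-style records that reports any regional API call outside an allow-list, and the matching IAM deny policy using the `aws:RequestedRegion` condition key. The records, account id, user names and the single allowed region (eu-central-1, Frankfurt) are constructed sample data; the set of global services that CloudTrail logs under us-east-1 is an assumption that should be checked against your own trail.

```python
"""Prove that only allowed AWS regions were used (constructed example).

Two functions: one evaluates CloudTrail records against an allow-list
(detection / evidence), the other emits an IAM or SCP policy that denies
regional actions outside that allow-list (prevention).
"""
import json

# Constructed allow-list: only the Frankfurt region is permitted.
ALLOWED_REGIONS = {"eu-central-1"}

# Global services are logged by CloudTrail with awsRegion "us-east-1"
# regardless of where the caller sits; they must not count as a violation.
# (Assumption for this example; verify against your own trail.)
GLOBAL_SERVICES = {
    "iam.amazonaws.com",
    "sts.amazonaws.com",
    "cloudfront.amazonaws.com",
    "route53.amazonaws.com",
}

# Constructed CloudTrail-style records. Field names follow the real record
# schema; account id, ARNs and timestamps are made up.
SAMPLE_RECORDS = [
    {"eventTime": "2024-01-10T09:12:01Z", "eventSource": "s3.amazonaws.com",
     "eventName": "CreateBucket", "awsRegion": "eu-central-1",
     "userIdentity": {"arn": "arn:aws:iam::111122223333:user/alice"}},
    {"eventTime": "2024-01-10T09:14:37Z", "eventSource": "ec2.amazonaws.com",
     "eventName": "RunInstances", "awsRegion": "us-east-1",
     "userIdentity": {"arn": "arn:aws:iam::111122223333:user/bob"}},
    {"eventTime": "2024-01-10T09:15:00Z", "eventSource": "iam.amazonaws.com",
     "eventName": "CreateUser", "awsRegion": "us-east-1",
     "userIdentity": {"arn": "arn:aws:iam::111122223333:user/alice"}},
    {"eventTime": "2024-01-10T09:20:44Z", "eventSource": "dynamodb.amazonaws.com",
     "eventName": "CreateTable", "awsRegion": "eu-central-1",
     "userIdentity": {"arn": "arn:aws:iam::111122223333:user/bob"}},
]


def events_outside_allowed_regions(records, allowed=ALLOWED_REGIONS):
    """Return (time, caller, service, action, region) for every regional
    API call whose awsRegion is not in the allow-list."""
    findings = []
    for rec in records:
        if rec["eventSource"] in GLOBAL_SERVICES:
            continue  # global endpoint, region field is not meaningful
        if rec["awsRegion"] not in allowed:
            findings.append((
                rec["eventTime"],
                rec["userIdentity"]["arn"],
                rec["eventSource"],
                rec["eventName"],
                rec["awsRegion"],
            ))
    return findings


def region_deny_policy(allowed=ALLOWED_REGIONS):
    """Build an IAM/SCP policy that denies every action outside the
    allowed regions. NotAction exempts global services, which would
    otherwise be blocked because they carry no usable region."""
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Sid": "DenyOutsideAllowedRegions",
            "Effect": "Deny",
            "NotAction": ["iam:*", "sts:*", "cloudfront:*", "route53:*", "support:*"],
            "Resource": "*",
            "Condition": {
                "StringNotEquals": {"aws:RequestedRegion": sorted(allowed)}
            },
        }],
    }


if __name__ == "__main__":
    for finding in events_outside_allowed_regions(SAMPLE_RECORDS):
        print("VIOLATION:", *finding)
    print(json.dumps(region_deny_policy(), indent=2))
```

In practice the records would come from the CloudTrail bucket (or the Elasticsearch index the notes mention) rather than an inline list; the evaluation function is unchanged. Keeping both the detective check and the preventive policy next to each other is what makes the compliance claim auditable: the policy shows the control, the trail shows it held.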
How to secure your AWS environment (Services Data Path)
- AWS WAF
- Amazon CloudFront
- Amazon Route 53
- Elastic Load Balancing
All data passing through these services is "washed", so that, for example, invalid HTTP requests or DDoS traffic are dropped before they reach the application.
AWS Shield (optional) can further protect the data path.
— Bertram Dorn, AWS Security and Compliance Specialist