Here are some notes I took during the AWS transformation day 2018


Customers interact with AWS via API, even when using AWS CLI.

  1. System Architect --> API via WebUI, CLI, SDK, etc. --> Amazon Services (S3, DynamoDB, etc.)
  2. Application User --> Application

[1] Forms the outer application access ring which is accessed by [2]

Shared Responsibility

Amazon mangages security of the cloud Customer manages security in the cloud

The Paths Amazon audited by Ernest & Young.

Findings were that AWS "[..] was protected against unauthorized access, use, or modification to meet AWS' commitments and system requirements [..]"

AWS only protects it's own path against cyberrisk, but not the customer's application/data path.

How to secure your AWS environment (Services Command Path)

Get IAM right. This can work in conjunction with AWS CloudTrail and AWS Config. CloudTrail and ElasticSearch can for example prove that no other regions except for the allowed ones were used. This might be neccessary for compliance with privacy laws in Germany.

How to secure your AWS environment (Services Data Path)

  • Amazon CloudFront
  • Amazon Route 53
  • Elastic Load Balancing

Services Data Path

All data passing through these services is "washed", so that for example invalid HTTP requests or DDoS attacks are dropped.

Optional AWS Shield can further protect data.

Betram Dorn AWS Security and Compliance Specialist