## AWS Security Fundamentals

### Week 1 - Basic concepts, AWS compliance programs, securing AWS accounts using AWS IAM

---

**Shared Responsibility Model**

* AWS is responsible for security *of* the cloud & securing the infrastructure of the regions
* Meanwhile the customer is responsible for security “in” the cloud. Whatever we build must be secured by ourselves. Kinda like a home alarm system: they give us the system, but we still have to turn it off and on.

**Compliance**

* Our environment needs to be PCI compliant
* Need an environment that is compliant with FedRAMP
* Need to maintain adequate governance over the entire IT controlled environment

Best compliance practices:

* Understand compliance objectives & requirements
* Establish a controlled environment that meets those objectives and requirements
* Understand the validation required based on our organization's risk tolerance
* Verify the operating effectiveness of our controlled environment

**Best practices for AWS accounts:**

* Principle of Least Privilege Access – provision the minimum needed access policies
* MFA should be used for the AWS root account along with every account you are trying to protect
* Strong passwords
* Use roles and groups to assign permissions
* Monitoring using Amazon CloudWatch and AWS CloudTrail

**AWS Organisations**

AWS Organisations can:

* Automate account creation and management
* Create groups of accounts
* Govern access to AWS services, resources and regions by policies
* Set up a single payment method for all AWS accounts with consolidated billing
* Share resources across accounts

How to make an AWS Organisation:

* Choose an account as the master account
* Make the org in this master account
* Either create an organizational unit (OU) or a member account
* Create service control policies and attach them to the OU or member account

Best practices for creating new organisations:

* Plan ahead for the structure of your organization
* Keep the master account free of any operational AWS resources
* Use AWS CloudTrail
* Apply Least Privilege Practice
* Assign policies to OUs rather than accounts; this lets you maintain a better mapping between your organizational structure and the level of AWS access needed
* Test new and modified policies on a single account before scaling up
* Use the APIs and AWS CloudFormation

**Identity and Access Services**

3 use cases where you need to provide access:

* A user accesses an AWS account and resources (e.g. single sign-on for a dev to log into an AWS account using credentials to run an AWS Lambda function)
* Allowing resources to access other resources
  * Need to be able to validate the identity and permissions of your application's resources
  * Use short-term credentials via IAM roles
* Allow end users to access the application

AWS Organizations:

* Service that helps you create and manage multiple AWS accounts
* Consolidated billing - roll up billing from multiple accounts to a central master account

AWS Identity and Access Management (IAM):

* Enables you to manage access to AWS services and resources securely
* Manage IAM users and their access
* Manage IAM roles and their permissions
* Manage federated users and their permissions
* AWS managed policy - standalone policy that is created and administered by AWS
* Customer managed policy - standalone policy that you create and administer in your AWS account
* Inline policy - policy that is embedded in a principal entity such as a user, a group, or a role

AWS Single Sign-On (SSO):

* Cloud service that makes it easy to centrally manage SSO access to multiple AWS accounts

Amazon Cloud Directory:

* Enables you to build flexible cloud-native directories for organizing hierarchies of data along multiple dimensions

**Directory Services**

Amazon Cognito:

* Cognito User Pools - an identity store
* Stores all your users

### Week 2 - Network isolation and endpoint security

---

**Network Isolation**
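Before the Week 2 material, a worked example for the Week 1 IAM notes above (least privilege, the three policy types, and SCPs attached to OUs). This is an added example written for these notes, not code from the course or from AWS. AWS managed, customer managed and inline policies, as well as Organizations SCPs, all use the same JSON policy language, so one small offline checker can lint a policy for least-privilege violations and simulate the documented evaluation order (an explicit Deny from any policy, SCPs included, beats an Allow; no match at all is an implicit deny). The three policies, the account id `111122223333` and the function names are constructed for the example.

```python
"""Added example (not course material): a tiny offline IAM policy checker.

  lint_policy()  - flags Allow statements that violate least privilege
  is_allowed()   - simulates the AWS evaluation order: explicit Deny (from any
                   policy, SCPs included) wins, then an Allow, else implicit deny.
Matching uses the '*' / '?' wildcards IAM accepts in Action and Resource.
The simulator handles Action/Resource only (NotAction/NotResource are flagged
by the linter, not evaluated).  All policies below are constructed samples.
"""
import fnmatch
import json

# Constructed: an over-broad customer managed policy (the "before").
TOO_BROAD = json.loads("""
{"Version": "2012-10-17",
 "Statement": [{"Effect": "Allow", "Action": "*", "Resource": "*"}]}
""")

# Constructed: a least-privilege policy for a dev who only runs billing Lambdas.
LEAST_PRIV = json.loads("""
{"Version": "2012-10-17",
 "Statement": [{"Effect": "Allow",
                "Action": ["lambda:InvokeFunction", "lambda:GetFunction"],
                "Resource": "arn:aws:lambda:us-east-1:111122223333:function:billing-*"}]}
""")

# Constructed: an SCP attached at the OU level so no member account can
# switch off the CloudTrail the notes say to rely on.
SCP_PROTECT_TRAIL = json.loads("""
{"Version": "2012-10-17",
 "Statement": [{"Effect": "Deny",
                "Action": ["cloudtrail:StopLogging", "cloudtrail:DeleteTrail"],
                "Resource": "*"}]}
""")


def _as_list(value):
    """IAM lets Action/Resource be a string or a list; normalise to a list."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def _match(pattern, value, case_insensitive=False):
    """IAM wildcard match: '*' any run, '?' one char. Action names are
    case-insensitive in IAM; resource ARNs are not."""
    if case_insensitive:
        pattern, value = pattern.lower(), value.lower()
    return fnmatch.fnmatchcase(value, pattern)


def lint_policy(policy):
    """Return least-privilege findings (strings) for the Allow statements."""
    findings = []
    for i, st in enumerate(policy["Statement"]):
        if st.get("Effect") != "Allow":
            continue
        actions = _as_list(st.get("Action"))
        resources = _as_list(st.get("Resource"))
        if "NotAction" in st or "NotResource" in st:
            findings.append(f"stmt {i}: Allow with NotAction/NotResource grants everything else")
        if any(a == "*" for a in actions):
            findings.append(f"stmt {i}: Action '*' grants every API call")
        elif any(a.endswith(":*") for a in actions):
            findings.append(f"stmt {i}: service-wide wildcard action {actions}")
        if any(r == "*" for r in resources) and "Condition" not in st:
            findings.append(f"stmt {i}: Resource '*' with no Condition")
    return findings


def is_allowed(policies, action, resource):
    """Evaluate one action/resource against every attached policy."""
    allowed = False
    for policy in policies:
        for st in policy["Statement"]:
            act_hit = any(_match(a, action, True) for a in _as_list(st.get("Action")))
            res_hit = any(_match(r, resource) for r in _as_list(st.get("Resource")))
            if act_hit and res_hit:
                if st["Effect"] == "Deny":
                    return False          # explicit deny always wins
                allowed = True
    return allowed                        # nothing matched -> implicit deny


if __name__ == "__main__":
    fn = "arn:aws:lambda:us-east-1:111122223333:function:billing-report"
    print(lint_policy(TOO_BROAD))
    print(lint_policy(LEAST_PRIV))
    print(is_allowed([LEAST_PRIV, SCP_PROTECT_TRAIL], "lambda:InvokeFunction", fn))
    print(is_allowed([TOO_BROAD, SCP_PROTECT_TRAIL], "cloudtrail:StopLogging", "*"))
```

Running it shows the two behaviours the notes care about: the `"*"/"*"` policy gets two findings while the scoped policy gets none, and even though `TOO_BROAD` allows everything, `cloudtrail:StopLogging` still comes back denied once the OU-level SCP is in the set. Testing a new SCP this way against one account's policies, before attaching it to the OU, is the cheap version of the "test on a single account before scaling up" bullet.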