AWS cloud security operations are one of the things that's easy to forget about, and in fact one of the most important things to think about. There have been a lot of high-profile incidents recently; Capital One comes to mind, where people weren't doing exactly what they needed to do to secure their cloud infrastructure. So that's what we're going to talk about in this section. To start off with, let's talk about something called the shared security model. This is a way of allowing the customer and AWS to work together towards securing the customer's applications. At the top of the diagram we have the customer's side of cloud security. This could be anything from the data to the operating system. Below the line you have what AWS is responsible for: the AWS foundational services, which would be compute, storage and all the infrastructure pieces, things like the regions and the availability zones. So what's happening here is a partnership where each side is responsible for certain components. It's impossible for AWS to decide on its own how to secure, say, customer data; the operator of the cloud has to work along with AWS. Likewise, for the foundational services, it's impossible for you to go to an AWS data center and make sure that no one is breaking into it and that it has the proper security credentials. So this is really a partnership model.

Let's go to the actual security of the cloud itself. One of the things AWS is responsible for is physical security: they make sure that physical access to the data centers is controlled and need-based.
They also make sure that the hardware is secure, buying hardware that has the correct configuration. The network configuration is another thing AWS is responsible for, as is the virtualization layer, which they make sure is set up securely. So under the shared security model, AWS operates, manages and controls these components, all the way from the host OS to the virtualization layer to the physical security of the facilities. A few examples: physical security of data means need-based access, 24/7 security guards and two-factor authentication. Hardware infrastructure means servers, storage devices and other appliances. Software infrastructure means the host operating systems. The network means routers, switches, load balancers, firewalls and cabling. And in terms of virtualization, it means making sure that tenants are actually isolated, so that you're not able to access another person's account. This infrastructure is what AWS is responsible for.

Then there are the higher-level managed services, which are another component that AWS manages. Here AWS is responsible for things like the regions, the availability zones, the edge locations, the operating systems and the firewall configuration. For a service like the Relational Database Service (RDS), AWS manages the patches on the operating system. The same goes for managed services like DynamoDB, Redshift or EMR: for those services AWS handles the basic security tasks, such as OS and database patching, firewall configuration and disaster recovery, and customers don't have to worry about them. That's part of the partnership you're buying into when you buy the Relational Database Service, for example.
A few more examples: for patch management of the underlying infrastructure, AWS is responsible, but it's the customer's responsibility to make sure that their guest operating system is patched. In the virtualization environment, AWS manages the configuration, but customers are again responsible for the guest operating system. Then there are customer-specific controls, such as how the application is actually deployed.

So let's dig into that and go to the next section, the security of the customer's data in the cloud. What are the things you're responsible for in an application? If you're building an application inside the AWS cloud, you're responsible for making sure that you've defined passwords correctly and that you have the right roles accessing that application. Likewise, you need account management set up so that there is a separation between the production environment and, say, the development environment. This is the principle of least privilege. So in a cloud infrastructure that's secured by AWS, customers are responsible for anything they put into the cloud, such as data and applications. Another thing to consider is that customers retain control of the security they choose to implement for their own data and operating systems, which means that the shared security model depends on which AWS services a customer actually uses.

Let's look at an example of how this could work. Say we have some accounts and credentials up at the top, and then an ecosystem where you have S3, you have an EC2 instance, and inside that EC2 instance you have some kind of database.
All of this is something the customer needs to secure. That means the application and the security groups: who has access to the ports that could be exposed on S3 and EC2, and which accounts can actually access them. Then there is the global infrastructure, which we'll just call GI. This is where AWS has the responsibility: the data centers, making sure the network is secure, and making sure the virtualization layer is secure as well. So that's the breakdown of the different responsibilities. The customer is responsible for managing the guest OS, the applications and the security groups, while AWS, in summary, is responsible for protecting the global infrastructure. It's also a best practice for customers to protect their AWS credentials and set up individual accounts so that the principle of least privilege is used.
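As an added example (not part of the original lecture), the Python below implements the kind of security-group check that falls on the customer's side of the model: it scans a constructed sample shaped like the output of a describe-security-groups call and flags administrative and database ports reachable from anywhere on the internet. The port list and the sample group IDs are assumptions.

```python
# Added example: audit security-group ingress rules, a customer-side
# responsibility under the shared security model. Constructed sample input
# mimicking the shape of a describe_security_groups() response (no AWS calls).

ANYWHERE = {"0.0.0.0/0", "::/0"}
# Ports that should not be reachable from the whole internet (assumed list).
SENSITIVE_PORTS = {22: "SSH", 3389: "RDP", 3306: "MySQL", 5432: "PostgreSQL"}

SAMPLE_GROUPS = [  # constructed sample, not real account data
    {"GroupId": "sg-0aaa", "GroupName": "web",
     "IpPermissions": [
         {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443,
          "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": []},
         {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
          "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": []},
     ]},
    {"GroupId": "sg-0bbb", "GroupName": "db",
     "IpPermissions": [
         {"IpProtocol": "tcp", "FromPort": 3306, "ToPort": 3306,
          "IpRanges": [{"CidrIp": "10.0.0.0/16"}], "Ipv6Ranges": []},
         # "-1" means all protocols and all ports; here it is open over IPv6
         {"IpProtocol": "-1", "IpRanges": [], "Ipv6Ranges": [{"CidrIpv6": "::/0"}]},
     ]},
]


def open_to_world(perm):
    """True if any IPv4/IPv6 range on the rule is 0.0.0.0/0 or ::/0."""
    cidrs = [r["CidrIp"] for r in perm.get("IpRanges", [])]
    cidrs += [r["CidrIpv6"] for r in perm.get("Ipv6Ranges", [])]
    return any(c in ANYWHERE for c in cidrs)


def exposed_sensitive_ports(perm):
    """Sensitive ports covered by the rule's port range (all ports for '-1')."""
    if perm.get("IpProtocol") == "-1":
        return sorted(SENSITIVE_PORTS)
    lo, hi = perm.get("FromPort", 0), perm.get("ToPort", 65535)
    return sorted(p for p in SENSITIVE_PORTS if lo <= p <= hi)


def audit(groups):
    """One finding per (group, sensitive port) that is reachable from anywhere."""
    findings = []
    for g in groups:
        for perm in g["IpPermissions"]:
            if not open_to_world(perm):
                continue
            for port in exposed_sensitive_ports(perm):
                findings.append(f"{g['GroupId']} ({g['GroupName']}): "
                                f"{SENSITIVE_PORTS[port]} port {port} open to the internet")
    return findings
```

Running `audit(SAMPLE_GROUPS)` reports the world-open SSH rule on the web group and, because the `-1` rule covers every port, all four sensitive ports on the db group, while the HTTPS rule and the 10.0.0.0/16 MySQL rule produce no findings.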