
Name: - Harsh Tripathi Roll No.:-B - 657 Date: - / /2022 AIM: To Study and Implement Security As A Service On AWS Theory

Harsh Tripathi conducted an experiment to study and implement security as a service on AWS. The document discusses AWS security features like encryption protocols, security guidance and tools provided by AWS to help customers securely deploy workloads on AWS infrastructure. It explains how AWS shares security responsibility with customers and provides services and features to implement comprehensive security architectures across cloud and on-premises environments.


DEPARTMENT OF COMPUTER ENGINEERING

EXPERIMENT NUMBER: 8

Name: Harsh Tripathi
Roll No.: B - 657
Date: / /2022

AIM: To study and Implement Security as a Service on AWS

THEORY:

Q) Security of the AWS Infrastructure?

The AWS infrastructure has been architected to be one of the most flexible
and secure cloud computing environments available today. It is designed to provide
an extremely scalable, highly reliable platform that enables customers to deploy
applications and data quickly and securely. This infrastructure is built and managed
not only according to security best practices and standards, but also with the unique
needs of the cloud in mind. AWS uses redundant and layered controls, continuous
validation and testing, and a substantial amount of automation to ensure that the
underlying infrastructure is monitored and protected 24x7. AWS ensures that these
controls are replicated in every new data center or service.

All AWS customers benefit from a data center and network architecture built
to satisfy the requirements of our most security-sensitive customers. This means
that you get a resilient infrastructure, designed for high security, without the capital
outlay and operational overhead of a traditional data center.

AWS operates under a shared security responsibility model, where AWS is
responsible for the security of the underlying cloud infrastructure and you are
responsible for securing the workloads you deploy in AWS. This gives you the
flexibility and agility you need to implement the most applicable security controls
for your business functions in the AWS environment. You can tightly restrict
access to environments that process sensitive data, or deploy less stringent controls
for information you want to make public.

Q) Security Protocols and Features in AWS

AWS and its partners offer a wide range of tools and features to help you
meet your security objectives. These tools mirror the familiar controls you deploy
within your on-premises environments. AWS provides security-specific tools and
features across network security, configuration management, access control and
data security. In addition, AWS provides monitoring and logging tools that provide
full visibility into what is happening in your environment.

Moving production workloads to AWS can enable organizations to improve
agility, scalability, innovation, and cost savings while maintaining a secure
environment. AWS Marketplace offers industry-leading security products that are
equivalent, identical to, or integrate with existing controls in your on-premises
environments. These products complement the existing AWS services to enable
you to deploy a comprehensive security architecture and a more seamless
experience across your cloud and on-premises environments.

Q) Security Guidance in AWS

AWS provides customers with guidance and expertise through online tools,
resources, support, and professional services provided by AWS and its partners.

• AWS Trusted Advisor is an online tool that acts like a customized cloud expert,
helping you to configure your resources to follow best practices. Trusted
Advisor inspects your AWS environment to help close security gaps, and finds
opportunities to save money, improve system performance, and increase
reliability.

• AWS Account Teams provide a first point of contact, guiding you through your
deployment and implementation, and pointing you toward the right resources to
resolve security issues you may encounter.

• AWS Enterprise Support provides 15-minute response time and is available
24×7 by phone, chat, or email; along with a dedicated Technical Account
Manager. This concierge service ensures that customers’ issues are addressed as
swiftly as possible.

• AWS Partner Network offers hundreds of industry-leading products that are
equivalent, identical to, or integrated with existing controls in your on-premises
environments. These products complement the existing AWS services to enable
you to deploy a comprehensive security architecture and a more seamless
experience across your cloud and on-premises environments, as well as
hundreds of certified AWS Consulting Partners worldwide to help with your
security and compliance needs.

• AWS Professional Services houses a Security, Risk and Compliance specialty
practice to help you develop confidence and technical capability when migrating
your most sensitive workloads to the AWS Cloud. AWS Professional
Services helps customers develop security policies and practices based on
well-proven designs, and helps ensure that customers’ security design meets internal
and external compliance requirements.

• AWS Marketplace is a digital catalog with thousands of software listings from
independent software vendors that make it easy to find, test, buy, and deploy
software that runs on AWS. AWS Marketplace Security products complement
the existing AWS services to enable you to deploy a comprehensive security
architecture and a more seamless experience across your cloud and on-premises
environments.

• AWS Security Bulletins provides security bulletins around current
vulnerabilities and threats, and enables customers to work with AWS security
experts to address concerns like reporting abuse, vulnerabilities, and penetration
testing. We also have online resources for vulnerability reporting.

• AWS Security Documentation shows how to configure AWS services to meet
your security and compliance objectives. AWS customers benefit from a data
center and network architecture that are built to meet the requirements of the
most security-sensitive organizations.

• AWS Well-Architected Framework helps cloud architects build secure,
high-performing, resilient, and efficient infrastructure for their applications.
The AWS Well-Architected Framework includes a security pillar that focuses on
protecting information and systems. Key topics include confidentiality and
integrity of data, identifying and managing who can do what with privilege
management, protecting systems, and establishing controls to detect security
events. Customers can use the AWS Well-Architected Tool from the AWS
Management Console or engage the services of one of the APN partners to assist
them.

• AWS Well-Architected Tool helps you review the state of your workloads and
compares them to the latest AWS architectural best practices. This free tool is
available in the AWS Management Console. After you answer a set of
questions regarding operational excellence, security, reliability, performance
efficiency, and cost optimization, the AWS Well-Architected Tool
provides a plan on how to architect for the cloud using established best practices.

Q) How to enable encryption in a browser with the AWS
Encryption is a technique that can restrict access to sensitive data by making it
unreadable without a key. An encryption process takes data that is plainly readable or
processable (“plaintext”) and uses principles of mathematics to obscure the contents
so that it can’t be read without the use of a secret key. To preserve user privacy and
prevent unauthorized disclosure of sensitive business data, developers need ways to
protect sensitive data during the entire data lifecycle. Data needs to be protected from
risks associated with unintentional disclosure as data flows between collection,
storage, processing, and sharing components of an application. In this context,
encryption is typically divided into two separate techniques: encryption at rest for
storing data; and encryption in transit for moving data between entities or systems.

The first step of in-browser encryption is including a copy of the AWS
Encryption SDK for JavaScript with the scripts you’re already sending to the user
when they access your application. Once it’s present in the end-user environment, it’s
available for your application to make calls. To perform the encryption, the ESDK
requests from the cryptographic materials provider a data key that is used to
encrypt the data, and an encrypted copy of that data key that will be stored with the
object being encrypted. After a piece of data is encrypted within the browser, the
ciphertext can be uploaded to your application backend for processing or storage.
When a user needs to retrieve the plaintext, the ESDK reads the metadata attached to
the ciphertext to determine the appropriate method to decrypt the data key; if the user
has access to the KMS key, the ESDK decrypts the data key and then uses it to
decrypt the data.
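
The data-key flow described above, as an added example that is not part of the original report and is not the AWS Encryption SDK's code or message format. It uses Node's built-in `crypto` module; a locally generated AES-256 key stands in for the KMS key, and the function names, the `header`/`body` layout and the key id are assumptions made for illustration.

```javascript
// Added example: envelope encryption with Node's built-in crypto module.
// Assumption: a local AES-256 key stands in for the KMS key; the message
// layout is constructed here and is NOT the AWS Encryption SDK format.
const crypto = require("node:crypto");

// AES-256-GCM encrypt; returns iv (12 bytes) || tag (16 bytes) || ciphertext.
function seal(key, plaintext, aad) {
  const iv = crypto.randomBytes(12);
  const cipher = crypto.createCipheriv("aes-256-gcm", key, iv);
  cipher.setAAD(aad);
  const ct = Buffer.concat([cipher.update(plaintext), cipher.final()]);
  return Buffer.concat([iv, cipher.getAuthTag(), ct]);
}

// AES-256-GCM decrypt; throws if key, AAD or ciphertext do not match.
function unseal(key, blob, aad) {
  const d = crypto.createDecipheriv("aes-256-gcm", key, blob.subarray(0, 12));
  d.setAAD(aad);
  d.setAuthTag(blob.subarray(12, 28));
  return Buffer.concat([d.update(blob.subarray(28)), d.final()]);
}

// Encrypt: a fresh data key per message; only its encrypted copy is stored.
function envelopeEncrypt(wrappingKey, keyId, plaintext) {
  const dataKey = crypto.randomBytes(32);
  const aad = Buffer.from(keyId, "utf8"); // binds the header key id to both ciphertexts
  const encryptedDataKey = seal(wrappingKey, dataKey, aad).toString("base64");
  const body = seal(dataKey, Buffer.from(plaintext, "utf8"), aad).toString("base64");
  dataKey.fill(0); // the plaintext data key never leaves this function
  return { header: { keyId, encryptedDataKey }, body };
}

// Decrypt: read the header, find the wrapping key, unwrap the data key,
// then decrypt the body. `keyring` is a Map of key id -> wrapping key.
function envelopeDecrypt(keyring, message) {
  const { keyId, encryptedDataKey } = message.header;
  const wrappingKey = keyring.get(keyId);
  if (!wrappingKey) throw new Error("no access to key " + keyId);
  const aad = Buffer.from(keyId, "utf8");
  const dataKey = unseal(wrappingKey, Buffer.from(encryptedDataKey, "base64"), aad);
  const plain = unseal(dataKey, Buffer.from(message.body, "base64"), aad);
  dataKey.fill(0);
  return plain.toString("utf8");
}
```

The backend that stores `header` and `body` holds neither the data key nor the wrapping key, so it cannot read the plaintext, and a modified body fails GCM authentication on decrypt.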

CONCLUSION:
Hence, I have successfully studied and implemented Security as a Service on
AWS.
