Aws Architecture Core Concepts Slides

Uploaded by

iransamir

Introduction to Security and Architecture on AWS
AWS ARCHITECTURE CORE CONCEPTS

David Tucker
TECHNICAL ARCHITECT & CTO CONSULTANT
@_davidtucker_ davidtucker.net

AWS Cloud Practitioner Learning Path

- Fundamental Cloud Concepts for AWS
- Understanding AWS Core Services
- Introduction to Security & Architecture on AWS
- AWS Certified Cloud Practitioner Exam Prep

Security and Architecture Overview

Overview
- Reviewing core concepts around security and architecture
- Exploring the AWS Shared Responsibility Model
- Introducing the AWS Well Architected Framework
- Examining fault tolerance and high availability on AWS
- Understanding provided tools for compliance

Acceptable Use Policy
AWS’s policy for acceptable and unacceptable uses of
their cloud platform. All users must agree with this
policy to have an account on the platform.

Acceptable Use Policy
- Sending unsolicited mass emails is prohibited
- Hosting or distributing harmful content is prohibited
- Penetration tests are allowed for a list of specific services

Least Privilege Access
When granting permission for a user to access AWS
resources, you should grant them the minimum
permissions needed to complete their tasks and no more.
Shared Responsibility Model
“Security and Compliance is a shared responsibility between AWS and the customer.”
Amazon Web Services, Shared Responsibility Model

Shared Responsibility Summary

- AWS Responsibility: AWS is responsible for the security of the cloud
- Customer Responsibility: Customer is responsible for security in the cloud

Shared Responsibility Model

AWS Responsibility
- Access & training for Amazon employees
- Global data centers and underlying network
- Hardware for global infrastructure
- Configuration management for infrastructure
- Patching cloud infrastructure and services

Customer Responsibility
- Individual access to cloud resources and training
- Data security and encryption (both in transit and at rest)
- Operating system, network, and firewall configuration
- All code deployed onto cloud infrastructure
- Patching guest operating system and custom applications

AWS Well-architected Framework
The Well-architected Framework is a collection of best
practices across five key pillars for how to best create
systems that create business value on AWS.

Pillars of the Well-architected Framework

- Operational Excellence: Running and monitoring systems for business value
- Security: Protecting information and business assets
- Reliability: Enabling infrastructure to recover from disruptions
- Performance Efficiency: Using resources efficiently to achieve business value
- Cost Optimization: Achieving minimal costs for the desired value

High-availability and Fault Tolerance
“Everything fails all the time.”
Werner Vogels - CTO, Amazon
Reliability on AWS

- Fault Tolerance: Being able to support the failure of components within your architecture
- High Availability: Keeping your entire solution running in the expected manner despite issues that may occur

Building Solutions on AWS
- Most managed AWS services provide high-availability out of the box
- When building solutions directly on EC2 fault tolerance must be architected
- Multiple availability zones should be leveraged
- Some services can enable fault tolerance in your custom applications
  - Simple Queue Service (SQS)
  - Route 53

Compliance

Common Compliance Standards

- PCI-DSS: Compliance standard for processing credit cards
- HIPAA: Compliance standard for healthcare data
- SOC 1, SOC 2, SOC 3: Third-party reviews of operational processes
- FedRAMP: Standards for US government data handling
- ISO 27018: Standard for handling Personally Identifiable Info

Compliance Services

- AWS Config: Provides conformance packs for standards
- AWS Artifact: Provides self-service access to reports
- Amazon GuardDuty: Provides intelligent threat detection

Demo
- Examining compliance reports in AWS Artifact
- Exploring conformance packs in AWS Config

Scenario Based Review
Scenario 1

- Jane’s company is building an application to process credit cards
- They will be processing cards directly and not through a service
- Their bank needs a PCI DSS compliance report for AWS
- Where would Jane go to get the information?

Scenario 2

- Tim’s company is considering a transition to the cloud
- They store personal information securely in their system
- Tim’s CTO has asked what the company’s responsibility is for security
- What would you tell Tim’s CTO?

Scenario 3

- Ellen is a solutions architect at a startup
- They are building a new tool for digital asset management
- Ellen is curious how to best leverage the capabilities of AWS in this application
- What resources would you recommend for Ellen and her team?

Summary
- Reviewed core concepts around security and architecture
- Explored the AWS Shared Responsibility Model
- Introduced the AWS Well-architected Framework
- Examined fault tolerance and high availability on AWS
- Understood provided tools for compliance

Scenario 1

- Jane’s company is building an application to process credit cards
- They will be processing cards directly and not through a service
- Their bank needs a PCI DSS compliance report for AWS
- Where would Jane go to get the information?

Solution: AWS Artifact

Scenario 2

- Tim’s company is considering a transition to the cloud
- They store personal information securely in their system
- Tim’s CTO has asked what the company’s responsibility is for security
- What would you tell Tim’s CTO?

Solution: Review the Shared Responsibility Model

Scenario 3

- Ellen is a solutions architect at a startup
- They are building a new tool for digital asset management
- Ellen is curious how to best leverage the capabilities of AWS in this application
- What resources would you recommend for Ellen and her team?

Solution: AWS Well Architected Framework
