CC PPT 2

The document discusses several AWS services for security, identity management and access control. It describes IAM roles and features, the IAM Identity Center for user management and auditing, and tools like route tables, security groups and network ACLs for network access controls. The document also covers the AWS Key Management Service, Certificate Manager and security and compliance tools like CloudTrail, Inspector and Security Hub.

Uploaded by muditchechi03

Prescribing Security Controls in AWS
AWS Identity and Access Management (IAM)
IAM is a fundamental component of Amazon Web Services (AWS) that enables you to manage access to AWS services and resources securely. With IAM, administrators can centrally control access, monitor user activity, and integrate identity management seamlessly into their AWS environment.
• Role-based Access Control: IAM roles are used to grant permissions to entities such as AWS services or applications, allowing them to access resources securely without the need for permanent credentials.
• Security Features: IAM provides security features like Multi-factor Authentication (MFA) for added protection, access keys for programmatic access, and identity federation for integrating with external identity providers.
AWS IAM Identity Center
• The AWS IAM Identity Center is a centralized management console within AWS Identity and Access Management (IAM) that facilitates the administration of user identities, groups, roles, and permissions across AWS services securely.
• User Management: The IAM Identity Center allows administrators to create, modify, and delete user accounts, set user passwords, manage user permissions, and assign roles based on job responsibilities or organizational hierarchies.
• Audit and Monitoring: The Identity Center offers audit logs and monitoring capabilities, enabling administrators to track user activity, changes to permissions, and security events for compliance, auditing, and troubleshooting purposes.
Route Tables, Security Groups, and Network ACLs
Route Tables
• Route tables in AWS are used to define rules for routing network traffic between subnets, virtual private clouds (VPCs), and the internet.
• They determine how inbound and outbound traffic is directed within a VPC or between a VPC and external networks.
• Each route table contains entries called routes, which specify the destination for traffic (a CIDR block) and the target (e.g., an internet gateway, a virtual private gateway, or another instance in the VPC).
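The slide lists what a route contains but not how the VPC router picks between overlapping routes. The following is an added example (not code from the slides or from AWS) that models the selection rule AWS uses, longest prefix match: the route with the most specific CIDR that contains the destination wins, regardless of listing order. The route table, the target ids and the addresses are constructed placeholders.

```python
import ipaddress

# Constructed sample route table (not taken from the slides). Keys are
# destination CIDR blocks, values are targets; the target ids are
# placeholders, not real AWS resource ids.
ROUTE_TABLE = {
    "10.0.0.0/16": "local",               # implicit VPC-local route AWS adds itself
    "10.0.7.0/24": "eni-PLACEHOLDER",     # assumed: inspection appliance ENI for one subnet
    "10.1.0.0/16": "pcx-PLACEHOLDER",     # assumed: VPC peering connection
    "192.168.0.0/24": "vgw-PLACEHOLDER",  # assumed: virtual private gateway to on-prem
    "0.0.0.0/0": "igw-PLACEHOLDER",       # assumed: internet gateway (default route)
}


def select_route(route_table, dest_ip):
    """Return (cidr, target) of the route a VPC router would use for dest_ip.

    AWS selects routes by longest prefix match: among all routes whose
    destination CIDR contains the address, the one with the longest
    prefix wins, independent of the order the routes are listed in.
    Returns None when no route matches (the packet is dropped).
    """
    ip = ipaddress.ip_address(dest_ip)
    best_net, best_target = None, None
    for cidr, target in route_table.items():
        net = ipaddress.ip_network(cidr, strict=False)
        if ip in net and (best_net is None or net.prefixlen > best_net.prefixlen):
            best_net, best_target = net, target
    if best_net is None:
        return None
    return str(best_net), best_target


def explain_routes(route_table, addresses):
    """Map each address to the route selected for it."""
    return {addr: select_route(route_table, addr) for addr in addresses}


if __name__ == "__main__":
    demo = explain_routes(
        ROUTE_TABLE, ["10.0.1.5", "10.0.7.9", "10.1.3.3", "192.168.0.20", "8.8.8.8"]
    )
    for addr, route in demo.items():
        print(f"{addr:>14} -> {route}")
```

Note how `10.0.7.9` is sent to the appliance ENI even though it also falls inside the `local` route: a more specific route always wins. Without the `0.0.0.0/0` entry, an address such as `8.8.8.8` matches nothing and is dropped.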
Route Tables, Security Groups, and Network ACLs
Security Groups
• Security groups act as virtual firewalls that control inbound and outbound traffic for EC2 instances, databases, and other resources within a VPC.
• They enforce network access controls by allowing or denying traffic based on defined rules.
• Security groups consist of inbound and outbound rules that specify allowed traffic based on IP protocols (e.g., TCP, UDP, ICMP), port numbers, and source/destination IP addresses or CIDR blocks.
Route Tables, Security Groups, and Network ACLs
Network ACLs
• Network ACLs are another layer of security that operate at the subnet level within a VPC, controlling inbound and outbound traffic similar to security groups but with additional granularity.
• They provide a rule-based mechanism to allow or deny traffic based on IP addresses, protocols, port ranges, and traffic direction (inbound or outbound).
• Network ACL rules are evaluated in order from lowest to highest rule number, and the first matching rule (based on the rule number, protocol, and port) is applied.
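The two slides above describe security groups and network ACLs separately; the difference that matters in practice is how their rules are evaluated. The following added example (not code from the slides or from AWS) models both evaluators side by side: a security group permits traffic if any allow rule matches, while a network ACL walks its rules in ascending number and applies the first match, falling through to deny. The rule sets, the CIDR ranges and the packets are constructed; `MISORDERED_NACL` is included to show that numbering an explicit deny after a broad allow makes the deny unreachable.

```python
import ipaddress
from dataclasses import dataclass

# Constructed sample rules and packets (not from the slides).


@dataclass(frozen=True)
class Packet:
    direction: str  # "inbound" or "outbound"
    proto: str      # "tcp", "udp" or "icmp"
    port: int       # destination port (0 for icmp)
    peer: str       # remote IP: source for inbound, destination for outbound


@dataclass(frozen=True)
class SgRule:
    direction: str
    proto: str
    from_port: int
    to_port: int
    cidr: str


@dataclass(frozen=True)
class NaclRule:
    number: int     # rules are evaluated from the lowest number upwards
    direction: str
    proto: str
    from_port: int
    to_port: int
    cidr: str
    action: str     # "allow" or "deny"


def _matches(rule, pkt):
    """True if the rule's direction, protocol, port range and CIDR cover pkt."""
    if rule.direction != pkt.direction:
        return False
    if rule.proto not in ("all", pkt.proto):
        return False
    if rule.proto != "icmp" and not (rule.from_port <= pkt.port <= rule.to_port):
        return False
    return ipaddress.ip_address(pkt.peer) in ipaddress.ip_network(rule.cidr, strict=False)


def sg_allows(rules, pkt):
    """Security group semantics: only allow rules exist, order is irrelevant,
    and any matching rule permits the traffic; otherwise it is dropped.
    (Security groups are also stateful: replies to allowed traffic pass
    automatically. That connection tracking is not modelled here.)"""
    return any(_matches(r, pkt) for r in rules)


def nacl_decision(rules, pkt):
    """Network ACL semantics: rules are evaluated in ascending rule number,
    the first match decides, and the implicit '*' rule denies anything that
    matched nothing. NACLs are stateless, so replies need their own rule."""
    for r in sorted(rules, key=lambda r: r.number):
        if _matches(r, pkt):
            return r.action
    return "deny"


def is_permitted(sg_rules, nacl_rules, pkt):
    """Traffic reaches an instance only if the subnet NACL and the
    instance's security group both allow it."""
    return nacl_decision(nacl_rules, pkt) == "allow" and sg_allows(sg_rules, pkt)


WEB_SG = [
    SgRule("inbound", "tcp", 443, 443, "0.0.0.0/0"),  # HTTPS from anywhere
    SgRule("inbound", "tcp", 22, 22, "10.0.0.0/8"),   # SSH only from internal ranges
]

# Correctly ordered NACL: the deny for a blocklisted range (constructed,
# documentation prefix) is numbered before the broad allow.
SUBNET_NACL = [
    NaclRule(100, "inbound", "tcp", 22, 22, "203.0.113.0/24", "deny"),
    NaclRule(110, "inbound", "tcp", 0, 65535, "0.0.0.0/0", "allow"),
]

# Same rules with the numbers swapped: the broad allow matches first and
# the deny is never evaluated.
MISORDERED_NACL = [
    NaclRule(100, "inbound", "tcp", 0, 65535, "0.0.0.0/0", "allow"),
    NaclRule(110, "inbound", "tcp", 22, 22, "203.0.113.0/24", "deny"),
]
```

A packet from the blocklisted range to port 22 is denied by `SUBNET_NACL` but allowed by `MISORDERED_NACL`; in this sample it is still dropped, because the security group only accepts SSH from `10.0.0.0/8`. That is the layering the slides allude to: the NACL guards the subnet, the security group guards the instance, and a mistake in one is caught by the other.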
AWS Key Management Service
• AWS Key Management Service (KMS) is a managed service that enables users to create and control cryptographic keys used to encrypt and decrypt data across AWS services and applications.
• Key Creation and Management: AWS KMS allows users to create and manage cryptographic keys, including customer master keys (CMKs) for encrypting data and data keys for encrypting specific pieces of data.
• Encryption and Decryption: AWS KMS provides encryption and decryption capabilities for sensitive data, ensuring data confidentiality and integrity.
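The slide names two kinds of keys, master keys and data keys, without showing how they fit together. The pattern is envelope encryption: the application asks KMS for a data key, encrypts its data locally with that key, keeps only the wrapped (master-key-encrypted) copy of the data key next to the ciphertext, and asks KMS to unwrap it again at decryption time. The master key never leaves KMS. The following is an added example (not AWS code and not the KMS API): `ToyKms` stands in for the service, and `toy_seal`/`toy_open` are a stand-in authenticated cipher built from HMAC-SHA256 so the example runs with the standard library alone; real KMS uses AES-256-GCM. Key id and data are constructed.

```python
import hashlib
import hmac
import os

# Toy envelope-encryption demo (not AWS code). The cipher below is an
# HMAC-SHA256 keystream plus an HMAC tag, used only so the example runs
# with the standard library; real KMS wraps and encrypts with AES-256-GCM.


def _derive(key, label):
    return hmac.new(key, label, hashlib.sha256).digest()


def toy_seal(key, plaintext, aad=b""):
    """Encrypt-then-MAC: returns nonce || ciphertext || tag."""
    enc_key, mac_key = _derive(key, b"enc"), _derive(key, b"mac")
    nonce = os.urandom(16)
    out = bytearray()
    for i in range(0, len(plaintext), 32):
        block = hmac.new(enc_key, nonce + i.to_bytes(4, "big"), hashlib.sha256).digest()
        out.extend(a ^ b for a, b in zip(plaintext[i:i + 32], block))
    tag = hmac.new(mac_key, nonce + bytes(out) + aad, hashlib.sha256).digest()
    return nonce + bytes(out) + tag


def toy_open(key, sealed, aad=b""):
    """Verify the tag first, then undo the keystream; raises on tampering."""
    enc_key, mac_key = _derive(key, b"enc"), _derive(key, b"mac")
    nonce, body, tag = sealed[:16], sealed[16:-32], sealed[-32:]
    expected = hmac.new(mac_key, nonce + body + aad, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("authentication failed: ciphertext or wrapped key was modified")
    out = bytearray()
    for i in range(0, len(body), 32):
        block = hmac.new(enc_key, nonce + i.to_bytes(4, "big"), hashlib.sha256).digest()
        out.extend(a ^ b for a, b in zip(body[i:i + 32], block))
    return bytes(out)


class ToyKms:
    """Stand-in for KMS: master keys never leave this object; callers only
    ever see data keys and their wrapped (encrypted) form."""

    def __init__(self):
        self._master_keys = {}

    def create_key(self, key_id):
        self._master_keys[key_id] = os.urandom(32)
        return key_id

    def generate_data_key(self, key_id):
        """Mirrors what KMS GenerateDataKey returns: (plaintext key, wrapped key)."""
        data_key = os.urandom(32)
        wrapped = toy_seal(self._master_keys[key_id], data_key, aad=key_id.encode())
        return data_key, wrapped

    def decrypt_data_key(self, key_id, wrapped):
        """Mirrors KMS Decrypt applied to a wrapped data key."""
        return toy_open(self._master_keys[key_id], wrapped, aad=key_id.encode())


def encrypt_envelope(kms, key_id, plaintext):
    """Envelope encryption: data is encrypted locally with a fresh data key;
    only the wrapped data key and the ciphertext are stored."""
    data_key, wrapped = kms.generate_data_key(key_id)
    ciphertext = toy_seal(data_key, plaintext)
    del data_key  # the plaintext data key is discarded as soon as it has been used
    return {"key_id": key_id, "wrapped_key": wrapped, "ciphertext": ciphertext}


def decrypt_envelope(kms, envelope):
    data_key = kms.decrypt_data_key(envelope["key_id"], envelope["wrapped_key"])
    return toy_open(data_key, envelope["ciphertext"])


if __name__ == "__main__":
    kms = ToyKms()
    key_id = kms.create_key("alias/app-data-PLACEHOLDER")  # constructed key id
    env = encrypt_envelope(kms, key_id, b"constructed secret record")
    print(decrypt_envelope(kms, env))
```

Two properties worth noticing: a bit flip in the stored ciphertext is rejected before any plaintext is produced, and a second `ToyKms` instance holding a different master key cannot unwrap the data key at all, which is the access-control boundary that KMS key policies are placed on.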
AWS Certificate Manager
• AWS Certificate Manager (ACM) is a managed service provided by Amazon Web Services (AWS) that simplifies the process of provisioning, managing, and deploying SSL/TLS certificates for use with AWS services and external resources.
• Certificate Provisioning: ACM automates the process of obtaining SSL/TLS certificates, eliminating the need for manual certificate generation and renewal.
• Public and Private Certificates: ACM supports both public and private SSL/TLS certificates. Public certificates are issued by ACM and can be used for securing public-facing websites and applications.
AWS Security, Identity, and Compliance Tools
• AWS CloudTrail: AWS CloudTrail is a service provided by Amazon Web Services (AWS) that enables governance, compliance, operational auditing, and risk auditing of AWS accounts. AWS CloudTrail records and logs API calls made on AWS services and resources within an AWS account. This includes calls made via the AWS Management Console and the AWS Command Line Interface.
• AWS IAM Access Analyzer: AWS IAM Access Analyzer is a service provided by Amazon Web Services (AWS) that helps users analyze and evaluate resource policies to identify unintended public or cross-account access to AWS resources. It scans policies for potential risks, including overly permissive access grants, cross-account access, and public access to resources.
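The Access Analyzer bullet above, and the IAM slide earlier, both come down to one question about a policy: can a principal outside this account use it? The following added example (not code from the slides and not Access Analyzer's own logic) performs a simplified version of that check on a resource policy document: an `Allow` statement with principal `*` and no scoping condition is reported as public, a principal from another account as cross-account, and wildcard actions are flagged on top. The set of scoping condition keys, the account ids, the bucket name and the policy itself are constructed assumptions for the example.

```python
import json

# Condition keys that, when present, scope a "*" principal to a known set of
# callers. This list is an assumption for the example, modelled loosely on
# how Access Analyzer treats such conditions; it is not AWS's exact logic.
SCOPING_CONDITION_KEYS = {
    "aws:principalorgid", "aws:principalaccount", "aws:principalarn",
    "aws:sourceaccount", "aws:sourcearn", "aws:sourcevpc", "aws:sourcevpce",
}


def _as_list(value):
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def _principals(stmt):
    principal = stmt.get("Principal")
    if principal == "*":
        return ["*"]
    if isinstance(principal, dict):
        out = []
        for entries in principal.values():
            out.extend(_as_list(entries))
        return out
    return []


def _account_of(principal):
    """Account id from an IAM principal ARN or a bare 12-digit account id."""
    if principal.isdigit() and len(principal) == 12:
        return principal
    parts = principal.split(":")
    if len(parts) >= 6 and parts[0] == "arn" and parts[2] == "iam":
        return parts[4]
    return None  # service principals, canonical ids, etc. are not analysed here


def _has_scoping_condition(stmt):
    for operator_map in stmt.get("Condition", {}).values():
        for key in operator_map:
            if key.lower() in SCOPING_CONDITION_KEYS:
                return True
    return False


def analyze_resource_policy(policy_json, own_account):
    """Return one finding per Allow statement reachable from outside own_account."""
    policy = json.loads(policy_json)
    findings = []
    for index, stmt in enumerate(_as_list(policy.get("Statement"))):
        if stmt.get("Effect") != "Allow":
            continue
        actions = _as_list(stmt.get("Action"))
        wildcard = any(a == "*" or a.endswith(":*") for a in actions)
        for principal in _principals(stmt):
            if principal == "*":
                if _has_scoping_condition(stmt):
                    continue  # "*" limited to an org/account/VPC: not public
                kind = "public"
            else:
                account = _account_of(principal)
                if account is None or account == own_account:
                    continue
                kind = "cross-account"
            findings.append({
                "statement": index, "kind": kind, "principal": principal,
                "actions": actions, "wildcard_action": wildcard,
            })
    return findings


# Constructed S3 bucket policy; account ids, org id and bucket name are placeholders.
OWN_ACCOUNT = "111111111111"
SAMPLE_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [
        {"Sid": "PublicRead", "Effect": "Allow", "Principal": "*",
         "Action": "s3:GetObject", "Resource": "arn:aws:s3:::example-bucket/*"},
        {"Sid": "PartnerFullAccess", "Effect": "Allow",
         "Principal": {"AWS": "arn:aws:iam::222222222222:root"},
         "Action": "s3:*", "Resource": "arn:aws:s3:::example-bucket/*"},
        {"Sid": "OrgOnly", "Effect": "Allow", "Principal": {"AWS": "*"},
         "Action": "s3:ListBucket", "Resource": "arn:aws:s3:::example-bucket",
         "Condition": {"StringEquals": {"aws:PrincipalOrgID": "o-PLACEHOLDER"}}},
        {"Sid": "OwnAccount", "Effect": "Allow",
         "Principal": {"AWS": f"arn:aws:iam::{OWN_ACCOUNT}:role/app"},
         "Action": "s3:PutObject", "Resource": "arn:aws:s3:::example-bucket/*"},
    ],
})

if __name__ == "__main__":
    for finding in analyze_resource_policy(SAMPLE_POLICY, OWN_ACCOUNT):
        print(finding)
```

Run against the sample, the scan reports the public read statement and the partner statement (which also carries a wildcard action); the org-scoped `*` and the own-account role produce nothing. The real service additionally reasons about `Deny` statements, resource-level conditions and many more principal forms, which is why this stays an illustration of the idea rather than a replacement.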
AWS Security, Identity, and Compliance Tools
• AWS Security Hub: AWS Security Hub is a comprehensive security service provided by Amazon Web Services (AWS) that helps users manage security and compliance across their AWS accounts and resources. It consolidates security data and insights into a unified dashboard, allowing users to gain a holistic view of their security posture and identify potential threats and vulnerabilities.
• Amazon Inspector: Amazon Inspector is an automated security assessment service provided by Amazon Web Services (AWS) that helps users identify security vulnerabilities and compliance issues in their AWS resources and applications. Amazon Inspector uses an agent-based approach to assess the security posture of EC2 instances and other supported resources.
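The CloudTrail bullet on the previous slide says API calls are recorded, and the Security Hub bullet above says findings are consolidated; what sits between the two is detection logic. The following added example (not code from the slides, from CloudTrail or from Security Hub) runs three simple detections over constructed CloudTrail-style events and emits each hit as a dictionary using a subset of the fields of the AWS Security Finding Format that Security Hub ingests. The events, account id, ARNs and trail name are constructed; the rule thresholds and severities are the author's choices for the example.

```python
# Constructed CloudTrail-style events (not real logs); account id, ARNs and
# trail name are placeholders. Field names follow the CloudTrail record format.
SAMPLE_EVENTS = [
    {"eventTime": "2024-01-01T10:00:00Z", "eventSource": "ec2.amazonaws.com",
     "eventName": "DescribeInstances",
     "userIdentity": {"type": "IAMUser", "arn": "arn:aws:iam::111111111111:user/alice"}},
    {"eventTime": "2024-01-01T10:05:00Z", "eventSource": "signin.amazonaws.com",
     "eventName": "ConsoleLogin",
     "userIdentity": {"type": "IAMUser", "arn": "arn:aws:iam::111111111111:user/bob"},
     "additionalEventData": {"MFAUsed": "No"},
     "responseElements": {"ConsoleLogin": "Success"}},
    {"eventTime": "2024-01-01T10:10:00Z", "eventSource": "signin.amazonaws.com",
     "eventName": "ConsoleLogin",
     "userIdentity": {"type": "Root", "arn": "arn:aws:iam::111111111111:root"},
     "additionalEventData": {"MFAUsed": "Yes"},
     "responseElements": {"ConsoleLogin": "Success"}},
    {"eventTime": "2024-01-01T10:15:00Z", "eventSource": "cloudtrail.amazonaws.com",
     "eventName": "StopLogging",
     "userIdentity": {"type": "AssumedRole",
                      "arn": "arn:aws:sts::111111111111:assumed-role/admin/session"},
     "requestParameters": {"name": "arn:aws:cloudtrail:us-east-1:111111111111:trail/main"}},
]

# CloudTrail API calls that reduce or alter audit coverage.
TRAIL_TAMPER_EVENTS = {"StopLogging", "DeleteTrail", "UpdateTrail", "PutEventSelectors"}


def rule_console_login_without_mfa(ev):
    if (ev.get("eventName") == "ConsoleLogin"
            and ev.get("responseElements", {}).get("ConsoleLogin") == "Success"
            and ev.get("additionalEventData", {}).get("MFAUsed") != "Yes"):
        return "Console login succeeded without MFA", "MEDIUM"
    return None


def rule_root_activity(ev):
    # Any root usage is worth a finding; day-to-day work should go through IAM roles.
    if ev.get("userIdentity", {}).get("type") == "Root":
        return "Root account activity", "HIGH"
    return None


def rule_trail_tampering(ev):
    if (ev.get("eventSource") == "cloudtrail.amazonaws.com"
            and ev.get("eventName") in TRAIL_TAMPER_EVENTS):
        return f"CloudTrail logging changed via {ev['eventName']}", "CRITICAL"
    return None


RULES = [rule_console_login_without_mfa, rule_root_activity, rule_trail_tampering]


def to_finding(ev, generator, title, severity):
    """Shape a hit as a subset of the AWS Security Finding Format (ASFF)."""
    actor = ev.get("userIdentity", {}).get("arn", "unknown")
    account = actor.split(":")[4] if actor.count(":") >= 5 else "unknown"
    return {
        "SchemaVersion": "2018-10-08",
        "GeneratorId": generator,
        "AwsAccountId": account,
        "CreatedAt": ev.get("eventTime"),
        "Severity": {"Label": severity},
        "Title": title,
        "Description": f"{ev.get('eventName')} from {ev.get('eventSource')} by {actor}",
        "Resources": [{"Type": "Other", "Id": actor}],
    }


def detect(events, rules=RULES):
    """Apply every rule to every event; one event may yield several findings."""
    findings = []
    for ev in events:
        for rule in rules:
            hit = rule(ev)
            if hit:
                title, severity = hit
                findings.append(to_finding(ev, rule.__name__, title, severity))
    return findings


if __name__ == "__main__":
    for finding in detect(SAMPLE_EVENTS):
        print(finding["Severity"]["Label"], finding["Title"], "|", finding["Description"])
```

The routine `DescribeInstances` call yields nothing; the non-MFA login, the root login (flagged even though MFA was used) and the `StopLogging` call each produce one finding. In a real deployment the same shape would be sent to Security Hub with the `BatchImportFindings` API, which also requires `Id` and `ProductArn` fields that are omitted here.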
Designing Reliable & Resilient Architectures
Recovery Time Objective (RTO)
• RTO refers to the targeted duration within which a business process or system must be restored after a disruption or disaster to avoid unacceptable consequences. It measures the time it takes to recover a system to a functional state after an incident.
• RTO helps in setting expectations for how quickly a system or service should be back online after a failure. It directly impacts business operations and customer experience.
• If a system has an RTO of 4 hours, it means that after a disaster, the system should be fully operational within 4 hours to meet business requirements.
Recovery Time Objective (RTO)
• RTO can be managed through strategies such as:
  - Having redundant systems in different availability zones (AZs) or regions to ensure quick failover in case of an outage.
  - Using services like AWS Elastic Load Balancing (ELB) and Auto Scaling to automatically redirect traffic and scale resources as needed.
  - Implementing AWS Disaster Recovery (DR) services like AWS Backup, AWS Disaster Recovery Orchestration (AWS DRO), and AWS Disaster Recovery (DR) Tools for efficient recovery workflows.
Recovery Point Objective (RPO)
• RPO refers to the maximum tolerable amount of data loss that an organization can afford during a disruption or disaster. It defines the point in time to which data must be recovered after an incident.
• RPO helps in determining how frequently backups or data replication should occur. It ensures that data loss is within acceptable limits for the organization.
• If a system has an RPO of 1 hour, it means that data must be backed up or replicated at least every hour. In case of a disaster, the organization can recover data up to the last backup taken within that hour.
Recovery Point Objective (RPO)
• RPO can be managed through strategies such as:
  - Regularly backing up data using AWS services like Amazon S3 (Simple Storage Service) for object storage, Amazon RDS (Relational Database Service) for databases, or AWS Backup for centralized backup management.
  - Implementing data replication across AWS regions using services like Amazon Aurora Global Database, Amazon S3 Cross-Region Replication, or AWS Storage Gateway for hybrid cloud setups.
  - Utilizing AWS data protection services such as AWS Backup, AWS DataSync, and AWS Storage Gateway for efficient data backup, transfer, and recovery.
RPO & RTO
Disaster Recovery Strategies
• Disaster recovery strategies encompass proactive measures and plans designed to swiftly restore critical systems and data following disruptive events, ensuring business continuity and minimizing downtime and data loss.
• A few disaster recovery strategies are as follows:
  - AWS Elastic Disaster Recovery
  - Pilot Light
  - Warm Standby
  - Multi Site
AWS Elastic Disaster Recovery
• AWS Elastic Disaster Recovery (EDR) is a concept that leverages AWS cloud services to create scalable and efficient disaster recovery solutions.
• AWS Elastic Disaster Recovery emphasizes cost optimization by providing pay-as-you-go pricing models, resource optimization strategies, and cost management tools like AWS Cost Explorer.
• It allows organizations to automate and orchestrate recovery workflows, including failover processes and recovery testing.