Schweitzer Fachinformationen
Welcome to Chapter 2. In this chapter, you learn how to make sure you're building in the Cloud using safe processes with security and compliance well in hand. Specifically, this chapter covers the following topics:
By the end of this chapter, you will know how to keep security and compliance top of mind as you journey into the Cloud. Let's get started!
It shouldn't be a surprise that security and compliance are "job zero" at Amazon, making customer safety the main priority. AWS builds services to help achieve security and compliance, and it builds these practices into its other services. After all, millions of users entrust the AWS Cloud every second with details about their bank information, personal data, shopping preferences, and more.
NOTE: Security refers to the processes and technologies used to secure sensitive data, systems, and assets, while compliance refers to your adherence to regulatory standards to align with contractual or legal requirements.
When on a camping trip, you make sure that safety and security play an important role as you plan the trip's details. You lock your camper's doors, for example, as a security practice. You make sure to store your food in bear-proof containers and practice fire safety, ensuring that you extinguish your fire properly once your meal is done. You also make sure you have a valid pass to use the campground where you've reserved a spot and abide by local rules. By following best practices in the Cloud, you will similarly ensure that your data is transmitted and stored safely, your assets are secure, and your systems are in compliance. Let's discover some of these practices together.
What is shared responsibility? It's the concept that you, as the Cloud practitioner, and AWS share the responsibility to keep systems secure and compliant. But where is that fine line between "mine" and "theirs" drawn?
In general, AWS's responsibility is security of the Cloud while the customer's responsibility is security in the Cloud. This might come as a bit of a relief to someone who is used to handling all the security and compliance of an on-premises data center, but it also merits careful consideration since these responsibilities vary depending on the services used. These services are defined as falling into one of three categories: infrastructure as a service (IaaS), platform as a service (PaaS), and software as a service (SaaS). Services fall into these categories depending on their level of abstraction, that is, how much visibility the customer has into their inner workings.
NOTE: In general, the more abstraction, the more responsibility falls on AWS for security and compliance.
Let's examine the shared responsibility model and look at a few examples of how the line is drawn between the customer's responsibility and that of AWS, depending on the type of service.
If the customer is responsible for security in the Cloud, what does that mean, practically speaking? Consider three examples of services that you might select: EC2, Lambda, and RDS.
NOTE: You could say that while AWS is responsible for the database, the customer is responsible for the data and the access to it.
Now that you know that AWS's responsibility lies in making every element of the AWS Cloud safe, secure, and compliant, let's think about how this actually works. AWS takes responsibility for the security and compliance of the infrastructure of the Cloud, including its hardware, software, and networking.
One of the best-known AWS services, Simple Storage Service (S3), offers an infrastructure layer, operating systems, and platforms with which customers can interact. AWS ensures the security of these aspects of the service, and customers manage the security and compliance of their data, its encryption, and IAM permissions to ensure proper permissions are assigned to the various assets stored on S3.
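The customer's side of the S3 split described above can be checked mechanically. The following is an added example, not code from the book: it reviews a bucket's public access block flags and bucket policy for open access and missing TLS enforcement. The bucket name, the dictionary layout, and the function names are assumptions made for illustration; the sample data is constructed.

```python
import json

# Constructed sample of customer-owned settings for a hypothetical bucket:
# its public access block flags and its bucket policy document.
SAMPLE_BUCKET = {
    "public_access_block": {
        "BlockPublicAcls": True, "IgnorePublicAcls": True,
        "BlockPublicPolicy": False, "RestrictPublicBuckets": False,
    },
    "policy": json.dumps({
        "Version": "2012-10-17",
        "Statement": [{
            "Effect": "Allow",
            "Principal": "*",
            "Action": "s3:GetObject",
            "Resource": "arn:aws:s3:::example-reports-bucket/*",
        }],
    }),
}
PAB_FLAGS = ("BlockPublicAcls", "IgnorePublicAcls",
             "BlockPublicPolicy", "RestrictPublicBuckets")

def _as_list(value):
    return value if isinstance(value, list) else [value]

def is_public_principal(principal):
    """True for Principal "*" or {"AWS": "*"}, i.e. any caller."""
    if isinstance(principal, dict):
        return "*" in _as_list(principal.get("AWS", []))
    return principal == "*"

def customer_side_findings(bucket):
    """List gaps in settings that fall on the customer's side of the model."""
    pab = bucket.get("public_access_block") or {}
    findings = [f"public-access-block: {f} is off" for f in PAB_FLAGS if not pab.get(f)]
    policy = json.loads(bucket.get("policy") or "{}")
    tls_enforced = False
    for st in _as_list(policy.get("Statement", [])):
        cond = st.get("Condition") or {}
        # An Allow to everyone with no condition makes the objects public.
        if st.get("Effect") == "Allow" and is_public_principal(st.get("Principal")) and not cond:
            findings.append(f"policy: unconditional public Allow for {st.get('Action')}")
        # A Deny on aws:SecureTransport == false rejects plain-HTTP requests.
        secure = str(cond.get("Bool", {}).get("aws:SecureTransport", "")).lower()
        if st.get("Effect") == "Deny" and secure == "false":
            tls_enforced = True
    if not tls_enforced:
        findings.append("policy: no Deny for non-TLS requests (aws:SecureTransport)")
    return findings
```

Calling `customer_side_findings(SAMPLE_BUCKET)` returns four findings, none of which AWS will fix on the customer's behalf.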
NOTE: It's worthwhile to note that compliance regulations can vary region to region. A good example is GDPR, which regulates how data is stored in Europe. You need to understand and act on the ramifications of storing data in a region with specific regulations.
Table 2.1 outlines the shared responsibility model.
Table 2.1 The Shared Responsibility Model
Note: Italics indicates the user/customer responsibility. Bold indicates the provider responsibility.
This next section looks at security and compliance, which relate to each other like making sure that the brakes on your camper work and ensuring that you've passed all your emissions inspections before hitting the road!
Security is essential to the health of your business, and so is compliance. Compliance sounds like a scary thing, but in fact it's simply following established rules to keep your data, assets, and code safe, as well as making sure your systems are available and performant. And there are lots of rules! AWS supports 143 security standards and compliance certifications as of the publication of this book.
Some of these you might recognize, such as HIPAA, SOC, PCI-DSS Level 1, and GDPR. But there are many others, such as FedRAMP, FIPS 140-2, and NIST 800-171. Compliance requirements vary depending on your business's geographic location,...
File format: ePUB. Copy protection: Adobe DRM (Digital Rights Management).