
AWS Security and Compliance

Amazon Web Services (AWS) implements a robust, multi-layered approach to security and
compliance, ensuring customers can run workloads safely while meeting regulatory and industry
requirements.

1. Security in AWS

AWS security is based on the shared responsibility model:

 AWS’s Responsibility ("Security of the Cloud")
AWS manages and secures the underlying infrastructure — physical facilities, network,
hardware, virtualization layer, and foundational services.
 Customer’s Responsibility ("Security in the Cloud")
Customers are responsible for configuring secure workloads — e.g., user access
management, application-level security, data classification, and encryption.

Key AWS Security Components

1. Identity and Access Management (IAM)
o Fine-grained control over user and service permissions.
o Supports policies, roles, groups, and multi-factor authentication (MFA).
2. Data Protection
o Encryption at rest: AWS Key Management Service (KMS), CloudHSM.
o Encryption in transit: TLS/SSL, AWS Certificate Manager (ACM).
o Automatic encryption options for S3, RDS, EBS, etc.
3. Network Security
o Virtual Private Cloud (VPC) with security groups, network ACLs, and private
subnets.
o AWS Shield and AWS WAF for DDoS and web application attack protection.
o AWS Firewall Manager for centralized policy control.
4. Monitoring & Logging
o AWS CloudTrail for API call logging.
o Amazon CloudWatch for monitoring metrics and events.
o AWS GuardDuty for intelligent threat detection.
5. Application & Infrastructure Protection
o AWS Inspector for vulnerability assessment.
o AWS Security Hub for centralized security posture visibility.
o AWS Config for compliance auditing and configuration tracking.

2. Compliance in AWS
Compliance ensures that workloads meet legal, regulatory, and industry standards.

Global Compliance Programs Supported by AWS

AWS maintains certifications and attestations for multiple frameworks, including:

 ISO 27001 / ISO 27017 / ISO 27018 (Information security and cloud privacy)
 SOC 1, SOC 2, SOC 3 (Service Organization Control reports)
 PCI DSS (Payment Card Industry Data Security Standard)
 HIPAA (Health Insurance Portability and Accountability Act)
 FedRAMP (Federal Risk and Authorization Management Program)
 GDPR (General Data Protection Regulation) support tools

AWS Compliance Tools

 AWS Artifact – On-demand access to AWS compliance reports and agreements.
 AWS Audit Manager – Automates evidence collection for audits.
 AWS Config + AWS Security Hub – Continuous compliance monitoring.
 Well-Architected Framework – Security & Compliance Pillars for best practices.

3. Best Practices for Customers

 Enable MFA for all root and IAM users.
 Use least privilege principles when assigning IAM policies.
 Enable logging via CloudTrail and store logs in encrypted S3 buckets.
 Continuously monitor using GuardDuty, Security Hub, and Config.
 Regularly patch systems and applications.
 Classify and encrypt sensitive data.
 Review compliance reports from AWS Artifact regularly.

4. Benefits

 Security at Scale – AWS’s global infrastructure benefits from continuous investment in
advanced security.
 Regulatory Alignment – Built-in support for many international compliance
frameworks.
 Customer Empowerment – Tools to configure, monitor, and prove compliance with minimal
overhead.

AWS Shared Responsibility Model

Security and Compliance is a shared responsibility between AWS and the customer. This shared
model can help relieve the customer’s operational burden as AWS operates, manages, and controls
the components from the host operating system and virtualization layer down to the physical
security of the facilities in which the service operates. The customer assumes responsibility and
management of the guest operating system (including updates and security patches), and other
associated application software in addition to the configuration of the AWS provided security
group firewall. Customers should carefully consider the services they choose as their
responsibilities vary depending on the services used, the integration of those services into their IT
environment, and applicable laws and regulations. The nature of this shared responsibility also
provides the flexibility and customer control that permits the deployment. As shown in the
following chart, this differentiation of responsibility is commonly referred to as Security “of” the
Cloud versus Security “in” the Cloud.

AWS responsibility “Security of the Cloud” – AWS is responsible for protecting the
infrastructure that runs all of the services offered in the AWS Cloud. This infrastructure is
composed of the hardware, software, networking, and facilities that run AWS Cloud services.

Customer responsibility “Security in the Cloud” – Customer responsibility will be determined
by the AWS Cloud services that a customer selects. This determines the amount of configuration
work the customer must perform as part of their security responsibilities. For example, a service
such as Amazon Elastic Compute Cloud (Amazon EC2) is categorized as Infrastructure as a
Service (IaaS) and, as such, requires the customer to perform all of the necessary security
configuration and management tasks. Customers that deploy an Amazon EC2 instance are
responsible for management of the guest operating system (including updates and security
patches), any application software or utilities installed by the customer on the instances, and the
configuration of the AWS-provided firewall (called a security group) on each instance. For
abstracted services, such as Amazon S3 and Amazon DynamoDB, AWS operates the infrastructure
layer, the operating system, and platforms, and customers access the endpoints to store and retrieve
data. Customers are responsible for managing their data (including encryption options), classifying
their assets, and using IAM tools to apply the appropriate permissions.
Figure 1: AWS Shared Responsibility Model.

This customer/AWS shared responsibility model also extends to IT controls. Just as the
responsibility to operate the IT environment is shared between AWS and its customers, so is the
management, operation, and verification of IT controls shared. AWS can help relieve customer
burden of operating controls by managing those controls associated with the physical infrastructure
deployed in the AWS environment that may previously have been managed by the customer. As
every customer is deployed differently in AWS, customers can take advantage of shifting
management of certain IT controls to AWS, which results in a (new) distributed control
environment. Customers can then use the AWS control and compliance documentation available
to them to perform their control evaluation and verification procedures as required. The following
are examples of controls that are managed by AWS, AWS customers, or both.

Inherited Controls – Controls that a customer fully inherits from AWS.

 Physical and Environmental controls

Shared Controls – Controls that apply to both the infrastructure layer and customer layers, but in
separate contexts or perspectives. In a shared control, AWS provides the requirements for the
infrastructure and the customer must provide their own control implementation within their use of
AWS services. Examples include:

 Patch Management – AWS is responsible for patching and fixing flaws within the infrastructure,
but customers are responsible for patching their guest operating system and applications.
 Configuration Management – AWS maintains the configuration of its infrastructure devices, but
customers are responsible for configuring their own guest operating systems, databases, and
applications.
 Awareness and Training – AWS trains AWS employees, but customers must train their own
employees.

Customer Specific – Controls that are solely the responsibility of the customer based on the
application they are deploying within AWS services. Examples include:

 Service and Communications Protection or Zone Security, which might require a customer to route
or zone data within specific security environments.

AWS Key Management Service

1. Overview
AWS Key Management Service (KMS) is a fully managed service that helps you create,
manage, and control cryptographic keys for your applications and AWS services.
It is designed for secure encryption and decryption of data, with built-in compliance and
audit capabilities.

Key purposes of KMS:

 Generate and store encryption keys.
 Manage key access permissions.
 Enable automatic key rotation.
 Integrate encryption with multiple AWS services.
 Maintain audit trails via AWS CloudTrail.

2. Core Concepts

To use KMS effectively, you need to understand a few core elements:

a) Customer Master Keys (CMKs) / KMS Keys

 Logical representation of a master key.
 Can be customer-managed (you control) or AWS-managed (AWS controls for a
specific service).
 Stored in a secure, hardware-protected environment called AWS HSMs (Hardware
Security Modules).
 Can be used for envelope encryption (explained below).

b) Envelope Encryption

Instead of encrypting large amounts of data directly with the CMK:

1. KMS generates a Data Encryption Key (DEK).
2. The DEK encrypts the actual data.
3. The DEK itself is encrypted with the CMK.

This improves performance and reduces CMK usage, since the CMK only ever processes
small keys rather than bulk data.

c) Key Policies & IAM Policies

 Define who can use or manage a key.
 Key policy is attached to the CMK itself.
 Can be combined with IAM roles & permissions for granular control.

d) Key Types

 Symmetric keys – single key for both encryption and decryption.
 Asymmetric keys – public/private key pairs for signing, verification, or encryption.

3. Types of KMS Keys

Type                  Description                                                Ownership
Customer-managed CMK  You create, rotate, and define policies.                   Customer
AWS-managed CMK       Automatically created when you use certain AWS services.   AWS
AWS-owned CMK         Used by AWS internally for multiple accounts.              AWS

4. Integration with AWS Services

AWS KMS is deeply integrated into many AWS services, enabling transparent encryption:

 Amazon S3 – Encrypt objects at rest (SSE-KMS).
 Amazon EBS – Encrypt volumes and snapshots.
 Amazon RDS – Encrypt database instances.
 AWS Lambda – Secure environment variables.
 Amazon DynamoDB – Encrypt table data.

5. Security and Compliance

KMS is designed to meet stringent compliance requirements such as:

 FIPS 140-2 Level 3 validation for HSMs.
 Integrated audit logging with AWS CloudTrail.
 Secure key storage with no direct access to plaintext CMKs.

6. Key Rotation

 Automatic rotation (yearly) for customer-managed CMKs.
 Manual rotation possible for asymmetric keys.
 Rotation ensures long-term cryptographic hygiene.

7. Pricing

You pay for:

 Number of KMS keys you create and store.
 Number of API requests (Encrypt, Decrypt, GenerateDataKey, etc.).

8. Example Workflow

Encrypting an object in S3 with KMS:

1. Upload file to S3 with SSE-KMS option.
2. S3 requests a DEK from KMS.
3. KMS returns an encrypted DEK and plaintext DEK.
4. S3 uses plaintext DEK to encrypt your file.
5. Encrypted DEK is stored alongside the file.
6. On retrieval, DEK is decrypted via KMS.
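The envelope-encryption pattern from section 2b and the six-step S3 SSE-KMS workflow above, carried through in code. This is an added example, not AWS or S3 code: FakeKms stands in for the GenerateDataKey and Decrypt API calls, and the cipher used both to wrap the DEK and to encrypt the object is an HMAC-SHA256 keystream with an HMAC tag, a stand-in for the AES-256-GCM that KMS and S3 actually use. The shape of the workflow is the point: the CMK never leaves the "HSM", only the wrapped DEK is stored with the object, and the plaintext DEK is dropped as soon as the object is sealed.

```python
"""Envelope encryption simulated offline (added example, not AWS code).
FakeKms mimics GenerateDataKey/Decrypt; seal/unseal are an HMAC-based stand-in
for AES-GCM. Key ids, audit entries and sample data are all constructed."""
import hashlib
import hmac
import secrets
from dataclasses import dataclass

NONCE_LEN, TAG_LEN = 16, 32


def _keystream_xor(key: bytes, nonce: bytes, data: bytes) -> bytes:
    # PRF in counter mode: block i of keystream is HMAC(key, nonce || i).
    out = bytearray()
    for block_no in range((len(data) + 31) // 32):
        block = hmac.new(key, nonce + block_no.to_bytes(4, "big"), hashlib.sha256).digest()
        chunk = data[block_no * 32:(block_no + 1) * 32]
        out.extend(a ^ b for a, b in zip(chunk, block))
    return bytes(out)


def seal(key: bytes, plaintext: bytes) -> bytes:
    """nonce || ciphertext || tag (encrypt-then-MAC)."""
    nonce = secrets.token_bytes(NONCE_LEN)
    ct = _keystream_xor(key, nonce, plaintext)
    tag = hmac.new(key, nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag


def unseal(key: bytes, blob: bytes) -> bytes:
    nonce, ct, tag = blob[:NONCE_LEN], blob[NONCE_LEN:-TAG_LEN], blob[-TAG_LEN:]
    expected = hmac.new(key, nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):      # constant-time compare
        raise ValueError("authentication failed: wrong key or tampered data")
    return _keystream_xor(key, nonce, ct)


class FakeKms:
    """Holds CMK material. Callers only ever see key ids and wrapped DEKs."""

    def __init__(self):
        self._cmks = {}        # key id -> CMK bytes; never returned to callers
        self.audit_log = []    # stand-in for the CloudTrail entries KMS writes

    def create_key(self) -> str:
        key_id = "key-" + secrets.token_hex(8)
        self._cmks[key_id] = secrets.token_bytes(32)
        self.audit_log.append(("CreateKey", key_id))
        return key_id

    def generate_data_key(self, key_id: str):
        """Like GenerateDataKey: returns (plaintext DEK, DEK wrapped under the CMK)."""
        dek = secrets.token_bytes(32)
        wrapped = key_id.encode() + b"|" + seal(self._cmks[key_id], dek)
        self.audit_log.append(("GenerateDataKey", key_id))
        return dek, wrapped

    def decrypt(self, wrapped: bytes) -> bytes:
        """Like Decrypt: the wrapped blob names its own key id, as KMS ciphertexts do."""
        key_id, blob = wrapped.split(b"|", 1)
        key_id = key_id.decode()
        self.audit_log.append(("Decrypt", key_id))
        return unseal(self._cmks[key_id], blob)


@dataclass
class StoredObject:
    ciphertext: bytes
    wrapped_dek: bytes     # persisted next to the object, like SSE-KMS metadata


def put_object(kms: FakeKms, key_id: str, plaintext: bytes) -> StoredObject:
    dek, wrapped = kms.generate_data_key(key_id)        # workflow steps 2-3
    obj = StoredObject(seal(dek, plaintext), wrapped)   # steps 4-5
    del dek                                             # plaintext DEK is not retained
    return obj


def get_object(kms: FakeKms, obj: StoredObject) -> bytes:
    dek = kms.decrypt(obj.wrapped_dek)                  # step 6: unwrap via KMS
    return unseal(dek, obj.ciphertext)


def is_intact(kms: FakeKms, obj: StoredObject) -> bool:
    """True if the object decrypts and authenticates; False if it was tampered with."""
    try:
        get_object(kms, obj)
        return True
    except ValueError:
        return False


if __name__ == "__main__":
    kms = FakeKms()
    key_id = kms.create_key()
    stored = put_object(kms, key_id, b"payroll.csv contents")
    print(get_object(kms, stored))
    print(kms.audit_log)
```

Note what the audit log shows: one GenerateDataKey on upload and one Decrypt on every retrieval, with no Encrypt call carrying the bulk data, which is why KMS request pricing stays flat regardless of object size and why CloudTrail records of Decrypt calls are a useful signal of who is reading encrypted objects.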

9. Benefits

 Centralized key management.
 Fine-grained access control.
 Easy integration with AWS ecosystem.
 Compliance-ready audit trails.
 Scalability for millions of encryption operations.

AWS Web Application Firewall

AWS Web Application Firewall (WAF) is a fully managed service by AWS that protects your
web applications from bad traffic and malicious threats. It integrates with many AWS services
including Amazon CloudFront, Application Load Balancer (ALB), API Gateway and AWS
App Runner.

AWS WAF works by allowing you to create security rules that inspect incoming HTTP(S)
requests. These rules can detect and block bad traffic so only good requests get to your application.
The firewall evaluates each request based on the criteria you set, such as the request’s IP address,
geographic location, query strings and HTTP headers. If a request matches any of your rules, AWS
WAF takes the action you specified – block, allow or count the request.
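The evaluation order described above, simulated offline as an added example that is not AWS code: rules run in ascending priority, allow and block are terminating actions, count records a match and continues, and the Web ACL's default action decides when nothing terminated. Only a subset of statement types is modelled (IP set, geo match, and a byte match on path, query string or a header); the Web ACL, rule names and requests are constructed, using RFC 5737 documentation addresses.

```python
"""Web ACL evaluation simulated offline (added example, not AWS code).
Rules, statement types and sample requests below are constructed."""
import ipaddress
from dataclasses import dataclass, field
from typing import Callable, Dict, List


@dataclass
class Request:
    source_ip: str
    country: str
    path: str
    query: str = ""
    headers: Dict[str, str] = field(default_factory=dict)   # lower-case names


def ip_set(cidrs):
    nets = [ipaddress.ip_network(c) for c in cidrs]
    return lambda r: any(ipaddress.ip_address(r.source_ip) in n for n in nets)


def geo_match(countries):
    wanted = set(countries)
    return lambda r: r.country in wanted


def byte_match(part, needle, header=None):
    """Case-insensitive 'contains' on the request path, query string or one header."""
    def matcher(r):
        if part == "query":
            hay = r.query
        elif part == "header":
            hay = r.headers.get(header.lower(), "")
        else:
            hay = r.path
        return needle.lower() in hay.lower()
    return matcher


@dataclass
class Rule:
    name: str
    priority: int
    statement: Callable[[Request], bool]
    action: str                  # "ALLOW", "BLOCK" or "COUNT"


@dataclass
class WebAcl:
    rules: List[Rule]
    default_action: str = "ALLOW"

    def evaluate(self, req: Request) -> dict:
        counted = []
        for rule in sorted(self.rules, key=lambda x: x.priority):
            if not rule.statement(req):
                continue
            if rule.action == "COUNT":           # non-terminating: record and keep going
                counted.append(rule.name)
                continue
            return {"action": rule.action, "terminating_rule": rule.name, "counted": counted}
        # Same label the WAF log uses when the default action decided the outcome.
        return {"action": self.default_action, "terminating_rule": "Default_Action",
                "counted": counted}


SAMPLE_ACL = WebAcl(default_action="ALLOW", rules=[
    Rule("AllowOfficeRange", 0, ip_set(["203.0.113.0/24"]), "ALLOW"),
    Rule("BlockDenyListedIPs", 10, ip_set(["198.51.100.0/24"]), "BLOCK"),
    Rule("BlockEmbargoedCountries", 20, geo_match(["XX"]), "BLOCK"),   # "XX": constructed code
    # Count first, block later: measure how often /admin is hit before enforcing.
    Rule("CountAdminPath", 30, byte_match("path", "/admin"), "COUNT"),
    Rule("BlockScriptTagInQuery", 40, byte_match("query", "<script"), "BLOCK"),
])


def inspect(req: Request) -> dict:
    return SAMPLE_ACL.evaluate(req)


if __name__ == "__main__":
    for r in [Request("203.0.113.7", "US", "/admin"),
              Request("192.0.2.10", "US", "/admin"),
              Request("198.51.100.5", "US", "/"),
              Request("192.0.2.11", "US", "/search", query="q=<script")]:
        print(r.source_ip, r.path, "->", inspect(r))
```

Two things worth checking when tuning a real Web ACL fall out of the run: an allow rule at a low priority number short-circuits everything after it (the office request never reaches the count rule), and a rule left in count mode never changes the outcome, it only shows up in the log, which is the safe way to trial a new rule before switching it to block.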

Key Features of AWS WAF

AWS WAF comes with several features that make it a reliable and scalable solution for web
application security:

1. Customizable Rules

AWS WAF allows you to create custom security rules tailored to your application’s specific
needs. You can set conditions based on various factors, such as IP addresses, HTTP headers, or
geographical location. This customization helps ensure that only legitimate traffic reaches your
application, while harmful requests are blocked.

2. Managed Rule Groups

For a faster setup, AWS WAF provides pre-configured managed rule groups that protect against
common threats like SQL injection, cross-site scripting (XSS), and malicious IP addresses.
These rules are regularly updated to stay ahead of emerging security risks, making it easy for you
to get started with minimal configuration.

3. Real-Time Monitoring and Logging

AWS WAF provides real-time monitoring and logging of web traffic. With AWS WAF Logs,
you can track detailed information about each request, including which rules were triggered and
what actions were taken. This visibility helps you analyze traffic patterns, troubleshoot issues,
and fine-tune your security settings over time.

4. DDoS Protection

AWS WAF integrates with AWS Shield, offering automatic protection against Distributed
Denial of Service (DDoS) attacks. This integration ensures your application remains available
and responsive, even during large-scale attack attempts.

5. Cost-Effective and Scalable

AWS WAF operates on a pay-as-you-go pricing model, meaning you only pay for the rules you
create and the volume of web requests your application receives. As your application grows,
AWS WAF scales automatically to handle increased traffic, ensuring continued protection
without added complexity.

Benefits of AWS WAF

 Comprehensive Security: AWS WAF provides strong protection against common web
threats such as SQL injection and cross-site scripting (XSS), ensuring your application
remains secure from these types of attacks.

 Customizable Rules: You have the flexibility to create security rules tailored to your
specific requirements, enabling you to filter traffic based on IP addresses, headers, or
other criteria.

 Pre-Configured Managed Rules: AWS offers a collection of pre-built rules that are
frequently updated to guard against known vulnerabilities, so you don’t need to worry
about manual updates.

 Scalable: As your traffic increases, AWS WAF effortlessly scales to accommodate the
higher volume, making it an excellent choice for businesses of all sizes.

 Cost-Effective: With a pay-as-you-go pricing structure, you only pay for what you use,
making it a budget-friendly option for businesses at different growth stages.

 Real-Time Insights: AWS WAF integrates with CloudWatch, providing you with
detailed logs and analytics. This feature allows you to monitor and respond to security
threats as they happen.

 DDoS Protection: AWS WAF collaborates with AWS Shield to automatically protect
against DDoS attacks, adding an extra layer of security.

 Seamless Integration with AWS: It works smoothly with other AWS services
like CloudFront, Elastic Load Balancing (ELB), and API Gateway, simplifying
deployment and enhancing efficiency.

Limitations of AWS WAF

 Complex Setup: Setting up custom rules and navigating the security options can be
challenging, particularly for users who aren't familiar with AWS or web security.

 Focus on Layer 7: AWS WAF is primarily designed to protect at the application layer
(Layer 7). It doesn't offer deep protection at lower network layers, so it may not address
all types of network-level attacks.

 Ongoing Management: Custom rules require regular updates to stay effective, which
means continuous attention and effort from your team.

 Can Get Expensive: For applications with high traffic, the pay-as-you-go pricing model
can lead to escalating costs as your traffic increases.

 Learning Curve: New users may find the AWS Console and setup process
overwhelming if they aren't already familiar with the platform.

 Limited Flexibility with Managed Rules: While AWS offers managed rules, your
control over fine-tuning them to your specific needs is somewhat limited.

 Potential Latency: A large number of rules or managing high traffic volumes can
introduce slight delays in processing requests, potentially affecting performance.

 AWS-Specific: AWS WAF is designed primarily for use with AWS services, making it
less ideal for protecting infrastructure that isn't hosted on AWS.

AWS WAF Pricing Breakdown

AWS WAF operates on a pay-as-you-go pricing model, making it cost-effective for businesses
of all sizes. The main factors influencing the pricing are:

1. Web ACL
AWS charges $5 per month for each Web Access Control List (Web ACL) you create.

2. Rules
You will be charged $1 per month for each rule you configure for your Web ACL.

3. Requests
AWS WAF charges $0.60 per million requests processed.

4. Managed Rule Groups
Managed rules come with additional costs. You pay based on the number of rules and the
traffic volume. These costs vary depending on the selected rule group.

AWS WAF Cost Example:

 Web ACL: $5 per month
 Rules: $1 per month per rule
 Requests: $0.60 per million requests
 Managed Rules: Varies based on usage

AWS Security Best Practices

1. Identity and Access Management (IAM)
AWS security starts with strong identity control.

 Principle of Least Privilege (PoLP) – Give users, roles, and applications only the
permissions they need.
 Use IAM Roles over Access Keys – Avoid long-term credentials; use temporary security
credentials via roles (e.g., EC2 roles, Lambda roles).
 Multi-Factor Authentication (MFA) – Enforce MFA for privileged accounts, especially
the root account.
 IAM Policies – Prefer managed policies for common needs, and use inline or customer-
managed policies for fine-grained control.
 Avoid Root Account for Daily Operations – Use it only for initial setup and
emergencies.
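The decision logic that the least-privilege advice above relies on, and that the KMS section (2c) describes when it says key policies and IAM policies combine: an explicit Deny in any applicable policy wins, otherwise any explicit Allow grants, otherwise the request is implicitly denied. This is an added example, not AWS code. Simplifications, all assumptions: no Condition blocks, no NotAction/NotResource/NotPrincipal, principals are compared as plain ARN strings, and the example treats the key policy and an organisation guardrail as one uniform policy set (in real KMS the key policy itself must allow the principal or delegate to IAM). Account id 111122223333 is the example account used in AWS documentation; the role and policies are constructed.

```python
"""IAM-style policy evaluation (added example, not AWS code). Simplified: no
Condition, no Not* elements, plain-string principal matching."""
from fnmatch import fnmatchcase


def _as_list(value):
    return value if isinstance(value, list) else [value]


def _matches(patterns, value):
    # fnmatchcase gives '*' wildcard semantics, e.g. "kms:GenerateDataKey*".
    return any(fnmatchcase(value, p) for p in _as_list(patterns))


def _statement_applies(stmt, principal, action, resource):
    principals = stmt.get("Principal", "*")
    if isinstance(principals, dict):          # {"AWS": "arn:..."} form used in key policies
        principals = principals.get("AWS", [])
    principals = _as_list(principals)
    if "*" not in principals and principal not in principals:
        return False
    if not _matches(stmt["Action"], action):
        return False
    return _matches(stmt.get("Resource", "*"), resource)


def evaluate(policies, principal, action, resource="*"):
    """Return "Allow", "ExplicitDeny" or "ImplicitDeny" for one request."""
    decision = "ImplicitDeny"                     # default when nothing applies
    for policy in policies:
        for stmt in _as_list(policy["Statement"]):
            if not _statement_applies(stmt, principal, action, resource):
                continue
            if stmt["Effect"] == "Deny":
                return "ExplicitDeny"             # an explicit Deny anywhere ends evaluation
            decision = "Allow"
    return decision


# Constructed sample policies.
ACCOUNT = "111122223333"
ADMIN = f"arn:aws:iam::{ACCOUNT}:root"
APP_ROLE = f"arn:aws:iam::{ACCOUNT}:role/app-role"

KEY_POLICY = {"Statement": [
    {"Effect": "Allow", "Principal": {"AWS": ADMIN}, "Action": "kms:*", "Resource": "*"},
    # Least privilege for the workload: only the data-path operations it needs.
    {"Effect": "Allow", "Principal": {"AWS": APP_ROLE},
     "Action": ["kms:Encrypt", "kms:Decrypt", "kms:GenerateDataKey*"], "Resource": "*"},
]}
# Organisation-wide guardrail in the style of an SCP: nobody schedules key deletion.
GUARDRAIL = {"Statement": [
    {"Effect": "Deny", "Principal": "*", "Action": "kms:ScheduleKeyDeletion", "Resource": "*"},
]}
POLICIES = [KEY_POLICY, GUARDRAIL]


def decide(principal, action):
    return evaluate(POLICIES, principal, action)


if __name__ == "__main__":
    for who, what in [(APP_ROLE, "kms:Decrypt"), (APP_ROLE, "kms:CreateGrant"),
                      (ADMIN, "kms:DescribeKey"), (ADMIN, "kms:ScheduleKeyDeletion")]:
        print(f"{who.split(':')[-1]:<14} {what:<26} -> {decide(who, what)}")
```

The run shows the two properties least privilege depends on: the application role gets nothing it was not named for (kms:CreateGrant is implicitly denied even though the admin has kms:*), and the guardrail's Deny beats the admin's wildcard Allow, which is what makes a Deny-based boundary a reliable backstop against over-broad grants.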

2. Data Protection

Protecting data in transit and at rest is critical.

 Encryption at Rest – Enable AWS Key Management Service (KMS) for services like
S3, RDS, EBS.
 Encryption in Transit – Use TLS/SSL for API and application communication.
 Customer-Managed Keys (CMKs) – Use your own KMS keys when you need tighter
control and auditing.
 S3 Bucket Security –
o Enable Block Public Access.
o Use bucket policies to restrict access to trusted sources.
o Enable S3 Object Lock for write-once-read-many (WORM) protection.

3. Network Security

Isolate and control traffic flow.

 VPC Design –
o Use private subnets for backend services.
o Restrict outbound access using NAT gateways or VPC endpoints.
 Security Groups & NACLs –
o Deny by default, allow only required inbound/outbound traffic.
o Use least privilege for ports (e.g., restrict SSH to admin IPs).
 DDoS Protection – Use AWS Shield Standard (free) or AWS Shield Advanced for
critical workloads.
 Web Application Firewall (WAF) – Protect against common attacks (SQL injection,
XSS).

4. Monitoring & Logging

Continuous monitoring detects suspicious activity early.

 AWS CloudTrail –
o Enable in all regions.
o Send logs to an S3 bucket with MFA delete enabled.
 Amazon CloudWatch –
o Set up alarms for unusual patterns (e.g., high network usage, failed login
attempts).
 VPC Flow Logs – Capture IP traffic for analysis and threat detection.
 AWS Config – Track configuration changes for compliance audits.
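Two of the alarms this section calls for, written as detections over CloudTrail records: any API use by the root account, and bursts of failed console logins from one user and source address. This is an added example, not AWS code. The records follow the CloudTrail event shape (eventTime, eventName, userIdentity.type and userName, sourceIPAddress, responseElements.ConsoleLogin); the trail itself is constructed, with RFC 5737 documentation addresses and made-up user names.

```python
"""CloudTrail detections (added example, not AWS code). The trail below is
constructed sample data in CloudTrail's record shape."""
import json
from collections import defaultdict
from datetime import datetime, timedelta


def _event(time, name, ip, *, user_type="IAMUser", user=None, login=None):
    """Build one CloudTrail-shaped record (constructed sample data)."""
    identity = {"type": user_type}
    if user:
        identity["userName"] = user
    rec = {"eventTime": time, "eventName": name, "sourceIPAddress": ip,
           "userIdentity": identity}
    if login:                       # ConsoleLogin events report Success/Failure here
        rec["responseElements"] = {"ConsoleLogin": login}
    return rec


SAMPLE_TRAIL = json.dumps({"Records": [
    _event("2024-05-01T10:00:00Z", "ConsoleLogin", "198.51.100.23", user="alice", login="Failure"),
    _event("2024-05-01T10:01:30Z", "ConsoleLogin", "198.51.100.23", user="alice", login="Failure"),
    _event("2024-05-01T10:03:10Z", "ConsoleLogin", "198.51.100.23", user="alice", login="Failure"),
    _event("2024-05-01T10:05:00Z", "ConsoleLogin", "192.0.2.77", user_type="Root", login="Success"),
    _event("2024-05-01T10:06:00Z", "CreateAccessKey", "192.0.2.77", user_type="Root"),
    _event("2024-05-01T10:07:00Z", "GetObject", "203.0.113.9", user="bob"),
    _event("2024-05-01T10:20:00Z", "ConsoleLogin", "203.0.113.5", user="alice", login="Success"),
    _event("2024-05-01T10:30:00Z", "ConsoleLogin", "203.0.113.9", user="bob", login="Failure"),
]})


def load_records(trail_json: str) -> list:
    """CloudTrail delivers log files shaped {"Records": [...]}."""
    return json.loads(trail_json)["Records"]


def _when(rec) -> datetime:
    return datetime.strptime(rec["eventTime"], "%Y-%m-%dT%H:%M:%SZ")


def root_activity(records) -> list:
    """Every call made with root credentials. Root is for setup and emergencies
    only, so any hit outside a known change window deserves an alert."""
    return [(r["eventTime"], r["eventName"], r["sourceIPAddress"])
            for r in records if r["userIdentity"].get("type") == "Root"]


def failed_login_bursts(records, threshold=3, window=timedelta(minutes=10)) -> list:
    """(user, source IP) pairs with >= threshold failed console logins inside any
    sliding window of the given length."""
    by_key = defaultdict(list)
    for r in records:
        failed = r.get("responseElements", {}).get("ConsoleLogin") == "Failure"
        if r["eventName"] == "ConsoleLogin" and failed:
            key = (r["userIdentity"].get("userName", "<unknown>"), r["sourceIPAddress"])
            by_key[key].append(_when(r))
    findings = []
    for (user, ip), times in by_key.items():
        times.sort()
        end = 0
        for start in range(len(times)):
            while end < len(times) and times[end] - times[start] <= window:
                end += 1
            if end - start >= threshold:
                findings.append({"user": user, "source_ip": ip,
                                 "first_seen": times[start].isoformat(), "count": end - start})
                break               # one finding per pair is enough to page on
    return findings


if __name__ == "__main__":
    recs = load_records(SAMPLE_TRAIL)
    print("root activity:", root_activity(recs))
    print("failed-login bursts:", failed_login_bursts(recs))
```

Both detections only work if the trail is enabled in every region and the S3 bucket holding it cannot be emptied by the same credentials an intruder would use, which is why the list above pairs CloudTrail with MFA delete on the log bucket.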

5. Application Security

Integrate security at the code and deployment level.

 Code Scanning – Use Amazon CodeGuru or third-party tools to detect vulnerabilities.
 Secrets Management – Store API keys and credentials in AWS Secrets Manager or
Systems Manager Parameter Store, never in code.
 Least-Privilege Lambda Functions – Assign functions only the permissions they
require.

6. Backup & Disaster Recovery

Data loss prevention is a key security layer.

 Automated Backups – Enable automatic backups for RDS, DynamoDB, EBS.
 Cross-Region Backups – Store backups in a different region for disaster recovery.
 Versioning & Replication – Use S3 versioning and Cross-Region Replication (CRR).

7. Compliance & Governance
Ensure you meet industry standards and regulations.

 AWS Artifact – Access compliance reports (e.g., ISO 27001, SOC 2).
 Service Control Policies (SCPs) – Apply organization-wide permission boundaries in
AWS Organizations.
 AWS Security Hub – Centralized security posture management.

8. Incident Response
Be ready to act quickly if a breach occurs.

 Predefine Incident Response Playbooks – Automate responses using AWS Lambda
and CloudWatch Events.
 Isolate Compromised Resources – Move them to a quarantine security group.
 Forensics – Use Amazon Detective to investigate.
