Objective 5.1.1 Identify AWS services/features for security: IAM roles, policies, permissions; encryption; Amazon Macie; AWS PrivateLink; shared responsibility model.

Reading time: 1 minute

IAM Components

  • IAM Roles: Identity entities that can be assumed by users, applications, or AWS services to gain temporary security credentials
  • IAM Policies: JSON documents defining permissions (identity-based or resource-based)
  • IAM Groups: Collections of users with shared permissions
  • Permission Management: Follow the principle of least privilege, granting only the permissions a task actually needs
  • Authentication Methods: Single-factor vs. multi-factor authentication (MFA)
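
A least-privilege check over IAM policy JSON, as an added example that is not part of the original page or AWS tooling. It audits documents of the shape described above (Allow statements with Action, Resource and Condition, plus a role trust policy) for the patterns a reviewer would flag: wildcard actions or resources, service-wide wildcards such as "s3:*", privileged actions allowed without an MFA condition, and roles assumable by any principal. The sample policies, bucket names and the list of MFA-sensitive actions are constructed for this example (the sensitive-action list is a review choice, not an AWS-defined set).

```python
"""Least-privilege linter for IAM policy documents (added example, not AWS code)."""
import fnmatch
import json

# Actions a reviewer would expect to be gated behind MFA. Constructed list for
# this example; adjust to your own review standard.
MFA_SENSITIVE_ACTIONS = [
    "iam:CreateUser", "iam:AttachUserPolicy", "iam:PutUserPolicy",
    "kms:ScheduleKeyDeletion", "s3:DeleteBucket",
]


def _as_list(value):
    """IAM accepts a string or a list in Statement/Action/Resource; normalise to a list."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def _requires_mfa(statement):
    """True if any condition block tests aws:MultiFactorAuthPresent (key names are case-insensitive)."""
    for keys in statement.get("Condition", {}).values():
        if any(k.lower() == "aws:multifactorauthpresent" for k in keys):
            return True
    return False


def _covers(allowed_pattern, action):
    """IAM action matching is case-insensitive and '*' is the wildcard."""
    return fnmatch.fnmatchcase(action.lower(), allowed_pattern.lower())


def audit_policy(policy):
    """Return (Sid, finding) tuples for Allow statements that violate least privilege."""
    findings = []
    for idx, stmt in enumerate(_as_list(policy.get("Statement"))):
        if stmt.get("Effect") != "Allow":
            continue  # Deny statements only narrow access
        sid = stmt.get("Sid", f"Statement{idx}")
        actions = _as_list(stmt.get("Action"))
        if "NotAction" in stmt:
            findings.append((sid, "NotAction allows every action except those listed"))
        for action in actions:
            if action == "*":
                findings.append((sid, "wildcard action '*'"))
            elif action.endswith(":*"):
                findings.append((sid, f"service-wide wildcard '{action}'"))
        if "*" in _as_list(stmt.get("Resource")):
            findings.append((sid, "wildcard resource '*'"))
        if not _requires_mfa(stmt):
            exposed = [s for s in MFA_SENSITIVE_ACTIONS if any(_covers(a, s) for a in actions)]
            if exposed:
                findings.append((sid, "privileged actions allowed without MFA: " + ", ".join(exposed)))
    return findings


def audit_trust_policy(trust_policy):
    """Flag role trust statements that let any AWS principal assume the role."""
    findings = []
    for idx, stmt in enumerate(_as_list(trust_policy.get("Statement"))):
        if stmt.get("Effect") != "Allow":
            continue
        sid = stmt.get("Sid", f"Statement{idx}")
        principal = stmt.get("Principal")
        aws_principals = _as_list(principal.get("AWS")) if isinstance(principal, dict) else _as_list(principal)
        if "*" in aws_principals and not stmt.get("Condition"):
            findings.append((sid, "role assumable by any principal with no condition"))
    return findings


# Constructed sample documents for this example (bucket name is a placeholder).
OVERLY_BROAD = {"Version": "2012-10-17", "Statement": [
    {"Sid": "AdminAll", "Effect": "Allow", "Action": "*", "Resource": "*"}]}

LEAST_PRIVILEGE = {"Version": "2012-10-17", "Statement": [
    {"Sid": "ReadModelArtifacts", "Effect": "Allow",
     "Action": ["s3:GetObject", "s3:ListBucket"],
     "Resource": ["arn:aws:s3:::example-model-bucket", "arn:aws:s3:::example-model-bucket/*"]},
    {"Sid": "DeleteBucketWithMfa", "Effect": "Allow",
     "Action": "s3:DeleteBucket", "Resource": "arn:aws:s3:::example-model-bucket",
     "Condition": {"Bool": {"aws:MultiFactorAuthPresent": "true"}}}]}

SAGEMAKER_TRUST = {"Version": "2012-10-17", "Statement": [
    {"Sid": "SageMakerAssume", "Effect": "Allow",
     "Principal": {"Service": "sagemaker.amazonaws.com"}, "Action": "sts:AssumeRole"}]}

OPEN_TRUST = {"Version": "2012-10-17", "Statement": [
    {"Sid": "Anyone", "Effect": "Allow", "Principal": {"AWS": "*"}, "Action": "sts:AssumeRole"}]}

if __name__ == "__main__":
    for name, doc in [("OVERLY_BROAD", OVERLY_BROAD), ("LEAST_PRIVILEGE", LEAST_PRIVILEGE)]:
        print(name, json.dumps(audit_policy(doc), indent=2))
    print("SAGEMAKER_TRUST", audit_trust_policy(SAGEMAKER_TRUST))
    print("OPEN_TRUST", audit_trust_policy(OPEN_TRUST))
```

The trust-policy check is what separates a role from a user credential: the role grants temporary credentials only to the principals its trust policy names, so an open trust statement undoes the least-privilege work done in the permissions policy.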

Root User Security

  • Root user has unrestricted access to all services and resources
  • Best practices: Use a strong password with MFA, never share credentials, use the root user only for essential tasks
  • Create separate IAM users with administrative permissions for daily tasks

Data Encryption

  • Encryption at Rest: Data stored on persistent media
  • Encryption in Transit: Data moving across networks
  • AWS KMS: Create and manage encryption keys
  • Client-Side vs. Server-Side Encryption: Data encrypted by the application before it is sent to AWS vs. data encrypted by the AWS service after it is received
  • Default Encryption: Many AWS services encrypt by default using service-owned keys
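
A way to tell the three at-rest key arrangements apart and to enforce encryption in transit on a bucket, as an added example that is not part of the original page or AWS code. classify_bucket_encryption() reads the dict shape that boto3's s3.get_bucket_encryption() returns (constructed inline here rather than fetched) and reports whether objects are protected by a service-owned key (SSE-S3), the AWS-managed KMS key, or a customer-managed KMS key; tls_only_policy() builds the bucket policy that denies any request not made over TLS, and enforces_tls() recognises such a policy when auditing an existing bucket. Account IDs, bucket names and key IDs are placeholders.

```python
"""Classify S3 default-encryption settings and build/check a TLS-only bucket policy.
Added example, not AWS code. Input shapes mirror boto3's get_bucket_encryption()
and get_bucket_policy() responses; the samples below are constructed."""

def classify_bucket_encryption(config):
    """Return 'none', 'service-owned-key', 'aws-managed-kms-key', 'customer-managed-kms-key' or 'unknown'."""
    rules = config.get("ServerSideEncryptionConfiguration", {}).get("Rules", [])
    if not rules:
        return "none"
    default = rules[0].get("ApplyServerSideEncryptionByDefault", {})
    algorithm = default.get("SSEAlgorithm")
    if algorithm == "AES256":
        return "service-owned-key"        # SSE-S3: key owned and rotated by the service
    if algorithm in ("aws:kms", "aws:kms:dsse"):
        key_id = default.get("KMSMasterKeyID", "")
        # No key given, or the aws/s3 alias: KMS is used but AWS owns the key policy.
        # A bare key ID can only be attributed with a KMS DescribeKey lookup; assumed
        # customer-managed here.
        if not key_id or "alias/aws/" in key_id:
            return "aws-managed-kms-key"
        return "customer-managed-kms-key"   # customer controls key policy, rotation, deletion
    return "unknown"


def tls_only_policy(bucket_name):
    """Bucket policy denying every request whose transport is not TLS (encryption in transit)."""
    arn = f"arn:aws:s3:::{bucket_name}"
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Sid": "DenyInsecureTransport",
            "Effect": "Deny",
            "Principal": "*",
            "Action": "s3:*",
            "Resource": [arn, f"{arn}/*"],
            "Condition": {"Bool": {"aws:SecureTransport": "false"}},
        }],
    }


def enforces_tls(policy):
    """True if some Deny statement covers all S3 actions when aws:SecureTransport is false."""
    statements = policy.get("Statement", [])
    statements = statements if isinstance(statements, list) else [statements]
    for stmt in statements:
        if stmt.get("Effect") != "Deny":
            continue
        actions = stmt.get("Action", [])
        actions = actions if isinstance(actions, list) else [actions]
        cond = stmt.get("Condition", {}).get("Bool", {})
        secure = {k.lower(): str(v).lower() for k, v in cond.items()}.get("aws:securetransport")
        if secure == "false" and any(a in ("*", "s3:*") for a in actions):
            return True
    return False


# Constructed samples (111122223333 is the documentation-style placeholder account ID).
SAMPLE_CONFIGS = {
    "sse-s3": {"ServerSideEncryptionConfiguration": {"Rules": [
        {"ApplyServerSideEncryptionByDefault": {"SSEAlgorithm": "AES256"}}]}},
    "sse-kms-aws-managed": {"ServerSideEncryptionConfiguration": {"Rules": [
        {"ApplyServerSideEncryptionByDefault": {
            "SSEAlgorithm": "aws:kms",
            "KMSMasterKeyID": "arn:aws:kms:us-east-1:111122223333:alias/aws/s3"}}]}},
    "sse-kms-cmk": {"ServerSideEncryptionConfiguration": {"Rules": [
        {"ApplyServerSideEncryptionByDefault": {
            "SSEAlgorithm": "aws:kms",
            "KMSMasterKeyID": "arn:aws:kms:us-east-1:111122223333:key/PLACEHOLDER-KEY-ID"},
         "BucketKeyEnabled": True}]}},
    "no-rules": {"ServerSideEncryptionConfiguration": {"Rules": []}},
}

if __name__ == "__main__":
    for name, cfg in SAMPLE_CONFIGS.items():
        print(f"{name}: {classify_bucket_encryption(cfg)}")
    print("TLS enforced:", enforces_tls(tls_only_policy("example-model-bucket")))
```

The distinction matters for the shared responsibility split: with a service-owned or AWS-managed key the service handles key policy and rotation, while a customer-managed KMS key puts key policy, rotation and deletion under the customer's control (and audit).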

Amazon Macie

  • Machine learning-powered data security service
  • Evaluates S3 buckets for security settings and access controls
  • Detects sensitive data (PII) through pattern matching and machine learning
  • Requires explicit configuration of sensitive data discovery jobs
  • Alerts can integrate with workflows for automated remediation
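
The pattern-matching half of what the text describes, as an added example that is not Macie's own logic or part of the original page: a scan over S3-like object contents that reports email addresses, US SSN-shaped values and card numbers, validating card candidates with the Luhn checksum so that digit strings that merely look like card numbers are not reported. Objects, their contents, the detector labels and the severity rule are all constructed for this example.

```python
"""Pattern-based sensitive-data scan over in-memory objects (added example, not Macie code)."""
import re

# Detector labels are chosen for this example, not Macie's identifier names.
PATTERNS = {
    "EMAIL_ADDRESS": re.compile(r"\b[\w.+-]+@[\w-]+(?:\.[\w-]+)+\b"),
    # Area 000/666/9xx, group 00 and serial 0000 are never issued.
    "US_SSN": re.compile(r"\b(?!000|666|9\d\d)\d{3}-(?!00)\d{2}-(?!0000)\d{4}\b"),
    # 13-19 digits, optionally separated by spaces or hyphens; Luhn-checked below.
    "CREDIT_CARD_NUMBER": re.compile(r"\b(?:\d[ -]?){12,18}\d\b"),
}
HIGH_SEVERITY_TYPES = {"US_SSN", "CREDIT_CARD_NUMBER"}  # constructed severity rule


def luhn_valid(digits):
    """Luhn mod-10 checksum used by payment card numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0


def mask(value):
    """Keep only the last four characters so findings do not re-expose the data."""
    return "*" * max(len(value) - 4, 0) + value[-4:]


def scan_object(key, body):
    """Return one finding per match in a single object's text."""
    findings = []
    for label, pattern in PATTERNS.items():
        for m in pattern.finditer(body):
            value = m.group(0)
            if label == "CREDIT_CARD_NUMBER" and not luhn_valid(re.sub(r"\D", "", value)):
                continue  # looks like a card number but fails the checksum
            findings.append({"object": key, "type": label, "offset": m.start(), "sample": mask(value)})
    return findings


def scan_bucket(objects):
    """Scan a mapping of object key -> text and summarise per object with a severity."""
    report = {}
    for key, body in objects.items():
        findings = scan_object(key, body)
        types = {f["type"] for f in findings}
        if not findings:
            severity = "None"
        elif types & HIGH_SEVERITY_TYPES:
            severity = "High"
        else:
            severity = "Low"
        report[key] = {"severity": severity, "findings": findings}
    return report


# Constructed object contents; the second card number deliberately fails Luhn.
SAMPLE_OBJECTS = {
    "exports/customers.csv": "id,name,email,ssn\n1,Jane Doe,jane.doe@example.com,123-45-6789\n",
    "logs/orders.txt": "order 42 paid with card 4111 1111 1111 1111\norder 43 ref 1234 5678 9012 3456\n",
    "docs/readme.txt": "Nothing sensitive here. Build number 20240101.\n",
}

if __name__ == "__main__":
    for key, entry in scan_bucket(SAMPLE_OBJECTS).items():
        print(key, entry["severity"], [(f["type"], f["sample"]) for f in entry["findings"]])
```

A real discovery job also has to decide which buckets and object types to scan and how often, which is why the text stresses that sensitive data discovery must be configured explicitly rather than assumed to be on.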

AWS PrivateLink

  • Provides private connectivity between VPCs and AWS services
  • Enables access to services without traversing public internet
  • Uses VPC endpoints in your VPC to connect securely to endpoint services
  • Particularly useful for SageMaker and other AI services

Shared Responsibility Model

  • AWS Responsibility (“Security OF the Cloud”): Infrastructure, hardware, software, networking
  • Customer Responsibility (“Security IN the Cloud”): Data security, access management, configuration
  • Responsibility varies by service type (IaaS vs. managed services)
  • For AI systems: Customers responsible for training data security, access controls, and model monitoring

Best Practices

  • Encrypt data at rest and in transit
  • Implement least privilege access control
  • Enable MFA for all users
  • Use IAM roles for temporary access
  • Restrict network access using VPCs
  • Monitor and remediate sensitive data exposure
