From the course: AWS Essential Training for Architects

Design a strategy for secure access

When architecting solutions in the cloud, one of the most important aspects to take care of is security. Doing so allows you to take advantage of cloud technologies while protecting your data and systems. The following design principles should be adhered to when architecting in the cloud.

First, implement strong identity and access management. Consider how you will manage identities for your users and their access permissions. You can manage identities within AWS or use an external identity provider. Also consider how you will securely grant access to external users who may need to reach your resources and applications. When granting access, the best practice recommendation is to implement the principle of least privilege: grant only the minimum permissions required for the task or job role. AWS has different policy types that you can use to grant and control access. Identity-based policies let you define permissions for identities such as users, groups, and roles. Resource-based policies let you define who has access to a resource and what actions they can perform on it. Service control policies, or SCPs, let you define the maximum permissions for member accounts in AWS Organizations; an SCP never grants access by itself, it only caps what the account's own policies can allow.

Next, secure every layer. This includes the network, applications, code, data, instances such as EC2 instances and databases, and the operating system. AWS has tools that allow you to secure these resource types and review their security. We'll cover many of these in this section of the course.

Then protect data. This is of prime importance because protecting data is key to maintaining customer confidence and complying with regulations. Data protection begins with identifying and classifying data, so it is important to understand these key considerations. Does the data contain personally identifiable information, or PII, such as name, address, date of birth, and more? Does it contain intellectual property such as trade secrets and patents? Does it contain protected health information such as medical records? Does it contain financial information such as credit card details? Where is the data stored? Who owns the data? Who can access and modify the data? What is the business impact if data is modified, deleted, or inadvertently disclosed? Answering these questions will help you determine the controls to implement to mitigate the risk. These include authentication, encryption, access control, and reporting. It is also important to protect data both at rest and in transit. You protect data at rest by encrypting it, and data in transit by using secure protocols such as HTTPS. We'll talk more about these later in this section.

Next, implement traceability. Traceability refers to the ability to track and monitor interactions and changes in your AWS environment. Ensure you have tools and systems to monitor, alert on, and audit actions and changes in real time. You can use AWS-provided tools or tools available in the AWS Marketplace to implement traceability. For example, AWS CloudTrail allows you to maintain an audit trail of API actions taken by users and services. AWS Config allows you to record, audit, and evaluate the configuration of your AWS resources over time. AWS X-Ray gives you an end-to-end view of requests as they travel through your application, allowing you to identify the root cause of performance issues and errors. You can use VPC Flow Logs to capture information about IP traffic going to and from network interfaces in your VPC. Tag resources to label them and assign ownership. CloudTrail and VPC Flow Logs can both deliver their records to an Amazon S3 bucket or a CloudWatch Logs log group for further analysis.

Lastly, prepare for security events. Create and regularly update an incident response plan specific to your AWS environment. Your plan will define the ability of your team to respond to an incident, restore operations, and perform forensic analysis. To learn more about how you can create an incident response plan, I recommend reading the AWS documentation on this topic. So those are the high points to bear in mind as you architect the security of your applications and workloads. Now, let's get to the details.
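The three policy types described above (identity-based, resource-based, and service control policies) all use the same JSON document format, so a least-privilege review can be written once and run over any of them. The following is an added example, not code from the course: a small linter that walks the Allow statements of a policy document and flags the common over-grants (wildcard actions, `Resource: "*"` on state-changing actions, and an anonymous `Principal: "*"` with no Condition). The sample policies, the bucket name `example-reports`, and the organization ID are constructed placeholders; the read-only heuristic (Get*/List*/Describe*) is an assumption, not an AWS rule.

```python
"""Least-privilege review of IAM policy documents (added example)."""


def _as_list(value):
    """IAM accepts a scalar or a list for Action, Resource and Principal."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def _principals(statement):
    """Flatten Principal ("*", {"AWS": [...]}, {"Service": ...}) to strings."""
    principal = statement.get("Principal")
    if principal == "*":
        return ["*"]
    if isinstance(principal, dict):
        return [p for v in principal.values() for p in _as_list(v)]
    return []


def _is_read_only(action):
    """Heuristic (assumption): Get*/List*/Describe* actions do not change state."""
    return action.split(":", 1)[-1].startswith(("Get", "List", "Describe"))


def audit_policy(policy):
    """Return findings (strings) for a policy document; empty means none found.

    Only Allow statements are examined: a Deny with wildcards (typical for an
    SCP guardrail) restricts rather than grants, so it is not a finding.
    """
    findings = []
    for idx, stmt in enumerate(_as_list(policy.get("Statement"))):
        if stmt.get("Effect") != "Allow":
            continue
        sid = stmt.get("Sid", f"Statement[{idx}]")
        actions = _as_list(stmt.get("Action"))
        resources = _as_list(stmt.get("Resource"))
        if "NotAction" in stmt or "NotResource" in stmt:
            findings.append(f"{sid}: NotAction/NotResource in an Allow grants everything not listed")
        for action in actions:
            if action == "*" or action.endswith(":*"):
                findings.append(f"{sid}: wildcard action {action!r}")
        if "*" in resources and not all(_is_read_only(a) for a in actions):
            findings.append(f"{sid}: Resource '*' on state-changing actions")
        if "*" in _principals(stmt) and "Condition" not in stmt:
            findings.append(f"{sid}: anonymous Principal '*' without a Condition")
    return findings


# Constructed samples. Identity-based: what a user, group or role may do.
BROAD_IDENTITY = {"Version": "2012-10-17", "Statement": [
    {"Sid": "DoAnything", "Effect": "Allow", "Action": "*", "Resource": "*"}]}
SCOPED_IDENTITY = {"Version": "2012-10-17", "Statement": [
    {"Sid": "ReadWriteReports", "Effect": "Allow",
     "Action": ["s3:GetObject", "s3:PutObject"],
     "Resource": "arn:aws:s3:::example-reports/*"},
    {"Sid": "ListReports", "Effect": "Allow", "Action": "s3:ListBucket",
     "Resource": "arn:aws:s3:::example-reports"}]}

# Resource-based (S3 bucket policy): who may act on the resource.
PUBLIC_BUCKET = {"Version": "2012-10-17", "Statement": [
    {"Sid": "AnyoneReads", "Effect": "Allow", "Principal": "*",
     "Action": "s3:GetObject", "Resource": "arn:aws:s3:::example-reports/*"}]}
ORG_ONLY_BUCKET = {"Version": "2012-10-17", "Statement": [
    {"Sid": "OrgReads", "Effect": "Allow", "Principal": {"AWS": "*"},
     "Action": "s3:GetObject", "Resource": "arn:aws:s3:::example-reports/*",
     "Condition": {"StringEquals": {"aws:PrincipalOrgID": "o-exampleorgid"}}}]}

# SCP: a Deny guardrail capping what member accounts can do.
REGION_GUARDRAIL_SCP = {"Version": "2012-10-17", "Statement": [
    {"Sid": "DenyOutsideHomeRegions", "Effect": "Deny", "Action": "*", "Resource": "*",
     "Condition": {"StringNotEquals": {"aws:RequestedRegion": ["us-east-1", "eu-west-1"]}}}]}

if __name__ == "__main__":
    for name, doc in [("BROAD_IDENTITY", BROAD_IDENTITY), ("SCOPED_IDENTITY", SCOPED_IDENTITY),
                      ("PUBLIC_BUCKET", PUBLIC_BUCKET), ("ORG_ONLY_BUCKET", ORG_ONLY_BUCKET),
                      ("REGION_GUARDRAIL_SCP", REGION_GUARDRAIL_SCP)]:
        print(name, audit_policy(doc) or ["no findings"])
```

The broad identity policy produces two findings (wildcard action and `Resource: "*"`), the scoped one none; the public bucket policy is flagged for its anonymous principal, while the same principal restricted with `aws:PrincipalOrgID` passes; and the SCP passes because its wildcard sits in a Deny. In a real pipeline you would feed this the output of `aws iam get-policy-version`, `aws s3api get-bucket-policy` and `aws organizations describe-policy`, and treat a finding as a review item rather than an automatic failure, since some read-only actions legitimately require `Resource: "*"`.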
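Traceability only pays off if someone reads the records, so the added example below (not from the course) shows two small detections over the sources named above: a VPC Flow Log check for connections from outside the VPC to SSH/RDP ports, and a CloudTrail check for root-credential use, changes to IAM permissions, and tampering with the trail itself. The flow records follow the default version 2 format; the CloudTrail events follow the `Records` array layout of a delivered log file. All records, the account ID, the ENI ID, the user name `alice`, the addresses, and the `10.0.0.0/16` VPC CIDR are constructed placeholders, and the list of "sensitive" event names is a starting point chosen here, not an AWS-defined set.

```python
"""Traceability checks over VPC Flow Logs and CloudTrail (added example)."""
import ipaddress
import json

# Default VPC Flow Log record format, version 2 (field order matters).
FLOW_FIELDS = ("version", "account_id", "interface_id", "srcaddr", "dstaddr",
               "srcport", "dstport", "protocol", "packets", "bytes",
               "start", "end", "action", "log_status")
ADMIN_PORTS = {22, 3389}  # SSH and RDP

# Constructed sample records: an accepted SSH session from outside, internal
# HTTPS, a rejected RDP probe, and a NODATA record with no addresses.
SAMPLE_FLOW_LOG = """\
2 123456789012 eni-0a1b2c3d4e5f67890 198.51.100.23 10.0.1.15 41230 22 6 12 960 1700000000 1700000060 ACCEPT OK
2 123456789012 eni-0a1b2c3d4e5f67890 10.0.1.15 10.0.2.40 53211 443 6 20 4800 1700000000 1700000060 ACCEPT OK
2 123456789012 eni-0a1b2c3d4e5f67890 203.0.113.9 10.0.1.15 50500 3389 6 3 180 1700000000 1700000060 REJECT OK
2 123456789012 eni-0a1b2c3d4e5f67890 - - - - - - - 1700000000 1700000060 - NODATA
"""


def parse_flow_record(line):
    """Split one default-format record into a dict; None if malformed."""
    parts = line.split()
    if len(parts) != len(FLOW_FIELDS):
        return None
    return dict(zip(FLOW_FIELDS, parts))


def flow_log_alerts(text, vpc_cidr="10.0.0.0/16"):
    """Return (severity, srcaddr, dstport) for admin-port traffic from outside the VPC.

    ACCEPT is 'high' (the port is reachable); REJECT is 'info' (a security
    group or NACL blocked the probe). NODATA/SKIPDATA records are skipped.
    """
    vpc = ipaddress.ip_network(vpc_cidr)
    alerts = []
    for line in text.splitlines():
        rec = parse_flow_record(line)
        if rec is None or rec["log_status"] != "OK":
            continue
        src = ipaddress.ip_address(rec["srcaddr"])
        port = int(rec["dstport"])
        if src in vpc or port not in ADMIN_PORTS:
            continue
        alerts.append(("high" if rec["action"] == "ACCEPT" else "info", rec["srcaddr"], port))
    return alerts


# Events that change who can do what, or weaken the audit trail (our selection).
SENSITIVE_EVENTS = {
    "iam.amazonaws.com": {"AttachUserPolicy", "PutUserPolicy", "CreateAccessKey",
                          "AttachRolePolicy", "UpdateAssumeRolePolicy"},
    "cloudtrail.amazonaws.com": {"StopLogging", "DeleteTrail", "UpdateTrail"},
}

# Constructed CloudTrail file: a benign read, a user granting herself admin,
# then the root account switching logging off.
SAMPLE_CLOUDTRAIL = json.loads("""
{"Records": [
 {"eventTime": "2024-05-01T10:00:00Z", "eventSource": "s3.amazonaws.com",
  "eventName": "GetObject", "sourceIPAddress": "10.0.1.15",
  "userIdentity": {"type": "IAMUser", "userName": "alice"}},
 {"eventTime": "2024-05-01T10:05:00Z", "eventSource": "iam.amazonaws.com",
  "eventName": "AttachUserPolicy", "sourceIPAddress": "203.0.113.9",
  "userIdentity": {"type": "IAMUser", "userName": "alice"},
  "requestParameters": {"userName": "alice",
                        "policyArn": "arn:aws:iam::aws:policy/AdministratorAccess"}},
 {"eventTime": "2024-05-01T10:06:00Z", "eventSource": "cloudtrail.amazonaws.com",
  "eventName": "StopLogging", "sourceIPAddress": "203.0.113.9",
  "userIdentity": {"type": "Root"}}
]}
""")


def cloudtrail_alerts(records):
    """Return one alert string per matched condition; an event may match several."""
    alerts = []
    for ev in records:
        who = ev.get("userIdentity", {})
        actor = who.get("userName") or who.get("type", "unknown")
        stamp = f"{ev['eventTime']} {actor}@{ev['sourceIPAddress']}"
        if who.get("type") == "Root":
            alerts.append(f"{stamp}: root credentials used ({ev['eventName']})")
        if ev["eventName"] in SENSITIVE_EVENTS.get(ev["eventSource"], ()):
            alerts.append(f"{stamp}: sensitive call {ev['eventName']}")
        params = ev.get("requestParameters", {})
        if ev["eventName"] == "AttachUserPolicy" and params.get("userName") == actor:
            alerts.append(f"{stamp}: self-granted {params.get('policyArn')}")
    return alerts


if __name__ == "__main__":
    for alert in flow_log_alerts(SAMPLE_FLOW_LOG) + cloudtrail_alerts(SAMPLE_CLOUDTRAIL["Records"]):
        print(alert)
```

On the sample data the flow check raises one high alert (accepted SSH from 198.51.100.23) and one informational one (rejected RDP probe), and the CloudTrail check raises four: the self-grant of AdministratorAccess is reported twice (sensitive call and self-grant), and the `StopLogging` call twice (root usage and trail tampering). The VPC CIDR is passed in explicitly rather than using `ipaddress`'s `is_private`, because that property also matches the documentation ranges used in the sample and, more importantly, "inside the VPC" is the boundary that matters here, not "RFC 1918".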
