1. Security on AWS

Shared Responsibility Model

Customer Responsible for security IN the cloud	AWS Responsible for security OF the cloud
Customer data	Regions, availability zones & edge locations
Platform, application & IAM	Physical level and below
OS patching on EC2	Fire, power, climate management
Antivirus	Storage device decommissioning according to industry standards
Network and firewall configuration	Personnel security
Multi-factor authentication	Network device security & ACLs
Password and key rotation	API access points use SSL for secured communication
Security groups	DDos protection
Resource-based policy	EC2 instances and spoofing protection
Access control list	Port scanning even if it's your environment
VPC	EC2 instances hypervisor isolation
OS level patches	Instances on the sane physical devices are separated at the hypervisor level they are independent of each other
Data in transit & data at rest	Underlying OS patching for Lambda, RDS, Dynamo DB, and other managed services customers focus on security

The user created when the AWS account is created
The credentials are the email & password used when signing up for the AWS account
By default, the root user has full administrative rights & access to every part of the account

We should not use the root user for daily work & administration
- another account that has admin rights should be used
The root user account should not access keys. Delete them if they exist
The root user should use MFA

A new user has an implicit deny for all AWS services and requires a policy be added to grant them access
Users receive unique credentials (username, password & access keys)
Users can have IAM policies applied directly to them, or they can be a member of a group that has policies attached
With policies, an explicit deny always overrides an explicit allow from attached policies
- for instance, AWS will ignore all policies attached to a user if a single deny-all policy is added

A document that states one or more permissions (JSON formatted)
An explicit deny always overrides an explicit allow.
This allows for the users of a deny-all policy to quickly restricts all access a user may have

AWS provides pre-built policy templates to assign to users & groups
Examples include:
- Administrator access: Full access to all AWS resources
- Power-user access: Admin access, except it does not allow user/group management
- Read-only access: Only view AWS resources (e.g., user can only view what is in S3 buckets)

You can create custom IAM policies using the policy generator or write them from scratch
More than one policy can be attached to a user/group at the same time
Policies can not be directly attached to AWS resources (such as an EC2 instance)

Temporary security credentials in AWS managed by Security Token Service (STS)
Another entity can assume the specific permissions defined by the Roles
These entities include:
- AWS resources (e.g., EC2 instance)
- A user outside of AWS needs temporary access

We must use role because policies cannot be attached directly to AWS resources
Services can only have one role attached at a time
You should never pass or store credentials to an EC2 instance - instead, use role
You may change the role of running EC2 instances through the console or URI

Cross-account access (delegation)
- Provide access to another AWS account from another account

TO BE UPDATED