AWS -- Security¶
Identity and access management, network security, data protection, and compliance considerations for Amazon Web Services.
Identity & Access¶
IAM Users, Roles & Policies¶
AWS IAM provides fine-grained access control for all AWS services.
| Concept | Description |
|---|---|
| IAM User | Long-lived identity with console password and/or access keys. Use sparingly; prefer roles for workloads. |
| IAM Group | Collection of IAM users; policies attached to a group apply to all members. |
| IAM Role | Identity assumed by trusted entities (AWS services, federated users, other accounts). Uses temporary STS credentials. |
| IAM Policy | JSON document defining Effect (Allow/Deny), Action, Resource, and Condition. Identity-based or resource-based. |
| Permission Boundary | IAM policy that sets the maximum permissions a role or user can receive, regardless of identity-based policies. |
Avoid long-lived access keys
IAM access keys are the single largest source of credential leaks. Use IAM roles with temporary STS credentials for EC2 (instance profiles), Lambda (execution roles), EKS (IRSA / Pod Identity), and CI/CD pipelines (OIDC federation with GitHub Actions, GitLab, etc.).
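The OIDC-federation pattern above, as an added example that is not from the original page: a role trust policy that lets GitHub Actions assume the role with `sts:AssumeRoleWithWebIdentity` only from one repository's `main` branch. The account ID is the page's placeholder; `example-org/example-repo` is a hypothetical repository, and the `token.actions.githubusercontent.com` OIDC provider is assumed to already be registered in IAM. Pinning the `aud` to `sts.amazonaws.com` and the `sub` to an exact branch is what prevents any other repository or branch that can mint a GitHub token from assuming the role.

```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "GitHubActionsMainBranchOnly",
      "Effect": "Allow",
      "Principal": {
        "Federated": "arn:aws:iam::123456789012:oidc-provider/token.actions.githubusercontent.com"
      },
      "Action": "sts:AssumeRoleWithWebIdentity",
      "Condition": {
        "StringEquals": {
          "token.actions.githubusercontent.com:aud": "sts.amazonaws.com",
          "token.actions.githubusercontent.com:sub": "repo:example-org/example-repo:ref:refs/heads/main"
        }
      }
    }
  ]
}
```

A wildcard subject such as `repo:example-org/example-repo:*` would also admit pull-request and tag workflows, so prefer an exact branch or environment claim unless the role's permissions are safe for every workflow in the repository.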
Organizations & Service Control Policies (SCPs)¶
SCPs are the guardrail mechanism in AWS Organizations. They define the maximum permissions available to all principals in an account or OU. SCPs do not grant permissions -- they only restrict what identity-based policies can grant.
Common SCP patterns:
- Deny disabling CloudTrail: Prevents any principal from stopping or deleting trails
- Deny root user API calls: Blocks all root user actions except console sign-in for break-glass
- Region restriction: Denies all API calls outside approved regions (e.g., only us-east-1, us-west-2, eu-west-1)
- Deny public S3: Prevents `s3:PutBucketPolicy` with conditions that allow public access
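Two of the patterns above combined into a single SCP, as an added example rather than a policy from the original page. The first statement protects CloudTrail from being stopped, deleted, or reconfigured; the second denies every regional API call outside the three approved regions while exempting global services (the `NotAction` list is abbreviated and must be extended with every global service the organization actually uses) and a hypothetical break-glass role named `OrgBreakGlass`.

```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "ProtectCloudTrail",
      "Effect": "Deny",
      "Action": [
        "cloudtrail:StopLogging",
        "cloudtrail:DeleteTrail",
        "cloudtrail:UpdateTrail",
        "cloudtrail:PutEventSelectors"
      ],
      "Resource": "*"
    },
    {
      "Sid": "DenyOutsideApprovedRegions",
      "Effect": "Deny",
      "NotAction": [
        "budgets:*",
        "cloudfront:*",
        "ec2:DescribeRegions",
        "iam:*",
        "organizations:*",
        "route53:*",
        "s3:ListAllMyBuckets",
        "sts:*",
        "support:*"
      ],
      "Resource": "*",
      "Condition": {
        "StringNotEquals": {
          "aws:RequestedRegion": ["us-east-1", "us-west-2", "eu-west-1"]
        },
        "ArnNotLike": {
          "aws:PrincipalARN": "arn:aws:iam::*:role/OrgBreakGlass"
        }
      }
    }
  ]
}
```

Attach the SCP to an OU rather than the management account, and test it in a sandbox account first: an over-broad `NotAction` omission silently breaks global-service calls such as IAM console sign-in flows.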
IAM Identity Center (SSO)¶
IAM Identity Center (formerly AWS SSO) provides centralized identity management across all accounts in the organization.
| Feature | Detail |
|---|---|
| Permission Sets | Named collections of IAM policies assigned to users/groups per account |
| External IdP | Federation via SAML 2.0 or OIDC with Okta, Azure AD (Entra ID), Google Workspace, Ping Identity |
| Automatic provisioning | SCIM 2.0 for user/group sync from external IdP |
| MFA | Built-in MFA or delegated to the external IdP |
| Session duration | Configurable per permission set (1-12 hours) |
```bash
# List permission sets
aws sso-admin list-permission-sets \
  --instance-arn arn:aws:sso:::instance/ssoins-XXXXXXXXXXXX

# Assign a permission set to a group for an account
aws sso-admin create-account-assignment \
  --instance-arn arn:aws:sso:::instance/ssoins-XXXXXXXXXXXX \
  --target-id 123456789012 \
  --target-type AWS_ACCOUNT \
  --permission-set-arn arn:aws:sso:::permissionSet/ssoins-XXXXXXXXXXXX/ps-XXXXXXXXXXXX \
  --principal-type GROUP \
  --principal-id XXXXXXXXXXXX
```
Network Security¶
Security Groups¶
Security groups are stateful, instance-level firewalls. All inbound traffic is denied by default; outbound is allowed by default. Rules are additive (no explicit deny). Reference other security groups in rules for dynamic, IP-free policies.
Network ACLs (NACLs)¶
NACLs are stateless, subnet-level filters. They support both allow and deny rules, evaluated in numeric order. Use NACLs as a broad second layer; rely on security groups for primary access control.
VPC Endpoints & PrivateLink¶
Keep traffic to AWS services off the public Internet:
- Gateway Endpoints: Free, route-table-based access to S3 and DynamoDB
- Interface Endpoints: ENI-based private access to 100+ AWS services (KMS, SQS, ECR, SSM, etc.)
- VPC Endpoint Policies: JSON policies restricting which principals and resources the endpoint can access
AWS Network Firewall¶
Managed stateful L3-L7 firewall deployed in inspection VPCs. Supports Suricata-compatible IPS/IDS rules, FQDN filtering, and TLS inspection. Deploy behind Transit Gateway for centralized inspection of all traffic.
AWS Firewall Manager¶
Centralized management of WAF rules, Network Firewall policies, security groups, DNS Firewall rules, and Shield Advanced across all accounts. Apply policies from a single administrator account.
Data Protection¶
KMS (Key Management Service)¶
KMS provides centralized key management for encryption at rest. Over 100 AWS services integrate natively with KMS.
| Key Type | Description |
|---|---|
| AWS managed key | Created and rotated automatically by the AWS service (free). |
| Customer managed key (CMK) | Created by you; configurable rotation (every 90-2560 days), key policy, and grants. $1/month per key. |
| Custom key store | CMKs backed by CloudHSM cluster (FIPS 140-2 Level 3). |
| External key store (XKS) | CMKs backed by keys in your own HSM outside AWS. |
S3 Encryption¶
| Mode | Key Management | Use Case |
|---|---|---|
| SSE-S3 | AWS-managed, automatic | Default encryption, no key management overhead |
| SSE-KMS | Customer managed CMK | Audit key usage via CloudTrail, cross-account key sharing |
| SSE-C | Customer-provided key per request | Full key control; AWS does not store the key |
| Client-side | Encrypt before upload | End-to-end encryption; AWS never sees plaintext |
Default S3 encryption
Since January 2023, all new S3 objects are encrypted with SSE-S3 by default. Use a bucket policy to enforce SSE-KMS if you need key audit trails or cross-account key management.
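A bucket policy that enforces SSE-KMS with one specific key and refuses plaintext transport, added here as an example and not taken from the original page. `example-audit-bucket` and the KMS key ARN (`KEY-ID-PLACEHOLDER`) are placeholders to substitute. Because `StringNotEquals` also matches when the header is absent, uploads that rely on default encryption without sending the header are denied as well, so clients must set the SSE header explicitly.

```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "DenyPutObjectWithoutKms",
      "Effect": "Deny",
      "Principal": "*",
      "Action": "s3:PutObject",
      "Resource": "arn:aws:s3:::example-audit-bucket/*",
      "Condition": {
        "StringNotEquals": {
          "s3:x-amz-server-side-encryption": "aws:kms"
        }
      }
    },
    {
      "Sid": "DenyPutObjectWithOtherKey",
      "Effect": "Deny",
      "Principal": "*",
      "Action": "s3:PutObject",
      "Resource": "arn:aws:s3:::example-audit-bucket/*",
      "Condition": {
        "StringNotEquals": {
          "s3:x-amz-server-side-encryption-aws-kms-key-id": "arn:aws:kms:us-east-1:123456789012:key/KEY-ID-PLACEHOLDER"
        }
      }
    },
    {
      "Sid": "DenyInsecureTransport",
      "Effect": "Deny",
      "Principal": "*",
      "Action": "s3:*",
      "Resource": [
        "arn:aws:s3:::example-audit-bucket",
        "arn:aws:s3:::example-audit-bucket/*"
      ],
      "Condition": {
        "Bool": { "aws:SecureTransport": "false" }
      }
    }
  ]
}
```

Pair this with the same key as the bucket's default encryption setting so that CloudTrail's KMS data events give one audit trail per object write.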
Secrets Manager¶
Secrets Manager stores and rotates secrets (database credentials, API keys, tokens). Automatic rotation uses Lambda functions to rotate credentials on a schedule.
```bash
# Create a secret
# Passing the value inline leaves it in shell history and process listings;
# prefer --secret-string file://secret.json for real credentials.
aws secretsmanager create-secret \
  --name prod/db/password \
  --secret-string '{"username":"admin","password":"XXXXXXXX"}'

# Enable automatic rotation (every 30 days) using a rotation Lambda function
aws secretsmanager rotate-secret \
  --secret-id prod/db/password \
  --rotation-lambda-arn arn:aws:lambda:us-east-1:123456789012:function:rotate-db-secret \
  --rotation-rules AutomaticallyAfterDays=30
```
ACM (AWS Certificate Manager)¶
ACM provides free public TLS certificates and managed private CA. ACM certificates on ALB, CloudFront, and API Gateway auto-renew without manual intervention.
Compliance¶
Shared Responsibility Model¶
AWS operates under a shared responsibility model:
| Responsibility | AWS | Customer |
|---|---|---|
| Physical infrastructure | Data centers, hardware, global network | N/A |
| Hypervisor & managed services | Patching, HA of managed services (RDS, S3, Lambda) | N/A |
| Guest OS & runtime | N/A | Patching EC2 OS, container images, Lambda runtimes |
| Network configuration | N/A | Security groups, NACLs, TLS, VPN setup |
| Data encryption | Provide KMS, S3 encryption, ACM | Enable and configure encryption for each service |
| Identity & access | Provide IAM, STS, Identity Center | Configure policies, MFA, role trust, least privilege |
AWS Artifact¶
AWS Artifact provides on-demand access to AWS compliance reports (SOC 1/2/3, PCI-DSS, ISO 27001, FedRAMP, HIPAA BAA) and agreements. Download reports directly from the Artifact console.
Compliance Programs¶
AWS holds certifications and attestations including:
- SOC 1/2/3 (audit controls)
- ISO 27001, 27017, 27018 (information security)
- PCI-DSS Level 1 (payment card data)
- FedRAMP High (US government)
- HIPAA (healthcare; requires BAA)
- GDPR (EU data protection)
- C5 (Germany; cloud computing compliance)
- IRAP (Australia; government security)
- MTCS Level 3 (Singapore; multi-tier cloud security)
Compliance is not inherited
An AWS certification means the infrastructure is compliant. You must still configure your workloads correctly (encryption, access control, logging, patching) to meet your own compliance obligations. Use AWS Config conformance packs and Security Hub compliance standards to continuously validate your posture.