2.2 Define AWS cloud security and compliance concepts

Cloud security at AWS is the highest priority. As an AWS customer, you will benefit from a data center and network architecture built to meet the requirements of the most security-sensitive organizations.

An advantage of the AWS cloud is that it allows customers to scale and innovate, while maintaining a secure environment. Customers pay only for the services they use, meaning that you can have the security you need, but without the upfront expenses, and at a lower cost than in an on-premises environment.

Infrastructure Security

 * Network firewalls built into Amazon VPC.
 * In-transit encryption using TLS across all services.
 * Private or dedicated connections into your data center.

Infrastructure Resilience

 * Technologies built from the ground up for resilience in the face of DDoS attacks.
 * Services can be used in combination to automatically scale for traffic load.
 * Auto Scaling, CloudFront, and Route 53 can be combined to absorb and mitigate DDoS traffic.

Data Encryption

 * At-rest encryption available in EBS, S3, Glacier, RDS (Oracle and SQL Server) and Redshift.
 * Key management through AWS KMS - you can choose whether to control the keys yourself or let AWS manage them.
 * Server side encryption of message queues in SQS.
 * Dedicated hardware-based cryptographic key storage using AWS CloudHSM, allowing you to satisfy compliance requirements.
 * APIs to integrate AWS security into any applications you create.

Standards and Best Practices

 * A security assessment service, Amazon Inspector, that automatically assesses applications for vulnerabilities or deviations from best practices, including impacted networks, OS, and attached storage
 * Deployment tools to manage the creation and decommissioning of AWS resources according to organizational standards
 * Inventory and configuration management tools, like AWS Config, that identify AWS resources, then track and manage changes to those resources over time
 * Template definition and management tools, including AWS CloudFormation to create standard, preconfigured environments

Monitoring and Logging

 * Deep visibility into API calls through AWS CloudTrail, including who, what, when, and from where calls were made
 * Log aggregation options, streamlining investigations and compliance reporting
 * Alert notifications through Amazon CloudWatch when specific events occur or thresholds are exceeded

Identity and Access Control

 * AWS Identity and Access Management (IAM) lets you define individual user accounts with permissions across AWS resources
 * AWS Multi-Factor Authentication for privileged accounts, including options for hardware-based authenticators
 * AWS Directory Service allows you to integrate and federate with corporate directories to reduce administrative overhead and improve end-user experience
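As an added example (not from the original notes or from AWS), the following Python check pulls the who, what, when and where out of CloudTrail records, as described under Monitoring and Logging, and flags root-account activity and privileged calls made without MFA, tying in the IAM and MFA points above. The three records are constructed samples and the PRIVILEGED set is an assumed policy.

```python
import json
# Constructed sample CloudTrail records for this example (not real account data).
SAMPLE_EVENTS = json.loads("""[
 {"eventTime": "2024-01-15T09:12:03Z", "eventSource": "signin.amazonaws.com",
  "eventName": "ConsoleLogin", "awsRegion": "us-east-1", "sourceIPAddress": "198.51.100.7",
  "userIdentity": {"type": "Root", "arn": "arn:aws:iam::111122223333:root"},
  "additionalEventData": {"MFAUsed": "No"}},
 {"eventTime": "2024-01-15T09:20:41Z", "eventSource": "iam.amazonaws.com",
  "eventName": "CreateUser", "awsRegion": "us-east-1", "sourceIPAddress": "198.51.100.7",
  "userIdentity": {"type": "IAMUser", "userName": "alice",
                   "arn": "arn:aws:iam::111122223333:user/alice"}},
 {"eventTime": "2024-01-15T10:02:15Z", "eventSource": "s3.amazonaws.com",
  "eventName": "PutBucketPolicy", "awsRegion": "eu-west-1", "sourceIPAddress": "203.0.113.9",
  "userIdentity": {"type": "AssumedRole",
                   "arn": "arn:aws:sts::111122223333:assumed-role/Admin/bob",
                   "sessionContext": {"attributes": {"mfaAuthenticated": "true"}}}}
]""")

# Operations this example treats as privileged and expects to come from an MFA session (assumed policy).
PRIVILEGED = {"ConsoleLogin", "CreateUser", "AttachUserPolicy", "PutBucketPolicy",
              "StopLogging", "DeleteTrail"}

def mfa_used(event):
    """Console logins record additionalEventData.MFAUsed; calls with temporary credentials
    record sessionContext.attributes.mfaAuthenticated; long-term keys record neither (-> False)."""
    if event["eventName"] == "ConsoleLogin":
        return event.get("additionalEventData", {}).get("MFAUsed") == "Yes"
    attrs = event["userIdentity"].get("sessionContext", {}).get("attributes", {})
    return attrs.get("mfaAuthenticated") == "true"

def summarize(event):
    """The who / what / when / where of one API call, as CloudTrail records it."""
    ident = event["userIdentity"]
    return {"who": ident.get("userName") or ident["arn"],
            "what": f'{event["eventSource"]}:{event["eventName"]}',
            "when": event["eventTime"],
            "where": f'{event["sourceIPAddress"]} ({event["awsRegion"]})'}

def findings(event):
    """Detection rules: any root-account activity, and privileged calls without MFA."""
    hits = []
    if event["userIdentity"]["type"] == "Root":
        hits.append("root-account-activity")
    if event["eventName"] in PRIVILEGED and not mfa_used(event):
        hits.append("privileged-call-without-mfa")
    return hits

def review(events):
    """Return (summary, findings) for each event that triggered at least one rule."""
    return [(summarize(e), findings(e)) for e in events if findings(e)]
```

Running `review(SAMPLE_EVENTS)` reports the root console login and the access-key CreateUser call, while the MFA-backed role session is left alone.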

Security Support

 * Real-time insight through AWS Trusted Advisor
 * Proactive support and advocacy with a Technical Account Manager (TAM)

Compliance Assurance Programs

From certifications and regulations to frameworks, AWS has you covered. Some of the programs covered are:
 * Cyber Essentials Plus (UK)
 * DoD SRG (US)
 * FIPS (US)
 * ISO 9001
 * CISPE
 * GLBA
 * UK Data Protection Act
 * EU Data Protection Directive
 * FFIEC
 * G-Cloud (UK)
 * NIST
 * UK Cloud Security Principles