CPSC 4820 - DAY 14 MARCH 29, 2018
================================================================================

Best Practice: Secure your infrastructure everywhere.
-Isolate parts of your infrastructure.
-Encrypt data in transit and at rest.
-Enforce access control granularity, using the principle of least privilege.
-Enforce multi-factor authentication.
-Leverage managed services.
-Log access to resources.
-Automate your deployments to keep security consistent.

Security - the ability to protect information, systems, and assets while delivering business value through risk assessments.
Apply security at all layers. Enable traceability. Automate responses to security events. Focus on securing your system. Automate security best practices.

Key areas for security:
-Data protection
-Privilege management
-Infrastructure protection
-Detective controls

De-militarized zone (DMZ)
Custom SSL certificate support.
Content can be made private in S3 by requiring users to use a signed URL to access content in S3.
Origin Access Identity - a user that performs actions on behalf of the user requesting the content. Direct access is not allowed.

Encrypting Data
---------------
Symmetric Encryption - the same key is used to encrypt and decrypt data. A common symmetric encryption algorithm is AES.

AWS Key Management Service (KMS) - a managed encryption service that enables you to easily encrypt your data.
-Two-tiered key hierarchy using envelope encryption.
-Data keys are unique.
-AWS KMS master keys encrypt data keys.
-AWS KMS master keys never leave the AWS KMS system.

Data stored in S3 requires AWS credentials for access.
-Access to Amazon S3 can be over HTTP or HTTPS.
-AWS S3 logging allows auditing of access to all objects.
-Amazon S3 supports access control lists and policies for every bucket, prefix (directory/folder), and object.

Amazon provides server-side encryption (AES-256) using AWS-maintained keys or customer-provided keys.
-AWS encryption keys are further encrypted with a rotating key.
Can also encrypt data before storage in Amazon S3 (client-side encryption).
Amazon Glacier data is encrypted by default.

SAML - Security Assertion Markup Language - open standard for exchanging authentication and authorization data between parties, specifically between an identity provider and a service provider.