With automated tools like Trusted Advisor and Audit Manager, you can demonstrate that security and compliance posture whenever it is required.

Shared responsibility model

Under the shared responsibility model, AWS is responsible for security of the cloud: the physical security of its facilities, the underlying hardware and network, and the virtualization layer, including the hypervisor and the host operating systems. The customer is responsible for security in the cloud: patching and updating the guest operating systems and applications they run, configuring firewalls such as security groups and network ACLs, managing identities and access, and encrypting data at rest and in transit. For managed services the line shifts toward AWS, which then also patches the underlying operating system or database engine, but the customer's data, access control and configuration remain the customer's job. This split gives customers control over their environment, and with it responsibility for configuring it securely.

Identity and access management

IAM lets you create users, groups and roles and attach policies that grant them explicit access to specific AWS services and resources, anywhere from read-only to full access. When creating groups and users, grant access according to the principle of least privilege: only the actions, on only the resources, that the identity actually needs, and prefer attaching policies to groups or roles rather than to individual users.

Working with Cognito

AWS also provides Cognito for authentication, authorization and user management in your web and mobile apps. Through a Cognito user pool, a user can create an account, sign in to your applications and, if you choose to allow it, sign in through third-party identity providers such as Google and Facebook. User pools also federate with SAML 2.0 and OIDC identity providers such as Active Directory Federation Services (AD FS), allowing single sign-on against an on-premises Active Directory. Once authenticated, a user can exchange their token through a Cognito identity pool for temporary AWS credentials tied to an IAM role. These temporary credentials grant access to specific resources and services, such as allowing a mobile application user to upload an image to a specific S3 bucket; the role's policy can be scoped with the policy variable ${cognito-identity.amazonaws.com:sub} so that each user can reach only objects under their own prefix. Identity pools therefore let you control who has access to which resources and features within your application. Additionally, when users federate through SAML, attributes asserted by the identity provider, such as group or organizational unit membership, can be mapped to different IAM roles, so access to AWS resources follows the structure of your existing directory.

Using AWS Organizations for account management

AWS lets you centrally manage multiple accounts through a service known as AWS Organizations. Organizations consolidates billing for all member accounts and lets you centralize and standardize controls across them through policies such as service control policies (SCPs), which set the maximum permissions available to IAM principals in member accounts, backup policies and tag policies. There are two account types within an organization: the management account (formerly called the master account) and member accounts. The management account is the account that created the organization; it can create new accounts, invite existing accounts into the organization and remove accounts from it. Member accounts are all other accounts in the organization. Additionally, you may group your accounts into organizational units (OUs), broken down by category such as production, development and testing, by region such as North America, Europe or Asia, or by any structure that helps you apply policies. Policies attached to an OU flow down to every account and nested OU it contains, and a request from a member account must be allowed at every level from the root down to the account. Two caveats: SCPs never grant permissions on their own, they only bound what IAM policies can grant, and they do not apply to the management account, which is one reason to keep workloads out of it.
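As an added example (not code from this page or from AWS), the following Python models the policy evaluation behind the three preceding sections: the least-privilege point from the IAM section, the per-user scoping of a role assumed through a Cognito identity pool, and the way SCPs attached to an OU flow down to every account under it. It implements only Effect/Action/Resource matching plus the ${cognito-identity.amazonaws.com:sub} policy variable; Condition keys, NotAction, resource-based policies and permission boundaries are out of scope. The bucket names, account IDs, OU names and identity values are constructed for illustration.

```python
"""Toy evaluator for IAM identity policies and Organizations SCPs (added example, not AWS code)."""
from fnmatch import fnmatchcase


def _as_list(value):
    return [value] if isinstance(value, str) else list(value)


def _matches(patterns, value, fold_case=False):
    # IAM wildcards are '*' and '?'. Action names match case-insensitively,
    # resource ARNs case-sensitively.
    if fold_case:
        patterns, value = [p.lower() for p in patterns], value.lower()
    return any(fnmatchcase(value, p) for p in patterns)


def _expand(template, variables):
    # Substitute IAM policy variables such as ${cognito-identity.amazonaws.com:sub}
    for name, val in variables.items():
        template = template.replace("${" + name + "}", val)
    return template


def evaluate(policy, action, resource, variables=None):
    """Return 'Allow', 'Deny' (explicit) or 'ImplicitDeny' for one request.
    IAM order: any explicit Deny wins, otherwise an Allow, otherwise implicit deny."""
    decision = "ImplicitDeny"
    for stmt in policy["Statement"]:
        resources = [_expand(r, variables or {}) for r in _as_list(stmt["Resource"])]
        if (_matches(_as_list(stmt["Action"]), action, fold_case=True)
                and _matches(resources, resource)):
            if stmt["Effect"] == "Deny":
                return "Deny"
            decision = "Allow"
    return decision


def wildcard_findings(policy):
    """Least-privilege lint: Allow statements whose Action or Resource is a wildcard."""
    findings = []
    for i, stmt in enumerate(policy["Statement"]):
        if stmt["Effect"] != "Allow":
            continue
        if any(a == "*" or a.endswith(":*") for a in _as_list(stmt["Action"])):
            findings.append(f"statement {i}: wildcard action")
        if "*" in _as_list(stmt["Resource"]):
            findings.append(f"statement {i}: resource '*'")
    return findings


def scp_allows(org, account_id, action, resource):
    """SCPs are inherited: the request must be allowed by the SCPs attached at every
    level from the account up to the root, and explicitly denied at none of them."""
    node = account_id
    while node is not None:
        decisions = [evaluate(p, action, resource) for p in org[node]["scps"]]
        if "Deny" in decisions or "Allow" not in decisions:
            return False
        node = org[node]["parent"]
    return True


def effective_allow(identity_policy, org, account_id, action, resource):
    """Member-account request: the identity policy must allow AND the SCP chain must permit.
    SCPs only cap permissions; they grant nothing and do not bind the management account."""
    return (evaluate(identity_policy, action, resource) == "Allow"
            and scp_allows(org, account_id, action, resource))


# Constructed sample policies and a constructed organization (hypothetical names and IDs).
OVERBROAD = {"Statement": [{"Effect": "Allow", "Action": "s3:*", "Resource": "*"}]}
LEAST_PRIVILEGE = {"Statement": [{"Effect": "Allow",
                                  "Action": ["s3:GetObject", "s3:ListBucket"],
                                  "Resource": ["arn:aws:s3:::app-reports",
                                               "arn:aws:s3:::app-reports/*"]}]}
# Role assumed through a Cognito identity pool: each user reaches only their own prefix.
COGNITO_UPLOAD_ROLE = {"Statement": [{"Effect": "Allow", "Action": "s3:PutObject",
    "Resource": "arn:aws:s3:::app-uploads/${cognito-identity.amazonaws.com:sub}/*"}]}
ADMIN = {"Statement": [{"Effect": "Allow", "Action": "*", "Resource": "*"}]}
FULL_AWS_ACCESS = ADMIN  # the default SCP attached to every root and OU
DEV_GUARDRAILS = {"Statement": [{"Effect": "Deny", "Resource": "*",
    "Action": ["cloudtrail:StopLogging", "cloudtrail:DeleteTrail",
               "organizations:LeaveOrganization"]}]}
ORG = {
    "r-root":       {"parent": None,          "scps": [FULL_AWS_ACCESS]},
    "Production":   {"parent": "r-root",      "scps": [FULL_AWS_ACCESS]},
    "Development":  {"parent": "r-root",      "scps": [FULL_AWS_ACCESS, DEV_GUARDRAILS]},
    "111122223333": {"parent": "Production",  "scps": [FULL_AWS_ACCESS]},
    "444455556666": {"parent": "Development", "scps": [FULL_AWS_ACCESS]},
}

if __name__ == "__main__":
    print(wildcard_findings(OVERBROAD), wildcard_findings(LEAST_PRIVILEGE))
    print(evaluate(LEAST_PRIVILEGE, "s3:DeleteObject", "arn:aws:s3:::app-reports/q1.csv"))
    me = {"cognito-identity.amazonaws.com:sub": "us-east-1:1111-aaaa"}
    print(evaluate(COGNITO_UPLOAD_ROLE, "s3:PutObject",
                   "arn:aws:s3:::app-uploads/us-east-1:1111-aaaa/photo.jpg", me))
    print(evaluate(COGNITO_UPLOAD_ROLE, "s3:PutObject",
                   "arn:aws:s3:::app-uploads/us-east-1:2222-bbbb/photo.jpg", me))
    for acct in ("111122223333", "444455556666"):
        print(acct, effective_allow(ADMIN, ORG, acct, "cloudtrail:StopLogging", "*"))
```

The last loop is the point of the Organizations section: the same administrator policy in two member accounts yields different effective permissions, because the deny guardrail attached to the Development OU is inherited by the account under it and not by the account under Production.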

Using Trusted Advisor

Trusted Advisor inspects your account against AWS best practices and flags deviations. Its core security checks include:

- S3 bucket permissions
- Security groups: specific ports unrestricted
- IAM use
- Multi-factor authentication on the root account
- Amazon EBS public snapshots
- Amazon RDS public snapshots

Trusted Advisor also offers an organizational view, which runs the Trusted Advisor checks across all accounts in your organization and compiles the results into a single report. This is especially useful to large enterprise customers. Note that the core security checks listed above are available on every support plan, while the full set of checks and the organizational view require a Business or Enterprise Support plan.

AWS risk and compliance program

In addition to the above security services, AWS offers Audit Manager to help your organization stay in compliance. Audit Manager automates the collection of evidence for compliance reviews, pulling it from sources such as CloudTrail, AWS Config and Security Hub, and ships with prebuilt frameworks for many common standards such as GDPR, HIPAA and PCI DSS. You can also define custom frameworks to support internal audits. Its assessment reports link to the detailed evidence gathered for each control. Note that while Audit Manager collects the evidence needed to show compliance, it does not itself determine whether you are compliant. To ensure your company is fully within legal compliance, legal counsel or compliance experts are still needed.

Utilizing AWS