Cloud Shared Responsibility
Vibe Prompt
"Map security responsibilities for AWS services: EC2, S3, RDS, Lambda. Who secures what?"
Shared Responsibility Model
```
┌──────────────────────────────────────┐
│ Customer (Security IN the Cloud)     │
│ ├── Data encryption (at rest/transit)│
│ ├── OS patching (EC2)                │
│ ├── Firewall rules (SG, NACL)        │
│ ├── IAM policies & access            │
│ └── App-level security (WAF, code)   │
├──────────────────────────────────────┤
│ AWS (Security OF the Cloud)          │
│ ├── Physical security (data center)  │
│ ├── Network infrastructure           │
│ ├── Hypervisor isolation             │
│ ├── Managed service security         │
│ └── Global infrastructure            │
└──────────────────────────────────────┘
```
Responsibility by Service Type
| Service Type | Example | Customer Responsible For |
|--------------|---------|--------------------------|
| IaaS (EC2) | Virtual server | OS, apps, firewall, patches |
| PaaS (RDS) | Managed DB | Data, access, schema |
| SaaS (SES) | Email service | Content, usage |
| FaaS (Lambda) | Serverless | Code, dependencies, env vars |
Cloud Security Pillars
1. IAM & Access Control
- Least privilege, MFA, roles
2. Infrastructure Protection
- VPC, Security Groups, WAF
3. Data Protection
- Encryption at rest (KMS), in transit (TLS)
4. Detective Controls
- CloudTrail, GuardDuty, Security Hub
5. Incident Response
- Automated remediation, playbooks
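As an added example that is not part of the original page, the following Python script lints an IAM policy document against the "least privilege, MFA, roles" pillar. It works on the dictionary shape the IAM API returns for a policy document, so it runs offline with no credentials; the sample policy, the account id and key id inside it, and the list of action prefixes treated as privileged are constructed assumptions, not values from the page or from AWS.

```python
"""Least-privilege lint for IAM policy documents.

Added example: takes the dict shape the IAM API returns for a policy document
and flags the patterns the IAM pillar warns about, namely wildcard actions,
wildcard resources, and privileged actions granted without an MFA condition.
The sample policy and the privileged-action list below are constructed.
"""

# Assumption: action prefixes a team considers privileged enough to gate on MFA.
PRIVILEGED_PREFIXES = ("iam:", "kms:", "organizations:", "s3:Delete", "s3:PutBucketPolicy")


def _as_list(value):
    """IAM accepts a string or a list for Statement/Action/Resource; normalize."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def _requires_mfa(statement):
    """True if the statement is conditioned on aws:MultiFactorAuthPresent."""
    condition = statement.get("Condition", {})
    for operator in ("Bool", "BoolIfExists"):
        flag = condition.get(operator, {}).get("aws:MultiFactorAuthPresent", "")
        if str(flag).lower() == "true":
            return True
    return False


def lint_policy(document):
    """Return (sid, finding) tuples for every Allow statement that breaks least privilege."""
    findings = []
    for index, statement in enumerate(_as_list(document.get("Statement"))):
        if statement.get("Effect") != "Allow":
            continue  # Deny statements only narrow access
        sid = statement.get("Sid", f"Statement{index}")
        actions = _as_list(statement.get("Action"))
        resources = _as_list(statement.get("Resource"))

        if "*" in actions:
            findings.append((sid, "wildcard Action grants every API call"))
        elif any(action.endswith(":*") for action in actions):
            findings.append((sid, "service-wide Action wildcard"))

        if "*" in resources:
            findings.append((sid, "wildcard Resource, not scoped to specific ARNs"))

        privileged = [a for a in actions if a == "*" or a.startswith(PRIVILEGED_PREFIXES)]
        if privileged and not _requires_mfa(statement):
            findings.append((sid, f"privileged actions {privileged} granted without MFA condition"))
    return findings


# Constructed sample: one scoped statement, one over-broad one, one MFA-gated one,
# and a Deny that is skipped. Account id and key id are placeholders.
SAMPLE_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "ReadAppBucket",
            "Effect": "Allow",
            "Action": ["s3:GetObject", "s3:ListBucket"],
            "Resource": ["arn:aws:s3:::example-app-data", "arn:aws:s3:::example-app-data/*"],
        },
        {"Sid": "AdminEverything", "Effect": "Allow", "Action": "*", "Resource": "*"},
        {
            "Sid": "RotateKeyWithMfa",
            "Effect": "Allow",
            "Action": "kms:EnableKeyRotation",
            "Resource": "arn:aws:kms:us-east-1:111122223333:key/PLACEHOLDER-KEY-ID",
            "Condition": {"Bool": {"aws:MultiFactorAuthPresent": "true"}},
        },
        {
            "Sid": "NoPlaintextUploads",
            "Effect": "Deny",
            "Action": "s3:PutObject",
            "Resource": "*",
            "Condition": {"Null": {"s3:x-amz-server-side-encryption": "true"}},
        },
    ],
}

if __name__ == "__main__":
    for sid, finding in lint_policy(SAMPLE_POLICY):
        print(f"{sid}: {finding}")
```

Run against the sample, only the `AdminEverything` statement is reported (three findings); the scoped read statement and the MFA-gated KMS statement pass. In a real review the same function would be fed the documents returned by the IAM API for every customer-managed policy and attached inline policy.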
Cloud Security Best Practices
| Area | Practice |
|------|----------|
| Account | Use multiple accounts (prod, dev, logging) |
| Network | VPC with private subnets, no public IPs |
| Storage | S3 block public access, encrypt by default |
| Compute | Use latest AMIs, scan images |
| Data | Encrypt everything, rotate keys |
| Monitor | Enable CloudTrail + GuardDuty + Security Hub |
AWS Security Services
```
┌────────────────────────────────────────────┐
│ IAM          - Users, roles, policies      │
│ KMS          - Encryption key management   │
│ CloudTrail   - API activity logging        │
│ Config       - Resource compliance         │
│ GuardDuty    - Threat detection            │
│ Security Hub - Central security dashboard  │
│ Detective    - Root cause analysis         │
│ Macie        - Sensitive data discovery    │
│ WAF          - Web application firewall    │
│ Shield       - DDoS protection             │
└────────────────────────────────────────────┘
```
Multi-Account Strategy
```
Organization Root
├── Security (CloudTrail, GuardDuty, Log Archive)
├── Infrastructure (Shared services: VPC, network)
├── Production (Prod workloads, strict controls)
├── Staging (Pre-prod, less strict)
└── Development (Dev, relaxed controls)
```
Key Questions
- Who can access this resource?
- Has access been revoked for leavers?
- Is data encrypted at rest and in transit?
- Are API calls being logged?
- Are there any public S3 buckets?
- Are security groups too permissive?
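The last three Key Questions (API logging, public S3 buckets, permissive security groups) and the Network, Storage and Monitor rows of the best-practice table can be turned into automated checks. The Python below is an added example, not code from the page or from AWS: each function takes the dictionary shape the corresponding AWS API returns (`describe_security_groups`, `get_public_access_block` with `get_bucket_policy`, `describe_trails` merged with `get_trail_status`) so the logic can be exercised offline. The security groups, bucket settings, trail records and the list of ports treated as sensitive are constructed assumptions.

```python
"""Offline posture checks for the Key Questions above.

Added example: each function takes the dict shape the corresponding AWS API
returns (describe_security_groups, get_public_access_block plus
get_bucket_policy, describe_trails merged with get_trail_status) so the logic
runs without credentials. All inputs below are constructed samples.
"""

# Assumption: ports a team never wants reachable from the whole internet.
SENSITIVE_PORTS = {22, 3389, 3306, 5432, 1433}  # SSH, RDP, MySQL, PostgreSQL, MSSQL
WORLD = {"0.0.0.0/0", "::/0"}


def _port_range(permission):
    """(from, to) covered by an IpPermission; protocol -1 means every port."""
    if permission.get("IpProtocol") == "-1":
        return 0, 65535
    return permission.get("FromPort", 0), permission.get("ToPort", 65535)


def permissive_sg_rules(security_groups):
    """Return (GroupId, [exposed ports]) for inbound rules open to the world on sensitive ports."""
    findings = []
    for group in security_groups:
        for permission in group.get("IpPermissions", []):
            sources = [r.get("CidrIp") for r in permission.get("IpRanges", [])]
            sources += [r.get("CidrIpv6") for r in permission.get("Ipv6Ranges", [])]
            if not WORLD.intersection(sources):
                continue  # only internal sources, not a world-open rule
            low, high = _port_range(permission)
            exposed = sorted(port for port in SENSITIVE_PORTS if low <= port <= high)
            if exposed:
                findings.append((group["GroupId"], exposed))
    return findings


def is_bucket_public(public_access_block, bucket_policy):
    """A bucket counts as public when Block Public Access is not fully on and
    its policy has an Allow statement for the anonymous principal."""
    settings = public_access_block or {}
    fully_blocked = all(settings.get(key, False) for key in (
        "BlockPublicAcls", "IgnorePublicAcls", "BlockPublicPolicy", "RestrictPublicBuckets"))
    if fully_blocked:
        return False  # RestrictPublicBuckets neutralizes a public policy
    for statement in (bucket_policy or {}).get("Statement", []):
        anonymous = statement.get("Principal") in ("*", {"AWS": "*"})
        if statement.get("Effect") == "Allow" and anonymous:
            return True
    return False


def api_calls_logged(trails):
    """True if at least one trail is multi-region and currently logging."""
    return any(t.get("IsMultiRegionTrail") and t.get("IsLogging") for t in trails)


# Constructed samples in the APIs' own shapes (group ids are placeholders).
SAMPLE_SECURITY_GROUPS = [
    {"GroupId": "sg-0000aaaa", "IpPermissions": [  # HTTPS from anywhere: expected for a web tier
        {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443,
         "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": []}]},
    {"GroupId": "sg-0000bbbb", "IpPermissions": [  # SSH from anywhere, PostgreSQL from the VPC only
        {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
         "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": []},
        {"IpProtocol": "tcp", "FromPort": 5432, "ToPort": 5432,
         "IpRanges": [{"CidrIp": "10.0.0.0/16"}], "Ipv6Ranges": []}]},
    {"GroupId": "sg-0000cccc", "IpPermissions": [  # all protocols, all ports, from any IPv6 address
        {"IpProtocol": "-1", "IpRanges": [], "Ipv6Ranges": [{"CidrIpv6": "::/0"}]}]},
]

PUBLIC_SITE_PAB = {"BlockPublicAcls": True, "IgnorePublicAcls": True,
                   "BlockPublicPolicy": False, "RestrictPublicBuckets": False}
LOCKED_PAB = {"BlockPublicAcls": True, "IgnorePublicAcls": True,
              "BlockPublicPolicy": True, "RestrictPublicBuckets": True}
ANONYMOUS_READ_POLICY = {"Statement": [{"Effect": "Allow", "Principal": "*",
                                        "Action": "s3:GetObject",
                                        "Resource": "arn:aws:s3:::example-public-site/*"}]}

SAMPLE_TRAILS = [{"Name": "management-events", "IsMultiRegionTrail": True, "IsLogging": True}]

if __name__ == "__main__":
    print("permissive security groups:", permissive_sg_rules(SAMPLE_SECURITY_GROUPS))
    print("example-public-site public:", is_bucket_public(PUBLIC_SITE_PAB, ANONYMOUS_READ_POLICY))
    print("same bucket with BPA fully on:", is_bucket_public(LOCKED_PAB, ANONYMOUS_READ_POLICY))
    print("API calls logged:", api_calls_logged(SAMPLE_TRAILS))
```

Two design points: HTTPS open to the world is deliberately not a finding, because the question is whether administrative and database ports are exposed, and a bucket whose policy allows anonymous reads is reported only when Block Public Access is not fully enabled, since with all four settings on the public policy has no effect. In production the same functions would be driven by the live API responses rather than the constructed samples.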
Chapter Summary
- Understand core concepts and principles
- Master implementation methods and techniques
- Be familiar with common issues and solutions
- Be able to apply them in real projects
Further Reading
- Official documentation and API references
- Open source examples on GitHub
- Technical books and online courses
- Community discussions and tech blogs