Compute and data security
1. Compute and data security
In the previous video, we learned about securing data in transit, meaning data that is transmitted over a network. In this video, we'll learn how to secure computing resources and data at rest, meaning data on hard disks.

2. Securing customer data
As the service provider, AWS is responsible for security of the cloud: it secures the data centers and the infrastructure. Protecting customer data, however, is the customer's responsibility. The cloud user must protect all resources where the data resides: compute, network, and storage. Let's see how to secure compute and storage.

3. Compute security strategies
To keep your EC2 servers secure, it is important to keep their credentials secure. For example, use SSH keys instead of passwords to log in where possible. Updating the operating system with the latest patches minimizes vulnerabilities. Network traffic to and from an EC2 instance can be controlled using a security group. EC2 instances can also be assigned a role, which eliminates the need to store any credentials on the instance. Let's review security groups in detail.

4. Security groups
A security group acts as a virtual firewall for your EC2 instances, controlling incoming and outgoing traffic. There are a few differences between security groups and NACLs. Security groups allow fine-grained control of traffic to and from an individual server, whereas NACL rules apply to the entire subnet. Unlike a NACL, a security group is stateful: it remembers connection state, so the return traffic of an allowed connection is permitted automatically. Finally, security groups allow outbound traffic by default.

5. Data security strategies
There are two strategies for securing data at rest, that is, the data on hard disks. The first is encryption, which can be used for data on the network disk drives attached to servers and for data in S3. The encryption keys can be stored in a central key management service called KMS, and AWS manages the encryption process behind the scenes. The other strategy is to secure S3 buckets. Let's look at how to do that.

6. S3 public access and recovery
S3 is a popular data storage solution and often a target for exploits. Public access means anyone on the Internet can read the data, so it is important to check that public access has not been inadvertently opened. Public access can be quickly turned on or off using the AWS console. For S3 disaster recovery, solutions like versioning, Glacier archiving, and data replication can help.

7. Encryption at rest
Encryption at rest means that your data is locked up and protected while it is stored on a computer or a server. It works automatically with storage services like S3 and EBS. Customers can manage encryption keys using AWS Key Management Service (KMS) or bring their own keys, which helps meet compliance requirements.

8. Security resources
Let's discuss additional AWS resources available on security. The AWS Knowledge Center contains answers to the most frequent customer questions. The Security Blog contains deep dives into security best practices, new features, and how-to guides. The AWS documentation is the official resource for product functionality, limitations, and API references. Finally, Security Hub is a central tool that consolidates security findings from multiple AWS and third-party tools.

9. Let's practice!
Let's work on some exercises!
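As an added exercise-style example that is not part of the DataCamp course: a small Python audit of a security group's inbound rules (section 4 above). It walks plain dictionaries shaped like the entries boto3's `describe_security_groups` returns (an assumed shape; no AWS call is made, and the sample group is constructed) and flags rules that admit the whole Internet on every port or on the SSH/RDP admin ports.

```python
"""Audit EC2 security-group inbound rules for world-open access.

Added example, not DataCamp's or AWS's code. It walks dictionaries shaped
like the entries boto3's ec2.describe_security_groups() returns (an
assumption about the shape; no AWS call is made) and flags inbound rules
that admit 0.0.0.0/0 or ::/0 on every port or on an admin port.
"""

ANYWHERE = {"0.0.0.0/0", "::/0"}
ADMIN_PORTS = {22: "ssh", 3389: "rdp"}


def _sources(perm):
    """All CIDR sources of one permission entry, IPv4 and IPv6."""
    v4 = [r["CidrIp"] for r in perm.get("IpRanges", [])]
    v6 = [r["CidrIpv6"] for r in perm.get("Ipv6Ranges", [])]
    return v4 + v6


def world_open_ingress(group):
    """Return findings as (group id, protocol, what is exposed, cidr)."""
    findings = []
    for perm in group.get("IpPermissions", []):
        proto = perm.get("IpProtocol", "-1")
        for cidr in _sources(perm):
            if cidr not in ANYWHERE:
                continue  # sources limited to a specific range are fine here
            if proto == "-1":  # "-1" means all protocols and all ports
                findings.append((group["GroupId"], "all", "all ports", cidr))
                continue
            lo, hi = perm.get("FromPort", 0), perm.get("ToPort", 65535)
            hit = [name for port, name in ADMIN_PORTS.items() if lo <= port <= hi]
            if hit:
                findings.append((group["GroupId"], proto, "/".join(hit), cidr))
    return findings


# Constructed sample group: one safe public rule, one mixed rule, one bad rule.
SAMPLE_GROUP = {
    "GroupId": "sg-0123456789abcdef0",
    "IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443,
         "IpRanges": [{"CidrIp": "0.0.0.0/0"}]},               # public HTTPS
        {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
         "IpRanges": [{"CidrIp": "10.0.0.0/8"}],               # SSH from VPC
         "Ipv6Ranges": [{"CidrIpv6": "::/0"}]},                # SSH from any IPv6
        {"IpProtocol": "-1", "IpRanges": [{"CidrIp": "0.0.0.0/0"}]},  # everything
    ],
}
```

Running `world_open_ingress(SAMPLE_GROUP)` flags the SSH rule's IPv6 source and the all-traffic rule, while the public HTTPS rule and the VPC-only SSH source pass.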