
AWS Security Fundamentals

2022-08-10 13:34:00 New titanium cloud suit



The fundamentals of AWS security include using a well-documented plan, preparing for security threats and rehearsing the response, protecting every infrastructure layer, using an identity system and enforcing tiered permissions, monitoring the cloud, using automated tools wherever possible, and protecting data at rest and in transit.

Using AWS does not mean that the organization is no longer responsible for protecting its cloud infrastructure; rather, it shares that responsibility with AWS.

In short, AWS protects the cloud infrastructure as a whole: the hardware, software, networking and facilities that run AWS and deliver AWS cloud services to customers. Customers are responsible for protecting what they build on AWS: their data, operating systems, networks, applications and other resources. This division may differ from one cloud provider to another.

Be prepared: develop plans and strategies against security threats

Before starting to use any security service, an organization must develop a plan and strategy for how to deal with security threats. Preparation is one of the most important AWS security fundamentals. AWS recommends establishing an incident management process based on the organization's security requirements (such as regulations).

According to AWS, the organization should run incident rehearsals to make sure the team is prepared. Drills can also reveal the organization's weaknesses, inefficiencies in threat detection, better methods for investigating security incidents and how to recover from one.

Protect all infrastructure layers

All layers of the cloud infrastructure need to be protected. In the shared responsibility model, AWS is responsible for running the underlying layers of AWS, and the customer is responsible for the environment they run on AWS. For organizations, knowing what they are responsible for and which security tools they can use is a best practice.

AWS recommends using a virtual private cloud (VPC) to create an isolated private virtual network environment on AWS. In addition, adding an AWS WAF (web application firewall) can prevent unauthorized access to critical applications and data.

AWS WAF is a foundation of AWS security; it protects web applications and APIs from attacks on typical web vulnerabilities. Organizations can create security rules that block common attack traffic patterns while allowing other traffic to pass through to the application.

AWS Firewall Manager enables an organization to apply firewall rules consistently across all of its AWS accounts and applications. With AWS Firewall Manager, an organization can configure and manage all firewall rules and policies from a central location. In this way, AWS Firewall Manager protects the organization's entire cloud infrastructure.


Use an identity system and enforce tiered permissions

Identity systems such as Identity and Access Management (IAM) are of great help in protecting cloud resources from misuse. Such systems are the basis of overall security on AWS. IAM enables an organization to follow the principle of least privilege: users are granted access only to the data they need to do their work.

With AWS IAM, organizations can grant different levels of access and thereby limit the impact users can have on cloud resources. Account administrators grant permissions to users with identity-based policies. Policies affect different users and groups differently.

A policy can be attached to a user or to a group of users. The policy determines whether the user is allowed to perform certain actions or access certain resources. The range of actions and resources a user is allowed is a measure of how much privilege has been granted to them.

In addition to AWS IAM, other AWS services that control user access include Amazon Cognito and AWS Single Sign-On (SSO).

Cognito grants authorized users access to the organization's applications. The users accessing an application may be authorized back-end employees, or everyday users who only need access to the front end.

AWS SSO allows an organization's employees to use a single set of credentials to access multiple AWS accounts. Applications, accounts and their associated permissions can be managed centrally.

Monitor the cloud

Organizations cannot protect themselves from threats they cannot detect. That is why monitoring the cloud environment is important for security. With thorough monitoring, the organization is alerted quickly when a security incident occurs.

After a security incident, it is best to have logs that provide a history of the actions that led to the incident and who performed them. Amazon's security services provide this kind of monitoring and logging.

Amazon Detective automatically collects log data from all of an organization's cloud resources and uses this information to determine the likely source of security problems.

Amazon GuardDuty continuously monitors the cloud and analyzes log data, unusual activity and anomalous behavior for threats.

Amazon Macie is a machine learning-based service that automatically discovers, classifies and protects sensitive data. For example, personally identifiable information (PII) or intellectual property can be found and protected by Amazon Macie.

AWS Security Hub is a dashboard that compiles notifications and alerts from the various AWS security services. The hub aggregates and organizes monitoring information and lets administrators view it according to the priorities they set.

Automated security features

Many of the services described in this section are automated tools. This matters a great deal to administrators, because it takes many tedious and time-consuming tasks off their plates without those tasks becoming the responsibility of each separate service.

By letting software take over tasks such as data analysis or activity monitoring, administrators have more time for projects that directly affect the organization's business needs. In addition, automating processes such as policy deployment and cloud instance provisioning makes it easier to scale quickly.

Protect data at rest and in transit

Another foundation of AWS security is protecting data while it is not being accessed or moved, and protecting data while it is transmitted across the organization's networks.

Data at rest can be protected by encryption and by the access controls mentioned above. Data in transit can be protected by encryption, secure key and certificate management, secure protocols such as Transport Layer Security (TLS), VPNs, and tools that can detect attempts to move data out of a defined boundary. Again, several AWS services can perform these tasks.

Two AWS security services can provide encryption: AWS CloudHSM and AWS Key Management Service (KMS).

AWS CloudHSM is a cloud-based hardware security module (HSM) service that organizations can use to create their own encryption keys in the cloud. These modules are validated to FIPS 140-2 Level 3, meaning they comply with the Federal Information Processing Standards.

AWS KMS is a managed way to create and control encryption keys. With this service, organizations can control the use of keys across multiple AWS services and in their applications. AWS KMS also uses HSMs. Both services provide the encryption needed to keep data at rest from being accessed by an attacker.

Secure data transfer protocols are key to securing data in transit. Secure Sockets Layer/Transport Layer Security (SSL/TLS) certificates can be provisioned, managed and deployed with AWS Certificate Manager. With secure protocols, data transmitted over the network is encrypted.

AWS Secrets Manager keeps secrets such as database credentials or API keys secure. Storage and control of secrets are centralized through the console, CLI or API. With this service, secrets are not hard-coded into applications; instead, an API call to AWS Secrets Manager retrieves the secret.

This means that someone inspecting the application code cannot find secrets that would grant them further access. It protects the application's data in any state.
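The hard-coded credential the text warns against, beside the run-time retrieval it recommends, as an added example that is not code from the original article. The secret name, its JSON layout and the offline stand-in client are assumptions; with AWS access configured, a real boto3 Secrets Manager client is passed in its place.

```python
"""Fetching a database credential from AWS Secrets Manager at run time instead of
hard-coding it. Added example; the secret name and its JSON layout are assumptions."""
import json

# The pattern the article warns against: a credential baked into the source.
# DB_PASSWORD = "hunter2"   # anyone who can read the code or the repo gets the secret


def load_db_credentials(secrets_client, secret_id):
    """Fetch a JSON secret and return (username, password).

    secrets_client is a boto3 Secrets Manager client, boto3.client("secretsmanager"),
    or any object with the same get_secret_value method, so it can run offline.
    Assumed secret layout: {"username": ..., "password": ...}.
    """
    resp = secrets_client.get_secret_value(SecretId=secret_id)
    if "SecretString" not in resp:
        raise ValueError(f"{secret_id}: binary secrets are not handled here")
    data = json.loads(resp["SecretString"])
    try:
        return data["username"], data["password"]
    except KeyError as exc:
        raise ValueError(f"{secret_id}: missing field {exc}") from exc


class FakeSecretsClient:
    """Constructed stand-in for the boto3 client so the example runs offline."""

    def __init__(self, store):
        self._store = store

    def get_secret_value(self, SecretId):
        if SecretId not in self._store:
            raise KeyError(SecretId)  # the real client raises ResourceNotFoundException
        return {"Name": SecretId, "SecretString": self._store[SecretId]}


# Constructed sample secret, stored the way an operator would create it.
FAKE_STORE = {
    "prod/orders-db": json.dumps({"username": "orders_app", "password": "example-only"}),
}


def demo(client=None):
    """Resolve the credential through the injected client; returns (username, password)."""
    client = client or FakeSecretsClient(FAKE_STORE)
    return load_db_credentials(client, "prod/orders-db")
```

Because the credential is fetched when needed, rotating it in Secrets Manager requires no code change or redeployment.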

Summary: key points of AWS security fundamentals:

1. Every organization should formulate a plan for how to protect its cloud environment and implement it effectively.

2. A firewall is a good way to protect the cloud infrastructure layers.

3. Identity and access management and the principle of least privilege are fundamental elements of cloud security.

4. By monitoring and logging cloud activity, it is easier to find the people or causes behind a security incident.

5. Automation makes IT administrators' lives easier, because they no longer need to focus on monotonous and demanding tasks.

6. Encryption is a common and effective method of protecting data at rest and in transit.

Original article: https://www.sdxcentral.com/cloud/definitions/aws-security-fundamentals/


Copyright notice
This article was created by [New titanium cloud suit]; please include the original link when reposting. Thank you.
https://yzsam.com/2022/222/202208101258532686.html