Security and Compliance in AWS

5 audio clips · 1:41

What is the AWS Shared Responsibility Model?

AWS is responsible for security "of" the cloud — the infrastructure, hardware, software, networking, and facilities. The customer is responsible for security "in" the cloud — their data, identity and access management, operating system configuration, network and firewall settings, and client-side encryption. Think of it this way: AWS secures the building, and you secure what's inside your apartment.

What is IAM?

AWS Identity and Access Management (IAM) lets you manage access to AWS services securely. You create users, groups, and roles, and assign permissions through policies (JSON documents). Best practices: use the root account only for billing, enable MFA, follow the principle of least privilege, and use roles for applications instead of embedding access keys.

What is the principle of least privilege?

The principle of least privilege means granting only the minimum permissions necessary to perform a task. In AWS, this means starting with zero permissions and adding only what's needed. For example, if a user only needs to read S3 objects, don't give them full S3 access. This reduces security risks and limits the impact of compromised credentials.

What is Multi-Factor Authentication (MFA)?

MFA adds an extra layer of security beyond username and password. It requires something you know (password) plus something you have (a device generating a time-based code). AWS strongly recommends enabling MFA on the root account and all IAM users. Supported MFA devices include virtual authenticator apps, hardware tokens, and FIDO security keys.

What is Amazon Macie?

Macie is a data security service that uses machine learning to automatically discover, classify, and protect sensitive data stored in S3, such as personally identifiable information (PII), financial data, or credentials. It alerts you to unencrypted buckets, publicly accessible data, and other security risks. Macie helps organizations comply with data privacy regulations.