Security

Encryption

  • Best practice is to lock away or delete the root user access keys (the root user is not constrained by IAM policies). Never store them in an S3 bucket, even an encrypted one: anyone who can read the bucket gets the keys.
  • Data at rest
    • Client-side encryption (data is encrypted before it leaves the client) can be done by 1) using a KMS key (customer master key, CMK) managed in AWS KMS, or 2) using a master key that you store and manage in your application. S3-managed keys (SSE-S3) exist only server-side and can't be used client-side.
    • Server-side encryption can be done in several ways
      • SSE-C: you supply the key with every request (over TLS); S3 uses it to encrypt or decrypt and then discards it, so you store and manage the keys yourself (e.g. on-prem)
      • SSE-S3: Amazon generates, stores and rotates the keys (AES-256); least operational burden
      • SSE-KMS: keys are managed in AWS Key Management Service (KMS); every key use is logged in CloudTrail, and the KMS key policy separately controls who may decrypt
      • CloudHSM: a dedicated, single-tenant hardware security module in AWS in which you generate and hold your own keys; it can also back KMS through a custom key store
  • Data in motion
    • SSL/TLS encrypts data in transit, not data at rest; use it together with an at-rest option, not instead of one.
    • HTTPS is HTTP over TLS, by default on port 443. TLS is not synonymous with HTTPS: it also protects other protocols (database connections, SMTP, etc.).
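The three server-side modes differ in what the client has to send with the request. The example below is added here (not code from the original notes) and builds the S3 request headers for each mode; the header names are the documented S3 ones, the endpoint argument is an assumption used only to enforce that SSE-C never goes over plain HTTP, since the raw key travels in the request.

```python
import base64
import hashlib
from typing import Dict, Optional


def sse_headers(mode: str, *, customer_key: Optional[bytes] = None,
                kms_key_id: Optional[str] = None,
                endpoint: str = "https://s3.amazonaws.com") -> Dict[str, str]:
    """Return the request headers that select one S3 server-side encryption mode.

    mode is "SSE-S3", "SSE-KMS" or "SSE-C". The header names are the ones S3
    documents for PutObject; endpoint (an assumed parameter) is only used to
    enforce TLS for SSE-C.
    """
    if mode == "SSE-S3":
        # S3 generates, stores and rotates the key; nothing for the client to hold.
        return {"x-amz-server-side-encryption": "AES256"}

    if mode == "SSE-KMS":
        headers = {"x-amz-server-side-encryption": "aws:kms"}
        if kms_key_id:
            # Without this header S3 falls back to the AWS managed key (aws/s3).
            headers["x-amz-server-side-encryption-aws-kms-key-id"] = kms_key_id
        return headers

    if mode == "SSE-C":
        # The raw key travels in the request, so S3 rejects SSE-C over plain HTTP.
        if not endpoint.lower().startswith("https://"):
            raise ValueError("SSE-C requires an HTTPS endpoint")
        if customer_key is None or len(customer_key) != 32:
            raise ValueError("SSE-C needs a 256-bit (32-byte) AES key")
        key_b64 = base64.b64encode(customer_key).decode()
        md5_b64 = base64.b64encode(hashlib.md5(customer_key).digest()).decode()
        return {
            "x-amz-server-side-encryption-customer-algorithm": "AES256",
            "x-amz-server-side-encryption-customer-key": key_b64,
            # S3 uses the MD5 as an integrity check that the key arrived intact.
            "x-amz-server-side-encryption-customer-key-MD5": md5_b64,
        }

    raise ValueError(f"unknown mode {mode!r}")


def sse_c_headers_consistent(headers: Dict[str, str]) -> bool:
    """Check that the SSE-C key header and its MD5 header agree."""
    key = base64.b64decode(headers["x-amz-server-side-encryption-customer-key"])
    want = base64.b64encode(hashlib.md5(key).digest()).decode()
    return headers["x-amz-server-side-encryption-customer-key-MD5"] == want
```

Note that with SSE-C the same three headers must be sent again on every GET: S3 keeps no copy of the key, which is the whole point of the mode and also why losing the key means losing the object.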

Amazon GuardDuty

  • Continuous threat detection built on CloudTrail, VPC Flow Logs and DNS logs. Findings are published to EventBridge (formerly CloudWatch Events); an EventBridge rule can route them to SNS for notification or to Lambda for an automated response.
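The routing step is where the notification target decides what is worth paging on. The example below is added here (not code from the original notes or from AWS) and stands in for the Lambda or SNS target of the EventBridge rule: it checks the event really is a GuardDuty finding, maps the numeric severity to the documented bands (Low 1.0-3.9, Medium 4.0-6.9, High 7.0-8.9) and builds a message only above a threshold. The sample event is constructed with placeholder account, region, id and description; the finding type is a real GuardDuty type.

```python
from typing import Any, Dict, Optional


def severity_label(severity: float) -> str:
    """Map a GuardDuty numeric severity to its documented band."""
    if severity >= 7.0:
        return "High"      # 7.0 - 8.9
    if severity >= 4.0:
        return "Medium"    # 4.0 - 6.9
    return "Low"           # 1.0 - 3.9


def handle_finding(event: Dict[str, Any], notify_from: float = 7.0) -> Optional[Dict[str, Any]]:
    """Decide whether an EventBridge event carrying a GuardDuty finding is forwarded.

    Returns the message to publish (e.g. to SNS), or None when nothing is sent.
    notify_from is an assumed tuning knob, not a GuardDuty setting.
    """
    if event.get("source") != "aws.guardduty" or event.get("detail-type") != "GuardDuty Finding":
        return None            # the rule should already filter this, but never trust the caller
    finding = event["detail"]
    severity = float(finding["severity"])
    if severity < notify_from:
        return None
    return {
        "subject": f"[GuardDuty {severity_label(severity)}] {finding['type']}",
        "account": finding["accountId"],
        "region": finding["region"],
        "resource_type": finding["resource"]["resourceType"],
        "finding_id": finding["id"],
        "message": finding["description"],
    }


# Constructed sample event in the shape EventBridge delivers for a GuardDuty finding.
SAMPLE_EVENT = {
    "source": "aws.guardduty",
    "detail-type": "GuardDuty Finding",
    "region": "us-east-1",
    "detail": {
        "id": "finding-example-0001",                           # placeholder
        "type": "UnauthorizedAccess:IAMUser/MaliciousIPCaller",  # real finding type
        "severity": 5,
        "accountId": "111111111111",                            # placeholder
        "region": "us-east-1",
        "title": "API was invoked from a known malicious IP address.",
        "description": "An IAM principal invoked an API from an IP on a threat list.",
        "resource": {"resourceType": "AccessKey"},
    },
}
```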

IAM

  • The permissions boundary for an IAM entity (user or role) sets the maximum permissions the entity can have. It grants nothing by itself: the effective permissions are the intersection of the boundary and the entity's identity-based policies, and an explicit Deny in either still wins.

AWS Accounts

  • To apply security restrictions across multiple AWS accounts, use a Service Control Policy (SCP) in AWS Organizations. For a single account, use IAM policies. An SCP never grants permissions; it only caps what identities in member accounts can be allowed, and it does not apply to the management account.
  • You can migrate an account to another AWS organization, e.g. if you divest a business unit.
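Both the permissions boundary (IAM section above) and SCPs work the same way: each is a cap that must allow the call, none of them grants anything on its own, and an explicit Deny in any layer ends the evaluation. The example below is added here (not code from the original notes or from AWS) and is a simplified version of that decision logic over plain policy documents; it leaves out resource-based and session policies and does case-insensitive wildcard matching on actions only. The policies, bucket name and account are constructed for the example.

```python
from fnmatch import fnmatchcase
from typing import Dict, List, Optional, Sequence, Union

Policy = Dict[str, object]   # {"Statement": [{"Effect", "Action", "Resource"}, ...]}


def _as_list(value: Union[str, Sequence[str]]) -> List[str]:
    return [value] if isinstance(value, str) else list(value)


def _statement_matches(stmt: Dict[str, object], action: str, resource: str) -> bool:
    # IAM matches Action case-insensitively with * and ? wildcards; this toy keeps
    # the resource ARN match case-sensitive and ignores Condition blocks.
    actions = _as_list(stmt.get("Action", []))
    resources = _as_list(stmt.get("Resource", "*"))
    return (any(fnmatchcase(action.lower(), a.lower()) for a in actions)
            and any(fnmatchcase(resource, r) for r in resources))


def evaluate(policies: Sequence[Policy], action: str, resource: str) -> str:
    """Fold one layer of policies to 'Deny', 'Allow' or 'Implicit' (nothing matched)."""
    verdict = "Implicit"
    for policy in policies:
        for stmt in policy.get("Statement", []):
            if not _statement_matches(stmt, action, resource):
                continue
            if stmt["Effect"] == "Deny":
                return "Deny"          # an explicit deny is never overridden
            verdict = "Allow"
    return verdict


def is_allowed(action: str, resource: str, *,
               identity_policies: Sequence[Policy],
               boundary: Optional[Policy] = None,
               scps: Sequence[Policy] = ()) -> bool:
    """Simplified IAM decision for a principal in an Organizations member account.

    Every layer that applies must allow, and an explicit deny in any layer wins.
    """
    layers = [list(identity_policies)]
    if scps:
        layers.append(list(scps))      # SCPs cap the whole member account
    if boundary is not None:
        layers.append([boundary])      # the boundary caps this one user or role
    results = [evaluate(layer, action, resource) for layer in layers]
    if "Deny" in results:
        return False
    return all(r == "Allow" for r in results)


# Constructed example policies (hypothetical bucket name).
IDENTITY_FULL_S3 = {"Statement": [
    {"Effect": "Allow", "Action": "s3:*", "Resource": "*"}]}
BOUNDARY_READ_ONLY = {"Statement": [
    {"Effect": "Allow", "Action": ["s3:GetObject", "s3:ListBucket"],
     "Resource": "arn:aws:s3:::app-data*"}]}
SCP_NO_EC2 = {"Statement": [
    {"Effect": "Deny", "Action": "ec2:*", "Resource": "*"}]}
```

With these inputs a user holding `IDENTITY_FULL_S3` under `BOUNDARY_READ_ONLY` can read from the bucket but not write to it, a user with only the boundary and no identity policy can do nothing, and `SCP_NO_EC2` blocks EC2 calls in the account even for a principal whose own policy allows them.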

AWS CloudTrail

  • Audit trail of API calls: who called what, when, from which IP, and with what parameters
  • Logs Data Events, i.e. resource-level operations such as S3 object GET/PUT or Lambda invocations, aka Data Plane Operations; off by default and billed separately
  • Logs Management Events, i.e. operations that create, modify or delete resources (e.g. RunInstances, CreateUser), aka Control Plane Operations; on by default
  • CloudTrail does not see network traffic. VPC Flow Logs record IP traffic metadata (addresses, ports, bytes, accept/reject), not packet contents; for full packet capture use VPC Traffic Mirroring.
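Two things worth pulling out of a trail straight away are root user activity (ties back to the root access key advice under Encryption) and calls that switch the trail itself off. The example below is added here (not code from the original notes or from AWS): it splits a CloudTrail log file into management and data events using the record fields CloudTrail emits, then runs those two detections over it. The records are constructed with placeholder ids, times and addresses; the access key id is the placeholder AWS uses in its documentation.

```python
import json
from typing import Dict, List, Tuple

# Constructed sample CloudTrail records; field names follow the CloudTrail record
# format, values are placeholders.
SAMPLE_TRAIL = json.dumps({"Records": [
    {"eventVersion": "1.08", "eventTime": "2024-01-01T10:00:00Z",
     "userIdentity": {"type": "IAMUser", "userName": "alice", "accountId": "111111111111"},
     "eventSource": "ec2.amazonaws.com", "eventName": "RunInstances",
     "eventCategory": "Management", "managementEvent": True, "eventID": "evt-1",
     "sourceIPAddress": "203.0.113.10"},
    {"eventVersion": "1.08", "eventTime": "2024-01-01T10:05:00Z",
     "userIdentity": {"type": "AssumedRole", "accountId": "111111111111"},
     "eventSource": "s3.amazonaws.com", "eventName": "GetObject",
     "eventCategory": "Data", "managementEvent": False, "eventID": "evt-2",
     "sourceIPAddress": "10.0.1.5"},
    {"eventVersion": "1.08", "eventTime": "2024-01-01T10:07:00Z",
     "userIdentity": {"type": "Root", "accountId": "111111111111",
                      "accessKeyId": "AKIAIOSFODNN7EXAMPLE"},
     "eventSource": "cloudtrail.amazonaws.com", "eventName": "StopLogging",
     "eventCategory": "Management", "managementEvent": True, "eventID": "evt-3",
     "sourceIPAddress": "198.51.100.7"},
    {"eventVersion": "1.08", "eventTime": "2024-01-01T10:09:00Z",
     "userIdentity": {"type": "IAMUser", "userName": "bob", "accountId": "111111111111"},
     "eventSource": "s3.amazonaws.com", "eventName": "PutObject",
     "eventCategory": "Data", "managementEvent": False, "eventID": "evt-4",
     "sourceIPAddress": "10.0.1.6"},
]})

# CloudTrail API calls that disable or narrow the audit trail itself.
TRAIL_TAMPER = {"StopLogging", "DeleteTrail", "UpdateTrail", "PutEventSelectors"}


def load_records(trail_json: str) -> List[Dict]:
    return json.loads(trail_json)["Records"]


def is_management(rec: Dict) -> bool:
    """Control-plane (management) vs data-plane (data) event."""
    category = rec.get("eventCategory")
    if category is not None:
        return category == "Management"
    return bool(rec.get("managementEvent", True))   # older records only carry the flag


def split_by_plane(records: List[Dict]) -> Tuple[List[Dict], List[Dict]]:
    management = [r for r in records if is_management(r)]
    data = [r for r in records if not is_management(r)]
    return management, data


def root_activity(records: List[Dict]) -> List[str]:
    """Event IDs of any API call made by the root user; rare enough to alert on."""
    return [r["eventID"] for r in records if r["userIdentity"].get("type") == "Root"]


def root_access_key_usage(records: List[Dict]) -> List[str]:
    """Root calls signed with an access key, i.e. the root key that should not exist."""
    return [r["eventID"] for r in records
            if r["userIdentity"].get("type") == "Root" and r["userIdentity"].get("accessKeyId")]


def trail_tampering(records: List[Dict]) -> List[str]:
    """Event IDs of calls that stop, delete or reconfigure a trail."""
    return [r["eventID"] for r in records
            if r["eventSource"] == "cloudtrail.amazonaws.com" and r["eventName"] in TRAIL_TAMPER]
```

Real trail files are gzipped JSON objects delivered to S3 with the same `Records` array, so the same functions apply once the file is decompressed.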