AWS Identity and Access

The document outlines key concepts related to AWS Identity and Access Management (IAM), cloud security, and compliance with GDPR. It emphasizes the shared responsibility model between AWS and customers regarding security, the importance of cloud risk assessments, and the need for organizations to ensure data protection and compliance with regulations. Additionally, it provides guidance on how to manage personal data in the cloud and the steps necessary for maintaining security and compliance.

Uploaded by shahzad

WS6 – AWS Identity and Access Management (IAM) & Cloud Security and Privacy Issues.

Module: Cyber Security for Business and Network Management.

Session Learning Objectives:

❑ Describe AWS Identity and Access Management (IAM) – Shared Responsibility.

❑ Discuss Cloud Security and Privacy.

❑ Examine cloud Risk Analysis.

❑ Identify General Data Protection Regulation (GDPR) and Compliance for Cloud.

2
AWS Identity and Access Management (IAM)

What is AWS IAM?


❑ Identity and access management is one of the first services you will use in AWS.

❑ This service allows you to define users and the type of access they will be allowed to have.

❑ It is a global service, i.e., IAM resources are available in all regions of the AWS cloud.

❑ It allows you to control access to all your AWS services by writing policies and assigning them to
specific users in order to define operational groups like system administrators, database
administrators, storage administrators, and security administrators.

https://youtu.be/SXSqhTn2DuE
3
AWS Identity and Access Management (IAM- cont.)

What is AWS IAM?

❑ Handles and provides authentication and verification for users, roles, or specific
resources.

❑ IAM is a tool that centrally manages access to launching, configuring,
managing, and terminating resources in your AWS account.

❑ It lets you grant different permissions to different people or applications.

❑ It is a free service. There is no charge for you to define users, groups, roles, and
access control.
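The slides describe IAM policies as the mechanism that controls access for operational groups. The following is an added example, not code from the slides or from AWS, that models the documented evaluation order for identity-based policies (an explicit Deny always wins, otherwise an Allow is required, and with no matching statement the request is implicitly denied) for a constructed "StorageAdministrators" group policy; the bucket names and account id are made up, and condition keys and resource-based policies are out of scope.

```python
"""Simplified AWS IAM policy evaluation (added example; not from the slides)."""
import fnmatch
import json

# Constructed policy for a hypothetical "StorageAdministrators" group:
# full S3 administration, but never deletion inside the audit-log bucket.
STORAGE_ADMIN_POLICY = json.loads("""{
  "Version": "2012-10-17",
  "Statement": [
    {"Effect": "Allow", "Action": "s3:*", "Resource": "*"},
    {"Effect": "Deny",
     "Action": ["s3:DeleteBucket", "s3:DeleteObject*"],
     "Resource": ["arn:aws:s3:::audit-logs-example",
                  "arn:aws:s3:::audit-logs-example/*"]}
  ]
}""")


def _as_list(value):
    return value if isinstance(value, list) else [value]


def _matches(patterns, value, case_insensitive=False):
    """'*' and '?' are IAM wildcards. Action names are case-insensitive; ARNs are not."""
    patterns = _as_list(patterns)
    if case_insensitive:
        value = value.lower()
        patterns = [p.lower() for p in patterns]
    return any(fnmatch.fnmatchcase(value, p) for p in patterns)


def evaluate(policies, action, resource):
    """Return 'Allow' or 'Deny' for one request across all attached policies."""
    allowed = False
    for policy in policies:
        for stmt in policy["Statement"]:
            if not (_matches(stmt["Action"], action, case_insensitive=True)
                    and _matches(stmt["Resource"], resource)):
                continue
            if stmt["Effect"] == "Deny":
                return "Deny"              # explicit deny overrides any allow
            allowed = True
    return "Allow" if allowed else "Deny"  # implicit deny when nothing matches


if __name__ == "__main__":
    for action, res in [("s3:PutObject", "arn:aws:s3:::reports-example/q1.csv"),
                        ("s3:DeleteObject", "arn:aws:s3:::audit-logs-example/2024/x.log"),
                        ("ec2:TerminateInstances", "arn:aws:ec2:eu-west-1:111122223333:instance/i-abc")]:
        print(f"{action:24} -> {evaluate([STORAGE_ADMIN_POLICY], action, res)}")
```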

https://youtu.be/4y_V-u6fIPU
4
Cloud Security and Privacy

What is cloud security and privacy?

Security is one of the main concerns threatening the survival of the cloud ecosystem. The main concerns include:

❑ Data breaches.
❑ Data loss.
❑ Network Security.
❑ Data Access.
❑ System vulnerabilities.
❑ Account hijacking.
❑ Malicious insider.
❑ Advanced persistent threats.

5
Image source : https://now.symassets.com
Cloud Security and Privacy
What is cloud security and privacy?
Data breaches: occur when an unauthorised third party maliciously gains access to data at rest in cloud
infrastructure or data in motion, compromising its integrity.

Network security: this happens when an elastic cloud infrastructure is incorrectly configured or has
unauthorised access, leading to data leakage.

Data locality: cloud consumers are not aware of where their data is stored due to virtualization, but there
are legal implications for using, sharing, and storing data that exist and vary from one country to another.

System vulnerabilities: exploitable programme bugs in the operating systems.

Account hijacking: stealing and using the account details of a legitimate user for disreputable purposes.

Malicious insider: can be anyone who has current access, or a former disgruntled employee.

Advanced persistent threats: secretive computer network attacks in which assault code is injected into a
vulnerable system and remains undetected over a long period of time.

Shared technology, shared dangers: vulnerable and misconfigured components of a cloud service in a
shared multi-tenant cloud system.

Compromised credentials and broken authentication: many cloud applications are geared towards client
interaction, thereby exposing open cloud services to malicious clients.
6
Cloud Risk Analysis

What is cloud risk analysis?

❑ Cloud security assessment involves evaluating an organisation's cloud infrastructure in order to
ascertain its level of security.

❑ This procedure is crucial for any cloud-based organisation to gain a deeper understanding of
existing threats and identify any vulnerabilities.

❑ The outcome entails identifying potential entry points, detecting indications of potential
compromise, and implementing future safeguards to enhance the protection of vital assets.

7
Cloud Risk Analysis

❑ The transition to enterprise cloud computing is growing rapidly, potentially outgrowing security
processes and practices.

❑ The sheer scale of the cloud, with cloud estates spanning across multiple clouds, accounts,
workloads, and applications, makes proper security a challenge.

❑ Malicious actors are not only able to enter environments via improper network configurations,
workload vulnerabilities, and compromised identity credentials, but they can also execute recon
once in an environment.

❑ Attackers exploit overprivileged identities to move laterally through an environment in search of
an accumulation of power or the right high-value asset.

8
Benefits of cloud risk assessment

❑ Detect Compromise: Performing a cloud risk assessment is not the same as auditing your
cloud for signs of compromise, but it is an opportunity to come across variances from what the
normal baseline looks like—an identity accessing an asset from a location they never had
before. These are signs of potential compromise and may help you catch onto an attacker’s
activity.

❑ Better Secure Assets: A risk assessment is an opportunity to start at the core of your business—the
data itself—and work outwards to determine every entity that can access this information.

❑ Remain Compliant: Cloud service providers follow requirements like ISO/IEC 27001, ISO/IEC 27002,
and NIST SP 800-53, which all require risk assessments, not to mention an organisation’s own internal
standards or industry requirements.
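The "Detect Compromise" benefit above is the baseline-deviation idea: an identity appearing from a location it has never used before. The following is an added example, not from the slides, that learns per-identity (source network, region) pairs from constructed CloudTrail-style records during a baseline window and flags later events from never-seen locations; the ARNs, addresses and dates are constructed, and collapsing addresses to a /24 is an assumed tuning choice.

```python
"""Baseline-deviation check over CloudTrail-style events (added example; not from the slides)."""
import ipaddress
from collections import defaultdict

ALICE = "arn:aws:iam::111122223333:user/alice"        # constructed identities
CI = "arn:aws:iam::111122223333:role/ci-deploy"

# Constructed events in the shape of CloudTrail records (fields trimmed).
EVENTS = [
    {"eventTime": "2024-04-01T08:02:11Z", "userIdentity": {"arn": ALICE},
     "sourceIPAddress": "203.0.113.10", "awsRegion": "eu-west-1", "eventName": "GetObject"},
    {"eventTime": "2024-04-02T09:15:40Z", "userIdentity": {"arn": ALICE},
     "sourceIPAddress": "203.0.113.22", "awsRegion": "eu-west-1", "eventName": "ListBuckets"},
    {"eventTime": "2024-04-03T10:30:05Z", "userIdentity": {"arn": CI},
     "sourceIPAddress": "198.51.100.7", "awsRegion": "eu-west-1", "eventName": "PutObject"},
    # After the baseline window: alice from a new network and region; ci-deploy from its usual place.
    {"eventTime": "2024-04-20T03:44:19Z", "userIdentity": {"arn": ALICE},
     "sourceIPAddress": "192.0.2.55", "awsRegion": "ap-southeast-1", "eventName": "GetObject"},
    {"eventTime": "2024-04-20T04:00:00Z", "userIdentity": {"arn": CI},
     "sourceIPAddress": "198.51.100.9", "awsRegion": "eu-west-1", "eventName": "PutObject"},
]


def _network(ip, prefix=24):
    """Collapse an address to its /24 so address churn inside one office does not alert."""
    return str(ipaddress.ip_network(f"{ip}/{prefix}", strict=False))


def build_baseline(events, until):
    """Map identity -> set of (network, region) pairs seen strictly before `until`."""
    seen = defaultdict(set)
    for e in events:
        if e["eventTime"] < until:   # ISO-8601 UTC timestamps compare correctly as strings
            seen[e["userIdentity"]["arn"]].add((_network(e["sourceIPAddress"]), e["awsRegion"]))
    return seen


def find_deviations(events, baseline, since):
    """Return (identity, event, network, region) for events at/after `since` from a new location."""
    flagged = []
    for e in events:
        if e["eventTime"] < since:
            continue
        key = (_network(e["sourceIPAddress"]), e["awsRegion"])
        if key not in baseline.get(e["userIdentity"]["arn"], set()):
            flagged.append((e["userIdentity"]["arn"], e["eventName"], *key))
    return flagged


if __name__ == "__main__":
    base = build_baseline(EVENTS, until="2024-04-15T00:00:00Z")
    for hit in find_deviations(EVENTS, base, since="2024-04-15T00:00:00Z"):
        print("review:", hit)
```

An identity with no baseline at all (a brand-new role) is flagged on its first event, which is the intended behaviour for a review queue.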

9
Cloud Risk Analysis(Cont.)

What are the benefits of cloud risk assessment?


❑ Prevent Misconfigurations: Cloud misconfigurations are a leading cause of attacker entry. These
misconfigurations are caused by improper or insufficient use of controls within the cloud environment.

❑ Reveal Risky Identities and Permissions: Microservices and a proliferation of machine identities,
such as APIs, roles, service accounts, serverless functions, and more, largely run the cloud.

10
Cloud Risk Assessment steps
What are the key steps for a Cloud Security Risk Assessment?

❑ Identify assets - involves gathering a proper inventory of all assets present in your estate.

❑ Classify and prioritize - helps by establishing what the asset is, where it is, and how valuable it is
to the organization.

❑ Identify threats - perform vulnerability tests to reveal any potential points of entry an attacker could
exploit, and check that identities follow the Principle of Least Privilege. This states that identities
should hold only the permissions absolutely necessary to their job function.

❑ Evaluate risk.

❑ Implement controls.
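The "Identify threats" step checks identities against the Principle of Least Privilege, and the earlier slide flagged overprivileged identities as the foothold for lateral movement. The following is an added example, not from the slides, that scans constructed identity-based policy documents and reports Allow statements broader than a job function normally needs (all actions, a whole service's actions, or NotAction grants, each on every resource); the identity names and policies are made up.

```python
"""Least-privilege review of identity-based policies (added example; not from the slides)."""

# Constructed identity -> attached policy documents (simplified IAM JSON shape).
IDENTITIES = {
    "role/ci-deploy": [{"Statement": [
        {"Effect": "Allow", "Action": ["s3:PutObject", "s3:GetObject"],
         "Resource": "arn:aws:s3:::app-artifacts-example/*"}]}],
    "user/dba-bob": [{"Statement": [
        {"Effect": "Allow", "Action": "rds:*", "Resource": "*"}]}],
    "user/legacy-admin": [{"Statement": [
        {"Effect": "Allow", "Action": "*", "Resource": "*"}]}],
    "role/lambda-reader": [{"Statement": [
        {"Effect": "Allow", "NotAction": "iam:*", "Resource": "*"}]}],
    "role/bucket-owner": [{"Statement": [
        {"Effect": "Allow", "Action": "s3:*", "Resource": "arn:aws:s3:::one-bucket-example/*"}]}],
}


def _as_list(v):
    return v if isinstance(v, list) else [v]


def statement_findings(stmt):
    """Return findings for one statement; empty when it is a Deny or looks scoped."""
    if stmt.get("Effect") != "Allow":
        return []
    findings = []
    if "NotAction" in stmt:
        findings.append("NotAction grants everything except the listed actions")
    for action in _as_list(stmt.get("Action", [])):
        if action == "*":
            findings.append("full administrative access (Action: *)")
        elif action.endswith(":*"):
            findings.append(f"service-wide wildcard ({action})")
    # A wildcard scoped to named resources is a lesser concern; report only grants on "*".
    if "*" not in _as_list(stmt.get("Resource", [])):
        return []
    return [f + " on all resources" for f in findings]


def review(identities):
    """Map identity -> list of findings; an identity with an empty list passes the check."""
    return {name: [f for p in policies for s in p["Statement"] for f in statement_findings(s)]
            for name, policies in identities.items()}


if __name__ == "__main__":
    for name, findings in review(IDENTITIES).items():
        print(name, "->", findings or ["ok"])
```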

11
Steps to mitigate Cloud security risks

Steps to mitigate cloud security risks:

❑ Preventative Controls: Once you identify risks, the next step is to implement controls to prevent future
concerns.

❑ Detective Controls: Detective controls can be implemented to ensure future detection of cloud risks.
Continuous monitoring features in security tools are an excellent example.

❑ Corrective Controls: Corrective controls include things like policy updates, patching vulnerabilities, rotating
access keys, or cleaning up unused or orphaned identities.
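Two of the corrective controls named above, rotating access keys and cleaning up unused identities, can be driven from key metadata. The following is an added example, not from the slides or from AWS, that triages constructed records in the shape returned by IAM's ListAccessKeys and GetAccessKeyLastUsed calls; the user names, key ids and dates are constructed, and the 90-day thresholds are an assumed organisational policy, not an AWS default.

```python
"""Access-key hygiene triage (added example; not from the slides)."""
from datetime import datetime, timedelta, timezone

NOW = datetime(2024, 4, 12, tzinfo=timezone.utc)   # fixed 'today' so the output is reproducible
MAX_KEY_AGE = timedelta(days=90)                   # assumed rotation policy
MAX_IDLE = timedelta(days=90)                      # assumed inactivity policy


def _utc(y, m, d):
    return datetime(y, m, d, tzinfo=timezone.utc)


# Constructed records: one row per access key (LastUsedDate is None for a never-used key).
KEYS = [
    {"UserName": "alice", "AccessKeyId": "AKIAEXAMPLE000000001", "Status": "Active",
     "CreateDate": _utc(2024, 3, 1), "LastUsedDate": _utc(2024, 4, 11)},
    {"UserName": "alice", "AccessKeyId": "AKIAEXAMPLE000000002", "Status": "Active",
     "CreateDate": _utc(2023, 9, 1), "LastUsedDate": _utc(2024, 4, 10)},
    {"UserName": "svc-backup", "AccessKeyId": "AKIAEXAMPLE000000003", "Status": "Active",
     "CreateDate": _utc(2023, 12, 1), "LastUsedDate": None},
    {"UserName": "contractor-old", "AccessKeyId": "AKIAEXAMPLE000000004", "Status": "Inactive",
     "CreateDate": _utc(2022, 6, 1), "LastUsedDate": _utc(2023, 1, 5)},
]


def triage(key, now=NOW):
    """Return (action, reason) for one key: keep, rotate, deactivate or delete."""
    if key["Status"] != "Active":
        return "delete", "already inactive; remove it so it cannot be re-enabled"
    # A key that was never used has been idle since it was created.
    idle_since = key["LastUsedDate"] or key["CreateDate"]
    if now - idle_since > MAX_IDLE:
        return "deactivate", f"no use for {(now - idle_since).days} days"
    if now - key["CreateDate"] > MAX_KEY_AGE:
        return "rotate", f"key is {(now - key['CreateDate']).days} days old"
    return "keep", "within age and activity limits"


def plan(keys, now=NOW):
    """Map AccessKeyId -> (action, reason) for a whole key inventory."""
    return {k["AccessKeyId"]: triage(k, now) for k in keys}


if __name__ == "__main__":
    for key_id, (action, reason) in plan(KEYS).items():
        print(f"{key_id}: {action:10} {reason}")
```

Deactivating before deleting gives a grace period in which a still-needed key can be re-enabled, which is why inactive keys, not active ones, are the deletion candidates here.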

12
General Data Protection Regulation(GDPR) and Compliance for Cloud

Overview of GDPR in Cloud

To be compliant with the GDPR as cloud users, ensure you follow these practical tips:

❑ Overview: Make a comprehensive list of all the cloud apps and services you use in your business.
Find out where they overlap and limit their use to the most efficient apps.

❑ Data location: find out where these apps store your data. Please note that the headquarters of the
provider is rarely the place where your data are stored. Moreover, the data may be distributed across
different data centres.

❑ Protection of data against loss, alteration, or unauthorised processing. Ensure that the apps meet
security standards.

13
General Data Protection Regulation(GDPR) and Compliance for Cloud

Overview of GDPR in Cloud(cont.)


▪ Data processing agreement: limit the use of cloud apps to those apps that you really need and that meet the requirements
mentioned above. Enter into a processing agreement with the provider that ensures GDPR compliance.

Make sure the agreement includes the following provisions:

▪ Only the necessary data: the app provider may only collect the personal data of your users or staff that is necessary for the
operation of the app. Pay particular attention when collecting 'sensitive' data, such as race or ethnic origin, political
opinions, religious beliefs, etc.

▪ Limited use: the data may only be used in connection with the app and may not be shared with other users.
▪ Ownership: the user remains the owner of his or her data.
▪ Portability: the app provider provides a procedure for the user to access the data collected about him or her.
▪ Data deletion: all data will be deleted immediately when you stop using the service.

▪ Keep in mind that fines for GDPR non-compliance can be extremely expensive!

14
AWS Shared Responsibility Model

What is AWS Shared Responsibility Model?

❑ Security and compliance are shared responsibilities between AWS and customers.

❑ The AWS shared responsibility model indicates which part of security is handled by AWS and
which part is handled by the customers.

❑ We can say that AWS is responsible for the security of the cloud, i.e., everything related to the
physical implementation: the physical facilities and systems.

❑ According to the model, customers are responsible for security in the cloud, i.e., securing every
application and data set that they implement in the cloud.

Image source : https://awsacademy.com


15
AWS Shared Responsibility Model

What is AWS Shared Responsibility Model?

❑ AWS is responsible for protecting the infrastructure, including the hardware, software, networking,
and facilities that run the AWS cloud services.

❑ The customer is responsible for the encryption of data at rest and the encryption of data in
transit from one system to another.

❑ The customer should ensure that the network is configured for security.

❑ Customers should manage security credentials and logins safely.

❑ The customer should ensure firewall configuration and the security of the operating system and
applications that run on any computer instances they launch, e.g., using the Amazon EC2 service.

16
AWS Shared Responsibility Model

What is AWS Responsibility in Cloud?

❑ AWS is responsible for the security of the physical data centre.

❑ AWS is responsible for the security of the global infrastructure that runs all the services
offered by the AWS cloud. The global infrastructure includes AWS regions, availability zones,
and edge locations.

❑ AWS is responsible for the physical infrastructure that holds your resources, including
redundancy and intrusion detection. They provide these so you can take advantage of compute,
storage, databases, networking, and other services that are available.

❑ AWS ensures that the virtualization infrastructure provides isolation between customer
workloads. E.g., EC2 instances of one customer are isolated from the computing environments
of another customer.

Image source : https://awsacademy.com


17
AWS Shared Responsibility Model

What is Customer Responsibility in Cloud?


❑ As a customer, you are responsible for what you deploy when using
AWS services.

❑ The security steps to undertake depend on what you use and the
complexity of your applications.

❑ If you use EC2, you are responsible for the operating system that runs on your EC2
instances.

❑ You are responsible for securing your applications and your security
groups and network settings appropriately.

❑ You are responsible for managing the security of your AWS data.

❑ When you use the AWS service, you maintain full control over your
data.

Image source : https://awsacademy.com


18
Activity : Group Presentation (1 hour)

LogicMeld Corporation is a multinational corporation specialising in e-commerce. They store customer data,
including personal information such as names, addresses, and payment details, in the cloud. With operations
expanding globally, LogicMeld Corporation recognises the importance of maintaining GDPR compliance to protect
customer data and avoid regulatory penalties. You have been assigned to prepare a presentation for the top
executives, in groups, capturing the following:

Group A : How LogicMeld Corp. can map and classify the personal data they store in the cloud. Measures they need to put in
place to ensure accurate and up-to-date data mapping.

Group B: The criteria LogicMeld Corp. needs to consider when selecting cloud service providers in terms of GDPR compliance.
How can LogicMeld Corp. ensure that their chosen providers adhere to GDPR standards?

Group C : How can LogicMeld Corp. ensure lawful international transfers of personal data from the EU to countries outside the
European Economic Area (EEA)? What training and awareness programmes can LogicMeld Corp. provide to employees
regarding GDPR compliance and cloud data handling?

Group D: How does LogicMeld Corp. ensure that employees understand their responsibilities and follow best practices? What
strategies does LogicMeld Corporation employ to adapt to evolving regulatory requirements and technological advancements?

19
How does this unit link to the Employability Pyramid?

How do you relate the knowledge and skills acquired during this
workshop to your overall employability and enhance your
employability in the current job market?

Any Questions?

21
Thank you
References

1. aws.amazon.com (n.d.) How to perform a cloud risk assessment. Available from: https://securityboulevard.com/2023/08/how-to-perform-a-cloud-risk-assessment/#:~:text=A%20cloud%20security%20risk%20assessment%20is%20an%20analysis,present%20risks%20and%20determine%20gaps%20in%20security%20coverage. (Accessed 12th April 2024).

2. Combell.com (2020) Cloud Computing and GDPR: What you need to know? Available from: https://www.combell.com/en/blog/cloud-computing-and-gdpr/ (Accessed 12th April 2024).

3. Hiran, K.K. et al. (2019) Cloud Computing: Master Cloud Computing Concepts, Architecture and Applications with Real-world Examples and Case Studies. BPB Publications.

4. now.symassets.com (n.d.) Cloud security risk you need to know. Available from: https://now.symassets.com/content/dam/norton/global/images/non-product/misc/tlc/cloud-security-risk-you-need-to-know.png/ (Accessed 12th April 2024).

5. Prajapati, A., Ruiz, J.C. and Tamassia, M. (2023) AWS Cloud Computing Concepts and Tech Analogies. Packt Publishing Ltd.

6. Shea, T. (2023) How to Perform a Cloud Risk Assessment. Available from: https://securityboulevard.com/2023/08/how-to-perform-a-cloud-risk-assessment/#:~:text=A%20cloud%20security%20risk%20assessment%20is%20an%20analysis,present%20risks%20and%20determine%20gaps%20in%20security%20coverage. (Accessed 12th April 2024).

23
