In a brand new series, I am building a web-based application on AWS to help illustrate the basics of cloud computing. This series of articles is ideal for anyone new to AWS and security professionals that want to understand some key principles of securing AWS workloads in the cloud.
If you are brand new to AWS, don’t worry because I step you through every part of the process of building this basic application to help you get started in your AWS cloud computing journey.
If you are a security professional, this series will be very helpful to you because it is critical that you understand the assets, architecture, and attack surface in order to be able to properly recommend security controls and countermeasures in the context of your own AWS environment.
To benefit the most from this series of articles, a basic background in IT would be helpful.
The Web Phonebook Application will allow you to create, edit, update, and delete (CRUD) your most important contact information from anywhere in the world via this cloud application hosted on the AWS cloud platform.
The Web Phonebook Application will be accessible via a web browser on any computing device such as a mobile phone, tablet, or computer.
The solution will also be scalable because we are using Amazon EC2 Auto Scaling which directs traffic to the application based on demand.
For security and identity management, we will be using Amazon IAM.
- The application will be built in an AWS VPC (Virtual Private Cloud) and hosted on EC2 instances.
- The information will be stored in Amazon RDS (relational database service).
- Images will be stored in S3 buckets.
- We will use Amazon Cloudwatch to monitor the application’s health.
Before building and deploying any AWS cloud-based resource, make sure you fully understand the AWS Shared Responsibility Model. By understanding the model, you will know what aspects of security you are responsible for versus AWS. Don’t assume anything and read this document carefully.
In the next article, I dig into more of the details before starting the development process. If you are brand new to AWS, don’t worry because I step you through every part of the process of building this basic application to help you get started in your AWS cloud computing journey.
- AWS Overview
- AWS Regions and Availability Zones
- AWS Global Infrastructure
- Tools To Build With on AWS
- AWS Shared Responsibility Model
- AWS VPC (Virtual Private Cloud)
- Amazon EC2 Compute
- Amazon EC2 Auto Scaling
- Amazon RDS (Relational Database Service)
- S3 Object Storage Buckets
- Amazon IAM (Identity & Access Management)
- ELB (Elastic Load Balancing)
- Amazon Cloudwatch
Tim Layton specializes in demystifying the complexities and technical jargon associated with cloud computing security and risk management for business stakeholders across the enterprise. Tim is a cloud security thought leader defining actionable and defensible strategies to help enterprise stakeholders make risk-based decisions and prioritize investments in the new digital frontier.
Stay Connected With Tim Layton
Get My Free Cloud Security Journal
COMMON CYBERSECURITY RISK TERMS DEFINED
Threat: Any circumstance or event with the potential to adversely impact organizational operations (including mission, functions, image, or reputation), organizational assets, individuals, other organizations, or the Nation through an information system via unauthorized access, destruction, disclosure, or modification of information, and/or denial of service. (NIST 800–30)
Threat: potential cause of an unwanted incident, which can result in harm to a system or organization. (ISO 27001)
Vulnerability: Weakness in an information system, system security procedures, internal controls, or implementation that could be exploited by a threat source. (NIST 800–30)
Vulnerability: weakness of an asset or control that can be exploited by one or more threats. (ISO 27001)
Likelihood: A weighted factor based on a subjective analysis of the probability that a given threat is capable of exploiting a given vulnerability or a set of vulnerabilities. (NIST 800–30)
Likelihood: chance of something happening. (ISO 27001)
Risk: A measure of the extent to which an entity is threatened by a potential circumstance or event, and typically a function of (i) the adverse impacts that would arise if the circumstance or event occurs; and (ii) the likelihood of occurrence. (NIST 800–30)
Risk: effect of uncertainty on objectives. (ISO 27001)
Security Controls: The management, operational, and technical controls (i.e., safeguards or countermeasures) prescribed for an information system to protect the confidentiality, integrity, and availability of the system and its information. (NIST 800–30)
Compensating Security Control: A management, operational, and/or technical control (i.e., safeguard or countermeasure) employed by an organization in lieu of a recommended security control in the low, moderate, or high baselines that provides equivalent or comparable protection for an information system. (NIST 800–30)
Impact Level: The magnitude of harm that can be expected to result from the consequences of unauthorized disclosure of information, unauthorized modification of information, unauthorized destruction of information, or loss of information or information system availability. (NIST 800–30)
Residual Risk: Portion of risk remaining after security measures have been applied. (NIST 800–30)
Security Posture: The security status of an enterprise’s networks, information, and systems based on information assurance resources (e.g., people, hardware, software, policies) and capabilities in place to manage the defense of the enterprise and to react as the situation changes. (NIST 800–30)
Get My Free Cloud Security Journal