Security and Compliance in AWS

Jason Moore

These are my notes and thoughts on security and compliance on AWS.

Security as a Primary Focus in AWS

Security stands as one of the most critical priorities for Amazon Web Services (AWS) across all its offerings. One of the most significant advantages of leveraging a cloud provider like AWS is the ability to implement extraordinarily robust security measures. Due to economies of scale, AWS can deploy security mechanisms that far surpass what most individual organizations could feasibly achieve, both in terms of financial investment and technical expertise. The sheer scale of AWS’s infrastructure allows for advanced threat detection, continuous monitoring, and rapid response capabilities that would be prohibitively expensive or complex for a single enterprise to replicate in an on-premises environment.

The Shared Responsibility Model

In any large-scale IT ecosystem—especially one as intricate as a cloud platform—responsibilities are divided across multiple layers of services and components. AWS operates under a Shared Responsibility Model, which clearly delineates the security obligations between AWS and its customers.

At the foundational level, AWS assumes full responsibility for the physical and infrastructural security of its data centers. This encompasses everything from the structural integrity of facilities, power redundancy, cooling systems, and physical access controls to the underlying network hardware, cabling, and virtualization layers (including hypervisors, CPU, memory, and storage resources).

However, the division of responsibilities shifts depending on the service model being used:

  • Infrastructure as a Service (IaaS):

    • AWS manages the host infrastructure, including the physical hardware and virtualization layer.

    • The customer is responsible for everything from the operating system upward, including guest OS security, application configurations, network policies, and data protection.

  • Platform as a Service (PaaS):

    • AWS takes on a larger role, managing not just the infrastructure but also the runtime environment, middleware, and development frameworks.

    • The customer’s responsibility is limited to application code and data management, making PaaS particularly advantageous for DevOps teams who need rapid deployment without worrying about OS patching or middleware maintenance.

  • Software as a Service (SaaS):

    • AWS handles all aspects of the software stack, from infrastructure to application maintenance.

    • The customer’s role is minimal, typically restricted to user management, data input, and basic configuration.

Understanding this model is crucial for ensuring compliance and avoiding security gaps.

Managed vs. Unmanaged Services

A key decision for organizations using AWS is whether to opt for managed or unmanaged services. Each approach has distinct advantages and trade-offs:

  • Managed Services:

    • AWS assumes responsibility for installation, patching, updates, and security of the resource.

    • Ideal for organizations that prefer hands-off management, allowing internal teams to focus on business logic rather than infrastructure upkeep.

    • Typically comes at a higher cost due to the added convenience and reduced operational burden.

  • Unmanaged Services:

    • The customer retains full control but must handle maintenance, security, and troubleshooting.

    • Offers greater flexibility and lower costs but requires in-house expertise to manage effectively.

The choice depends on an organization’s technical capabilities, budget, and strategic priorities.

Regulatory Compliance in AWS

For applications handling sensitive data—such as financial records, healthcare information, or government data—regulatory compliance is non-negotiable. AWS assists customers in meeting these obligations through AWS Artifact, a service accessible via the AWS Management Console.

AWS Artifact provides:

  • Certification reports and audit documents from third-party assessors (e.g., SOC, ISO, PCI-DSS).

  • The ability to review and accept compliance agreements for specific regulatory frameworks.

  • Options to terminate agreements if compliance requirements change.

This service simplifies adherence to standards like GDPR, HIPAA, and FedRAMP by centralizing compliance documentation.

Data Security Strategies

Protecting data in the cloud requires a multi-layered approach, including:

  1. Encryption – Essential for ensuring confidentiality in a multi-tenant environment.

  2. Key Management – Securing cryptographic keys to prevent unauthorized access.

  3. Masking & Obfuscation – Hiding sensitive data in non-production environments.

  4. Tokenization – Replacing sensitive data with non-sensitive placeholders.

  5. Anonymization – Removing personally identifiable information (PII) from datasets.

Encryption in Different Data States

  • Data in Transit:

    • Most vulnerable during transmission (e.g., between services or to end-users).

    • TLS/SSL (HTTPS) is the standard for securing web traffic.

    • AWS ensures encryption between its services, but customers must enforce it for external communications.

  • Data at Rest:

    • Refers to stored data on disks, databases, or backups.

    • Requires volume encryption, database-level encryption, or application-layer encryption.

    • Unlike traditional data centers, cloud environments retain VM images even when powered off, necessitating strong encryption.

  • Data in Use:

    • Actively processed data (e.g., in memory or during computation).

    • Solutions like Information Rights Management (IRM) help control access dynamically.

Challenges with Encryption

  • Key Security – If keys are compromised, encryption fails.

  • Performance Overhead – Encryption can impact system speed.

  • Vendor Lock-in – Proprietary encryption may hinder migration.

Hashing for Data Integrity

Hashing converts data into a fixed-length fingerprint, enabling quick integrity verification. This is particularly useful in cloud environments where:

  • VM images may be replicated across regions.

  • Large datasets require validation without full comparison.

Common hashing algorithms (SHA-256, MD5) ensure that files remain unaltered.

Key Management Best Practices

Since encryption keys are the linchpin of security, their management is critical:

  • Store keys in trusted systems (e.g., AWS Key Management Service).

  • Limit access to keys using IAM policies.

  • Rotate keys periodically to mitigate exposure risks.

In cloud environments, shared infrastructure adds complexity, making it essential to evaluate whether the provider’s key management meets compliance needs.

Tokenization for Data Protection

Tokenization replaces sensitive data (e.g., credit card numbers) with randomized tokens that are meaningless outside the system. Benefits include:

  • Reduced compliance scope (since real data isn’t stored).

  • No performance overhead (unlike encryption).

  • Seamless integration with existing applications.

Data Loss Prevention (DLP)

DLP strategies prevent unauthorized data exposure through:

  1. Discovery & Classification – Identifying sensitive data across systems.

  2. Monitoring – Tracking data movement and access patterns.

  3. Enforcement – Blocking policy violations (e.g., unauthorized file transfers).

DLP Challenges in Cloud

  • Data dispersion across regions complicates tracking.

  • Dynamic storage makes it harder to maintain consistent controls.

  • Endpoints (e.g., mobile devices) require additional safeguards.

Data De-identification Techniques

To protect privacy, organizations use:

  • Static Masking – Creating sanitized copies of datasets for testing.

  • Dynamic Masking – Real-time redaction based on user permissions.

  • Anonymization – Removing indirect identifiers (e.g., age, location) to prevent re-identification.

AWS Identity and Access Management (IAM)

IAM governs who can access AWS resources and what they can do. Best practices include:

  • Avoiding the Root Account – Use IAM users with least-privilege access.

  • Enabling Multi-Factor Authentication (MFA) – Adds an extra layer of security.

  • Leveraging Groups & Roles – Simplifies permission management at scale.

Federated Access (SAML/Active Directory)

  • Allows integration with existing identity providers (e.g., Microsoft AD).

  • Eliminates the need for duplicate user accounts in AWS.

AWS Support Plans

While AWS offers a free basic support tier, production environments should consider:

  • Developer/Business Support – Faster response times, technical guidance.

  • Enterprise Support – Dedicated account managers, infrastructure reviews.

You should also read: