
Security pillar principles in AWS - Commands & Configuration

Introduction
Security is about protecting your cloud resources and data from unauthorized access and mistakes. The security pillar principles help you build safe and trustworthy systems in the cloud.
When you want to control who can access your cloud resources and what they can do
When you need to protect sensitive data like passwords, personal info, or payment details
When you want to monitor your cloud environment for unusual activity or threats
When you need to respond quickly to security incidents or breaches
When you want to follow best practices to keep your cloud setup secure and compliant
Commands
This command creates an IAM user named 'example-user'. A new user has no permissions and no credentials until you grant them, so on its own the command grants nothing. Prefer IAM roles for workloads and federated access (IAM Identity Center) for people; create long-lived IAM users only where a role will not work.
Terminal
aws iam create-user --user-name example-user
Expected Output
{
  "User": {
    "Path": "/",
    "UserName": "example-user",
    "UserId": "AIDAEXAMPLEUSERID",
    "Arn": "arn:aws:iam::123456789012:user/example-user",
    "CreateDate": "2024-06-01T12:00:00Z"
  }
}
--user-name - Specifies the name of the new IAM user
This command attaches the AWS managed ReadOnlyAccess policy to the user. It is a reasonable starting point, but it is not least privilege: it grants read access to almost every service in the account, including the contents of S3 objects. Least privilege means scoping both the actions and the resources to what the user's job actually requires, usually with a customer managed or inline policy.
Terminal
aws iam attach-user-policy --user-name example-user --policy-arn arn:aws:iam::aws:policy/ReadOnlyAccess
Expected Output
No output (command runs silently)
--user-name - Specifies the user to attach the policy to
--policy-arn - Specifies the ARN of the policy to attach
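The attach command above hands out the account-wide ReadOnlyAccess policy. As an added example (not from the original page), the following Python builds a policy scoped to a single bucket and lints any policy document for the over-broad statements a least-privilege review should catch: Allow with Action "*", a service-wide "service:*", Resource "*", or Allow combined with NotAction. The bucket name and the OVERBROAD_POLICY counter-example are constructed for illustration.

```python
"""Added example: a scoped alternative to ReadOnlyAccess plus a lint pass
for over-broad IAM statements. Bucket name and sample policies are hypothetical."""
import json
from typing import Any, Dict, List


def scoped_read_policy(bucket: str) -> Dict[str, Any]:
    """Allow listing and reading objects in one named bucket and nothing else."""
    return {
        "Version": "2012-10-17",
        "Statement": [
            {"Sid": "ListOneBucket", "Effect": "Allow",
             "Action": ["s3:ListBucket"],
             "Resource": f"arn:aws:s3:::{bucket}"},
            {"Sid": "ReadObjectsInOneBucket", "Effect": "Allow",
             "Action": ["s3:GetObject"],
             "Resource": f"arn:aws:s3:::{bucket}/*"},
        ],
    }


# Constructed counter-example of an "it just needs to work" policy.
OVERBROAD_POLICY: Dict[str, Any] = {
    "Version": "2012-10-17",
    "Statement": [
        {"Sid": "AllowEverything", "Effect": "Allow", "Action": "*", "Resource": "*"},
        {"Sid": "EverythingButIam", "Effect": "Allow", "NotAction": "iam:*", "Resource": "*"},
    ],
}


def _as_list(value: Any) -> List[Any]:
    """IAM accepts a string or a list for Statement/Action/Resource; normalise to a list."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def lint_policy(policy: Dict[str, Any]) -> List[str]:
    """Return one finding per Allow statement that is wider than least privilege."""
    findings: List[str] = []
    for stmt in _as_list(policy.get("Statement")):
        if stmt.get("Effect") != "Allow":
            continue  # Deny statements only narrow access
        sid = stmt.get("Sid", "<no Sid>")
        if "NotAction" in stmt:
            findings.append(f"{sid}: Allow with NotAction grants every action except those listed")
        for action in _as_list(stmt.get("Action")):
            if action == "*":
                findings.append(f"{sid}: Action '*' grants every API call")
            elif action.endswith(":*"):
                findings.append(f"{sid}: Action '{action}' grants an entire service")
        if "*" in _as_list(stmt.get("Resource")):
            findings.append(f"{sid}: Resource '*' applies to every resource in the account")
    return findings


def policy_document(policy: Dict[str, Any]) -> str:
    """Serialise for: aws iam put-user-policy --policy-document file://policy.json"""
    return json.dumps(policy, indent=2)


if __name__ == "__main__":
    print(policy_document(scoped_read_policy("example-reports-bucket")))
    for finding in lint_policy(OVERBROAD_POLICY):
        print("FINDING:", finding)
```

Write the output of policy_document to a file and attach it with put-user-policy instead of ReadOnlyAccess; run lint_policy over every policy document in a repository before it is applied, and treat any finding as a review blocker.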
This command creates a CloudTrail trail that delivers API activity logs to the named S3 bucket. The bucket must already exist and carry a bucket policy that lets CloudTrail write to it, otherwise the call fails. As written, the trail records management events in the current region only; add --is-multi-region-trail to cover every region and --enable-log-file-validation so that delivered log files are tamper-evident.
Terminal
aws cloudtrail create-trail --name example-trail --s3-bucket-name example-cloudtrail-bucket
Expected Output
{
  "Name": "example-trail",
  "S3BucketName": "example-cloudtrail-bucket",
  "IncludeGlobalServiceEvents": true,
  "IsMultiRegionTrail": false,
  "TrailARN": "arn:aws:cloudtrail:us-east-1:123456789012:trail/example-trail"
}
--name - Names the CloudTrail trail
--s3-bucket-name - Specifies the S3 bucket to store logs
A new trail records nothing until logging is started, so this command is what actually turns the trail on. CloudTrail then delivers log files to the bucket typically within minutes of each API call, not in real time; for near-real-time alerting, send the trail to CloudWatch Logs and build alarms or EventBridge rules on the events.
Terminal
aws cloudtrail start-logging --name example-trail
Expected Output
No output (command runs silently)
--name - Specifies which trail to start logging
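Logging is only useful if someone reads the logs. As an added example (not from the original page), the following Python parses the "Records" array of a CloudTrail log file and applies four detection rules a responder would want first: a root console login (flagged harder when MFA was not used), tampering with the trail itself (StopLogging, DeleteTrail, UpdateTrail, PutEventSelectors), attaching AdministratorAccess to a principal, and disabling or scheduling deletion of a KMS key. The events in SAMPLE_LOG are constructed for illustration and use the placeholder identifiers from this page; they follow the documented CloudTrail record layout.

```python
"""Added example: rule-based detection over CloudTrail records.
SAMPLE_LOG is constructed; it is not a capture from a real account."""
import json
from typing import Any, Dict, List

SAMPLE_LOG = json.dumps({"Records": [
    {"eventTime": "2024-06-01T12:05:00Z", "eventSource": "s3.amazonaws.com",
     "eventName": "ListBuckets", "sourceIPAddress": "198.51.100.7",
     "userIdentity": {"type": "IAMUser", "userName": "example-user",
                      "arn": "arn:aws:iam::123456789012:user/example-user"}},
    {"eventTime": "2024-06-01T12:10:00Z", "eventSource": "signin.amazonaws.com",
     "eventName": "ConsoleLogin", "sourceIPAddress": "203.0.113.9",
     "userIdentity": {"type": "Root", "arn": "arn:aws:iam::123456789012:root"},
     "additionalEventData": {"MFAUsed": "No"},
     "responseElements": {"ConsoleLogin": "Success"}},
    {"eventTime": "2024-06-01T12:11:00Z", "eventSource": "cloudtrail.amazonaws.com",
     "eventName": "StopLogging", "sourceIPAddress": "203.0.113.9",
     "userIdentity": {"type": "Root", "arn": "arn:aws:iam::123456789012:root"},
     "requestParameters": {"name": "example-trail"}},
    {"eventTime": "2024-06-01T12:12:00Z", "eventSource": "iam.amazonaws.com",
     "eventName": "AttachUserPolicy", "sourceIPAddress": "203.0.113.9",
     "userIdentity": {"type": "Root", "arn": "arn:aws:iam::123456789012:root"},
     "requestParameters": {"userName": "example-user",
                           "policyArn": "arn:aws:iam::aws:policy/AdministratorAccess"}},
    {"eventTime": "2024-06-01T12:13:00Z", "eventSource": "kms.amazonaws.com",
     "eventName": "ScheduleKeyDeletion", "sourceIPAddress": "203.0.113.9",
     "userIdentity": {"type": "Root", "arn": "arn:aws:iam::123456789012:root"},
     "requestParameters": {"keyId": "1234abcd-12ab-34cd-56ef-1234567890ab",
                           "pendingWindowInDays": 7}},
]})

TRAIL_TAMPERING = {"StopLogging", "DeleteTrail", "UpdateTrail", "PutEventSelectors"}
KEY_TAMPERING = {"ScheduleKeyDeletion", "DisableKey"}
POLICY_ATTACH = {"AttachUserPolicy", "AttachRolePolicy", "AttachGroupPolicy"}


def classify(event: Dict[str, Any]) -> List[str]:
    """Return the name of every detection rule this single event triggers."""
    hits: List[str] = []
    ident = event.get("userIdentity") or {}
    name = event.get("eventName", "")
    source = event.get("eventSource", "")
    params = event.get("requestParameters") or {}
    if name == "ConsoleLogin" and ident.get("type") == "Root":
        mfa = (event.get("additionalEventData") or {}).get("MFAUsed", "Unknown")
        hits.append("root-console-login" + ("-no-mfa" if mfa == "No" else ""))
    if source == "cloudtrail.amazonaws.com" and name in TRAIL_TAMPERING:
        hits.append("cloudtrail-tampering")
    if name in POLICY_ATTACH and str(params.get("policyArn", "")).endswith("/AdministratorAccess"):
        hits.append("admin-policy-attached")
    if source == "kms.amazonaws.com" and name in KEY_TAMPERING:
        hits.append("kms-key-tampering")
    return hits


def scan_log(log_text: str) -> List[Dict[str, Any]]:
    """Parse one CloudTrail log file and emit a finding per rule hit, keeping the
    fields a responder needs first: when, who, from where, and which call."""
    findings: List[Dict[str, Any]] = []
    for event in json.loads(log_text).get("Records", []):
        for rule in classify(event):
            findings.append({
                "rule": rule,
                "time": event.get("eventTime"),
                "actor": (event.get("userIdentity") or {}).get("arn"),
                "source_ip": event.get("sourceIPAddress"),
                "event": event.get("eventName"),
            })
    return findings


if __name__ == "__main__":
    for f in scan_log(SAMPLE_LOG):
        print(f"{f['time']} {f['rule']:26} {f['event']:20} {f['actor']} from {f['source_ip']}")
```

Each delivered CloudTrail object is a gzip-compressed JSON file with exactly this "Records" layout, so the same scan_log can be pointed at real files after decompressing them. The sample sequence (root login without MFA, then StopLogging, then AdministratorAccess, then key deletion, all from one IP) is the pattern the rules are meant to surface together.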
This command creates a symmetric encryption key in AWS Key Management Service (KMS) for protecting data at rest. Without a --policy argument the key receives the default key policy, which gives the account's root user full control; restrict the policy to the principals and services that actually need to use or administer the key.
Terminal
aws kms create-key --description "Key for encrypting sensitive data"
Expected Output
{
  "KeyMetadata": {
    "AWSAccountId": "123456789012",
    "KeyId": "1234abcd-12ab-34cd-56ef-1234567890ab",
    "Arn": "arn:aws:kms:us-east-1:123456789012:key/1234abcd-12ab-34cd-56ef-1234567890ab",
    "CreationDate": "2024-06-01T12:00:00Z",
    "Enabled": true,
    "Description": "Key for encrypting sensitive data"
  }
}
--description - Adds a description to identify the key's purpose
Key Concept

If you remember nothing else from this pattern, remember: control who can do what, protect data, monitor activity, and respond quickly to keep your cloud secure.

Common Mistakes
Giving users more permissions than they need
This increases the risk of accidental or malicious actions that can harm your system.
Always assign the minimum permissions necessary for users to do their job.
Not enabling logging and monitoring
Without logs, you cannot detect or investigate security incidents effectively.
Set up CloudTrail or similar services to record all important actions.
Storing sensitive data without encryption
Data can be exposed if someone gains unauthorized access to storage.
Encrypt data at rest with KMS-managed keys (server-side encryption in S3, EBS, RDS and similar services, or envelope encryption in your own code) and protect data in transit with TLS.
Summary
Create IAM users with specific permissions to control access.
Use CloudTrail to log and monitor all API activity for security auditing.
Protect sensitive data using encryption keys managed by AWS KMS.