
Why defense in depth matters in AWS - Why It Works

Introduction
Defense in depth means using many layers of security to protect your cloud resources. It helps stop attackers even if one layer fails, making your system safer.
When you want to protect sensitive data in your cloud storage from unauthorized access
When you run applications that handle personal user information and need extra security
When you want to reduce the risk of a single mistake causing a big security problem
When you manage multiple cloud services and want to control access carefully
When you want to monitor and respond quickly to unusual activity in your cloud environment
Commands
This command creates a policy that allows only s3:GetObject on the objects of one specific S3 bucket, that is, read-only access to that bucket's data. It is one layer of defense controlling who can read data.
Terminal
aws iam create-policy --policy-name AllowS3ReadOnly --policy-document '{"Version":"2012-10-17","Statement":[{"Effect":"Allow","Action":["s3:GetObject"],"Resource":["arn:aws:s3:::example-bucket/*"]}]}'
Expected Output
{"Policy":{"PolicyName":"AllowS3ReadOnly","PolicyId":"ABCDEFGHIJKLMN","Arn":"arn:aws:iam::123456789012:policy/AllowS3ReadOnly","Path":"/","DefaultVersionId":"v1","AttachmentCount":0,"IsAttachable":true,"CreateDate":"2024-06-01T12:00:00Z","UpdateDate":"2024-06-01T12:00:00Z"}}
--policy-name - Names the policy for easy identification
--policy-document - Defines the permissions in JSON format
This command attaches the read-only policy to a user, limiting their access to only what the policy allows. This adds another layer by controlling user permissions.
Terminal
aws iam attach-user-policy --user-name example-user --policy-arn arn:aws:iam::123456789012:policy/AllowS3ReadOnly
Expected Output
No output (command runs silently)
--user-name - Specifies which user gets the policy
--policy-arn - Specifies which policy to attach
This command enables default server-side encryption on the S3 bucket, protecting data at rest. Encryption is another layer: it keeps the stored bytes unreadable to anyone who reaches the underlying storage without going through S3, while a caller that IAM allows to call s3:GetObject still receives the decrypted object, so this layer complements the permission layers above rather than replacing them.
Terminal
aws s3api put-bucket-encryption --bucket example-bucket --server-side-encryption-configuration '{"Rules":[{"ApplyServerSideEncryptionByDefault":{"SSEAlgorithm":"AES256"}}]}'
Expected Output
No output (command runs silently)
--bucket - Specifies the bucket to encrypt
--server-side-encryption-configuration - Defines the encryption settings
This command creates a trail to log all API activity in your AWS account. Logging helps detect suspicious actions, adding a monitoring layer.
Terminal
aws cloudtrail create-trail --name example-trail --s3-bucket-name example-logs-bucket
Expected Output
{"TrailARN":"arn:aws:cloudtrail:us-east-1:123456789012:trail/example-trail","Name":"example-trail","S3BucketName":"example-logs-bucket"}
--name - Names the trail for identification
--s3-bucket-name - Specifies where logs are stored
This command starts logging for the trail, activating the monitoring layer to track all account activity.
Terminal
aws cloudtrail start-logging --name example-trail
Expected Output
No output (command runs silently)
--name - Specifies which trail to start logging
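An added offline check for the first two layers above (example code, not part of the original page): it lints the IAM policy document from the create-policy command for wildcard grants and confirms that the put-bucket-encryption configuration sets a default algorithm. The sample documents are constructed from the page's own commands plus a deliberately wide-open policy for contrast; the function names are my own.

```python
import json

def _as_list(value):
    """IAM lets Statement/Action/Resource be a single string/object or a list."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]

def audit_policy(policy_json):
    """Return least-privilege findings for an IAM policy document (empty list = clean)."""
    doc = json.loads(policy_json)
    findings = []
    for i, stmt in enumerate(_as_list(doc.get("Statement"))):
        if stmt.get("Effect") != "Allow":
            continue  # Deny statements only narrow access, never widen it
        if "NotAction" in stmt or "NotResource" in stmt:
            findings.append(f"Statement {i}: NotAction/NotResource allows everything not listed")
        for action in _as_list(stmt.get("Action")):
            if action == "*" or action.endswith(":*"):
                findings.append(f"Statement {i}: wildcard action {action!r}")
        for resource in _as_list(stmt.get("Resource")):
            if resource == "*":
                findings.append(f"Statement {i}: wildcard resource '*'")
    return findings

def encryption_enabled(config_json):
    """True when the bucket configuration applies SSE (AES256 or aws:kms) by default."""
    rules = json.loads(config_json).get("Rules", [])
    return any(
        rule.get("ApplyServerSideEncryptionByDefault", {}).get("SSEAlgorithm") in ("AES256", "aws:kms")
        for rule in rules
    )

# Constructed sample inputs: the page's policy and encryption documents, plus a wide-open policy.
READ_ONLY_POLICY = '{"Version":"2012-10-17","Statement":[{"Effect":"Allow","Action":["s3:GetObject"],"Resource":["arn:aws:s3:::example-bucket/*"]}]}'
ADMIN_POLICY = '{"Version":"2012-10-17","Statement":{"Effect":"Allow","Action":"s3:*","Resource":"*"}}'
SSE_CONFIG = '{"Rules":[{"ApplyServerSideEncryptionByDefault":{"SSEAlgorithm":"AES256"}}]}'

if __name__ == "__main__":
    for name, doc in (("AllowS3ReadOnly", READ_ONLY_POLICY), ("wide-open", ADMIN_POLICY)):
        print(name, audit_policy(doc) or "no findings")
    print("default encryption:", encryption_enabled(SSE_CONFIG))
```

Run it against a policy document before passing it to aws iam create-policy; a non-empty findings list means the permission layer is wider than the pattern intends.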
Key Concept

If you remember nothing else from this pattern, remember: multiple security layers together protect your cloud better than any single layer alone.

Common Mistakes
Giving users full access instead of limited permissions: it exposes your resources to unnecessary risk if the user account is compromised. Always assign the minimum permissions needed using specific policies.
Not enabling encryption on storage buckets: data can be exposed if someone gains access to the storage without encryption. Enable server-side encryption on all sensitive storage buckets.
Skipping logging and monitoring setup: you won't know if someone is trying to attack or misuse your resources. Set up CloudTrail or similar logging to track all activity.
Summary
Create and attach specific IAM policies to control user permissions.
Enable encryption on storage to protect data at rest.
Set up logging with CloudTrail to monitor all account activity.