The following three pillars, IAM, VPC, and encryption, form the foundation of every secure AWS architecture.
1. Identity and Access Management (IAM)
IAM is the gatekeeper of your AWS account. It answers two questions: who are you (authentication) and what are you allowed to do (authorization)?
Core Components
- Users: Unique identities for people or applications, with long-term credentials (a password and/or access keys).
- Groups: Collections of users. It is a best practice to attach permissions to a group (e.g., Developers) rather than to individual users.
- Roles: Identities with no long-term credentials. Instead of a permanent password or access keys, a role hands out short-lived credentials to whoever assumes it: an AWS service (such as an EC2 instance), a user, or an identity from another account.
- Policies: JSON documents that define permissions. They state which actions (e.g., s3:PutObject) are allowed or denied on which resources, optionally under which conditions (source IP, MFA present, encryption header set, and so on).
IAM Best Practices
- Start with zero permissions and grant only what is strictly necessary.
- Always enable MFA, especially for the root user and any identity with administrative permissions.
- After initial setup, create a separate identity for day-to-day work (an IAM user or, better, a federated identity through IAM Identity Center), delete any root access keys, and lock away the root credentials. Use root only for the handful of tasks that require it.
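The "start with zero permissions" rule is easiest to apply when you can see what a policy grants before attaching it. The block below is an added example, not part of the original article or any AWS tool: a least-privilege policy for a hypothetical application role (bucket name and prefix are assumptions) placed beside the kind of wildcard policy that "just works", plus a small linter that flags the things a reviewer looks for first: `Action` or `Resource` wildcards, `NotAction` in an Allow statement, and IAM actions that are well-known privilege-escalation primitives.

```python
import json

# A least-privilege policy for an application role that only reads and writes
# objects under one prefix of one bucket. Bucket name and prefix are hypothetical.
APP_ROLE_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "ReadWriteUploadsPrefix",
            "Effect": "Allow",
            "Action": ["s3:GetObject", "s3:PutObject"],
            "Resource": "arn:aws:s3:::example-app-bucket/uploads/*",
        },
        {
            "Sid": "ListUploadsPrefixOnly",
            "Effect": "Allow",
            "Action": "s3:ListBucket",
            "Resource": "arn:aws:s3:::example-app-bucket",
            "Condition": {"StringLike": {"s3:prefix": ["uploads/*"]}},
        },
    ],
}

# What "just make it work" tends to produce.
OVERLY_BROAD_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow", "Action": "s3:*", "Resource": "*"},
        {"Effect": "Allow", "Action": ["iam:*"], "Resource": "*"},
    ],
}

# IAM actions that, granted without a tight Resource and Condition, let a
# principal escalate to administrator.
PRIV_ESC_ACTIONS = {
    "iam:*", "iam:PassRole", "iam:CreatePolicyVersion", "iam:SetDefaultPolicyVersion",
    "iam:AttachRolePolicy", "iam:AttachUserPolicy", "iam:PutRolePolicy", "iam:PutUserPolicy",
    "iam:CreateAccessKey", "iam:UpdateAssumeRolePolicy", "iam:CreateLoginProfile",
}


def _as_list(value):
    """IAM accepts either a string or a list for Action and Resource."""
    return [value] if isinstance(value, str) else list(value)


def lint_policy(policy):
    """Return (sid, finding) pairs for Allow statements that grant more than the
    "start with zero" rule permits: wildcards, NotAction, and escalation primitives."""
    findings = []
    for index, stmt in enumerate(policy.get("Statement", [])):
        if stmt.get("Effect") != "Allow":
            continue  # Deny statements can only narrow what is granted
        sid = stmt.get("Sid", f"Statement[{index}]")
        if "NotAction" in stmt:
            findings.append((sid, "Allow with NotAction grants every action except the listed ones"))
        for action in _as_list(stmt.get("Action", [])):
            if action == "*":
                findings.append((sid, "Action '*' grants every API call in every service"))
            elif action.endswith(":*"):
                findings.append((sid, f"Action '{action}' grants every call in that service"))
            if action in PRIV_ESC_ACTIONS:
                findings.append((sid, f"Action '{action}' is a known privilege-escalation primitive"))
        if "*" in _as_list(stmt.get("Resource", [])):
            findings.append((sid, "Resource '*' applies to every resource in the account"))
    return findings


if __name__ == "__main__":
    for name, policy in (("app-role", APP_ROLE_POLICY), ("broad", OVERLY_BROAD_POLICY)):
        print(name, json.dumps(lint_policy(policy), indent=2))
```

The least-privilege policy produces no findings; the broad one produces five (a service wildcard and `Resource: "*"` on each statement, plus `iam:*` as an escalation primitive). A linter like this is a cheap pre-commit gate; IAM Access Analyzer's policy validation does the same job with far more rules and should be used in addition.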
2. Virtual Private Cloud (VPC)
A VPC is your own private, isolated section of the AWS network. It is where you launch resources like web servers and databases.
Key Networking Layers
- Subnets: You divide your VPC into subnets. What makes a subnet public or private is its route table, not a label.
  - Public subnets: Have a route to an Internet Gateway. Use these for load balancers and web servers that must accept traffic from the internet.
  - Private subnets: Have no route to the Internet Gateway, so nothing on the internet can reach them directly. Use these for databases and application logic; if they need outbound access (patches, third-party APIs), route that through a NAT Gateway.
- Security Groups: Stateful virtual firewalls that control traffic at the instance (network interface) level. They contain only allow rules; if you allow a request in, the response is automatically allowed out, and vice versa.
- Network ACLs (NACLs): Stateless firewalls that control traffic at the subnet level, evaluated as numbered allow/deny rules from the lowest number up, with an implicit final deny. Because they are stateless, return traffic is not tracked: a NACL that allows inbound 443 must also explicitly allow outbound traffic on the ephemeral port range (1024-65535) or the reply is dropped. They act as a second layer of defense behind security groups.
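The stateful/stateless distinction is the one that bites in practice, so here is an added example (not code from the original article, and not how AWS implements these firewalls) that models both as a few dozen lines of Python and runs the same HTTPS request/reply pair through each. Source CIDRs and ICMP are left out of the model; the client's ephemeral port 51515 is a constructed value.

```python
from dataclasses import dataclass, field


@dataclass(frozen=True)
class Packet:
    """One packet as seen from the instance or subnet: direction is "in" or "out"."""
    direction: str
    proto: str
    src_port: int
    dst_port: int


@dataclass
class SecurityGroup:
    """Stateful firewall: only allow rules exist, and a packet that belongs to a
    flow already allowed in one direction is let through in the other."""
    inbound: list           # (proto, from_port, to_port)
    outbound: list
    _flows: set = field(default_factory=set)

    def allows(self, pkt: Packet) -> bool:
        rules = self.inbound if pkt.direction == "in" else self.outbound
        for proto, lo, hi in rules:
            if proto == pkt.proto and lo <= pkt.dst_port <= hi:
                # Remember the flow so its reply passes without a rule of its own.
                self._flows.add((pkt.proto, pkt.direction, pkt.src_port, pkt.dst_port))
                return True
        # No rule matched: is this the reply to a flow we already allowed?
        reverse = "out" if pkt.direction == "in" else "in"
        return (pkt.proto, reverse, pkt.dst_port, pkt.src_port) in self._flows


@dataclass
class NetworkAcl:
    """Stateless firewall: every packet, replies included, is matched against the
    numbered rules lowest number first; the first match decides and anything
    unmatched hits the implicit final deny."""
    rules: list             # (number, direction, proto, from_port, to_port, action)

    def allows(self, pkt: Packet) -> bool:
        for _num, direction, proto, lo, hi, action in sorted(self.rules):
            if direction == pkt.direction and proto == pkt.proto and lo <= pkt.dst_port <= hi:
                return action == "allow"
        return False


def https_round_trip(fw) -> tuple:
    """Simulate a client hitting port 443 and the server answering.
    Returns (request_allowed, reply_allowed)."""
    request = Packet("in", "tcp", src_port=51515, dst_port=443)
    reply = Packet("out", "tcp", src_port=443, dst_port=51515)
    return fw.allows(request), fw.allows(reply)


# A security group that allows inbound HTTPS and has no outbound rules at all.
WEB_SG = SecurityGroup(inbound=[("tcp", 443, 443)], outbound=[])

# The classic NACL mistake: inbound 443 allowed, outbound left at the implicit deny.
BROKEN_NACL = NetworkAcl(rules=[(100, "in", "tcp", 443, 443, "allow")])

# The fix: explicitly allow replies on the ephemeral port range.
FIXED_NACL = NetworkAcl(rules=[
    (100, "in", "tcp", 443, 443, "allow"),
    (100, "out", "tcp", 1024, 65535, "allow"),
])

# Ordering matters: a lower-numbered deny wins over a later allow, and because
# the NACL is stateless the outbound rule still lets unsolicited traffic out.
BLOCKED_NACL = NetworkAcl(rules=[
    (50, "in", "tcp", 443, 443, "deny"),
    (100, "in", "tcp", 443, 443, "allow"),
    (100, "out", "tcp", 1024, 65535, "allow"),
])

if __name__ == "__main__":
    for name, fw in (("security group", WEB_SG), ("broken NACL", BROKEN_NACL),
                     ("fixed NACL", FIXED_NACL), ("deny-first NACL", BLOCKED_NACL)):
        print(f"{name}: request/reply allowed = {https_round_trip(fw)}")
```

The security group passes both packets even with an empty outbound rule set, the broken NACL passes the request and silently drops the reply, and the deny-first NACL shows that rule numbers, not rule order in the console, decide the outcome. When an instance in a subnet accepts connections but clients time out, the subnet's NACL outbound rules are the first place to look.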
3. Data Encryption
Encryption ensures that even if someone gains unauthorized access to your storage or intercepts your network traffic, they cannot read the actual data.
Data at Rest
This refers to data stored on disks (S3 buckets, RDS databases, EBS volumes).
- AWS KMS (Key Management Service): The primary service for creating and managing encryption keys. Key material never leaves KMS's hardware security modules; other services ask KMS for a per-object data key, encrypt the data locally with it, and store the data key encrypted under your KMS key alongside the data (envelope encryption). It integrates with almost every other AWS service.
- Server-Side Encryption (SSE): AWS encrypts the data before writing it to disk and decrypts it on read. S3 now encrypts every new object by default with S3-managed keys (SSE-S3); to use a KMS key you control, you set the bucket's default encryption to SSE-KMS. A default only applies when the client does not specify something else, so if the requirement is "nothing unencrypted or encrypted with the wrong key ever lands in this bucket", enforce it with a bucket policy that denies such uploads.
Data in Transit
This refers to data moving between your users and your servers, or between different AWS services.
- TLS/SSL: Use HTTPS for all web traffic. AWS Certificate Manager (ACM) provisions and renews public TLS certificates (still often called SSL certificates) at no charge for use on load balancers, CloudFront and API Gateway. For S3, an `aws:SecureTransport` condition in the bucket policy rejects any request that arrives over plain HTTP.
- VPC Peering/VPN: VPC peering connects VPCs over the AWS backbone without traversing the public internet. For traffic between your office or data center and AWS, use an encrypted tunnel: a Site-to-Site VPN is IPsec, while Direct Connect is a private circuit that is not encrypted by itself and should carry a VPN or MACsec on top when the data is sensitive.
Let's summarize with the shared responsibility model for each pillar:

| Feature | Your Responsibility | AWS Responsibility |
| --- | --- | --- |
| IAM | Defining identities, least-privilege policies, strong passwords and MFA | Physical security and availability of the identity service |
| VPC | Configuring subnets, route tables, security groups and NACLs | Protecting the underlying network hardware |
| Encryption | Turning encryption on, choosing and managing keys, enforcing TLS | Providing hardware-based key storage (HSMs) and the encryption implementation |