1
00:00:00,000 --> 00:00:01,100
‫Welcome to this section

2
00:00:01,100 --> 00:00:02,890
‫on security and compliance.

3
00:00:02,890 --> 00:00:04,161
‫We're going to start right away with the shared

4
00:00:04,161 --> 00:00:06,750
‫responsibility model.

5
00:00:06,750 --> 00:00:08,850
‫So this is something we've seen all along this course,

6
00:00:08,850 --> 00:00:11,730
‫but now it is time for us to formally introduce it.

7
00:00:11,730 --> 00:00:15,890
‫So, AWS responsibility is the security of the cloud.

8
00:00:15,890 --> 00:00:18,312
‫That means that all the infrastructure they provide to you,

9
00:00:18,312 --> 00:00:20,840
‫that includes the hardware, the software facilities,

10
00:00:20,840 --> 00:00:21,720
‫networking.

11
00:00:21,720 --> 00:00:22,839
‫They have to protect it

12
00:00:22,839 --> 00:00:25,881
‫because this infrastructure will run

13
00:00:25,881 --> 00:00:29,920
‫all the services that you're using on AWS.

14
00:00:29,920 --> 00:00:32,920
‫On top of it, any service that is managed by AWS,

15
00:00:32,920 --> 00:00:37,920
‫such as S3 DynamoDB, RDS, is the responsibility of AWS.

16
00:00:39,120 --> 00:00:41,510
‫But once they provide a service to you,

17
00:00:41,510 --> 00:00:45,180
‫then how you use that service is your responsibility.

18
00:00:45,180 --> 00:00:47,060
‫So for example, as a customer,

19
00:00:47,060 --> 00:00:50,830
‫you are responsible for the security in the cloud.

20
00:00:50,830 --> 00:00:53,940
‫So in the instance of EC2 instance, your customer,

21
00:00:53,940 --> 00:00:57,080
‫so you, is responsible for the management of all the

22
00:00:57,080 --> 00:01:00,040
‫operating system that includes patching the operating system

23
00:01:00,040 --> 00:01:01,580
‫and making updates to it.

24
00:01:01,580 --> 00:01:02,920
‫You must configure the firewall,

25
00:01:02,920 --> 00:01:05,840
‫so that means that's you Mister Green figure, for example,

26
00:01:05,840 --> 00:01:08,235
‫the network ACL and the security group,

27
00:01:08,235 --> 00:01:10,939
‫and also you need to make sure that your EC2 instance has

28
00:01:10,939 --> 00:01:13,900
‫the correct IAM information through the use of,

29
00:01:13,900 --> 00:01:15,720
‫IAM instance role.

30
00:01:15,720 --> 00:01:17,640
‫Then, we also need to ensure that we

31
00:01:17,640 --> 00:01:18,800
‫encrypt the application data,

32
00:01:18,800 --> 00:01:21,710
‫according to our compliance requirements.

33
00:01:21,710 --> 00:01:23,480
‫Then, there are some controls that are shared.

34
00:01:23,480 --> 00:01:26,054
‫For example, patch management, configuration management,

35
00:01:26,054 --> 00:01:30,010
‫awareness and training are both shared between you and AWS.

36
00:01:30,010 --> 00:01:32,530
‫For example, for batch managements,

37
00:01:32,530 --> 00:01:33,861
‫if using something like RDS,

38
00:01:33,861 --> 00:01:36,750
‫then AWS will do the patch management for us.

39
00:01:36,750 --> 00:01:39,480
‫And if we are using something like EC2 then we have to

40
00:01:39,480 --> 00:01:40,700
‫patch our operating system,

41
00:01:40,700 --> 00:01:43,140
‫so the shared control is here.

42
00:01:43,140 --> 00:01:44,788
‫For example, for awareness and training,

43
00:01:44,788 --> 00:01:46,947
‫AWS has to train their employees

44
00:01:46,947 --> 00:01:49,660
‫to use their facilities correctly,

45
00:01:49,660 --> 00:01:52,620
‫and to make sure they adhere to their security guidelines.

46
00:01:52,620 --> 00:01:55,523
‫And you have to make sure to train your employees correctly,

47
00:01:55,523 --> 00:01:56,940
‫to use the cloud,

48
00:01:56,940 --> 00:02:00,350
‫and doing this training is one of these ways, obviously.

49
00:02:00,350 --> 00:02:03,350
‫Next, let's look at a detailed technology, for example.

50
00:02:03,350 --> 00:02:04,420
‫So for RDS,

51
00:02:04,420 --> 00:02:08,027
‫the responsibility of AWS is to manage the underlying

52
00:02:08,027 --> 00:02:11,080
‫EC2 instance and to the civil SSH access,

53
00:02:11,080 --> 00:02:13,160
‫to automate the database patching,

54
00:02:13,160 --> 00:02:15,440
‫to automate the operating system patching,

55
00:02:15,440 --> 00:02:17,510
‫and to edit the underlying instance and disk

56
00:02:17,510 --> 00:02:19,950
‫to guarantee that it functions over time.

57
00:02:19,950 --> 00:02:22,520
‫Your responsibility as a user of RDS

58
00:02:22,520 --> 00:02:24,470
‫is to check that the ports,

59
00:02:24,470 --> 00:02:26,350
‫IP security groups inbound rules

60
00:02:26,350 --> 00:02:28,920
‫in your database security group are set up correctly.

61
00:02:28,920 --> 00:02:31,710
‫It's also to make sure that the in-database user creation

62
00:02:31,710 --> 00:02:34,376
‫and the permission of these users is done the way you want,

63
00:02:34,376 --> 00:02:37,180
‫and also you need to make sure that if you want to create a

64
00:02:37,180 --> 00:02:39,710
‫database with or without public access.

65
00:02:39,710 --> 00:02:41,702
‫And if you wanted to configure a database you could use

66
00:02:41,702 --> 00:02:43,400
‫parameter groups, for example,

67
00:02:43,400 --> 00:02:45,500
‫to force only encrypted connections.

68
00:02:45,500 --> 00:02:47,114
‫Finally, if you wanted to encrypt the data

69
00:02:47,114 --> 00:02:48,728
‫within the database, it is again,

70
00:02:48,728 --> 00:02:51,223
‫your responsibility to enable.

71
00:02:52,630 --> 00:02:54,200
‫Next, for Amazon S3,

72
00:02:54,200 --> 00:02:56,607
‫The responsibility of AWS is to guarantee you

73
00:02:56,607 --> 00:02:59,070
‫to get unlimited storage,

74
00:02:59,070 --> 00:03:01,770
‫to guarantee you to get encryption when you enable it,

75
00:03:01,770 --> 00:03:05,150
‫and to ensure the separation of data between all your,

76
00:03:05,150 --> 00:03:07,800
‫all the different customers of AWS.

77
00:03:07,800 --> 00:03:08,980
‫As well, they need to make sure

78
00:03:08,980 --> 00:03:12,650
‫that all the employees of AWS can not access your data.

79
00:03:12,650 --> 00:03:14,840
‫Your responsibility is to configure your bucket

80
00:03:14,840 --> 00:03:16,500
‫the way you want to make sure

81
00:03:16,500 --> 00:03:18,680
‫the bucket policy adheres to your standards,

82
00:03:18,680 --> 00:03:22,180
‫and also to use IAM users and roles accordingly.

83
00:03:22,180 --> 00:03:24,140
‫And finally, if you want to encrypt your data,

84
00:03:24,140 --> 00:03:27,440
‫it is your responsibility to enable it and to use the

85
00:03:27,440 --> 00:03:29,670
‫encryption scheme that works for you.

86
00:03:29,670 --> 00:03:30,860
‫So, hopefully that makes sense.

87
00:03:30,860 --> 00:03:34,420
‫Here is a diagram from the website of AWS,

88
00:03:34,420 --> 00:03:37,841
‫which shows the responsibility in the cloud is a customer

89
00:03:37,841 --> 00:03:42,210
‫and responsibility of the cloud is for AWS.

90
00:03:42,210 --> 00:03:43,939
‫So as a customer, your data,

91
00:03:43,939 --> 00:03:45,910
‫the applications, the platform,

92
00:03:45,910 --> 00:03:48,120
‫identity, and access management is up to you,

93
00:03:48,120 --> 00:03:50,010
‫operating system, network and firewall configuration,

94
00:03:50,010 --> 00:03:50,843
‫as well.

95
00:03:50,843 --> 00:03:52,770
‫Then your client's side data encryption,

96
00:03:52,770 --> 00:03:54,230
‫your server-side encryption,

97
00:03:54,230 --> 00:03:57,363
‫and your network traffic protection is all yours.

98
00:03:57,363 --> 00:03:59,990
‫AWS instead, is responsible for their software,

99
00:03:59,990 --> 00:04:01,260
‫so their services,

100
00:04:01,260 --> 00:04:04,680
‫also making sure that the compute, storage, database,

101
00:04:04,680 --> 00:04:06,160
‫and networking are working correctly when they

102
00:04:06,160 --> 00:04:07,530
‫provide it to you,

103
00:04:07,530 --> 00:04:09,234
‫and they're responsible for their hardware

104
00:04:09,234 --> 00:04:11,200
‫and the global infrastructure.

105
00:04:11,200 --> 00:04:14,740
‫So the regions, the AZ, and the edge locations.

106
00:04:14,740 --> 00:04:16,100
‫Hopefully that makes sense because their shared

107
00:04:16,100 --> 00:04:19,150
‫responsibility comes up at least two to three questions

108
00:04:19,150 --> 00:04:20,310
‫in your exam.

109
00:04:20,310 --> 00:04:22,091
‫So understanding what is your responsibility

110
00:04:22,091 --> 00:04:25,750
‫and what is the responsibility of AWS is very important.

111
00:04:25,750 --> 00:04:26,720
‫I hope that was helpful

112
00:04:26,720 --> 00:04:28,670
‫and I will see you in the next lecture.