# AWS Security

**Shared Responsibility Model in Cloud**

The **Shared Responsibility Model** defines the division of security responsibilities between the cloud provider and the customer:

1. **Cloud Provider Responsibility**: Security **of** the cloud, including infrastructure, hardware, software, networking, and facilities.
2. **Customer Responsibility**: Security **in** the cloud, including data protection, identity management, application security, and configuring security services.

This model ensures clarity on securing cloud environments and fosters collaborative security efforts.

<figure><img src="https://2332860236-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2Fq6mjlFfyDOi3mV0lemKE%2Fuploads%2FCIFKId1FTUasguYZ26gL%2Fimage.png?alt=media&#x26;token=665d97a7-8766-4dee-aa62-8ddc5d2ecbac" alt=""><figcaption></figcaption></figure>

***

## Identity & Access Management (IAM)

AWS IAM is a service that helps securely manage access to AWS resources by defining who can access what and under which conditions.

***

1. **Root Account User**:
   * The initial account created with full access to all AWS services and resources.
   * Should be used sparingly with strong security measures like MFA.
2. **IAM Users**:
   * Individual users with specific permissions.
   * Each user has unique credentials and access policies.
3. **IAM Roles**:
   * Temporary credentials assigned to AWS resources or users for specific tasks.
   * Ideal for granting permissions without sharing credentials.
4. **IAM Groups**:
   * Collection of IAM users with shared permissions.
   * Simplifies access management by applying a single policy to multiple users.
5. **IAM Policies**:
   * JSON documents defining permissions for users, roles, or groups.
   * Policies specify allowed or denied actions on AWS resources.

```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": "s3:*",
      "Resource": "arn:aws:s3:::example-bucket/*"
    }
  ]
}
```

> * **Effect**: `Allow` grants permission.
> * **Action**: Specifies `s3:*` (all actions on S3).
> * **Resource**: Targets objects inside a specific S3 bucket (`example-bucket`).
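As an added example (not part of the original notes), the following Python script evaluates the policy above against individual requests using the core of IAM's decision logic: an explicit `Deny` beats any `Allow`, and anything not matched by an `Allow` is implicitly denied. It uses the standard library only and shows that the `example-bucket/*` resource covers object keys but not the bucket ARN itself, so an action such as `s3:ListBucket` on the bucket is not granted by this policy.

```python
import fnmatch
import json

# Constructed copy of the policy document shown above.
POLICY = json.loads("""{
  "Version": "2012-10-17",
  "Statement": [{
    "Effect": "Allow",
    "Action": "s3:*",
    "Resource": "arn:aws:s3:::example-bucket/*"
  }]
}""")


def _matches(patterns, candidate, case_sensitive):
    # Action/Resource may be a string or a list. IAM wildcards: '*' (any run)
    # and '?' (one char); fnmatch's '[' class is escaped since IAM has none.
    if isinstance(patterns, str):
        patterns = [patterns]
    if not case_sensitive:
        candidate = candidate.lower()
    for pattern in patterns:
        p = pattern.replace("[", "[[]")
        if fnmatch.fnmatchcase(candidate, p if case_sensitive else p.lower()):
            return True
    return False


def evaluate(policy, action, resource):
    """Decide one action on one resource under a single identity policy.
    IAM ordering: explicit Deny wins, else a matching Allow is required, else
    implicit deny. Conditions, NotAction/NotResource, resource policies,
    permission boundaries and SCPs are out of scope."""
    decision = "ImplicitDeny"
    for stmt in policy["Statement"]:
        # Action names are case-insensitive; resource ARNs are compared as-is.
        if not _matches(stmt.get("Action", []), action, False):
            continue
        if not _matches(stmt.get("Resource", []), resource, True):
            continue
        if stmt["Effect"] == "Deny":
            return "ExplicitDeny"
        decision = "Allow"
    return decision


if __name__ == "__main__":
    print(evaluate(POLICY, "s3:GetObject", "arn:aws:s3:::example-bucket/report.csv"))  # Allow
    print(evaluate(POLICY, "s3:ListBucket", "arn:aws:s3:::example-bucket"))  # ImplicitDeny
```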

#### IAM Assume Role

Assumed roles provide short-lived, dynamic access: instead of authenticating with a username and password, a principal assumes the role and receives temporary credentials that expire after a set period.

> EX: Coffee shop: one person takes orders one day and makes coffee the next. Rather than giving that person both sets of permissions permanently, we define two roles and let them assume the role that matches the task for that day.

{% content-ref url="../../cyber-security-base/cloud-security/amazon-web-services-aws/aws-roles-assume-role" %}
[aws-roles-assume-role](https://ghoulsec.gitbook.io/ghoulsec-vault/cyber-security-base/cloud-security/amazon-web-services-aws/aws-roles-assume-role)
{% endcontent-ref %}

