Security is the most important part of cloud computing. The "Shared Responsibility Model" means the cloud provider secures the hardware, but you are responsible for securing the data and access.
1. IAM (Identity and Access Management)
IAM is how you control who can do what in your cloud account.
The Principle of Least Privilege
Rule: Give users and services only the permissions they need to do their job, and nothing more.
Check Current User Permissions
Action:
aws sts get-caller-identityResult:
{
"UserId": "AIDAX1234567890ABCDEF",
"Account": "123456789012",
"Arn": "arn:aws:iam::123456789012:user/devops-admin"
}2. Roles vs. Users
- IAM Users: For actual people (requires passwords/access keys).
- IAM Roles: For applications or services (e.g., an EC2 instance that needs to talk to S3). Roles use temporary credentials, which are much more secure.
3. Security Groups (Network Security)
A Security Group acts as a virtual firewall for your server.
Example: Typical Web Server Rules
Action:
# List rules for a security group
aws ec2 describe-security-groups --group-ids sg-0a1b2c3d --query "SecurityGroups[*].IpPermissions"Result:
[
{
"FromPort": 80, "ToPort": 80, "IpProtocol": "tcp",
"IpRanges": [{"CidrIp": "0.0.0.0/0"}] # Open to everyone
},
{
"FromPort": 22, "ToPort": 22, "IpProtocol": "tcp",
"IpRanges": [{"CidrIp": "203.0.113.10/32"}] # Open ONLY to company IP
}
]4. Cloud Security Best Practices
- Enable MFA: Multi-Factor Authentication for all users.
- Rotate Keys: Change your API access keys every 90 days.
- Use CloudTrail: Monitor every single API call made in your account.
- No Root User: Never use the "Root" account for daily tasks.
Summary
- IAM: Control access to resources.
- Roles: Better than Users for automation.
- Security Groups: Firewall at the instance level.
- Least Privilege: The golden rule of DevOps security.