Zero Trust Architecture on AWS (Pure info from my experience)
What is Zero Trust Architecture?
"Zero trust is an architectural approach where inherent trust in the network is removed, the network is assumed hostile and each request is verified based on an access policy." - gov.uk
What is Zero Trust Architecture on AWS?
Zero Trust Architecture on AWS is a security model that replaces the traditional perimeter-based model with one in which no request is trusted because of where it comes from; every request has to be verified. It is built on the principle of least privilege and on granting as little implicit trust as possible.
As far as I know, AWS does not have a built-in Zero Trust Architecture. However, there are several services that can help you implement one.
- AWS Organizations
- AWS Identity and Access Management (IAM)
- IAM Identity Center: It allows you to manage user identities and their access to AWS resources from a centralized identity store. You can also enforce MFA for all users quickly. The best part is that you can manage permissions for all users in one place.
- AWS Certificate Manager (ACM): It allows you to manage SSL/TLS certificates for your AWS resources. It's a managed service, so you don't need to worry about the underlying infrastructure, and it integrates with most AWS services.
- AWS Key Management Service (KMS): It allows you to manage encryption keys for your AWS resources. You can also rotate keys and audit key usage.
There are many more features that can help you implement a Zero Trust Architecture on AWS. However, the above are the most important ones.
RDS Zero Trust Architecture Example
Let's start with deploying the RDS instance. Deploy it into a VPC with either isolated or private subnets (isolated is recommended). After that, enable Point in Time Recovery (PITR) and automated backups (not strictly zero trust related, but worth doing). Limit access to the RDS instance to the people (with IAM policies) and services (with security groups) that need it. Create a bastion host to reach the RDS instance. There is no need to enable public access to the bastion host, because you can use AWS Systems Manager Session Manager to connect to it.
So, it's almost done. Make sure you enable encryption at rest and in transit.
- Every user must use MFA to access their account.
- Each request must be verified based on an access policy.
- Each request must be encrypted in transit.
- Data at rest must be encrypted.
- Access to the bastion host must be granted only to the users who need to reach the RDS instance.
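To make the checklist above verifiable rather than a set of intentions, here is an added example (my own illustration, not code from the original post or from AWS) that audits the RDS setup for the properties listed: no public access, encryption at rest, backups enabled, a security group that only admits approved source security groups, TLS enforced at the database parameter level, and an IAM policy that denies everything when MFA is absent. The functions take dictionaries shaped like the boto3 responses for describe_db_instances, describe_security_groups and describe_db_parameters, so the same code can be pointed at real responses; the sample inputs, the function names and every identifier in them are constructed placeholders. The parameter names rds.force_ssl (PostgreSQL) and require_secure_transport (MySQL/MariaDB) and the aws:MultiFactorAuthPresent condition key are real AWS names.

```python
"""Offline checks for the zero-trust properties listed in the post.

Each function takes a dict shaped like the relevant boto3 response
(rds.describe_db_instances, ec2.describe_security_groups,
rds.describe_db_parameters) or an IAM policy document and returns a
list of findings; an empty list means the check passed. The sample
inputs at the bottom are constructed for this example and use
placeholder identifiers, not real resources.
"""


def audit_db_instance(db):
    """One entry of describe_db_instances()["DBInstances"]."""
    name = db.get("DBInstanceIdentifier", "<unknown>")
    findings = []
    if db.get("PubliclyAccessible"):
        findings.append(f"{name}: PubliclyAccessible is true; reachable from outside the VPC")
    if not db.get("StorageEncrypted"):
        findings.append(f"{name}: storage is not encrypted at rest")
    if db.get("BackupRetentionPeriod", 0) < 1:
        findings.append(f"{name}: automated backups and PITR are off (BackupRetentionPeriod 0)")
    return findings


def audit_security_group(sg, db_port, allowed_source_sgs):
    """Ingress on the DB's security group: only the approved source security
    groups (bastion, application) may reach db_port; CIDR rules are flagged."""
    findings = []
    for rule in sg.get("IpPermissions", []):
        all_traffic = rule.get("IpProtocol") == "-1"  # protocol -1 has no port range
        if not (all_traffic or rule.get("FromPort", -1) <= db_port <= rule.get("ToPort", -1)):
            continue
        for r in rule.get("IpRanges", []) + rule.get("Ipv6Ranges", []):
            cidr = r.get("CidrIp") or r.get("CidrIpv6")
            findings.append(f"{sg['GroupId']}: CIDR ingress {cidr} to port {db_port}; reference source security groups instead")
        for pair in rule.get("UserIdGroupPairs", []):
            if pair.get("GroupId") not in allowed_source_sgs:
                findings.append(f"{sg['GroupId']}: ingress from unapproved security group {pair.get('GroupId')}")
    return findings


# Engine -> (parameter that forces TLS, accepted values). Real RDS parameter names.
TLS_PARAMETERS = {
    "postgres": ("rds.force_ssl", {"1"}),
    "mysql": ("require_secure_transport", {"ON", "1"}),
    "mariadb": ("require_secure_transport", {"ON", "1"}),
}


def audit_tls_enforcement(engine, parameters):
    """parameters: entries of describe_db_parameters()["Parameters"] for the DB's group."""
    spec = TLS_PARAMETERS.get(engine)
    if spec is None:
        return [f"no TLS-enforcement check defined for engine {engine}"]
    pname, ok_values = spec
    values = {p["ParameterName"]: p.get("ParameterValue") for p in parameters}
    if values.get(pname) not in ok_values:
        return [f"{pname} is {values.get(pname)!r}; clients may connect without TLS"]
    return []


def _mfa_value(statement, *keys):
    """The aws:MultiFactorAuthPresent value under any of the given condition operators."""
    cond = statement.get("Condition", {})
    for key in keys:
        if "aws:MultiFactorAuthPresent" in cond.get(key, {}):
            return str(cond[key]["aws:MultiFactorAuthPresent"]).lower()
    return None


def policy_requires_mfa(policy):
    """True if a Deny-all statement fires when MFA is absent, or if every
    Allow statement is itself conditioned on aws:MultiFactorAuthPresent."""
    statements = policy["Statement"]
    if isinstance(statements, dict):
        statements = [statements]
    for st in statements:
        actions = st.get("Action", [])
        actions = [actions] if isinstance(actions, str) else actions
        if st.get("Effect") == "Deny" and "*" in actions \
                and _mfa_value(st, "Bool", "BoolIfExists") == "false":
            return True
    return all(st.get("Effect") != "Allow" or _mfa_value(st, "Bool") == "true" for st in statements)


# --- constructed sample inputs (placeholders, not real resources) ---
SAMPLE_DB = {"DBInstanceIdentifier": "example-db", "Engine": "postgres",
             "PubliclyAccessible": False, "StorageEncrypted": True, "BackupRetentionPeriod": 7}
SAMPLE_DB_SG = {"GroupId": "sg-db-placeholder", "IpPermissions": [
    {"IpProtocol": "tcp", "FromPort": 5432, "ToPort": 5432,
     "IpRanges": [{"CidrIp": "10.0.0.0/8"}],  # deliberately too broad: the whole network
     "UserIdGroupPairs": [{"GroupId": "sg-bastion-placeholder"}]}]}
SAMPLE_PARAMS = [{"ParameterName": "rds.force_ssl", "ParameterValue": "0"}]  # TLS not enforced
POLICY_DENY_WITHOUT_MFA = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": ["rds:DescribeDBInstances", "ssm:StartSession"], "Resource": "*"},
    {"Effect": "Deny", "Action": "*", "Resource": "*",
     "Condition": {"BoolIfExists": {"aws:MultiFactorAuthPresent": "false"}}}]}
POLICY_NO_MFA = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": "rds:*", "Resource": "*"}]}


def run_checks():
    """Run every check over the sample inputs; keys name the check."""
    return {
        "instance": audit_db_instance(SAMPLE_DB),
        "security_group": audit_security_group(SAMPLE_DB_SG, 5432, {"sg-bastion-placeholder"}),
        "tls": audit_tls_enforcement(SAMPLE_DB["Engine"], SAMPLE_PARAMS),
        "mfa_policy_ok": policy_requires_mfa(POLICY_DENY_WITHOUT_MFA),
        "mfa_policy_missing": policy_requires_mfa(POLICY_NO_MFA),
    }


if __name__ == "__main__":
    for check, result in run_checks().items():
        print(check, "->", result)
```

The sample inputs are chosen so that two checks fail on purpose: the security group admits a whole 10.0.0.0/8 range next to the bastion's security group, and rds.force_ssl is 0. Those are the two settings people most often leave loose after following a "private subnet plus bastion" recipe, and both contradict the "every request verified" and "encrypted in transit" items above. Isolation of the subnets themselves is not visible from describe_db_instances; that needs the route tables, which this example does not cover.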
Final thoughts
I just want to say that Zero Trust Architecture is not a one-time configuration. It is a security model that you need to follow and update regularly.
I enjoyed writing this article. If you have any questions, please let me know.
Thank you for reading.
Best regards,