Principle of Least Privilege
Ref: https://www.udemy.com/course/aws-certified-machine-learning-engineer-associate-mla-c01/learn/lecture/45286997
- 🔧 Grant only necessary permissions to perform a task (and no other permissions)
- Basic security principle, apply it anywhere in IT
- 💡 If you give extra permissions to someone/something, there's a chance those permissions will be misused
- You can start with broad permissions in early development stages…
- Since you don't know exactly how the final system works
- ❗ …But lock permissions down once you have a better idea of exact services & operations a workload requires
- Example: Policy granting permissions to only read CSV files for a specific S3 bucket, and nothing else!
- ❗ IAM Access Analyzer → generates least-privilege policies based on access activity
- Useful tool to quickly grasp what optimal policies could look like
Data Masking and Anonymization
Ref: https://www.udemy.com/course/aws-certified-machine-learning-engineer-associate-mla-c01/learn/lecture/45287001
- Data masking = Obfuscation of data
- Normally for sensitive data: Personally Identifiable Information (PII), passwords, masking all but the last 4 digits of a credit card…
- Supported in Glue DataBrew and Redshift
- Example: credit card masking in Redshift
- Anonymization = replace data with other data so source is untraceable
- Some techniques:
- Replace with random
- Shuffling
- Encryption (deterministic or probabilistic)
- Hashing
- ❗ Or just delete sensitive data and don't import it in the first place!!
- 💡 Usually the best solution when it's possible!
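
Added example (not from the course material): a Python sketch of three of the techniques listed above applied to one record set, namely masking all but the last 4 card digits, shuffling a column, and keyed hashing. The rows, column names and function names are assumptions made up for illustration; the card numbers are constructed test values.

```python
import hashlib
import hmac
import random
import secrets

# Constructed sample rows (test card numbers, not real data).
ROWS = [
    {"name": "Alice", "card": "4111111111111111", "city": "Lisbon"},
    {"name": "Bob", "card": "5500005555555559", "city": "Oslo"},
    {"name": "Carol", "card": "340000000000009", "city": "Quito"},
]

def mask_card(card: str, visible: int = 4) -> str:
    """Masking: hide every digit except the last `visible` ones."""
    digits = [c for c in card if c.isdigit()]  # ignore spaces and dashes
    if len(digits) <= visible:
        return "*" * len(digits)  # too short: reveal nothing
    return "*" * (len(digits) - visible) + "".join(digits[-visible:])

def pseudonymize(value: str, key: bytes) -> str:
    """Hashing, keyed (HMAC-SHA256): the same input gives the same token,
    so joins still work. An unkeyed hash of a low-entropy value (a name,
    a card number) can be reversed by guessing inputs, hence the key."""
    return hmac.new(key, value.encode(), hashlib.sha256).hexdigest()

def shuffle_column(rows, column, rng):
    """Shuffling: keep the column's set of values, break the row linkage."""
    values = [r[column] for r in rows]
    rng.shuffle(values)
    return [{**r, column: v} for r, v in zip(rows, values)]

def anonymize(rows, key, rng):
    """Drop the raw name, mask the card, shuffle the city column."""
    out = []
    for r in shuffle_column(rows, "city", rng):
        out.append({
            "customer_id": pseudonymize(r["name"], key),
            "card": mask_card(r["card"]),
            "city": r["city"],
        })
    return out

if __name__ == "__main__":
    key = secrets.token_bytes(32)  # keep this key out of the dataset
    for row in anonymize(ROWS, key, random.SystemRandom()):
        print(row)
```

The HMAC key has to be stored separately from the anonymized data; anyone holding both can recompute tokens for guessed names.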
General AWS Security
Ref: https://www.udemy.com/course/aws-certified-machine-learning-engineer-associate-mla-c01/learn/lecture/45287015
- Use IAM identities and policies
- ❗ Do not use root account except to create a first IAM admin user, for billing and for deleting the account
- Set up IAM user accounts only with permissions they need
- Use MFA
- Greatly increases credential security