FIT5225 · Cloud Computing And Security
Cloud Security
Security is the thread that runs through every other chapter, pulled together here into the capstone. It opens with the foundations — the CIA triad (Confidentiality, Integrity, Availability) and the four A's (Authentication, Authorization, Accounting/Audit, and the perennially-confused authentication vs authorization pair) — then maps them onto AWS. The network half is the VPC and its two firewalls: stateful, instance-level Security Groups (SG) versus stateless, subnet-level Network ACLs (NACL), where rule order and the allow/deny model are the classic gotchas, plus NAT gateways and the fact that VPC peering is not transitive. The identity half is Cognito (User Pools vs Identity Pools), IAM least-privilege, and encryption in transit and at rest. Over it all sits defense-in-depth — layered controls — and the reminder from chapter one that 'the cloud is secure' is only half the truth: most breaches are customer-side misconfiguration. Quizzes over-test these tables.
What this chapter covers
- 01Foundations: the CIA triad & the four A's (authN vs authZ)
- 02The shared-responsibility line, revisited for security
- 03VPC networking: Security Groups vs Network ACLs (stateful vs stateless)
- 04Rule order, NAT gateways, and why peering is not transitive
- 05Identity: Cognito User Pools vs Identity Pools, IAM least-privilege
- 06Encryption (in transit / at rest) & defense-in-depth
Worked example: Security Group vs Network ACL — pick the firewall
- +2(a) The Security Group allows inbound 443 at the instance level; it is stateful, so the response to an allowed inbound request is automatically allowed out — you don't write a matching outbound rule.
- +2(b) The Network ACL does the subnet-wide block: it operates at the subnet level and supports explicit deny rules (Security Groups are allow-only), so it can drop one IP for everything in the subnet.
- +1(c) The NACL gotcha is rule order: rules are evaluated by number, lowest first, and the first match wins — so the deny for the bad IP must have a lower rule number than any broader allow, or the allow fires first.
- +0Note — NACL is stateless: unlike the SG, a NACL needs an explicit return-traffic rule because it does not track connections.
Key terms
- CIA triad
- The three goals of information security: Confidentiality (only authorised parties can read the data), Integrity (the data is not tampered with) and Availability (authorised users can access it when needed). Every security control maps to protecting one or more of these; encryption serves confidentiality, hashing/signing serves integrity, redundancy serves availability.
- Authentication vs authorization
- Authentication proves who you are (verifying identity — a password, a token); authorization decides what you are allowed to do (your permissions). AuthN comes first, then authZ. They are constantly mixed up and the quiz exploits it: a login is authentication, a permission check is authorization.
- Security Group vs Network ACL
- AWS's two VPC firewalls. A Security Group is stateful and instance-level, allow-rules only, with automatic return traffic. A Network ACL is stateless and subnet-level, supports both allow and deny, evaluates rules in number order (first match wins) and needs explicit return-traffic rules. SG = the instance's firewall; NACL = the subnet's firewall.
- Cognito User Pool vs Identity Pool
- Two AWS Cognito services that are easy to confuse. A User Pool is a user directory that handles sign-up and sign-in (authentication) and issues tokens. An Identity Pool (federated identities) exchanges those tokens for temporary AWS credentials so the user can access AWS resources (authorization to AWS). User Pool = who you are; Identity Pool = what AWS access you get.
- Defense-in-depth
- Layering multiple, independent security controls so that no single failure exposes the system — network segmentation (VPC, subnets), firewalls (SG, NACL), identity (IAM least-privilege), encryption in transit and at rest, and monitoring. The idea is that an attacker must defeat every layer, not just one.
Cloud Security FAQ
What is the difference between a Security Group and a Network ACL?
A Security Group is a stateful, instance-level firewall with allow-rules only — its return traffic is automatic. A Network ACL is a stateless, subnet-level firewall that supports explicit deny as well as allow, evaluates rules in number order with first-match-wins, and needs an explicit rule for return traffic. Use the SG for instance access and the NACL for subnet-wide allow/deny; this is one of the most over-tested tables in the unit.
Authentication vs authorization — how do I never mix them up?
Authentication is 'who are you?' — proving identity (logging in, presenting a token). Authorization is 'what may you do?' — checking permissions once your identity is known. AuthN always precedes authZ. Map any scenario to the question it answers: verifying a password is authentication; deciding whether that verified user can delete a bucket is authorization.
Why isn't VPC peering transitive?
Because each peering connection is a direct, point-to-point link between two VPCs and AWS deliberately does not route traffic through an intermediate VPC. If A peers with B and B peers with C, A still cannot reach C — you would need a direct A-to-C peering (or a transit gateway). It is a frequent trap because people assume peering chains like normal routing.
If the provider secures the cloud, what's left for me to secure?
Your half of the shared-responsibility line: your data, your identity and access management (IAM least-privilege), your OS/network/firewall configuration (Security Groups, NACLs), your application code, and your encryption. Most real cloud breaches are customer-side misconfiguration — an open S3 bucket, an over-broad IAM policy — so 'the cloud is secure' never means 'my system is secure'.
Exam move
Treat this chapter as a set of tables to over-learn, because that is exactly how it is tested. Lock down the two perennial confusions first — authentication vs authorization, and Security Group (stateful, instance, allow-only) vs Network ACL (stateless, subnet, allow+deny, ordered, first-match-wins) — and be ready to pick the right control for a described scenario. Know the NACL rule-order gotcha and that VPC peering is not transitive. For identity, separate Cognito User Pools (sign-in / who you are) from Identity Pools (temporary AWS credentials / what you can access). Tie everything back to the CIA triad and the shared-responsibility line, and remember the strategic refrain from chapter one: secure technology is not a secure system, and most breaches are customer-side misconfiguration.