☁️ Security & Compliance
IAM, Shared Responsibility Model, Shield, WAF, KMS
🤝 Shared Responsibility Model
AWS javobgarligi ("Security OF the cloud"): Hardware, global infratuzilma, datacenters, managed services. Mijoz javobgarligi ("Security IN the cloud"): EC2 OS patch, application kodi, IAM konfiguratsiya, ma'lumotlar shifrlash, network konfiguratsiya.
🔐 AWS IAM (Identity and Access Management)
Users — individual shaxslar. Groups — userlar to'plami (policy biriktirish uchun). Roles — AWS xizmatlari yoki tashqi identitylar uchun vaqtinchalik ruxsat. Policies — JSON formatdagi ruxsat hujjatlar. Principle of Least Privilege — faqat kerakli ruxsatlar bering.
🛡️ AWS Shield & WAF
AWS Shield Standard — bepul, DDoS himoyasi (layer 3/4). AWS Shield Advanced — pullik, layer 7 DDoS, 24/7 DRT (DDoS Response Team) support. AWS WAF — Web Application Firewall, SQL injection, XSS va boshqa web hujumlardan himoya.
🔑 AWS KMS & Encryption
AWS KMS (Key Management Service) — shifrlash kalitlarini boshqarish. Encryption at rest: S3, EBS, RDS ma'lumotlarini shifrlash. Encryption in transit: SSL/TLS. CloudHSM — dedicated hardware security module.
📊 Shared Responsibility: AWS vs Mijoz
| Xizmat | AWS javobgarligi | Mijoz javobgarligi |
|---|---|---|
| EC2 (IaaS) | Hardware, Hypervisor, Network | OS patch, App, Firewall config, Data |
| RDS (PaaS) | Hardware, OS, DB engine patch | DB konfiguratsiya, foydalanuvchilar, Data shifrlash |
| S3 (Managed) | Hardware, Durability, Availability | Bucket policy, ACL, versioning, shifrlash |
| Lambda (Serverless) | Infratuzilma, Runtime patch | Kod, IAM roles, environment variables |
💡 Asosiy nuqtalar
- AWS — infratuzilma xavfsizligi, Siz — ma'lumotlar va config xavfsizligi
- IAM: Users, Groups, Roles, Policies
- Least Privilege Principle — har doim minimal ruxsat
- Shield Standard: bepul DDoS, Shield Advanced: pullik
- KMS: encryption key management
- MFA — Root account va IAM userlarda majburiy
🎯 Imtihon maslahatlari
- "Security OF the cloud" = AWS javobgarligi (hardware, AZ, global infra)
- "Security IN the cloud" = Sizning javobgarligingiz (IAM, data, OS, config)
- IAM Role vs IAM User: EC2/Lambda uchun har doim Role, hech qachon User credentials
- CloudTrail = kim nima qildi (audit log), CloudWatch = metrics va monitoring — FARQ MUHIM!
- MFA Root account uchun — imtihon har doim shuni so'raydi
⚠️ Ko'p adashadigan
- RDS OS patchini mijoz boshqaradi deb o'ylash — Xato! RDS managed, OS AWS boshqaradi
- CloudTrail va CloudWatch ni aralashtirib yuborish: Trail=audit, Watch=metrics
- IAM Policy ni IAM Role deb o'ylash. Policy = ruxsatlar, Role = vaqtinchalik identitet
🧠 Eslab qolish: "OF vs IN": AWS = Security OF the cloud (infra), Siz = Security IN the cloud (data+config)
Security & Compliance bo'yicha o'zingizni sinab ko'ring
Bepul interaktiv quiz, mock imtihon va to'liq darslar — CertMaster platformasida.
Bepul boshlash →