Describe multi-factor authentication (MFA).
Differentiate between the AWS Identity and Access Management (IAM) security levels.
Explain the main benefits of AWS Organizations.
Describe security policies at a basic level.
Summarize the benefits of compliance with AWS.
Explain additional AWS security services at a basic level.
Example: EC2 shared responsibility model
AWS is responsible for security OF the cloud - physical facilities, network, hypervisor
Customers are responsible for security IN the cloud
If you do not secure it, that is your fault
If you do not monitor sensitive data, that is your fault
Just know the first model
Patching software on Amazon EC2 instances
Setting permissions for Amazon S3 objects
User permissions and access
such as spinning up EC2 instances, S3 buckets, databases, blockchain services, etc.
Turn on MFA - multi-factor authentication: a randomized token (code) to log in, email
Do not use
AWS Identity and Access Management (AWS IAM)
Principle of least privilege - a user is granted access only to what they need
Assign an IAM policy to an IAM user
IAM policy - it is a JSON document:
{
  "Version": "2012-10-17",
  "Statement": {
    "Effect": "Allow",
    "Action": "s3:ListBucket",
    "Resource": "arn:aws:s3:::coffee_shop_reports"
  }
}
Effect: Allow or Deny
Action: Any AWS API call (e.g. s3:ListBucket)
Resource: Which AWS resource the API call applies to (by ARN)
IAM Group - Attach user to group
AWS IAM
-------
Root User
Users
Groups
Policy
Role
Create an identity in AWS IAM - roles
Associated permissions - allow or deny
Role - assumed for a temporary amount of time
No username or password
Access via temporary credentials that carry the role's permissions
Who can assume AWS roles:
Users
External identities (federated)
Applications
Other AWS services
Avoid creating IAM users by federating users: they use their corporate identity to assume roles.
Permission system that regulates access to AWS resources
Allows you to assign permissions to groups of users
Access auditing using AWS CloudTrail
Integrates with other identity Tech (Microsoft Active Directory)
4 key concepts: Users, Groups, Roles and Policies/Permissions
Users - a specific individual; can receive personal logins
Group - a collection of users
Roles - a collection of policies (e.g. DB Read, DB Write)
Policy - low-level permission to resources (allow or deny)
Use the least-privilege model
Exercise caution when modifying policies
https://www.youtube.com/watch?v=y8cbKJAo3B4
AWS Organizations
It is a central location to consolidate and manage multiple AWS accounts.
Centralized management
Consolidated billing
Hierarchical grouping of accounts into organizational units (OUs)
Access control over AWS services and API actions
SCP - service control policies
Questions
The correct two response options are:
An individual member account
An organizational unit (OU)
In AWS Organizations, you can apply service control policies (SCPs) to the organization root, an individual member account, or an OU. An SCP affects all IAM users, groups, and roles within an account, including the AWS account root user.
You can apply IAM policies to IAM users, groups, or roles. You cannot apply an IAM policy to the AWS account root user.
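How the Effect/Action/Resource fields of an IAM policy combine, and how an SCP sits on top of identity policies (root user included), as an added example that is not from the original notes and not AWS code. It is a small Python model of the evaluation logic: an explicit Deny in any matching statement is final, otherwise an Allow is needed, otherwise the request is implicitly denied; the SCP must also allow the action, and the account root user bypasses identity policies but not the SCP. The two policies are constructed samples, and the matcher handles only Action/Resource wildcards (no Condition, NotAction, or resource-based policies).

```python
import fnmatch
import json

# Constructed identity policy for a coffee-shop reporting user (not a real account).
IDENTITY_POLICY = json.loads("""
{
  "Version": "2012-10-17",
  "Statement": [
    {"Effect": "Allow", "Action": "s3:ListBucket",
     "Resource": "arn:aws:s3:::coffee_shop_reports"},
    {"Effect": "Allow", "Action": "s3:GetObject",
     "Resource": "arn:aws:s3:::coffee_shop_reports/*"},
    {"Effect": "Deny", "Action": "s3:*",
     "Resource": "arn:aws:s3:::coffee_shop_reports/payroll/*"}
  ]
}
""")

# Constructed SCP attached to the member account's OU: only S3 and EC2 may be used at all,
# and nobody in the account (root user included) may delete buckets.
SCP = {
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow", "Action": ["s3:*", "ec2:*"], "Resource": "*"},
        {"Effect": "Deny", "Action": "s3:DeleteBucket", "Resource": "*"},
    ],
}


def _as_list(value):
    """IAM accepts a single string or a list for Statement, Action and Resource."""
    return value if isinstance(value, list) else [value]


def _matches(pattern, value, case_insensitive):
    """IAM wildcard match: '*' is any run of characters, '?' one character."""
    if case_insensitive:  # action names are case-insensitive, ARNs are not
        pattern, value = pattern.lower(), value.lower()
    return fnmatch.fnmatchcase(value, pattern)


def evaluate(policy, action, resource):
    """Decision of one policy document: 'Deny' (explicit), 'Allow', or 'ImplicitDeny'."""
    decision = "ImplicitDeny"
    for stmt in _as_list(policy["Statement"]):
        action_hit = any(_matches(a, action, True) for a in _as_list(stmt.get("Action", [])))
        resource_hit = any(_matches(r, resource, False) for r in _as_list(stmt.get("Resource", [])))
        if action_hit and resource_hit:
            if stmt["Effect"] == "Deny":
                return "Deny"  # an explicit deny in any matching statement is final
            decision = "Allow"
    return decision


def is_allowed(action, resource, identity_policy=None, scp=None, is_root=False):
    """Combine the organization-level SCP with the principal's identity policy.

    The SCP is a guardrail: the request must be allowed (and not denied) by it, and that
    applies to the account root user too. Inside that boundary the root user has full
    access; every other principal needs an Allow from its identity policy."""
    if scp is not None and evaluate(scp, action, resource) != "Allow":
        return False
    if is_root:
        return True
    return identity_policy is not None and evaluate(identity_policy, action, resource) == "Allow"


if __name__ == "__main__":
    bucket = "arn:aws:s3:::coffee_shop_reports"
    for action, res, root in [("s3:ListBucket", bucket, False),
                              ("s3:GetObject", bucket + "/payroll/jan.csv", False),
                              ("s3:DeleteBucket", bucket, True)]:
        print(action, "root" if root else "user",
              is_allowed(action, res, IDENTITY_POLICY, SCP, is_root=root))
```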
AWS Compliance Programs
A set of internal policies and procedures a company follows to comply with laws, rules and regulations, or to uphold its business reputation
Ex. HIPAA
Safeguards medical information
PCI DSS
Applies when you sell things online and handle credit card information
AWS Artifact - compliance reports produced by third-party auditors
White papers
AWS Artifact is a service that provides on-demand access to AWS security and compliance reports and select online agreements. AWS Artifact consists of two main sections: AWS Artifact Agreements and AWS Artifact Reports.
Which tasks can you complete in AWS Artifact? (Select TWO.)
Access AWS compliance reports on-demand.
Review, accept, and manage agreements with AWS.
NOTES:
Consolidate and manage multiple AWS accounts within a central location- This task can be completed in AWS Organizations.
Create users to enable people and applications to interact with AWS services and resources- This task can be completed in AWS Identity and Access Management (IAM).
Set permissions for accounts by configuring service control policies (SCPs)- This task can be completed in AWS Organizations.
How do we prove AWS meets a compliance requirement?
Go into AWS Artifact and choose the package or artifact; it generates a PDF, and within this PDF you click a link to get the files you want
AWS Shield Standard
AWS Shield Standard automatically protects all AWS customers at no cost. It protects your AWS resources from the most common, frequently occurring types of DDoS attacks.
As network traffic comes into your applications, AWS Shield Standard uses a variety of analysis techniques to detect malicious traffic in real time and automatically mitigates it.
AWS Shield Advanced
AWS Shield Advanced is a paid service that provides detailed attack diagnostics and the ability to detect and mitigate sophisticated DDoS attacks.
It also integrates with other services such as Amazon CloudFront, Amazon Route 53, and Elastic Load Balancing. Additionally, you can integrate AWS Shield with AWS WAF by writing custom rules to mitigate complex DDoS attacks.
Slowloris attack - Elastic Load Balancing absorbs it, since it only forwards complete requests to the instances behind it
Well-architected system -
Additional Security Services
AWS Key Management Service (AWS KMS)
The coffee shop has many items, such as coffee machines, pastries, money in the cash registers, and so on. You can think of these items as data. The coffee shop owners want to ensure that all of these items are secure, whether they’re sitting in the storage room or being transported between shop locations.
In the same way, you must ensure that your applications’ data is secure while in storage (encryption at rest) and while it is transmitted, known as encryption in transit.
AWS Key Management Service (AWS KMS) enables you to perform encryption operations through the use of cryptographic keys. A cryptographic key is a random string of digits used for locking (encrypting) and unlocking (decrypting) data. You can use AWS KMS to create, manage, and use cryptographic keys. You can also control the use of keys across a wide range of services and in your applications.
With AWS KMS, you can choose the specific levels of access control that you need for your keys. For example, you can specify which IAM users and roles are able to manage keys. Alternatively, you can temporarily disable keys so that they are no longer in use by anyone. Your keys never leave AWS KMS, and you are always in control of them.
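Envelope encryption is how applications use KMS without the key ever leaving the service: the application asks KMS for a data key, gets it back in plaintext plus a copy wrapped under the master key, encrypts the data locally, discards the plaintext data key, and stores only the ciphertext and the wrapped key. The block below is an added example, not from the original notes and not AWS code. A stand-in `FakeKms` class (this example's assumption, not the boto3 client) plays the service: it keeps the master key internal, mimics `GenerateDataKey` and `Decrypt`, and refuses both once the key is disabled, which is the "temporarily disable keys" control above. The cipher is an HMAC-SHA256 keystream with an encrypt-then-MAC tag, chosen only so the block runs on the standard library; a real deployment would use AES-GCM through the AWS Encryption SDK.

```python
import hashlib
import hmac
import os
import struct


def _subkey(key: bytes, label: bytes) -> bytes:
    """Derive separate encryption and MAC keys from one key (domain separation)."""
    return hmac.new(key, label, hashlib.sha256).digest()


def _keystream_xor(key: bytes, nonce: bytes, data: bytes) -> bytes:
    """CTR-style stream cipher using HMAC-SHA256 as the PRF; XORs a keystream over data."""
    out = bytearray()
    for block, start in enumerate(range(0, len(data), 32)):
        ks = hmac.new(key, nonce + struct.pack(">I", block), hashlib.sha256).digest()
        out += bytes(a ^ b for a, b in zip(data[start:start + 32], ks))
    return bytes(out)


def seal(key: bytes, plaintext: bytes) -> bytes:
    """Encrypt-then-MAC: nonce || ciphertext || tag, so tampering is caught before decryption."""
    nonce = os.urandom(16)
    ciphertext = _keystream_xor(_subkey(key, b"enc"), nonce, plaintext)
    tag = hmac.new(_subkey(key, b"mac"), nonce + ciphertext, hashlib.sha256).digest()
    return nonce + ciphertext + tag


def open_sealed(key: bytes, blob: bytes) -> bytes:
    nonce, ciphertext, tag = blob[:16], blob[16:-32], blob[-32:]
    expected = hmac.new(_subkey(key, b"mac"), nonce + ciphertext, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, tag):
        raise ValueError("authentication failed: ciphertext or wrapped key was modified")
    return _keystream_xor(_subkey(key, b"enc"), nonce, ciphertext)


class FakeKms:
    """Stand-in for AWS KMS (an assumption of this example, not the boto3 client).

    The customer master key (CMK) lives only inside this object: callers receive data
    keys, never the CMK, and disabling the key stops both new data keys and unwrapping."""

    def __init__(self):
        self._keys = {}  # key_id -> {"cmk": bytes, "enabled": bool}

    def create_key(self) -> str:
        key_id = os.urandom(8).hex()
        self._keys[key_id] = {"cmk": os.urandom(32), "enabled": True}
        return key_id

    def disable_key(self, key_id: str) -> None:
        self._keys[key_id]["enabled"] = False

    def enable_key(self, key_id: str) -> None:
        self._keys[key_id]["enabled"] = True

    def _cmk(self, key_id: str) -> bytes:
        entry = self._keys[key_id]
        if not entry["enabled"]:
            raise PermissionError(f"key {key_id} is disabled")
        return entry["cmk"]

    def generate_data_key(self, key_id: str):
        """Like KMS GenerateDataKey: (plaintext data key, data key wrapped under the CMK)."""
        data_key = os.urandom(32)
        return data_key, seal(self._cmk(key_id), data_key)

    def decrypt(self, key_id: str, wrapped_data_key: bytes) -> bytes:
        """Like KMS Decrypt: unwraps a data key; the CMK itself is never returned."""
        return open_sealed(self._cmk(key_id), wrapped_data_key)


def encrypt_record(kms: FakeKms, key_id: str, plaintext: bytes) -> dict:
    """Envelope encryption: encrypt locally with a fresh data key, keep only the wrapped key."""
    data_key, wrapped = kms.generate_data_key(key_id)
    ciphertext = seal(data_key, plaintext)
    del data_key  # the plaintext data key is used once and discarded
    return {"key_id": key_id, "wrapped_data_key": wrapped, "ciphertext": ciphertext}


def decrypt_record(kms: FakeKms, record: dict) -> bytes:
    """Ask KMS to unwrap the data key, then decrypt the payload locally."""
    data_key = kms.decrypt(record["key_id"], record["wrapped_data_key"])
    return open_sealed(data_key, record["ciphertext"])
```

Because only the wrapped data key is stored next to the ciphertext, a stolen database dump is useless without a KMS `Decrypt` call, which is exactly where the key policy and IAM permissions on the master key (and CloudTrail logging of its use) apply.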
AWS WAF
AWS WAF is a web application firewall that lets you monitor network requests that come into your web applications.
AWS WAF works together with Amazon CloudFront and an Application Load Balancer. Recall the network access control lists that you learned about in an earlier module. AWS WAF works in a similar way to block or allow traffic. However, it does this by using a web access control list (ACL) to protect your AWS resources.
Server-side encryption at rest is enabled on DynamoDB tables
It integrates with AWS Key Management Service (AWS KMS)
In transit - encryption with SSL/TLS and an SSL certificate, e.g. a SQL client connecting to Redshift
Amazon Inspector
Suppose that the developers at the coffee shop are developing and testing a new ordering application. They want to make sure that they are designing the application in accordance with security best practices. However, they have several other applications to develop, so they cannot spend much time conducting manual assessments. To perform automated security assessments, they decide to use Amazon Inspector.
Amazon Inspector helps to improve the security and compliance of applications by running automated security assessments. It checks applications for security vulnerabilities and deviations from security best practices, such as open access to Amazon EC2 instances and installations of vulnerable software versions.
After Amazon Inspector has performed an assessment, it provides you with a list of security findings. The list prioritizes by severity level, including a detailed description of each security issue and a recommendation for how to fix it. However, AWS does not guarantee that following the provided recommendations resolves every potential security issue. Under the shared responsibility model, customers are responsible for the security of their applications, processes, and tools that run on AWS services.
Amazon GuardDuty
Amazon GuardDuty is a service that provides intelligent threat detection for your AWS infrastructure and resources. It identifies threats by continuously monitoring the network activity and account behavior within your AWS environment.
After you have enabled GuardDuty for your AWS account, GuardDuty begins monitoring your network and account activity. You do not have to deploy or manage any additional security software. GuardDuty then continuously analyzes data from multiple AWS sources, including VPC Flow Logs and DNS logs.
If GuardDuty detects any threats, you can review detailed findings about them from the AWS Management Console. Findings include recommended steps for remediation. You can also configure AWS Lambda functions to take remediation steps automatically in response to GuardDuty’s security findings.
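What "analyzing VPC Flow Logs" looks like in practice, as an added example that is not from the original notes and not GuardDuty's own logic: a small Python detector that parses records in the default VPC Flow Logs version 2 format and raises a port-scan finding when one source is rejected on many distinct ports of one target, with higher severity when the source is outside RFC 1918 space. The log lines are constructed samples, and the finding layout and recommendation text are this example's own, not GuardDuty finding types.

```python
import ipaddress
from collections import defaultdict

# Field order of the default VPC Flow Logs (version 2) format.
FLOW_LOG_FIELDS = ("version account-id interface-id srcaddr dstaddr srcport dstport "
                   "protocol packets bytes start end action log-status").split()

RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Constructed sample records (not real traffic): an external host probing six ports on
# 10.0.1.25 and being rejected by the security group, one normal HTTPS session, and an
# internal host that hit two closed ports.
SAMPLE_FLOW_LOGS = """\
2 111122223333 eni-0a1b2c3d 198.51.100.7 10.0.1.25 40211 22 6 3 180 1700000000 1700000030 REJECT OK
2 111122223333 eni-0a1b2c3d 198.51.100.7 10.0.1.25 40212 23 6 3 180 1700000000 1700000030 REJECT OK
2 111122223333 eni-0a1b2c3d 198.51.100.7 10.0.1.25 40213 25 6 3 180 1700000001 1700000031 REJECT OK
2 111122223333 eni-0a1b2c3d 198.51.100.7 10.0.1.25 40214 80 6 3 180 1700000001 1700000031 REJECT OK
2 111122223333 eni-0a1b2c3d 198.51.100.7 10.0.1.25 40215 443 6 3 180 1700000002 1700000032 REJECT OK
2 111122223333 eni-0a1b2c3d 198.51.100.7 10.0.1.25 40216 3389 6 3 180 1700000002 1700000032 REJECT OK
2 111122223333 eni-0a1b2c3d 10.0.2.9 10.0.1.25 51000 443 6 120 98000 1700000000 1700000060 ACCEPT OK
2 111122223333 eni-0a1b2c3d 10.0.3.4 10.0.1.25 52000 22 6 2 120 1700000005 1700000035 REJECT OK
2 111122223333 eni-0a1b2c3d 10.0.3.4 10.0.1.25 52001 23 6 2 120 1700000005 1700000035 REJECT OK
"""


def parse_flow_log(line: str) -> dict:
    """Split one default-format record into named fields; reject malformed lines loudly."""
    fields = line.split()
    if len(fields) != len(FLOW_LOG_FIELDS):
        raise ValueError(f"unexpected field count {len(fields)}: {line!r}")
    return dict(zip(FLOW_LOG_FIELDS, fields))


def is_internal(addr: str) -> bool:
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in RFC1918)


def find_port_scans(lines, min_ports: int = 5):
    """Flag a source that was REJECTED on at least `min_ports` distinct ports of one target."""
    rejected_ports = defaultdict(set)
    for line in lines:
        if not line.strip():
            continue
        rec = parse_flow_log(line)
        if rec["action"] == "REJECT":
            rejected_ports[(rec["srcaddr"], rec["dstaddr"])].add(int(rec["dstport"]))

    findings = []
    for (src, dst), ports in sorted(rejected_ports.items()):
        if len(ports) < min_ports:
            continue
        findings.append({
            "type": "PortScan",  # example label, not a GuardDuty finding type
            "severity": "MEDIUM" if is_internal(src) else "HIGH",
            "source": src,
            "target": dst,
            "ports": sorted(ports),
            # The kind of step an automated Lambda remediation could carry out.
            "recommendation": f"Deny {src}/32 inbound in the subnet network ACL and review {dst}",
        })
    return findings


if __name__ == "__main__":
    for finding in find_port_scans(SAMPLE_FLOW_LOGS.splitlines()):
        print(finding)
```

The threshold matters: with `min_ports=2` the internal host at 10.0.3.4 is also flagged, which is the trade-off between catching slow scans and paging on noise that a managed service tunes for you.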
Which statement best describes an IAM policy?
A document that grants or denies permissions to AWS services and resources
Note:
An IAM role is an identity that you can assume to gain temporary access to permissions.
An employee requires temporary access to create several Amazon S3 buckets. Which option would be the best choice for this task?
IAM Role
Although you can attach IAM policies to an IAM group,
Question
Granting only the permissions that are needed to perform specific tasks
Question
AWS Shield
As network traffic comes into your applications, AWS Shield uses a variety of analysis techniques to detect potential DDoS attacks in real time and automatically mitigates them.
Question
Which task can AWS Key Management Service (AWS KMS) perform?
Create cryptographic keys.