
AWS Security and Compliance

AWS Review Notes Table of Contents

Understanding the Shared Responsibility Model

  • In the public cloud, there is a shared security responsibility between you and AWS.

  • AWS is responsible for protecting and securing their infrastructure.

    • AWS is responsible for its global infrastructure elements: Regions, edge locations, and Availability Zones.
    • Building security. AWS controls access to its data centers where your data resides.
    • AWS maintains networking components: generators, uninterruptible power supply (UPS) systems, computer room air conditioning (CRAC) units, fire suppression systems, and more.
    • AWS is responsible for any managed service like RDS, S3, ECS, or Lambda, patching of host operating systems, and data access endpoints.
  • You are responsible for how the services are implemented and managing your application data.

    • Application data. You are responsible for managing your application data, which includes encryption options.
    • Security Configuration. You are responsible for securing your account and API calls, rotating credentials, restricting internet access from your VPCs, and more.
    • Patching. You are responsible for the guest operating system (OS), which includes updates and security patches.
    • Identity and Access Management. You are responsible for application security and identity and access management.
    • Network Traffic. You are responsible for network traffic protection, which includes security group firewall configuration.
    • Installed software. You are responsible for the applications and other software you install on your instances, including keeping them updated and patched.
  • EC2 Shared Responsibility Model

    • Customer
      • Installed applications
      • Patching the guest operating system
      • Security controls
    • AWS
      • EC2 service
      • Patching the host operating system
      • Security of the physical server
  • Lambda Shared Responsibility Model

    • Customer
      • Security of code
      • Storage of sensitive data
      • IAM for permissions
    • AWS
      • Lambda service
      • Upgrading Lambda languages
      • Lambda endpoints
      • Operating system
      • Underlying infrastructure
      • Software dependencies
  • Which security responsibilities are shared?

    • Patch Management

      • AWS: Patching infrastructure
      • Customer: Patching guest OS and applications
    • Configuration Management

      • AWS: Configuring infrastructure devices
      • Customer: Configuring databases and applications
    • Awareness and Training

      • AWS: AWS Employees
      • Customer: Customer Employees.
    • How do I report abuse of AWS resources? Contact the AWS Trust & Safety team using the Report Amazon AWS abuse form or by contacting [email protected].

  • Study for the Exam

    • Shared Responsibility Model
      • Going into the exam, remember what you are responsible for and what AWS is responsible for.

Leveraging the Well-Architected Framework

  • The 6 pillars of the Well-Architected Framework describe design principles and best practices for running workloads in the cloud.

  • Here are a few examples of applying best practices and design principles from the 6 pillars of the Well-Architected Framework in the real world.

    • Operational Excellence
      • You can use AWS CodeCommit for version control to enable tracking of code changes and to version-control CloudFormation templates of your infrastructure.
    • Security
      • You can configure central logging of all actions performed in your account using CloudTrail.
    • Reliability
      • You can use Multi-AZ deployments for enhanced availability and reliability of RDS databases.
    • Performance Efficiency
      • You can use AWS Lambda to run code with zero administration.
    • Cost Optimization
      • You can use S3 Intelligent-Tiering to automatically move your data between access tiers based on your usage patterns.
    • Sustainability
      • You can use EC2 Auto Scaling to ensure you are maximizing utilization.

Understanding IAM Users

Identity and Access Management (IAM)

IAM allows you to control access to your AWS services and resources through permissions, roles, and MFA.

  • Helps you secure your cloud resources
  • You define who has access
  • You define what they can do
  • A free global service
  • Identities vs Access
    • Identities. Who can access your resources
      • Root user
      • Individual users
      • Groups
      • Roles
    • Access. What resources they can access
      • Policies
      • AWS managed policies
      • Customer managed policies
      • Permissions boundaries

Authentication (Who) vs Authorization (What)

  • Authentication is where you present your identity (username) and provide verification (password).
  • Authorization determines which services and resources the authenticated identity has access to.

Users are entities you create in IAM to represent the person or application needing to access your AWS resources.

  • The root user is created when you first open your AWS account.

  • What can only the root user do?

    • Close your account
    • Change email address
    • Modify your support plan
  • Individual users are created in IAM and are used for everyday tasks.

  • What can individual users do?

    • Perform administrative tasks
    • Access application code
    • Launch EC2 instances
    • Configure databases
  • Did you know applications can be users?

  • You'll create a user in IAM so you can generate access keys for an application running on-premises that needs access to your cloud resources.

  • Don't forget activity performed by users in your account is billed to your account!

  • The principle of least privilege involves giving a user the minimum access required to get the job done.

    • Create access keys for an IAM user that needs access to the AWS CLI. The AWS Command Line Interface (CLI) allows you to access resources in your AWS account through a terminal or command window. Access keys are needed when using the CLI and can be generated using IAM.

Groups

A group is a collection of IAM users that helps you apply common access controls to all group members.

  • Administrators perform administrative tasks such as creating new users.
  • Developers use compute and database services to build applications.
  • Analysts run budget and usage reports.

  • Note: Do not confuse security groups for EC2 with IAM groups. EC2 security groups act as firewalls, while IAM groups are collections of users.

  • Key Takeaways - Groups

    • Used to group users that perform similar tasks.
    • Access permissions apply to all members of the group.
    • Access is assigned using policies and roles.
  • Apply the same access controls to a large set of users. Groups save you time by allowing you to apply the same access permissions to more than one user at once. When a user no longer needs access, they can be removed from the group.

  • Studying for the Exam

    • Users and groups
      • Going into the exam, understand the differences between users and groups.
    • Root user tasks
      • Remember the tasks that only the root user can do.
    • Principle of least privilege
      • Don't forget about the principle of least privilege.
    • Real-world use cases
      • Don't forget the real-world use cases for IAM.

Understanding IAM Permissions

Roles

Roles define access permissions and are temporarily assumed by an IAM user or service.

  • You assume a role to perform a task in a single session.

  • Assumed by any user or service that needs it.

  • Access is assigned using policies.

  • You grant users in one AWS account access to resources in another AWS account.

  • You can attach a role to an instance that provides privileges (e.g., uploading files to S3) to applications running on the instance. Roles help you avoid sharing long-term credentials like access keys and protect your instances from unauthorized access.

Policies

You manage permissions for IAM users, groups, and roles by creating a policy document in JSON format and attaching it.

  • You can add a bucket access policy directly to an Amazon S3 bucket to grant IAM users access permissions for the bucket and the objects in it.
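The policy documents described above follow a fixed evaluation order: an explicit Deny always wins, then any matching Allow grants access, and anything not matched is implicitly denied. The following is an added example, not code from the original notes, that evaluates that logic offline for a small subset of the policy grammar (Effect, Action, Resource only; no Condition, NotAction/NotResource, or Principal, so it does not model bucket policies or the real policy simulator). The two policy documents and the bucket names are constructed for the example; the `app-uploads` developer policy shows least privilege, and the guardrail Deny shows how a Deny overrides an Allow that would otherwise apply.

```python
"""Offline evaluator for a simplified subset of IAM identity-policy logic.

Added example (not the project's own code). Models the documented order:
explicit Deny wins, then any matching Allow, otherwise implicit deny. Only
Effect/Action/Resource are handled; Condition, NotAction, NotResource and
Principal are ignored, so this is a teaching aid, not the policy simulator.
"""
import fnmatch
import json


def _as_list(value):
    """IAM accepts a string or a list in Action/Resource; normalize to a list."""
    return value if isinstance(value, list) else [value]


def _any_match(patterns, value):
    """IAM wildcards: '*' matches any sequence, '?' matches one character."""
    return any(fnmatch.fnmatchcase(value, p) for p in patterns)


def evaluate(policies, action, resource):
    """Return 'Deny', 'Allow' or 'ImplicitDeny' for one (action, resource)."""
    allowed = False
    for doc in policies:
        for stmt in _as_list(doc["Statement"]):
            # Action names are case-insensitive; ARNs are compared as written.
            actions = [a.lower() for a in _as_list(stmt.get("Action", []))]
            resources = _as_list(stmt.get("Resource", []))
            if not _any_match(actions, action.lower()):
                continue
            if not _any_match(resources, resource):
                continue
            if stmt["Effect"] == "Deny":
                return "Deny"  # an explicit Deny ends evaluation immediately
            allowed = True
    return "Allow" if allowed else "ImplicitDeny"


# Constructed sample: a least-privilege developer policy (read/write only
# in one bucket prefix, read-only EC2 describes) ...
DEVELOPER_POLICY = json.loads("""{
  "Version": "2012-10-17",
  "Statement": [
    {"Effect": "Allow",
     "Action": ["s3:GetObject", "s3:PutObject"],
     "Resource": "arn:aws:s3:::app-uploads/*"},
    {"Effect": "Allow",
     "Action": "ec2:Describe*",
     "Resource": "*"}
  ]
}""")

# ... plus a guardrail that forbids the private prefix no matter what else
# is granted, which is the Deny-overrides-Allow rule in action.
GUARDRAIL_POLICY = json.loads("""{
  "Version": "2012-10-17",
  "Statement": [
    {"Effect": "Deny",
     "Action": "s3:*",
     "Resource": "arn:aws:s3:::app-uploads/private/*"}
  ]
}""")

POLICIES = [DEVELOPER_POLICY, GUARDRAIL_POLICY]

if __name__ == "__main__":
    instance = "arn:aws:ec2:us-east-1:123456789012:instance/i-0123"  # constructed
    for action, resource in [
        ("s3:GetObject", "arn:aws:s3:::app-uploads/photo.png"),
        ("s3:GetObject", "arn:aws:s3:::app-uploads/private/ssn.csv"),
        ("s3:DeleteObject", "arn:aws:s3:::app-uploads/photo.png"),
        ("ec2:DescribeInstances", instance),
        ("ec2:TerminateInstances", instance),
    ]:
        print(f"{action:22} {resource:48} -> {evaluate(POLICIES, action, resource)}")
```

Running the block prints one decision per request. The useful habit it illustrates is to write the Deny guardrail separately from the Allow statements and then check that the Allow you intended still works, since a Deny that is too broad silently breaks the application, while an Allow that is too broad is what least privilege is meant to prevent.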

IAM Best Practices

  • Enable MFA for privileged users.
    • You should enable multi-factor authentication (MFA) for the root user and other administrative users.
  • Implement strong password policies.
    • You should require IAM users to change their passwords after a specified period of time, prevent users from reusing previous passwords, and rotate security credentials regularly.
  • Create individual users instead of using root.
    • You shouldn't use the root user for daily tasks.
  • Use roles for Amazon EC2 instances.
    • You should use roles for applications that run on EC2 instances instead of long-term credentials like access keys.

IAM Credential Report

The IAM credential report lists all users in your account and the status of their various credentials.

  • Lists all users and status of passwords, access keys, and MFA devices

  • Used for auditing and compliance
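The credential report is a CSV, which makes the auditing use case above easy to automate: check every row for the IAM best practices the notes list (MFA on console users, no root access keys, regular rotation). The following is an added example, not code from the original notes. The report text is constructed to look like a real report: it keeps a subset of the real columns (`user`, `arn`, `password_enabled`, `mfa_active`, `access_key_1_active`, `access_key_1_last_rotated`, ...) and the report's own conventions of `true`/`false` flags, `N/A`, `not_supported` or `no_information` where a value does not apply, and `<root_account>` for the root user. The 90-day thresholds and the fixed "now" are assumptions chosen for the example.

```python
"""Audit an IAM credential report for the hygiene items the notes list.

Added example (not the project's own code). SAMPLE_REPORT is constructed;
it uses a subset of the real report columns and the report's own value
conventions. NOW is fixed so the results are deterministic.
"""
import csv
import io
from datetime import datetime, timezone

SAMPLE_REPORT = """\
user,arn,user_creation_time,password_enabled,password_last_used,password_last_changed,mfa_active,access_key_1_active,access_key_1_last_rotated,access_key_1_last_used_date
<root_account>,arn:aws:iam::123456789012:root,2021-01-10T09:00:00+00:00,not_supported,2024-05-01T12:00:00+00:00,not_supported,true,true,2021-01-10T09:05:00+00:00,2024-04-30T08:00:00+00:00
alice,arn:aws:iam::123456789012:user/alice,2022-03-01T10:00:00+00:00,true,2024-05-20T11:00:00+00:00,2024-04-01T10:00:00+00:00,true,true,2024-04-15T10:00:00+00:00,2024-05-19T07:00:00+00:00
bob,arn:aws:iam::123456789012:user/bob,2022-06-01T10:00:00+00:00,true,2024-05-18T09:00:00+00:00,2022-06-01T10:00:00+00:00,false,false,N/A,N/A
ci-deploy,arn:aws:iam::123456789012:user/ci-deploy,2023-01-05T10:00:00+00:00,false,no_information,N/A,false,true,2023-01-05T10:05:00+00:00,N/A
"""

# Constructed "current time" so the age checks below are reproducible.
NOW = datetime(2024, 6, 1, tzinfo=timezone.utc)


def parse_report(csv_text):
    """One dict per row, keyed by the report's header names."""
    return list(csv.DictReader(io.StringIO(csv_text)))


def _ts(value):
    """Report timestamps are ISO 8601; any non-date (N/A etc.) means 'none'."""
    try:
        return datetime.fromisoformat(value)
    except ValueError:
        return None


def audit(rows, now, max_key_age_days=90, max_password_age_days=90):
    """Return (user, finding_code) pairs for every best-practice violation."""
    findings = []
    for row in rows:
        user = row["user"]
        if user == "<root_account>":
            # Root should have MFA and should not hold long-term access keys.
            if row["access_key_1_active"] == "true":
                findings.append((user, "ROOT_ACCESS_KEY_ACTIVE"))
            if row["mfa_active"] != "true":
                findings.append((user, "ROOT_NO_MFA"))
            continue
        if row["password_enabled"] == "true":
            # Console users: MFA required, password rotated within the limit.
            if row["mfa_active"] != "true":
                findings.append((user, "CONSOLE_USER_NO_MFA"))
            changed = _ts(row["password_last_changed"])
            if changed and (now - changed).days > max_password_age_days:
                findings.append((user, "PASSWORD_STALE"))
        if row["access_key_1_active"] == "true":
            # Access keys: rotated within the limit and actually in use.
            rotated = _ts(row["access_key_1_last_rotated"])
            if rotated and (now - rotated).days > max_key_age_days:
                findings.append((user, "ACCESS_KEY_STALE"))
            if _ts(row["access_key_1_last_used_date"]) is None:
                findings.append((user, "ACCESS_KEY_NEVER_USED"))
    return findings


def run_audit():
    """Audit the constructed sample report against the fixed NOW."""
    return audit(parse_report(SAMPLE_REPORT), NOW)


if __name__ == "__main__":
    for user, code in run_audit():
        print(f"{user:16} {code}")
```

On a real account the CSV comes from `aws iam generate-credential-report` followed by `aws iam get-credential-report`, whose `Content` field is the base64-encoded report; decode it and pass the text to `parse_report`. The real report has further columns (a second access key, signing certificates) that the same pattern covers.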

  • Studying for the Exam

    • Users, groups, roles, and policies
      • Going into the exam, understand the differences between users, groups, roles, and policies.
    • IAM best practices
      • Don't forget to familiarize yourself with IAM best practices.
    • Real-world use cases
      • Don't forget the real-world use cases for IAM.
    • IAM credential report
      • Don't forget the importance of the IAM credential report.

Exploring Application Security Services

AWS has several software-based security tools available to help you monitor and protect your resources.

Firewall

  • Firewalls prevent unauthorized access to your networks by inspecting incoming and outgoing traffic against security rules you've defined.

WAF (Web Application Firewall)

WAF helps protect your web applications against common web attacks.

  • Protects apps against common attack patterns
  • Protects against cross-site scripting
  • Protects against SQL injection
  • You can deploy a web application directly to an EC2 instance and protect it from cross-site scripting attacks using WAF. You can even deploy WAF on CloudFront as part of your CDN solution to block malicious traffic.

Distributed Denial of Service (DDoS)

  • A DDoS attack causes a traffic jam on a website or web application in an attempt to cause it to crash.

Shield
Shield is a managed Distributed Denial of Service (DDoS) protection service.

  • Always-on detection
  • Shield Standard is free
    • Provides free protection against common and frequently occurring attacks
  • Shield Advanced is a paid service
    • Provides enhanced protections and 24/7 access to AWS experts for a fee
  • DDoS protection via Shield Advanced is supported on several services.
    • CloudFront
    • Route 53
    • Elastic Load Balancing
    • AWS Global Accelerator
  • Shield Advanced will give you notifications of DDoS attacks via CloudWatch metrics. Additionally, with Shield Advanced, you have 24/7 access to AWS experts to assist during an attack.

Macie

Macie helps you discover and protect sensitive data.

  • Uses machine learning

  • Evaluates your S3 environment

  • Uncovers personally identifiable information (PII)

  • Macie can be used to find sensitive data like passport numbers, social security numbers, and credit card numbers on S3.

  • Studying for the Exam

    • WAF
      • Going into the exam, don't forget WAF protects against SQL injection and cross-site scripting attacks.
    • Shield
      • Don't forget Shield provides DDoS protection and works with CloudFront, Route 53, Elastic Load Balancing, and AWS Global Accelerator.
    • Macie
      • Remember that Macie helps you find sensitive information.

Exploring Additional Security Services

Config

Config allows you to assess, audit, and evaluate the configurations of your resources.

  • Track configuration changes over time
  • Notifications via Simple Notification Service (SNS) of every configuration change
  • Delivers configuration history file to S3
  • Config allows you to record configuration changes within your EC2 instances. You can view network, software, and operating system (OS) configuration changes, system-level updates, and more.

GuardDuty

GuardDuty is an intelligent threat detection system that uncovers unauthorized behavior.

  • Uses machine learning
  • Built-in detection for EC2, S3, and IAM
  • Reviews CloudTrail, VPC Flow Logs, and DNS logs
  • GuardDuty's anomaly detection feature evaluates all API requests in your account and identifies events that are associated with common techniques used by attackers.

Inspector

Inspector works with EC2 instances to uncover and report vulnerabilities.

  • Agent installed on EC2 instance
  • Reports vulnerabilities found
  • Checks access from the internet, remote root login, vulnerable software versions, etc.
  • Inspector has several built-in rules to assess your EC2 instances, find vulnerabilities, and report them prioritized by level of severity.

Artifact

Artifact offers on-demand access to AWS security and compliance reports.

  • Central repository for compliance reports from third-party auditors
  • Service Organization Controls (SOC) reports
  • Payment Card Industry (PCI) reports
  • Artifact provides a central repository for AWS' security and compliance reports via a self-service portal.

Cognito

Cognito helps you control access to mobile and web applications.

  • Provides authentication and authorization

  • Helps you manage users

  • Assists with user sign-up and sign-in

  • Cognito provides functionality that allows your users to sign in to your application through social media accounts like Facebook and Google.

  • Studying for the Exam

    • Config
      • Remember that Config allows you to identify changes to various resources over time.
    • GuardDuty
      • Don't forget GuardDuty identifies malicious or unauthorized activities in your AWS account.
    • Inspector
      • Don't forget Inspector only works for EC2 instances.
    • Artifact
      • Don't forget Artifact provides you with compliance reports.
    • Cognito
      • Don't forget Cognito controls access to mobile and web applications.

Utilizing Data Encryption and Secrets Management Services

Data encryption encodes data so it cannot be read by unauthorized users.

  • Data in-flight
    • Data that is moving from one location to another
  • Data at rest
    • Data that is inactive or stored for later use

Key Management Service (KMS)

KMS allows you to generate and store encryption keys.

  • Key generator
  • Store and control keys
  • AWS manages encryption keys
  • Automatically enabled for certain services
  • When you create an encrypted Amazon EBS volume, you're able to specify a KMS customer master key.

CloudHSM

CloudHSM is a hardware security module (HSM) used to generate encryption keys.

  • Dedicated hardware for security
  • Generate and manage your own encryption keys
  • AWS does not have access to your keys
  • CloudHSM allows you to meet corporate, contractual, and regulatory compliance requirements for data security by using dedicated hardware in the cloud.

Secrets Manager

Secrets Manager allows you to manage and retrieve secrets (passwords or keys).

  • Rotate, manage, and retrieve secrets

  • Encrypt secrets at rest

  • Integrates with services like RDS, Redshift, and DocumentDB

  • Secrets Manager allows you to retrieve database credentials with a call to Secrets Manager APIs, removing the need to hardcode sensitive information in plain text within your application code.

  • Studying for the Exam

    • KMS
      • Going into the exam, don't forget AWS manages KMS keys.
    • CloudHSM
      • Don't forget you manage the keys generated with CloudHSM.
    • Secrets Manager
      • Don't forget Secrets Manager has built-in integration for RDS, Redshift, and DocumentDB.
