VPC Endpoints
Connect to AWS using a private network
VPC Endpoint Gateway: S3 and DynamoDB
VPC Endpoint Interface: The rest
AWS Private Link (v)
Powers AWS endpoints
Most secure and scalable way to expose a service to 1000s of VPCs
Requires NLB/ENI
Site to Site VPN
Goes over the public internet
Auto encrypted
On premise (Customer Gateway) and AWS (VP Gateway)
Inter
DIrect-Connect
Physical connection between on-premises and VPN
Private and secure
AWS Client VPN (v)
- OpenVPN to your private network in AWS and on-premises data center
- **Allows you to connect to your EC2 instances over a private IP **
- Goes over the public internet
Transit Gateway
Transitive peering between thousands of VPC and on-premises
One single gateway to provide this functionality
Works with direct connect gateway and VPN connections
Shared Responsibility model for security (AWS)
- protecting infrastructure
- managed services like S3 and DynamoDB
Shared Responsibility model for security (Customer)
- EC2 instances (management of guest OS: security patches and updates)
- Firewall and network configuration
- IAM
- Encrypting application data
Shared control
- Patch management
- Configuration management
- Awareness and training
RDS (AWS responsibility)
- manages underlying EC2 instances and disable SSH access
- Automated DB/OS patching
- Audit the underlying instances and disk and guarantee its functions
RDS (Your Responsibility)
- Check ports / IP / Security group inbound rules in DB’s SG
- In database user creation and permissions
- Creating a DB with or without public access
- Ensure parameter groups or DB configuration to only allow SSL connections
- DB encryption settings
S3 (AWS)
- Guarantee you get unlimited storage
- Guarantee you get encryption
- Ensure the separation of data between customers
S3 (You)
- Bucket configuration
- Bucket policy/Public settings
- IAM user roles
- Enable encryption
AWS Shield Standard
- DDoS Protection
- Website and applications for all customers at no additional cost
- Cloud Front and Route 53
AWS Shield Advanced
24/7 premium DDoS Protection
AWS WAF
- Filter specific requests based on the rules
- Layer 7
- Common web exploits
- Deploy ALB, API gateway and CloudFront
- Define Web ACL: Geo-matching, rate based rules, IP addresses, HTTP, URI
AWS Network Firewall
- Protect VPC (layers 3-7)
- Inspect all aspects of VPC
AWS Firewall Manager (V)
- Manages security rules in all accounts
- Security policies: Manages all security measures
Penetration testing
- Clients may conduct penetration testing on 8 services
- DNS walking, DDoS, port flooding is not allowed
- EC2 (NAT Gateways, ELB), RDS, CloudFront, Aurora, API Gateway, Lambda, Lightsail, Elastic Beanstalk
AWS KMS
- Opt-in: EBS, S3, Redshift, RDS, EFS
- Automatically enabled: Cloudtrail logs, S3 Glacier, Storage Gateway
- types:
Customer managed keys, AWS managed keys, AWS owned keys, HSM (Crypto operations are performed within HSM cluster)
AWS Certificate Manager
- Lets you deploy SSL/TLS certificate
- Supports public and private TLS certificate
- Automatically renewed
AWS secrets manager
- Force rotation of secrets every X days (Lambda)
- Mostly for RDS integration
AWS artifact
- On demand access to AWS compliance document and AWS agreements
AWS GuardDuty
- Monitors CTS for malicious activity and unauthorized behavior
- VPC flow logs, Cloudtrail logs, S3, EBS and sends to Eventbridge and sent to SNS and Lambda
