List Security and Compliance Domain
- 25% of the exam
- Define the AWS shared responsibility model
- Define the AWS cloud security and compliance concepts
- Identify AWS access management capabilities
- Identify resources for receiving security-related support
Older IT Security Processes
- Server rooms secured with key cards
- Off-site data centers
- Lots of security devices and people
- Difficult to access
What is the Shared Responsibility Model?
AWS’s security of the cloud vs Customer’s responsibility in the cloud
- Security of cloud computing infrastructures and data is a shared responsibility between the customer and AWS
- AWS (Security of the Cloud, protecting the infrastructure) - Physical security of data centers hosting the AWS cloud, security of hardware, software, networking etc that runs the cloud computing services.
- Customer (Security in the cloud, protecting varying levels of security functions depending on cloud services used)
- Protecting customer data and data encryption
- Identity and Access Management
- Patching operating systems of VMs
- Configuring firewalls
- Data encryption
Pillars of Security
- Identity and Access Management (IAM)
- Detective Controls
- Infrastructure Protection
- Data protection
- Incident Response
Data should be secure when __ ___ & __ _____
At Rest
In Transit
Principle of Least Privilege
Provide access to resources that a person needs to do their job and no more - done via IAM
What are the recommended security practices?
- Shared responsibility model
- Security pillar of well-architected framework
- Principle of least privilege
What is IAM?
Identity and Access Management
- Manage access to services and resources on the AWS cloud
- Manage users and groups
- Provide access to users or other AWS services
- Permissions are global
What is a Federated User?
Allow existing identities in your enterprise to access AWS without having to create IAM User for each identity
- EXAMPLES: Think logging into a website with your Google credentials; A business, Microsoft Active Directory users have federated access your AWS cloud instance using Identity Federation.
What are the benefits of IAM?
- Enhanced Security
- Granular Control
- Ability to provide temporary credentials
- Flexible security credential management
- Federated Access
- Seamless integration across various AWS services
What is WAF?
Web Application Firewall
What are the benefits of a WAF?
- Firewall service for web applications
- Protects web apps running on the AWS Cloud from common web exploits, attacks that force your app to consume excessive resources, compromise security or availability
- Improve web traffic visibility
- Cost-effective web app protection
- Security against web attacks
- Easy to deploy and maintain
What is AWS Shield?
- Defends against DDoS attacks
- Provides detection and automatic mitigation
- Minimize application downtime and latency during an attack
What are the AWS Shield Tiers?
Standard:
- Auto enabled
- Free
- Protects web apps against a majority of common DDoS attacks
- Comprehensive availability protection against all known infrastructure attacks when used with CloudFront and Route53.
Advanced
- 24/7 access to AWS DDoS attacks
- Integrates with AWS WAF
- higher level protections, transport layer protections and traffic monitoring
- Financial protection against DDoS - related spikes in charges for EC2, elastic load balancers, CloudFront and Route 53
What is Amazon Inspector?
- Auto security assessment service for apps
- Assess for exposure, vulnerabilities and derivations from best practices
- Detailed reports for vulnerabilities
- Security teams can get reports validating tests were performed
What is AWS Trusted Advisor?
- Guides provisioning of resources to follow AWS best practices
- Scans infrastructure and advises on how it is or is not following AWS best practices
- Five Categories: Cost optimization, performance, security, fault tolerance, service limits
- Action recommendations
What are the 7 core trusted advisor checks?
- S3 bucket permissions
- Sec Groups - Ports unrestricted
- IAM Use
- MFA on root account
- EBS public snapshots
- RDS public snapshots
- Service Limits
List Trusted Advisor checks on ENT plan
- Extended types of checks
- Notifications through weekly updates
- Setup automated actions in response to alerts using CloudWatch
- Programmatic access to scan results via AWS support API.
What is AWS Guard Duty?
- 24/7 threat detection service for the AWS Cloud
- Monitors for malicious activity and unauthorized behavior
- Analyzes events to send actionable alerts via CloudWatch
- Uses machine learning, anomaly detection and integrated threat intelligence to identify threats
- Easy to deploy
