Shared responsibility model
While AWS manages security of the cloud, security in the cloud is responsibility of the customer. Customers retain control of what security they choose to implement to protect their own content, platform, applications, systems and networks, no differently than they would in an on-site datacenter.
AWS WAF
Web Application Firewall
Is a web application firewall that helps protect your web applications from common web exploits that could affect application availability, compromise security, or consume excessive resources.
Operate at level 7
AWS Shield
Is a managed distributed deniel of service (DDoS) protection service that safeguards web applications running on AWS. AWS Shield provides always-on detection and automatic inline mitigations that minimize application downtime and latency, so there is non need to engage AWS Support to benefit from DDoS protection. There are two tiers of AWS Shield - Standard and Advanced.
Amazon Inspector
Is an automated security assessment service that helps improve the security and compliance of applications deployed on AWS. It automatically assesses applications for vulnerabilities or deviations from best practices.
After performing assessment, it produces a detailed list of security findings priortized by level of severity. These findings can be reviewed directly or as part of detailed assessment reports which are available via Amazon Inspector console or API.
AWS trusted advisor
An online resource to help you reduce cost, increase performance, and improve security by optimizing your AWS env. Trusted Advisor provides real time guidance to help you provision your resources following AWS best practices. Advisor will advise you on Cost Optimization, performance, security, fault tolerance.
- Core checks and recommendations (FREE)
- Full trusted advisor - Business and enterprise companies only
AWS CloudTrail
It increases visibility into your user and resource activity by recording AWS management console actions and API calls. You can identify which users and accounts called AWS, the source IP address from which the calls were made, and when the calls occurred.
Cloudwatch vs AWS Config
- Cloudwatch is used for monitoring performance
- AWS Config is used to monitor configurations of your AWS Resources.
Trusted Advisor key services
- Cost optimizations
- Performance
- Security
- Fault tolerance
- Service limits
AWS Penetration testing
Simulated cyber attack against your computer system to check for exploitable vulnerabilities.
Can be tests on 8 services without prior approval
- EC2 instances, NAT gateways, ELB’s
- RDS
- CloudFront
- Aurora
- API gateway
- Lambda and Lambda edge functions
- Lightsail resources
- Elastic beanstalk environments
AWS KMS
Works at regional basis.
- Secure key management and encryption and decryption.
- Manages customer master keys
- Ideal for S3 objects, database passwords and API keys stored in system manager parameter store.
- Encrypt and decrypt data, up to 4 KB in size.
- Integrated with most AWS services.
- Is on shared hardware.
CloudHSM
- Dedicated hardware security module (HSM)
- More expensive
- Compliant FIPS 140-2 Level 3
- Single tenant, dedicated hardware, multi-AZ cluster
Parameter Store
- Component of Systems Manager (SSM)
- Secure serverless storage for configuration and secrets.
- Values can be stored encrypted (KMS) or plaintext
- Set TTL to expire values such as passwords
- No cost to use, however limit of 10000 parameters per account.
Secrets Manager
- Charge per secret stored and per 10000 API calls
- Automatically rotate secrets
- Apply the new key.password in RDS for you
- Generate random secrets.
Amazon GuardDuty
- Intelligent threat protection for accounts and workloads
- Uses machine learning algorithms
- One click to enable (30 day trial)
- Input data includes
=> Cloudtrail event logs
=> VPC flow logs
=> DNS logs
AWS Control tower
- The easiest way to set up and govern a new, secure, multi account AWS environment
- Allows you to provision multiple AWS accounts in few minutes
- Those accounts will conform to company policies
- Used for large enterprises with multiple AWS accounts
AWS Security hub
- A comprehensive view of your security alerts across multiple AWS accounts
Provides a single place that aggregates, organises, and prioritises your security alerts or findings from multiple AWS services - such as GuardDuty, Inspector, Amazon Macie, IAM access analyzer and AWS Firewall manager - across multiple AWS accounts.
Compromised IAM credentials
- Determine what resources those credentials have access to
- Invalidate the credentials so they can no longer be used to access your account.
- Consider invalidating any temporary security credentials that might have been issued using the credentials.
- Restore appropriate access
- Review access to your AWS account
Athena
Interactive query service which enables you to analyse and query data located in S3 using SQL
- Serverless, nothing to provision, pay per query/ per TB scanned
- No need to setup complex Extract/Transform/Load (ETL) processes.
- Works directly with data stored in S3
- Can be used to query files stored in S3
- Generate business reposts on data stored in S3.
- Analyse AWS cost and usage reports
- Run queries on click-stream data
Macie
security service which uses Machine learning and NLP to discover, classify and protect sensitive data stored in S3
- Uses AI to recognise if your S3 objects contain sensitive data such as PII
- Dashboards, reporting and alerts
- Works directly with data stored in S3
- Can also analyse cloudtrail logs
- Great for PCI-DSS and preventing ID theft
Artifact
Use to retrieve compliance reports
