Security and Compliance Flashcards
Amazon Inspector
- Automated Security Assessments
- For EC2 instances
- Leveraging the AWS System Manager (SSM) agent
- Analyze against unintended network accessibility
- Analyze the running OS against known vulnerabilities
- For Container Images push to Amazon ECR
- Assessment of Container Images as they are pushed
- For Lambda Functions
- Identifies software vulnerabilities in function code and package
dependencies - Assessment of functions as they are deployed
- Reporting & integration with AWS Security Hub
- Send findings to Amazon Event Bridge
AWS Shield
DDOS Protection on AWS
- AWS Shield Standard: protects against DDOS attack for your website
and applications, for all customers at no additional costs - AWS Shield Advanced: 24/7 premium DDoS protection
- AWS WAF: Filter specific requests based on rules
- CloudFront and Route 53:
- Availability protection using global edge network
- Combined with AWS Shield, provides attack mitigation at the edge
- Be ready to scale – leverage AWS Auto Scaling
AWS WAF
Web Application Firewall
- Protects your web applications from common web exploits (Layer 7)
- Layer 7 is HTTP (vs Layer 4 is TCP)
- Deploy on Application Load Balancer, API Gateway, CloudFront
- Define Web ACL (Web Access Control List):
- Rules can include IP addresses, HTTP headers, HTTP body, or URI strings
- Protects from common attack - SQL injection and Cross-Site Scripting (XSS)
- Size constraints, geo-match (block countries)
- Rate-based rules (to count occurrences of events) – for DDoS protection
AWS Network Firewall
Protect your entire Amazon VPC
* From Layer 3 to Layer 7
protection
* Any direction, you can inspect
* VPC to VPC traffic
* Outbound to internet
* Inbound from internet
* To / from Direct Connect & Siteto-Site VPN
AWS Firewall Manager
Manage security rules in all accounts of an AWS Organization
* Security policy: common set of security rules
* VPC Security Groups for EC2, Application Load Balancer, etc…
* WAF rules
* AWS Shield Advanced
* AWS Network Firewall
* Rules are applied to new resources as they are created (good for
compliance) across all and future accounts in your Organization
AWS KMS
Key Management Service
- Anytime you hear “encryption” for an AWS service, it’s most likely KMS
- KMS = AWS manages the encryption keys for us
- Encryption Opt-in:
- EBS volumes: encrypt volumes
- S3 buckets: Server-side encryption of objects
- Redshift database: encryption of data
- RDS database: encryption of data
- EFS drives: encryption of data
- Encryption Automatically enabled:
- CloudTrail Logs
- S3 Glacier
- Storage Gateway
CloudHSM
- KMS => AWS manages the software
for encryption - CloudHSM => AWS provisions
encryption hardware - Dedicated Hardware (HSM =
Hardware Security Module) - You manage your own encryption
keys entirely (not AWS) - HSM device is tamper resistant, FIPS
140
-2 Level 3 compliance
Types of KMS Keys
Customer Managed Key:
* Create, manage and used by the customer, can enable or disable
* Possibility of rotation policy (new key generated every year, old key preserved)
* Possibility to bring-your-own-key
- AWS Managed Key:
- Created, managed and used on the customer’s behalf by AWS
- Used by AWS services (aws/s3, aws/ebs, aws/redshift)
- AWS Owned Key:
- Collection of CMKs that an AWS service owns and manages to use in multiple accounts
- AWS can use those to protect resources in your account (but you can’t view the keys)
- CloudHSM Keys (custom keystore):
- Keys generated from your own CloudHSM hardware device
- Cryptographic operations are performed within the CloudHSM cluster
ACM
AWS Certificate Manager
Let’s you easily provision, manage, and deploy
SSL/TLS Certificates
* Used to provide in-flight encryption for websites (HTTPS)
* Supports both public and private TLS
certificates
* Free of charge for public TLS certificates
* Automatic TLS certificate renewal
* Integrations with (load TLS certificates on)
* Elastic Load Balancers
* CloudFront Distributions
* APIs on API Gateway
AWS Secrets Manager
Newer service, meant for storing secrets
* Capability to force rotation of secrets every X days
* Automate generation of secrets on rotation (uses Lambda)
* Integration with Amazon RDS (MySQL, PostgreSQL, Aurora)
* Secrets are encrypted using KMS
* Mostly meant for RDS integration
AWS Artifact
(not really a service)
Portal that provides customers with on-demand access to AWS
compliance documentation and AWS agreements
* Artifact Reports - Allows you to download AWS security and compliance
documents from third-party auditors, like AWS ISO certifications, Payment
Card Industry (PCI), and System and Organization Control (SOC) reports
* Artifact Agreements - Allows you to review, accept, and track the status of
AWS agreements such as the Business Associate Addendum (BAA) or the
Health Insurance Portability and Accountability Act (HIPAA) for an individual
account or in your organization
* Can be used to support internal audit or compliance
Amazon GuardDuty
Intelligent Threat discovery to protect your AWS Account
* Uses Machine Learning algorithms, anomaly detection, 3rd party data
* One click to enable (30 days trial), no need to install software
* Input data includes:
* CloudTrail Events Logs – unusual API calls, unauthorized deployments
* CloudTrail Management Events – create VPC subnet, create trail, …
* CloudTrail S3 Data Events – get object, list objects, delete object, …
* VPC Flow Logs – unusual internal traffic, unusual IP address
* DNS Logs – compromised EC2 instances sending encoded data within DNS queries
* Optional Features – EKS Audit Logs, RDS & Aurora, EBS, Lambda, S3 Data Events…
* Can setup EventBridge rules to be notified in case of findings
* EventBridge rules can target AWS Lambda or SNS
* Can protect against CryptoCurrency attacks (has a dedicated “finding” for it
AWS Config
- Helps with auditing and recording compliance of your AWS resources
- Helps record configurations and changes over time
- Possibility of storing the configuration data into S3 (analyzed by Athena)
- Questions that can be solved by AWS Config:
- Is there unrestricted SSH access to my security groups?
- Do my buckets have any public access?
- How has my ALB configuration changed over time?
- You can receive alerts (SNS notifications) for any changes
- AWS Config is a per-region service
- Can be aggregated across regions and accounts
AWS Macie
- Amazon Macie is a fully managed data security and data privacy service
that uses machine learning and pattern matching to discover and protect your sensitive data in AWS. - Macie helps identify and alert you to sensitive data, such as personally identifiable information (PII)
AWS Security Hub
- Central security tool to manage security across several AWS accounts and automate
security checks - Integrated dashboards showing current security and compliance status to quickly take
actions - Automatically aggregates alerts in predefined or personal findings formats from various
AWS services & AWS partner tools: - Config
- GuardDuty
- Inspector
- Macie
- IAM Access Analyzer
- AWS Systems Manager
- AWS Firewall Manager
- AWS Health
- AWS Partner Network Solutions
- Must first enable the AWS Config Service
