IAM, s3 (data consistency, standard, object based), Trusted Advisor,…
IAM
Centralized control
ID federation
shared access
granular access
MFA
password rotation
users
Groups
Policies
Roles
assigned to resources
UNIVERSAL
ROOT ACCOUNT
created when the account is set up; complete admin access
set up MFA
USERS
assigned access key id/secret access keys
used to access AWS via API/CLI
only viewed once
s3
data consistency
read after write for PUTS of new objects
eventual consistency for overwrite PUTS and DELETES
GUARANTEES
99.9 AV
durability 99.9(11)
Charged
sharing buckets cross-account
bucket policy/IAM
Programmatic access
ACL/IAM
Individual objects
Programmatic access
cross account IAM roles
programmatic/console access
signed url
issues the request as the IAM user who created it
limited lifetime
storage
requests
data transfer
transfer acceleration
cross region transfers
standard
IA
retrieval fee
1 zone option
99.9
99.5
intelligent tiering
glacier
deep archive
12 hours
CRR
only starts after turning on
does not inherit permissions of original
ENCRYPTION
in transit
rest
ssl/tls
minutes to hours
ML
99.9 av
99.99 AV
99.9(11) DURABILITY
multi devices in multiple facilities
loss of 2 facilities concurrently
object based
0-5tb
universal namespace
HTTP 200 = successful upload
MFA Delete
key
value - data
version id
metadata
subresources
ACL/Torrent
Trusted Advisor
MFA root
open s3 permissions
unrestricted SG
Service to analyze
cost optimization
performance
security
fault tolerance
service limits
cloudwatch to detect changes in security check
lambda to correct
Cloudfront
Origin
CDN - S3/EC2/ELB/R53
DISTRO
name of CDN of Edge Locations
web
rtmp (streaming)
can write to edge locations
objects are cached for ttl
clear cached content, but charged
Signed URL
1 file=1 url
Policy
url expirations
ip range
trusted signers
different origins
KP account wide and managed by root
caching
filter by date/path/ip/exp
signed cookie
multiple files
Policy
url expirations
ip range
trusted signers
storage gateway
file
volume
tape
VTL
iSCSI
stored/cached
async backups
ebs snapshots
nfs/smb
service
replicates data into aws
guard duty
regional service for threat detection
FINDINGS
backdoor
behavior
crypto
pentest
SOURCE
vpc flow logs/independent stream
dns logs
does not work with 3rd party resolvers
cloudtrail events
history of api calls within account
Athena
query service
query s3 data SQL
serverless
pay per query / per TB scanned
query log files in s3
generate business reports
cost
click stream data
Macie
security service using ML/NLP for sensitive data in s3
dashboard/reporting/alerts
analyze cloudtrail logs
pci/dss
IAM ACCESS KEYS
history
iam users/roles
access keys
ACTIONS
Disable or delete
INSPECTOR
assess ec2 network accessibility and security of apps
service linked roles
system/resource config
monitor activity
built in rules and reports
ASSESSMENTS
Network
Host
vulns
network reachability
ports
compromised ssh private keys
use Systems Manager Run Command
remotely and securely manage instance config without opening inbound port in SG rule
console/CLI/Powershell/SDK
doesn't require a key pair to connect
associate an IAM role that gives Systems Manager permission to perform actions.
Abuse
spam
port scan
ddos
intrusion
copyright