Helpful if you want to make a one-to-one relationship between a policy and the principal entity

Can be used only for one principal entity

Power users can do everything what Admins except managing IAM users and groups

can be broken to user level, e.g. Alice can PUT but not DELETE objects

Simple way to grant cross-account to S3 service without using IAM
roles

Example: You have lots of employees in various groups and subgroups and you have one bucket to which only 2 accounts should have access. It's much easier to do it via Bucket Policy rather than denying access in all IAM policies

Limits for IAM: 2 kb for users, 5 kb for groups, 10 kb for roles. S3 bucket policies have limits up to 20 kb.

If you use the policy generator you have to add /* at the end of bucket's ARN - without it you can still do actions on any object (only actions against bucket will be denied, e.g. list all objects)!!! On the other hand if you put /* then everyone else can list its content.

ACLs are as old as the S3 and the predate the IAM.

BUT they can be useful for setting up access control mechanism for individual object

Bucket policies are limited to 20 kb in size so ACLs can become useful if your bucket policy grows too large

The account number can be taken from: click your user name -> My Security Credentials -> Account Identifiers

The command aws s3api list-buckets will give you the canonical user ID for your IAM

Policies are CASE SENSITIVE!!! e.g. you'll get an error while trying to assign "DENY" rule. But "Deny" will be accepted

Those which are created and administered by AWS

Explicit DENY always override ALLOW. So if you explicitly DENY access in bucket policy and allow access in IAM then a DENY rule will be applicable

By default a least privilege rule is being followed and by default decision is made always to DENY, e.g. if no there's no ALLOW rule then it will be DENY.

{"Version": "2012-10-17",
"Statement": [
{
"Sid": "PublicReadGetObject",
"Effect": "Allow",
"Principal": {
"AWS": ""
},
"Action": "s3:GetObject",
"Resource": "arn:aws:s3:::yourbucketnamehere/"
},
{
"Sid": "PublicReadGetObject",
"Effect": "Deny",
"Principal": {
"AWS": ""
},
"Action": "s3:GetObject",
"Resource": "arn:aws:s3:::yourbucketnamehere/",
"Condition":{
"Bool":
{ "aws:SecureTransport": false }
}
}
]
}

By default it's made via SSL, so no need for specifying additional policies to turn it on (no need to use aws:SecureTransport condition).

The objects can be replicated only once. So after replicating you cannot replicate it again

Source and destination buckets must have versioning enabled

Source and destination have to be in different regions

If the source bucket owner also owns the object, the bucket owner has full permissions to replicate the object. If not, the object owner must grant the bucket owner the READ and READ ACP permissions via the object ACL

The best practice is to replicate CloudTrail logs to the bucket owned by totally different account

Objects created with server-side encryption using customer provided (SSE-C) encryption keys

Objects created with server-side encryption using AWS KMS managed (SSE-KMS) encryption keys - UNLESS YOU EXPLICITLY ENABLE THIS OPTION

Objects to which the bucket owner doesn't have permissions (e.g. when the object owner is different from bucket owner)

If you specify Filter element in a replication configuration rule, S3 does not replicate the delete marker.
More: https://docs.aws.amazon.com/AmazonS3/latest/dev/crr-what-is-isnot-replicated.html

If don't specify the Filter element, Amazon S3 assumes replication configuration is a prior version V1. In the earlier version, Amazon S3 handled replication of delete markers differently.

If you specify an object version ID to delete in a DELETE request, Amazon S3 deletes that object version in the source bucket, but it doesn't replicate the deletion in the destination bucket. In other words, it doesn't delete the same object version from the destination bucket. This protects data from malicious deletions.

You need a separate certificate for your ELB and separate certificate for CloudFront distribution

you can grant read permissions when configuring CloudFront distribution or you can do it by yourself (by updating the Origin Access Identity permissions)

It takes a lot of time distribute this change *from several hours to 24 hours even)

they can be change without any notification or can give unnecessary permissions, e.g. AmazonEC2RoleforSSM allows also for reading and writing to S3 (details: https://cloudonaut.io/aws-ssm-is-a-trojan-horse-fix-it-now/)

If you give public access via ACL to an object (so it can be accessible anonymously), the Deny permission in Bucket Policy won't work (it's applicable only to authenticated users)

Here's how policies work together

They can be generated also via CLI, e.g.
$ aws s3 presign s3://rzepsky/hello.txt --expires-in 300

Cross-access users (from different AWS account)

Federation with Mobile Apps (e.g. Facebook, Google, OpenID providers)

Allows you to log in using your FB, Google Amazon Creds

Cognito maps token from Web ID provider (e.g. FB) to IAM roles to access AWS resources

Behaves as Identity Broker between your app and Web ID providers

User pools - user directories; users can login directly to user pools or indirectly via ID providers (e.g. FB)

Identity pools - create unique identities, can give temporary credentials to AWS resources

OAuth scope - options to verify identity, e.g. phone mail.

Authorization code grant - Cognito will give you authorization code back to process it further on the backend side

How does it work-diagram

after you accept they become immutable. In other words once it is accepted and applied it cannot be changed or removed!

for example RDP/SSH sessions are NOT logged

Logs are delivered every 5 active minutes (with up to 15 minutes delay)

Every hour log files are delivered with 'digest' file to validate the log's integrity

It uses SHA-256 hashing and SHA-256 with RSA for digital signing

Allows for specifying permission boundary even for root account

you can use SSE-S3 or SSE-KMS for encrypting logs

Prevent logs from being deleted by configuring S3 MFA Delete

you can move/delete logs after every X days by using S3 Lifecyclemanagement

pushed from your systems/apps as well as other AWS services

Certificates for CloudFront have to be stored in US East (N. Virginia) region or in IAM (certs can be imported to IAM only via CLI)

to enable it in all region you have to do it manually

configuration of Config that records and stores Config Items

Collection of Config Items for a resource over time

requires IAM role (with Read only permissions to the all resources, Write access to S3 logging bucket, Publish access to SNS)

you can for example generate here your keys to EC2

you control keys (Amazon doesn't have access to your keys)

require a role with ec2:DescribeInstances permission

Rules can be evaluated periodically or when configuration change happened

will advice you on Cost Optimization, Performance, Security, Fault Tolerance

For more than basic checks you have to upgrade your support plan to Business or Enterprise

AWS Managed Keys cannot be rotated manually!

once you removed public key in the console, you still can log in to the instance using this key (in metadata the key is still accessible)

to encrypt it : detach volume, create snapshot, copy AMI and enable encryption

you can have multiple keys attached to the instance (e.g. for different users and each has different keys)

you cannot use KMS with SSH for EC2. But you can with CloudHSM

you should use Key Policies for static permissions and for explicit deny

a generated Grant Token can be passed to KMS API

if you want to encrypt objects in the bucket, the key has to be in the same region as the bucket

<Error>
<Code>InvalidArgument</Code>
<Message>
Requests specifying Server Side Encryption with AWS KMS managed keys require AWS Signature Version 4.
</Message>
<ArgumentName>Authorization</ArgumentName>
<ArgumentValue>null</ArgumentValue>
<RequestId>7E8FBBAA6A8A9A6C</RequestId>
<HostId>
I8n34c6XU03lbq1VFs6dWF3JYV5NPTxxnZzzwV+zHOf+yCPcoR0UbONCBNqLrfekvYPkgoxNotM=
</HostId>
</Error>

BUT if you use SSE-S3 (Amazon stores keys, not you) then when the object is public, then anonymously you can display it

1 key per CMK (you cannot use someone else's key if it's in use)

create new CMK with no key material -> import new encrypted key material into that CMK -> change CMK identifier in your app to the key ID for the new CMK

if you imported your own key you don't have to wait 7-30 days for deletion, but you can delete it by clicking button

administrators can create, delete and decrypt keys

administrator cannot use key. You have to explicitly point the same user as a key user (no tonly administrtaor)

to specify a condition, e.g. policy condition to disable access after a date

for example kms:ViaService limits use of CMK requested from particular service, e.g. only allows requests which come from particular Lambda

to configure access for external account you have to enable it in Key Policy in owner account, as well as you have to specify the access in IAM policy for the external account

if enabled then it's rotated once a year automatically through opt-in or on-demand manually

https://aws-certified-security-images.s3.eu-central-1.amazonaws.com/cognito_diagram.png

separate keys per business unit and data classification

key-value pair logged in clear text within CloudTrail passed during encryption and then during decryption to ensure the integrity

AWS DDoS protection whitepaper: https://d1.awsstatic.com/whitepapers/Security/DDoS_White_Paper.pdf

re:Invent Video: DDOS Best Practices:

minimize the attack surface (e.g. by using Bastion Host with whitelisted IPs, the attack surface is limited to exposed, few hardened entry points)

Safeguard Exposed Resources (e.g. by using geolimitatio, CloudFront, Route53, WAFs)

in Route53 using alias Record Sets you can redirect traffic to CloudFront distribution, Private DNS

only few regions allow for integrating WAF with ALB

Amazon may share this hardware with other instances from the same AWS account (if those instances are not dedicated instances)

some 3rd party software say you have to run their software on dedicated host

allows you for automatic certificate renewal unless it wasn't imported or associated with Route53 private hosted zone

to have Perfect Forward Secrecy use ECDHE-... ciphers

It is recommended to use ELBSecurityPolicy-2016-08 security policy (https://docs.aws.amazon.com/elasticloadbalancing/latest/application/create-https-listener.html)

Network LB should be used if you need ultra high performance or you need to terminate TLS/SSL on the EC2 instance. Usually you should use ALB

At least 2 subnets have to be specified for ALB provisioning (1 subnet = 1 availability zone)

in Elastic Load Balancer you can terminate TLS/SSL connection either on the LB or on your EC2 instances

ALB supports ONLY TLS/SSL termination on the LB and only supports HTTP/S

by default the steady-state limit is 10 000 rps (requests per second)

Burst limit is up to 5 000 requests across all APIs

you can (NOT enabled by default) enable caching (default for 5 minutes, can be raised up to 1 hour)

allows you to execute any command on the EC2 instance without SSH

you can use this service with EC2, CloudFormation, Lambda etc.

common use case: automating common admin tasks on thousands of instances (e.g. based on tags)

you can store them as plain text or you can encrypt them using KMS

FIPS 140-2 is a US government computer security standard used to approve cryptographic modules. level 4 is the highest, AWS HSM reaches just level 3

hypervisor automatically scrubs (sets to 0) unallocated EBS memory (no risk of accessing someone else data)

in PV, CPU supports 4 privilege modes: Ring 0 is used by host OS and guest OS uses only Ring 1-3

but custom NACL by default denies all inbound and outbound traffic

NACL can have multiple subnets but a subnet can have just 1 NACL (old one is replaced by the newest one)

ensure to ALLOW ephemeral ports (1024-65535) in outbound traffic

SG sits only in 1 VPC (you cannot assign SG between different VPCs)

there's no transitive peering (if VPC A can communicate with B and B can communicate with C, then A cannot communicate with C unless you explicitly configure it)

creating a new VPC means creating new default route table, security group and NACL

Interface endpoint = Elastic Network Interface (ENI)

VPC endpoint is internal gateway for accessing other AWS services from private subnets

when VPC endpoint is used the source IP address uses private address, not public

in CloudWatch you have to specify a dedicated Log Group

not all traffic is recorded, e.g. DHCP, Windows license activation, DNS, metadata traffic

you cannot enable Flow Logs for VPCs that are peered outside your account

you cannot change a configuration after creating a Flow log

interactive service to query data in S3 using standard SQL

you have to create a database and a table and then propagate there data to be able to run queries against the data

needs 7-14 days to set a baseline (learn from normal behaviour)

charge based on amount of CloudTrail Events and volume of DNS and VPC Flow Logs

NAT instances can be found in AWS Marketplace

you must disable source/destination checks (enabled by default for all EC2 instances) for NAT Inastances

you have to increase instance size in case of bottlenecking

no need to patch NAT Gateways = more secure than NAT Insatances

NAT Gateways are not associated with SG, they have automatically assigned public IP

NAT Gateways should be enabled in every availability zone

no need to disable source/destination checks like in NAT Instances

similar to Parameter Store, but SM has built-in integration with RDS, Aurora, MySQL and PostgreSQL

once rotation is enabled, then SM immediately rotates the secret to test configuration

don't enable it if your apps use embedded credentials

CloudWatch Logs require an agent installed and running on EC2 instance and EC2 instance need to have a role with permissions to send logs to CloudWatch

you have to configure Relying Party Trust with AWS as the Trusted Relying Party

gives temporary creds to AWS Console (STS API AssumeRoleWithSAML)

how does it work: https://aws-certified-security-images.s3.eu-central-1.amazonaws.com/ADFS.png

Function Policy - defines which AWS resources are allowed to invoke your function

Execution Role - defines to which actions and resources Lambda should have access

Basic Log permissions are given by default to Lambda (but only basic; the detailed logging with data events has to be enabled explicitly)

S3 and Lambda Data Events are NOT enabled by default in CloudTrail - you have to enable logging them explicitly and additional charge is taken (0,1$ per 100 000 events)

AWS doesn't provide a solution for Deep Packet Inspection. You can use 3rd party solutions like Alert Logic, Trend Micro, McAfee

Simple Email Service - by default EC2 throttles traffic over port 25. Better to use port 587 or 2587

use Permission Boundaries (condition PermissionsBoundary, pointing to policy with for example region restrictions; then a user can create a role but only with attached policy with region restriction)

You can also give each role a project Tag and create a general policy to allow operations only with your project Tag by specifying the condition $[aws:PrincipalTag/project]

If you select the Enable Private DNS Name option, the standard AWS KMS DNS hostname
(https://kms.<region>.amazonaws.com) resolves to your VPC endpoint. Thanks to this the communication between VPC and KMS will not go through the public service endpoints.

When Cognito receives a SAML assertion it needs to be able to map SAML attributes to user pool attributes. When configuring Cognito to receive SAML assertions from an identity provider you need ensure that the IDP is configured to have Cognito as a relying party. API Gateway will need to be able to understand the authorization being passed from Cognito, so you should update API Gateway to use an Amazon Cognito User Pools authorizer.

Basic Lambda permissions required to log to CloudWatch Logs include: CreateLogGroup,
CreateLogStream, and PutLogEvents.

if you want to change it, call the abort-vault-lock operation, fix the typo, and call the initiate-vault-lock again.

Official from Amazon: https://d1.awsstatic.com/training-and-certification/docs/AWS_Certified_Security_Specialty_Sample_Questions.pdf

https://www.whizlabs.com/aws-certified-security-specialty/

KMS uses CMK Key ID to generate unique data encryption key, which client uses to encrypt the object data

"kms:Encrypt", "kms:Decrypt", "kms:ReEncrypt", "kms:GenerateDataKey", "kms:DescribeKey"

each CMK key can have multiple ALIAS's point to it

the ALIAS key must be unique in the AWS account and region

If you're using the domain name that CloudFront assigned to your distribution, such as abc.cloudfront.net, you change the Viewer Protocol Policy for one or more cache behaviours to require HTTPS communication. In that configuration CloudFront provides SSL/TLS certificate.

If you're using your own domain name, such as example.com you need to change several CloudFront settings. You also need to use an SSL/TLS certificate provided by AWS Certificate Manager (ACM), import a certificate from a third-party certificate authority into ACM or the IAM certificate store, or create and import a self-signed certificate.

When you enable logging for a distribution, you specify the Amazon S3 bucket that you want CloudFront to store log files in. If you're using Amazon S3 as your origin, we recommend that you do not use the same bucket for your log files; using a separate bucket simplifies maintenace.

you want to provide access to multiple restricted files

If you are subject to regulatory compliance like PCI or HIPAA you might be able to use AWS Marketplace rule groups to satisfy web application firewall requirements

When kms:GrantIsForAWSResource is true, only integrated AWS services can create grants

The AWS 'CLI aws kms encrypt' is suitable for encrypting a file which is less than 4 kb

Users can reimport the key material however the key material must be the same.

What contains the IAM credential report: https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_getting-report.html

By default CloudTrail event log files are encrypted using Amazon S3 server-side encryption (SSE)

Use the System Manager Patch Manager to generate the report and also install the missing patches

After account B has uploaded objects to the bucket in account A, the objects are still owned by account B and account A doesn;t have access to it. In order to fix this the option of --acl "bucket-owner-full-control" should be added when the object is uploaded via aws s3api put-object.

Service Control Policies (SCPs) are guardrails to disable service access. They DO NOT grant access

In order to use your own DNS server you need to ensure that you create a new custom DHCP options set with the IP of the custom DNS server. You cannot modify the existing set so you have to create a new one.

Data key caching stores data keys and related cryptographic material in cache. When you encrypt or decrypt data the AWS Encryption SDK looks for a matching data key in the cache. Data key caching can improve performance, reduce costs, and help you stay within service limits as your application scales.

CMK keys can be used for encrypting data in maximum 4KB in size.

Amazon Redshift uses 4-tier key-based architecture for encryption: master keys encrypts cluster key, cluster key encrypts the database key, the database key encrypts the data encryption key.

API Gateway Lambda authorizer (formerly custom authorizer) is a Lambda function that you provide to control access to your API methods.

WAF Sandwich = EC2 instance running your WAF is included in Auto Scaling group and placed in between 2 ELBs