AWS Security Specialty
Security basics
CIA
Confidentiality
- IAM
- MFA
- how to keep data confidential
- bucket policies
- network ACLs in VPCs
- etc
Integrity
- no data changes in transit
- File permissions
- Version control, MFA deletes
- encryption
- SSL certificates
Availability
- autoscaling
- multiple AZ
- multiple regions
- DNS failover
Non-repudiation
In digital security, non-repudiation means:
- A service that provides proof of the integrity and origin of data.
- An authentication that can be said to be genuine with high confidence.
Security of AWS
Datacenters
- Fire detection and suppression
- power
- climate and temperature
- management
- storage device decommissioning
- availability
- incident response
- company-wide executive review
- communications
Network security:
- secure network architecture
- secure access points
- transmission protection
- corporate segregation
- fault-tolerant design
- network monitoring and protection
AWS access:
- account review and audit
- background checks
- credentials policy
Web identity federation
Cognito
user pools
The Cognito User Pool stores user profile information and provides sign-up and sign-in capabilities.
A standard set of attributes is available for all users in the pool; these follow the OpenID Connect specification.
You can also optionally create up to 25 custom attributes to match any unique claims requirements your applications may have.
Client secrets are known only to your application and the authorization server. They are used to authenticate server-side applications and are not needed for JavaScript applications. They are also not compatible with the Amplify JS SDK, since it is a client library.
identity pools
A Cognito Identity Pool provides the ability to assume an Identity and Access Management (IAM) role from within the application.
You will need to create a Cognito Identity Pool linked to the Cognito User Pool and the app client ID you just created.
Organizations
SCPs
Strategy
Deny list
Everything is allowed by default; specific actions are denied
FullAWSAccess
attached by default to the root, all organizational units (OUs), and all accounts
- SCPs affect only principals (users and roles) in member accounts
- SCPs don't directly affect resource-based policies
- An account has only those permissions that are permitted by every SCP above it (root, each parent OU, and the account itself)
- Inheritance can't be blocked
- An action that no SCP allows is blocked (implicit deny)
- SCPs do not affect any service-linked role
For example, consider an Amazon S3 bucket that's owned by account A in an organization. The bucket policy (a resource-based policy) grants access to users from accounts outside the organization. Account A has an SCP attached. That SCP doesn't apply to those outside users. It applies only to users that are managed by account A in the organization.
KMS
Grants
Grants can be retired by any of the following principals:
- The AWS account (root user) in which the grant was created
- The retiring principal in the grant, if any
- The grantee principal, if the grant includes the kms:RetireGrant permission
Constraints
EncryptionContextSubset
{"Department":"Finance", "Classification": "Public"}
With this constraint, the grant is usable only when the encryption context in the request includes these key-value pairs (the constraint is a subset of the request's context).
For example, Amazon EBS sends the volume ID as the encryption context when encrypting/decrypting a volume, and when you take a snapshot the snapshot ID is used as the context. If Amazon EBS did not use this encryption context, an EC2 instance would be able to decrypt any EBS volume under that specific CMK.
Alias
A key alias allows you to abstract key users away from the underlying Region-specific key ID and key ARN.
Envelope encryption
AWS KMS generates data keys which are used to encrypt data locally in the AWS service or your application.
The data keys are themselves encrypted under a CMK you define.
Data keys are not retained or managed by AWS KMS.
AWS services encrypt your data and store an encrypted copy of the data key along with the encrypted data.
When a service needs to decrypt your data, it requests AWS KMS to decrypt the data key using your CMK.
If the user requesting data from the AWS service is authorized to decrypt under your CMK, the AWS service will receive the decrypted data key from AWS KMS.
The AWS service then decrypts your data and returns it in plaintext.
While AWS KMS does support sending data up to 4 KB to be encrypted directly, envelope encryption can offer significant performance benefits. When you encrypt data directly with AWS KMS, it must be transferred over the network.
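As an added illustration (not from these notes or from AWS code), the envelope-encryption flow above together with the EncryptionContextSubset grant constraint. A hypothetical ToyKms class stands in for KMS, with a SHA-256 keystream plus HMAC tag replacing AES-GCM so the code runs offline; the EBS volume-ID context shows why a data key wrapped for one volume cannot be unwrapped under another volume's context.

```python
import hashlib, hmac, json, secrets

def xor_stream(key, nonce, data):
    """Toy keystream cipher (SHA-256 in counter mode) standing in for AES-GCM; demo only."""
    out = b""
    for block in range(len(data) // 32 + 1):
        out += hashlib.sha256(key + nonce + block.to_bytes(4, "big")).digest()
    return bytes(a ^ b for a, b in zip(data, out))

def _aad(context):
    # The encryption context is bound to the wrapped key as additional authenticated data
    return json.dumps(context, sort_keys=True).encode()

class ToyKms:
    """Hypothetical stand-in for AWS KMS: the CMK never leaves this object."""
    def __init__(self):
        self._cmk = secrets.token_bytes(32)

    def generate_data_key(self, context):
        # Like GenerateDataKey: returns the plaintext data key and a CMK-wrapped copy
        plaintext, nonce = secrets.token_bytes(32), secrets.token_bytes(12)
        ct = xor_stream(self._cmk, nonce, plaintext)
        tag = hmac.new(self._cmk, _aad(context) + nonce + ct, "sha256").digest()
        return plaintext, tag + nonce + ct

    def decrypt(self, blob, context):
        # Like Decrypt: fails unless the caller supplies the same encryption context
        tag, nonce, ct = blob[:32], blob[32:44], blob[44:]
        expect = hmac.new(self._cmk, _aad(context) + nonce + ct, "sha256").digest()
        if not hmac.compare_digest(tag, expect):
            raise PermissionError("InvalidCiphertextException: encryption context mismatch")
        return xor_stream(self._cmk, nonce, ct)

def envelope_encrypt(kms, plaintext, context):
    data_key, wrapped = kms.generate_data_key(context)
    nonce = secrets.token_bytes(12)
    # Only the wrapped data key is stored beside the ciphertext; the plaintext key is discarded
    return {"wrapped_key": wrapped, "nonce": nonce, "ct": xor_stream(data_key, nonce, plaintext)}

def envelope_decrypt(kms, record, context):
    data_key = kms.decrypt(record["wrapped_key"], context)      # KMS unwraps the data key
    return xor_stream(data_key, record["nonce"], record["ct"])  # data is decrypted locally

def subset_constraint_allows(constraint, context):
    """EncryptionContextSubset grant constraint: every constraint pair must appear in the request."""
    return all(context.get(k) == v for k, v in constraint.items())
```

In production the local cipher is AES-GCM (for example via the AWS Encryption SDK) and the KMS calls are the real GenerateDataKey and Decrypt APIs.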
cross-account access
The key policy defines which accounts are allowed to access the CMK.
S3 Security
reqs
READ/READ_ACP via ACLs, if not owner
S3 bucket policies
user level
alice can put, but not delete
john can read, but not put
S3 ACL
Bucket-level permissions:
- list objects / write objects
- read bucket permissions / write bucket permissions
Principals:
- access for your AWS account
- access for other AWS accounts
- public access
- log delivery group