AWS Certified Security Specialty Exam Notes - Coggle Diagram
VPC
NAT
Gateway
Scale to 10Gbps
More secure
Instance
Disable Source/Destination Checking
Bottleneck - single EC2 in single AZ
Must be in public subnet
Behind a SG
Security
Security Groups
Stateful - return traffic is allowed automatically, so usually only inbound rules are needed
NACLs
Rules in increments of 100
Custom NACLs default to deny
Stateless - need to create both inbound and outbound rules
Only 1 NACL per subnet association
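As an added illustration of the stateful vs. stateless point (example code, not part of these notes): a small Python simulation of custom NACL evaluation, lowest rule number first, first match wins, implicit deny otherwise, with the ephemeral range taken from the Ports node. Rule numbers, ports and the forgotten-outbound-rule scenario are constructed.

```python
from dataclasses import dataclass

EPHEMERAL = (1024, 65535)  # ephemeral port range, as listed under Ports


@dataclass(frozen=True)
class Rule:
    number: int    # NACL rules are evaluated lowest number first
    protocol: str  # "tcp", "udp" or "-1" for all protocols
    ports: tuple   # inclusive (low, high) destination port range
    action: str    # "allow" or "deny"


def evaluate(rules, protocol, port):
    """Stateless NACL evaluation: first matching rule wins; the implicit '*' rule denies."""
    for rule in sorted(rules, key=lambda r: r.number):
        if rule.protocol in ("-1", protocol) and rule.ports[0] <= port <= rule.ports[1]:
            return rule.action
    return "deny"  # custom NACL default: nothing matched, so the '*' rule applies


def nacl_flow(inbound, outbound, service_port, client_port):
    """The request is checked against inbound rules by service port; the reply leaves
    the subnet with the client's ephemeral port as destination, so it is checked
    against outbound rules separately (no connection tracking)."""
    return evaluate(inbound, "tcp", service_port), evaluate(outbound, "tcp", client_port)


def security_group_flow(allowed_inbound_ports, service_port):
    """Stateful security group: once the request is allowed, the reply is allowed
    automatically, whatever the outbound rules say."""
    request = "allow" if service_port in allowed_inbound_ports else "deny"
    return request, request


# Constructed scenario: HTTPS allowed in, but the outbound ephemeral rule was forgotten.
INBOUND = [Rule(100, "tcp", (443, 443), "allow")]
OUTBOUND_MISSING = []
OUTBOUND_FIXED = [Rule(100, "tcp", EPHEMERAL, "allow")]

if __name__ == "__main__":
    print(nacl_flow(INBOUND, OUTBOUND_MISSING, 443, 50000))  # ('allow', 'deny')
    print(nacl_flow(INBOUND, OUTBOUND_FIXED, 443, 50000))    # ('allow', 'allow')
    print(security_group_flow({443}, 443))                   # ('allow', 'allow')
```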
Flow Logs
Scope
VPC
Subnet
Network Interface
Destinations
Log Group
S3
Does not capture
Amazon DNS
Windows License Activation
Traffic to 169.254.169.254 (instance metadata)
Traffic to the default router .1
DHCP traffic
Captures
Source address
Destination address
Source port
Destination port
Protocol
Number of packets
Remote Management
Bastions
Session Manager
Session logs -> CloudWatch / S3
No ports to open
PowerShell / Bash interactive sessions
Connection Logs -> CloudTrail
Endpoints
Interface
Gateway
DynamoDB
S3
Transit Gateway
Subnet Reserved Addresses
.0 Network Address
.1 VPC Router
.2 DNS
.3 Reserved for future use
.255 Broadcast not supported, so reserved
Security
KMS
Key Rotation
KMS with EBS
Grants
ViaService
Cross-Account Access
Key Policy
IAM Policy (external account)
Key Pairs
~/.ssh/authorized_keys
WAF
Supports
ALB
CloudFront
API Gateway
AppSync
Shield
Cloud HSM
AWS Certificate Manager (ACM) :star:
Types
Private CA
Public Cert
Auto-renews
Can't Export
Works With
ELB
CloudFront
API Gateway
ElasticBeanstalk
AWS System Manager :star:
Parameter Store
Passed to CloudFormation/Lambda/etc...
Can store passwords (Secrets Manager better?)
Value can be encrypted with KMS
Run Command
Automate common admin tasks
Needs SSM agent
Works with on-prem & EC2
Use case: update security patches at scale
Session Manager
Athena :star:
Interactive query service for data in S3
Use case: analyse CloudTrail Logs
Macie :star:
Detects PII in S3 data
Uses machine learning to classify data
Classify data by
Content Type (e.g. JSON)
File ext
Theme (Amex, VISA)
RegEx
Can also analyse CloudTrail logs for suspicious activity
GuardDuty :star:
Monitors AWS infra for malicious behaviour
Monitors for
Failed logins
Port scanning
CloudTrail Logs
VPC Flow Logs
DNS Logs
Centralised threat detection
Automated response using CloudWatch Events + Lambda
Needs 7-14 days to baseline
Findings appear in GuardDuty dashboard + CloudWatch events
Secrets Manager :star:
Stores (database) credentials, API/SSH keys
Auto rotates credentials (RDS etc...)
Secrets in key-value pair
Integrates with RDS
MySQL
PostgreSQL
Aurora
Supports non-RDS using Lambda functions
When rotation is enabled, it immediately rotates the credentials :warning:
Uses Lambda function to rotate credentials
Secret deletion period 7-30 days
Security Hub :star:
Central hub for security alerts
Automated checks
PCI-DSS
CIS
Ongoing account security audits
Integrations
GuardDuty :!:
Macie :!:
Inspector :!:
IAM Access Analyzer
Firewall Manager
3rd Party Tools
CloudWatch / CloudWatch Events
Requires AWS Config for CIS checks
Amazon Detective :star:
Collates logs for investigations
Log Sources
VPC Flow Logs
CloudTrail
GuardDuty Findings
Resource Access Manager (RAM) :star:
Share resources between accounts in Orgs
Share
Transit Gateways
Subnets
License Manager
R53 Resolver Rules
Create resources centrally
Firewall Manager :star:
Uses Orgs
Roll out to child accounts
WAFs
WAF Rules
Shield
Manage SGs
Deploy Network Firewalls
Deploy R53 DNS Firewall
Logging & Monitoring
CloudTrail
CloudWatch
AWS Config
Inspector
Trusted Advisor
VPC Flow Logs
S3
S3 Bucket Policies
S3 ACLs
Conflicting Policies
Forcing Encryption
CloudFront Integration
Cross-region Replication
CloudFront - Custom SSL Certs
S3 Pre-signed URLs
Glacier Vault Lock
Encryption Options
SSE-S3
SSE-KMS
SSE-C
Protecting data at rest
Permissions
Versioning
Replication
Backup
Encryption
Access Control
IAM
Bucket Policies
ACLs
Access Evaluation: IAM -> Bucket -> ACL
IAM
IAM Policies
STS
Identity Federation
Assume Role
AssumeRoleWithSAML
AssumeRoleWithWebIdentity
AssumeRole
15 min - 1 hour
Cognito
AWS Organizations
IAM Credential Report
AD Federation
ADFS
SAML 2.0
AssumeRoleWithSAML
Steps
?
Policy Types
SCPs
Permissions Boundaries
Scoped-down policies (i.e. STS)
Resource Policies
Endpoint Policies
Key Policy (KMS)
Ports
1024-65535 - Ephemeral
22 - SSH
3389 - RDP
80 - HTTP
443 - HTTPS
3306 - MySQL
23 - Telnet
5500 - VNC
1433 - MS SQL
1521 - Oracle
5432 - PostgreSQL
25 - SMTP
587, 2587 - SMTP (SES)
Compliance
Artifact
AWS Security Services Portfolio
Cognito
Detective :star:
GuardDuty
Inspector
Macie
Artifact
Certificate Manager (ACM)
CloudHSM
Directory Service
Firewall Manager :star:
IAM
KMS
Resource Access Manager (RAM) :star:
Secrets Manager
Security Hub
Shield
SSO
WAF