AWS Certified Security Speciality Exam Notes

VPC

NAT

Gateway

Instance

Disable Source/Destination Checking

Security

Security Groups

NACLs

Bottleneck - single EC2 in single AZ

Must be in public subnet

Behind a SG

Scale to 10Gbps

More secure

Rules in increments of 100

Custom NACLs default to deny

Stateless - need to create both inbound and outbound rules

Stateful - only inbound rules needed

Only 1 NACL per subnet association

Flow Logs

Scope

VPC

Subnet

Network Interface

Destinations

Log Group

S3

Does not capture

Amazon DNS

Windows License Activation

Traffic to 169.254.169.254

Traffic to the default router .1

DHCP traffic

Remote Management

Bastions

Session Manager

Session logs -> CloudWatch / S3

No ports to open

Powershell / Bash interactive sessions

Connection Logs -> CloudTrail

Endpoints

Interface

Gateway

DynamoDB

S3

Transit Gateway

Security

KMS

Key Rotation

Key Pairs

KMS with EBS

WAF

Shield

Grants

ViaService

Cross-Account Access

Logging & Monitoring

CloudTrail

CloudWatch

AWS Config

Inspector

Trusted Advisor

Cloud HSM

S3

S3 Bucket Policies

IAM

IAM Policies

S3 ACLs

Conflicting Policies

Forcing Encryption

CloudFront Integration

Cross-region Replication

CloudFront - Custom SSL Certs

S3 Pre-signed URLs

STS

Identity Federation

Cognito

Glacier Vault Lock

AWS Organisations

IAM Credential Report

Assume Role

AssumeRoleWithSAML

AssumeRoleWithWebIdentity

AssumeRole

Ports

1024-65535 - Ephemeral

22 - SSH

3389 - RDP

80 - HTTP

443 - HTTPS

3306 - MySQL

AWS Certificate Manager (ACM) ⭐

AWS Systems Manager ⭐

Parameter Store

Run Command

Session Manager

Types

Private CA

Public Cert

Auto-renews

Can't Export

Works With

Athena ⭐

Macie ⭐

GuardDuty ⭐

Secrets Manager ⭐

Subnet Reserved Addresses

.0 Network Address

.1 VPC Router

.2 DNS

.3 reserved future use

.255 Broadcast (not supported, so reserved)

Passed to CloudFormation/Lambda/etc...

Can store passwords (secrets manager better?)

Value can be encrypted with KMS

Compliance

Artifact

Automate common admin tasks

Needs SSM agent

Works with on-prem & EC2

Use case: update security patches at scale

Interactive query service for data in S3

Use case: analyse CloudTrail Logs

Detects PII in S3 data

Uses machine learning to classify data

Classify data by

Content Type (e.g. JSON)

File ext

Theme (Amex, VISA)

RegEx

Can also analyse CloudTrail logs for suspicious activity

Monitors AWS infra for malicious behaviour

Monitors for

Failed logins

Port scanning

CloudTrail Logs

VPC Flow Logs

DNS Logs

Centralised threat detection

Automated response using CloudWatch Events + Lambda

Needs 7-14 days to baseline

Findings appear in GuardDuty dashboard + CloudWatch events

Security Hub ⭐

Stores (database) credentials, API/SSH keys

Auto rotates credentials (RDS etc...)

Secrets in key-value pair

Integrates with RDS

MySQL

PostgreSQL

Aurora

Supports non-RDS using Lambda functions

When enabled it immediately rotates the creds ⚠

Uses Lambda function to rotate credentials

Secret deletion period 7-30 days

Central hub for security alerts

Automated checks

PCI-DSS

CIS

Ongoing account security audits

Integrations

GuardDuty ❗

Macie ❗

Inspector ❗

IAM Access Analyzer

Firewall Manager

3rd Party Tools

CloudWatch / CloudWatch Events

Requires AWS Config for CIS checks

AD Federation

ADFS

SAML 2.0

AssumeRoleWithSAML

Steps

?

23 - Telnet

5500 - VNC

1433 - MS SQL

1521 - Oracle

5432 - PostgreSQL

~/.ssh/authorized_keys

25 - SMTP

587, 2587 - SMTP (SES)

Captures

Source address

Destination address

Source port

Destination port

Protocol

Number of packets

Encryption Options

SSE-S3

SSE-KMS

SSE-C

ELB

CloudFront

API Gateway

ElasticBeanstalk

Supports

ALB

CloudFront

API Gateway

AppSync

Policy Types

SCPs

Permission Boundaries

Scoped-down policies (i.e. STS)

Resource Policies

Endpoint Policies

Key Policy (KMS)

Protecting data at rest

Permissions

Versioning

Replication

Backup

Encryption

15min - 1 hour

Access Control

IAM

Bucket Policies

ACLs

Key Policy

IAM Policy (external account)

VPC Flow Logs

AWS Security Services Portfolio

Cognito

Detective ⭐

GuardDuty

Inspector

Macie

Artifact

Certificate Manager (ACM)

CloudHSM

Directory Service

Firewall Manager ⭐

IAM

KMS

Resource Access Manager (RAM) ⭐

Secrets Manager

Security Hub

Shield

SSO

WAF

Access Evaluation: IAM -> Bucket -> ACL

Amazon Detective

Collates logs for investigations

Log Sources

VPC Flow Logs

CloudTrail

GuardDuty Findings

Resource Access Manager (RAM) ⭐

Share resources between accounts in Orgs

Share

Transit Gateways

Subnets

License Manager

R53 Resolver Rules

Create resources centrally

Firewall Manager ⭐

Uses Orgs

Roll out to child accounts

WAFs

WAF Rules

Shield

Manage SGs

Deploy Network Firewalls

Deploy R53 DNS Firewall