Security & Encryption - Coggle Diagram
AWS KMS
KMS Key Policies
Control access to KMS keys, “similar” to S3 bucket policies
Custom KMS Key Policy
Define users, roles that can access the KMS key
Key Rotation
Automatic key rotation: 1 Year
Manual key rotation: 90, 180 days
SSM Parameter Store
A way to centralize your parameters within your AWS accounts.
AWS Secrets Manager
Newer service, meant for storing secrets
Integration with Amazon RDS (MySQL, PostgreSQL, Aurora) and Redshift
Helps you protect the secrets needed to access your applications, services, and IT resources.
AWS Shield
Standard
Protection from attacks such as SYN/UDP floods, reflection attacks and other layer 3/4 attacks
Advanced
If your organization has multiple AWS accounts, you can use Consolidated Billing to save costs
CloudHSM
CloudHSM is an encryption service, not a secrets store.
GuardDuty
• CloudTrail Logs: unusual API calls, unauthorized deployments
• VPC Flow Logs: unusual internal traffic, unusual IP addresses
Continuously monitor and protect your AWS accounts, workloads, and data stored in Amazon S3.
Uses machine learning algorithms and anomaly detection
Amazon Inspector
EC2
Only for EC2, not for AMIs, RDS, etc.
Macie
Amazon Macie is a fully managed data security and data privacy service that uses machine learning and pattern matching to discover and protect your sensitive data on Amazon S3.
Security Groups
By default, security groups allow all outbound traffic and deny all inbound traffic
Rules reference IP addresses in CIDR block notation or another security group
If your application is not accessible (the connection times out), it's a security group issue