AWS Module 6 - Coggle Diagram
AWS Module 6
Additional Security services
Encryption: Securing a message or data in a way that only authorized parties can access it
DynamoDB has encryption at rest. It can also be done with KMS.
Encryption in transit: Secure Sockets Layer (SSL) to encrypt data, and certificates to validate and authorize a client.
Amazon Inspector
It helps to improve security and compliance. Automated security assessments of your infrastructure.
Network configuration reachability analysis
Amazon Inspector agent
Can be installed on EC2.
Security assessment service
Amazon GuardDuty
It analyzes continuous streams of metadata generated by your account, sourced from AWS CloudTrail events, Amazon VPC Flow Logs, and DNS logs.
It uses integrated threat intelligence, such as known malicious IP addresses
Anomaly detection
Machine learning to identify threats more accurately
It is a service that provides intelligent threat detection for your AWS infrastructure and resources.
AWS Key Management Service (AWS KMS)
Enables you to perform encryption operations through the use of cryptographic keys.
AWS WAF - Web Application Firewall
Lets you monitor network requests that come into your web applications
It works together with Amazon CloudFront and Application Load Balancer
Block or allow traffic by using a web access control list (web ACL) to protect your AWS resources.
Amazon Macie
It is a data security service that uses machine learning and pattern matching to discover and help protect sensitive data.
Compliance
EU - General Data Protection Regulation (GDPR)
USA - Health Insurance Portability and Accountability Act (HIPAA)
AWS Compliance Programs cover many such frameworks
Data belongs to the customer to manage, and encryption can be used to protect it
AWS offers documentation of compliance
With AWS Artifact you can request proof of security and compliance
AWS Artifact Agreements and AWS Artifact Reports
AWS Compliance: information about compliance and documentation, such as AWS risk and compliance whitepapers.
Compliance
Make sure compliance requirements are met
Data stays in the region you choose; AWS does not share it with other regions
AWS Artifact
AWS security and compliance reports for audits
AWS Compliance
Security documentation
AWS Organizations
Consolidated billing
Bulk discounts
Hierarchical groupings of accounts
Centralized management
Access control for AWS services and API actions through service control policies (SCPs)
Control permissions
Organizational units
Group accounts into organizational units (OUs)
Distributed denial-of-service attacks (DDoS)
A bad actor tries to overwhelm the capacity of your application
Security groups
Control inbound and outbound traffic at the AWS network level
Protect against UDP floods and reflection attacks
Elastic load balancer
Protects against the Slowloris attack
Handles HTTP traffic and waits for the entire message before passing it on for processing
AWS Shield with AWS WAF
WAF web firewall filters requests
machine learning capabilities
AWS Shield protects against DDoS attacks
AWS Shield Standard
No cost; protects against the most common types of DDoS attacks
AWS Shield Advanced
Paid service that provides detailed attack diagnostics
ability to detect and mitigate sophisticated DDoS attacks.
It integrates with other services: Amazon CloudFront, Amazon Route 53, ELB. It can integrate with AWS WAF by writing custom rules to mitigate complex DDoS attacks.
DDoS - Distributed denial-of-service
Shuts down an application or system by overwhelming it with operations
Types of attacks
UDP Flood
Security groups solve this
HTTP Level Attacks
Slowloris attack
Elastic load balancer (ELB) solves this
AWS Shield with AWS WAF
Web firewall
Additional security services
Encryption
Securing a message or data
Encryption at rest
Data is idle
DynamoDB has encryption at rest and integrates with AWS KMS
AWS Key Management Service (KMS)
Encryption in transit
Amazon Redshift
Secure Sockets Layer (SSL) encryption, with certificates to validate the connection
Amazon Inspector
Helps to improve security in AWS
Network
Amazon GuardDuty
Analyzes metadata
AWS Shared Responsibility Model
Customer
Responsible for security IN the cloud
Customer Data
Network traffic protection
Server-side data encryption
Client-side data encryption
Operating system, network and firewall configuration
Platform, applications, identity and access management
AWS
Responsible for security OF the cloud
AWS Foundation Services
Storage
Database
Networking
AWS Global Infrastructure
Compute
Regions
Edge locations
Availability Zones
Example: AWS notifies you about OS patches, but you are responsible for patching the operating systems on your EC2 instances.
User permissions and access
AWS Identity and Access Management (IAM)
Enables you to manage access to AWS services and resources securely
AWS account root user
You begin with it
Best practice: create an IAM user and give it permissions to create other users
Only access the root user for a limited number of tasks,
such as changing your AWS Support plan
IAM users
Represents the person or application that interacts with AWS services and resources.
Best practice: each IAM user should have a unique set of security credentials.
IAM policies
Allows or denies permissions to AWS services and resources
Best practice: Follow the security principle of least privilege when granting permissions.
IAM roles
It is an identity that you can assume to gain temporary access to permissions.
When someone assumes an IAM role, they take on the permissions of the new role and abandon the previous ones.
Best practice: ideal for situations where access is to be granted temporarily
IAM groups
Collection of IAM users. When you assign an IAM policy to a group, all users in the group are granted the permissions specified by the policy.
MFA - Multi-factor authentication