Security - Domain 2 - Coggle Diagram
Security - Domain 2
Security
Design as security
Think about security during the whole build and deployment: integrate security reviews, penetration testing, code analysis, verification, and automatic remediation of security risks, and keep measuring, monitoring, and improving through lessons learned.
Security of your app
Dive deeper into managing identities for your applications across Regions, edge locations, Availability Zones, and Local Zones.
Ensure secure access to your AWS resources; determine the appropriate policies.
Understand how IAM provides controls for authentication and authorization.
4 resources in ECS. Do you use an IAM group, IAM roles, or service-linked roles?
Implement RBAC and ABAC models, implement AWS Directory Service and federation for users, and manage permissions.
Implement Encryption by using AWS Services
S3 encryption
Make sure to use SSE-S3; it gives encryption at rest and in transit.
Encryption is applied at the object level, not at the bucket level.
Two methods: client-side encryption and server-side encryption. Both use encryption in transit.
Dive deeper into customer-provided keys (SSE-C), server-side encryption with Amazon S3 managed keys (SSE-S3), and KMS keys (SSE-KMS). Use a bucket policy and add a condition so that only uploads that include the x-amz-server-side-encryption header are accepted.
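The bucket-policy condition on the x-amz-server-side-encryption header, as an added example that is not part of the original mind map: the policy document with two Deny statements, plus a small evaluator that shows which PutObject requests they reject. The bucket name "example-bucket" is a placeholder.

```python
# Added example, not from the original mind map: bucket policy that refuses
# PutObject requests lacking the x-amz-server-side-encryption header, plus a
# small evaluator showing which uploads the two Deny statements catch.
import json

BUCKET = "example-bucket"  # placeholder name, not a real bucket
ALLOWED_SSE = ["AES256", "aws:kms"]  # SSE-S3 and SSE-KMS header values


def require_sse_policy(bucket: str) -> dict:
    """Two Deny statements: header missing, or header value not SSE-S3/SSE-KMS."""
    arn = f"arn:aws:s3:::{bucket}/*"
    sse_key = "s3:x-amz-server-side-encryption"  # condition key for the header
    deny = {"Effect": "Deny", "Principal": "*", "Action": "s3:PutObject", "Resource": arn}
    return {
        "Version": "2012-10-17",
        "Statement": [
            {"Sid": "DenyUnencryptedPut", **deny, "Condition": {"Null": {sse_key: "true"}}},
            {"Sid": "DenyWrongSseAlgorithm", **deny,
             "Condition": {"StringNotEquals": {sse_key: ALLOWED_SSE}}},
        ],
    }


def put_object_allowed(policy: dict, headers: dict) -> bool:
    """Mini evaluator for the conditions above (not the full IAM engine).
    Any matching Deny wins. Like IAM, a negated operator such as StringNotEquals
    matches when the key is absent, and Null:true matches when it is absent."""
    sse = headers.get("x-amz-server-side-encryption")
    for stmt in policy["Statement"]:
        if stmt["Effect"] != "Deny" or stmt["Action"] != "s3:PutObject":
            continue
        for operator, keys in stmt["Condition"].items():
            want = keys["s3:x-amz-server-side-encryption"]
            if operator == "Null" and (sse is None) == (want == "true"):
                return False  # DenyUnencryptedPut matched
            if operator == "StringNotEquals" and sse not in want:
                return False  # DenyWrongSseAlgorithm matched (absent or wrong value)
    return True  # no Deny matched; an Allow elsewhere would decide


if __name__ == "__main__":
    policy = require_sse_policy(BUCKET)
    print(json.dumps(policy, indent=2))
    for hdrs in ({}, {"x-amz-server-side-encryption": "aes256"},
                 {"x-amz-server-side-encryption": "aws:kms"}):
        print(hdrs, "->", "allowed" if put_object_allowed(policy, hdrs) else "denied")
```

Note that the header value is case-sensitive, so a request sending "aes256" is denied just like one sending no header at all.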
Encrypt EBS volumes using a KMS key.
Encrypt RDS database instances
Can you enable encryption after the instance is created?
Can you disable encryption after it is enabled?
Can you create an encrypted snapshot of an unencrypted database instance?
Which KMS key do you use to encrypt read replicas that are in the same Region as your database instance?
How do you copy an encrypted snapshot from one AWS Region to another?
Use KMS for encryption
KMS keys can be created or imported, but cannot be exported.
KMS can generate larger keys with CMKs.
CloudHSM supports symmetric and asymmetric encryption.
AWS Systems Manager Parameter Store: versions for tracking configs and secrets.
AWS Secrets Manager is designed to store secrets and can generate secrets in an automated way.
AWS Certificate Manager (ACM): secure credentials using certificates. Enterprise customers.
AWS Private CA: builds a public key infrastructure (PKI) inside the AWS Cloud, intended for private use within an organization.
A key pair, consisting of a public key and a private key, is another set of security credentials that you use to prove your identity when connecting to an EC2 instance.
Manage sensitive data in application code
General data security patterns with clear mapping to security controls
How to classify data
How your data is stored
Who has access to your data
How to apply the two categories of security controls
Think about security from a data perspective
Data classification
Preventive
IAM
Infrastructure security
Data protection
Detective
Respond
Configuration drift
Consider using Secrets Manager and KMS for encryption.
Amazon SageMaker to classify data
Passing sensitive data
Pass sensitive information in environment variables.
In CloudFormation you can retrieve secrets.
AWS Lambda: AWS Parameters or AWS Lambda secrets.
Interface VPC endpoint to privately access Secrets Manager.
Configure Parameter Store with Secrets Manager.
Dive deeper into AWS security services.
IAM, AWS Organizations, AWS Glue, Amazon Neptune, CloudTrail, Systems Manager, Amazon GuardDuty, AWS Config, AWS WAF.