2022-02-21 Chapter 17 - Security

security-001; {{c1::AWS CloudTrail}} increases visibility into your user and resource activity by recording AWS Management Console actions and API calls. It tracks which users and accounts called AWS, the source IP address from which the calls were made, when the calls occurred, request parameters and responses.

security-002; AWS CloudTrail stores logs in {{c1::S3}}.

security-003; A layer {{c1::4}} DDoS attack is often referred to as a SYN flood. A SYN flood uses the built-in patience of the TCP stack to overwhelm a server by sending a large number of SYN packets and then ignoring the SYN-ACKs returned by the server.

security-004; An {{c1::amplification}} or {{c1::reflection}} attack involves an attacker sending a third-party server a request using a spoofed IP address. That server then responds to that spoofed IP address with a greater payload than the initial request.

security-005; A Layer {{c1::7}} attack can involve a web server receiving a flood of HTTP GET/POST requests.

security-006; {{c1::AWS Shield}} offers free DDoS protection for all customers on Elastic Load Balancing (ELB), Amazon CloudFront and Route 53. It protects against SYN/UDP floods, reflection attacks and other Layer 3/4 attacks.

security-007; AWS Shield Advanced offers enhanced DDoS protection against larger and more sophisticated attacks. It includes 24/7 access to the {{c1::AWS DDoS Response Team (DRT)}} to help manage and mitigate application-layer DDoS attacks.

security-008; AWS Shield Advanced costs {{c1::$3,000}} per month but protects your AWS bill against higher costs resulting from a DDoS attack.

security-009; {{c1::AWS Web Application Firewall (WAF)}} is a service that lets you monitor HTTP(S) requests forwarded to CloudFront or an Application Load Balancer. It allows you to configure conditions such as allowed IP addresses or query string parameters.

security-010; AWS WAF works at Layer {{c1::7}}.

security-011; AWS WAF can be configured to follow three different behaviours: 1) {{c1::allow}} all requests except a {{c1::block}}list 2) {{c1::block}} all requests except an {{c1::allow}} list 3) count requests that {{c1::match specified properties}}. Conditions can be defined using IP addresses, countries, request headers, SQL injection signatures, XSS signatures, regex matches.

security-012; {{c1::AWS GuardDuty}} is a threat detection service that uses machine learning to continuously monitor for malicious behaviour such as unusual API calls, attempts to disable CloudTrail logging, compromised instances, recon activities, port scanning or failed logins.

security-013; AWS GuardDuty monitors {{c1::CloudTrail}} logs, {{c1::VPC Flow}} Logs and {{c1::DNS}} logs.

security-014; AWS GuardDuty updates a database of known {{c1::malicious domains}} using external feeds from third parties.

security-015; AWS GuardDuty needs {{c1::7}}-{{c1::14}} days to set a baseline.

security-016; Findings from AWS GuardDuty appear in the GuardDuty dashboard. CloudWatch Events can be used to trigger a {{c1::Lambda function}} to address a threat.

security-017; AWS GuardDuty offers {{c1::30 days}} free then is priced based on volume of logs.

security-018; {{c1::AWS Macie}} uses machine learning and pattern matching to discover personally identifiable information (PII) stored in S3 buckets. It can also alert you about insecurely configured buckets.

security-019; AWS Macie is useful for {{c1::HIPAA}} and {{c1::GDPR}} compliance.

security-020; AWS Macie comes with alerts which can be integrated with {{c1::EventBridge}} or {{c1::Step Functions}} to automate remediation functions.

security-021; {{c1::AWS Inspector}} is an automated security assessment service that helps improve security and compliance of applications deployed on AWS.

security-022; After performing an assessment, Amazon Inspector produces a {{c1::findings report}}.

security-023; Amazon Inspector can perform a {{c1::network assessment}} (VPCs) which does not require an agent and a {{c1::host assessment}} (EC2 instances) which does require an agent.

security-024; {{c1::AWS Key Management Service (KMS)}} is a managed service that makes it easy for you to create and control encryption keys.

security-025; {{c1::Customer master key (CMK)}} is a logical representation of a master key. You create one when you start using KMS. There are three ways to generate a {{c1::CMK}}: 1) AWS can do it for you using key material generated within HSMs managed by AWS KMS 2) You can import key material from your own key management infrastructure 3) You can have the key material generated and used in an AWS CloudHSM cluster.

security-026; AWS KMS can automatically {{c1::rotate customer keys}} every year provided that the original keys were generated in AWS KMS HSMs.

security-027; The primary way to manage access to your AWS KMS CMKs is with {{c1::key policies}}. You can also use IAM policies in combination with the {{c1::key policy}}, and use grants in combination with the {{c1::key policy}}.

security-028; KMS uses {{c1::shared}} tenancy and offers automatic key rotation. CloudHSM uses {{c1::dedicated tenancy}} and does not offer automatic key rotation.

security-029; {{c1::AWS Secrets Manager}} is a service that securely stores, encrypts and rotates your database credentials, API keys and other secrets as key-value pairs.

security-030; If you enable rotation in Secrets Manager, it immediately {{c1::rotates credentials once}} to test the configuration. Be mindful of this when switching it on!

security-031; Secrets Manager does have a small {{c1::associated cost}}.

security-032; {{c1::Parameter Store}} is a capability of AWS Systems Manager that provides functionality similar to Secrets Manager. However, it's free, it limits users to 10,000 parameters and does not offer key rotation.

security-033; All objects in S3 are {{c1::private}} by default. It's possible to temporarily share objects with others using a {{c1::presigned URL}}, which uses the owner's security credentials to provide time-limited access to the object.

security-034; When creating a presigned URL, you must provide security credentials, a bucket name and object key, the HTTP method, expiration date and time. Anyone who receives the presigned URL can then {{c1::access the object}}.

security-035; {{c1::Presigned cookies}} can be used to provide access to multiple restricted files in S3.

security-036; Amazon resource names (ARNs) follow consistent formats. Multiple directly sequential colons imply {{c1::omitted values}}.

security-037; An {{c1::IAM}} p{{c1::olicy}} d{{c1::ocument}} is structured as a list of statements, and each statement corresponds to an AWS API request.

security-038; An effect in an IAM policy document is either {{c1::Allow}} or {{c1::Deny}}.

security-039; {{c1::Permission boundaries}} are used to delegate administration to other users and prevent privilege escalation or unnecessarily broad permissions. They control the maximum permissions an IAM policy can grant.

security-040; If something is not explicitly allowed by an IAM policy, then it is implicitly {{c1::denied}}.

security-041; If something is explicitly denied in an IAM policy, this {{c1::overrides}} other conflicting policies.

security-042; AWS {{c1::joins}} all applicable policies attached to a single object.

security-043; {{c1::AWS Certificate Manager}} allows you to create, manage and deploy public and private SSL certificates. It integrates with other AWS services like ELB, CloudFront and API Gateway. {{c1::AWS Certificate Manager}} provisions certificates for free and handles automatic renewal and deployment of certificates.
