AWS Security


Steps to create a public subnet with internet access

* Attach an IGW to your VPC.

VPC Components

* Subnets

Steps for using a NAT Gateway

*. Configure a route table associated with the private subnet to direct internet-bound traffic to the NAT gateway.

What is an IAM Managed Policy?

- A Managed Policy is a standalone IAM policy that can be attached to multiple users, groups, or roles. AWS managed policies are created and administered by AWS; customer managed policies are created and administered by you in your own account.

What is an IAM Inline Policy?

- An Inline Policy is an IAM Policy which is actually embedded within the user, group or role to which it applies. There is a strict 1:1 relationship between the entity and the policy.

What are the two primary features of Cognito that a developer might use?

- Cognito User Pools: Sign-up/Sign-in/Auth

What is Cognito Push Synchronization?

- Cognito tracks the association between a user identity and the devices they sign in from; with push synchronization enabled, a change to that identity's sync store triggers a silent push notification (via Amazon SNS) to every other linked device so they can pull the update.

Cognito Exam Tips

- Cognito uses User Pools to manage user sign-up and sign-in, either directly or through Web Identity Providers

What are examples of different Identity Providers (IdP)?

- Facebook

What are the three different types of IAM policies?

- Managed Policies

Cognito User Pools Summary:

- Managed User Directory

What is Cognito User Pool federation?

- Provides built-in integrations with identity providers like Facebook, Google, Amazon or corporate AD through SAML 2.0

Cognito Identity Pools Summary:

- Provides temporary AWS credentials for accessing resources on behalf of users

What are AWS Cognito Use Cases?

- Recommended approach for Web Identity Federation (WIF) using social media accounts like Facebook

What are the primary features of Cognito User Pools?

- Serverless Authentication: Add user sign-up and sign-in easily to your mobile and web apps without worrying about server infrastructure.

What are Cognito User Pools?

- User Pools are managed user directories.

What are some of the Cognito User Pool Flows?

- User Sign-up and Sign-In

What is the general process flow for using Cognito Identity Pools?

- User authenticates against a User Pool

SQS vs SNS for encryption at rest

-Amazon Simple Queue Service (SQS) encrypts data at rest

S3 - Data at Rest Protection

-bucket level permissions

NACLs vs. Security Groups

1 subnet = 1 NACL but a NACL can be associated with multiple subnets

KMS - Customer Master Key Ingredients

1. Alias

Policy Conditions

1. Allows access to resource only at certain times of day

Envelope encryption

1. CMK encrypts/decrypts second key (Data key)

Hardened Security Appliance (HSA)

1. Cloud___, dedicated appliance Amazon provisions for your VPC in their datacenter

KMS - Ingredients to create a key

1. Create CMK with no key material

reduce container attack surface area on Container

1. Create immutable containers

IAM - What do you do if the Root user changes/the Root user is reset?

1. Delete Root key in Security Credentials section

Inline Policies

1. Embedded directly in a single user, group, or role (not in a resource)

Types of Policies

1. Identity Based

DDoS - Mitigation

1. Minimize attack surface areas - whitelist IP addresses with a Bastion server

Authentication

1. Signing via up-to-date SDKs

Resource Based Policies

1. Specify WHO can do WHAT action on resource

Steps for Creating Endpoints

1. Specify the VPC.

Access Key Options

1. Temp credentials from Security Token Service (STS)

AWS Artifact - General

1. WHAT IS AWS ARTIFACT?

Security Group Points to know for the exam

1. Security groups are a per-Region quota (default 2,500, adjustable); older exam material cites a limit of 500 security groups per VPC.

access keys vs key pairs

1. an access key includes an access key ID and a secret access key. These are used to digitally sign programmatic requests that you make to AWS

IAM -Default expiration for roles

1 hour by default; the maximum session duration of a role can be raised to 12 hours.

Amazon S3 Standard Storage Durability and Availability

99.999999999% (11 nines) durability and 99.99% availability.

A "Resource" is component of a JSON policy. can you explain what a Resource is?

A "Resource" lists the resources on which the actions can occur.

Refresher: What is the scope for a VPC?

A *VPC spans all the Availability Zones in the region*.

Buckets

A Container (web folder) for objects stored in Amazon S3.

What is Resource-based Policy? can you explain?

A Resource-Based policy is a policy that is attached to a resource such as a bucket.

When you create a user, what does IAM create in order to identify the user?

A friendly name for the user (i.e Bob) and an Amazon Resource Name (ARN).

Internet Gateways (IGW)

A horizontally scaled, redundant and highly available VPC component that allows communication between instances in your VPC and the internet. Provides a target in your VPC route tables for internet-routable traffic, and performs NAT for instances that have been assigned public IPs.

Access Control List

A list of permissions or rules for accessing an object or network resource.

Peering

A network connection between two VPCs that enables instances in either VPC to communicate as if they are on the same network. Can be created between your own VPCs or with a VPC in another account; originally limited to a single region, inter-region peering is now also supported.

What is a policy?

A policy is an entity that, when attached to an identity or resource, defines its permissions.

What is a Principal? Can you give 3 examples?

A principal is an entity that can take an action on an AWS resource. A user, Role and Federated user are examples of a principal.

Endpoints

A private connection between your VPC and another AWS service without requiring access over the internet or through a NAT instance, VPN, or AWS Direct Connect. You can create multiple ones for a single service, and you can use route tables to enforce different access policies from different subnets to the same service.

How does a resource-based policy differ from a user-based policy?

A resource-based policy contains slightly different information than a user-based policy. In a resource-based policy you specify what actions are permitted and what resource is affected, but you also explicitly list who (the Principal) is allowed access to the resource. In a user-based policy, the who is established by whomever the policy is attached to.

AWS Security Group (Hypervisor Level) (Stateful)

A security group acts as a virtual firewall that controls the traffic for one or more instances. When you launch an instance, you can specify one or more security groups; otherwise, AWS uses the default security group. You can add rules to each security group that allow traffic to or from its associated instances. You can modify the rules for a security group at any time; the new rules are automatically applied to all instances that are associated with the security group. When deciding whether to allow traffic to reach an instance, AWS evaluates all the rules from all the security groups that are associated with the instance.

Can you describe what a service role for EC2 is and does?

A service role for EC2 is a service role that is assigned to EC2 when it's launched. This role automatically provides credentials for the EC2 instance to use on behalf of its applications.

What is a Service Role?

A service role is a role that a service assumes to perform actions in your account on your behalf. When you set up the role, you must include all the permissions required for the service to access the AWS resources that it needs. Service

Can you describe what an AWS Service-linked role is?

A service-linked role is a unique type of service role that is automatically created and deleted by a service to call other AWS services on your behalf.

Objects - Metadata

A set of name/value pairs that describe the object.

What is a trust policy?

A trust policy is a JSON document attached to a role that defines which principals are allowed to assume it; the role's separate permissions policy is what defines the actions and resources the role can use.

What is a trust policy?

A trust policy is a resource based policy that is attached to a role to define which principal can assume the role.

When a user is already signed into your corporate network and is federated into AWS, what happens to their corporate identity once they have been federated into AWS?

A user who is already logged in replaces his or her own corporate identity with a temporary identity in your AWS account.

What is a User-based policy? Can you explain?

A user-based policy is attached to a user or group and specifies the actions that are permitted and the resources (EC2 instances, etc.) that the user is allowed to access.

Elastic Network Interfaces (ENIs)

A virtual network interface that can be attached to an instance in a VPC. Associated with a subnet upon creation. They can have only one public IP, and multiple private IPs. If there are multiple private IPs, one is primary. One created independently of an instance persists regardless of the lifetime of any instance to which it's attached; if an instance that it's attached to fails, the IP may be preserved by attaching it to a replacement instance.

Security Group

A virtual stateful firewall that controls inbound and outbound traffic to resources and EC2 instances. All instances must be launched into one. If not specified, the instance will be launched in the default one for the VPC.

Querying AWS CloudTrail Logs

AWS CloudTrail is a service that records AWS API calls and events for AWS accounts.

What is the AWS recommended approach for Web Identity Federation?

AWS Cognito is recommended

What is AWS Cognito?

AWS Cognito provides Web Identity Federation with the following features:

KMS Logging Enable

AWS KMS is integrated with CloudTrail. To audit the usage of your keys in AWS KMS, you

Instances and NAT Gateways

AWS provides NAT instances and NAT Gateways to allow instances deployed in private subnets to gain internet access. NAT Gateways are managed by AWS and provide better availability and higher bandwidth than a self-managed NAT instance.

Subnets

AWS reserves the first four IP's and the last IP of every subnet for internal networking purposes.

Cognito - IDP

Accessing AWS Services Using an Identity Pool After Sign-in

AWS Incident Response and Forensics

Acquiring an EC2 Instance --

What is a security group?

Act as a *firewall for associated Amazon EC2 instances*, *controlling both inbound and outbound traffic* at the *instance level*.

What is a Network Access Control List (NACL)?

Act as a *firewall for associated subnets*, *controlling both inbound and outbound traffic* at the *subnet level*.

What is an Action? Can you give an example of actions?

Actions are defined by a service, and are things that you can do to a resource. CreateUser and DeleteUser are examples of actions.

When a principal tries to use the AWS Management Console, the AWS API or the AWS CLI, that principal sends requests to AWS. What are the components of this request?

Actions the principal wants to perform, Resources upon which the actions are performed, Principal information, including the environment from which the request was made.

Network Access Control Lists (ACLs)

Acts as a stateless firewall on a subnet level. It's a numbered list of rules that AWS evaluates in order, starting with lowest numbered rule, to determine if traffic is allowed in or out of any subnet associated with the network ACL. VPCs are created with a modifiable default network ACL associated with every subnet that allows all inbound and outbound traffic. Custom network ACLs are initially configured with 'deny all' inbound and outbound traffic until you create rules that allow otherwise. Overall, every subnet must be associated with a network ACL.
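The rule-ordering and statelessness points above are easy to get wrong in practice, so here is an added example (not part of the original page or of any AWS code) that models a network ACL in plain Python: rules are evaluated lowest number first, the first match wins, the implicit "*" rule denies the rest, and a TCP session only works if the reply is separately allowed outbound on the client's ephemeral port. All addresses, rule numbers and the `rule` helper are constructed for the demonstration.

```python
"""Toy network ACL evaluator (added example, not AWS code).

Rules are walked in ascending rule-number order and the first match
decides; the implicit final '*' rule denies anything left over. Because a
NACL is stateless, the reply to an allowed inbound request must itself be
allowed by an outbound rule that covers the client's ephemeral port, which
is the classic mistake this example reproduces. The addresses and rules
below are constructed for the demonstration.
"""
import ipaddress


def evaluate_nacl(rules, protocol, port, remote_ip):
    """Decide one packet: 'allow' or 'deny'. `port` is the packet's destination port."""
    ip = ipaddress.ip_address(remote_ip)
    for r in sorted(rules, key=lambda r: r["number"]):
        low, high = r["ports"]
        if r["protocol"] not in (protocol, "all"):
            continue
        if not low <= port <= high:
            continue
        if ip not in ipaddress.ip_network(r["cidr"]):
            continue
        return r["action"]        # first match wins; later rules are never consulted
    return "deny"                 # the implicit '*' rule


def connection_permitted(inbound, outbound, client_ip, client_port, server_port, protocol="tcp"):
    """A TCP session needs the request allowed inbound AND the reply allowed outbound."""
    request_ok = evaluate_nacl(inbound, protocol, server_port, client_ip) == "allow"
    reply_ok = evaluate_nacl(outbound, protocol, client_port, client_ip) == "allow"
    return request_ok and reply_ok


def rule(number, action, cidr, low, high, protocol="tcp"):
    """Constructed helper that builds one NACL rule entry."""
    return {"number": number, "action": action, "cidr": cidr,
            "ports": (low, high), "protocol": protocol}


# Inbound: block one abusive /24 on 443 (rule 90) before the general allow (rule 100).
INBOUND = [rule(100, "allow", "0.0.0.0/0", 443, 443),
           rule(90, "deny", "203.0.113.0/24", 443, 443)]
# Same intent, but the deny is numbered after the allow, so it never fires.
INBOUND_MISORDERED = [rule(100, "allow", "0.0.0.0/0", 443, 443),
                      rule(200, "deny", "203.0.113.0/24", 443, 443)]
# Outbound: the correct version allows the ephemeral range used for replies;
# the broken one only allows 443, so replies to clients are silently dropped.
OUTBOUND = [rule(100, "allow", "0.0.0.0/0", 1024, 65535)]
OUTBOUND_NO_EPHEMERAL = [rule(100, "allow", "0.0.0.0/0", 443, 443)]

if __name__ == "__main__":
    print(evaluate_nacl(INBOUND, "tcp", 443, "203.0.113.9"))            # deny
    print(evaluate_nacl(INBOUND_MISORDERED, "tcp", 443, "203.0.113.9"))  # allow
    print(connection_permitted(INBOUND, OUTBOUND, "198.51.100.7", 51515, 443))               # True
    print(connection_permitted(INBOUND, OUTBOUND_NO_EPHEMERAL, "198.51.100.7", 51515, 443))  # False
```

The misordered rule set shows why a deny must carry a lower number than the allow it is meant to override, and the second outbound set is the usual cause of "the security group allows it but nothing connects" when a custom NACL is in play.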

MFA Delete

Adds another layer of data protection on top of bucket versioning. Requires additional authentication in order to permanently delete an object version or change the versioning state of a bucket. In addition to normal credentials, it requires an authentication code generated by a hardware or Virtual Multi-Factor Authentication device.

API endpoints

All AWS services provide secure customer access points. AWS recommends use of SSL/TLS.

Multipart Upload

Allows you to upload large objects as a set of parts, the ability to pause and resume, and upload objects where the size is initially unknown. Parts can be uploaded independently in arbitrary order, with retransmission if needed. Should be used for objects larger than 100 MB, and must be used for objects larger than 5 GB.

Best way to isolate EC2 instance after possible breach for further investigation?

Always have a security group ready that has no inbound or outbound rules, so it can be applied immediately when needed (and remove the instance's other security groups).

What is a silent push notification?

Amazon Cognito uses the Amazon Simple Notification Service (SNS) to send silent push notifications to devices. A silent push notification is a push message that is received by your application on a user's device that will not be seen by the user.

DynamoDB - Security Tip

Amazon DynamoDB offers fully managed encryption at rest. DynamoDB encryption at rest provides enhanced security by encrypting all your data at rest using encryption keys stored in AWS Key Management Service (AWS KMS). This functionality helps reduce the operational burden and complexity involved in protecting sensitive data. With encryption at rest, customers can build security-sensitive applications that meet strict encryption compliance and regulatory requirements.

Amazon Elastic MapReduce (EMR)

Amazon EMR provides a managed Hadoop framework that makes it easy, fast, and cost-effective to process vast amounts of data across dynamically scalable Amazon EC2 instances. You can also run other popular distributed frameworks such as Apache Spark, HBase, Presto, and Flink in Amazon EMR, and interact with data in other AWS data stores such as Amazon S3 and Amazon DynamoDB.

Archives

Amazon Glacier data is stored here. Can contain up to 40 TB of data, and you can have an unlimited number of archives. Each one is assigned a unique ID created by AWS (no custom ID) at time of creation. They are automatically encrypted, and immutable, meaning they cannot be modified after creation.

KMS and Redshift

Amazon Redshift uses a four-tier, key-based architecture for encryption. The architecture consists of data encryption keys, a database key, a cluster key, and a master key.

Encryption - In Flight

Amazon S3 Secure Sockets Layer (SSL) API endpoints. Ensures that all data sent to and from S3 is encrypted while in transit using the HTTPS protocol.

An "Action" is component of a JSON policy. can you explain what an Action is?

An "Action" lists the actions that are allowed or denied by the policy.

An "Effect" is component of a JSON policy. can you explain what an Effect is?

An "Effect" states whether a policy allows or denies access.

What is an Amazon Resource name (ARN) used to identify?

An ARN is used to uniquely identify the user across all of AWS. There may be more than one Bob in all of AWS.

What is an AWS managed policy?

An AWS managed policy is created and managed by AWS. If you are new to using policies it is recommended to start by using AWS managed policies. You cannot change the permissions defined in AWS managed policies.

What are the similarities and differences between an IAM Role and an IAM User?

An IAM Role is similar to an IAM User, in that it is an AWS identity with permission policies that determine what the identity can and cannot do in AWS. However, instead of being uniquely associated with one person, a role is intended to be assumable by anyone who needs it. Also, a role does not have long term credentials (password or access keys) associated with it. Instead, when a user assumes a role, temporary security credentials are created dynamically and provided to the user.

Can you list the identities that can use a role?

An IAM user in the same AWS account as the role, an IAM user in a different AWS account from the role, a web service offered by AWS such as EC2, and an external user authenticated by an external identity provider (IdP) service that is compatible with SAML 2.0.

What is an Access Key comprised of and when do you use an access key?

An access key is a combination of an access key ID and a secret key. An access key is used to make programmatic calls to AWS when using the API in program code or at command prompt when using the AWS CLI or the Powershell tools.

Amazon S3 Data Consistency

Historically an eventually consistent system: because data is automatically replicated across multiple servers and locations within a region, overwrite PUTs and DELETEs could take some time to propagate to all locations. Since December 2020, S3 delivers strong read-after-write consistency for all PUT and DELETE operations.

What is an identity-based policy? What can you do with an identity based policy and what are the two different types of identity based policies?

An identity based policy is a policy that you can attach to a principal (identity), such as an IAM user, role, or group. An identity based policy controls what actions that identity can perform, on which resources and under what conditions. The two different types of identity based policies are AWS Managed Policies and Inline Policies.

What is an inline policy?

An inline policy is created by you and embedded directly into a single user, group or role.

Cross-Region Replication

Asynchronously replicate all new objects in the source bucket in one region to a target bucket in another region. After it is set up, any changes to data in the source bucket triggers a new replication to the destination bucket. Versioning must be turned on for both source and destination buckets, and you must use an IAM policy to give S3 permission to replicate objects on your behalf.

Amazon S3 Object Lifecycle Management

Automated Storage Tiering

DHCP Option Sets

Automatically created for your VPC and sets two options:

You have noticed latency when using AWS STS API calls. What can you do to reduce this latency?

By default, AWS STS is a global service with a single endpoint at https://sts.amazonaws.com. However, you can choose to make AWS STS API calls to an endpoint in a supported region geographically closer to you or your customers.

KMS and AWS CloudTrail

By default, the log files delivered by CloudTrail to your S3 bucket are encrypted using server-side encryption with Amazon S3-managed encryption keys (SSE-S3). But you can choose instead to use server-side encryption with AWS KMS-managed keys (SSE-KMS).

Secret access key

Calls to create and delete Amazon VPCs, change routing, security group, and network ACL parameters, and perform other functions are all signed by this key.

Event Notifications

Can be sent in response to actions taken on objects uploaded or stored in S3. Enables you to run workflows, send alerts, or perform other actions in response to changes in your objects stored in S3. You can set up triggers to perform actions like transcoding, processing, and synchronizing S3 objects with other data stores. Set up at bucket level.

Choosing Between Signed URLs and Signed Cookies

CloudFront signed URLs and signed cookies provide the same basic functionality: they allow you to control who can access your content. If you want to serve private content through CloudFront and you're trying to decide whether to use signed URLs or signed cookies, consider the following.

How does Cognito Identity help me control permissions and access AWS services securely?

Cognito Identity assigns your users a set of temporary, limited privilege credentials to access your AWS resources so you do not have to use your AWS account credentials. The permissions for each user are controlled through AWS IAM roles that you create. You can define rules to choose the IAM role for each user, or if you are using groups in a Cognito user pool, you can assign IAM roles based on groups. Cognito Identity also allows you to define a separate IAM role with limited permissions for guest users who are not authenticated. In addition, you can use the unique identifier that Cognito generates for your users to control access to specific resources. For example you can create a policy for an S3 bucket that only allows each user access to their own folder within the bucket.

You can access AWS in different ways depending on the user credentials used. What are those ways?

Console password, Access key, SSH Key for AWS CodeCommit, and server certificates.

Vaults

Containers for archives. Each AWS account can have up to 1,000. Access is controlled through IAM policies or vault access policies.

S3 - Allow Vendor to Provide Objects to Customer's Bucket

Create an IAM role in the customer's account that the vendor can assume (or a bucket policy naming the vendor's account as Principal with s3:PutObject on the bucket)

Amazon S3 Lifecycle Policies

Data can be automatically migrated to the most appropriate storage class, without modifying your application code.

AWS CloudHSM

Dedicated hardware security module in the AWS cloud:

What does setting up delegation involve?

Delegation involves setting up a trust between the account that owns the resource (trusting account) and the account that contains the users that need access to the resources (trusted account).

Can you describe what delegation means?

Delegation is granting permissions to someone to allow access to resources you control.

Access Keys are used for

Digitally signed requests to AWS APIs(using the AWS SDK, CLI, or REST/Query APIs)
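The cards on access keys and the secret access key say requests are "digitally signed" without showing what that means. The following is an added example, not AWS SDK code: a from-scratch AWS Signature Version 4 signer and verifier using only the standard library. It shows that the secret access key never leaves the client; a per-day, per-region, per-service signing key is derived from it by chained HMACs and used to sign a canonical form of the request, and the service recomputes the same value from its stored copy of the secret. The request and the placeholder credentials (AKIDEXAMPLE and the documentation sample secret) are constructed; the simplified path canonicalization skips the per-segment double encoding that non-S3 services require.

```python
"""AWS Signature Version 4 from scratch (added example, not AWS SDK code).

The secret access key never travels on the wire. It derives a signing key
scoped to date/region/service, which authenticates a canonical form of the
request (method, path, query, selected headers and the payload hash). The
service re-derives the HMAC from the stored secret and compares. Only the
standard library is used; the request below is constructed, not captured.
"""
import hashlib
import hmac
from urllib.parse import quote

ALGORITHM = "AWS4-HMAC-SHA256"


def _sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def _hmac(key: bytes, msg: str) -> bytes:
    return hmac.new(key, msg.encode(), hashlib.sha256).digest()


def canonical_request(method, path, query, headers, payload):
    """Build the canonical request string and the SignedHeaders list."""
    lower = {k.lower(): " ".join(v.split()) for k, v in headers.items()}
    signed_headers = ";".join(sorted(lower))
    canon_headers = "".join(f"{k}:{lower[k]}\n" for k in sorted(lower))
    canon_query = "&".join(
        f"{quote(k, safe='-_.~')}={quote(v, safe='-_.~')}" for k, v in sorted(query.items()))
    lines = [method, quote(path, safe="/-_.~"), canon_query,
             canon_headers, signed_headers, _sha256_hex(payload)]
    return "\n".join(lines), signed_headers


def signing_key(secret_key, date, region, service):
    """kSecret -> kDate -> kRegion -> kService -> kSigning; the raw secret is never used directly."""
    k = _hmac(("AWS4" + secret_key).encode(), date)
    k = _hmac(k, region)
    k = _hmac(k, service)
    return _hmac(k, "aws4_request")


def sign(access_key, secret_key, region, service, method, path, query, headers, payload):
    """Return the Authorization header value for the request."""
    amz_date = headers["X-Amz-Date"]
    date = amz_date[:8]
    creq, signed_headers = canonical_request(method, path, query, headers, payload)
    scope = f"{date}/{region}/{service}/aws4_request"
    string_to_sign = "\n".join([ALGORITHM, amz_date, scope, _sha256_hex(creq.encode())])
    signature = hmac.new(signing_key(secret_key, date, region, service),
                         string_to_sign.encode(), hashlib.sha256).hexdigest()
    return (f"{ALGORITHM} Credential={access_key}/{scope}, "
            f"SignedHeaders={signed_headers}, Signature={signature}")


def verify(authorization, secret_key, region, service, method, path, query, headers, payload):
    """Server side: recompute with the stored secret and compare in constant time."""
    access_key = authorization.split("Credential=")[1].split("/")[0]
    expected = sign(access_key, secret_key, region, service, method, path, query, headers, payload)
    return hmac.compare_digest(expected, authorization)


# Constructed request using the placeholder credentials from the AWS documentation.
ACCESS_KEY = "AKIDEXAMPLE"
SECRET_KEY = "wJalrXUtnFEMI/K7MDENG+bPxRfiCYEXAMPLEKEY"
HEADERS = {"Host": "example.amazonaws.com", "X-Amz-Date": "20150830T123600Z"}

if __name__ == "__main__":
    print(sign(ACCESS_KEY, SECRET_KEY, "us-east-1", "service", "GET", "/", {}, HEADERS, b""))
```

Because the X-Amz-Date header is inside the signed set, a captured Authorization header cannot be replayed outside the short clock-skew window AWS accepts, and any change to the signed headers, query or payload invalidates the signature.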

KMS and DynamoDB

DynamoDB integrates with AWS Key Management Service (AWS KMS) to support an optional encryption at rest server-side encryption feature.

AWS Credentials

Each AWS account or IAM user is a unique identity and has unique long-term credentials.

elastic network interface (ENI)

Each Amazon EC2 instance has a default network interface that is assigned a private IP address on your Amazon VPC network. You can create and attach an additional network interface, known as an _________ _________ __________, to an Amazon EC2 instance in your Amazon VPC; the maximum number of network interfaces per instance depends on the instance type.

Vaults Locks

Easily deploy and enforce compliance controls for individual vaults with these policies. Specify controls like:

What are the components of a JSON policy documents?

Effect, Action, Resource and Condition. (EARC)

Client-Side Encryption

Encrypting data on the client before sending it to S3. Two options for using data encryption keys:

Objects

Entities or files stored in Amazon S3 Buckets.

Object URL

Every S3 object can be addressed by these using the web services endpoint, the bucket name, and object key.

Keys

Every object stored in an S3 bucket is identified by a unique identifier.

DDoS - Application - Layer 7 attacks

Examples are a flood of GET requests or Slowloris, where the attacker sends partial HTTP requests that never complete

What are Flow logs?

Flow Logs *capture information about the IP traffic going to and from network interfaces in your VPC*.

How does Web Identity Federation work?

Following successful authentication with Facebook, Google or another Web ID provider service, the user receives a token from the Web ID provider which they can then trade (via STS AssumeRoleWithWebIdentity) for temporary AWS security credentials. With those credentials, the user acts under an IAM role.

S3 - Forcing Use of Cloudfront

Forcing S3 to Use CloudFront:

SSE-S3 (AWS-Managed Keys)

Fully integrated "Check-Box-Style" encryption solution.

SSE-KMS (AWS KMS Keys)

Fully integrated. Keys are stored and protected in AWS KMS, but you control the key policy, rotation and usage permissions, and every use of the key is logged in CloudTrail.

Amazon S3 Storage Classes

General Purpose

IAM - manage user access to console

Global and granular permissions

Versioning

Helps protect data against accidental or malicious deletion by keeping multiple versions of each object in the bucket, identified by a unique version ID.

Granting Cross-Account Access

Here are two ways in AWS to grant cross-account access to a resource:

S3 Storage Class - Standard

High durability, high availability, low latency, and high performance object storage for general purpose use. Well suited for short or long-term storage of frequently accessed data because of low first-byte latency and high throughput.

S3 Storage Class - Standard-Infrequent Access (Standard-IA)

High durability, high availability, low latency, and high performance object storage, but designed for long-lived, less frequently accessed data.

Amazon Elastic Container Service (Amazon ECS)

Highly scalable, high-performance container orchestration service that supports Docker containers and allows you to easily run and scale containerized applications on AWS. Amazon ECS eliminates the need for you to install and operate your own container orchestration software, manage and scale a cluster of virtual machines, or schedule containers on those virtual machines.

Firewall Options

Host-Based Firewall (OS level)

Elastic IP Addresses (EIPs)

A pool of public IPs in each region available for you to associate to resources within your VPC. They allow you to maintain a set of IPs that remain fixed while underlying infrastructure may change over time.

IAM - Policies Overview

IAM applies to every single service - users, groups, and roles.

password policy

IAM can be used to set a password policy that requires at least one lowercase letter and at least one non-alphanumeric character

IAM Group

IAM groups are collections of IAM users in one AWS account. You can create IAM groups on a functional, organizational, or geographic basis, or by project, or on any other basis where IAM users need to access similar AWS resources to do their jobs. You can provide each IAM group with permissions to access AWS resources by assigning one or more IAM policies. All policies assigned to an IAM group are inherited by the IAM users who are members of the group.

What do IAM users represent? What can you create for each IAM user?

IAM users represent both humans and applications. You can create individual access keys for each user so that they can make programmatic requests to work with resources in your account.

What is IAM

Identity and Access Management is a web service that helps you securely control access to AWS resources.

What is an Identity Pool?

Identity pools are the containers that Cognito Identity uses to keep your apps' federated identities organized. Identity Pool associates federated identities from social identity providers with a unique user specific identifier. Identity Pools do not store any user profiles. An identity pool can be associated with one or many apps. If you use two different identity pools for two apps then the same end user will have a different unique identifier in each Identity Pool.

How do you grant permissions in IAM?

In IAM, permissions are granted through policies that are created and then attached to users, groups or roles.

KMS Policy Encryption concept

In addition to limiting permission to the AWS KMS APIs, AWS KMS also gives you the ability to add an additional layer of authentication for your KMS API calls utilizing encryption context.
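The envelope encryption card earlier (CMK wraps a data key) and the encryption context card above describe the same mechanism from two angles. The block below is an added example, not AWS or KMS code, that ties them together: a stand-in "KMS" holds a master key that never leaves it, hands out a fresh data key per object, and binds the encryption context into the wrapped key so that unwrapping with a different context fails. AES is replaced by a toy HMAC-SHA256 keystream so the script runs on the standard library alone; it is for illustration of the structure, not a cipher to protect real data. The `ToyKms` class, the context values and the message are all constructed.

```python
"""Envelope encryption with an encryption context (added example, not AWS code).

The master key (the CMK in KMS) never encrypts data directly: it wraps a
fresh per-object data key, and the wrapped key travels with the ciphertext.
The encryption context is authenticated into the wrapping, so the data key
only unwraps when the same context is presented. AES is replaced by a toy
keystream derived from HMAC-SHA256 so the script runs on the standard
library alone; it illustrates the structure and must not protect real data.
"""
import hashlib
import hmac
import json
import os


def _keystream_xor(key, nonce, data):
    """CTR-style stream: block i = HMAC(key, nonce || i), XORed with the data."""
    out = bytearray()
    for i in range(0, len(data), 32):
        block = hmac.new(key, nonce + i.to_bytes(4, "big"), hashlib.sha256).digest()
        out += bytes(a ^ b for a, b in zip(data[i:i + 32], block))
    return bytes(out)


def _aad(context):
    """Canonical encoding of the encryption context (sorted keys, like KMS)."""
    return json.dumps(context, sort_keys=True).encode()


class ToyKms:
    """Stands in for KMS: holds the master key and never releases it."""

    def __init__(self):
        self._master = os.urandom(32)

    def generate_data_key(self, context):
        """Return (plaintext data key, wrapped blob) like KMS GenerateDataKey."""
        plaintext_key = os.urandom(32)
        nonce = os.urandom(16)
        wrapped = _keystream_xor(self._master, nonce, plaintext_key)
        tag = hmac.new(self._master, nonce + wrapped + _aad(context), hashlib.sha256).digest()
        return plaintext_key, nonce + wrapped + tag

    def decrypt_data_key(self, blob, context):
        """Unwrap only if the caller presents the same context the key was wrapped under."""
        nonce, wrapped, tag = blob[:16], blob[16:48], blob[48:]
        expect = hmac.new(self._master, nonce + wrapped + _aad(context), hashlib.sha256).digest()
        if not hmac.compare_digest(tag, expect):
            raise PermissionError("encryption context mismatch or tampered blob")
        return _keystream_xor(self._master, nonce, wrapped)


def encrypt(kms, plaintext, context):
    """Generate a data key, encrypt locally, ship the wrapped key with the data."""
    data_key, wrapped_key = kms.generate_data_key(context)
    nonce = os.urandom(16)
    body = _keystream_xor(data_key, nonce, plaintext)
    tag = hmac.new(data_key, nonce + body, hashlib.sha256).digest()
    del data_key  # only the wrapped copy is stored alongside the ciphertext
    return {"wrapped_key": wrapped_key, "nonce": nonce, "body": body, "tag": tag}


def decrypt(kms, envelope, context):
    """Unwrap the data key through the master key holder, then decrypt locally."""
    data_key = kms.decrypt_data_key(envelope["wrapped_key"], context)
    expect = hmac.new(data_key, envelope["nonce"] + envelope["body"], hashlib.sha256).digest()
    if not hmac.compare_digest(expect, envelope["tag"]):
        raise ValueError("ciphertext tampered")
    return _keystream_xor(data_key, envelope["nonce"], envelope["body"])


if __name__ == "__main__":
    kms = ToyKms()
    ctx = {"tenant": "acme", "purpose": "backup"}      # constructed encryption context
    env = encrypt(kms, b"payroll 2024", ctx)
    print(decrypt(kms, env, ctx))                        # b'payroll 2024'
```

Note what the context does and does not do: it is not secret (it is logged in CloudTrail in the clear), it only guarantees that a wrapped key cannot be unwrapped under a different context, which is the "additional layer of authentication" the card refers to.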

You can organise IAM users into IAM groups and attach a policy to a group? In cases where a group has multiple policies attached to them that grant different policies, which policy is implemented?

In that case, the group's permissions are the combination (union) of all attached policies; if any policy contains an explicit Deny for the request, that Deny overrides every Allow.

Cognito with IAM

In the process of creating an identity pool, you'll be prompted to update the IAM roles that your users assume. IAM roles work like this: When a user logs in to your app, Amazon Cognito generates temporary AWS credentials for the user. These temporary credentials are associated with a specific IAM role. The IAM role lets you define a set of permissions to access your AWS resources.

Traffic Defaults

For a new security group, inbound traffic is blocked by default and all outbound traffic is allowed.

AWS Trusted Advisor vs. Inspector

Inspector:

Amazon Athena

Interactive query service that makes it easy to analyze data in Amazon S3 using standard SQL. Athena is serverless, so there is no infrastructure to manage, and you pay only for the queries that you run.

How can I provide cross-account access to objects that are in Amazon S3 buckets?

Issue

What does any actions or resources that are not explicitly allowed are denied by default mean?

It means that unless an action on a resource is explicitly allowed by a policy, it is denied by default.
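The cards on policy components (Effect, Action, Resource, Condition), resource-based policies with a Principal, time-based conditions, groups with several policies, and default deny all describe one evaluation procedure. The following is an added example, not AWS code, that implements that procedure as a toy evaluator in plain Python: implicit deny, any matching Allow grants, any matching explicit Deny wins. It supports Action/Resource wildcards, the Principal element for resource-based statements, and the DateGreaterThan/DateLessThan operators on aws:CurrentTime (which compares absolute timestamps, so a "time of day" rule is expressed as a dated window). Policy variables, NotAction and the other condition operators are deliberately omitted. The bucket name, account IDs, role ARN and the `at` helper are all constructed.

```python
"""Toy IAM policy evaluator (added example, not AWS code).

Every request starts as an implicit deny, a matching Allow in any attached
policy turns it into an allow, and a matching explicit Deny wins over every
Allow. A group's several policies are simply evaluated together.
Identity-based statements carry no Principal; a resource-based statement
(e.g. a bucket policy) must name the caller. Only Action/Resource wildcards
and the aws:CurrentTime date operators are implemented.
"""
from datetime import datetime, timezone
from fnmatch import fnmatchcase


def _as_list(v):
    return v if isinstance(v, list) else [v]


def _matches(patterns, value):
    # IAM wildcards: '*' matches any run of characters, '?' a single character.
    return any(fnmatchcase(value, p) for p in _as_list(patterns))


def _condition_ok(cond, ctx):
    ops = {"DateGreaterThan": lambda a, b: a > b, "DateLessThan": lambda a, b: a < b}
    for op, pairs in (cond or {}).items():
        for key, wanted in pairs.items():
            if op not in ops or key != "aws:CurrentTime":
                return False          # unsupported operator or key: fail closed
            limit = datetime.fromisoformat(wanted.replace("Z", "+00:00"))
            if not ops[op](ctx["aws:CurrentTime"], limit):
                return False
    return True


def _principal_ok(stmt, ctx):
    if "Principal" not in stmt:
        return True                   # identity-based statement: caller is whoever it is attached to
    principal = stmt["Principal"]
    if principal == "*":
        return True
    return ctx["principal_arn"] in _as_list(principal.get("AWS", []))


def evaluate(policies, action, resource, ctx):
    """Return 'Allow' or 'Deny' for one request against all applicable policies."""
    decision = "Deny"                 # implicit deny until something allows
    for doc in policies:
        for stmt in _as_list(doc["Statement"]):
            if not (_matches(stmt["Action"], action) and _matches(stmt["Resource"], resource)
                    and _principal_ok(stmt, ctx) and _condition_ok(stmt.get("Condition"), ctx)):
                continue
            if stmt["Effect"] == "Deny":
                return "Deny"         # explicit deny overrides every allow
            decision = "Allow"
    return decision


BUCKET = "arn:aws:s3:::example-bucket"          # constructed
# Group policy 1: read-only on the bucket.
READ_ONLY = {"Version": "2012-10-17", "Statement": [{
    "Effect": "Allow", "Action": ["s3:GetObject", "s3:ListBucket"],
    "Resource": [BUCKET, BUCKET + "/*"]}]}
# Group policy 2: uploads only inside a dated window (aws:CurrentTime is an absolute timestamp).
WINDOWED_WRITE = {"Version": "2012-10-17", "Statement": [{
    "Effect": "Allow", "Action": "s3:PutObject", "Resource": BUCKET + "/*",
    "Condition": {"DateGreaterThan": {"aws:CurrentTime": "2024-01-15T09:00:00Z"},
                  "DateLessThan": {"aws:CurrentTime": "2024-01-15T17:00:00Z"}}}]}
# Group policy 3: explicit deny on the finance/ prefix, which beats the allows above.
DENY_FINANCE = {"Version": "2012-10-17", "Statement": [{
    "Effect": "Deny", "Action": "s3:*", "Resource": BUCKET + "/finance/*"}]}
# Resource-based bucket policy granting a vendor role in another account PutObject on inbound/.
VENDOR_ROLE = "arn:aws:iam::999999999999:role/vendor-upload"   # constructed
BUCKET_POLICY = {"Version": "2012-10-17", "Statement": [{
    "Effect": "Allow", "Principal": {"AWS": VENDOR_ROLE},
    "Action": "s3:PutObject", "Resource": BUCKET + "/inbound/*"}]}


def at(hour, principal_arn="arn:aws:iam::123456789012:user/bob"):
    """Constructed request context for the given UTC hour on the sample day."""
    return {"principal_arn": principal_arn,
            "aws:CurrentTime": datetime(2024, 1, 15, hour, 0, tzinfo=timezone.utc)}


if __name__ == "__main__":
    group = [READ_ONLY, WINDOWED_WRITE, DENY_FINANCE]
    print(evaluate(group, "s3:GetObject", BUCKET + "/reports/q1.csv", at(10)))   # Allow
    print(evaluate(group, "s3:GetObject", BUCKET + "/finance/q1.csv", at(10)))   # Deny
    print(evaluate(group, "s3:PutObject", BUCKET + "/reports/q1.csv", at(20)))   # Deny
```

Real IAM evaluation also consults SCPs, permission boundaries and session policies, and resource-based policies in the same account are unioned with identity policies in the way shown; cross-account access additionally needs an Allow on both sides.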

Route Tables

Logical construct that has a set of rules (routes) that are applied to the subnet and used to determine where traffic is directed. These routes are what permit instances within different subnets within a VPC to communicate with each other. It can be modified.

S3 Storage Class - Reduced Redundancy Storage (RRS)

Lower durability (99.99%, four nines)

Amazon Kinesis

Makes it easy to collect, process, and analyze real-time, streaming data so you can get timely insights and react quickly to new information. Amazon Kinesis offers key capabilities to cost-effectively process streaming data at any scale, along with the flexibility to choose the tools that best suit the requirements of your application. With Amazon Kinesis, you can ingest real-time data such as video, audio, application logs, website clickstreams, and IoT telemetry data for machine learning, analytics, and other applications. Amazon Kinesis enables you to process and analyze data as it arrives and respond instantly instead of having to wait until all your data is collected before the processing can begin.

encryption for amazon RDS is available for which platforms:

All current RDS engines: MySQL, MariaDB, PostgreSQL, Oracle, and Microsoft SQL Server (older exam material lists only MySQL, Oracle, and Microsoft SQL Server)

Representational State Transfer (REST) Interface

Native interface for Amazon S3. Uses standard HTTP or HTTPS requests to create and delete buckets, list keys, and read and write objects. Maps standard HTTP methods (verbs) to familiar CRUD (Create, Read, Update, Delete) operations.

Virtual Private Cloud

Networking layer for EC2. Allows you to build your own virtual network within AWS. You control IP range; creating your own subnets; configuring your own route tables, gateways, & security settings.

Can a subnet span availability zones?

No, Each subnet must reside entirely within one Availability Zone and cannot span zones.

Do federated users have permanent identities in your AWS account? Can you explain?

No, federated users do not have permanent identities in your AWS account. To assign permissions to federated users, you have to create a role and define permissions for the role. When the user signs into AWS, the user is associated with the role and is granted the permissions that are defined in the role.

When using public identity providers, does Amazon Cognito Identity store users' credentials?

No, your app communicates directly with the supported public identity provider (Amazon, Facebook, Twitter, Digits, Google, or an Open ID Connect-compliant provider) to authenticate users. Cognito Identity does not receive or store user credentials. Cognito Identity uses the token from the identity provider to obtain a unique identifier for the user and then hashes it using a one-way hash so that the same user can be recognized again in the future without storing the actual user identifier.

Can you use service roles to grant access to services in other accounts?

No. Service roles provide access only within your account and cannot be used to grant access to services in other accounts.

Is data saved directly to the Amazon Cognito sync store?

No. The optional AWS Mobile SDK saves your data to an SQLite database on the local device, this way the data is always accessible to your app. The data is pushed to the Amazon Cognito sync store by calling the synchronize() method and, if push synchronization is enabled, all other devices linked to an identity are notified of the data change in the sync store via Amazon SNS.

Pre-Signed URLs

Objects by default are private. Owners can share them by creating these, using their own security credentials to grant time-limited permission to download the objects.

S3 - Connections

Occur over HTTPS.

Objects - Data

Opaque to Amazon S3. It is treated simply as a stream of bytes. Amazon doesn't know or care what type of data you are storing, and the service doesn't act differently for text data versus binary data.

Amazon Glacier

Optimized for data archiving and long-term backup at extremely low cost. Suitable for rarely accessed data, and for which a retrieval time of 3-5 hours is Ok. Stores an unlimited amount of virtually any kind of data, in any format.

DDoS - What kind of attacks?

Packet floods, reflection and amplification, or large botnets:

AWS Hardware Isolation

Physical Interface -> firewall (directs traffic to particular customer) -> customer security group -> virtual interface -> Hypervisor -> Customer instances

What format are policies stored in?

Policies are stored as JSON documents attached to principals as identity based policies or to resources as resource-based policies.

S3 - Access Control Lists

Predates IAM

Cognito

Provides:

AWS Key Management Service (KMS)

Public key = front door lock

Protecting data at rest on amazon RDS

RDS runs on the same secure infrastructure, but you can add protection at the application layer by encrypting all sensitive DB fields before they are written to the database.

Access Control - Coarse-Grained Permissions

Read, Write, or Full Control, at the object or bucket level.

KMS Regional or Global?

Regional: a key created in one region exists only in that region.

S3 - Cross-Region Replication (CRR)

Replicates from one region to another:

What is a resource based policy?

Resource based policies are JSON documents that you attach to a resource such as an Amazon S3 bucket.

Can you list the 5 IAM identities that are available in AWS?

Root Account User, IAM User, IAM Groups, IAM Roles and Temporary Credentials.

What is the name of the email address and password that you provided when first creating your AWS account?

Root User Account

Route53 (DNS)

What are server certificates used for in the context of IAM?

SSL/TLS certificates can be used to authenticate with some AWS services.

KMS and AWS Secrets Manager

Secrets Manager integrates with AWS Key Management Service (AWS KMS) to encrypt every version of every secret with a unique data encryption key that is protected by an AWS KMS customer master key (CMK). This integration protects your secrets under encryption keys that never leave AWS KMS unencrypted. It also enables you to set custom permissions on the master key and audit the operations that generate, encrypt, and decrypt the data keys that protect your secrets

S3 Storage Class - Amazon Glacier

Secure, durable, and extremely low-cost cloud storage for data that doesn't require real-time access. Retrieval times of several hours are acceptable. You can retrieve up to 5% free each month.

Amazon Simple Storage Service (S3)

Secure, durable, highly-scalable cloud storage. Object storage, store and retrieve any amount of data from anywhere on the web.

Logging

Server Access Logs. When enabled, you must choose where the logs will be stored; this can be the same bucket or a different one. A separate log bucket is preferred, so that delivery of the logs themselves does not generate further log entries and so that readers of the source bucket cannot read or delete the logs. Best practice is to specify a prefix such as logs/ or yourbucketname/logs/ so they can be easily identified. Once enabled, logs are delivered on a best-effort basis with a slight delay.
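Server access logs are only useful if something reads them. The following is an added example, not code from the original page: it parses log lines in the S3 server access log format and flags two things a reviewer looks for first, anonymous requests that succeeded (the object is world-readable) and bursts of AccessDenied responses from one address (someone probing for readable keys). The log lines, bucket name, IP addresses and canonical user ID are constructed samples.

```python
"""Parse S3 server access log lines and flag suspicious access.

Added example (not from the original page). The log lines below are
constructed samples in the S3 server access log format; the bucket,
IPs and canonical user ID are placeholders.
"""
import re
from collections import Counter

# Field order as S3 writes it; the first 17 fields are always present,
# later fields (host id, TLS version, ...) vary by log version.
FIELDS = [
    "bucket_owner", "bucket", "time", "remote_ip", "requester", "request_id",
    "operation", "key", "request_uri", "http_status", "error_code",
    "bytes_sent", "object_size", "total_time", "turn_around_time",
    "referrer", "user_agent",
]

# One token is a [bracketed time], a "quoted string", or a bare word.
_TOKEN = re.compile(r'\[[^\]]*\]|"[^"]*"|\S+')

OWNER = "79a59df900b949e55d96a1e698fbacedfd6e09d98eacf8f8d5218e7cd47ef2be"

# Constructed sample log: one authenticated read, one anonymous read that
# succeeded, three AccessDenied probes from one IP, one stray 403.
SAMPLE_LOG = f"""\
{OWNER} example-bucket [06/Feb/2024:10:15:02 +0000] 192.0.2.10 {OWNER} 3E57427F3EXAMPLE REST.GET.OBJECT reports/q1.pdf "GET /reports/q1.pdf HTTP/1.1" 200 - 51200 51200 12 9 "-" "aws-sdk-python/1.26.0"
{OWNER} example-bucket [06/Feb/2024:10:16:40 +0000] 203.0.113.9 - 7A2B9C1D2EXAMPLE REST.GET.OBJECT secrets.txt "GET /secrets.txt HTTP/1.1" 200 - 812 812 5 3 "-" "curl/8.4.0"
{OWNER} example-bucket [06/Feb/2024:10:17:01 +0000] 198.51.100.7 - 8B3C0D2E3EXAMPLE REST.GET.OBJECT backup.zip "GET /backup.zip HTTP/1.1" 403 AccessDenied 243 - 4 - "-" "python-requests/2.31.0"
{OWNER} example-bucket [06/Feb/2024:10:17:02 +0000] 198.51.100.7 - 9C4D1E3F4EXAMPLE REST.GET.OBJECT db.sql "GET /db.sql HTTP/1.1" 403 AccessDenied 243 - 4 - "-" "python-requests/2.31.0"
{OWNER} example-bucket [06/Feb/2024:10:17:03 +0000] 198.51.100.7 - AD5E2F405EXAMPLE REST.GET.OBJECT .env "GET /.env HTTP/1.1" 403 AccessDenied 243 - 4 - "-" "python-requests/2.31.0"
{OWNER} example-bucket [06/Feb/2024:10:20:11 +0000] 192.0.2.55 - BE6F3A516EXAMPLE REST.GET.OBJECT index.html "GET /index.html HTTP/1.1" 403 AccessDenied 243 - 4 - "-" "Mozilla/5.0"
"""


def parse_line(line):
    """Map one access log line to a dict keyed by FIELDS."""
    tokens = _TOKEN.findall(line)
    if len(tokens) < len(FIELDS):
        raise ValueError(f"log line has only {len(tokens)} fields")
    rec = dict(zip(FIELDS, tokens))
    rec["time"] = rec["time"].strip("[]")
    for quoted in ("request_uri", "referrer", "user_agent"):
        rec[quoted] = rec[quoted].strip('"')
    return rec


def analyze(lines, forbidden_threshold=3):
    """Return (finding, source_ip, detail) tuples for two patterns:
    anonymous ('-' requester) successful object reads, which mean the
    object is publicly readable, and bursts of AccessDenied responses
    from one IP, which look like someone probing for readable keys."""
    findings = []
    denied_by_ip = Counter()
    for line in lines:
        rec = parse_line(line)
        if (rec["requester"] == "-" and rec["operation"] == "REST.GET.OBJECT"
                and rec["http_status"] == "200"):
            findings.append(("anonymous_read", rec["remote_ip"], rec["key"]))
        if rec["http_status"] == "403":
            denied_by_ip[rec["remote_ip"]] += 1
    for ip, count in denied_by_ip.items():
        if count >= forbidden_threshold:
            findings.append(("access_denied_burst", ip, count))
    return findings


if __name__ == "__main__":
    for finding in analyze(SAMPLE_LOG.splitlines()):
        print(*finding)
```

The requester field is the canonical user ID of an authenticated caller and a literal "-" for anonymous requests, which is why a successful anonymous GET is the signal that an object (or the whole bucket) is public.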

AWS CodeDeploy

Service that automates code deployments to any instance, including Amazon EC2 instances and instances running on-premises. AWS CodeDeploy makes it easier for you to rapidly release new features, helps you avoid downtime during application deployment, and handles the complexity of updating your applications. You can use AWS CodeDeploy to automate software deployments, eliminating the need for error-prone manual operations, and the service scales with your infrastructure so you can easily deploy to one instance or thousands. This service helps make processes repeatable.

Amazon Elasticsearch

Service, is a fully managed service that makes it easy for you to deploy, secure, operate, and scale Elasticsearch to search, analyze, and visualize data in real-time. With Amazon Elasticsearch Service you get easy-to-use APIs and real-time analytics capabilities to power use-cases such as log analytics, full-text search, application monitoring, and clickstream analytics, with enterprise-grade availability, scalability, and security. The service offers integrations with open-source tools like Kibana and Logstash for data ingestion and visualization. It also integrates seamlessly with other AWS services such as Amazon Virtual Private Cloud (VPC), AWS Key Management Service (KMS), Amazon Kinesis Data Firehose, AWS Lambda, AWS Identity and Access Management Service (IAM), Amazon Cognito, and Amazon CloudWatch, so you can go from data to actionable insights quickly and securely.

Encryption - At Rest

Several variations of Server-Side Encryption (SSE). * Data is encrypted at the object level as it is written to disk and decrypted when it is read back.

KMS - 6 Elements for Policy

Sid - (Optional) The Sid is a statement identifier, an arbitrary string you can use to identify the statement.

Cognito - User Pool

Support for groups in Amazon Cognito user pools enables you to create and manage groups, add users to groups, and remove users from groups. Use groups to create collections of users to manage their permissions or to represent different types of users. You can assign an AWS Identity and Access Management (IAM) role to a group to define the permissions for members of a group.

What are temporary roles primarily used with? Whats the benefit of using temporary credentials?

Temporary credentials are primarily used with IAM roles. A benefit of using temporary credentials is that they expire automatically after a set period of time, and you control the duration for which the credentials are valid.

What are temporary security credentials generated by?

Temporary security credentials are generated by AWS STS.

Temporary security credentials work almost identically to the long term access key credentials that your IAM users can use with 2 major differences. What are those differences?

Temporary security credentials are short-term. They are configured to last for anywhere from a few minutes to several hours. After the credentials expire, AWS no longer recognizes them or allows any kind of access from API requests made with them. Second, temporary security credentials are not stored with the user but are generated dynamically and provided to the user when requested.

Which scenarios are temporary credentials useful in?

Temporary security credentials are useful in scenarios that involve identity federation, delegation, cross-account access and IAM roles.

ALB vs ELB

The Classic Load Balancer can operate at Layer 4 or Layer 7; the Application Load Balancer is Layer 7 only. Layer 4 is the transport layer, where the load balancer looks only at the protocol and port of the incoming connection (TCP for most web applications; Classic ELB does not load-balance UDP, which is a Network Load Balancer feature) and forwards it to one or more backend servers without inspecting the HTTP request.

Amazon S3 Operations

The S3 API is intentionally simple:

KMS - CMK Deletion

Deleting a CMK destroys the key material and all metadata associated with it, and is irreversible. After a CMK is deleted, you can no longer decrypt any data that was encrypted under it, so that data becomes unrecoverable. Delete a CMK only when you are sure you no longer need it; if unsure, disable it instead. A disabled CMK can be re-enabled later, but a deleted CMK cannot be recovered. As a safeguard, KMS does not delete immediately: you schedule deletion with a mandatory waiting period of 7 to 30 days (default 30), during which the scheduled deletion can be cancelled.

What are Cognito Identity Pools?

The main purpose of an Identity Pool is to take a user and obtain AWS credentials that map to an IAM Role so they can access a back-end AWS service using the token.

Customer Gateway (CGW)

The physical device or software application on the customer's side of the VPN connection.

KMS CMKs - Managing accesses to CMKs

The primary way to manage access to your AWS KMS CMKs is with policies. Policies are documents that describe who has access to what. Policies attached to an IAM identity are called identity-based policies (or IAM policies), and policies attached to other kinds of resources are called resource-based policies. In AWS KMS, you must attach resource-based policies to your customer master keys (CMKs). These are called key policies. All KMS CMKs have a key policy.

Access Control - Bucket Policies

The recommended access control mechanism for Amazon S3.

Virtual Private Gateway (VPGs)

The virtual private network (VPN) concentrator on the AWS side of the VPN connection between the two networks.

When you first create an AWS account, you begin with a single sign-in identity that has complete access to all AWS services and resources in the account. What is this identity called?

This identity is called the AWS root user.

To authenticate from the API or CLI, what must you do?

To authenticate from the API or CLI you must provide your access key and secret key.

You would like to create a bookmark for your accounts unique sign-in page in your web browser. What should you do? What shouldn't you do?

To create a bookmark for your account's unique sign-in page in your web browser, you should manually enter your account's sign-in URL in the bookmark entry. Don't use your web browser's "bookmark this page" feature.

KMS and Elastic Block Store (EBS)

To create an encrypted Amazon EBS volume, select the appropriate box in the Amazon EBS section of the Amazon EC2 console. You can use a custom customer master key (CMK) by choosing one from the list that appears below the encryption box. If you do not specify a custom CMK, Amazon EBS uses the AWS-managed CMK for Amazon EBS in your account. If there is no AWS-managed CMK for Amazon EBS in your account, Amazon EBS creates one.

To delegate permissions to access a resource, how many policies do you need to create and attach?

To delegate permissions to access a resource, you create an IAM role that has two policies attached. The permissions policy grants the user of the role the permissions needed to carry out the intended tasks on the resource. The trust policy specifies which trusted principals (accounts, users, roles or services) are allowed to assume the role.

KMS policy with MFA

To provide an additional layer of security over specific actions, you can implement an

What do routing tables do?

Traffic from an Internet gateway is routed to the appropriate subnet using the routes in the routing table

S3 - Secure Bucket Using Pre-Signed URLS

Typically done with SDKs like Python:
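The two pre-signed URL cards above describe the mechanism without showing what is actually signed. The following is an added example, not code from the original page or the AWS SDK: it builds an S3 pre-signed GET URL with Signature Version 4 from scratch and then verifies it the way S3 does on receipt, recomputing the signature and checking the expiry window. In practice you call the SDK's generate_presigned_url(); the point here is to see that the URL carries only the access key ID, a timestamp and a lifetime, and that the secret access key never leaves the signer. The access key pair is the placeholder pair used in AWS documentation, and the bucket, key and timestamp are assumptions.

```python
"""Build and verify an S3 pre-signed GET URL with Signature Version 4.

Added example (not from the original page). In practice the SDK's
generate_presigned_url() does this; the algorithm is spelled out here
to show what the owner's credentials actually sign. The access key pair
is the placeholder pair used in AWS documentation, not a real credential.
"""
import calendar
import hashlib
import hmac
import time
from urllib.parse import parse_qsl, quote, urlsplit

EXAMPLE_ACCESS_KEY_ID = "AKIAIOSFODNN7EXAMPLE"
EXAMPLE_SECRET = "wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY"
ISSUED_AT = 1_704_110_400      # 2024-01-01T12:00:00Z, fixed so runs are reproducible
MAX_EXPIRES = 7 * 24 * 3600    # SigV4 pre-signed URLs may live at most seven days


def _hmac(key, msg):
    return hmac.new(key, msg.encode(), hashlib.sha256).digest()


def _signing_key(secret, date, region):
    # AWS4-HMAC-SHA256 key derivation: date -> region -> service -> terminator
    k = _hmac(("AWS4" + secret).encode(), date)
    k = _hmac(k, region)
    k = _hmac(k, "s3")
    return _hmac(k, "aws4_request")


def _enc(s):
    # URI-encode every character except the unreserved set, '/' included
    return quote(s, safe="-_.~")


def _encode_query(params):
    return "&".join(f"{_enc(k)}={_enc(v)}" for k, v in sorted(params.items()))


def _signature(secret, region, host, path, params):
    """Signature over the canonical request for a GET with only the host header signed."""
    canonical_request = "\n".join([
        "GET", path, _encode_query(params), f"host:{host}\n", "host", "UNSIGNED-PAYLOAD",
    ])
    amz_date = params["X-Amz-Date"]
    scope = f"{amz_date[:8]}/{region}/s3/aws4_request"
    string_to_sign = "\n".join([
        "AWS4-HMAC-SHA256", amz_date, scope,
        hashlib.sha256(canonical_request.encode()).hexdigest(),
    ])
    key = _signing_key(secret, amz_date[:8], region)
    return hmac.new(key, string_to_sign.encode(), hashlib.sha256).hexdigest()


def presign_get(bucket, key, region, access_key_id, secret, expires, now=None):
    """Return a URL that grants GET on bucket/key for `expires` seconds from `now`."""
    if not 1 <= expires <= MAX_EXPIRES:
        raise ValueError("expires must be between 1 second and 7 days")
    now = int(time.time()) if now is None else now
    amz_date = time.strftime("%Y%m%dT%H%M%SZ", time.gmtime(now))
    host = f"{bucket}.s3.{region}.amazonaws.com"
    path = "/" + quote(key, safe="/-_.~")
    params = {
        "X-Amz-Algorithm": "AWS4-HMAC-SHA256",
        "X-Amz-Credential": f"{access_key_id}/{amz_date[:8]}/{region}/s3/aws4_request",
        "X-Amz-Date": amz_date,
        "X-Amz-Expires": str(expires),
        "X-Amz-SignedHeaders": "host",
    }
    sig = _signature(secret, region, host, path, params)
    return f"https://{host}{path}?{_encode_query(params)}&X-Amz-Signature={sig}"


def verify_presigned_get(url, secret, now=None):
    """What S3 does on receipt: recompute the signature and check the expiry window."""
    parts = urlsplit(url)
    params = dict(parse_qsl(parts.query, keep_blank_values=True))
    given = params.pop("X-Amz-Signature", None)
    if given is None or "X-Amz-Credential" not in params:
        return False
    now = int(time.time()) if now is None else now
    issued = calendar.timegm(time.strptime(params["X-Amz-Date"], "%Y%m%dT%H%M%SZ"))
    if now - issued > int(params["X-Amz-Expires"]):
        return False
    region = params["X-Amz-Credential"].split("/")[2]
    expected = _signature(secret, region, parts.netloc, parts.path, params)
    return hmac.compare_digest(expected, given)


if __name__ == "__main__":
    url = presign_get("example-bucket", "reports/q1 summary.pdf", "us-east-1",
                      EXAMPLE_ACCESS_KEY_ID, EXAMPLE_SECRET, 3600, now=ISSUED_AT)
    print(url)
    print("valid now:", verify_presigned_get(url, EXAMPLE_SECRET, now=ISSUED_AT + 60))
    print("valid after 2h:", verify_presigned_get(url, EXAMPLE_SECRET, now=ISSUED_AT + 7200))
```

Because the path and every query parameter are inside the signed canonical request, changing the key name, the expiry or the credential scope invalidates the signature; the only way to mint a new URL is to hold the secret access key.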

AWS Compliance Solutions Guide

Understand shared responsibility model

S3 - Forcing Encryption

Use a bucket policy: deny s3:PutObject when the request does not carry the x-amz-server-side-encryption header at all (a Null condition on s3:x-amz-server-side-encryption) or carries a value other than the one you require (AES256 or aws:kms).

IAM JSON Policy Elements: NotPrincipal

Use the NotPrincipal element to specify an exception to a list of principals. For example, you can deny access to all principals except the one named in the NotPrincipal element. The syntax for specifying NotPrincipal is the same as for specifying IAM JSON Policy Elements: Principal.

IAM JSON Policy Elements: Principal

Use the Principal element to specify the user (IAM user, federated user, or assumed-role user), AWS account, AWS service, or other principal entity that is allowed or denied access to a resource. You use the Principal element in the trust policies for IAM roles and in resource-based policies—that is, in policies that you embed directly in a resource. For example, you can embed such policies in an Amazon S3 bucket, an Amazon Glacier vault, an Amazon SNS topic, an Amazon SQS queue, or an AWS KMS customer master key (CMK).

How do users browse to the AWS Management Console to access their AWS account?

Users sign in to the AWS Management Console for your AWS account using the account ID or alias, or from a special URL that includes your account ID.

EC2 instances

Historically used the Xen hypervisor (current instance types use the AWS Nitro hypervisor) with instance isolation; every instance has a mandatory default firewall, the security group, which denies all inbound traffic until rules are added.

What is the primary way to grant cross-account access?

Using Role for cross-account access is the primary way to grant access to resources on different accounts.

What are the 4 ways that you can work with IAM?

Using the AWS Management Console, the AWS command line tools, the AWS SDKs, and the IAM HTTPS API.

VPGs, CGWs, and VPN points to understand for the exam

VPG is the AWS end of the tunnel

AWS WAF

Web Application Firewall (WAF):

What is Web Identity Federation (WIF)?

Web identity federation lets you give your users access to AWS resources after they have successfully authenticated with a web-based identity provider like Amazon, Facebook or Google.

When should you create an IAM role instead of an IAM User?

When creating an application that runs on EC2 and that application makes requests to AWS (don't embed IAM user credentials in the application; instead create an IAM role and attach it to the instance). You should also create an IAM role when users in your company are authenticated in their corporate network and want to be able to use AWS without having to sign in again, that is, when you want to allow users to federate into AWS.

When should you create an IAM User instead of a Role?

When other people need access to your AWS account and they are not using any identity mechanism (e.g. no Active Directory), and when you want to use the command line interface to work with AWS.

What happens when you launch an instance in a VPC regarding security groups?

When you launch an instance in a VPC, you can *associate one or more security groups* that you've created.

KMS and Amazon EMR (elastic map reduce)

When you use an Amazon EMR cluster, you can configure the cluster to encrypt data at rest before saving it to a persistent storage location. You can encrypt data at rest on the EMR File System (EMRFS), on the storage volumes of cluster nodes, or both. To encrypt data at rest, you can use a customer master key (CMK) in AWS KMS.

DR (AWS)

Will assist with DynamoDB, RDS, Redshift, EMR, WorkSpaces

KMS and AWS Systems Manager Parameter Store

With AWS Systems Manager Parameter Store, you can create Secure String parameters, which are parameters that have a plaintext parameter name and an encrypted parameter value. Parameter Store uses AWS KMS to encrypt and decrypt the parameter values of Secure String parameters

Can you add more than one subnet in an Availability Zone?

Yes, but a subnet can be in only one Availability zone.

Can Amazon EC2 instances within a VPC communicate with Amazon S3?

Yes. There are multiple options for your resources within a VPC to communicate with Amazon S3. You can use VPC Endpoint for S3, which makes sure all traffic remains within Amazon's network and enables you to apply additional access policies to your Amazon S3 traffic. You can use an Internet gateway to enable Internet access from your VPC and instances in the VPC can communicate with Amazon S3. You can also make all traffic to Amazon S3 traverse the Direct Connect or VPN connection, egress from your datacenter, and then re-enter the public AWS network.

Before an IAM user, application or service can switch to a role that you created, what must you do?

You must grant permission to switch to the role (sts:AssumeRole on the role's ARN), and the role's trust policy must name the caller as a trusted principal.

Imagine that you are creating a mobile app that accesses AWS resources, such as a game that runs on a mobile device and stores player and score information using S3 and DynamoDB. When you write such an app, you'll make requests to AWS services that must be signed with an AWS access key. What are you strongly not recommended to do in this instance and, instead, what is recommended you do?

You are strongly recommended to not embed or distribute long-term AWS credentials with apps that a user downloads to a device, even if you encrypt the store. Instead, build your app so that it requests temporary AWS security credentials dynamically when needed.

How can you change permissions for an IAM User?

You can change the permissions for an IAM user in your AWS account by changing its group memberships or by attaching and detaching a policy.

KMS and Amazon Relational Database Service (Amazon RDS)

You can choose to encrypt the data stored on your Amazon RDS DB instance under a customer master key (CMK) in AWS KMS

KMS Connecting Privately (instead of over the internet)

You can connect directly to AWS KMS through a private endpoint in your VPC instead of connecting over the internet. When you use a VPC endpoint, communication between your VPC and AWS KMS is conducted entirely within the AWS network.

Imagine that you have EC2 instances that are critical to your organisation. Instead of directly granting your users permission to terminate those instances what can you do? and what are the benefits of your proposal?

You can create a role with MFA protection that has termination privileges and allow admins to switch to the role when they need to terminate a critical instance. This adds multiple layers of protection: the admin's everyday identity cannot terminate anything, switching to the role requires MFA, and both the AssumeRole call and the TerminateInstances call are recorded in CloudTrail.

KMS encrypt Cloudwatch log data

You can encrypt the log data in CloudWatch Logs using an AWS Key Management Service (AWS KMS) customer master key (CMK). Encryption is enabled at the log group level, by associating a CMK with a log group, either when you create the log group or after it exists.

If your users already have a way to be authenticated in to your AWS account by signing into your corporate network, what can you do for your users in order to provide them access to AWS?

You can federate those user identities into AWS.

Where can you find the sign-in URL for your AWS account?

You can find the sign-in URL for your AWS account on the IAM console dashboard, under the Support section.

KMS and Amazon Simple Storage Service (Amazon S3)

You can protect data at rest in Amazon S3 by using three different modes of server-side encryption: SSE-S3, SSE-C, or SSE-KMS.

With IAM policies, you can specify which API's a user is allowed to call. In some cases, you might want additional security. What can you add to improve security for sensitive AWS API calls?

You can require a user to be authenticated with MFA before the user is allowed to perform the sensitive API call (MFA-protected API access, expressed as a condition in the policy).

How can you sign in to you AWS account as a root user?

You can sign in to your AWS account as the root user by using the email address and password that you used to create the account.

What type of access methods can can you switch roles in?

You can switch roles using the AWS Management Console, the AWS CLI, Tools for Windows PowerShell, and the AWS API (by calling STS AssumeRole).

KMS and Amazon Simple Email Service (Amazon SES)

You can use Amazon Simple Email Service (Amazon SES) to receive email, and (optionally) to encrypt the received email messages before storing them in an Amazon Simple Storage Service (Amazon S3) bucket that you choose. When you configure Amazon SES to encrypt email messages, you must choose the KMS customer master key (CMK) under which Amazon SES encrypts the messages. You can choose the default CMK in your account for Amazon SES with the alias aws/ses, or you can choose a custom CMK that you created separately in AWS KMS

What can you use the AWS Security Token Service (STS) for?

You can use STS to create and provide trusted users with temporary security credentials that can control access to your AWS resources.

A third party requires access to your organisations AWS resources. What can you do to assign access to them?

You can use roles to delegate access to them.

You would like to view password and access key usage information for your user in order to find and disable unused passwords and access keys. What can you do?

You can download a credential report from the IAM console (or with the GenerateCredentialReport and GetCredentialReport API calls). It lists, for every user, when the console password and each access key were last used and last rotated, and whether MFA is enabled, so you can find and disable unused credentials.
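The credential report is a CSV, and the review described above is easy to automate. The following is an added example, not code from the original page: it audits a credential report for console users without MFA, passwords and active access keys that have not been used within a cut-off, access keys that have not been rotated within the cut-off, and root credentials that should not exist. The report text, user names and account ID are constructed samples; the column names are the ones the real report uses (the real report has a few more columns, which a DictReader simply ignores).

```python
"""Audit an IAM credential report for stale and unprotected credentials.

Added example (not from the original page). SAMPLE_REPORT is a constructed
report with the real column names; the users and account ID are made up.
"""
import csv
import io
from datetime import datetime, timedelta, timezone

# Fixed "now" so the result is reproducible; in a real run use datetime.now(timezone.utc).
REPORT_TIME = datetime(2024, 1, 5, tzinfo=timezone.utc)

SAMPLE_REPORT = """\
user,arn,user_creation_time,password_enabled,password_last_used,password_last_changed,password_next_rotation,mfa_active,access_key_1_active,access_key_1_last_rotated,access_key_1_last_used_date,access_key_1_last_used_region,access_key_1_last_used_service,access_key_2_active,access_key_2_last_rotated,access_key_2_last_used_date,access_key_2_last_used_region,access_key_2_last_used_service
<root_account>,arn:aws:iam::123456789012:root,2020-01-10T08:00:00+00:00,not_supported,2023-12-01T09:00:00+00:00,not_supported,not_supported,true,false,N/A,N/A,N/A,N/A,false,N/A,N/A,N/A,N/A
alice,arn:aws:iam::123456789012:user/alice,2021-03-04T10:00:00+00:00,true,2024-01-02T07:30:00+00:00,2023-10-01T00:00:00+00:00,N/A,true,true,2023-12-15T00:00:00+00:00,2024-01-03T11:00:00+00:00,us-east-1,s3,false,N/A,N/A,N/A,N/A
bob,arn:aws:iam::123456789012:user/bob,2019-06-01T10:00:00+00:00,true,2023-05-20T12:00:00+00:00,2022-01-01T00:00:00+00:00,N/A,false,true,2022-01-01T00:00:00+00:00,N/A,N/A,N/A,true,2023-11-01T00:00:00+00:00,2023-11-02T00:00:00+00:00,eu-west-1,ec2
deploy-bot,arn:aws:iam::123456789012:user/deploy-bot,2022-02-02T10:00:00+00:00,false,no_information,N/A,N/A,false,true,2022-02-02T00:00:00+00:00,2024-01-04T06:00:00+00:00,us-east-1,ecr,false,N/A,N/A,N/A,N/A
"""


def _ts(value):
    """Parse a report timestamp; the report's N/A, no_information and not_supported become None."""
    if value in ("N/A", "no_information", "not_supported", ""):
        return None
    return datetime.fromisoformat(value)


def audit(report_csv, now, max_idle_days=90):
    """Return (user, issue) pairs. A credential that has never been used
    counts as unused, and a key older than max_idle_days counts as unrotated."""
    limit = timedelta(days=max_idle_days)
    findings = []
    for row in csv.DictReader(io.StringIO(report_csv)):
        user = row["user"]
        if user == "<root_account>":
            # Root should have MFA and no access keys at all.
            if row["mfa_active"] != "true":
                findings.append((user, "root_without_mfa"))
            for n in ("1", "2"):
                if row[f"access_key_{n}_active"] == "true":
                    findings.append((user, f"root_access_key_{n}_active"))
            continue
        if row["password_enabled"] == "true":
            if row["mfa_active"] != "true":
                findings.append((user, "console_user_without_mfa"))
            last = _ts(row["password_last_used"])
            if last is None or now - last > limit:
                findings.append((user, "password_unused"))
        for n in ("1", "2"):
            if row[f"access_key_{n}_active"] != "true":
                continue
            last_used = _ts(row[f"access_key_{n}_last_used_date"])
            if last_used is None or now - last_used > limit:
                findings.append((user, f"access_key_{n}_unused"))
            rotated = _ts(row[f"access_key_{n}_last_rotated"])
            if rotated is None or now - rotated > limit:
                findings.append((user, f"access_key_{n}_not_rotated"))
    return findings


if __name__ == "__main__":
    for user, issue in audit(SAMPLE_REPORT, REPORT_TIME):
        print(f"{user}: {issue}")
```

Each finding maps to a concrete action: disable the unused password or key (UpdateLoginProfile / UpdateAccessKey), enforce MFA with a policy like the one on the MFA card, and rotate keys older than the cut-off. Note the report is generated at most once every four hours, so it is a review tool, not a real-time detector.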

KMS CMK association with Cloud Watch Log group

You cannot associate a CMK with a log group using the CloudWatch console. You must do this via the CLI

KMS - Key Rotation

You cannot enable automatic key rotation for a CMK with imported key material. However, you can manually rotate a CMK with imported key material.

When you first create your root user credentials, what kind of access do you have?

You have complete unrestricted access to all resources in your AWS account, including access to your billing information and the ability to change your password.

SSE-C (Customer-Provided Keys)

You maintain your own encryption keys but don't want to manage or implement your own client-side encryption library.

As a principal, what must you do before you can send a request to AWS?

You must be authenticated.

What must you create to assign permissions to a user, group or resource?

You must create a JSON policy which is a document which that defines permissions.

To authenticate from the console, what must you do?

You must sign in using your username and password.

VPN Connections

You must specify the type of routing (static, or dynamic using BGP) when the VPN connection is created.

What do you need to do before you can make programatic calls to AWS from the AWS Command Line Interface (AWS CLI), Tools for Windows Powershell, the AWS SDKs or direct HTTP calls using the APIs?

You need your own access key to make programmatic calls.

Security Audit - When should you perform it?

You should audit your security configuration in the following situations:

What do you use IAM to control?

You use IAM to control who is authenticated (signed in) and authorised (has permissions) to use resources.

You would like the URL for your sing-in page to contain your company name instead of your AWS account ID. What do you need to create?

You will need to create an alias for your AWS account ID.

How does the login flow work with public identity providers?

Your mobile app authenticates with an Identity Provider (IdP) using the provider's SDK. Once the end user is authenticated with the IdP, the OAuth or OpenID Connect token or the SAML assertion returned from the IdP is passed by your app to Cognito Identity, which returns a new Cognito ID for the user and a set of temporary, limited-privilege AWS credentials.

Access Key ID

A public string distributed by AWS to uniquely identify an access key pair; an alphanumeric token (prefix AKIA for long-term IAM keys, ASIA for temporary STS keys) associated with a single secret access key. The ID is not secret by itself; the secret access key is.

public internet

all communication across regions

EC2 Role

allows an application running on an Amazon Elastic Compute Cloud (Amazon EC2) instance to access Amazon Simple Storage Service (Amazon S3) without storing an access key on the instance

Amazon Glacier - vault lock

allows you to easily deploy and enforce compliance controls for individual Amazon Glacier vaults with a vault lock policy. You can specify controls such as "write once read many" (WORM) in a vault lock policy and lock the policy from future edits. Once locked, the policy can no longer be changed.

EC2 - EBS Data Encryption

Both Amazon Elastic Block Store (EBS) volumes and EBS snapshots can be encrypted with AES-256; encryption and decryption happen on the EC2 host, so the instance sees plaintext. The original restriction to more powerful instance types (M3, C3, R3, G2 and similar) no longer applies: encrypted volumes are supported on all current-generation instance types.

AWS Directory Service for Microsoft Active Directory

can use AWS Microsoft AD to create secure Windows trusts between your on-premises Microsoft Active Directory domains and your AWS Microsoft AD domain in the AWS Cloud. Using trusts, you can set up SSO to the AWS Management Console and the AWS Command Line Interface (CLI), as well as your Windows-based workloads such as Amazon EC2 for Windows Server, Amazon RDS for SQL Server, and Amazon WorkSpaces.

bool MultiFactorAuth condition

The MFA check in a Deny statement should not be {"Bool":{"aws:MultiFactorAuthPresent":false}}. When a request is made with long-term access keys the aws:MultiFactorAuthPresent key is not in the request context at all, a Bool test on a missing key evaluates to false, and the Deny never matches, so exactly the requests you meant to block get through. Use {"BoolIfExists":{"aws:MultiFactorAuthPresent":"false"}} (an absent key counts as a match) or a Null check instead.
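The Bool versus BoolIfExists point above, the "KMS policy with MFA" and "sensitive API calls need MFA" cards, and the "S3 - Forcing Encryption" card all turn on the same rule: how a condition operator behaves when the key is simply absent from the request context. The following is an added example, not code from the original page or an AWS library: a toy evaluator that implements the Allow/Deny ordering and the Bool, BoolIfExists, Null and StringEquals operators, and runs the weak and the corrected MFA policy against three request contexts (an MFA session, a non-MFA session, and a long-term access key, which carries no aws:MultiFactorAuthPresent key at all), plus the Null-based force-encryption deny. Resource matching is deliberately left out; the bucket name and policies are assumptions written for this illustration.

```python
"""Toy IAM policy evaluator showing how a missing condition key behaves.

Added example (not from the original page). It models only what the
point needs: Allow/Deny statements, action matching, and the Bool,
BoolIfExists, Null and StringEquals operators. Resource matching is
ignored, and the request context is a plain dict of condition keys.
"""


def _condition_matches(operator, key, expected, ctx):
    present = key in ctx
    want = str(expected).lower()
    have = str(ctx.get(key)).lower()
    if operator == "Null":          # "true" matches when the key is absent
        return (not present) == (want == "true")
    if operator == "Bool":          # an absent key never matches
        return present and have == want
    if operator == "BoolIfExists":  # an absent key counts as a match
        return (not present) or have == want
    if operator == "StringEquals":
        return present and ctx[key] == expected
    raise ValueError(f"unsupported operator {operator}")


def _action_matches(pattern, action):
    return pattern == "*" or pattern == action or (
        pattern.endswith("*") and action.startswith(pattern[:-1]))


def _statement_matches(stmt, action, ctx):
    actions = stmt["Action"] if isinstance(stmt["Action"], list) else [stmt["Action"]]
    if not any(_action_matches(p, action) for p in actions):
        return False
    for operator, pairs in stmt.get("Condition", {}).items():
        for key, expected in pairs.items():
            if not _condition_matches(operator, key, expected, ctx):
                return False
    return True


def evaluate(policies, action, ctx):
    """IAM evaluation order: an explicit Deny wins, then any Allow, else implicit deny."""
    allowed = False
    for policy in policies:
        for stmt in policy["Statement"]:
            if _statement_matches(stmt, action, ctx):
                if stmt["Effect"] == "Deny":
                    return "Deny"
                allowed = True
    return "Allow" if allowed else "Deny"


ALLOW_EC2 = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": "ec2:*", "Resource": "*"}]}

# The mistake: Bool on a key that long-term credentials never put in the context.
WEAK_MFA_DENY = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Deny", "Action": "ec2:TerminateInstances", "Resource": "*",
     "Condition": {"Bool": {"aws:MultiFactorAuthPresent": "false"}}}]}

# The fix: BoolIfExists treats an absent key as a match, so the Deny applies.
STRONG_MFA_DENY = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Deny", "Action": "ec2:TerminateInstances", "Resource": "*",
     "Condition": {"BoolIfExists": {"aws:MultiFactorAuthPresent": "false"}}}]}

ALLOW_S3_PUT = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": "s3:PutObject", "Resource": "arn:aws:s3:::example-bucket/*"}]}

# Same missing-key idea for "force encryption": Null/true matches a PutObject
# that does not carry the x-amz-server-side-encryption header at all.
REQUIRE_SSE = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Deny", "Action": "s3:PutObject", "Resource": "arn:aws:s3:::example-bucket/*",
     "Condition": {"Null": {"s3:x-amz-server-side-encryption": "true"}}}]}

# Request contexts: MFA session, non-MFA session, and a long-term access key
# (the key is simply absent, which is what trips up the Bool version).
MFA_SESSION = {"aws:MultiFactorAuthPresent": "true"}
NO_MFA_SESSION = {"aws:MultiFactorAuthPresent": "false"}
LONG_TERM_KEY = {}


def terminate_outcomes():
    """Outcome of ec2:TerminateInstances for each Deny variant and request context."""
    return {
        name: {
            "mfa": evaluate([ALLOW_EC2, deny], "ec2:TerminateInstances", MFA_SESSION),
            "no_mfa": evaluate([ALLOW_EC2, deny], "ec2:TerminateInstances", NO_MFA_SESSION),
            "long_term_key": evaluate([ALLOW_EC2, deny], "ec2:TerminateInstances", LONG_TERM_KEY),
        }
        for name, deny in (("Bool", WEAK_MFA_DENY), ("BoolIfExists", STRONG_MFA_DENY))
    }


if __name__ == "__main__":
    for name, row in terminate_outcomes().items():
        print(name, row)
```

Running it shows the hole directly: with Bool, a long-term access key is allowed to terminate instances because the Deny never fires; with BoolIfExists it is denied. The same evaluator shows the force-encryption Deny catching a PutObject with no encryption header while letting one with x-amz-server-side-encryption: aws:kms through.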

IAM - API

enables you to rotate the access keys of your AWS account as well as for IAM user accounts

amazon machine image (AMI)

A template for an instance's root volume. EBS-backed AMIs are stored as EBS snapshots and can be encrypted under a KMS CMK; instance-store-backed AMIs are stored in S3.

AWS X-Ray

helps developers analyze and debug production, distributed applications, such as those built using a microservices architecture. With X-Ray, you can understand how your application and its underlying services are performing to identify and troubleshoot the root cause of performance issues and errors. X-Ray provides an end-to-end view of requests as they travel through your application, and shows a map of your application's underlying components. You can use X-Ray to analyze both applications in development and in production, from simple three-tier applications to complex microservices applications consisting of thousands of services.

AWS Glacier (Conditions)

https://docs.aws.amazon.com/IAM/latest/UserGuide/list_amazonglacier.html

Amazon QuickSight

is a fast, cloud-powered BI service that makes it easy to build visualizations, perform ad-hoc analysis, and quickly get business insights from your data. Using our cloud-based service you can easily connect to your data, perform

Amazon Macie

is a service powered by machine learning that can automatically discover and classify your data stored in Amazon S3. But Macie doesn't stop there, once your data has been classified by Macie, it assigns each data item a business value, and then continuously monitors the data in order to detect any suspicious activity based upon access patterns. Key features of the Macie service include:

AWS GuardDuty

is a threat detection service that continuously monitors for malicious or unauthorized behavior to help you protect your AWS accounts and workloads. It monitors for activity such as unusual API calls or potentially unauthorized deployments that indicate a possible account compromise. GuardDuty also detects potentially compromised instances or reconnaissance by attackers.

Lambda@Edge

lets you run Lambda functions to customize content that CloudFront delivers, executing the functions in AWS locations closer to the viewer. The functions run in response to CloudFront events, without provisioning or managing servers. You can use Lambda functions to change CloudFront requests and responses at the following points:

SSO

log in once but access multiple systems.

AWS Organizations

offers policy-based management for multiple AWS accounts. With Organizations, you can create groups of accounts, automate account creation, apply and manage policies for those groups. Organizations enables you to centrally manage policies across multiple accounts, without requiring custom scripts and manual processes.

Server Side Encryption

You have three mutually exclusive options depending on how you choose to manage the encryption keys: SSE-S3 (keys managed by S3), SSE-KMS (keys held in AWS KMS) and SSE-C (customer-provided keys).

Amazon Glacier - storage security

server-side encryption using AES-256

AWS MFA

supports the use of hardware tokens and virtual MFA devices.

Federated users

users, systems, or applications that are not currently authorized to access your AWS services but can get temporary access using the AWS Security Token Service STS APIs.

EC2 Isolation by AWS

via Xen hypervisor,

Cognito Events: Sync Triggers

will allow you to run an AWS Lambda function in response to important events in Amazon Cognito. The first event that we're launching is the Sync Trigger event, which runs each time a dataset is synchronized. By using this feature you can evaluate and manipulate data before it is stored in the cloud and synchronized back to the user's devices.

Logging with AWS

● AWS Cloudtrail - API Calls (create SNS alerts if logs not created)

KMS Highlights

● AWS-managed KMS keys can be rotated every 365 days. You must use a Lambda

CloudTrail - Reading Logs

● All API calls logged in CT under Management Tools

Load Balancers and Custom VPCs

● Application Load Balancers - Layer 7 - HTTP and HTTPS (ALB)

AWS Systems Manager Patch Manager

● Automates the process of patching managed instances with security-related updates.

NATs vs. Bastions

● Bastion is hardened and is only used to access public subnet to get into private subnet.

VPC Flow Logs

● Captures IP traffic going to / from VPC - created in CloudWatch Logs and created as a

CloudTrail

● CloudTrail logs are encrypted at rest by default when stored in S3 buckets with SSE

KMS - Imported Keys

● Create keys in AWS and then import "key material", AWS then wraps the key material

AWS Hypervisors

● Creates virtual machines called Guest OSs

AWS Shield

● DDoS mitigation + the Advanced Shield at $3,000/month provides insurance on attacks

EC2 Dedicated Instance vs. Dedicated Hosts

● Dedicated Instances (DI) are physically isolated from other AWS accounts (that could

EC2 - What Happens if we delete the key pair in the console?

● Deleting in the console does not affect terminal SSH access to the EC2 instance or in

Keys on Github (leaked)

● Developers sometimes accidentally leak their AWS access keys (access key ID and secret access key) as variables in their code when pushing to a GitHub repo. Treat any key that has been committed as compromised, even if the commit is later removed: deactivate and rotate it, then review CloudTrail for activity under that key ID, since leaked keys are picked up by automated scanners very quickly.

Lambda - Access to Resources such as DynamoDB Procedure

● Each Lambda function has an IAM role (execution role) associated with it.

NAT Gateways

● Eliminates the cons of NAT Instances

CloudTrail - Setup

● Event history of management events is available by default and retained for 90 days; for longer retention, data events, or delivery to S3 you must create a trail.

Compliance in AWS

● Frameworks supported - PCI DSS, ISO 27001, HIPAA in addition to many others

KMS in the Wild

● KMS keys can be used for services like Redshift, EC2, EBS, and RDS

AWS Marketplace

● Located in EC2

NAT Instance

● Located in EC2 community AMIs

KMS

● Makes it easy to create and control the encryption keys used to encrypt data

AWS Systems Manager: Run Command

● Manage EC2 fleets at scale for patches, image updates, database connections,

CloudWatch 101

● Monitoring service for AWS cloud resources and the applications you run on AWS

S3 - Bucket Policies

● Attached at the bucket level as a resource-based policy (unlike IAM policies, which are attached to users, groups and roles); can grant or deny access to principals in other accounts and to anonymous users.

CloudTrail - Protecting Logs

● Protect buckets with IAM roles and S3 bucket policies and MFA delete on objects

VPC Endpoint

● Provides internal method to send objects to S3 without having to go via public

Penetration Testing

● AWS allows customers to run penetration tests against their own resources in a published list of services (EC2, RDS, Aurora, CloudFront, API Gateway, Lambda, Lightsail, Elastic Beanstalk and others) without prior approval; testing outside that list, and any DoS, DDoS or flooding simulation, still requires permission from AWS.

AWS Config

● Resource inventory and point-in-time configuration history & notifications.

AWS Certificate Manager

● SSL/TLS certificates

EC2 - Hacked

● Isolate it before anything else: move it to a security group with no inbound or outbound rules, detach it from any load balancer or Auto Scaling group, and tag it as under investigation. Snapshot its EBS volumes and, if memory forensics are needed, capture memory first. Only then stop the instance: stopping discards volatile memory, and terminating deletes the root volume by default.

VPC - DHCP Options Sets

● The Dynamic Host Configuration Protocol (DHCP) provides a standard for passing

EC2 and Key Pairs

● Two options:

AWS Systems Manager: Parameter Store

● Under EC2 - Systems Services Manager - Shared Resources - Parameter Store

API Gateways

● Used with Lambda functions

IAM - Key Terms

● Users - people

VPC Lab Notes

● VPC that you create from scratch will not automatically have subnets. You must add

Virtual Private Cloud (VPC) - Introduction

● Virtual data center in the cloud with AWS super security

