AWS
Latest revision as of 18:15, 14 May 2025
Prowler
aws iam generate-credential-report (then aws iam get-credential-report to download the base64 CSV)
aws iam get-account-summary
aws iam list-users
aws iam get-account-password-policy
aws ec2 describe-instances
aws ec2 describe-security-groups
aws kms get-key-rotation-status --key-id <key-id>
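The commands above are the raw material for the credential checks that Prowler runs. The script below is an added example (it is not Prowler's code and not from this page): it decodes the base64 CSV that `aws iam get-credential-report` returns and flags the findings an auditor looks for first, root access keys, console users without MFA, and access keys that are stale or were never used. The CSV rows, the account ID and the pinned reference date are constructed for the demo; the column names are the real ones.

```python
"""Audit an IAM credential report for credential-hygiene findings.

Added example, not from the page. The report is what
`aws iam generate-credential-report` prepares and
`aws iam get-credential-report --query Content --output text` returns as
base64-encoded CSV. SAMPLE_CSV is a constructed sample with the real column
names (account ID 111122223333 is a placeholder); NOW is pinned so the
results are reproducible.
"""
import base64
import csv
import io
from datetime import datetime, timezone

NOW = datetime(2025, 5, 14, tzinfo=timezone.utc)  # pinned "today" for the demo
MAX_AGE_DAYS = 90                                  # rotation / inactivity limit

SAMPLE_CSV = """\
user,arn,user_creation_time,password_enabled,password_last_used,password_last_changed,password_next_rotation,mfa_active,access_key_1_active,access_key_1_last_rotated,access_key_1_last_used_date,access_key_1_last_used_region,access_key_1_last_used_service,access_key_2_active,access_key_2_last_rotated,access_key_2_last_used_date,access_key_2_last_used_region,access_key_2_last_used_service,cert_1_active,cert_1_last_rotated,cert_2_active,cert_2_last_rotated
<root_account>,arn:aws:iam::111122223333:root,2020-01-01T00:00:00+00:00,not_supported,2025-05-01T10:00:00+00:00,not_supported,not_supported,false,true,2020-01-01T00:00:00+00:00,2025-04-30T08:00:00+00:00,eu-north-1,sts,false,N/A,N/A,N/A,N/A,false,N/A,false,N/A
alice,arn:aws:iam::111122223333:user/alice,2023-03-10T09:00:00+00:00,true,2025-05-10T07:30:00+00:00,2025-02-01T12:00:00+00:00,2025-05-02T12:00:00+00:00,true,true,2025-04-01T00:00:00+00:00,2025-05-13T00:00:00+00:00,eu-north-1,s3,false,N/A,N/A,N/A,N/A,false,N/A,false,N/A
bob,arn:aws:iam::111122223333:user/bob,2021-06-15T09:00:00+00:00,true,2025-05-12T07:30:00+00:00,2024-11-01T12:00:00+00:00,2025-01-30T12:00:00+00:00,false,true,2022-01-01T00:00:00+00:00,2025-05-12T00:00:00+00:00,eu-north-1,ec2,false,N/A,N/A,N/A,N/A,false,N/A,false,N/A
deploy-bot,arn:aws:iam::111122223333:user/deploy-bot,2022-09-01T09:00:00+00:00,false,no_information,N/A,N/A,false,true,2024-12-01T00:00:00+00:00,N/A,N/A,N/A,true,2023-01-01T00:00:00+00:00,2023-06-01T00:00:00+00:00,eu-north-1,s3,false,N/A,false,N/A
"""
# The API hands the CSV back base64-encoded in the Content field; mimic that.
SAMPLE_CONTENT = base64.b64encode(SAMPLE_CSV.encode()).decode()


def parse_report(content_b64):
    """Decode the Content field into one dict per IAM identity (root included)."""
    text = base64.b64decode(content_b64).decode()
    return list(csv.DictReader(io.StringIO(text)))


def _age_days(stamp):
    """Days since an ISO-8601 timestamp; None for N/A / no_information / not_supported."""
    if stamp in ("N/A", "no_information", "not_supported", ""):
        return None
    return (NOW - datetime.fromisoformat(stamp)).days


def audit(rows, max_age_days=MAX_AGE_DAYS):
    """Return (user, message) findings for weak credential hygiene."""
    findings = []
    for row in rows:
        user = row["user"]
        if user == "<root_account>":
            # Root should never have programmatic keys and must have MFA.
            if "true" in (row["access_key_1_active"], row["access_key_2_active"]):
                findings.append((user, "root user has active access keys"))
            if row["mfa_active"] != "true":
                findings.append((user, "root user has no MFA"))
            continue
        if row["password_enabled"] == "true" and row["mfa_active"] != "true":
            findings.append((user, "console password enabled without MFA"))
        for n in ("1", "2"):
            if row[f"access_key_{n}_active"] != "true":
                continue
            rotated = _age_days(row[f"access_key_{n}_last_rotated"])
            if rotated is not None and rotated > max_age_days:
                findings.append((user, f"access key {n} not rotated for {rotated} days"))
            used = _age_days(row[f"access_key_{n}_last_used_date"])
            if used is None:
                findings.append((user, f"access key {n} active but never used"))
            elif used > max_age_days:
                findings.append((user, f"access key {n} unused for {used} days"))
    return findings


if __name__ == "__main__":
    for user, message in audit(parse_report(SAMPLE_CONTENT)):
        print(f"{user:16} {message}")
```

Against a real account, replace SAMPLE_CONTENT with the output of the two CLI commands above (and drop the pinned NOW); the report covers root as the `<root_account>` row, which is the only place root's key and MFA state is visible without logging in as root.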
Lambda
https://e2cjv7xt5j.execute-api.eu-north-1.amazonaws.com/hello-nodejs
// Node.js Lambda handler behind the API Gateway HTTP endpoint above: returns a static HTML page
exports.handler = async (event) => {
  const response = {
    statusCode: 200,
    headers: { "content-type": "text/html" },
    body: "<html><head><style>#main { position:absolute;top:50%;left:0;margin-top:-50px;right:0;text-align: center;font-family: Lato;color: green;font-size: 40px; }</style></head><body><div id=main>Hello, World! ... brought to you by NodeJS on AWS Lambda</div></body></html>",
  };
  return response;
};
AWS Security Specialty
https://www.youtube.com/watch?v=zSUUBAxjIbk (AWS KMS)
https://portal.tutorialsdojo.com/courses/aws-certified-security-specialty-practice-exams-scs-c02/
https://quizlet.com/899484178/flashcards
AWS Organization
AWS Account
IAM
Root or IAM User
Role
AWS service
AWS account
IAM Identity Center
Web identity (web idp)
SAML2
Custom trust policy
external id
KMS
EC2
VPC, SG Security Groups, Launch Template, ASG Auto Scaling Group
ALB, ELB
S3
Public access can be granted to buckets and objects through:
- access control lists (ACLs)
- bucket policies
- access point policies
Server-side encryption options:
- SSE-S3 (default) Server-side encryption with Amazon S3 managed keys
- SSE-KMS Server-side encryption with AWS Key Management Service keys
- DSSE-KMS Dual-layer server-side encryption with AWS Key Management Service keys
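A role's custom trust policy with an external ID (in the IAM list above) and an S3 bucket policy that grants public access are both resource-based policies: each Statement names a Principal, so one check covers both. The script below is an added example, not from this page and not an AWS tool: it flags `Principal: "*"` grants (public, or public-but-conditioned) and cross-account `sts:AssumeRole` grants that lack an `sts:ExternalId` condition, the confused-deputy case the external ID exists to prevent. The policies, account IDs, bucket name and VPC endpoint ID are constructed; IAM Access Analyzer is the production-grade version of this check.

```python
"""Flag public and cross-account grants in resource-based policies.

Added example, not from the page. Role trust policies and S3 bucket policies
are both resource-based policies, so the same statement walk applies to both.
HOME_ACCOUNT and every policy below are constructed samples.
"""
import json

HOME_ACCOUNT = "111122223333"  # assumed: the account that owns the role / bucket


def _as_list(value):
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def _principals(stmt):
    """Flatten the Principal element: "*", {"AWS": [...]}, {"Service": ...}, ..."""
    principal = stmt.get("Principal", {})
    if principal == "*":
        return ["*"]
    out = []
    for values in principal.values():
        out.extend(_as_list(values))
    return out


def _account_of(principal):
    """Account ID behind an ARN or bare 12-digit ID; None for '*' and service principals."""
    if principal.startswith("arn:"):
        return principal.split(":")[4] or None
    if principal.isdigit() and len(principal) == 12:
        return principal
    return None


def analyze(policy, home_account=HOME_ACCOUNT):
    """Return (statement index, category, detail) for every risky Allow statement."""
    findings = []
    for idx, stmt in enumerate(_as_list(policy.get("Statement"))):
        if stmt.get("Effect") != "Allow":
            continue  # Deny statements only narrow access
        actions = {a.lower() for a in _as_list(stmt.get("Action"))}
        condition = stmt.get("Condition", {})
        cond_keys = {k.lower() for block in condition.values() for k in block}
        for principal in _principals(stmt):
            if principal == "*":
                if not condition:
                    findings.append((idx, "PUBLIC", "Principal * with no Condition"))
                else:
                    findings.append((idx, "PUBLIC_CONDITIONAL",
                                     f"Principal * limited only by {sorted(cond_keys)}"))
                continue
            account = _account_of(principal)
            if account is None or account == home_account:
                continue  # service principal, federated IdP, or our own account
            can_assume = actions & {"sts:assumerole", "sts:*", "*"}
            if can_assume and "sts:externalid" not in cond_keys:
                findings.append((idx, "CONFUSED_DEPUTY",
                                 f"{principal} can assume the role without sts:ExternalId"))
            else:
                findings.append((idx, "CROSS_ACCOUNT", f"grants access to {principal}"))
    return findings


# Constructed samples. The vendor account 999988887777 is a placeholder.
WEAK_TRUST_POLICY = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Principal": {"AWS": "arn:aws:iam::999988887777:root"},
     "Action": "sts:AssumeRole"}]}

HARDENED_TRUST_POLICY = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Principal": {"AWS": "arn:aws:iam::999988887777:root"},
     "Action": "sts:AssumeRole",
     "Condition": {"StringEquals": {"sts:ExternalId": "vendor-7f3a"}}},
    {"Effect": "Allow", "Principal": {"Service": "lambda.amazonaws.com"},
     "Action": "sts:AssumeRole"}]}

BUCKET_POLICY = {"Version": "2012-10-17", "Statement": [
    {"Sid": "PublicRead", "Effect": "Allow", "Principal": "*",
     "Action": "s3:GetObject", "Resource": "arn:aws:s3:::example-bucket/*"},
    {"Sid": "VpceOnly", "Effect": "Allow", "Principal": "*",
     "Action": "s3:GetObject", "Resource": "arn:aws:s3:::example-bucket/*",
     "Condition": {"StringEquals": {"aws:SourceVpce": "vpce-0123456789abcdef0"}}},
    {"Sid": "DenyInsecureTransport", "Effect": "Deny", "Principal": "*",
     "Action": "s3:*", "Resource": "arn:aws:s3:::example-bucket/*",
     "Condition": {"Bool": {"aws:SecureTransport": "false"}}}]}


if __name__ == "__main__":
    for name, policy in [("weak trust", WEAK_TRUST_POLICY),
                         ("hardened trust", HARDENED_TRUST_POLICY),
                         ("bucket", BUCKET_POLICY)]:
        print(name, json.dumps(analyze(policy), indent=2))
```

The hardened trust policy still reports a CROSS_ACCOUNT finding on purpose: a cross-account grant is a fact to review, not an error. Only the `*` principals and the missing external ID are treated as defects, and a `Principal: "*"` that is fenced by `aws:SourceVpce` is still reported, because S3 Block Public Access and Access Analyzer treat conditions on network origin differently from conditions on the caller's identity.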
Additional resources
learn.cantrill.io
tutorialsdojo.com
The exam
Number of questions: 65
Time: 170 minutes
Cost: 277 Euro
Incident response guide: https://docs.aws.amazon.com/security-ir/latest/userguide/security-incident-response-guide.html (Access, Scaling, Elasticity, Automation)
Incident playbooks: https://github.com/aws-samples/aws-customer-playbook-framework/tree/main/docs
DDoS resiliency, mitigation techniques: https://docs.aws.amazon.com/whitepapers/latest/aws-best-practices-ddos-resiliency/mitigation-techniques.html
Domain 1 Threat Detection and Incident Response (14% of scored content)
Domain 2 Security Logging and Monitoring (18% of scored content)
Domain 3 Infrastructure Security (20% of scored content)
Domain 4 Identity and Access Management (16% of scored content)
Domain 5 Data Protection (18% of scored content)
Domain 6 Management and Security Governance (14% of scored content)
Domain 1: Threat Detection and Incident Response
Lesson 1: Introduction to Threat Detection and Incident Response
Lesson 2: Design and implement an incident response plan
Lesson 3: Detect security threats and anomalies by using AWS Services
Lesson 4: Respond to compromised resources and workloads
Domain 2: Security Logging and Monitoring
Lesson 1: Introduction to Security Logging and Monitoring
Lesson 2: Design and implement monitoring and alerting to address security events
Lesson 3: Troubleshoot security monitoring and alerting
Lesson 4: Design and implement a logging solution
Lesson 5: Troubleshoot logging solutions
Lesson 6: Design a log analysis solution
Domain 3: Infrastructure Security
Lesson 1: Introduction to Infrastructure Security
Lesson 2: Design and implement security controls for edge services
Lesson 3: Design and implement network security controls
Lesson 4: Design and implement security controls for compute workloads
Lesson 5: Troubleshoot network security
Domain 4: Identity and Access Management
Lesson 1: Introduction to Identity and Access Management
Lesson 2: Design, implement, and troubleshoot authentication for AWS resources
Lesson 3: Design, implement, and troubleshoot authorization for AWS resources
Domain 5: Data Protection
Lesson 1: Introduction to Data Protection
Lesson 2: Design and implement controls that provide confidentiality and integrity for data in transit
Lesson 3: Design and implement controls that provide confidentiality and integrity for data at rest
Lesson 4: Design and implement controls to manage the lifecycle of data at rest
Lesson 5: Design and implement controls to protect credentials, secrets, and cryptographic key materials
Domain 6: Management and Security Governance
Lesson 1: Introduction to Management and Security Governance
Lesson 2: Develop a strategy to centrally deploy and manage AWS accounts
Lesson 3: Implement a secure and consistent deployment strategy for cloud resources
Lesson 4: Evaluate the compliance of AWS resources
Lesson 5: Identify security gaps through architectural reviews and cost analysis
https://docs.aws.amazon.com/wellarchitected/latest/security-pillar/governance.html https://docs.aws.amazon.com/wellarchitected/latest/framework/security.html
AWS Well-Architected Framework, pillars:
Operational excellence
Security, design principles:
- Implement a strong identity foundation
- Maintain traceability
- Apply security at all layers
- Automate security best practices: automated software-based security mechanisms improve your ability to securely scale more rapidly and cost-effectively. Create secure architectures, including the implementation of controls that are defined and managed as code in version-controlled templates.
- Protect data in transit and at rest
- Keep people away from data
- Prepare for security events
Reliability
Performance efficiency
Cost optimization
Sustainability
Best Practices
AWS account management and separation
- SEC01-BP01 Separate workloads using accounts
- SEC01-BP02 Secure account root user and properties
Operating your workloads securely
- SEC01-BP03 Identify and validate control objectives
- SEC01-BP04 Stay up to date with security threats and recommendations
- SEC01-BP05 Reduce security management scope
- SEC01-BP06 Automate deployment of standard security controls
- SEC01-BP07 Identify threats and prioritize mitigations using a threat model
- SEC01-BP08 Evaluate and implement new security services and features regularly
Identity management
- SEC02-BP01 Use strong sign-in mechanisms
- SEC02-BP02 Use temporary credentials
- SEC02-BP03 Store and use secrets securely
- SEC02-BP04 Rely on a centralized identity provider
- SEC02-BP05 Audit and rotate credentials periodically
- SEC02-BP06 Employ user groups and attributes
Permissions management
- SEC03-BP01 Define access requirements
- SEC03-BP02 Grant least privilege access
- SEC03-BP03 Establish emergency access process
- SEC03-BP04 Reduce permissions continuously
- SEC03-BP05 Define permission guardrails for your organization
- SEC03-BP06 Manage access based on lifecycle
- SEC03-BP07 Analyze public and cross-account access
- SEC03-BP08 Share resources securely within your organization
- SEC03-BP09 Share resources securely with a third party
Detection
- SEC04-BP01 Configure service and application logging
- SEC04-BP02 Capture logs, findings, and metrics in standardized locations
- SEC04-BP03 Correlate and enrich security alerts
- SEC04-BP04 Initiate remediation for non-compliant resources
Protecting networks
- SEC05-BP01 Create network layers
- SEC05-BP02 Control traffic flow within your network layers
- SEC05-BP03 Implement inspection-based protection
- SEC05-BP04 Automate network protection
Protecting compute
- SEC06-BP01 Perform vulnerability management
- SEC06-BP02 Provision compute from hardened images
- SEC06-BP03 Reduce manual management and interactive access
- SEC06-BP04 Validate software integrity
- SEC06-BP05 Automate compute protection
Data classification
- SEC07-BP01 Understand your data classification scheme
- SEC07-BP02 Apply data protection controls based on data sensitivity
- SEC07-BP03 Automate identification and classification
- SEC07-BP04 Define scalable data lifecycle management
Protecting data at rest
- SEC08-BP01 Implement secure key management
- SEC08-BP02 Enforce encryption at rest
- SEC08-BP03 Automate data at rest protection
- SEC08-BP04 Enforce access control
Protecting data in transit
- SEC09-BP01 Implement secure key and certificate management
- SEC09-BP02 Enforce encryption in transit
- SEC09-BP03 Authenticate network communications
Incident response - Preparation
- SEC10-BP01 Identify key personnel and external resources
- SEC10-BP02 Develop incident management plans
- SEC10-BP03 Prepare forensic capabilities
- SEC10-BP04 Develop and test security incident response playbooks
- SEC10-BP05 Pre-provision access
- SEC10-BP06 Pre-deploy tools
- SEC10-BP07 Run simulations
Post-incident activity
- SEC10-BP08 Establish a framework for learning from incidents
Application security
- SEC11-BP01 Train for application security
- SEC11-BP02 Automate testing throughout the development and release lifecycle
- SEC11-BP03 Perform regular penetration testing
- SEC11-BP04 Conduct code reviews
- SEC11-BP05 Centralize services for packages and dependencies
- SEC11-BP06 Deploy software programmatically
- SEC11-BP07 Regularly assess security properties of the pipelines
- SEC11-BP08 Build a program that embeds security ownership in workload teams
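SEC03-BP02 (least privilege) and SEC03-BP05 (permission guardrails, i.e. SCPs and permissions boundaries) only make sense once the evaluation order is clear: an explicit Deny anywhere wins, an SCP must allow, a resource-based policy in the same account can grant on its own, and a permissions boundary caps what identity-based policies may grant. The simulator below is an added example, not from this page or from AWS; it implements that order for a principal acting in its own account, leaving out session policies, NotAction/NotResource and condition keys. All policies and ARNs are constructed samples.

```python
"""Simplified IAM policy evaluation for a same-account request.

Added example, not from the page. Order mirrors the IAM policy-evaluation
flow: explicit deny, SCPs, resource-based policy, permissions boundary,
identity-based policies. Session policies, NotAction/NotResource and
Condition blocks are deliberately left out. All policies are constructed.
"""
import fnmatch


def _as_list(value):
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def _statement_matches(stmt, effect, action, resource):
    """Does this statement with the given Effect cover action on resource?"""
    if stmt.get("Effect") != effect:
        return False
    action_ok = any(fnmatch.fnmatchcase(action.lower(), pattern.lower())
                    for pattern in _as_list(stmt.get("Action")))
    resource_ok = any(fnmatch.fnmatchcase(resource, pattern)
                      for pattern in _as_list(stmt.get("Resource", "*")))
    return action_ok and resource_ok


def _has(policies, effect, action, resource):
    return any(_statement_matches(stmt, effect, action, resource)
               for policy in policies for stmt in _as_list(policy.get("Statement")))


def evaluate(action, resource, identity_policies, scps=None, boundary=None,
             resource_policy=None):
    """Return (allowed, reason). resource_policy is assumed to name this principal."""
    applicable = list(identity_policies) + list(scps or [])
    applicable += [p for p in (boundary, resource_policy) if p]
    # 1. An explicit Deny in any applicable policy always wins.
    if _has(applicable, "Deny", action, resource):
        return False, "explicit deny"
    # 2. When SCPs apply, at least one must Allow; SCPs never grant by themselves.
    if scps is not None and not _has(scps, "Allow", action, resource):
        return False, "no SCP allows the action"
    # 3. Within the same account a resource-based policy that names the
    #    principal grants access even if the identity policy is silent.
    if resource_policy and _has([resource_policy], "Allow", action, resource):
        return True, "allowed by resource-based policy"
    # 4. A permissions boundary caps what identity-based policies can grant.
    if boundary and not _has([boundary], "Allow", action, resource):
        return False, "outside permissions boundary"
    # 5. Finally an identity-based policy must Allow.
    if _has(identity_policies, "Allow", action, resource):
        return True, "allowed by identity-based policy"
    return False, "implicit deny"


# Constructed sample policies.
S3_ADMIN = {"Statement": [{"Effect": "Allow", "Action": "s3:*", "Resource": "*"}]}
SCP_DENY_DELETE = {"Statement": [
    {"Effect": "Allow", "Action": "*", "Resource": "*"},          # FullAWSAccess
    {"Effect": "Deny", "Action": "s3:DeleteBucket", "Resource": "*"}]}
SCP_EC2_ONLY = {"Statement": [{"Effect": "Allow", "Action": "ec2:*", "Resource": "*"}]}
READ_ONLY_BOUNDARY = {"Statement": [
    {"Effect": "Allow", "Action": ["s3:Get*", "s3:List*"], "Resource": "*"}]}
SHARED_BUCKET_POLICY = {"Statement": [
    {"Effect": "Allow", "Principal": {"AWS": "arn:aws:iam::111122223333:user/alice"},
     "Action": "s3:PutObject", "Resource": "arn:aws:s3:::shared/*"}]}
OBJ = "arn:aws:s3:::shared/report.csv"


def run_cases():
    """Evaluate the scenarios the study notes describe; returns name -> (allowed, reason)."""
    return {
        "plain_allow": evaluate("s3:GetObject", OBJ, [S3_ADMIN]),
        "scp_explicit_deny": evaluate("s3:DeleteBucket", "arn:aws:s3:::shared",
                                      [S3_ADMIN], scps=[SCP_DENY_DELETE]),
        "scp_no_allow": evaluate("s3:GetObject", OBJ, [S3_ADMIN], scps=[SCP_EC2_ONLY]),
        "boundary_blocks": evaluate("s3:PutObject", OBJ, [S3_ADMIN],
                                    boundary=READ_ONLY_BOUNDARY),
        "boundary_permits": evaluate("s3:GetObject", OBJ, [S3_ADMIN],
                                     boundary=READ_ONLY_BOUNDARY),
        "resource_policy_grants": evaluate("s3:PutObject", OBJ, [],
                                           resource_policy=SHARED_BUCKET_POLICY),
        "nothing_allows": evaluate("ec2:StartInstances", "*", [S3_ADMIN]),
    }


if __name__ == "__main__":
    for name, (allowed, reason) in run_cases().items():
        print(f"{name:24} {'ALLOW' if allowed else 'DENY ':5} {reason}")
```

The two guardrail cases are the ones worth remembering for the exam: `scp_no_allow` shows that an SCP that only lists `ec2:*` blocks S3 even for a principal whose identity policy says `s3:*`, and `boundary_blocks` shows the same effect from a permissions boundary, while `resource_policy_grants` shows a bucket policy granting a same-account user an action that no identity policy mentions.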
Identity and Access Management
AWS Config and AWS Organizations
Multi-account, multi-region data aggregation in AWS Config lets you aggregate AWS Config data from multiple accounts and AWS Regions into a single account. AWS Config provides resource inventory, configuration history, and change notifications.
AWS Organizations: service control policies (SCPs) https://docs.aws.amazon.com/organizations/latest/userguide/orgs_manage_policies_scps.html
Policy evaluation logic: https://docs.aws.amazon.com/images/IAM/latest/UserGuide/images/PolicyEvaluationHorizontal111621.png
IAM access policy types: AWS managed, customer managed, inline
Policy elements: Effect, Action, Resource, Condition, Principal
IAM Access Analyzer
AWS STS with Active Directory (AD) federation: identity broker, identity store, identities, sts:AssumeRole
=== Detective Controls ===
AWS Security Hub (ASFF, AWS Security Finding Format)
- standards: AWS Foundational Security Best Practices, CIS AWS Foundations Benchmark
- insights, findings
AWS CloudTrail
- enable in all regions
- enable log file validation
- encrypt logs
- integrate with CloudWatch Logs
- centralize logs from all accounts
- create additional trails as needed
Amazon CloudWatch
- metrics: built-in / custom
- collect and process log files
- detect events and respond with a notification or an automated response action
Amazon GuardDuty
- unusual API calls (by IP address)
- attempts to disable AWS CloudTrail
- unauthorized deployments
- compromised instances
- port scanning and failed logins on EC2 instances
- monitors CloudTrail logs, VPC Flow Logs, and DNS logs
- centralizes detection across multiple AWS accounts
Amazon Inspector
- ports reachable from outside the VPC
- CIS benchmarks
- vulnerable software (CVE)
- security best practices
=== Data Protection ===
Amazon Macie discovers sensitive data using machine learning and pattern matching, and provides visibility into data security risks.
AWS KMS
- symmetric / asymmetric keys
- AWS managed keys: rotated automatically every year
- customer managed keys (CMK): automatic rotation is optional and off by default; once enabled it rotates yearly (the period is configurable)
- customer managed keys with imported key material: no automatic rotation, must be rotated manually
- client-side,
server-side and S3 encryption
AWS CloudHSM: dedicated hardware security module (HSM) under your control
AWS Certificate Manager (ACM)
=== Incident Response ===
Amazon Detective
- dashboard: roles and users making API calls, EC2 instance with the most traffic volume, container clusters with the most pods, newly observed geolocations
- security investigation: triage, investigate and respond
Amazon EventBridge: serverless event-driven applications (routes findings to automated responses)
AWS Security Hub (again)
AWS Backup / AWS Elastic Disaster Recovery
=== Infrastructure Protection ===
AWS Systems Manager: Incident Manager, Session Manager, Automation (runbooks), Incident Manager / runbook workflow
AWS Trusted Advisor: optimization suggestions
Amazon VPC
- components such as NAT gateways, IP Address Manager (IPAM), traffic mirroring, Reachability Analyzer, and Network Access Analyzer
- VPC Flow Logs
- subnets, network interfaces
Amazon EC2: EBS volumes, AMIs, launch templates, Auto Scaling groups
Security group
- applied to a resource (its network interface)
- stateful: a rule automatically allows the return traffic in the reverse direction
- by default denies all ingress and allows all egress; there are no deny rules, anything not explicitly allowed is dropped
- can reference other security groups (attached to other resources) as the source
NACL (network ACL)
- applied to subnets in the VPC
- stateless: inbound and outbound rules must both be defined, including the return traffic on ephemeral ports
- rules are evaluated in ascending rule-number order and the first matching rule wins; an implicit final rule denies everything else
Edge services (WAF/Shield protected resources): Amazon CloudFront distribution, Amazon API Gateway REST API, Application Load Balancer
AWS Shield: DDoS protection against SYN/UDP floods, reflection attacks, and other layer 3/4 attacks
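The stateful-versus-stateless distinction in the security group and NACL notes above is easiest to see with a packet walk. The simulation below is an added example, not from this page or from AWS: it models just enough of each filter (allow-only rules plus a connection table for the security group; numbered allow/deny rules with first-match semantics and an implicit final deny for the NACL) to show that a NACL mirroring an HTTPS-only security group drops the server's reply unless an outbound rule covers the client's ephemeral port, and that swapping two NACL rule numbers flips the verdict. Addresses, ports and rules are constructed samples.

```python
"""Security group (stateful) vs. network ACL (stateless, ordered) simulation.

Added example, not from the page. All addresses, ports and rules below are
constructed samples; only the filtering semantics follow the AWS behaviour.
"""
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int
    proto: str = "tcp"


@dataclass
class Rule:
    proto: str             # "tcp", "udp" or "-1" (all protocols)
    port_from: int         # destination port range the rule covers
    port_to: int
    cidr: str              # source CIDR for inbound rules, destination CIDR for outbound
    action: str = "allow"  # NACLs may also "deny"; security groups only allow
    number: int = 0        # NACL rule number; lowest matching number wins


def _matches(rule, remote_ip, dst_port, proto):
    return (rule.proto in ("-1", proto)
            and rule.port_from <= dst_port <= rule.port_to
            and ipaddress.ip_address(remote_ip) in ipaddress.ip_network(rule.cidr))


class SecurityGroup:
    """Attached to an ENI. Allow-only rules plus a connection table (stateful)."""

    def __init__(self, inbound, outbound):
        self.inbound, self.outbound = inbound, outbound
        self._flows = set()

    def allow(self, pkt, direction):
        reverse = (pkt.dst_ip, pkt.dst_port, pkt.src_ip, pkt.src_port, pkt.proto)
        if reverse in self._flows:
            return True  # reply to a tracked connection needs no rule of its own
        rules = self.inbound if direction == "in" else self.outbound
        remote = pkt.src_ip if direction == "in" else pkt.dst_ip
        if any(_matches(r, remote, pkt.dst_port, pkt.proto) for r in rules):
            self._flows.add((pkt.src_ip, pkt.src_port, pkt.dst_ip, pkt.dst_port, pkt.proto))
            return True
        return False  # nothing allowed it: dropped


class NetworkAcl:
    """Attached to a subnet. Stateless; rules evaluated in ascending number."""

    def __init__(self, inbound, outbound):
        self.inbound, self.outbound = inbound, outbound

    def allow(self, pkt, direction):
        rules = self.inbound if direction == "in" else self.outbound
        remote = pkt.src_ip if direction == "in" else pkt.dst_ip
        for r in sorted(rules, key=lambda r: r.number):
            if _matches(r, remote, pkt.dst_port, pkt.proto):
                return r.action == "allow"  # the first matching rule decides
        return False  # the implicit final "*" rule denies everything else


def simulate():
    """Run one HTTPS request/response pair through each filter; returns name -> verdict."""
    anywhere = "0.0.0.0/0"
    request = Packet("203.0.113.10", 51000, "10.0.1.5", 443)
    response = Packet("10.0.1.5", 443, "203.0.113.10", 51000)

    # Security group: HTTPS in and, deliberately, no outbound rule at all.
    sg = SecurityGroup(inbound=[Rule("tcp", 443, 443, anywhere)], outbound=[])
    # NACL that naively mirrors the security group: port 443 in both directions.
    mirrored = NetworkAcl(inbound=[Rule("tcp", 443, 443, anywhere, number=100)],
                          outbound=[Rule("tcp", 443, 443, anywhere, number=100)])
    # Correct NACL: the reply goes back to the client's ephemeral port.
    ephemeral = NetworkAcl(inbound=[Rule("tcp", 443, 443, anywhere, number=100)],
                           outbound=[Rule("tcp", 1024, 65535, anywhere, number=100)])
    # Same two inbound rules, numbered differently: ordering changes the verdict.
    deny_first = NetworkAcl(inbound=[Rule("tcp", 443, 443, "203.0.113.0/24", "deny", number=50),
                                     Rule("tcp", 443, 443, anywhere, number=100)], outbound=[])
    deny_second = NetworkAcl(inbound=[Rule("tcp", 443, 443, anywhere, number=50),
                                      Rule("tcp", 443, 443, "203.0.113.0/24", "deny", number=100)],
                             outbound=[])

    return {
        "sg_request_in": sg.allow(request, "in"),
        "sg_response_out": sg.allow(response, "out"),              # True: tracked flow
        "mirrored_request_in": mirrored.allow(request, "in"),
        "mirrored_response_out": mirrored.allow(response, "out"),  # False: dst port 51000
        "ephemeral_response_out": ephemeral.allow(response, "out"),
        "deny_first_request_in": deny_first.allow(request, "in"),    # False: rule 50 deny
        "deny_second_request_in": deny_second.allow(request, "in"),  # True: allow is lower
    }


if __name__ == "__main__":
    for name, verdict in simulate().items():
        print(f"{name:26} {'ALLOW' if verdict else 'DROP'}")
```

The `deny_second` case is the one that bites in practice: a deny rule added with a higher number than an existing broad allow never fires, so a NACL blocklist must be numbered below the allow it is meant to override.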
AWS Shield Advanced: enhanced protection for resources on CloudFront, Route 53, Global Accelerator, Elastic Load Balancing and EC2 Elastic IPs; AWS WAF is included at no extra cost; access to the SRT (Shield Response Team)
API Gateway: throttling (default 10,000 requests/second per account per Region), API caching (default TTL 300 seconds)
AWS WAF
- web ACL, Bot Control, application integration SDKs, IP sets, regex pattern sets, rule groups, add-on protections
- global threat dashboard; increased protection from web attacks; web traffic visibility; security with managed rules
- rule statements: cross-site scripting, IP, geographic, size, SQL injection, string match, regex match
- monitors web requests to CloudFront distributions, Application Load Balancers, API Gateway REST APIs, AWS AppSync GraphQL APIs, Amazon Cognito user pools, AWS App Runner services and AWS Verified Access instances
AWS Firewall Manager https://docs.aws.amazon.com/waf/latest/developerguide/fms-chapter.html
- centrally manages WAF, Shield Advanced and security-group policies across the accounts of an Organization
- security policies, resource sets, application lists, protocol lists
Centralize logs
- CloudTrail to CloudWatch Logs
- AWS Config managed rule with EventBridge to CloudWatch Logs, subscription filter to OpenSearch Service
- GuardDuty findings via EventBridge to CloudWatch Logs
- Security Hub via EventBridge to CloudWatch Logs
- Amazon Detective with Amazon Athena + subscription filter to OpenSearch Service
AWS Directory Service
AWS CloudFormation https://docs.aws.amazon.com/servicecatalog/latest/adminguide/getstarted-CFN.html
=== Compliance ===
AWS Artifact provides on-demand downloads of AWS security and compliance documents.
AWS Audit Manager
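The "GuardDuty findings via EventBridge" path above is also the automation hook for Domain 1 (respond to compromised resources): an EventBridge rule on `GuardDuty Finding` events invokes a Lambda function that runs the playbook step. The handler below is an added example, not from this page or from AWS: it isolates a compromised EC2 instance by replacing its security groups with a quarantine group (kept, not terminated, so memory and disk stay available for forensics) and deactivates a compromised IAM access key, escalating anything it has no playbook for. The quarantine security group ID, the finding events and the instance/key identifiers are constructed; `RecordingClient` stands in for the boto3 clients so the block runs offline, and the real `modify_instance_attribute`, `create_tags` and `update_access_key` calls are the ones the deployed handler would make.

```python
"""Automated response to a GuardDuty finding delivered through EventBridge.

Added example, not from the page. `respond` holds the playbook logic; the
EventBridge event shapes below are constructed to follow the GuardDuty
finding schema (resource.instanceDetails / resource.accessKeyDetails).
QUARANTINE_SG is an assumed, pre-created security group with no rules.
"""

QUARANTINE_SG = "sg-0123456789abcdef0"   # assumed: no inbound or outbound rules
SEVERITY_THRESHOLD = 4.0                  # GuardDuty: 4.0-6.9 medium, 7.0-8.9 high


class RecordingClient:
    """Stand-in for a boto3 client: records every call instead of calling AWS."""

    def __init__(self):
        self.calls = []

    def __getattr__(self, name):
        def method(**kwargs):
            self.calls.append((name, kwargs))
            return {}
        return method


def respond(event, ec2, iam):
    """Run the playbook step for one finding; return a record of what was done."""
    if event.get("detail-type") != "GuardDuty Finding":
        return {"action": "ignored", "reason": "not a GuardDuty finding"}
    finding = event["detail"]
    severity = float(finding.get("severity", 0))
    if severity < SEVERITY_THRESHOLD:
        return {"action": "ignored", "reason": f"severity {severity} below threshold"}

    resource = finding.get("resource", {})
    rtype = resource.get("resourceType")
    if rtype == "Instance":
        instance_id = resource["instanceDetails"]["instanceId"]
        # Isolate, don't terminate: swapping every SG for the quarantine group cuts
        # the attacker off while memory and disk remain available for forensics.
        ec2.modify_instance_attribute(InstanceId=instance_id, Groups=[QUARANTINE_SG])
        ec2.create_tags(Resources=[instance_id], Tags=[
            {"Key": "Quarantined", "Value": "true"},
            {"Key": "GuardDutyFindingId", "Value": finding.get("id", "")}])
        return {"action": "isolated_instance", "instanceId": instance_id}

    if rtype == "AccessKey":
        key = resource["accessKeyDetails"]
        if key.get("userType") == "Root":
            # No API lets a Lambda role deactivate root keys: hand off to a human.
            return {"action": "escalate", "reason": "root credentials involved"}
        iam.update_access_key(UserName=key["userName"],
                              AccessKeyId=key["accessKeyId"], Status="Inactive")
        return {"action": "deactivated_access_key", "accessKeyId": key["accessKeyId"]}

    return {"action": "escalate", "reason": f"no playbook for resource type {rtype}"}


def lambda_handler(event, context=None):
    """Entry point when deployed; imports boto3 only there, so the demo stays offline."""
    import boto3
    return respond(event, boto3.client("ec2"), boto3.client("iam"))


def _finding(ftype, severity, resource):
    """Build a constructed EventBridge event carrying one GuardDuty finding."""
    return {"detail-type": "GuardDuty Finding", "source": "aws.guardduty",
            "detail": {"id": "f0123456789abcdef", "type": ftype,
                       "severity": severity, "resource": resource}}


SSH_BRUTE_FORCE = _finding("UnauthorizedAccess:EC2/SSHBruteForce", 5.0,
    {"resourceType": "Instance",
     "instanceDetails": {"instanceId": "i-0abc123def456789a"}})
LEAKED_KEY = _finding("UnauthorizedAccess:IAMUser/MaliciousIPCaller", 5.0,
    {"resourceType": "AccessKey",
     "accessKeyDetails": {"accessKeyId": "AKIAIOSFODNN7EXAMPLE",
                          "userName": "deploy-bot", "userType": "IAMUser"}})
ROOT_KEY = _finding("UnauthorizedAccess:IAMUser/MaliciousIPCaller", 7.0,
    {"resourceType": "AccessKey",
     "accessKeyDetails": {"accessKeyId": "AKIAEXAMPLEROOT00000",
                          "userName": "<root>", "userType": "Root"}})
PORT_PROBE = _finding("Recon:EC2/PortProbeUnprotectedPort", 2.0,
    {"resourceType": "Instance",
     "instanceDetails": {"instanceId": "i-0abc123def456789a"}})


if __name__ == "__main__":
    ec2, iam = RecordingClient(), RecordingClient()
    for ev in (SSH_BRUTE_FORCE, LEAKED_KEY, ROOT_KEY, PORT_PROBE):
        print(ev["detail"]["type"], "->", respond(ev, ec2, iam))
    print("EC2 calls:", ec2.calls)
    print("IAM calls:", iam.calls)
```

Two caveats for the deployed version: `modify_instance_attribute` with `Groups` replaces the whole security-group list, so record the previous groups (or snapshot the volumes) first if the playbook may need to restore the instance, and the Lambda's execution role needs only `ec2:ModifyInstanceAttribute`, `ec2:CreateTags` and `iam:UpdateAccessKey`, scoped as tightly as the account layout allows.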