Chapter 17 - Security Flashcards
DDoS
Distributed Denial of Service attack
- An attempt to make your website or application unavailable to your end users by overwhelming it with traffic from many sources at once.
- Common Layer 4 attacks include SYN floods and NTP amplification attacks.
- Common Layer 7 attacks include floods of HTTP GET or POST requests.
CloudTrail
Gives you after-the-fact incident investigation.
- You get near real-time intrusion detection.
- You get industry and regulatory compliance.
- Always just remember that CloudTrail is basically a CCTV for your AWS account.
- This is going to log all API calls that are made to your AWS account.
- And it’s going to store these logs in S3.
Shield
Protects against Layer 3 and Layer 4 attacks only.
- Basically you just have to remember what Shield is at a high level.
- It's used to protect against DDoS attacks.
- If you see a scenario question that's talking about DDoS mitigation or protecting against Layer 3 and Layer 4 attacks, I want you to think of AWS Shield.
- You get Shield Standard for free.
- Shield Advanced costs $3,000 a month, but it gives you a dedicated 24/7 DDoS response team.
AWS WAF
At its most basic level it allows 3 different behaviors:
- Allow all requests except the ones you specify.
- Block all requests except the ones you specify.
- Count the requests that match the properties you specify.
Operates at Layer 7. In the exam, like I said, you're going to get scenario-based questions asking how to block Layer 7 attacks.
- At Layer 7, use a WAF.
- At Layer 4, use Shield.
- Always think of a WAF whenever you hear the term Layer 7.
- WAF can block Layer 7 DDoS attacks as well as things like SQL injection and cross-site scripting.
- If you need to block access from specific countries or IP addresses, you can also achieve this using AWS WAF.
GuardDuty
- It uses machine learning to learn what normal behavior looks like in your account and alerts you to any abnormal or malicious behavior.
- It updates a database of known malicious domains using external threat-intelligence feeds from third parties.
- And it monitors your CloudTrail logs, VPC Flow Logs, and DNS logs.
Macie
- Basically it uses machine learning to analyze your data in S3 and identify personally identifiable information (PII), protected health information (PHI), and financial data.
- It's great for HIPAA and GDPR compliance as well as for preventing identity theft.
- You can set up alerts with Macie; these can be sent to Amazon EventBridge and then integrated with your event management systems.
- So if you see a scenario-based question that talks about analyzing S3 using AI or preventing the leak of personally identifiable information, I want you to automatically think of Macie.
Inspector
- It's used to perform vulnerability scans on both EC2 instances and your VPCs.
- On EC2 instances these are called host assessments.
- On your VPCs they're called network assessments.
- You can run these assessments once, or alternatively run them weekly.
KMS
A managed service that makes it easy for you to create and control the encryption keys used to encrypt your data.
- You start using the service by requesting the creation of a customer master key (CMK).
- You control the lifecycle of customer master keys,
- as well as who can use or manage them.
- The key material for a customer master key can come from 2 places:
- AWS creates it for you: the key material is generated inside hardware security modules managed by AWS KMS and never leaves them in plaintext.
- Or you import key material from your own key management infrastructure and associate it with a customer master key.
There are 3 ways to control permissions within KMS:
- Use the key policy alone. Controlling access this way means the full scope of access to the CMK is defined in a single document.
- Use IAM policies in combination with the key policy. Controlling access this way lets you manage all the permissions for your IAM identities in IAM. The key policy must still contain a statement giving the account permission to use IAM policies for that key; without it, IAM policies on their own have no effect on the key.
- Use grants in combination with the key policy. Controlling access this way lets you allow access to the CMK in the key policy, while also allowing users to delegate their access to others.
KMS versus CloudHSM
KMS
- Basically you're using shared tenancy of the underlying AWS hardware (multi-tenant HSMs).
- You do get automatic key rotation and you get automatic key generation.
CloudHSM
- It's a physical hardware device dedicated to you (single tenant).
- You get full control of the underlying hardware,
- You have full control of users, groups, and keys.
- But there is no automatic key rotation.
Secrets Manager
Secrets Manager securely stores your application secrets: database credentials, API keys, SSH keys, passwords, and so on.
- Applications retrieve secrets through the Secrets Manager API.
- Rotating credentials is super easy, but be careful: when you enable rotation, Secrets Manager rotates the credentials immediately.
- So make sure all your application instances are configured to fetch their credentials from Secrets Manager before enabling rotation; any instance still holding the old credentials will start failing.
- You will get scenario-based questions that test whether you should use Parameter Store or Secrets Manager.
- If you're trying to minimize costs, always choose Parameter Store.
- If you need more than 10,000 parameters, key rotation, or the ability to generate passwords using CloudFormation, you want Secrets Manager.
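Added example, not from the course: a small simulation of the rotation caveat above. FakeSecretsManager and FakeDatabase are constructed stand-ins for the real API and database (not boto3), and enable_rotation models only the visible effect of turning rotation on, namely that the password changes right away. One instance was handed the password at deploy time; the other reads it from Secrets Manager and refetches when the database rejects its cached copy. After rotation only the second one still works.

```python
import secrets


class AuthError(Exception):
    """Raised when the database rejects the supplied password."""


class FakeSecretsManager:
    """Constructed stand-in for the Secrets Manager API (not boto3)."""

    def __init__(self, initial_password):
        self._value = initial_password

    def get_secret_value(self):
        return self._value

    def put_secret_value(self, new_password):
        self._value = new_password


class FakeDatabase:
    """Constructed stand-in for the database whose password the secret holds."""

    def __init__(self, password):
        self.password = password

    def connect(self, password):
        if password != self.password:
            raise AuthError("authentication failed")
        return "connected"


def enable_rotation(sm, db):
    """Simplified model of enabling rotation: the first rotation runs immediately,
    so the database password changes now, not at the next scheduled interval."""
    new_password = secrets.token_urlsafe(24)
    db.password = new_password
    sm.put_secret_value(new_password)


class EnvVarApp:
    """Instance that was given the password once at deploy time (e.g. via an environment variable)."""

    def __init__(self, password):
        self.password = password

    def query(self, db):
        return db.connect(self.password)


class SecretsManagerApp:
    """Instance that reads the secret from Secrets Manager and refreshes its cached copy
    when the database rejects it, which is what lets it survive a rotation without a restart."""

    def __init__(self, sm):
        self.sm = sm
        self._cached = sm.get_secret_value()

    def query(self, db):
        try:
            return db.connect(self._cached)
        except AuthError:
            # Password was rotated underneath us: refetch once and retry.
            self._cached = self.sm.get_secret_value()
            return db.connect(self._cached)


def demo():
    """Returns (env_var_app_ok, secrets_manager_app_ok) after rotation has been enabled."""
    sm = FakeSecretsManager("initial-password")
    db = FakeDatabase("initial-password")
    legacy = EnvVarApp("initial-password")
    managed = SecretsManagerApp(sm)
    # Both work before rotation.
    assert legacy.query(db) == "connected" and managed.query(db) == "connected"
    enable_rotation(sm, db)
    try:
        legacy.query(db)
        legacy_ok = True
    except AuthError:
        legacy_ok = False
    managed_ok = managed.query(db) == "connected"
    return legacy_ok, managed_ok


if __name__ == "__main__":
    print(demo())
```

The retry-on-AuthError pattern is the minimum an application needs; caching the value with a short TTL and refreshing proactively is better than waiting for a failed connection.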
Presigned URLs
If you see a scenario question where you need to share private files in your S3 bucket without making the bucket public, think of presigned URLs: a URL carrying a time-limited signature made with the generating identity's credentials, so anyone holding the URL can access that one object until it expires.
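Added example, not from the course and not the AWS SDK: a pure-Python SigV4 signer for an S3 presigned GET URL, plus a verifier that does what S3 does on receipt (check expiry, then recompute the signature over the request as received). It shows what the URL actually carries and why changing the object key or the expiry in the URL breaks it. The access key and secret are the placeholder values AWS uses in its own documentation, the bucket, key and fixed timestamp are constructed, and verify_presigned_url is this example's own function, not an AWS API.

```python
import hashlib
import hmac
from datetime import datetime, timedelta, timezone
from urllib.parse import parse_qs, quote, unquote, urlparse

# Constructed example credentials: the placeholder access key and secret that
# AWS uses in its documentation. They are not real credentials.
ACCESS_KEY = "AKIAIOSFODNN7EXAMPLE"
SECRET_KEY = "wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY"
REGION = "us-east-1"
# Fixed clock so the example is reproducible; a real signer uses the current UTC time.
EXAMPLE_NOW = datetime(2013, 5, 24, tzinfo=timezone.utc)


def _hmac(key: bytes, msg: str) -> bytes:
    return hmac.new(key, msg.encode(), hashlib.sha256).digest()


def signing_key(secret: str, date_stamp: str, region: str) -> bytes:
    """SigV4 key derivation. The secret itself never appears in the URL, only a signature made with this derived key."""
    k_date = _hmac(("AWS4" + secret).encode(), date_stamp)
    k_region = _hmac(k_date, region)
    k_service = _hmac(k_region, "s3")
    return _hmac(k_service, "aws4_request")


def _canonical_query(params: dict) -> str:
    # SigV4: parameters sorted by name, URI-encoded, with only the unreserved characters left alone.
    return "&".join(f"{quote(k, safe='-_.~')}={quote(v, safe='-_.~')}" for k, v in sorted(params.items()))


def _signature(secret: str, host: str, path: str, params: dict) -> str:
    """X-Amz-Signature for a GET whose only signed header is Host and whose payload is unsigned."""
    canonical_request = "\n".join([
        "GET",
        quote(path, safe="/-_.~"),
        _canonical_query(params),
        f"host:{host}\n",    # canonical headers block, terminated by a blank line
        "host",              # signed headers list
        "UNSIGNED-PAYLOAD",  # S3 presigned URLs do not sign the body
    ])
    amz_date = params["X-Amz-Date"]
    region = params["X-Amz-Credential"].split("/")[2]
    scope = f"{amz_date[:8]}/{region}/s3/aws4_request"
    string_to_sign = "\n".join([
        "AWS4-HMAC-SHA256",
        amz_date,
        scope,
        hashlib.sha256(canonical_request.encode()).hexdigest(),
    ])
    return hmac.new(signing_key(secret, amz_date[:8], region), string_to_sign.encode(), hashlib.sha256).hexdigest()


def presign_get_object(bucket, key, access_key, secret, region, expires_in, now=None):
    """Build a presigned GET URL for s3://bucket/key that is valid for expires_in seconds."""
    now = now or datetime.now(timezone.utc)
    amz_date = now.strftime("%Y%m%dT%H%M%SZ")
    host = f"{bucket}.s3.{region}.amazonaws.com"
    path = "/" + key
    params = {
        "X-Amz-Algorithm": "AWS4-HMAC-SHA256",
        "X-Amz-Credential": f"{access_key}/{amz_date[:8]}/{region}/s3/aws4_request",
        "X-Amz-Date": amz_date,
        "X-Amz-Expires": str(expires_in),
        "X-Amz-SignedHeaders": "host",
    }
    sig = _signature(secret, host, path, params)
    return f"https://{host}{path}?{_canonical_query(params)}&X-Amz-Signature={sig}"


def verify_presigned_url(url, secret, now=None):
    """What the service does on receipt: reject if expired, then recompute the signature over the URL as received."""
    parsed = urlparse(url)
    params = {k: v[0] for k, v in parse_qs(parsed.query).items()}
    given = params.pop("X-Amz-Signature", "")
    try:
        issued = datetime.strptime(params["X-Amz-Date"], "%Y%m%dT%H%M%SZ").replace(tzinfo=timezone.utc)
        ttl = timedelta(seconds=int(params["X-Amz-Expires"]))
        params["X-Amz-Credential"].split("/")[2]  # must carry a region
    except (KeyError, ValueError, IndexError):
        return False
    now = now or datetime.now(timezone.utc)
    if now > issued + ttl:
        return False  # expiry is enforced by the service, not by the client
    expected = _signature(secret, parsed.netloc, unquote(parsed.path), params)
    return hmac.compare_digest(expected, given)  # constant-time comparison


def demo():
    """Returns (valid, tampered_key, tampered_expiry, expired, wrong_secret) for one constructed URL."""
    url = presign_get_object("examplebucket", "reports/q1.pdf", ACCESS_KEY, SECRET_KEY, REGION, 3600, now=EXAMPLE_NOW)
    return (
        verify_presigned_url(url, SECRET_KEY, now=EXAMPLE_NOW),
        verify_presigned_url(url.replace("reports/q1.pdf", "reports/q2.pdf"), SECRET_KEY, now=EXAMPLE_NOW),
        verify_presigned_url(url.replace("X-Amz-Expires=3600", "X-Amz-Expires=604800"), SECRET_KEY, now=EXAMPLE_NOW),
        verify_presigned_url(url, SECRET_KEY, now=EXAMPLE_NOW + timedelta(hours=2)),
        verify_presigned_url(url, "not-the-real-secret", now=EXAMPLE_NOW),
    )
```

In real code you call the SDK (boto3's generate_presigned_url) rather than signing by hand; the point of doing it here is to see that a presigned URL is a bearer token: the expiry and the object key are inside the signed data, so they cannot be edited, but anyone who obtains the URL can use it until it expires, and it is signed with the credentials of whoever generated it, so generate it from an identity that has no more S3 access than the recipient should get.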
Advanced IAM policies
- Remember that if something is not explicitly allowed, it's implicitly denied.
- An explicit deny always trumps everything else.
- Only attached policies have an effect.
- So if you have multiple policies but you haven't attached them to any groups, for example, then of course they're not going to have an effect.
- You can have multiple policies attached to a group and AWS joins all of these.
- If there's any kind of conflict, like an explicit deny in one policy and an allow in another, remember that the explicit deny always beats the allow.
- In the exam you're going to get scenario-based questions around SSL certificates and which services you can integrate SSL certificates with. So remember the supported services: Elastic Load Balancer, CloudFront, and API Gateway.
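Added example, not from the course: a small evaluator that applies the rules in the bullets above (implicit deny by default, a matching Allow allows, an explicit Deny beats everything, unattached policies are ignored) to identity-based policy documents. The three policy documents and the bucket ARNs are constructed for this example; IAM's real evaluation also considers resource-based policies, permissions boundaries, SCPs and conditions, which this deliberately leaves out.

```python
import fnmatch

# Constructed policy documents (not from any real account).
READ_ONLY_S3 = {
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow", "Action": ["s3:Get*", "s3:List*"], "Resource": "*"},
    ],
}
DENY_PROD_BUCKET = {
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Deny", "Action": "s3:*", "Resource": "arn:aws:s3:::prod-data/*"},
    ],
}
ADMIN = {
    "Version": "2012-10-17",
    "Statement": [{"Effect": "Allow", "Action": "*", "Resource": "*"}],
}
# Only these two are attached to the group; ADMIN exists in the account but is attached to nothing.
ATTACHED = [READ_ONLY_S3, DENY_PROD_BUCKET]


def _as_list(value):
    return value if isinstance(value, list) else [value]


def _statement_matches(stmt, action, resource):
    """IAM wildcards: '*' matches any run of characters, '?' one character. Action names are case-insensitive."""
    action_hit = any(fnmatch.fnmatchcase(action.lower(), a.lower()) for a in _as_list(stmt["Action"]))
    resource_hit = any(fnmatch.fnmatchcase(resource, r) for r in _as_list(stmt.get("Resource", "*")))
    return action_hit and resource_hit


def evaluate(attached_policies, action, resource):
    """Decide one request from the identity-based policies attached to the principal:
    an explicit Deny in any matching statement wins, otherwise any matching Allow allows,
    otherwise the request is implicitly denied. Policies not in attached_policies have no effect."""
    allowed = False
    for doc in attached_policies:
        for stmt in doc["Statement"]:
            if not _statement_matches(stmt, action, resource):
                continue
            if stmt["Effect"] == "Deny":
                return "ExplicitDeny"  # a matching Deny ends evaluation immediately
            allowed = True
    return "Allow" if allowed else "ImplicitDeny"


def demo():
    dev = "arn:aws:s3:::dev-data/readme.txt"
    prod = "arn:aws:s3:::prod-data/customers.csv"
    return {
        "read dev": evaluate(ATTACHED, "s3:GetObject", dev),        # Allow
        "read prod": evaluate(ATTACHED, "s3:GetObject", prod),      # ExplicitDeny
        "delete dev": evaluate(ATTACHED, "s3:DeleteObject", dev),   # ImplicitDeny: nothing allows it
        "read prod, admin attached too": evaluate(ATTACHED + [ADMIN], "s3:GetObject", prod),  # still ExplicitDeny
    }


if __name__ == "__main__":
    for request, decision in demo().items():
        print(f"{request:32} {decision}")
```

The last case is the one the exam likes: attaching a full-admin policy does not rescue a request that any attached policy explicitly denies.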
Benefits of Certificate Manager
- It's a free service that saves time and money.
- You can automatically renew your SSL certificates
- and rotate the old certificates out for new ones, so long as it's with the supported AWS services.