Encryption Flashcards
Symmetric encryption for data in transit
Symmetric encryption can be used for encryption in transit, but it requires careful key management to ensure security. One common approach is to use symmetric encryption to encrypt the data itself and then use asymmetric encryption to securely exchange the symmetric key.
Config rules
Custom rules use Lambda to evaluate whatever rule you have coded.
Config also integrates with EventBridge, SNS and SSM (to remediate compute configurations).
Roles in AWS organization
New accounts created inside an organization come with a new role (which can be role-switched into); invited accounts have to be issued a role manually.
AWS Organization New account
When you create a new account within an AWS organization, the only way to access the new account is by switching role into that account.
You can role-switch into an invited account, however, you would have to first create the role manually.
Since the management account can’t be restricted by SCPs, it is best practice not to use the management account for normal activities.
Control Tower Initialized
By default, the Control Tower management account comes built in with three components and two OUs:
Control Tower
SSO
AWS Organization:
- Sandbox/Custom OU
- Security/Foundational OU
Control Tower Account Factory
Automated Account Provisioning
* Cloud admins or end users (with appropriate permissions)
* Guardrails - automatically added
* Account admin given to a named user (IAM Identity Center)
* Account & network standard configuration
AWS RAM
It’s very practical to share resources within a subnet with other principals in a separate account, either via an individual account or an organization account.
Shared Services are read only
CFN-Signal
This is an agent inside an instance.
Notes on AWS RAM
- VPCs can be created which provide shared infrastructure services to other AWS accounts
- VPC Owners create and manage the VPC & Subnets and can share to participants
- VPC Owners cannot delete or modify resources created by participant VPCs
- Some resources can be shared with ANY account, some only with AWS ORG accounts
- Participants can provision services into the shared subnets, read and reference network objects but not modify or delete them
Inline vs Managed Policy
Managed policy - one policy to many users.
Inline policy - each user gets a unique set of permissions, e.g. for special or exceptional access or denies.
IAM ROLES LIMITS
IAM roles do not have a limit on how many identities can use them. A role can be used by millions of identities inside and outside of AWS.
Role credentials are temporary.
IAM ROLES USE CASE
- Emergency access
- Lambda functions, where the number of functions cannot be determined in advance
- >= 500 identities needed
- Non-AWS identities (SAML 2.0, Facebook, Google, etc.) - privilege escalation
Service Linked Role
E.g., a Lambda execution role, or a CloudWatch role for EC2.
IAM PassRole
Grants a user the ability to use or issue a service-linked role.
AWS: To pass a role (and its permissions) to an AWS service, a user must have permissions to pass the role to the service. This helps administrators ensure that only approved users can configure a service with a role that grants permissions. To allow a user to pass a role to an AWS service, you must grant the PassRole permission to the user’s IAM user, role, or group.
IAM Trust policy
Not every random identity can use a created IAM role; the trust policy specifies the identities that can assume the role.
AWS: The trust policy defines which principals can assume the role, and under which conditions. A trust policy is a specific type of resource-based policy for IAM roles.
STS
STS generates temporary credentials which can access AWS resources until they expire. They authorise access based on the role’s permissions policy.
After evaluating the permissions policy and the trust policy, credentials are returned to the identity requesting them. Another sts:AssumeRole* call is required when the credentials expire.
EC2 Metadata
IAM role credentials are always stored in the instance metadata for any application on the instance to access. As long as the credentials are in the instance metadata, they are automatically renewed before they expire, so they are always up to date:
iam/security-credentials/role-name
Risk of storing sensitive data on Instance metadata
All CLI tools and processes running on an instance have access to the instance credentials stored in the metadata.
IAM POLICY Variable
{
  "Version": "2012-10-17",
  "Statement": [{
    "Action": ["iam:*AccessKey*"],
    "Effect": "Allow",
    "Resource": ["arn:aws:iam::account-id:user/${aws:username}"]
  }]
}
${aws:username} is replaced at evaluation time by the name of the active user making the request.
Instance profile
If you create an IAM role using the console, an instance profile is created for you, but when using the CLI you have to create the role and the instance profile separately.
IAM Role with External ID
A randomly generated ID issued along with an IAM role as an extra layer of security over the role itself, which could otherwise be assumed by anyone who has the role’s ARN.