Section 24: AWS Security & Encryption Flashcards
What is AWS KMS (Key Management Service)?
- It manages the keys that are used to encrypt and access your data.
KMS - Customer Master Key (CMK) Types
1) Symmetric (AES-256 keys)
- First offering of KMS; a single encryption key is used to both encrypt and decrypt.
- AWS services that are integrated with KMS use symmetric CMKs
- You never get access to the key unencrypted
2) Asymmetric (RSA & ECC key pairs)
- Public (encrypt) and private (decrypt) key pair
- Used for Encryption/Decryption or Sign/Verify operations
- Use case: encryption outside of AWS by users who cannot call the KMS API
SSM Parameter Store
- Secure storage for configuration and secrets
AWS Secrets Manager
- Newer service, meant for storing secrets
- Capability to force rotation of secrets every X days
- Automate generation of secrets on rotation
- Integration with Amazon RDS (MySQL, PostgreSQL, Aurora)
- Secrets are encrypted using KMS
AWS Shield
- AWS Shield Standard is free.
- It is a service that protects you against DDoS attacks.
AWS WAF (Web Application Firewall)
- Protects your web application from common web exploits (Layer 7)
- Deploy on Application Load Balancer, API Gateway, CloudFront
- Define Web ACL (Web Access Control List)
- Rules can include: IP addresses, HTTP headers
- Protects from common attacks: SQL injection and cross-site scripting
- Size constraints, geo match
- Rate-based rules for DDoS protection
What is Amazon GuardDuty?
- Intelligent threat discovery to protect AWS accounts.
- Uses machine learning algorithms, anomaly detection, and 3rd-party data
- Can protect against cryptocurrency attacks
What is Amazon Inspector?
- Automated security assessments for EC2 instances and containers pushed to Amazon ECR
What is Amazon Macie?
- It is a fully managed data security and data privacy service that uses machine learning and pattern matching to discover and protect your sensitive data in AWS.