Course: AWS Cloud Practitioner Essentials - 6. Security
July 26th, 2022
Shared responsibility model
Compliance
Identity and Access Management (IAM)
  user
  policy
  group
  role
AWS Organizations
Application Security
  Web Application Firewall (WAF)
  Shield - DDoS
  Inspector - automated security assessment
  Key Management Service (KMS) - cryptographic keys (not secrets, not certificates)
  GuardDuty - intelligent threat detection
Shared Responsibility Model
Compliance
  compliance: being able to prove it
  https://aws.amazon.com/compliance/
  using a compliant service is not sufficient to make a customer compliant
Identity and Access Management (IAM)
  manage access to AWS services and resources
  AWS account root user
    any use of root is so rare that it should be investigated as a security event
  IAM Users
    identity representing a person / application
    best practice: create a user for each person; don't share accounts with other people
  IAM Policies
    document that grants or denies permissions
    best practice: principle of least privilege
  IAM groups
    collection of users
    best practice: use groups
    users can be in multiple groups
    access conflicts: an explicit deny always wins
    https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_evaluation-logic.html
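To see how the evaluation rules above combine when a user inherits policies from several groups, here is a small added example (not AWS code, and not from the course) that merges a user's group policies and applies the explicit-deny-wins ordering. The users, groups, policies and ARNs are constructed, and Conditions, NotAction, permission boundaries, SCPs and resource-based policies are deliberately left out.

```python
import fnmatch
import json

# Constructed sample policies in the AWS policy-document format (not real account policies).
DEVELOPERS_POLICY = json.loads("""{
  "Version": "2012-10-17",
  "Statement": [
    {"Effect": "Allow", "Action": ["s3:GetObject", "s3:PutObject"],
     "Resource": "arn:aws:s3:::app-bucket/*"}
  ]
}""")
CONTRACTORS_POLICY = json.loads("""{
  "Version": "2012-10-17",
  "Statement": [
    {"Effect": "Deny", "Action": "s3:PutObject", "Resource": "*"}
  ]
}""")

# A user can belong to several groups and inherits every group's policies (constructed data).
GROUPS = {"developers": [DEVELOPERS_POLICY], "contractors": [CONTRACTORS_POLICY]}
USERS = {"alice": ["developers"], "bob": ["developers", "contractors"]}


def _as_list(value):
    # Policy fields may be a single string or a list of strings.
    return value if isinstance(value, list) else [value]


def _matches(statement, action, resource):
    # IAM-style wildcards: '*' and '?' (fnmatch also treats '[...]' specially, which IAM does not).
    action_hit = any(fnmatch.fnmatchcase(action, a) for a in _as_list(statement["Action"]))
    resource_hit = any(fnmatch.fnmatchcase(resource, r) for r in _as_list(statement["Resource"]))
    return action_hit and resource_hit


def evaluate(user, action, resource):
    """Simplified IAM evaluation: explicit Deny wins, then an Allow is needed, else implicit deny."""
    statements = [s for g in USERS[user] for p in GROUPS[g] for s in p["Statement"]]
    matching = [s for s in statements if _matches(s, action, resource)]
    if any(s["Effect"] == "Deny" for s in matching):
        return "explicit deny"      # a Deny from any group overrides every Allow
    if any(s["Effect"] == "Allow" for s in matching):
        return "allow"
    return "implicit deny"          # nothing matched: default deny
```

Bob is in both groups, so the contractors' Deny on s3:PutObject overrides the developers' Allow, while his s3:GetObject access is unaffected.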
  IAM roles
    identity you can assume to gain temporary access to permissions
    you can only assume one role at a time
    roles vs groups
      https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_common-scenarios_aws-accounts.html
      roles (require technical effort)
        single sign-on
        federated identity
      simple starting point: groups
        stops scaling
        then invest the technical effort:
          single sign-on
          federated identity
AWS Organizations
  create & manage AWS accounts & groups of AWS accounts
Application Security
  Web Application Firewall (WAF)
    (cf. a network firewall, which works on OSI layers 3-4; WAF works on OSI layer 7, the application layer)
  Shield - DDoS
    not optional, always on
    optional: Shield Advanced
  Inspector
  Key Management Service (KMS)
    NOT certificates
  GuardDuty - intelligent threat detection