Course: AWS Cloud Practitioner Essentials - 6. Security
July 26th, 2022
Shared responsibility model
Compliance
Identity and Access Management (IAM)
user
policy
group
role
AWS Organization
Application Security
Web Application Firewall (WAF)
Shield - DDoS
Inspector - automated security assessment
Key Management Service (KMS) - cryptographic keys (not secrets, not certificates)
GuardDuty - intelligent threat detection
Shared Responsibility Model
![no description for image available](http://images.ctfassets.net/p2rtto0i6kcn/e9f8d410-1510-4ba3-98d2-3269c847d702/9e028417b5ab621c7dea4ce0294ffc5d/default-filename.jpg)
![no description for image available](http://images.ctfassets.net/p2rtto0i6kcn/ae6c1d1a-97be-4589-b158-d9aacc6da1e2/8a7c9d6264c1ae840445f9c38e408973/default-filename.jpg)
![no description for image available](http://images.ctfassets.net/p2rtto0i6kcn/bccc8f7b-0c36-491c-a6db-e8f87fdd09bd/6f4c7c3225522c1d26df73946106119b/default-filename.jpg)
Compliance
compliance: being able to prove (to an auditor or regulator) that requirements are met, not just meeting them
https://aws.amazon.com/compliance/
using a compliant service is not sufficient to make a customer compliant (the customer's own configuration and processes are still in scope)
Identity and Access Management (IAM)
manage access to AWS services and resources
![no description for image available](http://images.ctfassets.net/p2rtto0i6kcn/792e3bf4-919e-47f9-abf7-bcd3c51c5296/5a2632cac4e00ddaefd846e45f26fbe1/default-filename.jpg)
AWS account root user
any use of root is so rare that it should be investigated as a security event; protect it with MFA, create no access keys for it, and use it only for the few tasks that require root
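As an added example (not from the course or AWS), the detection logic that turns "any use of root is a security event" into a check over CloudTrail records. The filter reproduces the CIS AWS Foundations Benchmark metric-filter pattern for root usage (userIdentity.type is Root, no invokedBy, eventType is not AwsServiceEvent), so actions AWS services perform on the account's behalf are not flagged. The records are constructed sample data; the field names follow the CloudTrail event format, the severity rule is an assumption of this example.

```python
"""Detect direct use of the AWS account root user in CloudTrail records.

Added example, not AWS code. Filter = CIS benchmark root-usage pattern:
  userIdentity.type = "Root" AND userIdentity.invokedBy NOT EXISTS
  AND eventType != "AwsServiceEvent"
"""
import json

# Constructed CloudTrail-style records (not real account data).
SAMPLE_TRAIL = json.loads("""
{"Records": [
  {"eventVersion": "1.08", "eventTime": "2022-07-26T09:12:44Z",
   "eventType": "AwsConsoleSignIn", "eventSource": "signin.amazonaws.com",
   "eventName": "ConsoleLogin", "awsRegion": "us-east-1",
   "sourceIPAddress": "203.0.113.5",
   "userIdentity": {"type": "Root", "principalId": "123456789012",
                    "arn": "arn:aws:iam::123456789012:root",
                    "accountId": "123456789012"},
   "additionalEventData": {"MFAUsed": "No"},
   "responseElements": {"ConsoleLogin": "Success"}},
  {"eventVersion": "1.08", "eventTime": "2022-07-26T09:30:01Z",
   "eventType": "AwsApiCall", "eventSource": "s3.amazonaws.com",
   "eventName": "GetObject", "awsRegion": "us-east-1",
   "sourceIPAddress": "198.51.100.7",
   "userIdentity": {"type": "IAMUser", "userName": "alice",
                    "arn": "arn:aws:iam::123456789012:user/alice",
                    "accountId": "123456789012"}},
  {"eventVersion": "1.08", "eventTime": "2022-07-26T10:05:19Z",
   "eventType": "AwsServiceEvent", "eventSource": "kms.amazonaws.com",
   "eventName": "GenerateDataKey", "awsRegion": "us-east-1",
   "sourceIPAddress": "kms.amazonaws.com",
   "userIdentity": {"type": "Root", "principalId": "123456789012",
                    "arn": "arn:aws:iam::123456789012:root",
                    "accountId": "123456789012", "invokedBy": "AWS Internal"}}
]}
""")


def is_root_usage(record):
    """True when a human or script acted with root credentials directly."""
    ident = record.get("userIdentity", {})
    return (
        ident.get("type") == "Root"
        and "invokedBy" not in ident              # not a service acting for the account
        and record.get("eventType") != "AwsServiceEvent"
    )


def root_usage_findings(trail):
    """Return one finding dict per record that represents direct root use."""
    findings = []
    for rec in trail.get("Records", []):
        if not is_root_usage(rec):
            continue
        mfa = rec.get("additionalEventData", {}).get("MFAUsed", "n/a")
        # Assumed severity rule for this example: a root console login
        # without MFA is the worst case; everything else is still "high".
        console_no_mfa = rec["eventName"] == "ConsoleLogin" and mfa != "Yes"
        findings.append({
            "time": rec["eventTime"],
            "event": f'{rec["eventSource"]}:{rec["eventName"]}',
            "source_ip": rec.get("sourceIPAddress"),
            "mfa_used": mfa,
            "severity": "critical" if console_no_mfa else "high",
        })
    return findings


if __name__ == "__main__":
    for finding in root_usage_findings(SAMPLE_TRAIL):
        print(json.dumps(finding))
```

Run against a real trail, the same function would be fed the `Records` array of each CloudTrail log file; in production the equivalent lives as a CloudWatch metric filter plus alarm rather than a script.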
IAM Users
identity representing person / application
best practice: create a separate user for each person; never share credentials with other people
IAM Policies
document that grants or denies permissions
best practice: principle of least privilege (grant only the permissions a task needs)
IAM groups
collection of users
best practice: use groups
users can be in multiple groups
access conflicts (e.g. a user in two groups whose policies contradict each other)
an explicit deny always wins over any allow; with no matching allow at all the request is implicitly denied
https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_evaluation-logic.html
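The evaluation rule above, worked through as an added example (my code, not AWS's and not part of the course): a toy simulator for identity-based policies inside one account. The policy documents, groups and users are constructed; the simulator handles only `Effect`, `Action` and `Resource` with IAM's `*`/`?` wildcards and deliberately ignores SCPs, permission boundaries, resource policies, conditions and `NotAction`, so it illustrates "explicit deny > allow > implicit deny" and nothing more.

```python
"""Toy simulator of IAM identity-based policy evaluation (added example).

Models the documented rule: an explicit Deny overrides any Allow, and a
request with no matching Allow is implicitly denied. Everything else in
real IAM (SCPs, boundaries, conditions, resource policies) is left out.
"""
import fnmatch
import json

# Constructed policy documents in IAM JSON syntax (least privilege: the
# analysts get read-only access to exactly one bucket).
READ_ONLY_REPORTS = json.loads("""
{"Version": "2012-10-17",
 "Statement": [{"Effect": "Allow",
                "Action": ["s3:GetObject", "s3:ListBucket"],
                "Resource": ["arn:aws:s3:::example-reports",
                             "arn:aws:s3:::example-reports/*"]}]}
""")

EC2_ADMIN = json.loads("""
{"Version": "2012-10-17",
 "Statement": [{"Effect": "Allow", "Action": "ec2:*", "Resource": "*"}]}
""")

GUARDRAIL_DENY = json.loads("""
{"Version": "2012-10-17",
 "Statement": [{"Effect": "Deny",
                "Action": ["ec2:TerminateInstances", "s3:DeleteObject"],
                "Resource": "*"}]}
""")

# Constructed membership: a user can be in several groups, and every
# group's policies apply to the user at once.
GROUPS = {
    "analysts": [READ_ONLY_REPORTS],
    "ops": [EC2_ADMIN],
    "everyone": [GUARDRAIL_DENY],
}
USERS = {
    "alice": ["analysts", "everyone"],
    "bob": ["ops", "everyone"],
}


def _as_list(value):
    return value if isinstance(value, list) else [value]


def _matches(statement, action, resource):
    """IAM-style matching: '*'/'?' wildcards; action names case-insensitive."""
    actions = [a.lower() for a in _as_list(statement.get("Action", []))]
    resources = _as_list(statement.get("Resource", []))
    return any(fnmatch.fnmatchcase(action.lower(), a) for a in actions) and any(
        fnmatch.fnmatchcase(resource, r) for r in resources
    )


def evaluate(policies, action, resource):
    """Return 'explicit_deny', 'allow' or 'implicit_deny' for one request."""
    allowed = False
    for policy in policies:
        for statement in policy["Statement"]:
            if not _matches(statement, action, resource):
                continue
            if statement["Effect"] == "Deny":
                return "explicit_deny"   # a matching Deny ends evaluation
            allowed = True               # keep looking: a later Deny still wins
    return "allow" if allowed else "implicit_deny"


def policies_for_user(user):
    """Collect the policies of every group the user belongs to."""
    return [policy for group in USERS[user] for policy in GROUPS[group]]


def is_allowed(user, action, resource):
    return evaluate(policies_for_user(user), action, resource) == "allow"


if __name__ == "__main__":
    instance = "arn:aws:ec2:us-east-1:123456789012:instance/i-0abc"
    for user, action, res in [
        ("alice", "s3:GetObject", "arn:aws:s3:::example-reports/q1.csv"),
        ("alice", "ec2:DescribeInstances", instance),
        ("bob", "ec2:StartInstances", instance),
        ("bob", "ec2:TerminateInstances", instance),   # allowed by ops, denied by guardrail
    ]:
        print(user, action, "->", evaluate(policies_for_user(user), action, res))
```

The bob/TerminateInstances case is the one the notes call an access conflict: `ec2:*` in the ops group allows it, the deny in the everyone group matches it, and the deny wins regardless of the order the policies are attached or evaluated.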
IAM roles
identity you can assume to gain temporary access to permissions
![no description for image available](http://images.ctfassets.net/p2rtto0i6kcn/f03c1513-6d60-4237-8331-c46d11258ee9/1d13f9017c50b51ed7394090d727f841/default-filename.jpg)
a principal assumes one role at a time; while acting under the role you have only the role's permissions, not the ones you had before
roles vs groups
https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_common-scenarios_aws-accounts.html
groups: simple starting point, but stops scaling
roles: require technical effort, but enable single sign on and federated identity
AWS Organization
create & manage AWS accounts & groups of AWS accounts
![no description for image available](http://images.ctfassets.net/p2rtto0i6kcn/b2848b03-06d5-431e-860c-175646a7f5c3/9f2657ed4b9a655ffeb866233eb514b8/default-filename.jpg)
![no description for image available](http://images.ctfassets.net/p2rtto0i6kcn/d43228d2-a799-4bf6-88d4-935dfba8fc87/89213919c5a71f623ba0bf3dba49429f/default-filename.jpg)
Application Security
Web Application Firewall (WAF)
![no description for image available](http://images.ctfassets.net/p2rtto0i6kcn/292cc6b0-da58-4dcb-9b2e-8bdb36d8ce79/001058c21eebf1dd57f7f6bb2bd41c10/default-filename.jpg)
(cf. a network firewall, which filters on OSI layers 3-4; a WAF filters on OSI layer 7, the application layer, i.e. the HTTP requests themselves)
Shield - DDoS
![no description for image available](http://images.ctfassets.net/p2rtto0i6kcn/4544e148-9b0f-476d-bc72-636048672d7b/e167f6bd3e457b0ebaa8bca117ec6004/default-filename.jpg)
Shield Standard: not optional, always on for every AWS account at no extra cost
![no description for image available](http://images.ctfassets.net/p2rtto0i6kcn/48a25273-274b-4ab1-893f-d9d3d5bfe1d7/39daf9bb87079fedc61fa4d118681735/default-filename.jpg)
Shield Advanced: optional, paid tier
Inspector - automated security assessment (scans for vulnerabilities and deviations from best practice)
![no description for image available](http://images.ctfassets.net/p2rtto0i6kcn/b8b8f4cd-25cd-41a0-957c-0ec981684e8e/1681666d25842cae7763d16632cbb47b/default-filename.jpg)
Key Management Service (KMS) - cryptographic keys
![no description for image available](http://images.ctfassets.net/p2rtto0i6kcn/de793283-91f3-4101-a5f5-bd31e7cac31b/bcb67111488719ff01b2e08acdf698fc/default-filename.jpg)
NOT certificates (those belong to AWS Certificate Manager) and NOT secrets (AWS Secrets Manager); KMS creates, stores and uses the keys that encrypt data
GuardDuty - intelligent threat detection
![no description for image available](http://images.ctfassets.net/p2rtto0i6kcn/1369b892-c63f-409f-b6d5-01b66c84605b/74aed41ff5a57e72f50af30e09a18bc5/default-filename.jpg)