{"id":925,"date":"2019-07-02T10:43:18","date_gmt":"2019-07-02T10:43:18","guid":{"rendered":"https:\/\/www.testpreptraining.com\/tutorial\/?page_id=925"},"modified":"2020-05-02T07:16:15","modified_gmt":"2020-05-02T07:16:15","slug":"aws-cloud-security","status":"publish","type":"page","link":"https:\/\/www.testpreptraining.ai\/tutorial\/aws-cloud-practitioner\/aws-cloud-security\/","title":{"rendered":"Define AWS Cloud Security and Compliance Concepts"},"content":{"rendered":"\n
Cloud security at AWS is the highest priority. AWS cloud\nallows customers to scale and innovate, while maintaining a secure environment.\n<\/p>\n\n\n\n
AWS Cloud Security and Compliance covers following aspects\nof AWS Security<\/p>\n\n\n\n
Infrastructure Security<\/li>
Infrastructure Resilience<\/li>
Data Encryption<\/li>
Monitoring and Logging<\/li>
Identity and Access Control<\/li>
Compliance Assurance Programs<\/li>
Security Support<\/li>
Standards and Best Practices <\/li><\/ul>\n\n\n\n
Infrastructure Security<\/h2>\n\n\n\n
Network firewalls built into Amazon VPC.<\/li>
TLS encryption in transit across all services.<\/li>
Private or dedicated connections into your data\ncentre <\/li><\/ul>\n\n\n\n
Accessing the Internet<\/strong> by VPC<\/strong><\/p>\n\n\n\n
Default VPC includes an internet gateway, and\neach default subnet is a public subnet. <\/li>
Each instance that you launch into a default\nsubnet has a private IPv4 address and a public IPv4 address. <\/li>
These instances can communicate with the\ninternet through the internet gateway. <\/li>
An internet gateway connect to the internet\nthrough the Amazon EC2 network edge.<\/li><\/ul>\n\n\n\n
<\/figure><\/div>\n\n\n\n
By default, each instance launched into a\nnondefault subnet has a private IPv4 address, but no public IPv4 address,\nunless assigned or modify the subnet’s public IP address attribute. <\/li>
These instances can communicate with each other,\nbut can’t access the internet.<\/li>
Can enable internet access for an a nondefault\nsubnet by attaching an internet gateway to its VPC and associating an Elastic\nIP address with the instance.<\/li>
Amazon VPC provides a web-based user interface,\nthe Amazon VPC console. <\/li>
Access the Amazon VPC console by signing into\nthe AWS Management Console and choosing VPC.<\/li><\/ul>\n\n\n\n
Infrastructure Resilience<\/h2>\n\n\n\n
Technologies built from the ground up for\nresilience in the face of DDoS attacks.<\/li>
Services can be used in combination to\nautomatically scale for traffic load.<\/li>
Autoscaling, CloudFront, Route 53 can be used to\nprevent DDoS. <\/li><\/ul>\n\n\n\n
AWS Shield <\/h2>\n\n\n\n
It is a managed DDoS protection service <\/li>
Available in two tiers: Standard and Advanced. <\/li>
AWS Shield Standard applies always-on detection\nand inline mitigation techniques like deterministic packet filtering and\npriority-based traffic shaping. It is included automatically and transparently\nto Elastic Load Balancing load balancers, Amazon CloudFront distributions, and\nAmazon Route 53 resources at no additional cost. <\/li>
AWS Shield Advanced includes access to near\nreal-time metrics and reports, for extensive visibility into infrastructure\nlayer and application layer DDoS attacks. <\/li><\/ul>\n\n\n\n
AWS WAF<\/h2>\n\n\n\n
It is a web application firewall to protect web\napplications from common web exploits. <\/li>
It defines customizable web security rules to\ncontrol which traffic accesses web applications. <\/li>
Rules use conditions to target specific requests\nand trigger an action, <\/li>
It helps you to identify and block common DDoS\nrequest patterns and effectively mitigate a DDoS attack. <\/li><\/ul>\n\n\n\n
Amazon Route 53<\/h2>\n\n\n\n
It is a highly available and scalable DNS\nservice <\/li>
Designed to route end users to infrastructure\nrunning inside or outside of AWS.<\/li>
It can manage traffic globally through a variety\nof routing types, and provides out-of-the-box shuffle sharding and Anycast\nrouting capabilities to protect domain names from DNS-based DDoS attacks.<\/li><\/ul>\n\n\n\n
Amazon CloudFront<\/h2>\n\n\n\n
Distributes traffic across multiple edge\nlocations <\/li>
Filters requests to ensure that only valid\nHTTP(S) requests will be forwarded to backend hosts. <\/li>
Supports geoblocking, to prevent requests from\nparticular geographic locations.<\/li><\/ul>\n\n\n\n
Elastic Load Balancing <\/h2>\n\n\n\n
Distributes incoming application traffic across\nmultiple targets like , such as Amazon Elastic Compute Cloud (Amazon EC2)\ninstances, containers, and IP addresses, and multiple Availability Zones, to minimizes\noverloading a single resource. <\/li>
Elastic Load Balancing, like CloudFront, only\nsupports valid TCP requests, so DDoS attacks such as UDP and SYN floods are not\nable to reach EC2 instances. <\/li>
It is a single point of management <\/li>
It can serve as a line of defense between the\ninternet and private EC2 instances. <\/li>
It includes the Application Load Balancer, for\nload balancing of HTTP and HTTPS traffic and also directly supports AWS WAF.<\/li><\/ul>\n\n\n\n
VPCs and Security Groups <\/h2>\n\n\n\n
Security groups or origin access identity (OAI), require\nattackers to make requests through AWS WAF and CloudFront instead from the\nwebsite origin and minimizes the attack surface of <\/p>\n\n\n\n
backend load balancers<\/li>
EC2 instances<\/li>
Amazon Simple Storage Service (Amazon S3)\nbuckets <\/li><\/ul>\n\n\n\n
Amazon Virtual Private Cloud (Amazon VPC) allows to configure\n<\/p>\n\n\n\n
subnet routes<\/li>
public IP addresses<\/li>
security groups<\/li>
network access control lists <\/li><\/ul>\n\n\n\n
<\/figure><\/div>\n\n\n\n
\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\nAbove,\nuses Route 53, AWS WAF, CloudFront, and Elastic Load Balancing to control and\ndistribute traffic. \n\n\n\n<\/p>\n\n\n\n
Data Encryption<\/h2>\n\n\n\n
Encryption at rest available in EBS, S3,\nGlacier, RDS (Oracle and SQL Server) and Redshift.<\/li>
Key management through AWS KMS – you can choose\nwhether to control the keys or let AWS.<\/li>
Server side encryption of message queues in SQS.<\/li>
Dedicated hardware-based cryptographic key\nstorage using AWS CloudHSM, allowing you to satisfy compliance requirements.<\/li>
APIs to integrate AWS security into any\napplications you create. <\/li><\/ul>\n\n\n\n
Server-Side Encryption<\/strong><\/p>\n\n\n\n
It is data encryption at rest<\/li>
Like, Amazon S3 encrypts your data at the object level as it writes it to disks in its data centers and decrypts it for you when you access it. <\/li>
You need to authenticate your request and you have access permissions <\/li><\/ul>\n\n\n\n
3 mutually exclusive options depending on how you choose to\nmanage the encryption keys:<\/p>\n\n\n\n
Use Server-Side Encryption with Amazon\nS3-Managed Keys (SSE-S3) \u2013 Each object is encrypted with a unique key. As an\nadditional safeguard, it encrypts the key itself with a master key that it\nregularly rotates. Amazon S3 server-side encryption uses one of the strongest\nblock ciphers available, 256-bit Advanced Encryption Standard (AES-256), to\nencrypt your data. <\/li>
Use Server-Side Encryption with AWS KMS-Managed\nKeys (SSE-KMS) \u2013 Similar to SSE-S3, but with some additional benefits along\nwith some additional charges for using this service. There are separate\npermissions for the use of an envelope key (that is, a key that protects your\ndata’s encryption key) that provides added protection against unauthorized\naccess of your objects in Amazon S3. SSE-KMS also provides you with an audit\ntrail of when your key was used and by whom. Additionally, you have the option\nto create and manage encryption keys yourself, or use a default key that is\nunique to you, the service you’re using, and the Region you’re working in. <\/li>
Use Server-Side Encryption with\nCustomer-Provided Keys (SSE-C) \u2013 You manage the encryption keys and Amazon S3\nmanages the encryption, as it writes to disks, and decryption, when you access\nyour objects. <\/li><\/ul>\n\n\n\n
Client-side encryption is the act of encrypting data before\nsending it to Amazon S3. To enable client-side encryption, you have the\nfollowing options:<\/p>\n\n\n\n
Use an AWS KMS-managed customer master key.<\/li>
Use a client-side master key.<\/li><\/ul>\n\n\n\n
The following AWS SDKs support client-side encryption:<\/p>\n\n\n\n
AWS SDK for .NET<\/li>
AWS SDK for Go<\/li>
AWS SDK for Java<\/li>
AWS SDK for PHP<\/li>
AWS SDK for Ruby<\/li>
AWS SDK for C++<\/li><\/ul>\n\n\n\n
Sample Implementation<\/strong><\/p>\n\n\n\n
<\/figure><\/div>\n\n\n\n
In above diagram:<\/p>\n\n\n\n
The administrator encrypts a secret password by\nusing KMS. The encrypted password is stored in a file.<\/li>
The administrator puts the file containing the\nencrypted password in an S3 bucket.<\/li>
At instance boot time, the instance copies the\nencrypted file to an internal disk.<\/li>
The EC2 instance then decrypts the file using\nKMS and retrieves the plaintext password. The password is used to configure the\nLinux encrypted file system with LUKS. All data written to the encrypted file\nsystem is encrypted by using an AES-256 encryption algorithm when stored on\ndisk.<\/li><\/ol>\n\n\n\n
Standards and Best Practices<\/h2>\n\n\n\n
A security assessment service, Amazon Inspector,\nthat automatically assesses applications for vulnerabilities or deviations from\nbest practices, including impacted networks, OS, and attached storage <\/li>
Deployment tools to manage the creation and\ndecommissioning of AWS resources according to organization standards<\/li>
Inventory and configuration management tools,\nincluding AWS Config, that identify AWS resources and then track and manage\nchanges to those resources over time<\/li>
Template definition and management tools,\nincluding AWS CloudFormation to create standard, preconfigured environments <\/li><\/ul>\n\n\n\n
Amazon Inspector<\/strong><\/p>\n\n\n\n
It is an automated security assessment service <\/li>
Improve the security and compliance of applications\ndeployed on AWS. <\/li>
Automatically assesses applications for\nexposure, vulnerabilities, and deviations from best practices. After\nassessment, it produces a detailed list of security findings prioritized by\nlevel of severity. <\/li><\/ul>\n\n\n\n
AWS Config <\/strong><\/p>\n\n\n\n
It provides a detailed view of the resources\nassociated with your AWS account, <\/li>
It includes
how resources are configured<\/li><\/ul>
how they are related to one another<\/li><\/ul>
how the\nconfigurations and their relationships have changed over time<\/li><\/ul><\/li>
It continuously monitors and records your AWS\nresource configurations <\/li>
You can automate the evaluation of recorded\nconfigurations against desired configurations. <\/li><\/ul>\n\n\n\n
<\/p>\n\n\n\n
<\/figure><\/div>\n\n\n\n
Monitoring and Logging<\/h2>\n\n\n\n
Deep visibility into API calls through AWS\nCloudTrail, including who, what, who, and from where calls were made<\/li>
Log aggregation options, streamlining\ninvestigations and compliance reporting<\/li>
Alert notifications through Amazon CloudWatch\nwhen specific events occur or thresholds are exceeded <\/li><\/ul>\n\n\n\n
AWS CloudTrail<\/strong><\/p>\n\n\n\n
It helps you enable governance, compliance, and\noperational and risk auditing. <\/li>
Actions taken by a user, role, or an AWS service\nare recorded as events in CloudTrail. <\/li>
Events include actions taken in the AWS\nManagement Console, AWS Command Line Interface, and AWS SDKs and APIs.<\/li>
CloudTrail is enabled on your AWS account when\nyou create it. <\/li><\/ul>\n\n\n\n
<\/figure><\/div>\n\n\n\n
Identity and Access Control<\/h2>\n\n\n\n
AWS Identity and Access Management (IAM) lets\nyou define individual user accounts with permissions across AWS resources<\/li>
AWS Multi-Factor Authentication for privileged\naccounts, including options for hardware-based authenticators<\/li>
AWS Directory Service allows you to integrate\nand federate with corporate directories to reduce administrative overhead and\nimprove end-user experience <\/li><\/ul>\n\n\n\n
With MFA, when a user signs in to an AWS\nwebsite, they will be prompted for
their user name and password (the first\nfactor\u2014what they know)<\/li><\/ul>
an authentication response from their AWS MFA\ndevice (the second factor\u2014what they have)<\/li><\/ul><\/li>
Multiple factors provide increased security for\nAWS account settings and resources. <\/li>
Enable MFA for AWS account and for individual\nIAM users created under account. <\/li>
MFA can be also be used to control access to AWS\nservice APIs.<\/li><\/ul>\n\n\n\n
Supported MFA mechanism other than, regular sign-in\ncredentials, are<\/p>\n\n\n\n
Virtual MFA devices. A software app that runs on\na phone or other mobile device and emulates a physical device. The device\ngenerates a six-digit numeric code based upon a time-synchronized one-time\npassword algorithm. The user must type a valid code from the device on a second\nwebpage during sign-in. Each virtual MFA device assigned to a user must be\nunique. A user cannot type a code from another user’s virtual MFA device to\nauthenticate. <\/li>
U2F security key. A device that you plug into a\nUSB port on your computer. U2F is an open authentication standard hosted by the\nFIDO Alliance. When you enable a U2F security key, you sign in by entering your\ncredentials and then tapping the device instead of manually entering a code. <\/li>
Hardware MFA device. A hardware device that\ngenerates a six-digit numeric code based upon a time-synchronized one-time\npassword algorithm. The user must type a valid code from the device on a second\nwebpage during sign-in. Each MFA device assigned to a user must be unique. A\nuser cannot type a code from another user’s device to be authenticated. <\/li>
SMS text message-based MFA. A type of MFA in\nwhich the IAM user settings include the phone number of the user’s\nSMS-compatible mobile device. When the user signs in, AWS sends a six-digit\nnumeric code by SMS text message to the user’s mobile device. The user is\nrequired to type that code on a second webpage during sign-in. Note that\nSMS-based MFA is available only for IAM users. You cannot use this type of MFA\nwith the AWS account root user.<\/li><\/ul>\n\n\n\n
Security Support<\/h2>\n\n\n\n
Real-time insight through AWS Trusted Advisor<\/li>
Proactive support and advocacy with a Technical\nAccount Manager (TAM) <\/li><\/ul>\n\n\n\n
Compliance Assurance Programs<\/h2>\n\n\n\n
From certifications, regulations to frameworks, AWS has you\ncovered. Some of those included are:<\/p>\n\n\n\n
![\"define](\"https:\/\/www.testpreptraining.ai\/tutorial\/wp-content\/uploads\/2019\/07\/define-aws-cloud-security-and-compliance-concepts-476x400.png\")
<\/figure><\/div>\n\n\n\n![\"define](\"https:\/\/www.testpreptraining.ai\/tutorial\/wp-content\/uploads\/2019\/07\/define-aws-cloud-security-and-compliance-concepts-01-750x271.png\")
<\/figure><\/div>\n\n\n\n![\"\"](\"https:\/\/www.testpreptraining.ai\/tutorial\/wp-content\/uploads\/2019\/07\/define-aws-cloud-security-and-compliance-concepts-02-399x400.png\")
<\/figure><\/div>\n\n\n\n![\"\"](\"https:\/\/www.testpreptraining.ai\/tutorial\/wp-content\/uploads\/2019\/07\/define-aws-cloud-security-and-compliance-concepts-03-750x353.png\")
<\/figure><\/div>\n\n\n\n![\"\"](\"https:\/\/www.testpreptraining.ai\/tutorial\/wp-content\/uploads\/2019\/07\/define-aws-cloud-security-and-compliance-concepts-04-750x191.png\")
<\/figure><\/div>\n\n\n\n