Notes from the course:

AWS OpsWorks, AWS CodeDeploy - automation, repeatable processes.
AWS Trusted Advisor - warns you about possible security holes.

IAM STUFF
· IAM policy is global for users, groups and roles.
· Three different types of IAM policies: AWS managed policies, customer managed policies, inline policies.
· Explicit deny trumps allow. Default deny - least privilege.
· Resource: arn:aws:s3:::yourbucketnamehere
· aws:SecureTransport condition key - deny when it is false to enforce HTTPS.

Cross region replication is always done with SSL.
· One destination, one source.
· Versioning needs to be enabled.
· Must have READ and READ_ACP permissions.
· IAM role must have permissions to replicate objects into the destination bucket (cross region, cross account).
· Ownership can be changed for the destination.
· Can replicate encrypted objects, with options for which keys are used.
· Will not replicate deletes.

CloudFront custom SSL certificates must be registered in the us-east-1 region (northern Virginia).
Presigned URLs - use the SDK or CLI; the default expiry is 1 hr for S3 presigned URLs.

STS
1. App calls the identity broker (LDAP validation or whatever).
2. Broker calls GetFederationToken using IAM creds.
3. STS confirms permissions and grants access.
4. Identity broker gives access to the app.

Cognito
· Allows sign-up and sign-in.
· Access for guest users.
· Acts as identity broker.
· Syncs user data across multiple devices.
· Recommended for mobile apps.
· Cognito user pools are directories that can be signed into directly or via federation (sign up or sign in).
· Successful auth via user pools generates a number of JSON web tokens.
· Identity pools create unique identities, with which you can obtain temporary AWS creds (permissions).
· JWT tokens can be exchanged with an identity pool.

WORM - write once read many.
SCP only denies, it never allows access.
IAM credential report - permissions needed: GenerateCredentialReport, GetCredentialReport.

CloudTrail
· Near-real-time intrusion detection - up to 15 mins.
· Can be aggregated across accounts and regions.
· Enabled by default; 7 days.

VCD airfare equivalency statement. Driving vs airfare.
Rent one. Some employees use their own RV, staying at one of these camps. Find out from an auditor how that gets expensed. Rent an RV - only vehicle RVs are compact thru full sized cars. Waiver cause I need to have a waiver signed by myself, manager and VP of finance for the sector. Paid and reimbursed, BCD Travel for airfare equivalency statement. Cost $200 round trip, $800 to drive and rent. Waivers to do that.

CloudTrail will only log API-level stuff, not SSH logins to terminals, etc.
For log file integrity validation use CloudTrail SHA-256 hashing (and SHA-256 with RSA for signing). Use digest files; use SNS to validate the logs.

AWS Config is a service that enables you to assess, audit, and evaluate the configurations of your AWS resources. Config continuously monitors and records your AWS resource configurations and allows you to automate the evaluation of recorded configurations against desired configurations. AWS Config is region by region but allows for aggregation. AWS Config needs read access to resources and write access to S3.

Alert for when the root user logs in: turn on CloudTrail - CloudWatch Logs integration, create a metric filter, create an alarm.

CloudHSM - the crypto officer can provision users; the crypto user can only interact with keys. Use CloudTrail to log API calls. Allows symmetric and asymmetric keys, unlike KMS, which only does symmetric. FIPS 140-2 and EAL-4 compliant HSM.

Inspector vs Trusted Advisor - Inspector is an assessment service that finds vulnerabilities via agents and compares against CIS and other benchmarks. Trusted Advisor is for optimizing your AWS environment: security (basic checks), cost optimization, fault tolerance, performance.
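Added example, not part of the course notes: the root-login alarm above hangs off a CloudWatch Logs metric filter. This Python applies the same filter logic to constructed CloudTrail records, so you can see which events would (and would not) trip the alarm. The filter pattern is the one AWS documents for root activity; the account id, IP address and events are constructed sample data.

```python
import json

# Metric filter pattern AWS documents for a root-activity CloudWatch alarm
# (the pattern is real; every event below is constructed sample data).
ROOT_FILTER = ('{ $.userIdentity.type = "Root" && $.userIdentity.invokedBy NOT EXISTS '
               '&& $.eventType != "AwsServiceEvent" }')

def matches_root_filter(event: dict) -> bool:
    """Python equivalent of ROOT_FILTER for a single CloudTrail record."""
    ident = event.get("userIdentity", {})
    return (ident.get("type") == "Root"
            and "invokedBy" not in ident          # a service acting for root does not count
            and event.get("eventType") != "AwsServiceEvent")

def root_console_logins(log_lines):
    """Return (eventTime, sourceIPAddress, outcome) for every root console
    sign-in attempt in a stream of one-JSON-record-per-line CloudTrail events.
    Failed attempts are reported too: they are worth an alarm as well."""
    hits = []
    for line in log_lines:
        ev = json.loads(line)
        if matches_root_filter(ev) and ev.get("eventName") == "ConsoleLogin":
            outcome = ev.get("responseElements", {}).get("ConsoleLogin")
            hits.append((ev["eventTime"], ev.get("sourceIPAddress"), outcome))
    return hits

def _event(ident, **extra):
    """Build a constructed ConsoleLogin record in CloudTrail's shape."""
    base = {"eventVersion": "1.08", "eventTime": "2024-01-01T00:00:00Z",
            "eventSource": "signin.amazonaws.com", "eventName": "ConsoleLogin",
            "eventType": "AwsConsoleSignIn", "sourceIPAddress": "203.0.113.7",
            "responseElements": {"ConsoleLogin": "Success"}, "userIdentity": ident}
    base.update(extra)
    return json.dumps(base)

ROOT = {"type": "Root", "principalId": "111122223333",
        "arn": "arn:aws:iam::111122223333:root", "accountId": "111122223333"}
SAMPLE_LOG = [
    _event(ROOT),                                                 # real root sign-in
    _event(ROOT, responseElements={"ConsoleLogin": "Failure"}),   # failed root attempt
    _event({"type": "IAMUser", "userName": "alice"}),             # IAM user, ignored
    _event(dict(ROOT, invokedBy="cloudformation.amazonaws.com")), # service on behalf of root
    _event(ROOT, eventType="AwsServiceEvent"),                    # excluded by the filter
]

if __name__ == "__main__":
    for hit in root_console_logins(SAMPLE_LOG):
        print("ROOT CONSOLE LOGIN:", hit)
```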
KMS
· KMS is region based.
· A CMK has an alias, creation date, description, key state and key material; the key material cannot be exported.
· Own key material - can delete key material without the 7-30 day wait.
· Resilient to AWS failures if you import your own key material.
· Imported key material - availability and durability are different; secure key generation is up to you; no automatic rotation; ciphertexts are not portable between CMKs.
· AWS managed keys rotate every 3 years - you cannot delete these keys.
· Customer managed CMK - rotation is disabled by default, but you can enable it (every year). CMKs can be deleted.
· CMK with imported key material - no auto rotation. You need to manually update applications to use the new CMK.

Dedicated instances may share hardware with other instances from your own account; otherwise AWS makes sure the hardware is not shared.
Dedicated host - physical dedication, control over the host. Same-host deployment. Good for server licenses tied to the host, and good for compliance.
Choose HVM over PV when possible. PV is isolated by layers: the guest OS sits on layer 1, apps on layer 3.
AWS admins have access to hypervisors. AWS staff do not have access to EC2 instances. All memory and RAM is scrubbed between guests.

KMS grants cannot be used for deny, only allow. Use key policies for explicit deny. Grants are temporary, for granular permissions.
KMS policy conditions let you specify conditions that must be true for the policy to take effect. kms:ViaService allows based on the originating service, like S3; the services specified must be integrated with KMS, like S3, EBS, RDS, Systems Manager and Lambda.
For KMS cross account, you need to enable cross-account access: enable access in the key policy on the KMS owner side, and access in the IAM policy of the external account too.

ECS and EKS
· Fargate is serverless. You can also run on managed EC2 clusters.
· ECS - deep integration with other AWS services.
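Added example (not from the course or these notes): a small Python evaluator for the decision order the IAM notes give (explicit deny beats allow, otherwise default deny), run over a constructed bucket policy that uses aws:SecureTransport and a constructed key policy that uses kms:ViaService from the KMS section above. It assumes policies in the usual Statement/Effect/Action/Resource/Condition shape with Version and Principal omitted, and implements only the Bool and StringEquals condition operators.

```python
import fnmatch

def _as_list(spec):
    return [spec] if isinstance(spec, str) else list(spec)

def _any_match(patterns, value):
    """IAM-style wildcard match for Action and Resource (* and ?)."""
    return any(fnmatch.fnmatchcase(value, p) for p in _as_list(patterns))

def _conditions_hold(condition, ctx):
    """Only the two operators these notes rely on: Bool (aws:SecureTransport) and
    StringEquals (kms:ViaService). A key missing from the request context makes
    the condition false, so the statement simply does not apply."""
    for operator, pairs in condition.items():
        for key, expected in pairs.items():
            actual = ctx.get(key)
            if actual is None:
                return False
            if operator == "Bool" and str(actual).lower() != str(expected).lower():
                return False
            if operator == "StringEquals" and actual not in _as_list(expected):
                return False
    return True

def evaluate(policies, action, resource, ctx):
    """Decision logic from the notes: an explicit Deny wins over any Allow, and
    with no matching Allow the default is Deny (least privilege)."""
    allowed = False
    for policy in policies:
        for stmt in policy["Statement"]:
            if not (_any_match(stmt["Action"], action)
                    and _any_match(stmt["Resource"], resource)
                    and _conditions_hold(stmt.get("Condition", {}), ctx)):
                continue
            if stmt["Effect"] == "Deny":
                return "Deny"
            allowed = True
    return "Allow" if allowed else "Deny"

BUCKET = "arn:aws:s3:::yourbucketnamehere"   # bucket ARN from the notes
# Constructed bucket policy: allow object reads, but deny everything over plain HTTP.
S3_POLICY = {"Statement": [
    {"Effect": "Allow", "Action": "s3:GetObject", "Resource": BUCKET + "/*"},
    {"Effect": "Deny", "Action": "s3:*", "Resource": [BUCKET, BUCKET + "/*"],
     "Condition": {"Bool": {"aws:SecureTransport": "false"}}}]}
# Constructed key policy fragment: the CMK may only be used through S3 in us-east-1.
KMS_POLICY = {"Statement": [
    {"Effect": "Allow", "Action": "kms:Decrypt", "Resource": "*",
     "Condition": {"StringEquals": {"kms:ViaService": "s3.us-east-1.amazonaws.com"}}}]}
```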
ECS integrates with IAM, VPC and Route 53, and is used internally by Lex and amazon.com.
EKS - Certified Kubernetes Conformant; open source tooling.
Container security:
· Don't store secrets in containers - use Secrets Manager.
· Use IAM roles instead of user creds.
· Don't run containers as root.
· One service per container.
· Use trusted images only - use image scanning; Elastic Container Service can do that for you.
· Use ECS interface endpoints instead of sending VPC traffic via the internet.

VPC
· One IGW per VPC.

NAT instance vs NAT Gateway
NAT instance:
· Need to disable source/dest checks.
· Must be on a public subnet.
· Route out of the private subnet to the NAT instance.
· Throughput depends on instance size and traffic.
· Sits behind a security group.
· High availability needs multiple subnets and scripts to automate failover.
NAT Gateway:
· Scales up to 10 Gbps.
· No need to patch.
· Not associated with security groups.
· Managed by Amazon.
· Automatically assigned a public IP address.
· Update route tables.
· No need to disable source/dest checks.
· More secure than NAT instances.

NACL
· Comes with a default NACL that allows all inbound and outbound.
· Custom NACLs deny all inbound and outbound until you add rules.
· A subnet must be associated with only one NACL; a NACL can be attached to multiple subnets.
· Rules are evaluated in order (by rule number); NACLs are evaluated before security group rules.
· NACLs are stateless, and have separate inbound and outbound rules.

ALBs need to be in two availability zones.
VPC Flow Logs - not all traffic is monitored: DNS server traffic, Amazon Windows license activation, metadata server, DHCP traffic, reserved IP address traffic.
Session Manager allows browser-based CLI, PowerShell, SDK and bash for Windows and Linux. Session Manager works on-prem as well; auditable, centralized access control.

Student notes
Anthea - S3 scanning, like for S3.
Macie - looks for sensitive data stored in S3. Finds PII. Does dashboards, reporting, and alerts; works with data stored in S3; analyzes CloudTrail logs; great for PCI-DSS and preventing ID theft. Can classify your data by type, theme, extension, regex.
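Added example (not from the notes): a Python model of the NACL behaviour described above - numbered rules checked in ascending order, first match wins, implicit deny at the end - and of why stateless rules need an outbound ephemeral-port rule or return traffic is dropped. The rule sets, CIDRs and addresses are constructed; the tuple layout mirrors the console columns.

```python
from ipaddress import ip_address, ip_network

# Constructed custom NACL in the console's shape: (rule number, protocol,
# (low port, high port), CIDR, action). Every NACL ends with an implicit "*"
# rule that denies whatever no numbered rule matched.
INBOUND = [
    (100, "tcp", (443, 443), "0.0.0.0/0", "allow"),
    (110, "tcp", (22, 22), "10.0.0.0/16", "allow"),      # SSH from the corp range only
    (120, "tcp", (22, 22), "0.0.0.0/0", "deny"),         # never reached for 10.0.0.0/16
]
# The stateless mistake: only the request direction was thought about.
OUTBOUND_BROKEN = [
    (100, "tcp", (443, 443), "0.0.0.0/0", "allow"),
]
# Corrected: the reply to an inbound request leaves on the client's ephemeral port.
OUTBOUND_FIXED = OUTBOUND_BROKEN + [
    (110, "tcp", (1024, 65535), "0.0.0.0/0", "allow"),
]

def evaluate_nacl(rules, proto, port, peer_ip):
    """First match in ascending rule-number order wins; no match is the '*' deny."""
    addr = ip_address(peer_ip)
    for _number, rproto, (lo, hi), cidr, action in sorted(rules, key=lambda r: r[0]):
        if rproto in ("all", proto) and lo <= port <= hi and addr in ip_network(cidr):
            return action
    return "deny"

def tcp_flow(inbound, outbound, client_ip, client_port, server_port):
    """A NACL is stateless: the request must pass the inbound rules (dest port =
    server port, source = client) AND the reply must pass the outbound rules
    (dest port = the client's ephemeral port, dest = client). Returns both verdicts."""
    request = evaluate_nacl(inbound, "tcp", server_port, client_ip)
    reply = evaluate_nacl(outbound, "tcp", client_port, client_ip)
    return request, reply
```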
GuardDuty - uses machine learning to find malicious behavior like unusual API calls, disabling CloudTrail logging, unauthorized deployments, compromised instances, recon by would-be attackers, port scanning, failed logins. Receives feeds from third parties with domains/IP addresses that may be malicious; monitors CloudTrail, VPC and DNS logs. Alerts appear in the GuardDuty console and in CloudWatch Events. Can centralize threat detection across multiple AWS accounts. Automated response using CloudWatch Events and Lambda. Takes 7-14 days to set a baseline in the account.

Secrets Manager is mostly for database creds and API/SSH keys, and rotates secrets; you have to pay for it. Once you enable rotation it will immediately rotate once to test the config.
Parameter Store is for passwords, database strings, licence codes, parameter values, config data. Allows user-defined parameters, which can be encrypted or cleartext. No additional charge; integrated with AWS Systems Manager.

Simple Email Service (SES) - cloud-based email service. Supports sending or receiving emails, marketing/transactional emails, and email notifications from apps. Standard SMTP interface; can be used via API and SDK. Must be via encrypted TLS. The security group needs to allow port 25 (default), which will be throttled, but you can avoid timeouts using port 587 or 2587.

Security Hub - central hub for security alerts. Has automated checks for PCI-DSS and CIS. Ongoing security audit for accounts. Integrates with GuardDuty, Macie, Inspector, IAM Access Analyzer (scans policies attached to AWS resources for external access), Firewall Manager, 3rd party tools, CloudWatch Events + Lambda.

Network Packet Inspection - deep packet inspection; checks for non-compliant protocols, viruses, spam, intrusions. Can block, reroute or log. IDS/IPS combined with a traditional firewall. AWS provides VPC Flow Logs, AWS WAF, and iptables/Windows Firewall, which are not network packet inspection. Alert Logic, Trend Micro, and McAfee will help with NPI.
ADFS - Active Directory Federation Services; SSO and ID broker service.
SAML 2.0 - enables SSO for AWS accounts. Open source.
AD federation with AWS:
1. Corporate user accesses the ADFS portal sign-in and provides AD username and password.
2. ADFS authenticates the user against AD.
3. AD returns the user's info, including groups.
4. ADFS sends a SAML token to the browser, which sends the token to the AWS sign-in endpoint.
5. The AWS sign-in endpoint makes an STS AssumeRoleWithSAML request and STS returns temp creds.
6. User is authenticated and can access the AWS console.

AWS Artifact - central repo for compliance info.

LAMBDA:
· Execution role - permissions of the Lambda function.
· Function policy - defines the services that can invoke the Lambda.