Amazon Macie
Macie is a fully managed service that continuously monitors S3 data access activity for anomalies, and generates detailed alerts when it detects risk of unauthorized access or inadvertent data leaks.
Macie uses machine learning to analyze your CloudTrail logs (S3 API activity) and raise alerts.
Macie raises a variety of alert types:
Anonymized Access
Location Anomaly
Config Compliance
Open Permissions
Credential Loss
Privilege Escalation
Data Compliance
Ransomware
File Hosting
Service Disruption
Identity Enumeration
Suspicious Access
Information Loss
Macie also identifies your most at-risk users, i.e. the identities whose compromise would most likely lead to a data breach.
Note: the alert list above describes Macie Classic. Since its 2020 relaunch, Macie is primarily a sensitive-data discovery service: it scans S3 objects for PII, credentials and other sensitive data using managed and custom data identifiers, and reports bucket-level security findings (public, unencrypted, or externally shared buckets) to Security Hub and EventBridge.
AWS Virtual Private Network (VPN)
- AWS VPN lets you establish a secure and private tunnel from your network or device to the AWS global network
AWS Site-to-Site VPN
- securely connect on-premises network or branch office site to VPC
AWS Client VPN
- securely connect users to AWS or on-premises networks
What is IPSec?
- Internet Protocol Security (IPsec) is a protocol suite that authenticates and encrypts IP packets to provide secure communication between two endpoints over an IP network. It is what Site-to-Site VPN uses: each VPN connection consists of two IPsec tunnels to separate AWS endpoints for redundancy. Client VPN, by contrast, is OpenVPN-based (TLS rather than IPsec).
AWS WAF
AWS Web Application Firewall (WAF) protects your web applications from common web exploits.
Write your own rules to ALLOW or BLOCK (or COUNT) traffic based on the contents of an HTTP request: URI path, headers, query string, body, source IP, request rate.
Use a ruleset from a trusted AWS Security Partner in the AWS WAF Rules Marketplace, or one of the AWS managed rule groups (e.g. the Common Rule Set, SQLi and Known Bad Inputs groups).
WAF can be attached to CloudFront distributions, Application Load Balancers, API Gateway REST APIs and AppSync GraphQL APIs (not to Network or Classic Load Balancers).
Helps protect web applications from the attacks in the OWASP Top 10 (the 2017 list, below). Only the request-level items (injection, XSS, some misconfigurations) are things a WAF can catch; broken authentication or insufficient logging and monitoring are application design problems a WAF cannot fix.
Injection
Broken Authentication
Sensitive data exposure
XML External Entities (XXE)
Broken Access control
Security misconfigurations
Cross Site Scripting (XSS)
Insecure Deserialization
Using Components with known vulnerabilities
Insufficient logging and monitoring
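Added example (not part of the original notes, and not AWS code): what "write your own rules" looks like in practice, as a WAFv2 web ACL definition built in Python with a small check for the constraints WAF rejects (duplicate priorities or names, a managed rule group given an Action instead of OverrideAction). The rule names, the /admin path prefix, the 2000-requests-per-5-minutes limit and the ACL name are illustrative choices; the create_web_acl call at the bottom is commented out because it needs boto3 and credentials.

```python
"""Build and sanity-check an AWS WAFv2 web ACL definition (added example)."""
import json


def visibility(name):
    """CloudWatch metric settings that every rule, and the ACL itself, must carry."""
    return {"SampledRequestsEnabled": True, "CloudWatchMetricsEnabled": True, "MetricName": name}


def managed_rule_group(name, priority, vendor="AWS"):
    """Reference a vendor rule group. Managed groups take OverrideAction, never Action."""
    return {
        "Name": name,
        "Priority": priority,
        "OverrideAction": {"None": {}},
        "Statement": {"ManagedRuleGroupStatement": {"VendorName": vendor, "Name": name}},
        "VisibilityConfig": visibility(name),
    }


def block_path_prefix(name, priority, prefix):
    """Custom rule: block any request whose URI path starts with `prefix` (case-insensitive)."""
    return {
        "Name": name,
        "Priority": priority,
        "Action": {"Block": {}},
        "Statement": {"ByteMatchStatement": {
            "SearchString": prefix.encode(),          # the API takes bytes
            "FieldToMatch": {"UriPath": {}},
            "TextTransformations": [{"Priority": 0, "Type": "LOWERCASE"}],
            "PositionalConstraint": "STARTS_WITH",
        }},
        "VisibilityConfig": visibility(name),
    }


def rate_limit_by_ip(name, priority, limit):
    """Rate-based rule: block a source IP that exceeds `limit` requests in a 5-minute window."""
    return {
        "Name": name,
        "Priority": priority,
        "Action": {"Block": {}},
        "Statement": {"RateBasedStatement": {"Limit": limit, "AggregateKeyType": "IP"}},
        "VisibilityConfig": visibility(name),
    }


def build_web_acl(name):
    """Regional web ACL (for an ALB/API Gateway); use Scope CLOUDFRONT for a distribution."""
    return {
        "Name": name,
        "Scope": "REGIONAL",
        "DefaultAction": {"Allow": {}},   # allow-list the rest; rules only block
        "Rules": [
            managed_rule_group("AWSManagedRulesCommonRuleSet", 0),
            managed_rule_group("AWSManagedRulesSQLiRuleSet", 1),
            block_path_prefix("BlockAdminPath", 2, "/admin"),   # illustrative path
            rate_limit_by_ip("RateLimitPerIp", 3, 2000),         # illustrative limit
        ],
        "VisibilityConfig": visibility(name),
    }


def validate_web_acl(acl):
    """Return the problems WAF would reject the ACL for; an empty list means it is valid."""
    problems, names, priorities = [], set(), set()
    for rule in acl["Rules"]:
        if rule["Name"] in names:
            problems.append(f"duplicate rule name {rule['Name']}")
        if rule["Priority"] in priorities:
            problems.append(f"duplicate priority {rule['Priority']}")
        names.add(rule["Name"])
        priorities.add(rule["Priority"])
        has_action, has_override = "Action" in rule, "OverrideAction" in rule
        if has_action == has_override:
            problems.append(f"{rule['Name']}: exactly one of Action/OverrideAction is required")
        if "ManagedRuleGroupStatement" in rule["Statement"] and not has_override:
            problems.append(f"{rule['Name']}: managed rule groups need OverrideAction")
        if "VisibilityConfig" not in rule:
            problems.append(f"{rule['Name']}: missing VisibilityConfig")
    return problems


if __name__ == "__main__":
    acl = build_web_acl("notes-example-acl")
    assert validate_web_acl(acl) == []
    print(json.dumps(acl, indent=2, default=bytes.decode))
    # Hypothetical deployment (needs boto3 and credentials):
    # import boto3; boto3.client("wafv2").create_web_acl(**acl)
```

Rules are evaluated in priority order and the first terminating action wins, so the managed groups run before the custom rules here; the default action only applies to requests no rule matched.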
Hardware Security Module (HSM)
A Hardware Security Module (HSM) is a dedicated, tamper-resistant piece of hardware designed to generate, store and use cryptographic keys.
Keys are generated and used inside the HSM and never leave it in plaintext; the device is built to zeroize its keys if tampered with.
Federal Information Processing Standard (FIPS) 140-2: a US and Canadian government standard that specifies the security requirements for cryptographic modules that protect sensitive information. Levels run from 1 to 4; Level 2 requires tamper evidence and role-based authentication, Level 3 adds physical tamper resistance and identity-based authentication.
In AWS terms: KMS, which is multi-tenant (multiple customers logically isolated on shared HSMs), was validated at FIPS 140-2 Level 2 and has since been revalidated at Level 3; CloudHSM, which is single-tenant (one customer on a dedicated HSM), is FIPS 140-2 Level 3. Tenancy itself does not set the level; the validated hardware and its tamper protections do.
AWS Key Management Service
AWS Key Management Service (KMS) is a managed service that makes it easy for you to create and control the encryption keys used to encrypt your data
KMS is a managed service backed by multi-tenant HSMs (hardware security modules); the key material never leaves those HSMs in plaintext
Many AWS services are integrated with KMS so you can encrypt your data with a simple checkbox
Envelope Encryption
When you encrypt your data, the data is protected, but now you have to protect the encryption key.
Envelope encryption adds a layer: encrypt the data locally with a one-off data key, then encrypt (wrap) that data key with a master key (the KMS key) and store the wrapped data key alongside the ciphertext. To decrypt, ask KMS to unwrap the data key, then decrypt the data locally. Only the small data key ever goes to KMS, so large objects never leave your side, and rotating or revoking the master key controls access to every data key it wrapped.
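Added example (not from the notes, not AWS code) showing the envelope pattern end to end: a FakeKms class stands in for a KMS key (the master key never leaves it, callers only receive data keys), each object gets a fresh data key, and the wrapped data key is stored in front of the ciphertext. The authenticated cipher is a stand-in built from HMAC-SHA256 (encrypt-then-MAC over a counter-mode keystream) so the file runs with the standard library alone; real code would use AES-GCM and KMS GenerateDataKey/Decrypt, typically via the AWS Encryption SDK. The encryption context string is an illustrative value.

```python
"""Envelope encryption with a simulated KMS (added example)."""
import hashlib
import hmac
import os
import struct

NONCE_LEN = 16
TAG_LEN = 32


def _subkey(key, label):
    """Derive separate encryption and MAC keys from one 256-bit key."""
    return hmac.new(key, label, hashlib.sha256).digest()


def _keystream(enc_key, nonce, length):
    """Counter-mode keystream: HMAC(enc_key, nonce || counter) blocks."""
    out, counter = b"", 0
    while len(out) < length:
        out += hmac.new(enc_key, nonce + struct.pack(">Q", counter), hashlib.sha256).digest()
        counter += 1
    return out[:length]


def aead_encrypt(key, plaintext, aad=b""):
    """Encrypt-then-MAC stand-in for AES-GCM. Returns nonce || tag || ciphertext."""
    nonce = os.urandom(NONCE_LEN)
    stream = _keystream(_subkey(key, b"enc"), nonce, len(plaintext))
    ciphertext = bytes(p ^ k for p, k in zip(plaintext, stream))
    # Length-prefix the AAD so (aad, ciphertext) boundaries are unambiguous.
    mac_input = nonce + struct.pack(">Q", len(aad)) + aad + ciphertext
    tag = hmac.new(_subkey(key, b"mac"), mac_input, hashlib.sha256).digest()
    return nonce + tag + ciphertext


def aead_decrypt(key, blob, aad=b""):
    """Verify the tag in constant time before decrypting anything."""
    nonce, tag, ciphertext = blob[:NONCE_LEN], blob[NONCE_LEN:NONCE_LEN + TAG_LEN], blob[NONCE_LEN + TAG_LEN:]
    mac_input = nonce + struct.pack(">Q", len(aad)) + aad + ciphertext
    expected = hmac.new(_subkey(key, b"mac"), mac_input, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("authentication failed: ciphertext or context was tampered with")
    stream = _keystream(_subkey(key, b"enc"), nonce, len(ciphertext))
    return bytes(c ^ k for c, k in zip(ciphertext, stream))


class FakeKms:
    """Stand-in for a KMS key: the master key stays inside, callers only get data keys."""

    def __init__(self):
        self._master_key = os.urandom(32)   # never returned to callers

    def generate_data_key(self, context=b""):
        """Like KMS GenerateDataKey: (plaintext data key, data key wrapped under the master key)."""
        data_key = os.urandom(32)
        return data_key, aead_encrypt(self._master_key, data_key, context)

    def decrypt_data_key(self, wrapped, context=b""):
        """Like KMS Decrypt: unwraps only if the same encryption context is supplied."""
        return aead_decrypt(self._master_key, wrapped, context)


def envelope_encrypt(kms, plaintext, context=b""):
    """One fresh data key per object; the wrapped key travels with the ciphertext."""
    data_key, wrapped = kms.generate_data_key(context)
    body = aead_encrypt(data_key, plaintext, context)
    return struct.pack(">H", len(wrapped)) + wrapped + body   # plaintext data_key is dropped here


def envelope_decrypt(kms, blob, context=b""):
    """Ask KMS to unwrap the data key, then decrypt the body locally."""
    (wrapped_len,) = struct.unpack(">H", blob[:2])
    wrapped = blob[2:2 + wrapped_len]
    data_key = kms.decrypt_data_key(wrapped, context)
    return aead_decrypt(data_key, blob[2 + wrapped_len:], context)


def try_decrypt(kms, blob, context=b""):
    """Plaintext, or None when the blob or the context fails authentication."""
    try:
        return envelope_decrypt(kms, blob, context)
    except ValueError:
        return None


if __name__ == "__main__":
    kms = FakeKms()
    ctx = b"bucket=reports,key=q3.csv"       # illustrative encryption context, as with KMS
    blob = envelope_encrypt(kms, b"quarterly numbers", ctx)
    print(try_decrypt(kms, blob, ctx))                       # b'quarterly numbers'
    damaged = bytearray(blob); damaged[-1] ^= 1
    print(try_decrypt(kms, bytes(damaged), ctx))             # None: tag check failed
    print(try_decrypt(kms, blob, b"other"))                  # None: context mismatch at unwrap
```

The encryption context is bound into both the wrapped key and the body, which is what makes a ciphertext copied from one object into another fail to decrypt; with real KMS the same context must be passed to Decrypt and is logged in CloudTrail.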
CloudHSM
CloudHSM is a single-tenant HSM as a service that automates hardware provisioning, software patching, high availability and backups
AWS CloudHSM enables you to generate and use your encryption keys on a FIPS 140-2 Level 3 validated hardware.
Built on open HSM industry standards, so it integrates with:
PKCS#11
Java Cryptography Extensions (JCE)
Microsoft Cryptography API: Next Generation (CNG) libraries
You can also transfer your keys to other commercial HSM solutions to make it easy for you to migrate keys on or off of AWS.
Configure AWS KMS to use AWS CloudHSM cluster as a custom key store rather than the default KMS key store.
AWS Config
AWS Config is a governance tool for Compliance as Code (CoC).
You can create rules that will check to see if resources are configured the way you expect them to be.
If a resource drifts from the expected configuration you are notified, or AWS Config can auto-remediate (correct) the configuration back to the expected state; remediation runs as an SSM Automation document. Rules can be AWS managed or custom (a Lambda function that returns COMPLIANT or NON_COMPLIANT for each resource).
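Added example (not the notes' own code, not an AWS managed rule) of a custom AWS Config rule implemented as a Lambda function: it flags security groups that are open to 0.0.0.0/0 or ::/0 on any port not in an allow-list. evaluate_security_group is the pure check so it runs locally; lambda_handler is the entry point Config invokes and reports back with PutEvaluations. The rule parameter name authorizedTcpPorts and the sample configuration item (resource id, timestamp, rules) are constructed for the example, modeled on what Config records for AWS::EC2::SecurityGroup.

```python
"""Custom AWS Config rule: world-open security groups on unauthorized ports (added example)."""
import json

COMPLIANT, NON_COMPLIANT, NOT_APPLICABLE = "COMPLIANT", "NON_COMPLIANT", "NOT_APPLICABLE"
WORLD = {"0.0.0.0/0", "::/0"}


def _opened_ports(perm):
    """Ports one ipPermissions entry opens; {-1} means every port and protocol."""
    if perm.get("ipProtocol") == "-1":
        return {-1}
    lo, hi = perm.get("fromPort"), perm.get("toPort")
    if lo is None or hi is None or lo == -1:
        return {-1}
    return set(range(lo, hi + 1))


def _open_to_world(perm):
    """True if the entry lists an IPv4 or IPv6 any-address CIDR."""
    cidrs = set(perm.get("ipRanges") or [])
    cidrs |= {r.get("cidrIp") for r in perm.get("ipv4Ranges") or []}
    cidrs |= {r.get("cidrIpv6") for r in perm.get("ipv6Ranges") or []}
    return bool(cidrs & WORLD)


def evaluate_security_group(item, authorized_ports):
    """Compliance decision and annotation for one AWS::EC2::SecurityGroup configuration item."""
    if item.get("resourceType") != "AWS::EC2::SecurityGroup":
        return NOT_APPLICABLE, "not a security group"
    if item.get("configurationItemStatus") == "ResourceDeleted":
        return NOT_APPLICABLE, "resource deleted"
    offending = set()
    for perm in item.get("configuration", {}).get("ipPermissions", []):
        if not _open_to_world(perm):
            continue
        ports = _opened_ports(perm)
        if -1 in ports:
            return NON_COMPLIANT, "all traffic is open to the world"
        offending |= ports - authorized_ports
    if offending:
        return NON_COMPLIANT, f"open to the world on unauthorized ports {sorted(offending)}"
    return COMPLIANT, "world-reachable ports are all authorized"


def build_evaluation(event):
    """Parse the Config invocation (JSON strings inside JSON) into one PutEvaluations entry."""
    item = json.loads(event["invokingEvent"])["configurationItem"]
    params = json.loads(event.get("ruleParameters") or "{}")
    authorized = {int(p) for p in params.get("authorizedTcpPorts", "").split(",") if p.strip()}
    compliance, note = evaluate_security_group(item, authorized)
    return {
        "ComplianceResourceType": item["resourceType"],
        "ComplianceResourceId": item["resourceId"],
        "ComplianceType": compliance,
        "Annotation": note[:256],            # Config caps annotations at 256 characters
        "OrderingTimestamp": item["configurationItemCaptureTime"],
    }


def lambda_handler(event, context):
    """Lambda entry point: hand the verdict back to Config using the invocation's result token."""
    import boto3   # only needed inside Lambda
    evaluation = build_evaluation(event)
    boto3.client("config").put_evaluations(Evaluations=[evaluation], ResultToken=event["resultToken"])
    return evaluation


# Constructed sample invocation (configuration-change trigger); values are illustrative.
SAMPLE_EVENT = {
    "invokingEvent": json.dumps({
        "messageType": "ConfigurationItemChangeNotification",
        "configurationItem": {
            "resourceType": "AWS::EC2::SecurityGroup",
            "resourceId": "sg-0123456789abcdef0",
            "configurationItemStatus": "OK",
            "configurationItemCaptureTime": "2024-01-15T10:00:00.000Z",
            "configuration": {"ipPermissions": [
                {"ipProtocol": "tcp", "fromPort": 22, "toPort": 22, "ipRanges": ["0.0.0.0/0"]},
                {"ipProtocol": "tcp", "fromPort": 443, "toPort": 443, "ipv4Ranges": [{"cidrIp": "0.0.0.0/0"}]},
                {"ipProtocol": "tcp", "fromPort": 3306, "toPort": 3306, "ipRanges": ["10.0.0.0/8"]},
            ]},
        },
    }),
    "ruleParameters": json.dumps({"authorizedTcpPorts": "80,443"}),
    "resultToken": "example-token",
}

if __name__ == "__main__":
    print(build_evaluation(SAMPLE_EVENT))   # NON_COMPLIANT: port 22 is open to the world
```

The NON_COMPLIANT verdict is what a remediation action (for example an SSM Automation document that revokes the offending ingress rule) would key off; the annotation tells the operator which ports triggered it.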
AWS AppConfig
AWS AppConfig is used to automate the process of deploying application configuration changes (feature flags, tunables) to your application(s) in a controlled, gradual way.
You can write a validator to ensure the changed variable will not break your web-app
You can monitor deployments and automate integrations to catch errors or rollback.
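Added example (not from the notes) of such a validator, written as the Lambda function AppConfig can call before a deployment starts. AppConfig passes the new configuration base64-encoded in event["content"]; the function must raise to reject it and return normally to accept it. The configuration schema it enforces (feature flags with rollout percentages plus a request timeout) and the helper encode_event are assumptions made for this example.

```python
"""AWS AppConfig Lambda validator for a JSON feature-flag configuration (added example)."""
import base64
import json


def validate_config(config):
    """List the problems with a configuration; an empty list means it is safe to deploy."""
    if not isinstance(config, dict):
        return ["top level must be a JSON object"]
    problems = []
    flags = config.get("flags")
    if not isinstance(flags, dict) or not flags:
        problems.append("'flags' must be a non-empty object")
        flags = {}
    for name, flag in flags.items():
        if not isinstance(flag, dict) or not isinstance(flag.get("enabled"), bool):
            problems.append(f"flag {name!r}: 'enabled' must be true or false")
            continue
        pct = flag.get("rolloutPercent", 100)
        # bool is a subclass of int in Python, so exclude it explicitly
        if isinstance(pct, bool) or not isinstance(pct, int) or not 0 <= pct <= 100:
            problems.append(f"flag {name!r}: 'rolloutPercent' must be an integer 0..100")
    timeout = config.get("requestTimeoutMs", 1000)
    if isinstance(timeout, bool) or not isinstance(timeout, int) or not 100 <= timeout <= 30000:
        problems.append("'requestTimeoutMs' must be an integer between 100 and 30000")
    return problems


def lambda_handler(event, context):
    """AppConfig entry point. Any exception marks the version invalid; the deployment never starts."""
    try:
        config = json.loads(base64.b64decode(event["content"]))
    except (KeyError, ValueError) as exc:          # missing content, bad base64, bad JSON
        raise ValueError(f"content is not valid JSON: {exc}") from exc
    problems = validate_config(config)
    if problems:
        raise ValueError("; ".join(problems))
    return {"status": "valid"}


def encode_event(config):
    """Constructed helper: wrap a config dict the way AppConfig hands it to the validator."""
    return {"content": base64.b64encode(json.dumps(config).encode()).decode()}


if __name__ == "__main__":
    good = {"flags": {"newCheckout": {"enabled": True, "rolloutPercent": 10}}, "requestTimeoutMs": 2500}
    bad = {"flags": {"newCheckout": {"enabled": "yes", "rolloutPercent": 150}}, "requestTimeoutMs": 5}
    print(lambda_handler(encode_event(good), None))   # {'status': 'valid'}
    print(validate_config(bad))                        # two problems listed
```

Pair the validator with a deployment strategy that rolls the change out gradually and a CloudWatch alarm as the rollback trigger: the validator catches malformed values, the alarm catches values that are well-formed but wrong for production.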
SNS and SQS Connect Apps via Messages
SNS (Simple Notification Service)
Passes messages along, e.g. pub/sub
Sends notifications to subscribers of topics via multiple protocols, e.g. HTTP/S, email, SQS, SMS, Lambda
SNS is generally used for sending plain-text emails triggered by other AWS services. The best example of this is billing alarms.
Retries delivery on failure for HTTP/S endpoints (configurable delivery policy)
Really good for webhooks, simple internal emails, triggering Lambda functions
SQS( Simple Queue Services )
Queues up messages, guaranteed delivery
Places messages into a queue. Applications poll the queue using the AWS SDK (consumer pull, unlike SNS push)
Can retain a message for up to 14 days (default 4 days)
Standard queues deliver in parallel with best-effort ordering; FIFO queues deliver in strict sequential order
FIFO queues give exactly-once processing (duplicates sent within the deduplication window are dropped)
Standard queues guarantee at-least-once delivery, so consumers must be idempotent
Really good for delayed tasks, queueing up emails
SNS vs SES vs Pinpoint vs WorkMail
They all send emails
SNS (Simple Notification Service) | SES (Simple Email Service) | Amazon Pinpoint | Amazon WorkMail |
Practical and internal emails | Transactional emails | Promotional emails | Email web client |
Sends notifications to subscribers of topics via multiple protocols, e.g. HTTP/S, email, SQS, SMS | Emails triggered by in-app actions: signup, password reset, invoices | Emails for marketing | Similar to Gmail and Outlook: create company mailboxes, read, write and send email from a web client within the AWS Management Console |
Generally used for plain-text emails triggered by other AWS services; the best example is billing alarms | A cloud-based email-sending service, comparable to SendGrid | Create email campaigns | |
Most exam questions are about SNS because lots of services can trigger SNS for notifications | Sends HTML emails (SNS cannot) | Segment your contacts | |
You need to know what topics and subscriptions are | Can receive inbound emails | Create customer journeys via email | |
| Can create email templates | A/B email testing | |
| Custom domain name email | | |
| Monitor your email reputation | | |
Amazon Inspector vs AWS Trusted Advisor
- Both are security tools and both perform audits
Amazon Inspector | Trusted Advisor |
Audits the EC2 instances you select (agent-based assessment) | Does not generate a PDF report |
Generates a report from a long list of security checks, e.g. 699 checks | Gives you a holistic view of recommendations across multiple services and best practices (cost optimization, performance, security, fault tolerance, service limits) |
e.g. "You have open ports on these security groups" | e.g. "You should enable MFA on your root account" |
Note: this describes Inspector Classic. The current Amazon Inspector (2021 onward) continuously scans EC2 instances, ECR container images and Lambda functions for software vulnerabilities (CVEs) and unintended network exposure, emitting findings rather than a one-off report. Trusted Advisor's full set of checks requires a Business or Enterprise Support plan; the basic plan only gets a core subset of the security checks.
Connect-Named Services
They all have "Connect" in the name but they are not related and do not overlap in functionality
Direct Connect
A dedicated fiber-optic connection from your data center (via a Direct Connect location) to AWS
Intended for large enterprises with their own data center that need a very fast, private connection directly into AWS
Direct Connect is private but not encrypted by default; if you need encryption in transit, run an AWS Site-to-Site VPN over the Direct Connect link (or enable MACsec, which is supported on 10 Gbps and 100 Gbps dedicated connections at supported locations)
Amazon Connect
Call center as a service
Get a toll-free number, accept inbound and outbound calls, set up automated phone systems
Interactive Voice Response (IVR)
AWS Elemental MediaConnect
Reliable, secure transport for live video: ingest contribution feeds into AWS and distribute them to multiple destinations. It is not a transcoder.
The transcoding use case that often gets attached to this name belongs to AWS Elemental MediaConvert, the file-based successor to Elastic Transcoder (next section): you have thousands of videos and need to transcode them into different formats, maybe apply watermarks, or insert an introduction clip in front of every video.
Elastic Transcoder vs MediaConvert
Both services transcode videos
Elastic Transcoder (the old way) | AWS Elemental MediaConvert (the new way) |
The original transcoding service; it may have programmatic APIs or workflows not available in MediaConvert | A more robust transcoding service that can perform various operations during transcoding |
Exists because legacy customers still use the platform | Transcodes videos to streaming formats |
Transcodes videos to streaming formats | Overlays graphics and video on the output |
| Inserts video links |
| Extracts caption data |
| Robust UI |
AWS Artifact vs Amazon Inspector
AWS Artifact | Amazon Inspector |
Answers "Why should an enterprise trust AWS?" | Answers "How do we know this EC2 instance is secure? Prove it." |
Self-service portal for downloading AWS's own third-party audit reports and compliance agreements, based on global compliance frameworks such as: | Runs an assessment against your EC2 instance (via the Inspector agent), then generates a report telling you which security checks passed and which failed |
- Service Organization Control (SOC) | Audit tool for the security of EC2 instances |
- Payment Card Industry (PCI DSS) | |
ELB - ALB vs NLB vs GWLB vs CLB
Elastic Load Balancing (ELB) offers 4 different types of load balancer
Application Load Balancer (ALB) | Network Load Balancer (NLB) | Gateway Load Balancer (GWLB) | Classic Load Balancer (CLB) |
Layer 7: HTTP/S routing rules | Layer 4: TCP, UDP and TLS | Layer 3 gateway plus Layer 4 load balancing, for deploying a fleet of third-party virtual appliances (firewalls, IDS/IPS, deep packet inspection) that support GENEVE | Layer 4 and 7: TCP and HTTP/S |
Routing rules: change routing based on information found in the HTTP/S request (host, path, headers, query string, source IP) | Where extreme performance is required for TCP and TLS traffic | Traffic is encapsulated in GENEVE (UDP port 6081) and passed transparently to the appliances, so they inspect the original packets | Intended for applications that were built within the EC2-Classic network |
Can attach AWS WAF | Capable of handling millions of requests per second while maintaining ultra-low latency | | Doesn't use target groups |
| Optimized for sudden and volatile traffic patterns, with a single static IP address per Availability Zone | | EC2-Classic (and CLBs running in it) retired on Aug 15, 2022; CLBs in a VPC still work, but new designs should use ALB or NLB |