From the course: AWS Certified Developer - Associate (DVA-C02) Cert Prep

AWS security services

- [Instructor] There are a lot of available security services in AWS to help you secure your cloud infrastructure and encrypt your data in transit or at rest. Whether you need protection against common web vulnerabilities, management of your encryption keys, generation of SSL certificates, setup of your custom key stores, or much more, you can easily manage your application or database passwords using these services and ensure that your sensitive data is always safe. AWS can also prevent distributed denial of service attacks, or DDoS, that can overwhelm or even shut down your mission-critical applications. A DDoS attack usually exploits the protocols within OSI layer three and layer four, such as IP, UDP, and TCP. So for example, a hacker can command a fleet of botnets to initiate half-open TCP connections to a server by only sending synchronize packets, or SYN, without sending the acknowledgement packets, also known as ACK. This compromises the three-way handshake process of the TCP connection and floods your website with illegitimate requests.

In this lecture, we'll discuss AWS WAF, AWS Firewall Manager, AWS Shield, Amazon GuardDuty, AWS CloudHSM, AWS Key Management Service, AWS Secrets Manager, AWS Certificate Manager, Amazon Macie, Amazon Inspector, and Amazon Detective.

The AWS Web Application Firewall service, or AWS WAF, is basically just a web application firewall in AWS, just as its name implies. It protects your web applications from common web exploits that could affect application availability, compromise security, or consume excessive resources. You can use AWS WAF to create custom rules that block common attack patterns, such as SQL injection and cross-site scripting attacks. You can integrate AWS WAF with Amazon CloudFront, Application Load Balancer, and Amazon API Gateway. With its IP match condition feature, you can block malicious requests from a recurring set of IP addresses.
AWS WAF can also protect your application from illegitimate requests sent by illegitimate external systems through its rate-limiting rule. When these attacks occur, a rate-based rule can reduce the impact on the legitimate users of your websites. This can be achieved by creating a rate-based web access control list, or web ACL, and attaching it to a CloudFront distribution to help minimize the effects of a DDoS attack. This service is also suitable if your application is only authorized to be accessed from one specific country. AWS WAF provides a geo match condition that blocks specific countries from accessing your site or only allows access from certain countries that you define.

AWS Firewall Manager is a security management service, specifically designed for your AWS WAF rules. It makes it easy for you to centrally configure and manage your WAF rules across your accounts and applications. Using Firewall Manager, you can easily roll out your custom rules for Application Load Balancers, API Gateways, and Amazon CloudFront distributions across accounts in an AWS Organization.

AWS Shield is a managed DDoS protection service that safeguards applications running on AWS. It provides detection and automatic mitigations that minimize application downtime and latency. It can mitigate different types of flood attacks, such as UDP reflection, SYN flood, DNS query flood, and HTTP flood attacks. AWS Shield protects your applications that use Amazon EC2, Elastic Load Balancers, CloudFront distributions, AWS Global Accelerator, and Route 53 edge locations. There are two tiers in the service, Standard and Advanced. The AWS Shield Standard tier is already built into your AWS services by default, at no extra charge, while the Advanced tier is a paid version which provides access to real-time DDoS attack notifications and the DDoS Response Team.
Amazon GuardDuty is a managed threat detection service that helps you identify malicious or unauthorized activities in your AWS accounts and workloads. It monitors for activities such as unusual API calls, cryptocurrency mining, or potentially unauthorized deployments that indicate a possible account compromise. GuardDuty also detects potentially compromised EC2 instances. This service produces security reports called Findings that represent a potential security issue detected within your network. GuardDuty can send notifications using CloudWatch Events when any change takes place in these security findings. Once again, this service is just used for threat detection, and it's not capable of making any resource changes by itself, like rate-limiting protection or DDoS attack mitigation.

Let's now discuss the two AWS services that you can use for your key management infrastructure. They are AWS CloudHSM and AWS Key Management Service.

AWS CloudHSM is a fully managed, cloud-based hardware security module, or HSM. Obviously, the word HSM in CloudHSM means Hardware Security Module, which enables you to easily generate and use your own encryption keys. These encryption keys can be 128-bit or 256-bit and are used to encrypt your custom data or other encryption keys. An HSM is just a physical hardware device that performs cryptographic operations and securely stores cryptographic key material. This key material is basically a random Base64 or hexadecimal string in a binary format that is used by your encryption key. In CloudHSM, the cluster can be accessed or managed using CloudHSM clients, which are installed and hosted in your Amazon EC2 instances. The CloudHSM cluster is deployed in your Amazon VPC. Your clients can communicate with your HSM cluster using the Elastic Network Interfaces, or ENIs, of your HSMs. Since all of these resources are in your Amazon VPC and under your exclusive control, the CloudHSM cluster only has one sole tenant, which is you.
This is what single-tenant access means in CloudHSM. This service can be used to offload the SSL processing of your web servers, enable Transparent Data Encryption, or TDE, for your Oracle databases, and protect the private keys of an issuing Certificate Authority, or CA. You can also integrate CloudHSM and AWS KMS to create a custom key store.

AWS Key Management Service, or KMS, is a managed service that works almost like CloudHSM. Under the hood, KMS also uses hardware security modules, which makes it easier for you to create and control your encryption keys. But unlike CloudHSM, this service has multi-tenant access, which means that you share the HSM with other tenants or AWS customers. Moreover, you cannot launch an HSM into your Amazon VPC or EC2 instances that you own. The HSM is fully managed by the Amazon Web Services team themselves. AWS KMS can be integrated with other AWS services to help you protect the data you store with these services. For example, encrypting volumes or snapshots in Amazon EBS is powered by AWS KMS, as well as server-side encryption in Amazon S3 and database encryption in Amazon RDS. AWS KMS uses envelope encryption, which is the practice of encrypting your plaintext data with a data key, and then encrypting that data key using another key called the master key. The primary resources in KMS are called Customer Master Keys, or CMKs. A CMK is basically a representation of the master key that encrypts your data key. With AWS KMS, you can store your CMKs and automatically rotate them to meet your encryption requirements. You can also create a custom key store in AWS KMS with CloudHSM. This custom key store provides complete control over your encryption key lifecycle management and allows you to remove the key material of your encryption keys. This is the same key material that we discussed earlier. You can also audit key usage independently of AWS CloudTrail and KMS itself using this custom key store.
AWS Secrets Manager helps you protect secrets needed to access your applications, services, and IT resources. The service enables you to easily rotate, manage, and retrieve your secrets throughout their lifecycle. Basically, a secret can be a database password, API key, authentication token, or other sensitive data. This eliminates the need to hardcode sensitive information in plain text in a Lambda function or custom application. Secrets Manager offers secret rotation with built-in integration for Amazon RDS, Amazon Redshift, Amazon DocumentDB, and other services. In addition, Secrets Manager enables you to control access to secrets using fine-grained permissions and centrally audit your secrets. Just keep in mind that this service does not use an HSM, so you should not store your encryption keys or key material here.

Amazon Macie is a fully managed security service that automatically recognizes and classifies sensitive data or intellectual property on AWS. It uses machine learning to automatically discover, classify, and protect sensitive data stored in your Amazon S3 buckets and other AWS services. Amazon Macie recognizes Personally Identifiable Information, or PII, such as names, social security numbers, driver's license numbers, bank account numbers, passport numbers, and email addresses. It provides you with dashboards and alerts that give you visibility into how sensitive data is being accessed or moved.

AWS Certificate Manager is a service that allows you to create and manage SSL certificates. It lets you easily provision, manage, and deploy public and private Secure Sockets Layer and Transport Layer Security certificates for use with AWS services and your internal connected resources. It also enables you to create private certificates for your internal resources and manage the certificate lifecycle centrally. Public and private certificates provisioned through AWS Certificate Manager are free, which you can use with certain AWS services.
Amazon Inspector is an automated security assessment service that allows you to improve the security and compliance of your applications deployed on AWS. Amazon Inspector automatically assesses applications for vulnerabilities or deviations from best practices. After performing an assessment, Amazon Inspector produces a detailed list of security findings prioritized by level of severity. It provides an automated security assessment report that will identify unintended network access to your Amazon EC2 instances and vulnerabilities in those instances. These findings can be reviewed directly or as part of your detailed assessment reports, which are available via the Amazon Inspector console or via its API.

Amazon Detective is a service primarily used for security investigations and analysis. It makes it easy for you to analyze, investigate, and quickly identify the root cause of potential security issues or suspicious activities. Amazon Detective automatically collects log data from your AWS resources. What it basically does is collect logs from AWS CloudTrail, Amazon VPC Flow Logs, Amazon GuardDuty findings, and other AWS services, then use machine learning to analyze and conduct security investigations.
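The rate-based rule the lecture describes for AWS WAF (count requests per source IP over a trailing five-minute window and block an address once it passes the limit) applied to sample access-log lines, as an added example that is not code from the course or from AWS WAF itself. The log format, the addresses and the traffic shapes in SampleLog are constructed for the example, and RateLimitedIPs is the example's own approximation of how such a rule counts, not WAF's implementation; the limit and window are parameters so the effect of the window can be seen.

```go
package main

import (
	"fmt"
	"sort"
	"strings"
	"time"
)

// Request is one parsed access-log entry. The log format is constructed for
// this example: "<RFC3339 time> <client IP> <method> <path>".
type Request struct {
	At time.Time
	IP string
}

// ParseLog turns log lines into Requests, skipping blank lines and rejecting
// malformed ones instead of silently miscounting.
func ParseLog(lines []string) ([]Request, error) {
	var out []Request
	for n, line := range lines {
		f := strings.Fields(line)
		if len(f) == 0 {
			continue
		}
		if len(f) < 2 {
			return nil, fmt.Errorf("line %d: expected time and client IP", n+1)
		}
		at, err := time.Parse(time.RFC3339, f[0])
		if err != nil {
			return nil, fmt.Errorf("line %d: %w", n+1, err)
		}
		out = append(out, Request{At: at, IP: f[1]})
	}
	return out, nil
}

// RateLimitedIPs evaluates a rate-based rule: an IP is flagged once it has
// sent more than limit requests inside any trailing window. AWS WAF counts
// per source IP over a 5-minute window with a minimum limit of 100; both are
// parameters here so the effect of the window can be seen.
func RateLimitedIPs(reqs []Request, limit int, window time.Duration) map[string]bool {
	sorted := append([]Request(nil), reqs...)
	sort.SliceStable(sorted, func(i, j int) bool { return sorted[i].At.Before(sorted[j].At) })
	recent := map[string][]time.Time{} // per-IP timestamps still inside the window
	blocked := map[string]bool{}
	for _, r := range sorted {
		ts := recent[r.IP]
		cutoff := r.At.Add(-window)
		drop := 0
		for drop < len(ts) && !ts[drop].After(cutoff) { // expire entries older than the window
			drop++
		}
		ts = append(ts[drop:], r.At)
		recent[r.IP] = ts
		if len(ts) > limit {
			blocked[r.IP] = true
		}
	}
	return blocked
}

// SampleLog builds constructed traffic: one address bursting 120 requests in
// two minutes, one sending 150 requests evenly over an hour, one sending five.
func SampleLog() []string {
	base := time.Date(2024, 5, 1, 10, 0, 0, 0, time.UTC)
	var lines []string
	add := func(ip string, at time.Time) {
		lines = append(lines, fmt.Sprintf("%s %s GET /login", at.Format(time.RFC3339), ip))
	}
	for i := 0; i < 120; i++ {
		add("203.0.113.7", base.Add(time.Duration(i)*time.Second))
	}
	for i := 0; i < 150; i++ {
		add("198.51.100.5", base.Add(time.Duration(i)*24*time.Second))
	}
	for i := 0; i < 5; i++ {
		add("192.0.2.9", base.Add(time.Duration(i)*time.Minute))
	}
	return lines
}

func main() {
	reqs, err := ParseLog(SampleLog())
	if err != nil {
		panic(err)
	}
	for ip, hit := range RateLimitedIPs(reqs, 100, 5*time.Minute) {
		fmt.Printf("%s blocked=%v\n", ip, hit)
	}
}
```

With a five-minute window only the bursting address is flagged; the address that sends 150 requests over an hour never has more than 13 inside any window, which is why the window length matters as much as the limit when tuning a rate-based rule against false positives on legitimate users.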
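The envelope-encryption flow the lecture describes for AWS KMS (a data key encrypts the data, the master key encrypts the data key, and only the wrapped data key is stored with the ciphertext), as an added example that is not code from the course or from AWS. So that it runs offline, a local AES-256-GCM key stands in for the KMS customer master key, which is an assumption of the example; in KMS that key material never leaves the HSM. GenerateDataKey, Encrypt and Decrypt are the example's own functions that mirror the KMS calls of the same name, and the byte-string context plays the role of the KMS encryption context. All names and sample values are constructed.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"io"
)

// Envelope is what the application persists beside its data; the plaintext data key is never stored.
type Envelope struct {
	WrappedDataKey []byte // data key encrypted under the master key (KMS: the CiphertextBlob from GenerateDataKey)
	Sealed         []byte // nonce || AES-GCM ciphertext of the payload under the data key
}

// MasterKey stands in for a KMS customer master key. In KMS the key material never leaves
// the HSM; here it is a local AES-256 key so the example runs offline (an assumption of this example).
type MasterKey struct{ aead cipher.AEAD }

func aeadFor(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// newKey draws a random 256-bit key and builds an AES-256-GCM instance for it.
func newKey() ([]byte, cipher.AEAD, error) {
	key := make([]byte, 32)
	if _, err := io.ReadFull(rand.Reader, key); err != nil {
		return nil, nil, err
	}
	aead, err := aeadFor(key)
	return key, aead, err
}

func NewMasterKey() (*MasterKey, error) {
	_, aead, err := newKey()
	return &MasterKey{aead: aead}, err
}

// seal returns nonce||ciphertext. aad is authenticated but not encrypted, the role the KMS
// encryption context plays: it is not secret, but a mismatch makes decryption fail.
func seal(aead cipher.AEAD, plaintext, aad []byte) ([]byte, error) {
	nonce := make([]byte, aead.NonceSize())
	if _, err := io.ReadFull(rand.Reader, nonce); err != nil {
		return nil, err
	}
	return aead.Seal(nonce, nonce, plaintext, aad), nil
}

// open reverses seal and fails if the ciphertext, tag or aad were altered.
func open(aead cipher.AEAD, sealed, aad []byte) ([]byte, error) {
	if len(sealed) < aead.NonceSize() {
		return nil, errors.New("sealed blob too short")
	}
	return aead.Open(nil, sealed[:aead.NonceSize()], sealed[aead.NonceSize():], aad)
}

// GenerateDataKey mimics KMS GenerateDataKey: a fresh data key, returned in plaintext and wrapped under the master key.
func (m *MasterKey) GenerateDataKey(context []byte) (plain, wrapped []byte, err error) {
	if plain, _, err = newKey(); err != nil {
		return nil, nil, err
	}
	wrapped, err = seal(m.aead, plain, context)
	return plain, wrapped, err
}

// Encrypt is the write path: get a data key, encrypt the payload with it, keep only the wrapped copy of the key.
func Encrypt(m *MasterKey, context, plaintext []byte) (*Envelope, error) {
	dataKey, wrapped, err := m.GenerateDataKey(context)
	if err != nil {
		return nil, err
	}
	dk, err := aeadFor(dataKey)
	if err != nil {
		return nil, err
	}
	sealed, err := seal(dk, plaintext, context)
	for i := range dataKey { dataKey[i] = 0 } // best-effort scrub of the raw data key bytes
	if err != nil {
		return nil, err
	}
	return &Envelope{WrappedDataKey: wrapped, Sealed: sealed}, nil
}

// Decrypt is the read path: unwrap the data key with the master key (KMS Decrypt), then decrypt the payload.
func Decrypt(m *MasterKey, context []byte, env *Envelope) ([]byte, error) {
	dataKey, err := open(m.aead, env.WrappedDataKey, context)
	if err != nil {
		return nil, errors.New("unwrap data key: " + err.Error())
	}
	dk, err := aeadFor(dataKey)
	if err != nil {
		return nil, err
	}
	return open(dk, env.Sealed, context)
}
```

In production the master key is never exported: the application calls the KMS GenerateDataKey and Decrypt APIs, so only the wrapped data key ever travels with the data, and the rest of the flow is identical. Binding the encryption context as GCM associated data is what makes a ciphertext from one application or environment unusable under another context, which is the same property KMS gives you when you pass an encryption context on every call.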
