From the course: AWS Certified Developer - Associate (DVA-C02) Cert Prep
AWS security services - Amazon Web Services (AWS) Tutorial
- [Instructor] There are a lot of available security services in AWS to help you secure your cloud infrastructure and encrypt your data in transit or at rest. Whether you need protection against common web vulnerabilities, management of your encryption keys, generation of SSL certificates, setup of your custom key stores, and many more, you can easily manage your application or database passwords using these services and ensure that your sensitive data is always safe. AWS can also prevent distributed denial of service attacks, or DDoS, that can overwhelm or even shut down your mission-critical applications. A DDoS attack usually exploits the protocols within OSI layer three and layer four, such as IP, UDP, and TCP. So for example, a hacker can command a fleet of botnets to initiate half-open TCP connections to a server by only sending synchronize packets, or SYN, without sending the acknowledgement packets, also known as ACK. This compromises the three-way handshake process of the TCP connection and floods your website with illegitimate requests.

In this lecture, we'll discuss AWS WAF, AWS Firewall Manager, AWS Shield, Amazon GuardDuty, AWS CloudHSM, AWS Key Management Service, AWS Secrets Manager, AWS Certificate Manager, Amazon Macie, Amazon Inspector, and Amazon Detective.

The AWS Web Application Firewall service, or AWS WAF, is basically just a web application firewall in AWS, just as its name implies. It protects your web applications from common web exploits that could affect application availability, compromise security, or consume excessive resources. You can use AWS WAF to create custom rules that block common attack patterns, such as SQL injection and cross-site scripting attacks. You can integrate AWS WAF with Amazon CloudFront, Application Load Balancer, and Amazon API Gateway. With its IP Match condition feature, you can block malicious requests from a recurring set of IP addresses.
AWS WAF can also protect your application from illegitimate requests sent by illegitimate external systems through its rate-limiting rule. When these attacks occur, a rate-based rule can reduce the impact on the legitimate users of your websites. This can be achieved by creating a rate-based web access control list, or web ACL, and attaching it to a CloudFront distribution to help minimize the effects of a DDoS attack. This service is also suitable if your application is only authorized to be accessed from one specific country. AWS WAF provides a geo match condition that blocks specific countries from accessing your site, or only allows access from certain countries that you define.

AWS Firewall Manager is a security management service specifically designed for your AWS WAF rules. It makes it easy for you to centrally configure and manage your WAF rules across your accounts and applications. Using Firewall Manager, you can easily roll out your custom rules for Application Load Balancers, API Gateways, and Amazon CloudFront distributions across accounts in an AWS organization.

AWS Shield is a managed DDoS protection service that safeguards applications running on AWS. It provides detection and automatic mitigations that minimize application downtime and latency. It can mitigate different types of flood attacks, such as UDP reflection, SYN flood, DNS query flood, and HTTP flood attacks. AWS Shield protects your applications that use Amazon EC2, Elastic Load Balancers, CloudFront distributions, AWS Cloud Accelerators, and Route 53 edge locations. There are two types in the service: Standard and Advanced. The AWS Shield Standard tier is already built into your AWS services by default, with no extra charge, while the Advanced tier is a paid version that provides access to real-time DDoS attack notifications and the DDoS Response Team.
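The rate-based rule and the geo match allowlist described above, rendered as the rule JSON that `aws wafv2 create-web-acl --rules file://rules.json` accepts. This is an added example in Go, not code from the course or from AWS: the struct names are my own, the JSON field names follow the WAFv2 API, only the fields used here are modelled, and the 2000-requests-per-5-minutes limit and the single-country allowlist are constructed sample values.

```go
package main

import (
	"encoding/json"
	"fmt"
	"regexp"
)

// Structs mirroring the subset of WAFv2 Rule JSON used here (added example;
// struct names are mine, JSON field names follow the WAFv2 API).
type VisibilityConfig struct {
	SampledRequestsEnabled   bool   `json:"SampledRequestsEnabled"`
	CloudWatchMetricsEnabled bool   `json:"CloudWatchMetricsEnabled"`
	MetricName               string `json:"MetricName"`
}

type RateBasedStatement struct {
	Limit            int64  `json:"Limit"`            // requests per 5-minute window
	AggregateKeyType string `json:"AggregateKeyType"` // "IP": counted per source address
}

type GeoMatchStatement struct {
	CountryCodes []string `json:"CountryCodes"` // ISO 3166-1 alpha-2 codes
}

type NotStatement struct {
	Statement Statement `json:"Statement"`
}

type Statement struct {
	RateBasedStatement *RateBasedStatement `json:"RateBasedStatement,omitempty"`
	GeoMatchStatement  *GeoMatchStatement  `json:"GeoMatchStatement,omitempty"`
	NotStatement       *NotStatement       `json:"NotStatement,omitempty"`
}

// WAFv2 encodes rule actions as empty objects, e.g. {"Block": {}}.
type Action struct {
	Block *struct{} `json:"Block,omitempty"`
	Allow *struct{} `json:"Allow,omitempty"`
}

type Rule struct {
	Name             string           `json:"Name"`
	Priority         int              `json:"Priority"`
	Statement        Statement        `json:"Statement"`
	Action           Action           `json:"Action"`
	VisibilityConfig VisibilityConfig `json:"VisibilityConfig"`
}

var countryCode = regexp.MustCompile(`^[A-Z]{2}$`)

func visibility(metric string) VisibilityConfig {
	return VisibilityConfig{SampledRequestsEnabled: true, CloudWatchMetricsEnabled: true, MetricName: metric}
}

// RateLimitRule blocks a source IP once it exceeds `limit` requests in the
// 5-minute window; clients that stay below the limit are not affected.
func RateLimitRule(priority int, limit int64) Rule {
	return Rule{
		Name:             "rate-limit-per-ip",
		Priority:         priority,
		Statement:        Statement{RateBasedStatement: &RateBasedStatement{Limit: limit, AggregateKeyType: "IP"}},
		Action:           Action{Block: &struct{}{}},
		VisibilityConfig: visibility("RateLimitPerIP"),
	}
}

// CountryAllowlistRule blocks every request that does NOT come from one of the
// listed countries. Wrapping GeoMatch in NotStatement with a Block action is
// what turns "block these countries" into "allow only these countries"; the
// web ACL's default action must then be Allow so permitted traffic passes.
func CountryAllowlistRule(priority int, codes []string) (Rule, error) {
	for _, c := range codes {
		if !countryCode.MatchString(c) {
			return Rule{}, fmt.Errorf("country code %q is not ISO 3166-1 alpha-2", c)
		}
	}
	geo := Statement{GeoMatchStatement: &GeoMatchStatement{CountryCodes: codes}}
	return Rule{
		Name:             "allow-only-listed-countries",
		Priority:         priority,
		Statement:        Statement{NotStatement: &NotStatement{Statement: geo}},
		Action:           Action{Block: &struct{}{}},
		VisibilityConfig: visibility("AllowOnlyListedCountries"),
	}, nil
}

// RulesJSON renders the rule list in the shape --rules file://rules.json expects.
func RulesJSON(rules []Rule) (string, error) {
	b, err := json.MarshalIndent(rules, "", "  ")
	return string(b), err
}

func main() {
	geo, err := CountryAllowlistRule(1, []string{"US"}) // constructed sample allowlist
	if err != nil {
		panic(err)
	}
	out, err := RulesJSON([]Rule{RateLimitRule(0, 2000), geo})
	if err != nil {
		panic(err)
	}
	fmt.Println(out)
}
```

The rate-based rule is evaluated per source IP, so a single flooding client is blocked while the rest of your users keep working; for the allowlist, remember that the Block on the negated geo match only makes sense when the web ACL's default action is Allow, otherwise nothing gets through.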
Amazon GuardDuty is a managed threat detection service that helps you identify malicious or unauthorized activities in your AWS accounts and workloads. It monitors for activities such as unusual API calls, cryptocurrency mining, or potentially unauthorized deployments that indicate a possible account compromise. GuardDuty also detects potentially compromised EC2 instances. This service produces security reports called findings that represent a potential security issue detected within your network. GuardDuty can send notifications using CloudWatch Events when any change takes place in these security findings. Once again, this service is just used for threat detection, and it's not capable of making any resource changes by itself, like rate-limiting protection or DDoS attack mitigation.

Let's now discuss the two AWS services that you can use for your key management infrastructure. They are AWS CloudHSM and AWS Key Management Service. AWS CloudHSM is a fully managed, cloud-based hardware security module, or HSM. Obviously, the word HSM in CloudHSM means Hardware Security Module, which enables you to easily generate and use your own encryption keys. These encryption keys can be 128-bit or 256-bit keys that are used to encrypt your custom data or other encryption keys. An HSM is just a physical hardware device that performs cryptographic operations and securely stores cryptographic key material. This key material is basically a random Base64 or hexadecimal string in a binary format that is used by your encryption key. In CloudHSM, the cluster can be accessed or managed using CloudHSM clients, which are installed and hosted in your Amazon EC2 instances. The CloudHSM cluster is deployed in your Amazon VPC. Your clients can communicate with your HSM cluster using the Elastic Network Interfaces, or ENIs, of your HSMs. Since all of these resources are in your Amazon VPC and under your exclusive control, the CloudHSM cluster only has one sole tenant, which is you. This is what single-tenant access means in CloudHSM. This service can be used to offload the SSL processing of your web servers, to enable Transparent Data Encryption, or TDE, for your Oracle databases, and to protect the private keys of an issuing Certificate Authority, or CA. You can also integrate CloudHSM and AWS KMS to create a custom key store.

AWS Key Management Service, or KMS, is a managed service that works almost like CloudHSM. Under the hood, KMS also uses hardware security modules, which makes it easier for you to create and control your encryption keys. But unlike CloudHSM, this service has multi-tenant access, which means that you share the HSM with other tenants or AWS customers. Moreover, you cannot launch an HSM into your Amazon VPC or EC2 instances that you own. The HSM is fully managed by the Amazon Web Services team themselves. AWS KMS can be integrated with other AWS services to help you protect the data you store with these services. For example, encrypting volumes or snapshots in Amazon EBS is powered by AWS KMS, as well as server-side encryption in Amazon S3 and database encryption in Amazon RDS. AWS KMS uses envelope encryption, which is the practice of encrypting your plaintext data with a data key and then encrypting that data key using another key called the master key. The primary resources in KMS are called Customer Master Keys, or CMKs. A CMK is basically a representation of the master key that encrypts your data key. With AWS KMS, you can store your CMKs and automatically rotate them to meet your encryption requirements. You can also create a custom key store in AWS KMS with CloudHSM. This custom key store provides complete control over your encryption key lifecycle management and allows you to remove the key material of your encryption keys. This is the same key material that we discussed earlier. You can also audit key usage independently of AWS CloudTrail and KMS itself using this custom key store.
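The envelope-encryption flow described above, as an added example in Go rather than code from the course or from AWS. Because the real master key never leaves the KMS HSMs, a `fakeKMS` type stands in for the KMS side here and exposes only the two operations the pattern needs (mirroring the shape of kms:GenerateDataKey and kms:Decrypt); the application side generates nothing itself, encrypts bulk data under the data key, and persists only the ciphertext and the wrapped data key. The type and function names are mine, the encryption context and plaintext are constructed sample values, and AES-GCM is used both to wrap the data key and to encrypt the data.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
	"io"
)

// fakeKMS stands in for AWS KMS (added example). The master key (the "CMK")
// lives only inside this type; callers only ever see wrapped data keys.
type fakeKMS struct {
	master cipher.AEAD
}

func newGCM(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

func randomBytes(n int) ([]byte, error) {
	b := make([]byte, n)
	_, err := io.ReadFull(rand.Reader, b)
	return b, err
}

// seal prefixes a fresh nonce to the AES-GCM ciphertext and binds aad to it.
func seal(aead cipher.AEAD, plaintext, aad []byte) ([]byte, error) {
	nonce, err := randomBytes(aead.NonceSize())
	if err != nil {
		return nil, err
	}
	return aead.Seal(nonce, nonce, plaintext, aad), nil
}

func unseal(aead cipher.AEAD, blob, aad []byte) ([]byte, error) {
	n := aead.NonceSize()
	if len(blob) < n {
		return nil, errors.New("ciphertext too short")
	}
	return aead.Open(nil, blob[:n], blob[n:], aad)
}

func NewFakeKMS() (*fakeKMS, error) {
	master, err := randomBytes(32) // 256-bit master key, generated once
	if err != nil {
		return nil, err
	}
	aead, err := newGCM(master)
	if err != nil {
		return nil, err
	}
	return &fakeKMS{master: aead}, nil
}

// GenerateDataKey mirrors kms:GenerateDataKey: a fresh 256-bit data key comes
// back in plaintext (use it, then discard it) and wrapped under the master key,
// with the encryption context bound as additional authenticated data.
func (k *fakeKMS) GenerateDataKey(ctx []byte) (plain, wrapped []byte, err error) {
	if plain, err = randomBytes(32); err != nil {
		return nil, nil, err
	}
	wrapped, err = seal(k.master, plain, ctx)
	return plain, wrapped, err
}

// Decrypt mirrors kms:Decrypt and fails if the context does not match.
func (k *fakeKMS) Decrypt(wrapped, ctx []byte) ([]byte, error) {
	return unseal(k.master, wrapped, ctx)
}

// Envelope is what the application persists: ciphertext plus the wrapped data
// key. Nothing in it can be opened without a call back to KMS.
type Envelope struct {
	WrappedKey []byte
	Ciphertext []byte
	Context    []byte
}

func EnvelopeEncrypt(kms *fakeKMS, ctx, plaintext []byte) (Envelope, error) {
	dataKey, wrapped, err := kms.GenerateDataKey(ctx)
	if err != nil {
		return Envelope{}, err
	}
	aead, err := newGCM(dataKey)
	if err != nil {
		return Envelope{}, err
	}
	ct, err := seal(aead, plaintext, ctx) // bulk data never travels to KMS
	for i := range dataKey {               // plaintext data key is not retained
		dataKey[i] = 0
	}
	return Envelope{WrappedKey: wrapped, Ciphertext: ct, Context: ctx}, err
}

func EnvelopeDecrypt(kms *fakeKMS, env Envelope) ([]byte, error) {
	dataKey, err := kms.Decrypt(env.WrappedKey, env.Context) // one KMS call per object
	if err != nil {
		return nil, err
	}
	aead, err := newGCM(dataKey)
	if err != nil {
		return nil, err
	}
	return unseal(aead, env.Ciphertext, env.Context)
}

func main() {
	kms, _ := NewFakeKMS()
	ctx := []byte("purpose=customer-record") // constructed encryption context
	env, _ := EnvelopeEncrypt(kms, ctx, []byte("constructed sample plaintext"))
	pt, err := EnvelopeDecrypt(kms, env)
	fmt.Printf("recovered %q, err=%v\n", pt, err)
}
```

Two properties worth noticing: the only thing a stolen `Envelope` gives an attacker is AES-GCM ciphertext under a key they do not have, and a decrypt attempt with a different encryption context (or a different master key) fails authentication rather than returning garbage, which is why KMS encryption contexts are useful as a cheap integrity and authorization check.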
AWS Secrets Manager helps to protect secrets needed to access your applications, services, and IT resources. The service enables you to easily rotate, manage, and retrieve your secrets throughout their lifecycle. Basically, a secret can be a database password, an API key, an authentication token, or other sensitive data. This eliminates the need to hardcode sensitive information in plain text for a Lambda function or custom applications. Secrets Manager offers secret rotation with built-in integration for Amazon RDS, Amazon Redshift, Amazon DocumentDB, and other services. In addition, Secrets Manager enables you to control access to secrets using fine-grained permissions and centrally audit your secrets. Just keep in mind that this service does not use an HSM, so you should not store your encryption keys or key material here.

Amazon Macie is a fully managed security service that automatically recognizes and classifies sensitive data or intellectual property on AWS. It uses machine learning to automatically discover, classify, and protect sensitive data stored in your Amazon S3 buckets and other AWS services. Amazon Macie recognizes Personally Identifiable Information, or PII, such as names, social security numbers, driver's license numbers, bank account numbers, password numbers, and email addresses. It provides you with dashboards and alerts that give you visibility into how sensitive data is being accessed or moved.

AWS Certificate Manager is a service that allows you to create and manage SSL certificates. It lets you easily provision, manage, and deploy public and private Secure Sockets Layer and Transport Layer Security certificates for use with AWS services and your internal connected resources. It also enables you to create private certificates for your internal resources and manage the certificate lifecycle centrally. Public and private certificates provisioned through AWS Certificate Manager are free, and you can use them with certain AWS services.
Amazon Inspector is an automated security assessment service that allows you to improve the security and compliance of your applications deployed on AWS. Amazon Inspector automatically assesses applications for vulnerabilities or deviations from best practices. After performing an assessment, Amazon Inspector produces a detailed list of security findings prioritized by level of security. It provides an automated security assessment report that identifies unintended network access to your Amazon EC2 instances and vulnerabilities in those instances. These findings can be reviewed directly or as part of your detailed assessment reports, which are available via the Amazon Inspector console or via its API.

Amazon Detective is a service primarily used for security investigations and analysis. It makes it easy for you to analyze, investigate, and quickly identify the root cause of potential security issues or suspicious activities. Amazon Detective automatically collects log data from your AWS resources. What it basically does is collect logs from AWS CloudTrail, Amazon VPC Flow Logs, Amazon GuardDuty findings, and other AWS services, then use machine learning to analyze and conduct security investigations.
Contents
- AWS security services (12m 56s)
- AWS Identity Services (4m 32s)
- AWS audit and compliance services (3m 22s)
- IAM overview (8m 13s)
- IAM identities (9m)
- IAM policy types (7m 42s)
- IAM policy basics (9m 14s)
- IAM policy evaluation logic (9m 8s)
- Amazon Cognito user pool (2m 47s)
- Amazon Cognito identity pool (3m 30s)
- AWS Secrets Manager overview (3m 53s)
- AWS Systems Manager Parameter Store overview (3m 46s)
- AWS Systems Manager Parameter Store vs. AWS Secrets Manager (3m 54s)
- Amazon S3 encryption (6m 59s)
- Amazon S3 bucket policy (5m 5s)
- AWS Key Management Service (AWS KMS) overview (6m 58s)
- AWS KMS API commands (2m 39s)
- Hands-on lab: Encryption and Decryption using AWS KMS CLI (7m 30s)
- Amazon API Gateway authorizer (3m 42s)
- Amazon CloudFront security features (11m 35s)
- AWS CloudTrail overview (3m 13s)
- Cross-origin resource sharing (CORS) (6m 14s)