Module 6: Security --- part 2

Learning objectives

  • Benefits of the shared responsibility model
  • Multi-factor authentication (MFA)
  • Benefits of AWS Identity and Access Management (IAM) security levels
  • Benefits of AWS Organizations
  • Security policies
  • Benefits of compliance with AWS
  • Additional AWS security services

AWS Organizations

A central location to manage multiple AWS accounts. 

AWS Organizations automatically creates a root, which is the parent container for all the accounts in your organization. 

Tasks

  • Consolidate and manage multiple AWS accounts within a central location.
  • Set permissions for accounts by configuring service control policies (SCPs).

Benefits

  • Centralized management
  • Consolidated billing
  • Hierarchical groupings of accounts
    • Organizational Units (OUs)
  • AWS service and API actions access control


Service control policies (SCPs)

SCPs enable you to centrally control permissions for the accounts in your organization. An SCP is not the best choice for granting temporary permissions to an individual employee.

SCPs enable you to place restrictions on the AWS services, resources, and individual API actions that users and roles in each account can access.


Organizational Units (OUs)

When you apply a policy to an OU, all the accounts in the OU automatically inherit the permissions specified in the policy.


Past exam questions

Q: You are configuring service control policies (SCPs) in AWS Organizations. Which identities and resources can SCPs be applied to? (Select TWO.)

A: An individual member account; an organizational unit (OU)

  • In AWS Organizations, you can apply service control policies (SCPs) to the organization root, an individual member account, or an OU. An SCP affects all IAM users, groups, and roles within an account, including the AWS account root user.
  • You can apply IAM policies to IAM users, groups, or roles. 
  • You cannot apply an IAM policy to the AWS account root user.
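The exam question above hinges on how SCPs and IAM policies combine: the SCP chain (root -> OU -> account) sets the outer boundary, IAM identity policies grant permissions inside it, and the account root user is bound by SCPs even though no IAM policy can be attached to it. The following is an added example, not AWS code or course material, that models that evaluation order in Python. It assumes statements reduced to Effect + Action (Resource and Condition matching are left out) and uses constructed policy documents.

```python
# Added example (not AWS code): a simplified model of how service control
# policies (SCPs) and IAM policies combine when AWS authorizes a request.
# Assumptions: statements are reduced to Effect + Action; Resource and
# Condition matching are left out so the precedence rules stand out.
from fnmatch import fnmatchcase

# Constructed SCP attached to an OU. Every account in the OU inherits it:
# all actions are allowed except a few audit-tampering calls.
SCP_PROTECT_AUDIT = {
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow", "Action": "*", "Resource": "*"},
        {
            "Effect": "Deny",
            "Action": [
                "cloudtrail:StopLogging",
                "cloudtrail:DeleteTrail",
                "organizations:LeaveOrganization",
            ],
            "Resource": "*",
        },
    ],
}

# Constructed IAM policy attached to a developer role in a member account.
# It grants cloudtrail:* -- but the SCP above still blocks StopLogging.
IAM_DEVELOPER = {
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow", "Action": ["ec2:*", "cloudtrail:*"], "Resource": "*"},
        {"Effect": "Deny", "Action": "ec2:TerminateInstances", "Resource": "*"},
    ],
}


def _as_list(value):
    return [value] if isinstance(value, str) else list(value)


def evaluate_policy(policy, action):
    """Return 'Deny', 'Allow', or None (no statement matched) for one document.

    An explicit Deny beats any Allow in the same document.
    """
    decision = None
    for stmt in policy["Statement"]:
        patterns = _as_list(stmt["Action"])
        # IAM action names are case-insensitive; '*' and '?' wildcards are allowed.
        if any(fnmatchcase(action.lower(), p.lower()) for p in patterns):
            if stmt["Effect"] == "Deny":
                return "Deny"
            decision = "Allow"
    return decision


def is_allowed(action, scps, iam_policies, is_root_user=False):
    """Decide whether a principal may perform `action`.

    scps: every SCP on the path root -> OU -> account; each must allow the action.
    iam_policies: identity policies attached to the IAM user/group/role.
    is_root_user: the account root user has no IAM policies but is still
    bound by SCPs (the point of the exam question above).
    """
    # 1. SCPs set the outer boundary: a Deny or a missing Allow in any one of them
    #    blocks the request no matter what the IAM policies say.
    for scp in scps:
        if evaluate_policy(scp, action) != "Allow":
            return False
    # 2. IAM policies cannot be attached to the root user, so nothing further applies.
    if is_root_user:
        return True
    # 3. Inside the SCP boundary, IAM needs an explicit Allow and no explicit Deny.
    decisions = [evaluate_policy(p, action) for p in iam_policies]
    if "Deny" in decisions:
        return False
    return "Allow" in decisions


if __name__ == "__main__":
    for act in ("ec2:RunInstances", "cloudtrail:StopLogging",
                "ec2:TerminateInstances", "s3:PutObject"):
        dev = is_allowed(act, [SCP_PROTECT_AUDIT], [IAM_DEVELOPER])
        root = is_allowed(act, [SCP_PROTECT_AUDIT], [], is_root_user=True)
        print(f"{act:26s} developer={dev!s:5s} root={root}")
```

Running the block shows the two rules the question tests: `cloudtrail:StopLogging` is refused even for the root user because the OU's SCP denies it, while `s3:PutObject` is refused for the developer (no IAM Allow) but permitted for the root user (SCP allows, and no IAM policy can restrict root).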

Compliance

  • General Data Protection Regulation (GDPR)
  • Health Insurance Portability and Accountability Act (HIPAA)

AWS Artifact

A service that provides on-demand access to AWS security and compliance reports and select online agreements.


AWS Artifact consists of 2 main sections:

  1. AWS Artifact Agreements (review, accept, and manage agreements with AWS)
  2. AWS Artifact Reports (access AWS compliance reports on demand)

AWS Artifact provides access to AWS security and compliance documents, such as AWS ISO certifications, Payment Card Industry (PCI) reports, and Service Organization Control (SOC) reports.

AWS Customer Compliance Center

You can read customer compliance stories to discover how companies in regulated industries have solved various compliance, governance, and audit challenges. 


Denial-of-Service (DoS) Attacks

A deliberate attempt to make a website or application unavailable to users.

e.g. An attacker might flood a website or application with excessive network traffic until the targeted website or application becomes overloaded and is no longer able to respond.


Distributed Denial-of-Service (DDoS) Attacks

In a DDoS attack, multiple sources are used to start an attack that aims to make a website or application unavailable. The sources can be a group of attackers, or a single attacker controlling many bots.

  • e.g.
    • UDP flood -> mitigation: security groups
    • HTTP-level attacks
    • Slowloris attack -> mitigation: Elastic Load Balancer (ELB)

To help minimize the effect of DoS and DDoS attacks on your applications, you can use AWS Shield.


AWS Shield

A service that protects applications against DDoS attacks.

AWS Shield provides 2 levels of protection:

  1. AWS Shield Standard (automatically protects all AWS customers at no cost)
  2. AWS Shield Advanced (a paid service that provides detailed attack diagnostics and the ability to detect and mitigate sophisticated DDoS attacks)
    • Integrates with Amazon CloudFront, Amazon Route 53, and Elastic Load Balancing
    • Integrates with AWS WAF, where you can write custom rules to mitigate complex DDoS attacks

Additional Security Services

Encryption

Securing a message or data in a way that only authorized parties can access it.

  • Encryption at rest (protecting data while it is stored)
    • e.g. DynamoDB table, AWS KMS
  • Encryption in transit (protecting data while it is being sent and received)
    • e.g. Secure Sockets Layer (SSL), AWS SQS / S3 / RDS ...

AWS Key Management Service (AWS KMS)

You can use AWS KMS to create, manage, and use cryptographic keys. A cryptographic key is a random string of digits used for locking (encrypting) and unlocking (decrypting) data. 

  • You can specify which IAM users and roles are able to manage keys
  • You can temporarily disable keys so that they are no longer in use by anyone. 
  • Your keys never leave AWS KMS, and you are always in control of them.


AWS WAF

A web application firewall that lets you monitor network requests that come into your web applications. 

  • AWS WAF works together with Amazon CloudFront and an Application Load Balancer.

Amazon Inspector

Background and purpose:

The developers want to make sure that they are designing the application in accordance with security best practices. To perform automated security assessments, they decide to use Amazon Inspector.

Overview:

Amazon Inspector helps to improve the security and compliance of applications by running automated security assessments. It checks applications for security vulnerabilities and deviations from security best practices, such as open access to Amazon EC2 instances and installations of vulnerable software versions.

The service consists of 3 parts:

  1. Network configuration reachability piece
  2. Amazon agent, which can be installed on EC2 instances
  3. Security assessment service
    • Provides security findings prioritized by severity level, including detailed descriptions of each security issue and recommendations for remediation.


Amazon GuardDuty

A service that provides intelligent threat detection (using machine learning) for your AWS infrastructure and resources. It identifies threats by continuously monitoring the network activity and account behavior within your AWS environment.

You do not have to deploy or manage any additional security software.

  • GuardDuty continuously analyzes data from multiple AWS sources, including AWS CloudTrail events, Amazon VPC Flow Logs, and DNS logs.
  • If GuardDuty detects any threats, you can review detailed findings about them from the AWS Management Console. Findings include recommended steps for remediation. You can also configure AWS Lambda functions to take remediation steps automatically in response to GuardDuty's security findings.
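The last bullet above describes the usual pattern: GuardDuty publishes findings to Amazon EventBridge, an EventBridge rule invokes a Lambda function, and the function acts on the finding. The following is an added example, not an AWS sample or course code, of such a handler in Python. It assumes an environment variable `QUARANTINE_SG_ID` naming a pre-created security group with no rules, uses a constructed finding event in the shape GuardDuty emits, and takes its AWS clients as injectable parameters so the decision logic can be exercised offline without the boto3 SDK.

```python
# Added example (not an AWS sample): a Lambda handler that turns a GuardDuty
# finding, delivered through EventBridge, into a remediation decision.
# Assumptions: QUARANTINE_SG_ID names a pre-created security group with no
# inbound/outbound rules; AWS clients are injected so the logic can run offline.
import os

QUARANTINE_SG = os.environ.get("QUARANTINE_SG_ID", "sg-QUARANTINE-PLACEHOLDER")

# Finding families where isolating the EC2 instance is a reasonable first response.
EC2_ISOLATE_PREFIXES = ("UnauthorizedAccess:EC2/", "Backdoor:EC2/",
                        "CryptoCurrency:EC2/", "Trojan:EC2/")

# Constructed EventBridge event in the shape GuardDuty emits (detail-type "GuardDuty Finding").
SAMPLE_EVENT = {
    "source": "aws.guardduty",
    "detail-type": "GuardDuty Finding",
    "region": "us-east-1",
    "detail": {
        "accountId": "111122223333",                         # placeholder account id
        "type": "UnauthorizedAccess:EC2/SSHBruteForce",
        "severity": 5.0,
        "resource": {
            "resourceType": "Instance",
            "instanceDetails": {"instanceId": "i-0123456789abcdef0"},  # constructed id
        },
    },
}


def severity_label(score):
    """Map GuardDuty's numeric severity to its Low / Medium / High bands."""
    if score >= 7.0:
        return "High"
    if score >= 4.0:
        return "Medium"
    return "Low"


def plan_remediation(event, min_severity=4.0):
    """Describe what to do for this event; None when it is not a GuardDuty finding."""
    if event.get("source") != "aws.guardduty" or event.get("detail-type") != "GuardDuty Finding":
        return None
    detail = event["detail"]
    score = float(detail.get("severity", 0.0))
    plan = {"finding_type": detail["type"], "severity": severity_label(score),
            "account": detail["accountId"], "actions": []}
    resource = detail.get("resource", {})
    if score < min_severity:
        plan["actions"].append("notify_only")          # below threshold: humans triage it
    elif resource.get("resourceType") == "Instance" and detail["type"].startswith(EC2_ISOLATE_PREFIXES):
        plan["instance_id"] = resource["instanceDetails"]["instanceId"]
        plan["actions"].append("isolate_instance")
    elif resource.get("resourceType") == "AccessKey":
        keys = resource["accessKeyDetails"]
        plan["user_name"] = keys["userName"]
        plan["access_key_id"] = keys["accessKeyId"]
        plan["actions"].append("disable_access_key")
    else:
        plan["actions"].append("notify_only")
    return plan


def _default_client(service):
    import boto3  # imported lazily so the decision logic runs without the SDK installed
    return boto3.client(service)


def handler(event, context=None, ec2_client=None, iam_client=None):
    """Lambda entry point. Clients default to boto3 when not injected."""
    plan = plan_remediation(event)
    if plan is None:
        return {"status": "ignored"}
    if "isolate_instance" in plan["actions"]:
        ec2 = ec2_client or _default_client("ec2")
        # Swap the instance's security groups for the quarantine group: traffic stops,
        # but the instance stays up for forensics.
        ec2.modify_instance_attribute(InstanceId=plan["instance_id"], Groups=[QUARANTINE_SG])
    if "disable_access_key" in plan["actions"]:
        iam = iam_client or _default_client("iam")
        iam.update_access_key(UserName=plan["user_name"],
                              AccessKeyId=plan["access_key_id"], Status="Inactive")
    return {"status": "remediated", "plan": plan}


class RecordingClient:
    """Stand-in for a boto3 client that records the calls it receives (offline use)."""

    def __init__(self):
        self.calls = []

    def __getattr__(self, name):
        def method(**kwargs):
            self.calls.append((name, kwargs))
            return {}
        return method


if __name__ == "__main__":
    ec2 = RecordingClient()
    print(handler(SAMPLE_EVENT, ec2_client=ec2))
    print(ec2.calls)
```

Keeping `plan_remediation` free of AWS calls is the design choice worth copying: the severity threshold and finding-type mapping can be unit-tested, and the only side effects (quarantining an instance, deactivating an access key) happen in `handler` against whatever client is passed in.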


AWS Security Hub

Automate AWS security checks and centralize security alerts.


Summary

The top priority of AWS is security.

