AWS CSA Notes '22: Part 3 of 8 - Security

3 Security

3.1 AWS Identity and Access Management (IAM)

AWS IAM allows you to perform the following:

  • Manage IAM users and access
  • Manage federated users and their permissions
  • Manage IAM roles and their permissions
Tips:
  • AWS IAM follows the Principle of Least Privilege, where cloud users receive the minimum set of permissions and access rights needed to perform their tasks.
  • In IAM:
    • A user is a primary entity representing a person or service, such as a platform or application that interacts with the environment.
    • A group is a collection of users that share common policies and permissions.
    • A role is a generic identity that has permissions to make AWS service requests.
    • Policies are objects that define the permissions attached and granted to users, groups, roles, and AWS resources.
  • IAM supports MFA.

3.2 AWS Encryption Services

You need to understand the following encryption techniques:

  • Server-side encryption with Amazon S3-managed keys (SSE-S3):
    • AWS is responsible for end-to-end control of the encryption and decryption, including master key generation and management.
    • Amazon encrypts every object with a unique object/data key.
    • A master key - frequently rotated to protect against compromise - then encrypts the object/data key again.
    • SSE-S3 uses AES-256 encryption to encrypt at rest.
  • Server-side encryption with AWS KMS (SSE-KMS):
    • SSE-KMS has added benefits over SSE-S3.
    • You can either use the unique, default Customer Master Key (CMK) generated by AWS, or create and manage the encryption keys yourself.
    • Creating your own CMK provides greater control and flexibility.
  • Server-side encryption with customer-provided keys (SSE-C):
    • AWS S3 manages the encryption/decryption while the client manages the encryption keys.
    • The client must send the encryption key together with the object to be encrypted in each request.
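
The three modes differ only in who supplies the key, and that shows up in the request headers. The following added example (not from the original notes) builds the S3 REST API headers for SSE-S3, SSE-KMS and SSE-C, including the base64 MD5 digest S3 requires for a customer-provided key, and classifies a request's encryption mode the way an upload gateway would before rejecting unencrypted uploads. The header names are the documented S3 ones; the KMS key alias and the sample key are constructed.

```python
import base64
import hashlib

# S3 REST API request headers that select each server-side encryption mode.
SSE = "x-amz-server-side-encryption"
SSE_KMS_KEY_ID = "x-amz-server-side-encryption-aws-kms-key-id"
SSE_C_ALG = "x-amz-server-side-encryption-customer-algorithm"
SSE_C_KEY = "x-amz-server-side-encryption-customer-key"
SSE_C_KEY_MD5 = "x-amz-server-side-encryption-customer-key-MD5"


def sse_s3_headers() -> dict:
    """SSE-S3: S3 generates, rotates and stores the keys; the client only asks for AES-256."""
    return {SSE: "AES256"}


def sse_kms_headers(kms_key_id: str = "") -> dict:
    """SSE-KMS: omit the key id to use the account's default key, or name your own CMK."""
    headers = {SSE: "aws:kms"}
    if kms_key_id:
        headers[SSE_KMS_KEY_ID] = kms_key_id
    return headers


def sse_c_headers(raw_key: bytes) -> dict:
    """SSE-C: the client sends its own 256-bit key with the request; S3 uses it, then discards it.
    The base64 MD5 of the key lets S3 detect a corrupted key before encrypting with it."""
    if len(raw_key) != 32:
        raise ValueError("SSE-C needs a 256-bit (32-byte) AES key")
    return {
        SSE_C_ALG: "AES256",
        SSE_C_KEY: base64.b64encode(raw_key).decode(),
        SSE_C_KEY_MD5: base64.b64encode(hashlib.md5(raw_key).digest()).decode(),
    }


def sse_mode(headers: dict) -> str:
    """Classify a request's encryption-at-rest mode; an upload gateway would use this
    to refuse PutObject requests that ask for no server-side encryption."""
    if headers.get(SSE_C_ALG) == "AES256" and SSE_C_KEY in headers:
        key = base64.b64decode(headers[SSE_C_KEY])
        md5 = base64.b64encode(hashlib.md5(key).digest()).decode()
        return "SSE-C" if headers.get(SSE_C_KEY_MD5) == md5 else "SSE-C (bad key digest)"
    if headers.get(SSE) == "aws:kms":
        return "SSE-KMS"
    if headers.get(SSE) == "AES256":
        return "SSE-S3"
    return "none requested (bucket default encryption, if configured, applies)"
```

Note that the SSE-C key travels in the request, so SSE-C only makes sense over HTTPS and the key must be kept client-side, since S3 cannot decrypt the object without it.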
Amazon SQS (Simple Queue Service) integrates with AWS KMS to manage customer master keys. Once enabled, SQS uses AES-256 to encrypt each message.

Other AWS services:
  • AWS WAF (Web Application Firewall) and AWS Shield
    • AWS WAF helps protect APIs and web applications against common web attacks.
    • You can integrate WAF with CloudFront, which also provides:
      • CloudFront custom error pages
      • CloudFront geo-restriction
      • CloudFront in front of applications running on an HTTP server.

Further reading: https://docs.aws.amazon.com/whitepapers/latest/disaster-recovery-workloads-on-aws/disaster-recovery-workloads-on-aws.pdf


Glossary:
  • AES-256 = 256-bit Advanced Encryption Standard
  • AZ = Availability Zone
  • KMS = Key Management Service (AWS Key Management Service)
  • MFA = Multi-Factor Authentication
