AWS Solution Architect Professional Certification Prep.

Covered AWS Security services

This article gives a high-level view of how to prepare for AWS SAP-C02. It also records the daily routine I am following to crack this certification.

17-Aug-24

  1. AWS CloudTrail -

    1. History of events/API calls

    2. Audit logs to track AWS account activities

    3. A trail can be applied to all regions/single region

    4. Can push logs into CloudWatch Logs or S3 for retention beyond the default event history

    5. Event types - management events (read/write events), data events, CloudTrail insight events

    6. You can use Athena to analyze logs

    7. An organizational trail can be created from the management account to monitor all member accounts

    8. CloudTrail may take up to 15 minutes to deliver events. EventBridge is the fastest way to react to events; log delivery to S3 happens roughly every 5 minutes.

    9. Meditation by Sadhguru - 10 mins

  2. KMS (Key Management Service) -

    1. Key Types -

      1. Symmetric - AES-256; AWS services that are integrated with KMS use this key type. You never get access to the unencrypted KMS key.

      2. Asymmetric - RSA and ECC key pairs (public and private key). Use case: encryption outside of AWS by parties that can't call the KMS API.

    2. Types of KMS keys -

      NOTE - Don't confuse these with the key types above: those are general cryptographic key types (inside or outside AWS), while the following are the ownership types of AWS KMS keys:

      1. Customer-managed keys

      2. AWS-managed keys

      3. AWS-owned keys

    3. CloudHSM (hardware security module) - custom key store; integrate KMS with CloudHSM; cluster across 2 AZs for multi-AZ; direct control over the HSM. Use it when you want dedicated hardware for cryptographic operations. Supports both symmetric and asymmetric encryption. Redshift supports database encryption and key management with it. Good option to use with SSE-C. CRUD (create, read, update, delete) permissions come from IAM; no free tier; MFA support; FIPS 140-2 Level 3. AWS admin -> manages the appliance, but you control the keys.

  3. KMS external key material - BYOK (bring your own key): supports both symmetric and asymmetric keys, owned and managed by you, can't be used with CloudHSM, and you must rotate the key manually.

  4. KMS multi-region keys - the same key material and key ID in multiple regions; primary + replicas concept; only one primary key at a time (a replica can be promoted to become the primary).

  5. We can encrypt at most 4 KB of data directly with a CMK. To encrypt more than 4 KB, use a data key (envelope encryption).

  6. Meditation by Sadhguru - 10 mins

18-Aug-24

  1. SSM Parameter Store - 2 types: Standard and Advanced

    1. Secure storage for configuration and secrets, version tracking

    2. Serverless, scalable, durable

    3. Security through IAM

    4. Integration with CloudFormation

    5. You can also reference secrets stored in Secrets Manager through Parameter Store

  2. AWS Secrets Manager

    1. Used to store secrets

    2. Capability of rotating the secrets (using Lambda)

    3. Natively supports rotation for Amazon RDS, Redshift, and DocumentDB

    4. Supports other DBs and services (using custom Lambda function)

    5. Control access to secrets using resource-based policy

    6. Sharing across accounts - share the KMS key and modify the resource-based policy

  3. RDS security

    1. KMS - encryption at rest for storage

    2. TDE (transparent data encryption) for Oracle and SQL Server

    3. SSL/TLS encryption for data in flight

    4. IAM authentication for MySQL, PostgreSQL, and MariaDB

    5. Authorization still happens in RDS, not in IAM

    6. Can copy unencrypted RDS snapshots to encrypted ones

    7. CloudTrail cannot be used to track queries within RDS

  4. SSL/TLS

    1. Asymmetric encryption is expensive compared with symmetric encryption.

    2. SNI (Server Name Indication) - multiple SSL certs on one server to serve multiple websites.

    3. Works only with ALB, NLB, and CloudFront.

    4. Man-in-the-middle attacks - mitigate with HTTPS and a DNS that supports DNSSEC.

    5. Route 53 supports DNSSEC.

  5. Isha kriya by Sadhguru 10 mins

20-Aug-24

  1. ACM (AWS Certificate Manager) - 2 types of certificates: public and private

    1. Integrations - load balancers, CloudFront distributions, API Gateway

    2. Renewal process - automatic if the certificate was generated by ACM, otherwise a manual process

    3. Regional service, so you need a certificate in each region where an ALB runs; not needed for CloudFront as it is a global service

    4. How does SSL work on EC2? - retrieve the certificate on EC2 boot from SSM Parameter Store; better to set up CloudHSM for SSL offloading, which saves some EC2 CPU

  2. S3 security - types of encryption

    1. SSE-S3, SSE-KMS, SSE-C, Client-side encryption

    2. Glacier - data is encrypted with AES-256

    3. Encryption in transit - SSL/TLS; HTTPS is mandatory for SSE-C

    4. Events in an S3 bucket - S3 access logs, S3 event notifications, Trusted Advisor, EventBridge

    5. IAM policy, resource-based policy, ACLs

    6. S3 bucket policy condition -

      1. Source IP -> public IP or Elastic IP

      2. VPC source IP -> private IP (through a VPC endpoint)

      3. Source VPC -> for all VPC endpoints of a VPC; VPC endpoint (source VPCE) -> for one or a few specific VPC endpoints

      4. See the link below for more example policies:

        https://docs.aws.amazon.com/AmazonS3/latest/userguide/example-bucket-policies.html

    7. S3 pre-signed URLs -

      1. Can be generated using the SDK or CLI

      2. The default expiry is 1 hour

      3. URLs are signed with your IAM credentials, so whoever holds the URL inherits the permissions of the IAM user that signed it (until it expires)

    8. VPC gateway endpoints for S3

    9. Object lock (WORM - write once read many) - S3 object lock, Glacier vault lock

    10. Isha kriya by Sadhguru - 10 mins
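The pre-signed URL notes above, illustrated with an added example that is not part of the original notes: a stand-alone SigV4 query-string signer using only the Python standard library (no boto3). It shows that the URL carries the signer's access key ID, the signing time and the 1-hour expiry in plain text, while the signature itself is derived from the signer's secret. The bucket, key, region and credentials are constructed placeholders.

```python
import hashlib
import hmac
from datetime import datetime, timezone
from urllib.parse import quote

# Constructed placeholder values; not a real bucket and not real credentials.
DEMO = dict(bucket="example-bucket", key="reports/q3 2024.pdf", region="us-east-1",
            access_key_id="AKIAEXAMPLE0000000", secret_key="example-secret-not-real")

def _hmac(key: bytes, msg: str) -> bytes:
    return hmac.new(key, msg.encode(), hashlib.sha256).digest()

def presign_get_object(bucket, key, region, access_key_id, secret_key, now=None, expires=3600):
    """SigV4 query-string pre-signed GET URL for s3://bucket/key; expires is in seconds
    (3600 = the 1-hour default mentioned in the notes)."""
    now = now or datetime.now(timezone.utc)
    amz_date, date = now.strftime("%Y%m%dT%H%M%SZ"), now.strftime("%Y%m%d")
    scope = f"{date}/{region}/s3/aws4_request"
    host = f"{bucket}.s3.{region}.amazonaws.com"
    path = quote("/" + key, safe="/")
    # Everything here is visible to whoever holds the URL: who signed it and until when.
    params = {"X-Amz-Algorithm": "AWS4-HMAC-SHA256",
              "X-Amz-Credential": f"{access_key_id}/{scope}",
              "X-Amz-Date": amz_date,
              "X-Amz-Expires": str(expires),
              "X-Amz-SignedHeaders": "host"}
    canonical_qs = "&".join(f"{quote(k, safe='')}={quote(v, safe='')}"
                            for k, v in sorted(params.items()))
    canonical_request = "\n".join(["GET", path, canonical_qs, f"host:{host}\n", "host",
                                   "UNSIGNED-PAYLOAD"])
    string_to_sign = "\n".join(["AWS4-HMAC-SHA256", amz_date, scope,
                                hashlib.sha256(canonical_request.encode()).hexdigest()])
    # Derive the signing key from the secret: only the holder of the secret can produce it.
    k_date = _hmac(("AWS4" + secret_key).encode(), date)
    signing_key = _hmac(_hmac(_hmac(k_date, region), "s3"), "aws4_request")
    signature = hmac.new(signing_key, string_to_sign.encode(), hashlib.sha256).hexdigest()
    return f"https://{host}{path}?{canonical_qs}&X-Amz-Signature={signature}"

def demo_url(secret_key=DEMO["secret_key"]):
    """Sign the demo object at a fixed instant so the output is reproducible."""
    fixed = datetime(2024, 8, 20, 12, 0, tzinfo=timezone.utc)
    return presign_get_object(**{**DEMO, "secret_key": secret_key}, now=fixed)

if __name__ == "__main__":
    print(demo_url())
```

Anyone who obtains the URL can use it until X-Amz-Date plus X-Amz-Expires has passed, which is why the default 1-hour window and the permissions of the signing identity both matter.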

21-Aug-24

  1. S3 Access points -

    1. An additional policy layer in front of S3, helpful for directing a principal to the exact bucket location. For example, access point A allows access to S3 folder A, access point B allows access to S3 folder B, and so on.

    2. It simplifies security management in S3: the bucket policy becomes simpler and scales better because policy management is offloaded to the access points. Each access point has its own DNS name (Internet or VPC origin).

    3. S3 multi-region access points provide failover control and a global endpoint for multiple buckets (S3 replication can be enabled); if failover is not enabled, requests are routed to the nearest region with the lowest latency.

  2. S3 Object Lambda

    1. Uses a Lambda function to transform the object just before it is retrieved.

    2. Flow will be: S3 bucket -> access points -> Lambda function -> S3 Object Lambda access points -> User

  3. DDoS and AWS Shield -

    1. What is a DDoS attack? - types:

      DDoS, SYN flood, UDP reflection, DNS flood, Slowloris, application-level attacks (e.g. cache-busting strategies)

    2. AWS Shield

      1. Standard - enabled by default - protects from layer 3/4 attacks

      2. Advanced - 24/7 premium support

    3. AWS WAF - filters requests

    4. CloudFront and Route 53 - DDoS mitigation at the edge of the global network

    5. Auto Scaling - be ready to scale

    6. Separate static and dynamic requests

  4. Isha kriya by Sadhguru - 10 mins

22-Aug-24

  1. AWS WAF -

    1. Protects from Layer 7 web attacks

    2. Can be deployed on ALB, API Gateway, CloudFront, AppSync

    3. WAF is not for DDoS protection

    4. Need to define web ACLs and create/attach different rules

    5. AWS WAF managed rules - baseline rule groups, use-case-specific rule groups, IP reputation rule groups, bot control managed rule group

    6. WAF logs -> CloudWatch Logs, S3, Kinesis Data Firehose

  2. AWS Firewall Manager - manages rules in all accounts of an organization

  3. Isha kriya by Sadhguru - 10 mins

23-Aug-24

  1. AWS Inspector - automated security assessment for EC2, container images, and Lambda functions. Reports to and integrates with Security Hub and EventBridge. Each finding carries a risk score used for prioritization.

  2. AWS Config -

    1. Helps record configuration and changes over time.

    2. Doesn't prevent actions; it only records them.

    3. Can receive notifications via SNS for any changes and can aggregate data across regions/accounts in a central place. AWS Config rules -> AWS managed rules, custom config rules (using Lambda).

    4. Rules can be triggered for each change or at regular intervals. Auto remediation through SSM automation.

  3. AWS managed logs

    1. LB access logs -> S3

    2. CloudTrail logs -> S3, CloudWatch Logs

    3. VPC flow logs -> S3, CloudWatch Logs, Kinesis Data Firehose

    4. Route 53 access logs -> CloudWatch Logs

    5. S3 access logs -> S3

    6. CloudFront logs -> S3

    7. AWS Config logs -> S3

  4. Amazon GuardDuty - intelligent threat detection to protect your account, using machine learning, with no additional software to install; can detect cryptocurrency-mining activity; supports trusted IP lists and threat IP lists

    1. Input data includes:

      1. CloudTrail event log - management events, S3 data events

      2. VPC flow log

      3. DNS log

      4. Optional features - EKS audit logs, RDS & Aurora, EBS, Lambda, etc.

    2. GuardDuty delegated administrator - An admin member account to manage GuardDuty on all accounts within the organization. Only the organization management account can grant the admin permission.

  5. IAM advanced policies (condition keys) -

    1. For AWS source IP (public IP)

    2. For the requested region

    3. For EC2 resource tags

    4. To force MFA

    5. AWS principal org ID (aws:PrincipalOrgID) to restrict resources so that only users/accounts that are part of a particular organization can access them.

  6. Isha kriya by Sadhguru - 10 mins
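As an added example (not from the original notes) tying together the S3 bucket policy conditions in the 20 Aug notes and the IAM advanced policies above: two policies written as Python data, plus a deliberately simplified model of IAM evaluation that handles only the condition operators used here and skips Action/Resource/Principal matching. All IDs, the account number and the IP range are constructed placeholders.

```python
import ipaddress
# Constructed placeholder identifiers; not real resources.
BUCKET, VPCE_ID, ORG_ID = "example-bucket", "vpce-0123456789abcdef0", "o-exampleorg1"
OFFICE_CIDR = "203.0.113.0/24"  # documentation range standing in for the office public IP

# Bucket policy for condition 6.3 (source VPCE): deny anything not arriving via our VPC endpoint.
# Internet requests have no aws:SourceVpce key; StringNotEquals on a missing key matches them.
VPCE_ONLY_BUCKET_POLICY = [
    {"Effect": "Deny", "Principal": "*", "Action": "s3:*",
     "Resource": [f"arn:aws:s3:::{BUCKET}", f"arn:aws:s3:::{BUCKET}/*"],
     "Condition": {"StringNotEquals": {"aws:SourceVpce": VPCE_ID}}},
    {"Effect": "Allow", "Principal": {"AWS": "arn:aws:iam::111122223333:role/app-role"},
     "Action": "s3:GetObject", "Resource": f"arn:aws:s3:::{BUCKET}/*"},
]

# Identity policy combining IAM advanced policies 1, 4 and 5: office IP, MFA, organization.
ORG_MFA_IP_POLICY = [{
    "Effect": "Allow", "Action": "s3:*", "Resource": "*",
    "Condition": {"IpAddress": {"aws:SourceIp": OFFICE_CIDR},
                  "Bool": {"aws:MultiFactorAuthPresent": "true"},
                  "StringEquals": {"aws:PrincipalOrgID": ORG_ID}},
}]

def _condition_holds(operator, key, wanted, context):
    values = wanted if isinstance(wanted, list) else [wanted]
    actual = context.get(key)
    negated = operator in ("StringNotEquals", "NotIpAddress")
    if actual is None:  # missing key: positive operators fail, negated ones match
        return negated
    if operator in ("StringEquals", "StringNotEquals"):
        hit = actual in values
    elif operator in ("IpAddress", "NotIpAddress"):
        hit = any(ipaddress.ip_address(actual) in ipaddress.ip_network(v) for v in values)
    elif operator == "Bool":
        hit = str(actual).lower() == str(values[0]).lower()
    else:
        raise ValueError(f"condition operator not modelled: {operator}")
    return hit != negated

def evaluate(statements, context):
    """Simplified IAM decision (Conditions only): matching Deny wins, then matching Allow, else deny."""
    decision = "Deny"
    for statement in statements:
        conditions = statement.get("Condition", {})
        if all(_condition_holds(op, k, v, context)
               for op, pairs in conditions.items() for k, v in pairs.items()):
            if statement["Effect"] == "Deny":
                return "Deny"
            decision = "Allow"
    return decision
```

The request context is the dictionary of condition keys AWS would populate for a call; run evaluate() with and without the aws:SourceVpce key to see why a Deny with StringNotEquals also blocks requests from the public internet.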

24-Aug-24

  1. AWS Security Hub -

    1. Central security tool to manage security across accounts and automate security checks.

    2. Must enable AWS Config.

    3. Automatically aggregates findings in a standard finding format from various AWS services and AWS partner tools: AWS Config, GuardDuty, Inspector, Macie, IAM Access Analyzer, AWS Systems Manager, AWS Firewall Manager, AWS Health, AWS Partner Network solutions, etc.

  2. Amazon Detective - Analyzes, investigates, and quickly identifies the root cause of security issues or suspicious activities (using ML and graphs), automatically collects and processes events from different AWS logs, and creates a unified view.

  3. AWS Network Firewall - a stateful, managed network firewall and intrusion detection/prevention service for your VPC. Components: rule groups, firewall policy, firewall.

  4. Amazon Macie - uses machine learning to identify sensitive data in S3.

  5. Isha kriya by Sadhguru - 10 mins

Good to know points:

  1. Architecture using WAF, CloudFront, and Secrets Manager to prevent requests from bypassing CloudFront and reaching the ALB directly

  2. Difference between WAF, Firewall Manager, and Shield

  3. Ways to block an IP or a set of IPs in different architectures:

    1. The app is deployed on EC2 and users access the instance directly

    2. The app is deployed on EC2 + ALB or EC2 + NLB

    3. The app is deployed on EC2 + ALB + CloudFront

  4. EC2 Instance Connect - how it works and the IP ranges list:

    https://ip-ranges.amazonaws.com/ip-ranges.json

  5. How do symmetric and asymmetric encryption work?

    https://www.youtube.com/watch?v=AQDCe585Lnc

  6. How does SSL/TLS work?

    https://www.youtube.com/watch?v=j9QmMEWmcfo