AWS Solutions Architect Professional Certification Prep
Covered AWS Security services
This article gives a high-level view of how to prepare for AWS SAP-C02. In it I have written down the daily routine I am following to pass this certification.
17-Aug-24
AWS CloudTrail -
History of events/API calls
Audit logs to track AWS account activities
A trail can be applied to all regions/single region
Can push logs into CloudWatch Logs or S3; otherwise only the default event-history retention applies
Event types - management events (read/write events), data events, CloudTrail Insights events
You can use Athena to analyze logs
An organizational trail can be created from the management account to monitor all member accounts
CloudTrail may take up to 15 minutes to deliver events. EventBridge is the fastest way to react to them; log file delivery to S3 happens roughly every 5 minutes.
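An added example, not part of the original notes, of the kind of check you would run over a CloudTrail log file delivered to S3: it parses the records and flags console logins without MFA, root-user activity, and API calls in regions you do not use. ReviewTrail, trailRecord and sampleTrail are my own names, and the log file, account ID, ARNs and IP addresses are constructed.

```go
package main

import (
	"encoding/json"
	"fmt"
)

// trailRecord holds the CloudTrail record fields this review reads; real records carry many more.
type trailRecord struct {
	EventName    string `json:"eventName"`
	AwsRegion    string `json:"awsRegion"`
	SourceIP     string `json:"sourceIPAddress"`
	UserIdentity struct {
		Type string `json:"type"`
		Arn  string `json:"arn"`
	} `json:"userIdentity"`
	AdditionalEventData map[string]any `json:"additionalEventData"`
}

// ReviewTrail parses one CloudTrail log file (the {"Records":[...]} object delivered to S3)
// and returns a finding per console login without MFA, root-user action, and call outside allowed.
func ReviewTrail(raw []byte, allowed map[string]bool) ([]string, error) {
	var f struct{ Records []trailRecord `json:"Records"` }
	if err := json.Unmarshal(raw, &f); err != nil {
		return nil, err
	}
	var findings []string
	for _, r := range f.Records {
		if r.EventName == "ConsoleLogin" && r.AdditionalEventData["MFAUsed"] != "Yes" {
			findings = append(findings, "console login without MFA: "+r.UserIdentity.Arn+" from "+r.SourceIP)
		}
		if r.UserIdentity.Type == "Root" {
			findings = append(findings, "root user activity: "+r.EventName)
		}
		if !allowed[r.AwsRegion] {
			findings = append(findings, r.EventName+" called in unexpected region "+r.AwsRegion)
		}
	}
	return findings, nil
}

// sampleTrail is a constructed log file: the account ID, ARNs and IP addresses are made up.
const sampleTrail = `{"Records":[
{"eventName":"ConsoleLogin","awsRegion":"us-east-1","sourceIPAddress":"203.0.113.10","userIdentity":{"type":"IAMUser","arn":"arn:aws:iam::111122223333:user/alice"},"additionalEventData":{"MFAUsed":"No"}},
{"eventName":"CreateUser","awsRegion":"us-east-1","sourceIPAddress":"203.0.113.10","userIdentity":{"type":"Root","arn":"arn:aws:iam::111122223333:root"}},
{"eventName":"RunInstances","awsRegion":"sa-east-1","sourceIPAddress":"198.51.100.7","userIdentity":{"type":"IAMUser","arn":"arn:aws:iam::111122223333:user/bob"}}
]}`
func main() {
	findings, _ := ReviewTrail([]byte(sampleTrail), map[string]bool{"us-east-1": true, "eu-west-1": true})
	fmt.Println(findings)
}
```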
Meditation by Sadhguru - 10 mins
KMS (Key Management Service) -
Key Types -
Symmetric - AES-256. AWS services integrated with KMS use this key type. You never get access to the unencrypted key material.
Asymmetric - RSA and ECC key pairs (public and private key). Use case: encryption outside AWS by parties that can't call the KMS API (they use the public key).
Types of KMS keys -
NOTE - Don't confuse these with the key types above: those describe the cryptographic method (symmetric vs. asymmetric, with or without AWS), while the following are the ownership types of AWS KMS keys:
Customer-managed keys
AWS-managed keys
AWS-owned keys
CloudHSM (hardware security module) - custom key store that integrates KMS with an HSM; deploy the cluster across 2 AZs for multi-AZ; you have direct control over the HSM. Use it when you want dedicated hardware for cryptographic operations. Supports both symmetric and asymmetric encryption. Redshift supports database encryption and key management with it. A good option together with SSE-C. IAM handles CRUD (create, read, update, delete) permissions; no free tier; MFA support; FIPS 140-2 Level 3. AWS manages the appliance, but you control the keys.
KMS external key material - BYOK (bring your own key); supports both symmetric and asymmetric keys; you own and manage the key material yourself; can't be used with CloudHSM; you rotate the key manually.
KMS multi-region keys - the same key with the same key ID in multiple regions; the concept is primary + replicas, with only one primary key at a time (a replica can be promoted to become the primary).
A KMS key (CMK) can encrypt at most 4 KB of data directly. To encrypt more than 4 KB, generate a data key with KMS and encrypt the data locally with it (envelope encryption).
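An added example (not from the original notes or from AWS) of the envelope-encryption pattern this note describes: the data is encrypted locally with AES-256-GCM under a one-off data key, and only that data key goes through KMS. Envelope, Seal, Open, must, random and gcmFor are my own names, and fakeKMS is a stand-in for the service so the code runs offline; with the AWS SDK its two methods correspond to the GenerateDataKey and Decrypt API calls.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
)

// Envelope is what gets stored: the local ciphertext plus the KMS-wrapped data key.
type Envelope struct{ WrappedKey, Nonce, Ciphertext []byte }
// fakeKMS stands in for AWS KMS in this offline example: it holds a master key that never
// leaves it and wraps each data key under that key, which is exactly the role a KMS key plays.
type fakeKMS struct{ master []byte }
func must[T any](v T, err error) T {
	if err != nil {
		panic(err)
	}
	return v
}
// gcmFor builds AES-256-GCM; every key used here is 32 bytes, so this cannot fail.
func gcmFor(key []byte) cipher.AEAD { return must(cipher.NewGCM(must(aes.NewCipher(key)))) }
func random(n int) []byte { b := make([]byte, n); must(rand.Read(b)); return b }
func (k *fakeKMS) GenerateDataKey() (plaintext, wrapped []byte) {
	key, nonce := random(32), random(12)
	return key, append(nonce, gcmFor(k.master).Seal(nil, nonce, key, nil)...)
}
func (k *fakeKMS) Decrypt(wrapped []byte) ([]byte, error) {
	if len(wrapped) < 12 {
		return nil, errors.New("malformed wrapped key")
	}
	return gcmFor(k.master).Open(nil, wrapped[:12], wrapped[12:], nil)
}

// Seal encrypts data of any size locally under a one-off data key; only that
// 32-byte key passes through KMS, so the 4 KB direct-encryption limit never applies.
func Seal(kms *fakeKMS, data []byte) *Envelope {
	plainKey, wrapped := kms.GenerateDataKey()
	nonce := random(12)
	return &Envelope{wrapped, nonce, gcmFor(plainKey).Seal(nil, nonce, data, nil)}
}

// Open has KMS unwrap the data key, then decrypts locally; any tampering fails the GCM tag check.
func Open(kms *fakeKMS, e *Envelope) ([]byte, error) {
	plainKey, err := kms.Decrypt(e.WrappedKey)
	if err != nil {
		return nil, err
	}
	return gcmFor(plainKey).Open(nil, e.Nonce, e.Ciphertext, nil)
}
```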
Meditation by Sadhguru - 10 mins
18-Aug-24
SSM Parameter Store - 2 types: Standard and Advanced
Secure storage for configuration and secrets, version tracking
Serverless, scalable, durable
Security through IAM
Integration with CloudFormation
You can also fetch secrets from Secrets Manager through Parameter Store
AWS Secrets Manager
Used to store secrets
Capability of rotating the secrets (using Lambda)
Natively supports AWS RDS, Redshift, DocumentDB
Supports other DBs and services (using custom Lambda function)
Control access to secrets using resource-based policy
Sharing across accounts - share KMS key, and modify resource-based policy
RDS security
KMS - encryption at rest for storage
TDE (transparent data encryption) for Oracle and SQL Server
SSL encryption for in-flight operations
IAM authentication for MySQL, PostgreSQL, and MariaDB
Authorization still happens in RDS, not in IAM
An unencrypted RDS snapshot can be copied into an encrypted one
CloudTrail cannot be used to track queries within RDS
SSL/TLS
Asymmetric encryption is expensive, so TLS uses it only for the handshake and switches to symmetric encryption for the data.
SNI (Server Name Indication) - lets one server hold multiple SSL certificates to serve multiple websites.
On AWS, SNI works with ALB, NLB, and CloudFront only.
Man-in-the-middle attack - mitigate with HTTPS and a DNS that supports DNSSEC.
Route 53 supports DNSSEC.
Isha kriya by Sadhguru - 10 mins
20-Aug-24
ACM (AWS Certificate Manager) - 2 types of certificates: public and private
Integrations - load balancers, CloudFront distributions, API Gateway
Renewal - automatic for certificates issued by ACM; otherwise (imported certificates) a manual process
Regional service, so you need a separate certificate for the ALBs in each region; no need for this with CloudFront, as it is a global service
How does SSL work on EC2? - retrieve the certificate on EC2 boot from SSM Parameter Store; better, set up CloudHSM for SSL offloading, which saves EC2 CPU
S3 security - types of encryption
SSE-S3, SSE-KMS, SSE-C, Client-side encryption
Glacier - data is encrypted with AES-256
Encryption in transit - SSL/TLS; HTTPS is mandatory for SSE-C
Events in an S3 bucket can be tracked with S3 access logs, S3 event notifications, Trusted Advisor, and EventBridge
Access control - IAM policies, resource-based (bucket) policies, ACLs
S3 bucket policy condition -
Source IP -> public IP or elastic IP
VPC Source IP -> private IP (through VPC endpoint)
Source VPC -> for all VPC endpoints of a VPC; VPC endpoint (source VPCE) -> for one or a few specific VPC endpoints
Please find below the link to more example bucket policies:
https://docs.aws.amazon.com/AmazonS3/latest/userguide/example-bucket-policies.html
S3 pre-signed URLs -
Can generate using SDK and CLI
The default timeout (expiry) is 1 hour
URLs are signed with your IAM credentials, so whoever uses the URL inherits the permissions of the IAM user that signed it
VPC gateway endpoints for S3
Object lock (WORM - write once read many) - S3 object lock, Glacier vault lock
Isha kriya by Sadhguru - 10 mins
21-Aug-24
S3 Access points -
An additional policy layer in front of S3 that directs each principal to the exact bucket location. For example, access point A allows access to S3 folder (prefix) A, access point B allows access to folder B, and so on.
It simplifies security management in S3: the bucket policy stays simpler and scales better, since the access points take over the policy management. Each access point has its own DNS name (internet or VPC origin).
S3 multi-region access points provide failover control, a global endpoint for multiple buckets (can enable S3 replication), and route your request to the nearest region with the lowest latency if failover is not enabled.
S3 Object Lambda
Uses the Lambda function to change the object just before it is retrieved.
Flow will be: S3 bucket -> access points -> Lambda function -> S3 Object Lambda access points -> User
DDoS and AWS Shield -
What is a DDoS attack? Common types:
SYN flood, UDP reflection, DNS flood, Slowloris, and application-level attacks (e.g., cache-busting strategies)
AWS Shield
Standard - enabled by default - protects from layer 3/4 attacks
Advanced - 24/7 premium support
AWS WAF - filters requests
CloudFront and Route 53 - DDoS mitigation at the edge of the AWS global network
Auto Scaling - be ready to scale out under load
Separate static and dynamic requests
Isha kriya by Sadhguru - 10 mins
22-Aug-24
AWS WAF -
Protects against layer 7 web attacks
Can be deployed on ALB, API Gateway, CloudFront, AppSync
WAF is not a DDoS protection service
You need to define web ACLs and create/attach different rules to them
AWS WAF managed rules - baseline rule groups, use-case-specific rule groups, IP reputation rule groups, Bot Control managed rule group
WAF logs -> CloudWatch Logs, S3, Kinesis Data Firehose
AWS Firewall Manager - manages WAF rules across all accounts of an organization
Isha kriya by Sadhguru - 10 mins
23-Aug-24
Amazon Inspector - automated security assessment for EC2 instances, container images, and Lambda functions. Reports findings and integrates with Security Hub and EventBridge. Each finding carries a risk score for prioritization.
AWS Config -
Helps record configuration and changes over time.
Does not prevent actions; it only records them.
Can send notifications via SNS for any change and can aggregate data across regions/accounts in a central place. AWS Config rules -> AWS managed rules, custom Config rules (using Lambda).
Rules can be triggered on each change or at regular intervals. Auto-remediation through SSM Automation.
AWS managed logs -
LB access logs => S3
CloudTrail logs => S3, CloudWatch Logs
VPC flow logs => S3, CloudWatch Logs, Kinesis Data Firehose
Route 53 access logs => CloudWatch Logs
S3 access logs => S3
CloudFront logs => S3
AWS Config logs => S3
Amazon GuardDuty - intelligent threat detection to protect your account, using machine learning; no additional software to install; can detect cryptocurrency attacks; supports trusted IP lists and threat IP lists
Input data includes:
CloudTrail event log - management events, S3 data events
VPC flow log
DNS log
Optional features - EKS audit logs, RDS & Aurora, EBS, Lambda, etc.
GuardDuty delegated administrator - a member account designated to manage GuardDuty for all accounts in the organization. Only the organization's management account can grant this admin permission.
IAM advanced policies - conditions on:
the AWS source IP (public IP)
the requested region
EC2 resource tags
forcing MFA
the AWS principal org ID, to restrict a resource so that only users/accounts that belong to a particular organization can access it.
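An added example, not from the original notes, that models how the IAM conditions above and the S3 bucket-policy conditions noted earlier (source IP, VPC source IP, source VPC / VPC endpoint) are evaluated. Statement, match and Evaluate are my own names; the condition keys aws:SourceIp, aws:SourceVpce, aws:PrincipalOrgID, aws:RequestedRegion and aws:MultiFactorAuthPresent are the real IAM keys, and Action/Resource matching is assumed to have happened already. It shows why an S3 policy that denies on NotIpAddress must also mention aws:SourceVpce: on a VPC endpoint request the aws:SourceIp key is absent, which makes a negated condition true.

```go
package main

import (
	"net"
	"strings"
)

// Statement: Effect plus Condition as operator -> condition key -> values; Action and Resource are assumed matched.
type Statement struct {
	Effect    string
	Condition map[string]map[string][]string
}
// match evaluates one operator on one request-context key. A key absent from the
// request makes a positive operator false and a negated (Not...) operator true,
// which is why aws:SourceIp, absent on VPC endpoint requests, is paired with aws:SourceVpce.
func match(op, key string, want []string, ctx map[string]string) bool {
	got, present := ctx[key]
	negated := strings.Contains(op, "Not")
	if !present {
		return negated || strings.HasSuffix(op, "IfExists")
	}
	hit := false
	for _, v := range want {
		if strings.Contains(op, "IpAddress") { // values must be in CIDR notation here
			_, cidr, err := net.ParseCIDR(v)
			hit = hit || (err == nil && cidr.Contains(net.ParseIP(got)))
		} else { // StringEquals, StringNotEquals, Bool and their IfExists forms
			hit = hit || strings.EqualFold(got, v)
		}
	}
	return hit != negated
}
// Evaluate applies IAM's order: an explicit Deny whose conditions all hold wins,
// otherwise an applicable Allow grants access, otherwise the implicit deny stands.
func Evaluate(policy []Statement, ctx map[string]string) bool {
	allowed := false
	for _, s := range policy {
		applies := true
		for op, keys := range s.Condition {
			for key, want := range keys {
				applies = applies && match(op, key, want, ctx)
			}
		}
		if applies && s.Effect == "Deny" {
			return false
		}
		allowed = allowed || (applies && s.Effect == "Allow")
	}
	return allowed
}
```

A bucket policy of an unconditional Allow plus a Deny carrying NotIpAddress on aws:SourceIp and StringNotEquals on aws:SourceVpce then admits only requests from the listed CIDR or the listed endpoint, and an Allow with StringEquals on aws:PrincipalOrgID and aws:RequestedRegion plus Bool on aws:MultiFactorAuthPresent denies any request whose MFA key is missing.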
Isha kriya by Sadhguru - 10 mins
24-Aug-24
AWS Security Hub -
Central security tool to manage security across accounts and automate security checks.
Must enable AWS Config.
Automatically aggregates alerts, in a predefined or custom finding format, from various AWS services and AWS partner tools: AWS Config, GuardDuty, Inspector, Macie, IAM Access Analyzer, AWS Systems Manager, AWS Firewall Manager, AWS Health, AWS Partner Network solutions, etc.
Amazon Detective - analyzes, investigates, and quickly identifies the root cause of security issues or suspicious activities (using ML and graphs); automatically collects and processes events from different AWS logs and builds a unified view.
AWS Network Firewall - a stateful, managed network firewall with intrusion detection and prevention for your VPC. Components: rule groups, firewall policy, firewall.
Amazon Macie - uses machine learning to identify sensitive data in S3.
Isha kriya by Sadhguru - 10 mins
Good to know points:
Architecture with the use of WAF, CloudFront, and Secrets Manager to avoid direct request routing to ALB
Difference between WAF, Firewall Manager, and Shield
Ways to block one or more IPs in different architectures:
The app is deployed on EC2 and the user has direct access to it
The app is deployed on EC2+ALB or EC2+NLB
The app is deployed on EC2+ALB+CloudFront
EC2 Instance Connect - understanding and IP list:
How do symmetric and asymmetric encryption work?
How does SSL/TLS work?