1 of 49

Welcome to AWS Certification Bootcamp (CLF-C02)

Not for Resale

For Education Purposes Only

2 of 49

Module 2 – Security and Compliance

  • Understand the AWS shared responsibility model
  • Understand AWS Cloud security, governance, and compliance concepts
  • Identify AWS access management capabilities
  • Identify components and resources for security

3 of 49

Define the AWS shared responsibility model

4 of 49

Shared responsibility model - overview

5 of 49

Shared responsibility model

AWS responsibility “Security of the Cloud” 

AWS is responsible for protecting the infrastructure that runs all the services offered in the AWS Cloud.

Customer responsibility “Security in the Cloud”

Customer responsibility will be determined by the AWS Cloud services that a customer selects.

6 of 49

Shared responsibility model - Lambda

  • For AWS Lambda, AWS manages the underlying infrastructure and foundation services, the operating system, and the application platform. You are responsible for the security of your code and for the IAM permissions granted to the Lambda service and within your function.

  • AWS responsibilities appear below the dotted line in orange, and customer responsibilities appear above the dotted line in blue.

7 of 49

Shared responsibility model – infra, containers and managed services

8 of 49

Define AWS Cloud security and compliance concepts

9 of 49

Finding AWS compliance information

  • For financial institutions

10 of 49

AWS compliance program

Three Categories of AWS Compliance Program

Certifications / Attestations: these are assessed by a third-party, independent auditor and result in a certification, audit report, or attestation of compliance.

Laws / Regulations: AWS customers remain responsible for complying with applicable compliance laws and regulations. In some cases, AWS offers functionality (such as security features), enablers, and legal agreements (such as the AWS Data Processing Agreement and Business Associate Addendum) to support customer compliance.

Alignments / Frameworks: Compliance alignments and frameworks include published security or compliance requirements for a specific purpose, such as a specific industry or function.

11 of 49

AWS compliance benefits

Third-party validation for thousands of global requirements

Inherit the latest security controls AWS uses on its own infrastructure

Streamline and automate compliance

Automate compliance reporting

The IT infrastructure that AWS provides to its customers is designed and managed in alignment with best security practices and a variety of IT security standards. 

Some AWS Security Services

AWS Inspector

Automatically inspects applications for vulnerabilities, exposures, and deviations from best practices.

Amazon GuardDuty

Protect your AWS accounts and workloads with intelligent threat detection and continuous monitoring.

Amazon Artifact

No-cost, self-service portal for on-demand access to AWS’ compliance reports, used to evaluate compliance with regulatory requirements.

AWS Security Hub

Improves security posture with automated security best-practice checks based on AWS Config rules and automated integrations.

AWS Config

Fully managed service that provides a resource inventory, configuration history, and configuration change notifications to enable security and governance.

AWS CloudTrail

A service that provides tracking of all users’ actions that are conducted in your AWS Account.

12 of 49

AWS encryption at rest

  • Server-side encryption: AWS encrypts data on the server, at rest or as it passes through a server.
  • Application-level (client-side) encryption: the client encrypts data before it is sent to the server (e.g., to a storage service).

Encryption keys are managed by AWS KMS, which integrates with CloudTrail for logging and auditing of key usage.

  1. The administrator encrypts a secret password by using KMS. The encrypted password is stored in a file.
  2. The administrator puts the file containing the encrypted password in an S3 bucket.
  3. At instance boot time, the instance copies the encrypted file to an internal disk.
  4. The EC2 instance then decrypts the file using KMS and retrieves the plaintext password.
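The four-step flow above, written out as an added example (this is not code from the bootcamp slides or from AWS). The KMS and S3 clients are passed in as parameters, so the same functions run against real AWS with boto3 and credentials configured, or against stand-ins for an offline check. The key alias, bucket name, object key, and encryption context are assumptions; replace them with your own.

```python
"""KMS + S3 secret distribution: the administrator encrypts a secret with
KMS and parks the ciphertext in S3; at boot the instance fetches the blob
and asks KMS to decrypt it under its instance role."""
from typing import Any

# Assumed names: replace with your own key alias, bucket and object key.
KMS_KEY_ALIAS = "alias/app-secrets"
BUCKET = "example-config-bucket"
OBJECT_KEY = "db/password.enc"

# Encryption context is additional authenticated data: KMS refuses to
# decrypt unless the same context is supplied, and CloudTrail records it
# with every Encrypt/Decrypt call, which makes misuse easy to spot.
ENCRYPTION_CONTEXT = {"app": "inventory", "purpose": "db-password"}


def encrypt_secret(kms: Any, plaintext: str) -> bytes:
    """Step 1: the administrator encrypts the secret with KMS."""
    resp = kms.encrypt(
        KeyId=KMS_KEY_ALIAS,
        Plaintext=plaintext.encode("utf-8"),
        EncryptionContext=ENCRYPTION_CONTEXT,
    )
    return resp["CiphertextBlob"]


def store_encrypted(s3: Any, ciphertext: bytes) -> str:
    """Step 2: the encrypted blob is written to an S3 object."""
    s3.put_object(Bucket=BUCKET, Key=OBJECT_KEY, Body=ciphertext)
    return f"s3://{BUCKET}/{OBJECT_KEY}"


def fetch_encrypted(s3: Any) -> bytes:
    """Step 3: at boot the instance copies the object down (kept in memory
    here rather than on disk)."""
    resp = s3.get_object(Bucket=BUCKET, Key=OBJECT_KEY)
    return resp["Body"].read()


def decrypt_secret(kms: Any, ciphertext: bytes) -> str:
    """Step 4: the instance role calls kms:Decrypt. The instance never
    handles the key material itself; KMS only returns the plaintext."""
    resp = kms.decrypt(
        CiphertextBlob=ciphertext,
        EncryptionContext=ENCRYPTION_CONTEXT,
    )
    return resp["Plaintext"].decode("utf-8")


def round_trip(kms: Any, s3: Any, plaintext: str) -> str:
    """All four steps in order; returns the recovered plaintext."""
    blob = encrypt_secret(kms, plaintext)
    store_encrypted(s3, blob)
    return decrypt_secret(kms, fetch_encrypted(s3))


if __name__ == "__main__":
    # Real clients: needs boto3, credentials, and the assumed key/bucket.
    import boto3
    print(round_trip(boto3.client("kms"), boto3.client("s3"), "constructed-secret"))
```

The split into an administrator side (steps 1 and 2) and an instance side (steps 3 and 4) matters for least privilege: the administrator's policy needs kms:Encrypt and s3:PutObject, while the instance role needs only kms:Decrypt and s3:GetObject on that one key and object.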

All data written to the encrypted file system is encrypted by using an AES-256 encryption algorithm when stored on disk.

13 of 49

AWS encryption in transit

  • All traffic within a VPC and between peered VPCs across regions is transparently encrypted at the network layer when using supported Amazon EC2 instance types.
  • All network traffic between AWS data centers is transparently encrypted at the physical layer.
  • The application layer uses encryption with Transport Layer Security (TLS).
  • All AWS service endpoints support TLS to create a secure HTTPS connection to make API requests.

[Diagram: AWS data centers and VPCs with encryption at the physical layer; web apps with TLS at the application layer]

14 of 49

Viewing HSM audit log in CloudWatch

  • Amazon CloudWatch Logs organizes the audit logs into log groups and, within a log group, into log streams. Each log entry is an event.

  • AWS CloudHSM creates one log group for each cluster and one log stream for each HSM in the cluster. 

15 of 49

Security and compliance services

Amazon CloudWatch monitors resources and the applications in real time. CloudWatch collects and tracks metrics, which can be used to measure resources and applications.

CloudWatch uses alarms that watch metrics and send notifications or automatically make changes to the resources you are monitoring when a threshold is breached. It gives system-wide visibility into resource utilization, application performance, and operational health.

AWS Config provides a detailed view of the configuration of AWS resources in your AWS account. This includes how the resources are related to one another and how they were configured in the past so that you can see how the configurations and relationships change over time.

An AWS resource is an entity you can work with in AWS, such as an Amazon Elastic Compute Cloud (EC2) instance.

AWS CloudTrail is an AWS service that helps you enable operational and risk auditing, governance, and compliance of your AWS account.

Actions taken by a user, role, or an AWS service are recorded as events in CloudTrail.

Events include actions taken in the AWS Management Console, AWS Command Line Interface, and AWS SDKs and APIs.
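As an added example (not part of the slides), the detection logic a practitioner would run over CloudTrail records to catch the two things the deck keeps returning to: root-user activity and console sign-ins without MFA. The four records are constructed to mirror CloudTrail's JSON layout, trimmed to the fields the checks use; the account id, user names and IP addresses are placeholders.

```python
"""Scan CloudTrail records for root-user activity and for console logins
that did not use MFA. Input is the JSON document CloudTrail delivers to S3
(a top-level "Records" array)."""
import json
from typing import Dict, List

# Constructed sample records (not real log data).
SAMPLE_TRAIL = json.dumps({"Records": [
    {"eventTime": "2024-05-01T08:00:00Z", "eventSource": "signin.amazonaws.com",
     "eventName": "ConsoleLogin",
     "userIdentity": {"type": "Root", "accountId": "111111111111"},
     "sourceIPAddress": "198.51.100.7",
     "additionalEventData": {"MFAUsed": "No"},
     "responseElements": {"ConsoleLogin": "Success"}},
    {"eventTime": "2024-05-01T08:05:00Z", "eventSource": "iam.amazonaws.com",
     "eventName": "CreateAccessKey",
     "userIdentity": {"type": "Root", "accountId": "111111111111"},
     "sourceIPAddress": "198.51.100.7"},
    {"eventTime": "2024-05-01T09:00:00Z", "eventSource": "signin.amazonaws.com",
     "eventName": "ConsoleLogin",
     "userIdentity": {"type": "IAMUser", "userName": "alice"},
     "sourceIPAddress": "203.0.113.9",
     "additionalEventData": {"MFAUsed": "Yes"},
     "responseElements": {"ConsoleLogin": "Success"}},
    {"eventTime": "2024-05-01T09:10:00Z", "eventSource": "s3.amazonaws.com",
     "eventName": "GetObject",
     "userIdentity": {"type": "AssumedRole",
                      "arn": "arn:aws:sts::111111111111:assumed-role/app-role/i-0abc"},
     "sourceIPAddress": "10.0.1.5"},
]})


def _who(ident: Dict) -> str:
    """Human-readable identity: user name, role ARN, or the identity type."""
    return ident.get("userName") or ident.get("arn") or ident.get("type", "unknown")


def find_findings(trail_json: str) -> List[Dict[str, str]]:
    """Return one finding per record that violates a best practice."""
    findings = []
    for rec in json.loads(trail_json)["Records"]:
        ident = rec.get("userIdentity", {})
        is_root = ident.get("type") == "Root"
        name = rec.get("eventName", "")
        rule = None
        if name == "ConsoleLogin":
            # MFAUsed is "Yes"/"No" for console sign-in events.
            mfa = rec.get("additionalEventData", {}).get("MFAUsed")
            if mfa != "Yes":
                rule = "root-console-login-without-mfa" if is_root else "console-login-without-mfa"
        elif is_root:
            # Any non-login API call by root is worth a ticket: root should
            # only be used for the handful of tasks that require it.
            rule = "root-api-activity"
        if rule:
            findings.append({
                "rule": rule,
                "time": rec.get("eventTime", ""),
                "event": name,
                "identity": _who(ident),
                "ip": rec.get("sourceIPAddress", ""),
            })
    return findings


def summarize(findings: List[Dict[str, str]]) -> Dict[str, int]:
    """Count findings per rule, for a quick dashboard or alert threshold."""
    counts: Dict[str, int] = {}
    for f in findings:
        counts[f["rule"]] = counts.get(f["rule"], 0) + 1
    return counts


if __name__ == "__main__":
    for f in find_findings(SAMPLE_TRAIL):
        print(f)
    print(summarize(find_findings(SAMPLE_TRAIL)))
```

In production the same function would be fed from the CloudTrail log files in S3 or from a CloudWatch Logs subscription, and the findings forwarded to an alerting channel; the rules themselves do not change.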

16 of 49

Least privilege access principle

  • Provide users a minimum set of rights and access required to do their job.
  • IAM policies are used to apply this principle.
  • IAM Access Analyzer helps implement least-privilege permissions by generating IAM policies based on recorded access activity. It also identifies which IAM roles have been shared with external entities.

17 of 49

Break (15 minutes)

18 of 49

Identify AWS access management capabilities

19 of 49

IAM access management

With AWS Identity and Access Management (IAM), you can specify who or what can access services and resources in AWS, centrally manage permissions, and analyze access to refine permissions across AWS. It includes identities (users, groups, and roles) and their credentials. AWS IAM Identity Center is the successor to AWS Single Sign-On. IAM is a global service: it applies to the entire account across all regions.

20 of 49

IAM access management – users and groups

  • Root user – every AWS account has a root-level user with full access to everything in the account.
    • Only use root credentials for the initial setup of the account and the creation of an IAM admin account (security best practice).

  • Federation is supported, giving single sign-on access across different enterprises.

21 of 49

IAM access management – policies (authorization)

  • Once authenticated, an identity must still be authorized to access resources

  • Permissions are created using policies

  • Policies grant explicit permissions and define the effect, the actions, the resources, and which identities can invoke them.

  • If permissions are not explicitly granted, access is denied by default.
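The two rules on this slide (no explicit grant means deny; an explicit Deny always wins) are easy to model, so here is an added example, not the slides' own material, of a simplified IAM policy evaluator. It handles only identity-based Allow/Deny statements with Action and Resource wildcards; real IAM also evaluates conditions, NotAction/NotResource, resource-based policies, service control policies and permission boundaries, which are omitted here. The policy document and ARNs are constructed placeholders.

```python
"""Simplified IAM evaluation: implicit deny by default, an explicit Allow
grants, and any matching explicit Deny overrides every Allow."""
import fnmatch
from typing import Dict, List, Union

# Constructed least-privilege policy for an application that reads one
# bucket and decrypts with one key (placeholder account id and key id).
APP_POLICY: Dict = {
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow", "Action": ["s3:GetObject"],
         "Resource": "arn:aws:s3:::example-config-bucket/*"},
        {"Effect": "Allow", "Action": "kms:Decrypt",
         "Resource": "arn:aws:kms:us-east-1:111111111111:key/EXAMPLE-KEY-ID"},
        # Carve the admin prefix out again; Deny beats the broader Allow.
        {"Effect": "Deny", "Action": "s3:*",
         "Resource": "arn:aws:s3:::example-config-bucket/admin/*"},
    ],
}


def _as_list(value: Union[str, List[str]]) -> List[str]:
    """IAM lets Action/Resource be a string or a list; normalise to a list."""
    return value if isinstance(value, list) else [value]


def _action_matches(pattern: str, action: str) -> bool:
    # Action names are case-insensitive and support * and ? wildcards.
    return fnmatch.fnmatchcase(action.lower(), pattern.lower())


def _resource_matches(pattern: str, resource: str) -> bool:
    # ARNs are matched case-sensitively with the same wildcards.
    return fnmatch.fnmatchcase(resource, pattern)


def evaluate(policies: List[Dict], action: str, resource: str) -> str:
    """Return "Allow", "ExplicitDeny" or "ImplicitDeny" for one request."""
    decision = "ImplicitDeny"  # the slide's default: nothing granted, nothing allowed
    for policy in policies:
        for stmt in policy.get("Statement", []):
            actions = _as_list(stmt.get("Action", []))
            resources = _as_list(stmt.get("Resource", []))
            if not any(_action_matches(a, action) for a in actions):
                continue
            if not any(_resource_matches(r, resource) for r in resources):
                continue
            if stmt["Effect"] == "Deny":
                return "ExplicitDeny"  # short-circuit: Deny cannot be undone
            decision = "Allow"
    return decision


def is_allowed(policies: List[Dict], action: str, resource: str) -> bool:
    return evaluate(policies, action, resource) == "Allow"


if __name__ == "__main__":
    obj = "arn:aws:s3:::example-config-bucket/db/password.enc"
    print(evaluate([APP_POLICY], "s3:GetObject", obj))   # Allow
    print(evaluate([APP_POLICY], "s3:PutObject", obj))   # ImplicitDeny
    print(evaluate([APP_POLICY], "s3:GetObject",
                   "arn:aws:s3:::example-config-bucket/admin/root.enc"))  # ExplicitDeny
```

Using the evaluator on a proposed policy before attaching it is a cheap way to confirm that a role really is limited to the actions and resources the application needs, which is the least-privilege check the deck asks for.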

22 of 49

IAM access management – roles

Roles are like users: IAM policies are assigned to roles, and a role is an identity with permissions. Roles have no long-term credentials or access keys. When a user assumes a role, temporary access keys are created dynamically. Roles are used to delegate access to users, applications or services that don’t normally have access to the resources.

23 of 49

IAM - managing access keys

  • Access keys are long-term credentials for an IAM user or the AWS account root user. Max of 2 keys per IAM user.

  • Access keys consist of two parts: an access key ID and a secret access key
    • Both are needed to authenticate a request

  • You can manage keys using the AWS console, API or CLI.

  • The secret access key is available only at the time you create it. If lost, it must be deleted and a new one created.

Rotating Keys

  • It’s a best practice to regularly rotate (change) IAM user access keys.
  • Example: when an employee leaves.
  • If permission is granted, users can rotate their own access keys.
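An added example (not from the slides) that turns the two points above into code: an audit that lists keys older than a rotation threshold, and a rotation routine that respects the two-keys-per-user limit by deactivating the old key rather than deleting it straight away, so the change can be reversed if an application still uses it. The IAM client is passed in, so the routine runs against real IAM with boto3 or against a stand-in offline. The 90-day threshold, user names and key ids are assumptions.

```python
"""Audit IAM access keys for age and rotate a user's key."""
from datetime import datetime, timedelta, timezone
from typing import Any, Dict, List

MAX_KEY_AGE_DAYS = 90  # assumed rotation policy

# Constructed sample in the shape of iam.list_access_keys()["AccessKeyMetadata"].
NOW = datetime(2024, 6, 1, tzinfo=timezone.utc)
SAMPLE_METADATA: List[Dict[str, Any]] = [
    {"UserName": "alice", "AccessKeyId": "AKIAEXAMPLE000000001",
     "Status": "Active", "CreateDate": NOW - timedelta(days=200)},
    {"UserName": "bob", "AccessKeyId": "AKIAEXAMPLE000000002",
     "Status": "Active", "CreateDate": NOW - timedelta(days=10)},
]


def stale_keys(metadata: List[Dict[str, Any]], now: datetime,
               max_age_days: int = MAX_KEY_AGE_DAYS) -> List[str]:
    """Return the AccessKeyIds created more than max_age_days ago."""
    cutoff = now - timedelta(days=max_age_days)
    return [k["AccessKeyId"] for k in metadata if k["CreateDate"] < cutoff]


def rotate_user_key(iam: Any, user_name: str) -> str:
    """Create a new key, deactivate the old active one, return the new id.

    A user may hold at most two keys, so if both slots are taken an
    already-inactive key (from the previous rotation) is deleted first.
    Two active keys means the previous rotation was never finished, and
    that is reported rather than guessed at.
    """
    keys = iam.list_access_keys(UserName=user_name)["AccessKeyMetadata"]
    if len(keys) >= 2:
        inactive = [k for k in keys if k["Status"] == "Inactive"]
        if not inactive:
            raise RuntimeError(f"{user_name} has two active keys; finish the previous rotation first")
        iam.delete_access_key(UserName=user_name, AccessKeyId=inactive[0]["AccessKeyId"])
        keys = [k for k in keys if k is not inactive[0]]
    new_key = iam.create_access_key(UserName=user_name)["AccessKey"]
    # The secret is only returned here, once: hand new_key["SecretAccessKey"]
    # to the application's secret store before deactivating the old key.
    for k in keys:
        if k["Status"] == "Active":
            iam.update_access_key(UserName=user_name,
                                  AccessKeyId=k["AccessKeyId"], Status="Inactive")
    return new_key["AccessKeyId"]


if __name__ == "__main__":
    print("stale:", stale_keys(SAMPLE_METADATA, NOW))
    # Against real IAM (needs boto3 and iam:* permissions on the user):
    # import boto3; print(rotate_user_key(boto3.client("iam"), "alice"))
```

Deactivate, verify, then delete is the safe order: an inactive key fails immediately if anything still uses it, and can be re-activated while the missing consumer is tracked down.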

24 of 49

IAM access management – MFA

MFA adds extra security because it requires users to provide a second authentication factor from an AWS-supported MFA mechanism:

  • FIDO (fast identity online) - authentication standards are based on public key cryptography, which enables strong, phishing-resistant authentication.
  • Virtual MFA devices – run on a phone or other device and emulate a physical device. They implement the time-based one-time password (TOTP) algorithm and support multiple tokens on a single device.
  • Hardware TOTP token – A hardware device that generates a six-digit numeric code based on the time-based one-time password (TOTP) algorithm. The user must type a valid code from the device on a second webpage during sign-in

SMS text message-based MFA – AWS ended support for enabling SMS multi-factor authentication (MFA).
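Both the virtual MFA device and the hardware TOTP token above compute the same thing, so as an added example (not from the slides) here is the TOTP algorithm of RFC 6238, built on HOTP from RFC 4226, together with the server-side check a relying party performs. It uses only the standard library, allows one 30-second step of clock skew either way, and refuses to accept a code from a time step that has already been used, which is the replay caveat a verifier must handle. The seed is the RFC test-vector value, not a real secret.

```python
"""TOTP as generated by a virtual MFA app or hardware token, and the
verifier side with skew window and replay rejection."""
import hashlib
import hmac
import struct
import time

TIME_STEP = 30  # seconds per code, the value AWS virtual MFA devices use
DIGITS = 6

# RFC 4226/6238 test-vector seed (ASCII "12345678901234567890"); constructed
# for the example, never use a known value as a real MFA secret.
TEST_SEED = b"12345678901234567890"


def hotp(secret: bytes, counter: int, digits: int = DIGITS) -> str:
    """HOTP (RFC 4226): HMAC-SHA1 over the 8-byte counter, dynamic truncation."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def totp(secret: bytes, at_time: int, step: int = TIME_STEP, digits: int = DIGITS) -> str:
    """TOTP (RFC 6238): HOTP with the counter derived from Unix time."""
    return hotp(secret, at_time // step, digits)


def verify_totp(secret: bytes, code: str, at_time: int,
                last_used_counter: int = -1, window: int = 1) -> int:
    """Check a submitted code.

    Returns the time-step counter that matched, or -1 on failure. Codes are
    accepted for the current step and `window` steps either side (clock
    skew), but never for a step at or before `last_used_counter`, so a
    captured code cannot be replayed within its validity window. The
    caller stores the returned counter as the new last_used_counter.
    """
    current = at_time // TIME_STEP
    for delta in range(-window, window + 1):
        candidate = current + delta
        if candidate <= last_used_counter:
            continue
        if hmac.compare_digest(hotp(secret, candidate), code):
            return candidate
    return -1


if __name__ == "__main__":
    now = int(time.time())
    print("current code:", totp(TEST_SEED, now))
    print("RFC vector T=59:", totp(TEST_SEED, 59))  # 287082
```

On the AWS side the same check happens on the sign-in page: the user types the six digits the device shows, and the service recomputes them from the secret it stored when the device was registered.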

25 of 49

IAM access management – root user tasks (required)

  • Change your account settings. This includes the account name, email address, root user password, and root user access keys.
  • Restore IAM user permissions. 
  • Activate IAM access to the Billing and Cost Management console.
  • View certain tax invoices.
  • Close your AWS account.
  • Change support plans.
  • Register as a seller in the Reserved Instance Marketplace.
  • Configure an Amazon S3 bucket to enable MFA (multi-factor authentication).
  • Edit or delete an Amazon Simple Storage Service (Amazon S3) bucket policy.

26 of 49

Security best practices

  • Safeguard your passwords and access keys.
  • Activate multi-factor authentication (MFA) on the AWS account root user. 
  • Limit AWS account root user access to your resources.
  • Audit IAM users and their policies frequently.
  • Use AWS Git projects to scan for evidence of unauthorized use.
  • Monitor your account and its resources.

  • Note: If you're using AWS Identity Center or IAM federated users, the best practices for IAM users also apply to federated users.

27 of 49

Identify components and resources for security

28 of 49

Native AWS security capabilities – security group

  • Virtual firewall that determines what network traffic can pass into and out of an instance.
  • They don’t contain inbound rules by default.
  • Every virtual private cloud (VPC) contains a default security group.
  • Inbound rules of security groups control what traffic can flow to the instance.

29 of 49

Native AWS security capabilities – NACL (network access control lists)

A network access control list (NACL) is a firewall that operates at the subnet level. It consists of inbound and outbound rules that, by default, allow all traffic.

  • Subnet: Provides logical separation and isolation of resources within the same VPC.
  • VPC Peering: Allows resources in different VPCs to communicate with each other over the private AWS network.
  • Virtual private network (VPN): Allows you to connect a VPC to an external network via a secure connection that traverses the public Internet.

30 of 49

Native AWS security capabilities – WAF (web application firewall)

  • AWS WAF is a web application firewall that lets you monitor web requests that are forwarded to Amazon CloudFront distributions or an Application Load Balancer.
  • You can also use AWS WAF to block or allow requests based on conditions that you specify, such as the IP addresses that requests originate from or values in the requests.

31 of 49

Native AWS security capabilities – AWS Shield

  • AWS Shield Standard provides protection against Distributed Denial of Service (DDoS) attacks for AWS resources at the network and transport layers (layer 3 and 4) and the application layer (layer 7).

  • Both WAF and Shield provide protection at the edge for DDoS attacks:
    • WAF provides protection on the application layer
    • AWS Shield protects the infrastructure layers of the OSI model.

32 of 49

Native AWS security capabilities – finding security documentation and information

  • AWS Knowledge Center – all services and resources available in AWS.
  • Security Center – security whitepapers.
  • Security Forum – brings the cloud security community together.
  • Security Blog - security related information and articles.
  • Security Hub – analyzes security trends using data collected from AWS accounts and third-party partners.

33 of 49

Native AWS security capabilities – trusted advisor

Continuously monitors the environment and assists customers in following best practices in each category.

34 of 49

Native AWS security capabilities – trusted advisor

  • Cost optimization – inspects the AWS environment and recommends cost-saving strategies.
  • Performance – improves the performance of your service by checking your service quotas/limits (e.g., overprovisioned resources).
  • Security – checks the AWS account against security best practices and recommends changes.
  • Fault tolerance – checks that the environment is highly available and has no single point of failure (SPOF).
  • Service limits – ensures your resources are not at capacity and recommends solutions.

35 of 49

Module 2 – Game Summary

  • 1 point for each correct answer
  • 2 points for each correct stolen answer

36 of 49

Sample Question 1

Which controls are shared between customers and AWS based on shared responsibility model? (Select two)

  1. Awareness and training
  2. Communication protection
  3. Configuration management
  4. Patching your managed services resources
  5. Physical and environmental controls

37 of 49

Sample Question 2

When using RDS, which is a managed/container service, which tasks are the customer’s responsibility? (Choose two)

  1. Building the relational database schema
  2. Install the database software on the infrastructure
  3. Backup and snapshots
  4. Updating database by patching
  5. Manage the database settings

38 of 49

Sample Question 3

Which task is the customer’s responsibility when managing Lambda functions?

  1. Maintaining server and OS
  2. Creating versions of Lambda functions
  3. Updating the Lambda runtime environment
  4. Scaling the Lambda resources based on demand.

39 of 49

Sample Question 4

Which AWS service protects against DDoS attacks at the application layer?

  1. AWS Shield
  2. AWS WAF
  3. AWS Guard
  4. AWS Inspector

40 of 49

Sample Question 5

An organization needs an automated security assessment to identify unintended network access to EC2 instances. Which AWS service should they use?

  1. AWS Trusted Advisor
  2. Security Groups
  3. AWS Inspector
  4. AWS CloudTrail

41 of 49

Sample Question 6

A web application is hosted on AWS using ELB, multiple EC2 instances, and AWS RDS. Which security measures fall under the responsibility of AWS? (Choose two)

  1. Virus scanning on the instances
  2. Encrypting the communication between the instances and ELB
  3. Protecting against IP spoofing and packet sniffing
  4. Installing the latest security patches on the RDS instance
  5. Configuring the NACL and security groups

42 of 49

Sample Question 7

Who can create and manage access keys for the root user?

  1. AWS account owner
  2. IAM user with admin permissions
  3. IAM user with required role
  4. IAM policy-based rule user

43 of 49

Sample Question 8

A company stores configuration files in an AWS S3 bucket. The files must be accessed by applications that are running on EC2 instances. Based on security best practices, how should permissions be granted to allow the applications access to the S3 bucket?

  1. Activate MFA on the S3 bucket
  2. Use the AWS access ID and secret access key
  3. Use the root user access keys
  4. Use an IAM role with the necessary permissions

44 of 49

Sample Question 9

Which tasks require the use of the AWS account root user? (Choose Two)

  1. Modifying EC2 instance type
  2. Changing the AWS support plan
  3. Running applications in containers
  4. Closing an AWS account
  5. Removing administrative permissions

45 of 49

Sample Question 10

Which AWS service/feature identifies whether an S3 bucket or an IAM role has been shared with an external entity?

  1. Security Hub
  2. IAM Access Analyzer
  3. IAM role manager
  4. IAM policy protector

46 of 49

Sample Question 11

Which feature/service provides documentation and reports to help a company evaluate whether AWS is compliant with local regulatory standards?

  1. AWS GuardDuty
  2. AWS Artifact
  3. AWS Compliance Center
  4. AWS Config

47 of 49

Sample Question 12

A company needs to continuously monitor their AWS account for suspicious activity. The service/feature must be able to initiate automated actions on the security findings. Which service/feature meets this requirement?

  1. AWS GuardDuty
  2. AWS Trusted Advisor
  3. AWS Detective
  4. AWS Security Program

48 of 49

Sample Question 13

Which service tracks all user changes made in the AWS Management Console?

  1. Least privilege
  2. IAM log files
  3. AWS Detective
  4. CloudTrail

49 of 49

Sample Question 14

How does AWS Trusted Advisor provide guidance to administrators?

  1. Cost optimization recommendations based on current usage
  2. Automatically fixes security issues caused by permissions on resources
  3. Automatically open support cases for security issues found
  4. Sends security best practices based on security triggers and/or breaches