avatar

AWS Certified SysOps – Associate Notes

AWS Certified SysOps – Associate Notes

Mục lục

1. Security on AWS

Shared Responsibility Model

Customer
Responsible for security IN the cloud
AWS
Responsible for security OF the cloud
Customer dataRegions, availability zones & edge locations
Platform, application & IAMPhysical level and below
OS patching on EC2Fire, power, climate management
AntivirusStorage device decommissioning according to industry standards
Network and firewall configurationPersonnel security
Multi-factor authenticationNetwork device security & ACLs
Password and key rotationAPI access points use SSL for secured communication
Security groupsDDos protection
Resource-based policyEC2 instances and spoofing protection
Access control listPort scanning even if it's your environment
VPCEC2 instances hypervisor isolation
OS level patchesInstances on the sane physical devices are separated at the hypervisor level
they are independent of each other
Data in transit & data at restUnderlying OS patching for Lambda, RDS, Dynamo DB, and other managed services
customers focus on security

IAM: users and Groups

Root user

  • The user created when the AWS account is created
  • The credentials are the email & password used when signing up for the AWS account
  • By default, the root user has full administrative rights & access to every part of the account

Best practices for the root user

  • We should not use the root user for daily work & administration
    • another account that has admin rights should be used
  • The root user account should not access keys. Delete them if they exist
  • The root user should use MFA

IAM User

  • A new user has an implicit deny for all AWS services and requires a policy be added to grant them access
  • Users receive unique credentials (username, password & access keys)
  • Users can have IAM policies applied directly to them, or they can be a member of a group that has policies attached
  • With policies, an explicit deny always overrides an explicit allow from attached policies
    • for instance, AWS will ignore all policies attached to a user if a single deny-all policy is added

Best practices for users

  • Never store or "pass" your credentials to EC2 instances - use SSH forwarding
  • MFA can and should be used for users' accounts
  • Access credentials are unique and should never be shared

IAM Groups

  • Allow for policy assignments to multiple users at the same time
  • We may assign permission to a group
  • More organized and efficient way's to manage users and policies
  • Cannot be nested
  • Users may be the members of multiple groups

Rest practices for groups

  • Organize users by functions
  • Assign IAM policies to groups, not individual users

IAM policies

  • A document that states one or more permissions (JSON formatted)
  • An explicit deny always overrides an explicit allow.
  • This allows for the users of a deny-all policy to quickly restricts all access a user may have

Managed policies

  • AWS provides pre-built policy templates to assign to users & groups
  • Examples include:
    • Administrator access: Full access to all AWS resources
    • Power-user access: Admin access, except it does not allow user/group management
    • Read-only access: Only view AWS resources (e.g., user can only view what is in S3 buckets)

Custom policies

  • You can create custom IAM policies using the policy generator or write them from scratch
  • More than one policy can be attached to a user/group at the same time
  • Policies can not be directly attached to AWS resources (such as an EC2 instance)

IAM Roles

  • Temporary security credentials in AWS managed by Security Token Service (STS)
  • Another entity can assume the specific permissions defined by the Roles
  • These entities include:
    • AWS resources (e.g., EC2 instance)
    • A user outside of AWS needs temporary access

Roles with AWS services

  • We must use role because policies cannot be attached directly to AWS resources
  • Services can only have one role attached at a time
  • You should never pass or store credentials to an EC2 instance - instead, use role
  • You may change the role of running EC2 instances through the console or URI

Other uses of Roles

  • Cross-account access (delegation)
    • Provide access to another AWS account from another account
  • Identity Federation
    • Users ordside AWS can assume a role for temporary access to aws account and resources
  • These users assume an identify provider access role
  • Example identity providers:
    • Active Directory
    • Single sign on providers: like Facebook, Google, Amazon

IAM: Multi -Factor Authentication (MFA)

What is Multi -Factor Authentication?

  • A security method that requires multiple seperate authentications
  • One authentication option we nave with AWS uses time-based codes.
  • Familiar examples of MFA: ATM to withdraw morey, both physical card & a PIN

AWS Scenario

  • Enable MFA in order to access AWS console:
    • Users type in their username and password as well as a time-based code
    • The username and password are not enough to be authenticated
    • The time-based code can be on the user's computer, smartphone or a device they carry around
  • This should be turn on for users who have access to the console
  • MFA Delete for S3 obrects can be used to mitigate acidental deletions

Amazon 53: Bucket Policies

  • JSON statement used to allow or deny permission across obfects in a single bucket

Elements of a Pucket Policies

Effect

  • Define whether to allow or deny the action

Action

  • Actions we want to allow or deny
  • Important An explicit deny always override an explicit allow

Resource

  • Used to identity resources (like a bucket & object) with ARNs

Principal

  • An account or users that this policy applies to
  • Specific to S3 bucket policies, not user policies

Sid (Optional)

  • Statement identifier that provides a way to indude information about an individual statement

Condition (Optional)

  • Specify condition for when the policy is in effect

S3 Data Integrity

Versioning

  • Enable to store new versions for every modification or deletion
    • Help with accidental deletion by creating Dersions for deleted obrects

Replication

  • Object are replicated across AZ automatically
  • Standard and Infrequent Acces options at differents price options

Multi-Factor Authentication Delete (MFA Delete)

  • MFA to prevent accidental deletion of objects
    • Requires Versioning enable on a bucket
  • We can enforce the use of MFA in order to permanently delete an object
  • Only root account (the bucket owner) can access this feature

Amazon VPC: Security Group and NACLS

VPC (Virtual Private Clond)

  • Isolate workloads into separented VPCs (based on applications , department, test, dev, etc)

Security Groups

  • Group instances with similar functions
  • Stateful = every allowed TCP or UDP ports will be allowed in both directions.

NACLS (Network Access Control list)

  • Stateless = inbound and outbound rules are separate, no dependencies
  • Granular control over IP protocols (allow and deny rules for inbound and outbound evaluated in order)
  • Work with security groups (NACLs applies for the whole subnet, security groups app to members)
  • Ephemeral ports: Client requests depending on OS(port 1024-65535)

Host-based Fire walls: Os-level frewalls as needed

Os-level frewalls as needed

AWS STS: Federation

Secure Token Service (STS)

An extensions of IAM that allows for management of temporary security credentials for IAM users or federated users

  • It allows for granular control of how long the access remains active
    • Fifteen minutes to one hour (default = 1 hour)
  • Credentials are not stored with the user or service granted temporary access -A token is attached to the access request of API call
  • Beneficial in a mumber of ways
    • Low risk of credentials being exposed (not distributed)
    • Do not have to create IAM identities for every user
    • Because they are temporary in nature, there is no need to rotate keys
  • STS uses a single endpoint
    • This single endpoint resides in us-east-1
    • Latency can be reduced by using STS API calls to regions that support them
    • Temporary credentials have global scope, just like IAM

Identity Federation

  • Federation: Providing a non-AWS user temporary AWS access by linking that user's indentity accross multiple identity systems
  • Federation with Third-Party Providers:
    • Most commonly used in web and mohile applications
    • Amazon Cognito allows for creation of unique identities for users
    • Uses identity providers to federate them: Facebook, Google, Amazon, etc
  • Establishing Single-Sign-On (SSO) using SAML2.0
    • Most commonly used in enterprise environment with an existing directory system
      • Active Drectory,...
    • Federated users can access AWS resources using their corporate domain account
    • Federation also aids user management by allowing central management of accouts

Amazon Inspector

Inspector can

  • Analyze the behavior of your AWS account
  • Test network accessibility and security state
  • Assesses for secunty vulnerabitaties and deviations from best pratices
  • Target: A collection of Ecz instances
  • Assessment template: Composed of security rules and produce a list of findings
  • Assessment run: Applying the assegment tiplate to a tanget
  • Findings: Security report, organized by severity level
  • Features:
    • Configuration scanning and activity monitoring engine:
      • Determines what a target look like, its behavior, and any dependencies it may have
      • Identifies security and compliances issues

TO BE UPDATED