AWS Solution ArchitectSecurity and IAMA Day in the Life of a Cloud ArchitectMr.

William works for an IT company as a cloud architect. The company has several
cloud-based applications. Recently, the company has been facing security and data
privacy issues. The company is facing a huge loss due to this.Now, the company
wants Mr. William to certify that these types of failures should not occur in the
future. In this lesson, he will get a brief idea about how to protect AWS accounts
with threat detection, management of security, and data privacy.Learning
ObjectivesBy the end of this lesson, you will be able to:Illustrate and configure
models in AWSDefine Identity and Access Management in AWSProtect the AWS accounts
with intelligent threat detection using Amazon GuardDutyManage data security and
data privacy using AWS MacieResponsibility Models in AWSIntroduction to Shared
Responsibility ModelAWS and the customer share responsibility for security and
compliance.The host operating system, virtualization layer, and the physical
security of the buildings are all managed.This shared approach can reduce the
operational load placed on the consumer.Introduction to Shared Responsibility
ModelAWS shared responsibility
model:https://docs.aws.amazon.com/whitepapers/latest/aws-risk-and-compliance/
images/image2.pngCompliance
Program•CustomerscanlearnmoreaboutthestrictmeasuresthatAWShasinplacetomaintainsecur
ity.•AWSComplianceEnablersexpandonconventionalprogramsbyconnectinggovernance-
focused,audit-friendlyservicefeatureswithrelevantcompliance.AWS and clients share
compliance responsibilities when systems are built in the AWS Cloud.Compliance
ReportsOn-demand access to AWSCompliance reportsGlobally availableEasy
identificationQuick assessmentsContinuous monitoringEnhanced transparencyFollowing
are the AWS artifact:DelegationA registered member account can be used for
administrative AWS SSO activities.The management account in AWS Organizations
automatically creates an SSO instance.Roles can be created, deleted, and updated
across all of the organization's member accounts using AWS SSO.Benefits of
DelegationMinimizes the number of individuals who need access to the management
account to assist reduce security risks.Enables a restricted number of
administrators to allocate users and groups to applications and user accounts for
organization members.FederationIdentity federation is a trust-based system that
links two parties together to authenticate users and transmit the data necessary to
grant them access to resources.Enabling Federated AWS Access•Using federation,
users can access their AWS accounts using single sign-on (SSO).•Utilizing AWS IAM
to control, federated, fine-grained access to AWS accounts.•Enabling federated
access to user-facing mobile and online applications.Security Is Job Zero-AWS
Security ProcessPhysical security•Perimeter Layer security is the first layer of
physical protection for AWS data centers.•Depending on the area, this layer can
contain security guards, fencing, security feeds, and intrusion detection
systems.Security Is Job Zero-AWS Security ProcessNetwork securityAWS's Network and
Application Protection services give the userthe power to apply fine-grained
security controls to each network control point in theircompany.Security Is Job
Zero-AWS Security ProcessPlatform security•Compliance: Users will inherit the most
effective compliance controls with AWS.•Encryption: AWS provides APIs that enable
users to integrate encryption and data security into any service they design or
deploy in an AWS environment.Security Is Job Zero-AWS Security ProcessPeople &
Procedures•Identity and Access Management (IAM) •SSO•MFA•Trusted identities/
federated identitiesAWS IAMSecurity CredentialsAWS offers a variety of options for
granting users secure access to their AWS resources:Email address and password:They
are used to sign in to the AWS Console.IAM username and password:They enable
accessto an AWS account for various users and programs.Access keys:Access keys can
be used to grant access to programmatic requests.AWS Multi Factor
AuthenticationMulti Factor Authentication or MFA adds an extra layer of security to
the signing in process. It requires users to authenticate from an AWS supported MFA
mechanism in addition to their sign in credentials when they access AWS
services.Multi Factor AuthenticationThe following are the AWS supported MFA
mechanisms:AWS Multi Factor AuthenticationVirtual MFA DevicesThis is a type of MFA
where an application running on a phone or other device generates a six-digit
numeric code. U2F Security KeyWhen a device is inserted into a USB port on the
user's computer, the U2F security key is enabled as a form of MFA.SMS Text Message-
Based MFAThis form of MFA includes the user's SMS-compatible mobile phone number in
the IAM user settings.Multi Factor Authentication User ID + PasswordMFA Devices
CodeAWS IAM supports Multi Factor Authentication (MFA) for users and resources to
ensure absolute security by using MFA devices.What Is IAM Policy?An IAM policy is a
document that defines one or more permissions. IAM policies can be attached to
users, groups, roles, and AWS resources. They are written in JSON format.More about
IAM policies:IAM Policies can be preselected from the AWS list of predefined
policies.Root users can edit the predefined policies to make
customizations.0102Root users can create and define a custom IAM policy from
scratch.03AWS IAM PoliciesWhat Is IAM Policy?AWS has many predefined policies that
allow users to define granular access to AWS resources. There are around 200
predefined policies available forusersto choose from.AdministratorAccessPolicyAdmin
UserAdministratorAccesspolicy provides full access to AWS services and
resources.AmazonEC2FullAccess PolicyUsersElastic Load Balancer Amazon EC2Amazon
CloudWatchAuto ScalingAmazonEC2FullAccess policy provides users or groups full
access to the Amazon EC2 services and resources.AmazonS3ReadOnlyAccess
PolicyUsersAmazonS3ReadOnlyAccess policy provides read-only access to all the
buckets using AWS Management Console.Types of IAM PoliciesThere are two types of
IAM policies:Identity-based policiesIdentity-based policies can be attached
directly to identities such as users, groups, and roles.Resource-based
policiesResource-based policies are attached to AWS resources such as Amazon S3,
Amazon EC2, and more."Version":"2012-10-17","Statement":
[{"Sid":"statement1","Effect":"Allow","Action":"s3:ListAllMyBuckets","Resource":
"arn:aws:s3:::*"}]Syntax of Writing AWS IAM PoliciesOne or more individual
statements:Effect: Allows permissionAction: Lists all the S3 bucketsResource: Name
of the S3 bucketPolicy-wide information:Version: Date when the policy was
createdAWS policies are written using JavaScript Object Notation (JSON).Example of
an Identity-Based PolicyAllowing a user to access Amazon EC2 from us-east-1:
{"Version": "2012-10-17","Statement": [{"Sid": "AllowEC2AccessUSEast1","Effect":
"Allow","Action":
["ec2:DescribeInstances","ec2:StartInstances","ec2:StopInstances","ec2:RebootInstan
ces","ec2:TerminateInstances"],}"Resource": "*","Condition": {"StringEquals":
{"ec2:Region": "us-east-1"}}}]}Allowing EC2 to access Amazon S3 from its public-
IP:Example of a Resource-based Policy{"Version":"2012-10-17","Statement":
[{"Effect":"Allow","Principal": "*","Action": "s3:*","Resource":
["arn:aws:s3:::YOUR_BUCKET_NAME","arn:aws:s3:::YOUR_BUCKET_NAME/*"],Allowing EC2 to
access Amazon S3 from its public-IP:Example of a Resource-based Policy"Condition":
{"IpAddress": {"aws:SourceIp": "YOUR_EC2_INSTANCE_PUBLIC_IP/32"}}}]}Allowing EC2 to
access Amazon S3 from its public-IP:Example of a Resource-based PolicyInline Policy
A policy that is included in an IAM identity is known as an inline policy (a user,
group, or role).Inline Policy Inline PoliciesExample AWS AccountGroup AdminsGroup
LtdAdminsPolicy account-admins-mfaPolicy limited-admins-mfaUser JackUser AdamUser
JasonUser MaxRole EC2-acessPolicy EC2-accessPolicy DynamoDB-books-appPolicy
DynamoDB-books-appRole EC2-acessThe following diagram explains inline
policies:Managed PolicyAWS creates and manages AWS managed policy, which is a
standalone policy.Example:arn:aws:iam::aws:policy/IAMReadOnlyAccessManaged Policy
Full access managed policies that provide complete access to a service include
AmazonDynamoDBFullAccessand IAMFullAccess, which establish permissions for service
administrators. An example of the same is common use cases.Managed PolicyAssigning
the proper permissions to individuals, groups, and roles is simpler with managed
policies than it would be with user-written policies.Amazon Resource Naming
(ARN)•AWS resources are identified uniquelyby ARNs (Amazon Resource Names).•When a
resource needs to be specified clearly throughout all of AWS, such as in IAM
policies, Amazon Relational Database Service (Amazon RDS) tags, and API calls, the
user needs to provide an ARN.(ARN) FormatThe standard formats for ARNs are as
follows. The resource will specify the
formats.arn:partition:service:region:account-id:resource-
idarn:partition:service:region:account-id:resource-type/resource-
idarn:partition:service:region:account-id:resource-type:resource-idAWS Service
Principal•A service's identification is called a service principal.•Service roles
are IAM roles that can be used by an AWS service.•A trust policy is a requirement
for service roles.An example of a policy that can be related to a service role is
shown below."Principal": { "Service": [ "ecs.amazonaws.com",
"elasticloadbalancing.amazonaws.com" ] }AWS Service PrincipalThe following example
policy specifies permissions for the accounts 555555555555 or
123456789012:"Principal" : {"AWS": ["123456789012","555555555555"]}AWS Service
PrincipalAWS Account PrincipalsThe principal element of a resource-based policy or
condition keys that support principals are two places
where users can specify AWS account identifiers."Principal":
{ "AWS":"arn:aws:iam::123456789012:root" }"Principal": { "AWS": "123456789012" }IAM
Role PrincipalsIdentity resources in IAM are resources to which users can grant
permission. Roles rely on an additional authenticated identity to act in that
role."Principal": { "AWS": "arn:aws:iam::AWS-account-ID:role/role-name" }Role
Session PrincipalsA principal or identity that adopts a role is given temporary
security credentials with the privileges of the assumed role."Principal": { "AWS":
"arn:aws:sts::AWS-account-ID:assumed-role/role-name/role-session-name" }ExampleWeb
Identity Session PrincipalThe web identity session principal is created when the
AWS STS AssumeRoleWithWebIdentityaction is used.The user can log in using an
external web identity provider (IdP) and then utilize this action to take on an IAM
role.Due to the web identity federation feature in AWS STS, users can develop
applications where they may log in using a web-based identity provider like Login
with Amazon, Facebook, or Google.Format of Web Identity Session PrincipalUse the
format shown below as the main component of a role trust policy:"Principal":
{ "Federated": "cognito-identity.amazonaws.com" }"Principal": { "Federated":
"www.amazon.com" }"Principal": { "Federated": "graph.facebook.com" }"Principal":
{ "Federated": "accounts.google.com" }SAML Session PrincipalWhen the AWS STS
AssumeRoleWithSAMLoperation is used, a SAML session principal is
created."Principal": { "Federated":
"arn:aws:iam::AWS-account-ID:saml-provider/provider-name" }IAM User PrincipalIAM
users can be specified in condition keys that support principals or in the
principal element of a resource-based policy."Principal": { "AWS":
"arn:aws:iam::AWS-account-ID:user/user-name" }"Principal": {"AWS":
["arn:aws:iam::AWS-account-ID:user/user-name-1", "arn:aws:iam::AWS-account-
ID:user/user-name-2"]}AWS STS Federated User Session PrincipalA session principal
created by using the AWS STS GetFederationTokenprocedure is known as an AWS STS
federated user session principal.AWSIAM federated userFederated root userAWS STS
Federated User Session PrincipalUse the following format in the Principal element
to specify the federated user session ARN:"Principal": { "AWS": "arn:aws:sts::AWS-
account-ID:federated-user/user-name" }PrincipalAWS account and root user01IAM
roles02Role sessions03IAM users04The following principles are used in
AWS:PrincipalFederated user sessions05AWS services06Allprincipals07The following
principles are used in AWS:IAM JSON Policy Elements: EffectThe Effect element
indicates whether the statement results in anallow or an explicit deny.The Effect
has two possible values: Allow and Deny.“Effect":"Allow"IAM JSON Policy Elements:
ActionThe Action element specifies which specific actionswill be allowedor
denied.Every AWS service has a unique set of actions that outlines the tasks that
the usercan complete with that service.Some examples of various services' Action
elements are:Amazon SQS action"Action": "sqs:SendMessage“"Action":
"ec2:StartInstances“Amazon EC2 actionIAM JSON Policy Elements: ActionResourcesA
resource in AWS is an entity with which a user can interact.The following is the
format for resource type identifiers:service-provider::service-name::data-type-
nameResourceAmazon Simple Storage Service resource reference
AWS::S3::AccessPoint:The AWS::S3::AccessPointresource is a sort of Amazon S3
resource that allows users to access buckets.AWS::S3::AccessPointUse the following
syntax to declare this entity in the user's AWS CloudFormation templateJSON:{"Type"
: "AWS::S3::AccessPoint","Properties" : { "Bucket" : String,"Name" :
String,"Policy" : Json,"PolicyStatus" : Json,"PublicAccessBlockConfiguration" :
PublicAccessBlockConfiguration,"VpcConfiguration" : VpcConfiguration}}Use the
following syntax to declare this entity in the user's AWS CloudFormation
templateYAML:Type: AWS::S3::AccessPointProperties:Bucket: StringName: StringPolicy:
JsonPolicyStatus:
JsonPublicAccessBlockConfiguration:PublicAccessBlockConfigurationVpcConfiguration:V
pcConfigurationAWS::S3::AccessPointNot ClauseThe NOT rule statement logically
negates the outcomes of a single nested statement, the nested statements must not
match for the NOT statement to match, and vice versa.Conditional Access•Users can
provide conditions for when a policy is in effect using the condition element (or
condition block).•The condition element is optional."Condition" : { "{condition-
operator}" : { "{condition-key}" : "{condition-value}" }}The following condition
matches users with the names Anna or Ana by using the
StringEqualsIgnoreCaseoperator."Condition" : { "StringEqualsIgnoreCase" :
{ "aws:username" : "johndoe" }}Conditional AccessImplicit Deny•By default, each
request is denied. Thisis calledan implicit deny.•An implicit denial occurs when
there is no applicable deny statement and no applicable allow statement.Explicit
Allow and DenyA request is explicitly denied if the applicable policy contains a
deny statement.Explicit Allow and DenyThe AWS service decides whether to approve or
reject a request after it is sent. Implicit deny is the default setting, where all
requests are rejected. Explicit allow is a type of allowing that can overwrite this
option.The following policy, which includes allowed actions, acts that are
implicitly denied, and actions that are expressly denied, can be created.
{ "Version": "2012-10-17", "Statement": [ { "Sid": "AllowGetList", "Effect":
"Allow", "Action": [ "iam:Get*", "iam:List*" ], "Resource": "*"Explicit Allow and
DenyThe following policy, which includes allowed actions, acts that are implicitly
denied, and actions that are expressly denied, can be created.},{ "Sid":
"DenyReports", "Effect": "Deny", "Action": "iam:*Report", "Resource":
"*" } ] }Explicit Allow and DenyPermission BoundaryAn advanced feature of managed
policies is the ability to set the maximum number of permissions that an identity-
based policy can provide to an IAM object.Assume that only Amazon S3, Amazon
CloudWatch, and Amazon EC2 should be accessible to the IAM user anna. The
permissions limit for the user can be configured using the following policy to
enforce this rule:{"Version": "2012-10-17","Statement": [{"Effect":
"Allow","Action": ["s3:*",Permission BoundaryAssume that only Amazon S3, Amazon
CloudWatch, and Amazon EC2 should be accessible to the IAM user anna. The
permissions limit for the user can be configured using the following policy to
enforce this rule:"cloudwatch:*","ec2:*"],"Resource": "*"}]}Permission BoundaryIAM
RolesIAM roles can be further discussed as follows:IAM Roles function in a way
similar to that of IAM users.01They are not password protected and do not require
access keys.02These roles can be used by anyone who requires them.03IAM Roles are
permissions and policies that determine the access available to the AWS
identities.IAM RolesVarious Functions of IAM Roles3. App retrieves role
credentialsfrom the instance1. Admin creates role thatgrants access to the
photosbucket2. Developer launches aninstance with the role4. App gets photosusing
the rolecredentialsAmazon S3 bucketEC2 InstanceAWS AccountApplicationRole: Get-
photosInstance Profile2. Application retrieves credentials of the Role from the
instance.1. Admin creates a Role that grants access to the photos in the bucket.3.
Developer launches an instance with the Role.4. Application gets photos using the
credentials of the Role.IAM Roles provide access to users, applications, and
services that do not have permission to use AWS resources.Cross-Account Policy•A
principal with access to one account that can also use the resources in another is
called cross-Account access.•When users enable cross-account access, the
principal's account is referred to as the trusted account.•The resource's account
performs as the trusting account.The following example shows the scenario where a
user in one account receives permissions from a resource-based policy in a
different account:{"Version": "2012-10-17", "Statement": [ { "Sid":
"AllowS3ListRead", "Effect": "Allow", "Action": "s3:ListAllMyBuckets", "Resource":
"*" }, { "Sid": "AllowS3ProductionObjectActions", "Effect": "Allow", Cross-Account
Policy"Action": "s3:*Object*", "Resource": "arn:aws:s3:::Production/*" }, { "Sid":
"DenyS3Logs", "Effect": "Deny", "Action": "s3:*", "Resource":
[ "arn:aws:s3:::*log*", "arn:aws:s3:::*log*/*" ] } ] }Cross-Account PolicyExternal
ID•The External ID is a piece of information that can be supplied to the Security
Token Service's AssumeRoleAPI (STS).•When a certain value is present in the
external ID, the user can utilize the external ID in the condition element of a
role's trust policy to restrict when the role can be assumed.What Is the Purpose of
the External ID?The main goal of the external ID is to solve the issue of the
confused deputy problem.The external ID enables the person who is assuming the role
to declare their operating environment.It gives the account owner a way to restrict
the role's assumption to certain situations.Example of External IDCustomersAWS
resourcesThis is a scenario where a partner needs access to specific resources to
carry out AWS operations on their behalf. The partner requires a mechanism to
access the AWS resources belonging to all of its multiple customers.The Confused
DeputyIn this example, the confused deputy problem is utilized to show how an
unauthorized person could access users'AWS services. Given this situation:Users AWS
accountAWS 1: ExampleRoleTrusts example crop’s AWS account IAM userDoes not pass
external ID when assuming a role Example crop’s AWS accountAnother AWS accountCan
use an example corpto access user's account1.Provides AWS1: ExampleRoleARN to
Example Corp 2. Assumes role and accesses to user’s resources4. Assumes role and
accesses to user’s resources3. Provides AWS1:ExampleRole
ARN to example corpAWS CognitoSSOThe cloud-based single sign-on (SSO) solution,
AWS Single Sign-On, makes it simple to manage SSO access to all user'sAWS accounts
and cloud applications from a single location.Users can use AWS Organizations to
manage SSO access and user rights for all their AWS accounts.SAML•An identity
provider (IdP) can authenticate users and send identification and security
information about them to a service provider (SP).•Generally, an application or
service uses the open federation standard Security Assertion Markup Language 2.0
(SAML).Active DirectoryUsers'directory-aware workloads and AWS resources can use
managed Active Directory (AD) in AWS with the help of AWS Directory Service for
Microsoft Active Directory, commonly known as AWS Managed Microsoft Active
Directory (AD).AWS Organizations•As users'AWS resources expand and scale, AWS
organizations enable usersto manage and control theirenvironment centrally.•Users
can group accounts to organize theirworkflows, apply policies to accounts or groups
for governance, and organize billing by using a single payment method for all their
accounts using AWS organizations. CognitoAmazon Cognito handles web and mobile app
authentication, authorization, and user management.Users can sign in directly using
a username and password or via a third-party service such as Facebook, Amazon,
Google, or Apple.User pools and identity pools are the two fundamental components
of Amazon Cognito.This example is a combination of an Amazon Cognito user pool and
an identity pool.In the first step, theapp user registers via a user pool and
receives user pool tokens after successful authentication.Following that, the user
app usesan identity poolto exchange user pool tokens for AWS credentials.Finally,
app users can use their AWS credentials to access other AWS services like Amazon S3
and DynamoDB.CognitoCloud TowerAWS Control Tower •AWS Control Tower is the simplest
method to set up and manage a secure, multi-account AWS environment known as a
landing zone.•Provides user’slanding zone with AWS Organizations, providing
continuous account management and governance as well as best practices for
deployment based on AWS's expertise in working with hundreds of clients as they
migrate to the cloud.BenefitsSet up and create a new AWS environment
quickly.Automate continuous policy management.View policy-level summaries of users'
AWS environment.Cloud SecurityUsers don't need to handle actual servers or storage
components when using the cloud. As an alternative, users employ software-based
security measures to keep an eye on and secure the information flowing into and out
of their cloud resources.Identity-based policy, Implicit Deny, Explicit
AllowProblem Statement:You have been assigned a task to implement identity-based
policies, implicit deny, and explicit allow.Duration: 13 minsAssisted Practice:
GuidelinesSteps to be followed:1.Configuring identity-based policy2.Performing
implicit denial on the bucket3.Performing explicit allowPolicy Generator, Managed
Policy, Versions, GroupsProblem Statement:You have been assigned a task to perform
policy generator, managed policy, versions, and groups.Duration: 8 minsAssisted
Practice: GuidelinesSteps to be followed:1.Creating and managing policy2.Using
group users can attach policy and permissions directly to the group3.Creating and
managing S3 versioningResource-based policy, Policy Generator, PrincipalsProblem
Statement:You have been assigned a task to create a resource-based policy using a
policy generator and principals.Duration: 8 minsAssisted Practice: GuidelinesSteps
to be followed:1.Creating a resource-based policy2.Policy generator using
principalsConditional Variables Restricted Access By IPProblem Statement:You have
been assigned a task to allow or block conditional variables restricted access by
IP.Duration: 8 minsAssisted Practice: GuidelinesSteps to be followed:1.Creating a
security group2.Changing the security groupRestrict Access Using VPC
EndpointProblem Statement:You have been assigned a task to perform restricted
access using the VPC endpoint.Duration: 8 minsAssisted Practice: GuidelinesSteps to
be followed:1.Create a custom VPC and enable DNS hostname2.Create an Internet
Gateway3.Create 2 subnets4.Create a Route table and attach them to subnets5.Launch
3 instances6.Launch public and private VM7.Install DB on a private DB
server8.Create a bucket and upload a document9.Create an EndpointCross-account
Management Console access using IAM RolesProblem Statement:You have been assigned a
task to create and configure cross-account management console access using IAM
roles.Duration: 8 minsAssisted Practice: GuidelinesSteps to be followed:1.Creating
a role in the production account2.Granting access to the role3.Testing the access
by switching rolesCloud SecurityTypes of Cyber AttacksFollowing are some common
threats:PhishingPassword managementCredential leaksNetwork securityInsider
threatSecurity incident recovery planningCase Study: NetflixIn 2008, Netflix was
highly focused on DVD-by-mail services. Due to the above-mentioned database
corruption problem, DVD shipping was halted for three days.ChallengeNetflix
management decided to shift away from relational systems in their data centers and
toward the cloud. The cloud was AWS (Amazon Web Services), which allowed the
organization to scale as much as it required.Location:United States Industry:On-
demand media industry SolutionArchitecture DiagramFollowing is a F-secure Data
Pipeline:EC2 fwd2forwarderKRECVEndpointKRECVEndpointKRECVEndpointKKinesis-
rawKinesis-fwd1Kinesis-fwd2Kinesis-fwd3Lambda-fwd1-ForwarderLambda-fwd3-
ForwarderKinesis-All-ProcessedS3-Processed_WriterS3-Processed_BucketS3-raw-
bucketS3-raw-WriterEventProcessorDynamoDB(state)ElastiCache(duplicateChecker)IP
whitelistingLambda-Redshift-ForwardLambda-AllData-ForwarderRedshiftReceiver
1Receiver 2Receiver 3Receiver 2Receiver 3SQLinterfaceAWSAmazon EC2Amazon Elastic
Compute Cloud (Amazon EC2) provides the most comprehensive and deep compute
platform, with over 500 instances and a selection of the most recent processor,
storage, networking, and operating system.•Run cloud-native and enterprise
applications•Scale for HPC applications•Develop for Apple platforms•Train and
deploy ML applicationsUse Cases:Amazon KinesisAmazon Kinesis simplifies the
collection, processing, and analysis of real-time, streaming data, allowing the
userto gain timely insights and respond quickly to new information.•Build video
analytics applications•Evolve from batch to real-time analytics•Build real-time
applications•AnalyzeIoT device dataUse Cases:Amazon DynamoDBA serverless, fully
managed, key-value NoSQL database called Amazon DynamoDB is made to support high-
performance software at any scale.•Develop software applications•Create media
metadata stores•Deliver seamless retail experiences•Scale gaming platformsUse
Cases:Amazon RDSA group of managed services known as an Amazon Relational Database
Service (Amazon RDS) makes it simple to set up, operate, and scale databases in the
cloud.•Build web and mobile applications•Move to managed databases•Break free from
legacy databasesUse Cases:Amazon LambdaUsers can run code for practically any kind
of application or backend service using the serverless, event-driven compute
service provided by AWS Lambda, which eliminates the need for installing or
managing servers.•Process data at scale•Run interactive web and mobile
backends•Enable powerful ML insightsUse Cases:Amazon S3A leading provider of
scalability, data availability, security, and performance in the object storage
space is Amazon Simple Storage Service (Amazon S3).•Build a data lake•Back up and
restore critical data•Archive data at the lowest costUse Cases:Amazon VPCAmazon VPC
allows users to havecomplete control over their virtual networking environment,
including resource placement, connection, and security.•Launch a simple website or
blog•Host multi-tier web applications•Create hybrid connectionsUse Cases:Amazon
CloudFrontAmazon CloudFront is a CDN solution designed for great performance,
security, and developer simplicity.•Deliver fast, secure websites•Accelerate
dynamic content delivery and APIs•Stream live and on-demand videoUse Cases:WAFWhat
Is AWS WAF?AWS WAF is a web application firewall that lets users monitor the HTTP
and HTTPS requests that are forwarded to an Amazon CloudFront distribution, an
Amazon API Gateway REST API, or an Application Load Balancer.AWS WAFAWS WAFAllow
all the requests except the ones that they specify01Block all the requests except
the ones that they specify02Count the requests that match the properties that they
specify03AWS WAF enables users to:How to Handle False Positives in WAF?Users have
to use a web browser. Then, to check for a false positive of style==xxxon their
example.com domain, they enter example.com/style==xxxin the web browser. The
response is error code 403 Forbidden.NoteUsers apply curl and replace users' false
positivefor false positive.$ curl -ikvhttp://example.com/[false positive]Benefits
of AWS WAFThe following are the benefits of AWS WAF:WAF offers additional
protection against web attacks.It provides real-time information and samples of web
requests.It offers automated administration.AWS WAFProblem Statement:You have been
assigned a task to create and configure AWS WAF.Duration: 8 minsAssisted Practice:
GuidelinesSteps to be followed:1.Creating and configuring IP sets2.Creating and
configuring web ACL3.Creating a Custom rule in web ACLsShieldWhat Is AWS Shield?AWS
Shield is a managed Distributed Denial of Service (DDoS) protection service that
safeguards applications running on AWS. AWS Shield provides always-on detection and
automatic inline mitigations that minimize application downtime and latency.AWS
ShieldNetwork and Application Protection•AWS offers services to the user'snetwork
and application security teams that address their specific protection needs and
regulatory requirements.•Amazon VPC security groups secure resources in user’s AWS
workloads at the host level.AWS Shield AdvanceThe advanced subscription service
adds DDoS mitigation capabilities, intelligent attack detection, and attack
mitigation at the application (AWS WAF included) and network layers.AWS Shield
Advance•Application-layer Attacks (layer 7):Consists of requests like HTTP Gets
designed to consume application resources. •Other Application-layer Attacks:The
OWASP Top 10 publication includes SQL injection (SQLi), cross-site scripting (XSS),
remote file inclusion (RFI), and other online application attacks and
threats.Benefits of AWS ShieldThe following are some of the benefits of AWS
Shield:Seamless integration and deploymentCustomizable protectionManaged protection
and attack visibilityCost-efficiency01020304Secrets ManagerAWS Secrets
ManagerSecrets Manager allows users to replace hardcoded credentials, such as
passwords, in the code with an API call to Secrets Manager to retrieve the secret
programmatically.AWS Secrets Manager ScenarioSecret
ManagerDatabaseAdminMyCustomAppThe diagram below depicts how the userscan save
database credentials in Secrets Manager and then use those credentials in an
application to access the database.Uses database credentials to access the
databasesearches for the secret AWS Secrets Manager Features01It always returns the
most recently encrypted secret value version.03It is easy to create, leaving users
time to focus on creating the applications.02It provides users with the scalability
and reliability provided by AWS.04It allows the users to replace stored credentials
with a runtime call to the Secrets Manager Web service dynamically.The features of
AWS Secret Manager can be listed below:Standards for AWS Secrets ManagerA set of
diagrams used for aligning process improvement efforts to customer requirements.A
list of the cost of each activity in a process is totaled to understand the cost
associated with a product or service.An analysis of time taken by each activity
within the process.Used to develop new processes or improve existing processes.AWS
Secrets Manager has a few standards which can be listedbelow:Standards for AWS
Secrets ManagerIt validates that appropriate controls are in place and determines
the appropriate responsibility model.It provides an approach to security assessment
and continuous monitoring for cloud products. It provides process improvement
effort to customer requirements.It demonstrates to customers AWS's commitment to
meeting the high expectations. AWS Secrets Manager has a few standards which can be
listed below:Working with Access Secrets ManagerMethodsCommand line toolsHTTPS
Query APIAWS SDKsSecrets Manager consoleAny of the following methods can be used to
interact with Secrets Manager:Working with Access Secrets ManagerThe browser-based
Secrets Manager console allows users to manage the secrets and perform almost any
task related to the secrets.Secrets Manager consoleWorking with Access Secrets
Manager0101010000100001000100001001000101010101000001001000110101001010101010010110
10010The AWS command line tools enable usersto perform Secrets Manager and other
AWS tasks by issuing commands from the system command line. Command line
toolsWorking with Access Secrets ManagerThe AWS SDKs include libraries and sample
code for a variety of programming languages and platforms, including Java, Python,
Ruby, .NET, and others. AWS SDKsWorking with Access Secrets ManagerThe HTTPS Query
API allows users to access Secrets Manager and AWS programmatically. HTTPS Query
APISecrets Manager Administrator PermissionsEnd users should not be granted
administrator permissions that helps them to carry out the following tasks:Focusing
on how an organization performs work Viewing the value delivery of an
organizationPermissions to Access SecretsUsers may manage which people or services
have access to the secrets by using IAM authorization policies. A permissions
policy specifies who can do what on which resources. Users may:Attach a permissions
policy to an identityAttach a permissions policy to a secretAttach a Permissions
Policy to an IdentityIdentity-based policies can be used to:Give a user access to
several secretsAllow an IAM group to access secretsControl who can create new
secrets and who can access already generated secretsIn a resource-based policy,
users determine who will have access to the secret and what actions they may do
with it. Resource-based policies can be used to:Attach a Permissions Policy to a
SecretGrant access to a single secret to multiple users and roles01Grant access to
users or roles in other AWS accounts02AWS CLIUse get-resource-policy to obtain the
policy associated with the secret. The policy related to the secret is retrieved
using the CLI command below:awssecretsmanagerget-resource-policy --secret-id
production/MyAwesomeAppSecret{"ARN": "arn:aws:secretsmanager:us-east-
2:123456789012:secret:production/MyAwesomeAppSecret-a1b2c3","Name":
"MyAwesomeAppSecret","ResourcePolicy": "{\"Version\":\"2012-10-17\",\"Statement\":
{\"Effect\":\"Allow\",\"Principal\":{\"AWS\":
[\"arn:aws:iam::111122223333:root\",\"arn:aws:iam::444455556666:root\"]},\"Action\"
:
[\"secretsmanager:GetSecret\",\"secretsmanager:GetSecretValue\"],\"Resource\":\"*\"
}}"}AWS CLIUse delete-resource-policy to remove the policy associated with the
secret. The following CLI command removes the policy from the secret:$
awssecretsmanagerdelete-resource-policy --secret-id
production/MyAwesomeAppSecret{"ARN": "arn:aws:secretsmanager:us-east-
2:123456789012:secret:production/MyAwesomeAppSecret-a1b2c3","Name":
"production/MyAwesomeAppSecret"}AWS SDKUse Get-Resource-Policy to obtain the policy
that is associated with a secret. Use Delete-Resource-onePolicyto remove a policy
that is associated with a secret.The following policy allows ApplicationRolein
Account2 to access the secret in Account1.Step 1: Attach a resource policy to the
secret in Account1Permissions for Users in a Different Account{"Version": "2012-10-
17","Statement": [{"Effect": "Allow","Principal": {"AWS":
"arn:aws:iam::Account2:role/ApplicationRole"},"Action":
"secretsmanager:GetSecretValue","Resource": "*"}]}The ApplicationRolein Account2 is
permitted to use the KMS key in Account1 to decode the secret by the following key
policy clause. Add this clause to the key policy for the KMS key in order to use
it.Step 2: Add a statement to the key policy for the KMS key in Account1Permissions
for Users in a Different Account{"Effect": "Allow","Principal": {"AWS":
"arn:aws:iam::Account2:role/ApplicationRole"},"Action":
["kms:Decrypt","kms:DescribeKey"],"Resource": "*"}Permissions for Users in a
Different AccountThe following policy permits ApplicationRolein Account2 to access
the Account1 secret and decrypt the secret value using the Account1 encryption
key.Step 3: Attach an identity policy to the identity in Account2{"Version" :
"2012-10-17","Statement" : [{"Effect": "Allow","Action":
"secretsmanager:GetSecretValue","Resource": "SecretARN"},{"Effect":
"Allow","Action": "kms:Decrypt","Resource":
"arn:aws:kms:Region:Account1:key/EncryptionKey"}]}Permissions PolicyThere are many
similarities between the permissions policies that users apply to resources and
identities. The users might include the following things in a secret access
policy:PrincipalResourceActionExampleSecrets Manager ConceptsA secret in Secrets
Manager is made up of secret information, the secret value, and secret-related
metadata. A string or binary can be used as a secret value.The following concepts
are important for understanding how Secrets Manager works.SecretsA secret in
Secrets Manager is made up of secret information, the secret value, and secret-
related metadata. A string or binary can be used as a secret value.Secrets Manager
ConceptsTo make it more challenging for an attacker to access the credentials, a
secret is rotated on a regular basis.RotationSecrets Manager ConceptsVersions of a
secret store copies of the secret value that has been encrypted. VersionSystems
ManagerAWS Systems ManagerAWS Systems Manager is a set of tools that can assist
users in managing the infrastructure and applications that are hosted on the AWS
Cloud. How Systems Manager Works?The activities performed by the Systems Manager on
the resources are shown in the following diagram with a detailed description of
each interaction between different
components:Source:https://docs.aws.amazon.com/systems-manager/latest/userguide/
what-is-systems-manager.htmlSystems Manager Service Name HistorySystems Manager
Agent: SSM AgentSystems Manager parameters: SSM parametersSystems Manager service
endpoints: ssm.region.amazonaws.comAWS CloudFormation resource types:
AWS::SSM::DocumentThe previous names for AWS Systems Manager are listed
below:Systems Manager Service Name HistoryAWS Config rule
identifier:EC2_INSTANCE_MANAGED_BY_SSMAWS Command Line Interface (AWS CLI)
commands:awsssmdescribe-patch-baselinesAWS Identity and Access Management (IAM)
managed policy names:AmazonSSMReadOnlyAccessSystems Manager resource
ARNs:arn:aws:ssm:region:account-id:patchbaseline/pb-07d8884178EXAMPLEThe previous
names for AWS Systems Manager are listed below:AWS ConfigAWS ConfigAWS Config is a
service that allows users to inspect, audit, and review the AWS resource setups.
Config monitors and records the AWS resource configurations in real time and allows
users to manage the comparison of recorded configurations to desired
configurations.Features of AWS ConfigContinuous assessmentContinuous
monitoringSupport for third-party resourcesChange managementEnterprise-wide
compliance monitoringOperational troubleshooting010203040506How does it work?When a
resource's configuration changes, AWS Config creates configuration items, and
starting with
the moment users start the configuration recorder, it keeps historical recordings
of the configuration items of the
resources.Source:https://aws.amazon.com/config/Use casesChange managementContinuous
audit and complianceCompliance-as-code frameworkTroubleshootingSecurity
analysisDiscoveryThe following use cases of AWS Config can be listed as follows:AWS
Config S3 Bucket Encryption ComplianceProblem Statement:You have been assigned a
task to configure S3 bucket encryption compliance.Duration: 8 minsAssisted
Practice: GuidelinesSteps to be followed:1.Setting up the AWS config2.Create rules
in AWS Config ConsoleAWS Config Automated Remediation Problem Statement:You have
been assigned a task to configure automated remediation.Duration: 8 minsAssisted
Practice: GuidelinesSteps to be followed:1.Open the AWS Config console by logging
into the AWS Management Console at https://console.aws.amazon.com/config/2.From the
navigation pane, choosePreferences3.ChooseDisable Trusted AdvisorAWS Inspector,
Trusted AdvisorAWS InspectorAmazon Inspector is an automated vulnerability
management program that continuously checks for software flaws and accidental
network exposure in an AWS workload. It looks for vulnerabilities in an Amazon
Elastic Compute Cloud(EC2) instance and creates
reports.source:https://aws.amazon.com/config/AWS InspectorSome features of Amazon
Inspector are as follows:010203040506Central ManagementIt can be managed by a
single administrator.Real Time ScansEligible objects and resources are scanned
automatically.AWS Inspector Risk ScoreA report mentioning the weakness and
severity.Amazon Inspector DashboardIt displays a detailed list of findings.Manage
FindingsAll vulnerabilities are listed according to their type.Monitor
VulnerabilityEventBridgecan be used to process them in almost Real-time.AWS
Inspector•AWS inspector provides recommendations following the AWS best
practices.•It performs searches to optimize the security of the AWS
infrastructure.•It aids in reducing cost, boosting performance, and enhancing
security.AWS Inspector: AccessAWS Command LineIt is a faster and more convenient
approach to performing tasks.AWS Inspector REST APIIt can be used to send web
requests to the AWS Inspector.AWS SDKsThey provide an easy and convenient way to
manage errors.AWS Management ConsoleAWS Management Console can be accessed through
a browser.AWS Inspector: Vulnerability AssessmentMade specifically to
enableDevSecOpsAPI-enabled automationIntegrates with CI/CDOn-demand Pricing
ModelStatic and Dynamic Rules PackageProducing FindingsAWS Inspector: Use CaseSome
common use cases of AWS inspector are:•Validate Network; Find Vulnerability.•VPC
Configuration Mistake.•Check that no exposure has opened.Network Reachability•Check
Gold AMIs; DevOps Pipeline.•Check for Software Changes;New(Zero Day)
Vulnerabilities•Check for Software Changes;New(Zero Day) VulnerabilitiesHost
Assessment•Before Deployment•Migration•ProductionWorking of AWS InspectorAWS
Inspector works in the following ways:Configure Assessment●Automated
Scans●Configure assessmentRun Assessment●One Click for network reachability●Deep
Scans of eligible resourcesFindings•Vulnerability•Resource
Affected•RecommendationAction•Remediation•Inspector
Partners;1.SIEM2.Reporting3.Ticketing•Store in DatabaseThree Levels of Warning by
AWS InspectorThere are three levels of warning given by the AWS
Inspector.Red•Critical error in one or more resources.•Recommended action is
“action recommended”Yellow•Warning condition for one or more resources•Recommended
action is “investigation recommended”.Green•No vulnerability.•No recommendation.
All resources are fine.Benefitsof AWS InspectorCost
OptimizationPerformanceSecurityServicesFault ToleranceIntegrated Usage Walk-
throughAWS Inspectors Dashboard gives out information regarding the
findings.Integrated Usage Walk-throughAWS Inspector Dashboard gives an overview of
the number of findings and assessments.Important FindingsRecent FindingsAssessments
RunningAssessment Runs CompleteAssessment Runs FailedTrusted Advisor•AWS Trusted
Advisor provides recommendations that help users follow AWS best practices.•Trusted
Advisor evaluates a user's account by using checks. •These audits help
usersoptimize theirAWS infrastructure, boost performance and security, reduce
expenses, and keep an eye on service quotas.AWS Trusted Advisor provides
recommendations that help users follow AWS best practices.How Trusted Advisor
works?AWS Trusted Advisor offers recommendations to help users adhere to AWS best
practices. Source:https://aws.amazon.com/premiumsupport/technology/trusted-
advisor//Trusted Advisor uses checks to analyze the account.AWS Inspector for
Network Reachability, Vulnerability, and Host HardeningProblem Statement:You have
been assigned a task to configure AWS inspector for network reachability,
vulnerability, and host hardening.Duration: 8 minsAssisted Practice:
GuidelinesSteps to be followed:1.Developing the AWS Inspector 2.Creating the AWS
Inspector dashboard Trusted AdvisorProblem Statement:You have been assigned a task
to create a trusted advisor.Duration: 8 mins.Assisted Practice: GuidelinesSteps to
be followed:1.Open theTrusted Advisor console2.From the navigation pane,
choosePreferences3.ChooseEmail Save PreferencesGuardDutyAmazon GuardDutySource:
twitter.comAmazon GuardDutyis a threat detection service that delivers in-depth
security findings for visibility and remediation.It continuously scans your AWS
accounts and workloads for malicious activity.Comprehensive threat
identificationStrengthens security through automationEnterprise scale and central
managementBenefitsAmazon GuardDutyBenefitsAccessing GuardDutyWith GuardDuty, users
can cooperate in the following ways:GuardDutyConsoleSDKs for AWSHTTPS API for
GuardDutyHow GuardDutyworks?AWS CloudTrail, Amazon VPC Flow Logs, and domain name
system (DNS) logs are being continuously examined for any malicious activities by
Amazon GuardDuty.The service performs analysis in close to real time by utilizing
built-in threat intelligence, anomaly detection, and machine learning capabilities
created by the AWS security team.Source:https://aws.amazon.com/guardduty/GuardDuty-
Managing Findings from Multiple AccountsManaging multiple accounts with AWS
OrganizationsUsers can designate a particular account as the organization's
delegated administrator for GuardDutyif that account is a member of an organization
in AWS OrganizationsManaging multiple accounts by invitationUsers can specify an
administrator account in GuardDutyand then use the administrator account to invite
additional AWS accounts to become member accountsGuardDutyadministrator and member
accountsThe administrator account can control specific GuardDutyfeatures on behalf
of the member accounts when using GuardDutyin a multi-account environment. Use
casesEnable continuous monitoring and analysisSimplify forensicsStop unauthorized
activityIntelligent threat detectionThe following use cases of AWS GuardDutycan be
listed as follows:Three Main Types of ThreatsReconnaissanceCompromised
accountsCompromised instancesAvailable RegionsAsia Pacific (Mumbai, Seoul,
Singapore, Sydney and Tokyo)Europe(Frankfurt, Ireland, and London)Oregon ,N.
California, N. Virginia and OhioSouth America(Sao Paulo)Canada(Central)Currently,
the following AWS regions offer support for Amazon GuardDuty:Detecting Known
ThreatsKnown malware infected hostsAnonymizing proxiesSites hosting malware and
hacker toolsCrypto-currency mining pools & walletsGreat catch-all for suspicious &
malicious activityDetecting Unknown Threats•Highly skilled data scientists to study
data.•Develop theoretical model•Experiment with implementations•Testing,tuningand
validationsAlgorithms to detect unusual behaviourLarger R&D Effort•Analyzing
signaling patterns for signatures.•Profiling normal and looking at
deviations.•Machine Learning ClassifiersDetection FlywheelAWS Field Organizations
consists of AWS Support/TAM Solutions Architect and Professional servicesCustomer
and partners receive a steady flow of detection streams and develop new
detections.Amazon GuardDutylearns new threats, consumes threat intelligence,
develops new analytics and new detectionsAWS Security investigates threats and
patterns, produces threat intelligence and provides guidance to all service
teams1234Detection FlywheelCloudWatch
EventsSource:https://www.slideshare.net/AmazonWebServices/amazon-guardduty-
intelligent-threat-detection-and-continuous-monitoring-to-protect-your-aws-
accounts-and-workloads?qid=6b0a46cf-9937-42c7-a81d-
dc09dca1e939&v=&b=&from_search=2Amazon CloudWatch Events provides a near-real-time
stream of system events describing changes to Amazon Web Services (AWS)
resources.Languages SupportedThe information regarding GuardDutyis available in
eight languages including Chinese,English,French,German,JapaneseKorean,Portugeseand
Spanish.MacieAmazon MacieAmazon Macie is a fully managed data security and data
privacy solution that discovers and protects sensitive data in AWS using machine
learning and pattern matching.DiscoveryoursensitivedataatscaleVisibility of your
data security postureEasy to setup and manage010203Benefits of MacieHow does it
work?After activating Macie for the AWS account, the S3 bucket list will be created
in the region where useractivated it. Macie will also start monitoring the access
control and security of the buckets.Source:https://aws.amazon.com/macie/Use
CasesMaintaining regulatory complianceIdentifying sensitive data in data
migrationsAssessing your data privacy and securityThe following use cases of AWS
Macie can be listed as follows:Features Of MacieMacie summary dashboardMacie
JobsMacie FindingsOther Security ServicesSecurity HubAWS Security Hub is a cloud
security posture management service that checks for quality standards, collects
alarms, and allows automated repair.Source
:https://dev.classmethod.jp/articles/aws-security-hub-check-count-use-aws-cli/
Security
in AWS Security HubBoth AWS and users share responsibility for security. This is
referred to as cloud security and security in the shared responsibility model of
the cloud.Security of the cloudSecurity in the cloudSetting Up AWS Security HubThe
way the accounts are managed determines whether an account needs to manually enable
AWS Security Hub. Users have two options for managing accounts:Setting
UpIntegration with organizationsManual account managementHow does It work?
Source:https://aws.amazon.com/security-hub/To make it easier to respond to security
alerts (or findings) from multiple AWS services and partner products, Amazon
Security Hub compiles them in a consistent manner. Security Hub makes it easier to
analyze and enhance security posture with automatic security best practices powered
by AWS Config rules.Use CasesInitiate Security Orchestration, Automation, and
Response (SOAR) workflowsConduct Cloud Security Posture Management (CSPM)Correlate
the security findings to discover new insightsSave time and money by simplifying
integrationsThe following use cases of AWS Security Hub can be listed as
follows:Security Hub and AWS Services IntegrationThe AWS services are integrated in
the following ways in Security Hub:Use Amazon GuardDutyto continuously identify
threats to the AWS accounts, workloads, and data stored in Amazon S3 in order to
lessen risksIdentify personally identifiable information in the S3 buckets with the
aid of Amazon MacieUse Amazon Inspector to check Amazon EC2 instances for common
flaws and exposesThese AWS services are integrated:Examine the policies related to
the AWS resources that IAM Access Analyzer use, such as S3 buckets, KMS
keys,andLambda functionsAutomate any reaction to the discovered alerts using AWS
Lambda, Amazon CloudWatch, and CloudWatch eventsManage web application firewalls
and security groups across many AWS accounts using the solution known as AWS
Firewall ManagerSecurity Hub and AWS Services IntegrationSecurity Standards
Enabling Security HubAWS Foundational Security Best PracticesAWS Security Hub CIS
BenchmarkPayment Card Industry Data Security Standard (PCI DSS)Users can currently
enable three automated checks :Setting Up Integration with AWS Security HubIn the
AWS environment, the integration builds AWS Lambda functions that transfer findings
from AWS Security Hub to Sophos Cloud Optix.Using a CloudFormation template
provided by Sophos, it generates an IAM role.With the help of CloudFormation
StackSetsoffered by Sophos, it generates AWS Lambda functions that utilize this IAM
role.Top Available Security Standards The three automated checks users can
currently enable are as follows:01AWS Foundational Security Best Practices02AWS
Security Hub CIS Benchmark03Payment Card Industry Data Security Standard (PCI
DSS)DetectiveAmazon Detective simplifies the analysis, investigation, and rapid
identification of the root cause of security findings or suspicious activity. It
collects log data from the AWS resources automatically.Souce:
https://www.hava.io/blog/what-is-amazon-detectiveHow Does Detective Work?Detective
automatically pulls time-based events from AWS CloudTrail and Amazon VPC flow logs,
such as login attempts, API calls, and network activity.Detective-tailored graphics
establish a baseline and summarize account data. It combines machine learning and
visualization to provide a unified, interactive view of the resource activities.It
eliminates the need to organize data or build algorithms.Who Uses Detective?An
account becomes the administrator account for a behavior graph when it enables
Detective. A behavior graph is a connected collection of data taken and examined
from one or more AWS accounts. Administrator accounts encourage member accounts to
add their data to the behavior graph of the administrator account.How to Use Amazon
Detective?Having discovered a potential security concern, users can utilize Amazon
Detective.Alert Analysis is the first use casefor Detective. Users can prioritize
security warnings and findings using Detective, which could prevent unneeded
security escalations. Another important task performed by Amazon Detective is
incident investigation. Amazon Detective Key ConceptsUsers can use Detective to
archive the issue if the incidence turns out not to be a problem, such as a false-
positive Guard Duty notice.The behavior graph belongs to the management account,
which also uses it to gather source data and carry out research.Profile panels are
designed to give an analyst the answers to a particular query regarding a result
and supporting information. The scope time is a span of time that includes the
security event and often begins when suspicious activity is first noticed and ends
when it stops. Data is ingested, and Detective employs machine learning to
determine the typical behavior of traffic, roles, and resources in order to spot
anomalies.InvestigationAccount StructureProfile Panel VisualizationsScope
TimeBehavior GraphRequirements to Begin Using Amazon DetectiveAmazon Guard DutyTo
enable Detective, users must have a GuardDutyservice operational for more than 48
hours. Permissions PolicyBefore usersmay enable detective, theymust attach a
permissions policy to the IAM principle.An AWS AccountGiven that Detective keeps an
eye on AWS resources, this should be quite evident.Pricing of DetectiveCost$2.50
per GBUsageFirst 1,000 GBCost$1.25 per GBNext 4,000 GBUsageCost$0.63 per GBNext
5,000 GBUsageCost$0.31 per GBNext 10,000 GBUsageAmazon Detective offers a free 30-
day trial.Let us look at the cost per account, region, and month for the Asia
Pacific:IAM Access AnalyzerSource:https://aws.amazon.com/blogs/security/automate-
resolution-for-iam-access-analyzer-cross-account-access-findings-on-iam-roles/For
each active discovery, Access Analyzer sends an event to Amazon EventBridge. By
configuring an event rule in EventBridgeto match an active finding, this solution
starts an AWS Lambda function for resolution.Patch ManagerPatch Manager, an AWS
Systems Manager tool, automates the process of patching managed nodes with both
security and non-security upgrades. Patch Manager can be used to apply patches to
both operating systems and apps.Why Patch Manager?An automated application called
AWS SSM Patch Manager can assist users to make a patch management procedure to save
time and lower the risk of non-compliance. By automating the patch maintenance
procedure, users can save time and lower the possibility of non-compliance.Patching
Linux Instances with AWS SSM Patch
ManagerSource:https://www.1cloudhub.com/automate-the-linux-patches-using-aws-
system-manager-ssm/For managed instances, security-related upgrades are patched
automatically using Patch Manager.gh. The Patching ProcessThe five key phases in
the Patch Manager patching process must be followed.0102030405Establish the Default
Patch BaselineEstablish a Maintenance WindowCompliance CheckEstablish Patch
GroupsExecuting the Patch RUN CommandKey TakeawaysIAM policies let users control
employee and system access to ensure least-privilege access.For web and mobile
apps, Amazon Cognito enables quick, secure user authentication, authorization, and
management.AWS WAF gives control over how traffic enters the applications, allowing
users to establish security rules to block common attack vectors.AWS Shield offers
always-on detection and automatic inline mitigations that reduce application
downtime and latency.Key TakeawaysAmazon Macie continually checks the Amazon S3
environment and provides an S3 resource summary across all the
accounts.User'ssecurity posture within Amazon Web Services is fully visible through
AWS Security Hub (AWS).Users can compare their environment to security best
practices and standards with the aid of AWS Security Hub.Users can automate the
process of creating and configuring numerous accounts made possible by AWS Control
Tower.Users can secure, analyze, and manage secrets in the AWS Cloud, on external
services, and on-premises using Secrets Manager.Duration: 30 minsProject agenda: To
create and configure groups and users using policiesDescription: The admin of a
corporate decides to create 3 groups (each with any 2 policies) of IAM users (2 in
each group), each with their own set of policies for the tasks in their respective
groups.Perform the following:1.Creating a group2.Configure the user for CLI
operationCreate and Configure Groups and Users Using PoliciesThank You