# AWS Service Security Notes
An all-in-one-place collection of security information about all of the core AWS services.

These are the notes I created whilst studying for the [AWS Certified Security - Specialty](https://aws.amazon.com/certification/certified-security-specialty/) exam. They are intended as a knowledge check, reminder, and subject list for each AWS service. They are not intended as a primary learning source, and they assume an existing knowledge of security. I think if you can look through this list and feel confident that you are familiar with all of it, don't come away with a lot of follow-up questions, and think you can recall most of it unaided, then you will probably pass the security certification exam. It worked for me, anyway!

I don't plan to actively maintain this document as AWS evolves - reader beware, the rate of change at AWS is high! I would like to correct any errors though - please do raise an issue. I'll also happily accept pull requests if you find yourself using it and wish to bring it up to date, or fix errors, or otherwise enhance it in any way.

Final caveat: this doesn't teach you how to be good at AWS security. See my blog post on [what I think the Security Speciality certification means](https://mykter.com/2019/05/04/aws-security-certification), and hence what this document aims to cover.

If you found this useful please [let me know](https://twitter.com/michael_macnair)!

AWS Service Security Notes is licensed under a Creative Commons Attribution-ShareAlike 4.0 International License.
Based on a work at https://github.com/mykter/aws-security-cert-service-notes.

# Services
A complete list of the AWS security services, and selected additional AWS services of relevance to security (in particular, the security specialist certification). Taken from the [AWS product list](https://aws.amazon.com/products/) as of March 2019; if a category isn't listed it's because I thought none of the services in that category are particularly applicable.

Particularly important services from an exam perspective are in **bold**.

Security service links are to their FAQ pages, as a useful source of information on particular use cases and constraints that might be examined. Other service links are to their main product pages, but the FAQ pages often have good information including a security section too.

## Security

* [Artifact](https://aws.amazon.com/artifact/faq/)
    + Generic AWS compliance docs

* [Certificate Manager](https://aws.amazon.com/certificate-manager/faqs/)
    + Issuance can take a few hours
    + Email or DNS validation (CloudFormation only supports email validation)
    + Validates DNS CAA (Certification Authority Authorization) records first
    + Certs are region-locked, unless CloudFront is used (with the Virginia region)
    + Private keys are KMS protected - CloudTrail shows services using KMS to get the keys
    * Private CA
        + Allows export of the private key, whereas the public (standard) CA only integrates with AWS services

* [Cloud Directory](https://aws.amazon.com/cloud-directory/faqs/)
    + Generic directory service - not Active Directory. Could be used for user/device management.
    + Encrypted at rest and in transit

* [CloudHSM](https://aws.amazon.com/cloudhsm/faqs/)
    + Advertised as only suitable when you have contractual/regulatory constraints.
    + Only option for SQL Server and Oracle transparent database encryption (but not RDS Oracle, only Oracle instances running on EC2; RDS Oracle only works with CloudHSM Classic). Also works with Redshift.
    + PKCS#11, JCE, CNG
    + FIPS 140-2 Level 3 certified
    + KMS can use it as a key store - see KMS section
    + Each instance appears as a network resource in the VPC; the client does load-balancing.
    + `[[HSM] Server] <-TLS-in-TLS-> [client] <-p11 etc-> [app]`
    + HSM users authenticate with username + password
    + CloudTrail for provisioning API calls; CloudWatch Logs for HSM logs

* [**Cognito**](https://aws.amazon.com/cognito/faqs/)
    * User Pools
        + Free up to 50k monthly active users
        + OAuth user tokens
    * Identity Pools
        + Mapping between federated user IDs and Cognito user IDs. Per pool.
        + Grants temporary AWS creds (either directly from federation, or in exchange for a user pool token)
        + IAM Roles assigned based on: mappings defined for a user pool group / rules / guest
    + API Gateway has direct support for Cognito tokens (no need for an identity pool)
    + Sync store - key/value store per identity
    + [Common scenarios](https://docs.aws.amazon.com/cognito/latest/developerguide/cognito-scenarios.html)
    + Various soft limits e.g. API calls/s, groups/pool, etc. No limit on number of users.

* [**Directory Service**](https://aws.amazon.com/directoryservice/faqs/)
    + Works with EC2 (manage them via group policies), RDS SQL Server, WorkSpaces, AWS SSO, and a few more obscure ones
    + Can assign IAM roles to AD users for AWS access
    * Managed Microsoft AD
        + Can join to an existing AD with trust relationships
        + Or replace an on-prem AD by using Direct Connect or VPN
        + EBS volumes are encrypted. Deployed on two AZs. Daily backups.
        + Some high-priv operations not available. No remote access or PowerShell access. You get an OU and a delegated admin account for it.
    * AD Connector
        + Proxy for [a specific list of AWS services](https://docs.aws.amazon.com/directoryservice/latest/admin-guide/ad_connector_app_compatibility.html) through to on-prem AD.
        + Notably works with: SSO; management console; EC2 Windows (join domain)
    * Simple AD
        + Samba backend. Like Managed Microsoft AD but with fewer features and smaller resource limits.

* [Firewall Manager](https://aws.amazon.com/firewall-manager/faqs/)
    + Centrally manage WAF rules across CloudFront and ELB Application Load Balancers via Organizations
    + (not NACLs or Security Groups)

* [**GuardDuty**](https://aws.amazon.com/guardduty/faqs/)
    + Uses CloudTrail, VPC Flow Logs, and DNS logs (if EC2 instances are configured to use Route 53 resolvers - the default). Doesn't require you to enable them!
    + Combines that metadata with AWS threat intelligence (domains & IPs) and ML
    + Pricing per volume of data analyzed
    + Looks for reconnaissance, (EC2?) instance compromise, account compromise
    + Findings -> GuardDuty console (for 90 days) + CloudWatch Events. Findings in JSON format similar to Macie & Inspector
    + Regional. Can aggregate via CloudWatch Events to push to a central store
    + CloudWatch Events -> SNS topic (-> email) / Lambda (-> S3)

* [**IAM**](https://aws.amazon.com/iam/faqs/)
    * Users, Groups, Roles
        + Roles for EC2 instances
            + Creds found at http://169.254.169.254/latest/meta-data/iam/security-credentials/
            + To launch an instance, users need iam:PassRole for the relevant roles.
            + Can be attached at launch or later.
            + Auto rotation, built-in support for obtaining the creds when using the CLI & SDKs
        + Service linked role - predefined policy granting the service what it needs; immutable trust policy.
        + Role trust policy: what principals (account/user/role/service/federated user) can sts:AssumeRole. IAM users/roles also need an identity policy that allows them to assume the role.
        + Assumed role ARN: `arn:aws:sts::AWS-account-ID:assumed-role/role-name/role-session-name`, where the session name might be the EC2 instance ID, or the IAM username, for example.
    * Access keys
        + Rotate by creating a second access key, start using it, check the last used date of the old one, make the old one inactive, then delete it
        + Trusted Advisor can look for overly long-lived access keys
    * Policies
        + Resource based policies
            + Specifies a Principal.
            + Can't be managed policies - always inline.
            + Not actually IAM policies at all - they just usually use the same policy language
            + Notable ones: Organizations (SCP); S3; API Gateway; Lambda; KMS
        + Identity based policies (aka IAM policies)
            + Attached to a user/group/role - implicit Principal
            + Limit of 10 managed policies can be attached
            + Versions - up to 5, you set which is the 'default' for customer managed policies. Inline policies don't have versions.
        * [Permissions boundaries](https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies_boundaries.html)
            + Set the maximum permissions that an identity-based policy can grant to an IAM entity
            + Unlike SCPs, can specify resources and use conditions
        + Service Control Policies (SCPs) - see Organizations
        + Session policies - like a permissions boundary, optionally passed programmatically as part of AssumeRole*
    * [Evaluation logic](https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_evaluation-logic.html) - but there are special cases not listed there, e.g. KMS, S3
    * Conditions
        * Operators
            + Date, Numeric, String, Bool, Binary (b64), IpAddress, Arn, Null (key:true - key doesn't exist, key:false - key does exist and isn't null)
            + Operators are ANDed; multiple values for a key are ORed
            + ...IfExists returns true if the key doesn't exist
            + Set operators for keys with multiple values - ForAllValues:... ForAnyValue:...
        + All services: time, MFA, secure transport, user agent
        + aws:Source{Vpc,Vpce (endpoint),Account,Arn,Ip}
        + aws:PrincipalOrgID - instead of listing lots of accounts, just use the Org. In resource policies, use `Principal: "*"` and then this condition
        + aws:PrincipalTag/ - you can tag users and roles. Also service:ResourceTag and aws:RequestTag (control what tags users can use when tagging resources).
        + aws:PrincipalType
        + aws:RequestedRegion
        + aws:userid, aws:username
    * Policy variables
        + Use in the Resource element and in string operators in conditions
        + Basically the same set of variables as the global condition keys. aws:username etc.
    * (Not)Principal
        + AWS - users, roles, accounts
        + Federated - just "this principal authenticated with this provider" - no info on the role
        + Service - in trust policies
        + AWS:* - IAM identities (not services)
        + Use NotPrincipal rarely, and not with Allow, as it's very fragile. NotPrincipal+Deny acts like a whitelist due to the policy evaluation rules.
    + NotAction - matches everything except the listed actions. With Allow this is very broad - combine with a resource constraint to make it more selective.
    * Resource
        + Wildcards (`*` and `?`) don't span ARN segments
        + NotResource + Deny: blacklist. NotResource + Allow: risky - allows all others, including future ones.
    * Access advisor
        + When did an entity last use a permission
        + For each of User, Group, Role, and Policy
    * Federation
        + SAML
            + Users get a SAML assertion from their IdP portal, and use STS to exchange it for temporary creds.
            + IdP maps users/groups to roles.
            + Requires config info including keys registered with both the IdP and AWS IAM
            + Use AWS SSO to access the console.
        + Web identity federation - just use Cognito. IAM does support it natively too though.
        + Active Directory - use Directory Service, set up roles that trust DS, assign users or groups to roles
        + [Service support](https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_aws-services-that-work-with-iam.html)
            + Of interest are services that have resource-based policies, services that don't have resource-level permissions, and services that don't support temporary creds
            + Notable resource-based policies: ECR; Lambda; S3 & Glacier; KMS; Secrets Manager; API Gateway; VPC endpoints; SNS; SQS; SES
            + Notable ones missing resource-level permissions: CloudFront (no resource policies either)
            + ~everything that matters supports temporary credentials
    * Temporary credentials
        + Can't be revoked, but you can revoke an IAM user if they created the temporary creds, which invalidates them.
        + Include a token as well as access key & secret key. Token is appended to requests (header/query param)
        + Not regional
        + You can use AssumeRoleWithWebIdentity as a less-featured alternative to Cognito with your users
    * Multifactor
        + No support for SMS any more.
        + U2F, virtual TOTP, hardware TOTP provided by AWS.
        + Root user can recover from a lost second factor by verifying email address + phone number ownership.
        + APIs can require it by adding condition statements to identity or resource policies using `aws:MultiFactorAuthPresent` or `aws:MultiFactorAuthAge` (time since factor seen). Users then call STS to get temporary credentials that allow them to use the API. Doesn't work with root or U2F.
        + Doesn't work with federation

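A toy policy evaluator that walks through the rules in these IAM notes (explicit Deny beats Allow beats implicit Deny, NotAction/NotResource, wildcards that don't span ARN segments, ANDed operators with ORed values, IfExists, the ForAnyValue/ForAllValues set operators, and boundaries/SCPs as an intersection), added here as an example rather than code from the notes or from AWS. The sample policies use placeholder ARNs, and it omits resource-based policies and the KMS/S3 special cases the notes mention.

```python
"""Toy evaluator for the IAM logic summarised above (added example, not AWS code).
Models explicit Deny > Allow > implicit Deny, Action/NotAction, Resource/NotResource
with wildcards confined to one ARN segment, ANDed operators with ORed values,
...IfExists, ForAllValues/ForAnyValue, and boundaries/SCPs as an intersection."""
import ipaddress
import re

# Negated operators hold only when none of the listed values match.
NEGATED = {"StringNotEquals": "StringEquals", "StringNotLike": "StringLike",
           "ArnNotLike": "ArnLike", "NotIpAddress": "IpAddress"}

def _as_list(x):
    return x if isinstance(x, list) else [x]

def _wild(pattern, value, flags=0):
    """Plain wildcard match: * is any run of characters, ? exactly one."""
    rx = "".join(".*" if c == "*" else "." if c == "?" else re.escape(c) for c in pattern)
    return re.fullmatch(rx, value, flags | re.DOTALL) is not None

def _arn_match(pattern, value):
    """Resource wildcards do not span the colon-separated ARN segments."""
    if pattern == "*":
        return True
    ps, vs = pattern.split(":", 5), value.split(":", 5)
    return len(ps) == len(vs) and all(_wild(p, v) for p, v in zip(ps, vs))

def _op_match(op, expected, actual):
    if op in ("StringEquals", "ArnEquals"):
        return expected == actual
    if op == "StringLike":
        return _wild(expected, actual)
    if op == "ArnLike":
        return _arn_match(expected, actual)
    if op == "Bool":
        return expected.lower() == str(actual).lower()
    if op == "IpAddress":
        return ipaddress.ip_address(actual) in ipaddress.ip_network(expected, strict=False)
    raise ValueError("unsupported condition operator: " + op)

def _conditions_hold(condition, ctx):
    """Operator blocks and keys are ANDed; the values listed for a key are ORed.
    A missing key fails the condition unless the operator ends in IfExists."""
    for op_full, keys in condition.items():
        set_prefix, _, op = op_full.rpartition(":")  # e.g. ForAnyValue:StringLike
        if_exists = op.endswith("IfExists")
        op = op[:-len("IfExists")] if if_exists else op
        base, negated = NEGATED.get(op, op), op in NEGATED
        for key, expected in keys.items():
            expected = [str(e) for e in _as_list(expected)]
            if op == "Null":  # "true": key must be absent; "false": key must be present
                if (key not in ctx) != (expected[0].lower() == "true"):
                    return False
                continue
            if key not in ctx:
                if if_exists:
                    continue
                return False
            hits = [any(_op_match(base, e, a) for e in expected) != negated
                    for a in _as_list(ctx[key])]
            if not (all(hits) if set_prefix == "ForAllValues" else any(hits)):
                return False
    return True

def _statement_matches(st, req):
    for elem, match, value in (("Action", lambda p, v: _wild(p, v, re.IGNORECASE), req["action"]),
                               ("Resource", _arn_match, req["resource"])):
        pats, not_pats = _as_list(st.get(elem, [])), _as_list(st.get("Not" + elem, []))
        if pats and not any(match(p, value) for p in pats):
            return False
        if not_pats and any(match(p, value) for p in not_pats):
            return False
    return _conditions_hold(st.get("Condition", {}), req.get("context", {}))

def evaluate(policies, req):
    """Verdict for one set of policy documents: 'Deny', 'Allow' or 'ImplicitDeny'."""
    verdict = "ImplicitDeny"
    for doc in policies:
        for st in _as_list(doc["Statement"]):
            if _statement_matches(st, req):
                if st["Effect"] == "Deny":
                    return "Deny"  # an explicit Deny anywhere is final
                verdict = "Allow"
    return verdict

def is_allowed(req, identity_policies, boundary=None, scps=()):
    """Identity policies must Allow, as must the boundary and SCPs when given; a Deny anywhere wins."""
    sets = [identity_policies] + ([[boundary]] if boundary else []) + ([list(scps)] if scps else [])
    return all(evaluate(s, req) == "Allow" for s in sets)

# Constructed sample documents (placeholder ARNs, not from a real account).
MFA_FOR_DELETES = {"Statement": [
    {"Effect": "Allow", "Action": "s3:*", "Resource": "*"},
    {"Effect": "Deny", "Action": "s3:Delete*", "Resource": "*",
     "Condition": {"BoolIfExists": {"aws:MultiFactorAuthPresent": "false"}}}]}
EU_ONLY_SCP = {"Statement": [
    {"Effect": "Allow", "Action": "*", "Resource": "*"},
    {"Effect": "Deny", "NotAction": ["iam:*", "sts:*"], "Resource": "*",
     "Condition": {"StringNotEquals": {"aws:RequestedRegion": ["eu-west-1", "eu-west-2"]}}}]}
```
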
* [Inspector](https://aws.amazon.com/inspector/faqs/)
    * Rules packages
        + Predefined only.
        + Network: Network Reachability
        + Host: CVEs; CIS Benchmarks; Security Best Practices (OS config incl. remote access); Runtime Behavior Analysis (protocols, ports, software config)
    * Template
        + Rules packages (predefined only), target EC2 instances, SNS topic
        + Network reachability + host config (CVEs in package-manager-installed software, CIS benchmarks for popular OSes)
    + Agent required for host config
    + Network reachability: enumerates what ports are accessible from outside of a VPC (+ what process is listening on those ports, with agents)
    + Service linked role to enumerate EC2 instances and network config
    + Simple schedule in the template, or more advanced via CloudWatch Events / custom use of the API

* [**KMS**](https://aws.amazon.com/kms/faqs/)
    * Key policies
        + Required. Also different evaluation logic from standard IAM - if the key policy doesn't allow, then the request is denied regardless of identity policies.
        + Resource: "*" - this CMK
        + Principal: accounts/users/roles/services. Not groups! Have to use IAM identity policies to manage access via groups (or group -> AssumeRole).
        + Default policy for API-created CMKs allows `kms:*` for the account / root user. This ensures it doesn't become unmanageable, and also _enables_ identity based IAM policies - without it IAM policies are ineffective.
        + Default policy for console-created keys also allows you to specify:
            + Roles/Users who are Key Administrators, who can manage it - incl. changing its policy.
            + Roles/Users/other AWS accounts who are Key Users. They can Encrypt/Decrypt/GenerateDataKey, and manage grants for AWS services using the `kms:GrantIsForAWSResource` condition.
    + IAM/identity policies
        + Required for non-key-specific tasks like ListKeys, ListAliases, and CreateKey
        + Required to use the console
    + Bunch of [KMS-specific condition keys](https://docs.aws.amazon.com/kms/latest/developerguide/policy-conditions.html?shortFooter=true#conditions-kms) that can be used in either policy type.
        + `kms:ViaService` to prevent direct API use or block specific service use. All AWS managed CMKs use it to restrict access to the creating service.
    * Grants
        + Another resource-based policy attached to keys.
        + Allow-only, no Deny.
        + "grantee principal" - who can use the CMK.
        + "retiring principal" - who can revoke the grant
        + Actions: drawn from using the key, and creating further grants
        + Grant tokens: passed back when creating a grant, allow grantees to use the grant even before it has fully propagated. Not secret, no security impact, just practical.
    + Key usage -> CloudTrail
    + AWS services use wrapped data keys with KMS - 'envelope encryption'
    + APIs expose raw encrypt/decrypt operations, < 4 KB
    * CMKs
        + AES-256
        + CMKs are stored in HSMs (FIPS 140-2 Level 2)
        + AWS managed CMKs you have no control over. Customer managed ones you can set policies on.
        + Imported CMKs can be deleted immediately and can have an expiry time.
        + 1000 CMKs per region
        + Keys are region-specific. For a [multi-region solution](https://aws.amazon.com/blogs/security/how-to-use-the-new-aws-encryption-sdk-to-simplify-data-encryption-and-improve-application-availability/), encrypt a single data key under CMKs in different regions.
        + Customer controlled CMKs can be enabled/disabled
        + Automatic annual key rotation can be enabled for customer controlled keys that don't use imported key material.
    * Custom key store
        + Uses CloudHSM
        + Can't import or automatically rotate keys - otherwise the same management as normal key stores
        + Only for customer managed CMKs
        + You're responsible for availability
        + Manual rotation: create a key and remap the key alias
    * CloudHSM
        + Single tenant FIPS 140-2 Level 3 HSM - compliance
        + CloudHSMs appear in a VPC
        + Audit options beyond CloudTrail - CloudHSMs log locally and copy to CloudWatch
        + PKCS11 etc. interfaces (as well as use as a custom key store)
    + Each region has a FIPS 140-2 validated endpoint (uses the OpenSSL FIPS module) and a standard endpoint.
    + AES-128 or AES-256 data keys
    + Crypto operations accept an optional _encryption context_, which is used as additional authenticated data (AAD) in the operation. If it differs, decryption fails. Included in CloudTrail logs. Example used by S3:

      ```json
      "encryptionContext": {
          "aws:s3:arn": "arn:aws:s3:::bucket_name/file_name"
      },
      ```

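The envelope encryption and encryption-context behaviour from the KMS notes above, as an added example that is not KMS or AWS Encryption SDK code: the "KMS" is an in-memory stand-in and the AEAD is a standard-library construction (HMAC-based keystream plus an HMAC tag over the context), so what is faithful is the flow and the failure mode, not the primitives.

```python
"""Envelope encryption with an encryption context used as AAD, in the shape the
KMS notes above describe (added example, not KMS or AWS Encryption SDK code).
The CMK is a master key held in memory and the AEAD is a stand-in built from the
standard library (HMAC-SHA256 keystream, encrypt-then-MAC) so the example runs
offline. What it shows: the context is bound into the authentication tag, so a
decrypt under a different context fails before any plaintext is released, the
context itself is not secret, and it travels with every KMS call (as in CloudTrail)."""
import hashlib
import hmac
import json
import os

NONCE_LEN, TAG_LEN = 16, 32

def _canonical(context):
    """Contexts are string maps; serialise canonically so key order never
    changes the AAD bytes."""
    return json.dumps(context, sort_keys=True, separators=(",", ":")).encode()

def _keystream(key, nonce, length):
    blocks = (length + 31) // 32
    return b"".join(hmac.new(key, nonce + i.to_bytes(4, "big"), hashlib.sha256).digest()
                    for i in range(blocks))[:length]

def _subkeys(key):
    # Separate keys for confidentiality and integrity, derived from the one secret.
    return (hmac.new(key, b"enc", hashlib.sha256).digest(),
            hmac.new(key, b"mac", hashlib.sha256).digest())

def aead_encrypt(key, plaintext, context):
    enc_key, mac_key = _subkeys(key)
    nonce = os.urandom(NONCE_LEN)
    ct = bytes(p ^ k for p, k in zip(plaintext, _keystream(enc_key, nonce, len(plaintext))))
    tag = hmac.new(mac_key, _canonical(context) + nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag

def aead_decrypt(key, blob, context):
    enc_key, mac_key = _subkeys(key)
    nonce, ct, tag = blob[:NONCE_LEN], blob[NONCE_LEN:-TAG_LEN], blob[-TAG_LEN:]
    expected = hmac.new(mac_key, _canonical(context) + nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):  # wrong key, tampering, or wrong context
        raise ValueError("decryption failed: ciphertext or encryption context mismatch")
    return bytes(c ^ k for c, k in zip(ct, _keystream(enc_key, nonce, len(ct))))

class FakeKms:
    """Minimal stand-in for the KMS calls envelope encryption uses. Real KMS keeps
    the CMK inside an HSM, and symmetric Decrypt finds the CMK from the ciphertext
    rather than taking a key id; the audit list mimics what CloudTrail records."""
    def __init__(self):
        self._cmks = {}
        self.audit = []  # (operation, key id, encryption context)

    def create_key(self):
        key_id = "cmk-" + os.urandom(4).hex()  # placeholder id format
        self._cmks[key_id] = os.urandom(32)
        return key_id

    def generate_data_key(self, key_id, context):
        self.audit.append(("GenerateDataKey", key_id, context))
        plain = os.urandom(32)
        return plain, aead_encrypt(self._cmks[key_id], plain, context)  # plain + wrapped

    def decrypt(self, key_id, wrapped, context):
        self.audit.append(("Decrypt", key_id, context))
        return aead_decrypt(self._cmks[key_id], wrapped, context)

def envelope_encrypt(kms, key_id, plaintext, context):
    """Wrap a fresh data key under the CMK, encrypt the payload locally with it,
    and keep the wrapped key next to the ciphertext (the data key never persists)."""
    data_key, wrapped = kms.generate_data_key(key_id, context)
    return {"wrapped_key": wrapped, "body": aead_encrypt(data_key, plaintext, context)}

def envelope_decrypt(kms, key_id, envelope, context):
    data_key = kms.decrypt(key_id, envelope["wrapped_key"], context)
    return aead_decrypt(data_key, envelope["body"], context)

def demo():
    """Round trip under an S3-style context like the one in the notes, then the
    failure when the same object is opened under a different context."""
    kms = FakeKms()
    key_id = kms.create_key()
    ctx = {"aws:s3:arn": "arn:aws:s3:::example-bucket/report.csv"}  # constructed value
    env = envelope_encrypt(kms, key_id, b"quarterly numbers", ctx)
    round_trip_ok = envelope_decrypt(kms, key_id, env, ctx) == b"quarterly numbers"
    try:
        envelope_decrypt(kms, key_id, env, {"aws:s3:arn": "arn:aws:s3:::other-bucket/report.csv"})
        mismatch_rejected = False
    except ValueError:
        mismatch_rejected = True
    return round_trip_ok, mismatch_rejected
```
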
* [Macie](https://aws.amazon.com/macie/faq/)
    + Classifies data in S3.
    + Personally Identifiable Information (PII), Personal Health Information (PHI), regulatory documents (legal, financial), API keys and secret key material
    + Watches policy and ACL changes
    + Watches access patterns via CloudTrail
    + Alerts on CloudWatch Events, Lambda, and the Macie dashboard
    + Primarily English

* [**Organizations**](https://aws.amazon.com/organizations/faqs/)
    + Organizational Units (OUs) divide up the 'administrative root'
    + Accounts can only be in one OU, and OUs can only be in one OU. But they can be nested up to 5 levels.
    * Service Control Policies (SCPs)
        + Which IAM policy Actions can be used in the account.
        + Applied to the root, to an OU, or to an account
        + Implicit and explicit Deny.
        + All statements: Version, Statement, Sid, Action, and Effect:Allow/Deny
        + Allow statements: no conditions, Resources must be '*'
        + Deny statements: support conditions and resources and NotAction
        + No principal - implicitly the accounts it's applied to
        + Is a whitelist, but you can simulate a blacklist with an Allow on Action:'*' plus a separate Deny statement
        + FullAWSAccess (allow *) is automatically attached to the root and new OUs. You can remove it.
        + Use the policy simulator in member accounts to test the effect
    * Trusted access
        + Service-linked roles get created in member accounts as needed. Authorized via the master account.
    + CloudTrail can create an [organizational trail](https://docs.aws.amazon.com/awscloudtrail/latest/userguide/creating-trail-organization.html), for all events in all member accounts. Member accounts can't modify it.
    + Landing Zone account structures, incl. logging & security accounts

* [Secrets Manager](https://aws.amazon.com/secrets-manager/faqs/)
    + Also see: Systems Manager Parameter Store - no rotation features, but free.
    + Automatic rotation for AWS RDS, DocumentDB, Redshift
    + Lambda functions to rotate other types
    + 4 KB limit on secrets (JSON docs)
    + Encryption at rest via KMS (for cross-account access to a secret, must use a custom CMK that the principal in the other account can use)
    * [Policies](https://docs.aws.amazon.com/secretsmanager/latest/userguide/auth-and-access.html)
        + Resource-based (action+principal) and identity-based (action+resource) policies.
        + `arn:aws:secretsmanager:::secret:optional-path/secret-name-6-random-characters`
        + Example statement:

          ```json
          {
              "Sid": "Get current TestEnv secrets",
              "Effect": "Allow",
              "Action": ["secretsmanager:GetSecretValue"],
              "Resource": "arn:aws:secretsmanager:::secret:TestEnv/*",
              "Condition": {
                  "ForAnyValue:StringLike": {
                      "secretsmanager:VersionStage": "AWSCURRENT"
                  }
              }
          }
          ```
        + Condition keys include `secretsmanager:ResourceTag/`, `secretsmanager:VersionStage`
    + Configuring rotation requires creating and assigning a role to a Lambda function, which needs e.g. IAMFullAccess

* [Security Hub](https://aws.amazon.com/security-hub/faqs/)
    + Regional - findings don't cross regions
    + Multi-account support
    + Findings from GuardDuty, Inspector, Macie, third parties, and self-generated against CIS standards
    + Insights: collections / filters of findings

* [Shield](https://aws.amazon.com/shield/faqs/)
    + Standard - integrated into existing services. Not a stand-alone service. NetFlow monitoring & TCP/UDP protection.
    * Advanced
        + Layer 7 protection, WAF rule creation
        + CloudFront integration - can protect non-AWS origins
        + CloudWatch metrics notifications of attacks
        + Global threat environment dashboard, see overall stats for the whole of AWS
        + AWS DDoS team support

* [SSO](https://aws.amazon.com/single-sign-on/faqs/)
    + Free
    + Primary use case: manage multi-account access with Organizations.
    + Additional use case: SSO to other applications via SAML 2 (custom or a bunch of built-in integrations)
    + IAM identity provider created in member accounts for SSO. Also service-linked roles created to allow SSO to manage Roles
    + Sign-ins logged to CloudTrail
    * Directories
        + Native directory - default. Create users & groups within SSO
        + AWS Directory Service - Managed AD & AD Connector (not Simple AD)
        + Only a single directory can be connected
    * Permissions sets
        + Collections of policies.
        + Implemented as Roles in member accounts.
        + Limit of 20 per account.
        + Reference up to 10 AWS managed policies, or use an inline policy
    + Control access by mapping users/groups (from the attached directory) to permissions sets & accounts. This data is held in SSO, not the directory.
    + No API!
    + For CLI access, the SSO user portal gives you temporary creds for the Roles you have access to

* [WAF](https://aws.amazon.com/waf/faqs/)
    * Conditions
        + Inspect: IP addresses (+ region mapping), HTTP headers, HTTP body, URI strings
        + Match against: SQL injection, cross-site scripting, regex, strings, IP ranges, regions, sizes.
    * Rules
        + Comprise a number of conditions ANDed together
        + Rate-based rule - 5 minute period for a given IP, e.g. to protect against DDoS or login brute forcing
        + Conditions are needed for normal rules, but are optional for rate-based rules (no condition = all requests count)
        + Managed rules from Marketplace sellers.
    * Web ACLs
        + Collection of rules, ORed together
        + Actions per rule: allow, block, or count (for testing)
        + Default action if no rule matches
        + Associate Web ACLs with CloudFront, ALB, and API Gateway instances, which will then proxy requests via WAF and act on the result
    + Also see Firewall Manager and Shield (Advanced)

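An offline model of the WAF rate-based rule described above (trailing 5-minute count per IP, optionally scoped by a condition), added as an example that is not AWS code; the log lines are constructed in a simplified format rather than the real ALB/CloudFront access log format, and the limit used is arbitrary.

```python
"""Offline model of a WAF rate-based rule (added example, not AWS code): count
each client IP's requests over a trailing 5-minute window and block the IP while
its count exceeds the limit. Log lines are a constructed 'timestamp ip method
path' form, not the real ALB or CloudFront access log format."""
from collections import defaultdict, deque
from datetime import datetime

WINDOW_SECONDS = 300  # the 5-minute period a rate-based rule counts over

def parse_line(line):
    ts, ip, method, path = line.split()
    return datetime.fromisoformat(ts.replace("Z", "+00:00")), ip, method, path

def rate_rule(lines, limit, path_prefix=None):
    """Return (decisions, offenders): an 'allow'/'block' verdict per line, in
    order, plus the IPs that exceeded `limit` requests within any 5-minute
    window. `path_prefix` scopes the count like a string-match condition would;
    None counts every request (a rate-based rule with no condition). Lines
    are assumed to be in time order."""
    recent = defaultdict(deque)  # ip -> request timestamps still inside the window
    decisions, offenders = [], set()
    for line in lines:
        ts, ip, _, path = parse_line(line)
        if path_prefix is not None and not path.startswith(path_prefix):
            decisions.append("allow")  # outside the rule's scope, so not counted
            continue
        window = recent[ip]
        window.append(ts)
        while (ts - window[0]).total_seconds() > WINDOW_SECONDS:
            window.popleft()  # drop requests older than 5 minutes
        if len(window) > limit:
            offenders.add(ip)
            decisions.append("block")
        else:
            decisions.append("allow")
    return decisions, offenders

# Constructed sample: one client hammers the login endpoint, another browses
# normally, then the first client returns after the window has drained.
SAMPLE_LOG = [f"2019-03-01T10:00:{i:02d}Z 198.51.100.7 POST /login" for i in range(12)] + [
    "2019-03-01T10:00:30Z 203.0.113.5 GET /index.html",
    "2019-03-01T10:01:00Z 203.0.113.5 GET /login",
    "2019-03-01T10:09:00Z 198.51.100.7 POST /login",
]
```
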
## Analytics
(mostly of interest for their application to logs)

* [Athena](https://aws.amazon.com/athena/faqs/)
    + SQL queries over data in S3 after you define a schema. Including (optionally compressed) JSON & CSV
    + Integrates with Glue's Data Catalog - a more featureful version of Athena's built-in Data Catalog which supports fine-grained permissions.
    + Charged per query (volume of data scanned)
    + Security model uses both `athena:*` permissions for queries and data models, and then the underlying S3 permissions
    + Can query encrypted data that uses S3 or KMS managed keys. Can encrypt results.
    + Athena is better than Redshift for querying smaller datasets without pre-processing.
    + CloudTrail can automatically create Athena tables for you, and AWS are keen to push Athena as an ideal CloudTrail analysis tool. Other good candidates: VPC flow logs (if sent to S3), CloudFront, ELB.

* [Elasticsearch Service](https://aws.amazon.com/elasticsearch-service/faqs/)
    + IAM auth for management, ES APIs, and resource-based policies down to index level
    + Resource based policies can allow specific IP addresses
    + Kibana auth via Cognito
    + Can configure public or VPC endpoints
    + Ingress via Kinesis Firehose, Logstash, or ES's index/bulk APIs
    + KMS integration for data at rest

* [Glue](https://aws.amazon.com/glue/faqs/)
    + "Select a data source and data target. AWS Glue will generate ETL code in Scala or Python to Extract data from the source, Transform the data to match the target schema, and Load it into the target."
    + Sources: S3, Redshift, and RDS and other databases
    + Loading into other services for querying (e.g. Athena, Redshift)

* [Kinesis](https://aws.amazon.com/kinesis/)
    + Ingest and analyse various data sources, notably logs
    * [Data Firehose](https://aws.amazon.com/kinesis/data-firehose/faqs/)
        + "capture, transform, and load streaming data into Amazon S3, Amazon Redshift, Amazon Elasticsearch Service, and Splunk"
        + Create a delivery stream, with an optional Lambda function to transform the data
        + Configure producers to send data to Kinesis with the Kinesis Agent (which monitors log files) or the Firehose API
        + Source integrations: CloudWatch Logs subscription filter; CloudWatch Events rule with Firehose target; Kinesis Data Streams.
        + Configure an IAM role that it assumes to access e.g. S3 or Elasticsearch
        + Manage delivery frequency with buffer size or interval

* Redshift (see Database section)

## Application Integration

* [SNS](https://aws.amazon.com/sns/)
    + Pub/sub.
    + Sources include: SNS API, Lambda, ELB, S3, databases, Code*, CloudWatch, Inspector, and others
    + Destinations: Lambda, SQS, webhooks, SMS, email
    + Subscribers have to validate - a challenge message is sent first

* [SQS](https://aws.amazon.com/sqs/)
    + Polling, vs SNS's push mechanism
    + Standard queues might reorder messages or deliver them multiple times
    + Has its own resource-based security policy, that predates IAM? Looks similar to IAM policies. Only resource is a queue.
    + Can subscribe to SNS topics
    + Can trigger Lambda functions on message receipt
    + Uses KMS for optional encryption

395 | ## Compute
396 |
397 | * [**EC2**](https://aws.amazon.com/ec2/)
398 | * AMIs
399 | + LaunchPermission attribute - which _accounts_ can use the AMI.
400 | * [Keypairs](https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/ec2-key-pairs.html)
401 | + Create or import - 2k RSA.
402 | + Independent of instances, but each instance is associated with 1+ keys
403 | + Linux: it's just an SSH key
404 | + Windows: upload the private key to the ec2 console to decrypt the default admin password so you can RDP in...
405 | + Subsequent management: tinker with the `authorized_keys` file
406 | + [Resources and condition keys](https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/iam-policy-structure.html)
407 | + Instance store - hard disk attached to the instance; reset when the instance is stopped. Not encrypted - could use host software disk encryption for a temporary data partition.
408 | + Instance profile - credentials for a role available to the instance (see IAM section)
409 |
410 | * [Elastic Container Registry (ECR)](https://aws.amazon.com/ecr/)
411 | + IAM access control for pulling & pushing images - identity & resource based
412 | + Repository policies - e.g. to allow other accounts to pull
413 | + Images encrypted at rest by default with S3 SSE; HTTPS access
414 |
415 | * [Elastic Container Service (ECS)](https://aws.amazon.com/ecs/)
416 | + Tasks: set of containers that are placed together.
417 | + Containers run on customer-controlled EC2 instances in a VPC, or are Fargate managed.
418 | + Networking options:
419 | + none
420 | + bridge - docker's virtual network
421 | + host - tasks get the host's network interface
422 | + awsvpc: Task network interfaces are normal ENIs so all the VPC properties apply: exist in a subnet, have security groups, have flow logs. Also means each container can have its own security group & IP, vs host networking where all the containers on one host share interfaces.
423 | + Tasks are configured with an execution role they use to access services
424 | + Can send logs to CloudWatch
425 | * [Fargate](https://aws.amazon.com/fargate/) launch type
426 | + Must use awsvpc network mode, CloudWatch logs
427 | + Uses [Firecracker](https://firecracker-microvm.github.io/) under the hood (definitely not in scope of the exam, but an interesting topic!)
428 |
429 | * [Lightsail](https://aws.amazon.com/lightsail/)
430 | + Like an entirely separate cloud offering within AWS, with extremely limited features. DigitalOcean competitor.
431 | + No VPC - separate management of exposed ports
432 | + Hopefully not in the exam :)
433 |
434 | * [Elastic Beanstalk](https://aws.amazon.com/elasticbeanstalk/)
435 | + Management wrapper around EC2, S3, EBS, RDS
436 | + Publicly available by default - configure to use a VPC to limit access
437 | + Beanstalk service role to manage other services. Instance profile - role used by instances to get the app, write logs, etc
438 | + Logs stored locally, can be configured to use CloudWatch Logs
439 |
440 | * Fargate - see ECS
441 |
442 | * [**Lambda**](https://aws.amazon.com/lambda/)
443 | + Logs to CloudWatch
444 | + Execution role
445 | + assumed to run
446 | + at minimum CloudWatch logs creategroup/createstream/putevents
447 | + Potentially also XRay write, SQS/Kinesis/dynamodb read to get the event data
448 | + Resource policies
449 | + Resources: functions, their versions and aliases, and layer versions
450 | + `arn:aws:lambda:region:123456789012:function:my-function`
451 | + `arn:aws:lambda:region:123456789012:function:my-function:1` - version
452 | + `arn:aws:lambda:region:123456789012:function:my-function:TEST` - alias
453 | + Use to give other services (principal: service: sns.ama...) and other accounts (principal: aws: account-arn) permission to use them
454 | + The console updates function policies automatically when you add a trigger to give the triggering service access
455 | * Identity policies
456 | + nice examples: ARN pattern so users have to include their username in function names; have to include a logging layer
457 | + To give users the ability to create functions with limited permissions, constrain what roles they can iam:PassRole on.
458 | + To give users the ability to add resource permissions to functions so they can be invoked, but only from specific sources, check lambda:Principal in a condition
459 | * VPC access
460 | + Can access resources in a VPC if subnet + security group is specified.
461 | + No internet access unless there is a NAT in the VPC.
462 | + No AWS service access unless there is internet access or VPC gateways
463 | + Role needs ability to create network interfaces in each subnet (and VPC must have ENI capacity & subnets must have spare IPs)
464 |
465 | * [Elastic Load Balancing (ELB)](https://aws.amazon.com/elasticloadbalancing/)
466 | + Integrated with Certificate Manager to terminate TLS. Can also upload certs to IAM and configure ELB to use them from there.
467 | + Can specify which of several predefined cipher-suites - 'security policies' - to support
468 | * Application Load Balancer (ALB) - HTTP/HTTPS
469 | + In a security group
470 | + Integrated with WAF
471 | + Authentication: integrates with Cognito and supports OpenID Connect. Redirects users to the IdP authorization endpoint, then adds headers with a signed JWT containing user info.
472 | + Can have a Lambda function as a target. Transforms JSON response to HTTP. Function policy needs to allow `elasticloadbalancing.amazonaws.com` to InvokeFunction
473 | + Can enable access logging to an S3 bucket
474 | * Network Load Balancer - TCP/TLS
475 | + Doesn't support Server Name Indication (SNI)
476 | + 2k RSA certs only (ALB is more flexible)
477 | + Creates a (read only) network interface in a subnet in each AZ you choose. Not in a security group - instance security groups must allow traffic from its IP address and from client IP addresses
478 | * (Classic)
479 | + Logs to S3
480 |
481 | ## Customer Engagement
482 |
483 | * [Simple Email Service (SES)](https://aws.amazon.com/ses/)
484 | + potentially incident notification, but SNS probably more appropriate
485 | + Can receive mail, which can be encrypted using a KMS protected key. SDK available to support decryption.
486 | + TLS API or TLS SMTP connection (port 587), also supports STARTTLS and DKIM, and can work with SPF and DMARC
487 |
488 | ## Database
489 |
490 | A comparison and summary of some of the security aspects of the various database offerings:
491 |
492 | | **Database** | **Transport encryption** | **Encryption at rest** | **Audit** | **DB Authentication** | **DB Authorization** |
493 | |--------------|--------------------------|------------------------|-----------|-----------------------|----------------------|
494 | | RDS | Rooted at global RDS certs, configuration is per-engine ([docs][rds-tls]) | KMS; TDE w/ SQL Server and Oracle - RDS managed key (used to be CloudHSM Classic) | per-engine log files | per engine user accounts - SQL | per engine - SQL |
495 | | DynamoDB | Standard AWS HTTPS endpoint | KMS | CloudTrail, excl. Get/Put ([docs][dynamodb-audit]) | IAM only. Cognito possible. ([docs][dynamodb-cognito]) | IAM identity policies - resources & condition keys ([docs][dynamodb-auth]) |
496 | | Redshift | ACM managed certificate, Redshift specific root ([docs][redshift-tls]) | KMS; CloudHSM Classic | S3 ([docs][redshift-audit]) | DB user accounts - SQL; IAM with custom drivers ([docs][redshift-auth]) | SQL |
497 | | Neptune | Publicly trusted Amazon root; mandated for some regions ([docs][neptune-tls]) | KMS | Console ([docs][neptune-audit]) | User accounts; or a limited IAM identity policy mechanism + request signing ([docs][neptune-auth]) | Engine-specific; or broad access if using IAM |
498 | | Aurora | Rooted at global RDS certs, configuration as per MySQL/PostgreSQL ([docs][aurora-tls]) | KMS | MySQL -> CloudWatch Logs ([docs][aurora-audit]) | User accounts; or an IAM authenticated API to obtain short lived passwords to connect ([docs][aurora-auth]) | MySQL/PostgreSQL - SQL |
499 | | DocumentDB | Rooted at global RDS certs, configuration as per MongoDB ([docs][documentdb-tls]) | KMS | CloudWatch Logs ([docs][documentdb-audit]) | MongoDB user accounts | MongoDB standard |
500 |
501 | [rds-tls]: https://docs.aws.amazon.com/AmazonRDS/latest/UserGuide/UsingWithRDS.SSL.html
502 | [dynamodb-audit]: https://docs.aws.amazon.com/amazondynamodb/latest/developerguide/logging-using-cloudtrail.html
503 | [dynamodb-auth]: https://docs.aws.amazon.com/amazondynamodb/latest/developerguide/using-identity-based-policies.html
504 | [dynamodb-cognito]: https://docs.aws.amazon.com/amazondynamodb/latest/developerguide/WIF.html
505 | [redshift-tls]: https://docs.aws.amazon.com/redshift/latest/mgmt/connecting-ssl-support.html
506 | [redshift-audit]: https://docs.aws.amazon.com/redshift/latest/mgmt/db-auditing.html
507 | [redshift-auth]: https://docs.aws.amazon.com/redshift/latest/mgmt/generating-user-credentials.html
508 | [neptune-tls]: https://docs.aws.amazon.com/neptune/latest/userguide/security-ssl.html
509 | [neptune-audit]: https://docs.aws.amazon.com/neptune/latest/userguide/auditing.html
510 | [neptune-auth]: https://docs.aws.amazon.com/neptune/latest/userguide/iam-auth.html
511 | [aurora-tls]: https://docs.aws.amazon.com/AmazonRDS/latest/AuroraUserGuide/UsingWithRDS.SSL.html
512 | [aurora-audit]: https://docs.aws.amazon.com/AmazonRDS/latest/AuroraUserGuide/AuroraMySQL.Integrating.CloudWatch.html
513 | [aurora-auth]: https://docs.aws.amazon.com/AmazonRDS/latest/AuroraUserGuide/UsingWithRDS.IAMDBAuth.html
514 | [documentdb-tls]: https://docs.aws.amazon.com/documentdb/latest/developerguide/security.encryption.ssl.html
515 | [documentdb-audit]: https://docs.aws.amazon.com/documentdb/latest/developerguide/event-auditing.html
516 |
517 |
518 | * [DynamoDB](https://aws.amazon.com/dynamodb/)
519 | + Optional encryption at rest integrated with KMS
520 | + Main resource is a table. No resource based policies. Full access to a table requires access to not just the `table/` resource, but also `table//*`
521 | + Some predefined policies: `AmazonDynamoDBReadOnlyAccess`, `AmazonDynamoDBFullAccess` - custom policies with resource constraints are better
522 | + Several condition keys for fine-grained access including: `dynamodb:LeadingKeys`, `dynamodb:Select`, `dynamodb:Attributes`
523 | + Example fine-grained permission: you can only access items where the partition key matches your own (web identity) user ID, by using LeadingKeys and a substitution variable.
524 | + Get and Put API calls are not logged to CloudTrail - management things are like describe, list, update, create
525 | + Has a VPC endpoint you can use
526 | + Integration with Cognito: identity pool with roles configured; roles have appropriate policy to (a) allow cognito to assume them and (b) perform desired DynamoDB actions.
527 |
528 | * [RDS](https://aws.amazon.com/rds/)
529 | + IAM controls database instances. Each database engine has its own permission model for managing the database - a master user is created with the instance.
530 | + Lots of different resources. The main one is an instance - `db` in the arn. No resource based policies.
531 | + 'RDS Encryption' - encryption at rest, set during creation, uses KMS. Covers database, backups, replicas, snapshots.
532 | + Transparent data encryption for SQL Server and Oracle with CloudHSM
533 | + There's a single root for all RDS database TLS certs; each engine uses its own method for connecting over TLS
534 | + Manifests as network interfaces in subnets with security groups attached to the interfaces. You specify a "DB subnet group" - a collection of subnets which it can use to put interfaces in.
535 | + "Publicly accessible" option controls whether there is a publicly resolvable DNS name for the instance. Still needs appropriate security group rules.
536 |
537 | * [Redshift](https://aws.amazon.com/redshift/)
538 | + Cluster management with IAM.
539 | + Database user accounts for DB permissions (SQL).
540 | + With custom Amazon Redshift JDBC or ODBC drivers, you can authenticate via IAM and get temporary DB user creds. Gives access to existing users or creates new users (groups specified via claims).
541 | + Lots of resources, main one is a cluster. No resource based policies. Managed policies to give access to all resources - `AmazonRedshiftFullAccess` and `AmazonRedshiftReadOnlyAccess`
542 | + Clusters are associated with 1+ security groups. Doesn't appear as an interface in a subnet. Contrast with RDS and DynamoDB - all different combos of network access control.
543 | + Audit logs, disabled by default, -> S3 (as well as the standard CloudTrail logs). Bucket policy has to allow `s3:PutObject` and `s3:GetBucketAcl` to a specific user from a Redshift AWS account that varies by region: `arn:aws:iam:::user/logs`. If creating the bucket via the console, it does that for you.
544 | + Optional encryption at rest. With KMS or CloudHSM Classic (only). Big symmetric encryption key hierarchy.
545 |
546 | * [Neptune](https://aws.amazon.com/neptune)
547 | + HTTPS access
548 | + Encryption at rest with KMS
549 | + Interface appears in at least two subnets spanning two AZs in a VPC, interfaces have security groups.
550 | + CloudTrail events appear as though they are from the RDS service not Neptune - it shares some underlying management infrastructure.
551 | + Optional audit logs, view or download from the console (no other service integrations, strangely)
552 | + IAM for management. Permissions are a subset of the RDS permissions; all the actions are `rds` actions. Can constrain to just Neptune with a condition of `rds:DatabaseEngine = graphdb`
553 | + Has an unusual hybrid model where you can authenticate with IAM and define identity policies that allow access. Limited - no condition keys, no fine-grained access (only a single `neptune-db:*` action). Pretty confusing when compared to the previous point. HTTP requests then need to be signed with standard AWS SigV4 signatures that you construct yourself.
554 |
555 | * [Aurora](https://aws.amazon.com/rds/aurora/)
556 | + The same as the other RDS engines, except:
557 | + Supports IAM database authentication, similar to Neptune. Attach an identity policy to IAM principals that allows `rds-db:connect` for a resource that is a particular database user you create in a particular way in the DB. You manage user permissions within the DB as per normal - IAM is just for authentication. You get a 'token' from the RDS API by specifying the DB and user, then use the token in place of the user's password when connecting normally.
558 | + Uses normal VPC security groups to control access within a VPC. Has its own 'DB security group' to control access from outside the VPC - either security groups in other VPCs/accounts or the internet? The other RDS engines only use DB security groups in EC2 classic when a VPC isn't available.
559 |
560 | * [DocumentDB](https://aws.amazon.com/documentdb/)
561 | + Similar to RDS: TLS from the RDS root; KMS encryption at rest; master user + mongodb user mgmt; IAM identity policies for management; VPC security groups; endpoints on multiple subnets/AZs; cloudtrail
562 | + arns follow the RDS format
563 | + Auditing can be enabled to send events to CloudWatch Logs. Categories: connection, data definition language (DDL), user management, and authorization
564 |
565 | ## Developer tools
566 |
567 | * [Code Pipeline](https://aws.amazon.com/codepipeline/)
568 | + Resource-level permissions for pipelines, and their stages and actions.
569 | + Can integrate with GitHub via OAuth
570 | + CloudWatch Events for pipeline state changes - started, failed, etc.
571 | + Supports interface VPC endpoint
572 | + Trigger from, e.g.: CloudWatch Events (many options, e.g. S3 bucket upload, schedule), webhooks (e.g. github), manual
573 | + Deploy to, e.g.: CloudFormation, S3, ECS, Service Catalog
574 |
575 | ## End User Computing
576 |
577 | * [WorkSpaces](https://aws.amazon.com/workspaces/)
578 | + Supports EBS volume encryption for both root and user volumes
579 | + CloudWatch Event on user login
580 | + Uses AWS Directory Service for user authentication, works with any of Managed AD, AD Connector, and Simple AD
581 | + Can require Mac and Windows clients to use a certificate to authenticate a device to connect
582 | + WorkSpace network interfaces are associated with a standard VPC security group
583 | + Has some form of MFA support
584 |
585 | ## Internet of Things
586 | These sound like they should be in scope, but I suspect they're not as they're very niche.
587 |
588 | * IoT Device Defender
589 | * IoT Device Management
590 |
591 | ## Management and Governance
592 |
593 | * [CloudFormation](https://aws.amazon.com/cloudformation/)
594 | * Stacks
595 | + You can assign a service role, if you can iam:PassRole it. Anyone who can operate on that stack can leverage that role's permissions (even if they can't run it - they could modify it then someone else runs it!).
596 | + Otherwise the user/role that is using the stack needs to have permission to perform all the operations
597 | * StackSets
598 | + Custom administration role, with identity policies that constrain iam:PassRole for that role to control who can use it
599 | + Custom execution role, with limits on what resources it can act on, and a trust policy for specific administration role(s) in the admin account
600 | + Some interesting condition keys:
601 | + `cloudformation:ChangeSetName` e.g. enforce prefixes
602 | + `cloudformation:ResourceTypes` to control which resources can be involved in a stack
603 | + `cloudformation:TemplateUrl` e.g. can only create stacks from this URL (as opposed to operating on an existing stack resource)
604 |
605 | * CloudWatch
606 | * [**Logs**](https://docs.aws.amazon.com/AmazonCloudWatch/latest/logs/WhatIsCloudWatchLogs.html)
607 | + CloudWatch Agent can be installed on a host (e.g. via SSM) to push logs to CloudWatch Logs. [Troubleshooting info](https://docs.aws.amazon.com/AmazonCloudWatch/latest/monitoring/troubleshooting-CloudWatch-Agent.html).
608 | + Log group: a collection of log streams that share the same retention, monitoring, and access control settings
609 | + Log stream: a sequence of log events that share the same source
610 | + Logs last forever unless you set a retention period on a group
611 | + Subscription filters: define a filter pattern that matches events in a particular log group, send them to Kinesis Data Firehose stream, Kinesis stream, or a Lambda function.
612 | + Can export log groups (in a particular time range) to S3. Not real time.
613 | + Can receive events from other accounts by creating a 'destination' in CloudWatch Logs, which references a receiving Kinesis stream? The destination has a resource-based policy that controls which accounts can write to it. CloudWatch Logs on the sender side can then stream to the other account.
614 | * [Logs Insights](https://docs.aws.amazon.com/AmazonCloudWatch/latest/logs/AnalyzingLogData.html?shortFooter=true)
615 | + Limited query language for analysis and visualization of data in CloudWatch Logs
616 | + Much more powerful than the native CloudWatch Logs interface
617 | * [Events](https://docs.aws.amazon.com/AmazonCloudWatch/latest/events/WhatIsCloudWatchEvents.html)
618 | + Rules that trigger from either event patterns or a schedule
619 | + Rules send JSON to one or more targets
620 | + Has other capabilities (metrics, alarms, scaling)
621 |
622 | * [**CloudTrail**](https://aws.amazon.com/cloudtrail/)
623 | + Also logs Cognito events, step function logs, and CodeDeploy
624 | + Logs to S3 and/or CloudWatch Logs
625 | + Without creating a trail, the event history shows 90 days but excludes various events including all read events
626 | + A [small number](https://docs.aws.amazon.com/awscloudtrail/latest/userguide/cloudtrail-unsupported-aws-services.html) of services don't log to CloudTrail, notably SimpleDB
627 | + Trails by default don't include data events (incl S3 object activity and Lambda execution). Can specify those resources you want to record.
628 | + Trails are regional, but you can create a global trail which creates identical trails in all regions. Limit of 5 trails per region.
629 | + eventSource: what service produced the event.
630 | + Can enable SNS notifications for when a new log _file_ is produced
631 | + Can set up CloudWatch metric filters for certain events to trigger a CloudWatch Alarm
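The metric-filter idea in the last two bullets, as an added example (not from the original notes): a few high-value CloudTrail checks applied directly to event JSON, with the CloudWatch Logs filter pattern that expresses the same check (the patterns commonly used in CIS-benchmark style alarms) kept beside each one. All events are constructed, with only the fields the checks read.

```python
"""Flagging high-value CloudTrail events, as an added example (not from the notes).

CloudTrail can deliver to CloudWatch Logs, where metric filters turn matching
events into alarms. This applies four such checks to CloudTrail event JSON and
keeps the equivalent CloudWatch Logs filter pattern beside each one.
"""
import json


def _get(event: dict, path: str, default=None):
    """Dotted-path lookup, e.g. _get(e, 'userIdentity.type')."""
    cur = event
    for key in path.split("."):
        if not isinstance(cur, dict) or key not in cur:
            return default
        cur = cur[key]
    return cur


SG_CHANGE_EVENTS = {"AuthorizeSecurityGroupIngress", "AuthorizeSecurityGroupEgress",
                    "RevokeSecurityGroupIngress", "RevokeSecurityGroupEgress"}
TRAIL_CHANGE_EVENTS = {"StopLogging", "DeleteTrail", "UpdateTrail"}

# check name -> (predicate over a parsed event, equivalent metric filter pattern)
CHECKS = {
    "root_account_usage": (
        lambda e: _get(e, "userIdentity.type") == "Root"
        and _get(e, "userIdentity.invokedBy") is None
        and _get(e, "eventType") != "AwsServiceEvent",
        '{ $.userIdentity.type = "Root" && $.userIdentity.invokedBy NOT EXISTS '
        '&& $.eventType != "AwsServiceEvent" }'),
    "console_login_without_mfa": (
        lambda e: _get(e, "eventName") == "ConsoleLogin"
        and _get(e, "additionalEventData.MFAUsed") != "Yes",
        '{ ($.eventName = "ConsoleLogin") && ($.additionalEventData.MFAUsed != "Yes") }'),
    "cloudtrail_configuration_change": (
        lambda e: _get(e, "eventSource") == "cloudtrail.amazonaws.com"
        and _get(e, "eventName") in TRAIL_CHANGE_EVENTS,
        '{ ($.eventName = StopLogging) || ($.eventName = DeleteTrail) || ($.eventName = UpdateTrail) }'),
    "security_group_change": (
        lambda e: _get(e, "eventSource") == "ec2.amazonaws.com"
        and _get(e, "eventName") in SG_CHANGE_EVENTS,
        '{ ($.eventName = AuthorizeSecurityGroupIngress) || ($.eventName = AuthorizeSecurityGroupEgress) '
        '|| ($.eventName = RevokeSecurityGroupIngress) || ($.eventName = RevokeSecurityGroupEgress) }'),
}


def classify_events(raw_events) -> dict:
    """Map each check name to the eventIDs that matched it.

    Accepts CloudTrail events as dicts or as JSON strings (one event each)."""
    hits = {name: [] for name in CHECKS}
    for raw in raw_events:
        event = json.loads(raw) if isinstance(raw, str) else raw
        for name, (predicate, _pattern) in CHECKS.items():
            if predicate(event):
                hits[name].append(event.get("eventID"))
    return hits


# Constructed sample events carrying only the fields the checks need.
SAMPLE_EVENTS = [
    {"eventID": "ev-1", "eventSource": "signin.amazonaws.com", "eventName": "ConsoleLogin",
     "eventType": "AwsConsoleSignIn", "userIdentity": {"type": "Root"},
     "additionalEventData": {"MFAUsed": "Yes"}},
    {"eventID": "ev-2", "eventSource": "signin.amazonaws.com", "eventName": "ConsoleLogin",
     "eventType": "AwsConsoleSignIn", "userIdentity": {"type": "IAMUser", "userName": "alice"},
     "additionalEventData": {"MFAUsed": "No"}},
    {"eventID": "ev-3", "eventSource": "cloudtrail.amazonaws.com", "eventName": "StopLogging",
     "eventType": "AwsApiCall", "userIdentity": {"type": "IAMUser", "userName": "bob"}},
    {"eventID": "ev-4", "eventSource": "ec2.amazonaws.com", "eventName": "AuthorizeSecurityGroupIngress",
     "eventType": "AwsApiCall", "userIdentity": {"type": "AssumedRole"}},
    {"eventID": "ev-5", "eventSource": "ec2.amazonaws.com", "eventName": "DescribeInstances",
     "eventType": "AwsApiCall", "userIdentity": {"type": "IAMUser", "userName": "alice"}},
]

if __name__ == "__main__":
    for check, ids in classify_events(SAMPLE_EVENTS).items():
        print(f"{check:32s} {ids or '-'}")
```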
632 |
633 | * [**Config**](https://aws.amazon.com/config/)
634 | + Resource inventory, configuration history, and configuration change notifications
635 | + Configuration changes or deviations -> SNS, CloudWatch Events, console dashboard, S3
636 | + Regional, but can aggregate data across (a limited set of supported) regions and accounts. Can't centrally manage rules.
637 | + Inspects software running on SSM managed EC2 instances, incl OS version, installed apps, network config.
638 | + Configuration changes sent to 'delivery channel' - S3 bucket & SNS topic
639 | + Console provides a timeline view of configuration changes
640 | + AWSConfigRole is the managed audit role; also needs permissions for the SNS topic & S3 bucket.
641 | * Rules
642 | + Continuously evaluate configs against rules
643 | + Retrospective and non-enforcing
644 | + Custom rules in Lambda
645 | + Soft limit of 50 active rules
646 | + Periodic (hourly to daily) or change-triggered. Change-triggered must be constrained by tag/resource type/resource id
647 |
648 |
649 | * [Control Tower](https://aws.amazon.com/controltower/)
650 | + In preview at the time of writing - likely to become an important security service as it enables easier robust multi-account setups.
651 |
652 | * Management Console
653 | + The web console!
654 |
655 | * [Service Catalog](https://aws.amazon.com/servicecatalog/)
656 | + Portfolio: collection of catalogs. Catalogs: collection of products. Product: CloudFormation template (with the usual optional CloudFormation parameters).
657 | + Portfolios can be shared across accounts.
658 | + Admin access control is via IAM. User access control is initially via IAM - You need ServiceCatalogEndUserAccess to use Service Catalog. It doesn't support resource-level permissions nor resource-based policies, which is weird. Portfolio access is instead managed within Service Catalog by associating IAM users/groups/roles with a Portfolio.
659 | + Launch role: a role that is used to run the templates, instead of the user having the necessary permissions. Don't think the user needs iam:PassRole to use it - so a way of constraining a user's use of the permissions in the role.
660 |
661 | * [**Systems Manager (SSM)**](https://aws.amazon.com/systems-manager/)
662 | + Group resources of different types together based on a query, e.g. an application.
663 | + Many features require the Agent installed - many AWS AMIs include it by default. EC2 instances need an instance profile for a role that has the necessary permissions to allow the agent to interact with SSM.
664 | * Insights dashboard - per resource group
665 | + Shows CloudTrail, Config, software inventory, and patch compliance
666 | + Can integrate CloudWatch dashboards, Trusted Advisor notifications, Personal Health Dashboard
667 | + Potentially useful for understanding baseline usage patterns to contrast with during an incident
668 | + Inventory - applications, files, network configurations, Windows services, registries, more
669 | * Automation
670 | + documents of tasks to run; scheduled, triggered, or manually launched
671 | + Approval feature - configure approvals required (via the console) before it continues
672 | + Documents can have roles, and users can have permission to run documents - nice restriction of privileges to particular tasks
673 | * Run command
674 | + Sometimes called EC2 run command
675 | + Logs via CloudTrail
676 | + Can be triggered by CloudWatch Events
677 | * Session Manager - browser based shell w/ IAM & CloudTrail
678 | + Can log session data to S3 and/or CloudWatch Logs
679 | * Patch Manager
680 | * State Manager - specify OS configuration, rollout schedule, compliance reporting
681 | * Parameter store
682 | + Can be tagged + organized in a hierarchy.
683 | + KMS for encryption - users need KMS permissions to use the corresponding CMK (can restrict using a condition on kms:EncryptionContext to just particular parameters)
684 | + IAM resource per-parameter
685 | + 10k params per account
686 | + Patch Manager and State Manager can operate on on-prem instances too
687 | + Lots of resources, no resource-based policies
688 | + The CloudWatch Agent can send SSM actions on the host to CloudWatch Logs
689 |
690 | * [**Trusted Advisor**](https://aws.amazon.com/premiumsupport/technology/trusted-advisor/faqs/)
691 | + 7 free checks, all checks with appropriate support plan.
692 | + API; Console; Weekly notification email with summary of findings
693 | + Can exclude resources from all checks. Can't suppress individual checks.
694 | + Cost optimization, security, service limits, fault tolerance, performance
695 | + Security checks:
696 | + Security group open access to specific high-risk ports
697 | + Security group unrestricted access
698 | + Open write and List access to S3 buckets
699 | + MFA on root account
700 | + Overly permissive RDS security group
701 | + Use of CloudTrail
702 | + Route 53 MX records have SPF records
703 | + ELB with poor or missing HTTPS config
704 | + ELB security groups missing or overly permissive
705 | + CloudFront cert checks - expired, weak, misconfigured
706 | + IAM access keys not rotated in last 90 days
707 | + Exposed access keys on GitHub etc
708 | + Public EBS or RDS snapshots
709 | + Missing or weak IAM password policy
710 |
711 | * Snow Family (see storage)
712 |
713 | ## Mobile
714 |
715 | * API Gateway (see network & content delivery)
716 |
717 | ## Networking & Content Delivery
718 |
719 | * [API Gateway](https://aws.amazon.com/api-gateway/)
720 | + Logs to CloudWatch
721 | + sigV4 signed requests with IAM; or Cognito User Pool token verification; or Lambda authorizers for other token verification
722 | + Can configure with a 'client-side' certificate that API gateway uses for authenticating its requests to backend servers
723 | + Resource based policies attached to API, the only action is `execute-api:Invoke`. Can use to allow cross-account access, or in combo with conditions to constrain access to specific VPCs / VPC endpoints / IP ranges etc. Rather complex [logic](https://docs.aws.amazon.com/apigateway/latest/developerguide/apigateway-authorization-flow.html) for evaluating them in combo with identity policies.
724 | + Supports rate limiting requests from an IP
725 | + Private APIs - only accessible through VPC endpoints.
726 | + Private integrations - connect to non-public VPC resources behind the API. Create an ELB network load balancer in the VPC, API Gateway associates it with a 'vpclink' VPC endpoint
727 | + CORS - necessary to allow cross-origin requests; will need to be configured if using the default API gateway URLs rather than proxying via CloudFront, otherwise browsers won't honor requests to the API.
728 | + Integrates with WAF
729 |
730 | * [CloudFront](https://aws.amazon.com/cloudfront/)
731 | + Optional access logs to S3 - bucket ACL configured to give the awslogsdelivery account full control. Metrics via CloudWatch.
732 | + Field level encryption - CloudFront can encrypt specific POST fields with a public key you've configured. Reduces exposure of sensitive data as it passes through the backend.
733 | + HTTPS: can configure HTTP, redirect to HTTPS, or HTTPS only for client side. For origin side can do HTTP, match viewer, or HTTPS.
734 | + To serve content from S3 _only_ via CloudFront, create an 'origin access identity' for the distribution, then create a bucket policy that blocks public access and allows the special `"Principal":{"CanonicalUser":""}`
735 | + Can restrict access to specific geographic regions, based on the client IP
736 | + Can require signed URLs or signed Cookies - CloudFront creates keypairs for each "trusted signer" AWS account, and the account generates time-limited signed URLs or Cookies for clients to use.
737 |
738 | * [Route 53](https://aws.amazon.com/route53/)
739 | + Private DNS - create a hosted zone associated with at least one VPC.
740 |
741 | * VPC PrivateLink - see VPC Interface Endpoints
742 |
743 | * App Mesh
744 | + Envoy for ECS/EKS. Security is important if your app uses this, but unlikely to be in scope of the cert.
745 |
746 | * [Direct Connect](https://aws.amazon.com/directconnect/)
747 | + Dedicated WAN link to AWS
748 | + Alternative backend to Virtual Private Gateway instead of "vanilla internet"
749 | + Doesn't use encryption?
750 | + Virtual interfaces are either private - access to a VPC, or public - access to AWS public endpoints. Can have multiple interfaces per connection if it's fast enough.
751 |
752 | * [Transit Gateway](https://aws.amazon.com/transit-gateway/)
753 | + "A hub that controls how traffic is routed among all the connected networks which act like spokes"
754 | + Instead of lots of (1:1) VPC peering relationships and lots of (1:1) VPN connections, connect each VPC to the single transit gateway and manage centrally
755 |
756 | * [**VPC**](https://aws.amazon.com/vpc/)
757 | + Spans all AZs in a single region
758 | + Soft limit of 5 VPCs per region
759 | + Has a CIDR, can have 4 additional CIDRs
760 | + See [example scenarios](https://docs.aws.amazon.com/vpc/latest/userguide/VPC_Scenarios.html)
761 | + [Policy resources and condition keys](https://docs.aws.amazon.com/AWSEC2/latest/APIReference/ec2-api-permissions.html)
762 | + Most resources support the `ec2:Vpc` and `ec2:Region` condition keys. Other notable ones listed below.
763 | + `arn:aws:ec2:::internet-gateway/igw-id`
764 | + `arn:aws:ec2:::network-acl/nacl-id`
765 | + `arn:aws:ec2:::network-interface/eni-id` and `ec2:{Subnet,AvailabilityZone}`
766 | + `arn:aws:ec2:::route-table/route-table-id`
767 | + `arn:aws:ec2:::security-group/security-group-id`
768 | + `arn:aws:ec2:::vpc/vpc-id` and `ec2:Tenancy`
769 | * Network interfaces
770 | + Has one or more IP addresses, a MAC address, and one or more security groups
771 | + Can be moved between EC2 instances
772 | + Can't move the primary interface of an instance
773 | * Egress options:
774 | * Internet Gateway
775 | + Attached to VPC
776 | + Interface must have a public address, but the gateway does NAT so incoming traffic is addressed to the interface's private address
777 | * Virtual Private Gateway
778 | + IPSec VPN attached to a VPC
779 | + Need a corresponding customer gateway in the other network(s)
780 | + Route table(s) need updating to point at customer gateway. Route propagation can do this automatically.
781 | + Security groups need rules to allow access from remote network
782 | * VPC Peering Connection
783 | + VPC peering can cross both accounts and regions, but is not transitive between VPCs
784 | * VPC Endpoints
785 | + To keep service traffic within AWS. No public IP needed.
786 | + Endpoint policies - resource policies that constrain what service actions are possible via that endpoint.
787 | + S3 bucket policies can limit access to a specific endpoint or VPC using aws:sourceVpce and aws:sourceVpc, e.g.:
788 | ```json
789 | { "Sid": "specific-vpc-endpoint",
790 | "Condition": {
791 | "StringNotEquals": {
792 | "aws:sourceVpce": "vpce-1a2b3c4d"
793 | }
794 | },
795 | ```
796 | + Similarly can use `aws:sourceVpce` in an identity policy for DynamoDB
797 | * Gateway Endpoint
798 | + Gateway in the VPC that you route to with a special-case entry in route tables
799 | + S3 and DynamoDB only - they don't have interface endpoints
800 | * Interface Endpoint (PrivateLink)
801 | + Elastic network interface with a private IP address
802 | + In a subnet and security group(s) - security group needs to allow outbound access to the service
803 | + Several services including EC2, ELB, SNS, CloudWatch, Systems Manager, and various Marketplace products.
804 | + Has an endpoint specific DNS hostname.
805 | + Private DNS allows you to use the normal hostname for the services, by creating a DNS zone in the VPC using Route53 that has a record for the service that resolves to the interface's private IP address.
806 | * NAT Gateway
807 | + To prevent unsolicited inbound connections but allow outbound connections for instances without a public IP
808 | + Within a public subnet, in a specific AZ
809 | + The subnet's NACL applies, but NAT Gateways aren't in any security groups
810 | + Has an Elastic IP address
811 | + Connects to an Internet Gateway
812 | + Can be used by instances in a different (private) subnet in the same VPC
813 | + Also see Transit Gateway
814 | * Subnets
815 | + Within a single AZ
816 | + Can be shared across accounts!
817 | + CIDR is within the VPC's CIDR and can't overlap other subnets in the VPC. Must have IPv4 CIDR.
818 | + Associated with a route table for outbound traffic. Default to VPC's main route table.
819 | + Public subnet = route table includes an internet gateway. Otherwise called a private subnet.
820 | + Instances have a private IP and optionally (configured at subnet + instance level) either a public IP (random from AWS' pool) or an Elastic IP (persistent, owned by your account)
821 | + Instances with a public/elastic IP also get a public DNS hostname
822 | * Network ACLs
823 | + Each subnet has a NACL
824 | + What traffic can enter/exit a subnet
825 | + Stateless - must have explicit inbound and outbound rules - replies aren't special. For web-facing servers, need to allow outbound traffic on ephemeral ports (e.g. 1024-65535) to all addresses
826 | + VPC default NACL is used for new subnets, its initial rules allow all traffic
827 | + Rules: Allow/Deny, dest port, src/dst addr, protocol.
828 | + Rules evaluated in order until one matches. Default deny (there's an immutable final deny rule that matches all).
829 | + Custom NACLs start with no rules (except the deny-all).
830 | * Route tables
831 | + Exist in the VPC. Subnets are associated with a single route table
832 | + The most specific route that matches is used
833 | + Always have unmodifiable local routes for in-VPC traffic
834 | + Need to have entries for gateways and VPC peering
835 | + New VPCs have a main route table. You can make a custom route table the main one.
836 | * Flow logs
837 | + to S3 or CloudWatch Logs
838 | + Log streams/files are per interface, but can be configured at VPC, subnet, or network interface level
839 | + Capture window: ~10 minutes after which a log entry is published
840 | + ` `
841 | + Doesn't record: Amazon DNS requests (does record requests to a custom DNS server); 169.254.169.254 metadata; DHCP; traffic to the default VPC router
842 | + Identity policies only - no resource based policies
843 | + Flow logs service needs a role to assume so it can publish logs to S3 or CloudWatch, and users need iam:PassRole for the role
844 | + S3 Bucket policy must allow the service to PutObject + a bit more. Automatically created if the flow log creator can create and modify bucket policies.
845 | * Security groups
846 | + What traffic can flow to/from an instance
847 | + Allow rules only, direction specific.
848 | + Multiple SGs per instance are possible.
849 | + Rules on src/dest, dest port, protocol (TCP, UDP, etc)
850 | + src/dest can be ip range; a sg in this VPC or a peered one; service prefix list for gateway endpoints
851 | + Default rules in a new group: no inbound, all outbound.
852 | + The default security group also allows inbound from other instances in the sg.
853 | + Stateful - responses are always allowed
854 | + Can reference SGs in peered VPCs.
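The Network ACL and Security group bullets above, worked through in code as an added example that is not part of the original notes. It models only what the notes state (ordered, stateless allow/deny NACL rules with a final deny-all; allow-only, stateful security groups) and shows the classic failure mode: an inbound NACL rule for port 80 with no outbound ephemeral-port rule blocks the reply, while a security group with the same inbound rule lets the reply through. All rule sets and addresses are constructed.

```python
"""Stateless NACLs vs stateful security groups, from the VPC notes above.

Added example, not from the original notes. NACL rules are numbered,
evaluated in order, allow or deny, and end in an implicit deny-all;
security group rules are allow-only and replies to tracked flows are
always permitted. Rule sets and packets are constructed for illustration.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    protocol: str   # "tcp", "udp", ...
    src_port: int
    dst_port: int


@dataclass(frozen=True)
class Rule:
    protocol: str            # "all" matches any protocol
    cidr: str                # remote side: source if inbound, destination if outbound
    port_from: int = 0       # destination port range; 0-65535 means any
    port_to: int = 65535
    number: int = 0          # NACL evaluation order (unused for security groups)
    action: str = "allow"    # NACLs may also "deny"; security groups never do

    def matches(self, pkt: Packet, direction: str) -> bool:
        remote = pkt.src if direction == "in" else pkt.dst
        return (self.protocol in ("all", pkt.protocol)
                and ip_address(remote) in ip_network(self.cidr)
                and self.port_from <= pkt.dst_port <= self.port_to)


def nacl_permits(rules: list[Rule], pkt: Packet, direction: str) -> bool:
    """First matching rule (lowest number) decides; nothing matching means deny."""
    for rule in sorted(rules, key=lambda r: r.number):
        if rule.matches(pkt, direction):
            return rule.action == "allow"
    return False


class SecurityGroup:
    """Allow-only and stateful: a reply to a flow that was allowed is always allowed."""

    def __init__(self, inbound: list[Rule], outbound: list[Rule]):
        self.inbound, self.outbound = inbound, outbound
        self._tracked: set[tuple] = set()   # flows allowed so far, as 5-tuples

    def permits(self, pkt: Packet, direction: str) -> bool:
        reverse = (pkt.protocol, pkt.dst, pkt.dst_port, pkt.src, pkt.src_port)
        if reverse in self._tracked:        # reply to a tracked flow: no rule needed
            return True
        rules = self.inbound if direction == "in" else self.outbound
        if any(r.matches(pkt, direction) for r in rules):
            self._tracked.add((pkt.protocol, pkt.src, pkt.src_port, pkt.dst, pkt.dst_port))
            return True
        return False


def web_server_scenario() -> dict:
    """A web server at 10.0.1.5 serving a client at 203.0.113.10 (constructed addresses)."""
    request = Packet("203.0.113.10", "10.0.1.5", "tcp", 51234, 80)
    reply = Packet("10.0.1.5", "203.0.113.10", "tcp", 80, 51234)

    nacl_in = [Rule("tcp", "0.0.0.0/0", 80, 80, number=100)]
    nacl_out_forgot_ephemeral: list[Rule] = []
    nacl_out_fixed = [Rule("tcp", "0.0.0.0/0", 1024, 65535, number=100)]
    # Ordering matters: a lower-numbered deny shadows the later allow for that range
    nacl_in_ordered = [Rule("tcp", "203.0.113.0/24", 80, 80, number=90, action="deny"),
                       Rule("all", "0.0.0.0/0", number=100)]

    sg = SecurityGroup(inbound=[Rule("tcp", "0.0.0.0/0", 80, 80)], outbound=[])

    return {
        "nacl_request": nacl_permits(nacl_in, request, "in"),
        "nacl_reply_without_ephemeral_rule": nacl_permits(nacl_out_forgot_ephemeral, reply, "out"),
        "nacl_reply_with_ephemeral_rule": nacl_permits(nacl_out_fixed, reply, "out"),
        "nacl_request_shadowed_by_deny": nacl_permits(nacl_in_ordered, request, "in"),
        "custom_nacl_with_no_rules": nacl_permits([], request, "in"),
        "sg_request": sg.permits(request, "in"),
        "sg_reply_with_no_outbound_rules": sg.permits(reply, "out"),
    }


if __name__ == "__main__":
    for name, allowed in web_server_scenario().items():
        print(f"{name:40s} {'ALLOW' if allowed else 'DENY'}")
```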
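The Flow logs bullets above, as an added example that is not from the original notes: a parser for the default flow log record format and a small detection over it that reports sources refused on many distinct ports within the records given. The field order assumed is the documented default (version 2) format: version, account-id, interface-id, srcaddr, dstaddr, srcport, dstport, protocol, packets, bytes, start, end, action, log-status. The records, account ID and interface ID are constructed.

```python
"""Detection over VPC Flow Log records, as an added example (not from the notes).

Assumes the default (version 2) record format:
  version account-id interface-id srcaddr dstaddr srcport dstport protocol
  packets bytes start end action log-status
NODATA and SKIPDATA records carry '-' in the address and port fields, so they
are skipped rather than parsed. All records below are constructed.
"""
from collections import defaultdict
from dataclasses import dataclass
from typing import Optional

FIELDS = ("version account_id interface_id srcaddr dstaddr srcport dstport "
          "protocol packets bytes start end action log_status").split()


@dataclass
class FlowRecord:
    interface_id: str
    srcaddr: str
    dstaddr: str
    srcport: int
    dstport: int
    protocol: int     # IANA number: 6 = TCP, 17 = UDP
    packets: int
    bytes: int
    action: str       # ACCEPT or REJECT
    log_status: str   # OK (NODATA / SKIPDATA records are not returned)


def parse_flow_record(line: str) -> Optional[FlowRecord]:
    """Parse one record; return None for records without flow data."""
    parts = line.split()
    if len(parts) != len(FIELDS):
        raise ValueError(f"expected {len(FIELDS)} fields, got {len(parts)}: {line!r}")
    rec = dict(zip(FIELDS, parts))
    if rec["log_status"] != "OK":
        return None
    return FlowRecord(
        interface_id=rec["interface_id"], srcaddr=rec["srcaddr"], dstaddr=rec["dstaddr"],
        srcport=int(rec["srcport"]), dstport=int(rec["dstport"]), protocol=int(rec["protocol"]),
        packets=int(rec["packets"]), bytes=int(rec["bytes"]),
        action=rec["action"], log_status=rec["log_status"],
    )


def find_rejected_scans(lines, min_ports: int = 4) -> dict:
    """Group REJECTed flows by (source address, interface); report any source
    refused on at least min_ports distinct destination ports."""
    rejected_ports = defaultdict(set)
    skipped = 0
    for line in lines:
        if not line.strip():
            continue
        rec = parse_flow_record(line)
        if rec is None:
            skipped += 1
            continue
        if rec.action == "REJECT":
            rejected_ports[(rec.srcaddr, rec.interface_id)].add(rec.dstport)
    suspected = {key: sorted(ports) for key, ports in rejected_ports.items()
                 if len(ports) >= min_ports}
    return {"suspected_scans": suspected, "records_without_data": skipped}


# Constructed records: one client browsing normally, one source probing
# several closed ports, one internal flow, and one interface with no traffic.
SAMPLE_LOG = """\
2 123456789012 eni-0a1b2c3d 203.0.113.10 10.0.1.5 51234 80 6 12 3400 1700000000 1700000600 ACCEPT OK
2 123456789012 eni-0a1b2c3d 203.0.113.10 10.0.1.5 51235 8443 6 1 44 1700000000 1700000600 REJECT OK
2 123456789012 eni-0a1b2c3d 198.51.100.7 10.0.1.5 40000 22 6 1 44 1700000000 1700000600 REJECT OK
2 123456789012 eni-0a1b2c3d 198.51.100.7 10.0.1.5 40001 23 6 1 44 1700000000 1700000600 REJECT OK
2 123456789012 eni-0a1b2c3d 198.51.100.7 10.0.1.5 40002 445 6 1 44 1700000000 1700000600 REJECT OK
2 123456789012 eni-0a1b2c3d 198.51.100.7 10.0.1.5 40003 3389 6 1 44 1700000000 1700000600 REJECT OK
2 123456789012 eni-0a1b2c3d 10.0.1.5 10.0.2.9 33000 3306 6 20 5000 1700000000 1700000600 ACCEPT OK
2 123456789012 eni-0a1b2c3d - - - - - - - 1700000000 1700000600 - NODATA
"""

if __name__ == "__main__":
    result = find_rejected_scans(SAMPLE_LOG.splitlines())
    for (src, eni), ports in result["suspected_scans"].items():
        print(f"{src} refused on {len(ports)} ports via {eni}: {ports}")
    print(f"records without flow data: {result['records_without_data']}")
```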
855 |
856 | ## Storage
857 |
858 | * [**S3**](https://aws.amazon.com/s3/)
859 | * Monitoring
860 | + CloudTrail by default records bucket-level actions
861 | + Can enable CloudTrail logging of object-level actions by setting that property on a bucket in S3 (can choose read/write)
862 | + Server access logging - separate audit log, configured per-bucket, that stores events in a bucket. Destination bucket needs a special ACL (see ACL section). Best-effort delivery.
863 | + Buckets and Objects are the main resources, each have various subresources (versioning, policies/acls, ...)
864 | + Buckets are truly global - no region or account ID in their ARN
865 | + The account that uploads objects owns them - even if the bucket is owned by a different account! Bucket owner pays for storage, manages storage class, and can delete or deny access to any object.
866 | + [Access control](https://docs.aws.amazon.com/AmazonS3/latest/dev/how-s3-evaluates-access-control.html) logic is complex. That page doesn't include "block public access" logic.
867 | + User needs to have permission - using identity policies (or user is the root of an account)
868 | + For bucket operations: bucket needs to have permission - either just bucket policy/acl for user in a different account, or both bucket policy/acl and identity policy if user is in the same account
869 | + For object operations: User has to have permission (or be root). Bucket policy/acl has to _not deny_. Object ACL (or bucket policy) has to allow. Three different account contexts in play - the user's account (IAM), the bucket's account (for bucket ACL/policy & identity policy if same-account), the object's account (for object ACL).
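The three-context rule just described, as an added example written in Python (a simplified model following the summary above, not S3's real evaluator; accounts, principals and grants are constructed). It reproduces the cross-account upload gotcha from the notes: the bucket owner cannot read an object uploaded by another account, because the object ACL is evaluated in the uploader's account, but can still delete it, because WRITE is a bucket-level permission.

```python
"""Simplified model of S3's identity / bucket / object authorisation contexts.

Added example built from the rules summarised above; not AWS's implementation.
"""
from dataclasses import dataclass, field
from typing import Dict, Optional, Set, Tuple


@dataclass
class Principal:
    account: str
    name: str
    is_root: bool = False
    allowed_actions: Set[str] = field(default_factory=set)   # identity-policy allows


@dataclass
class Policy:
    """Resource-based policy reduced to explicit allow/deny entries keyed by (principal, action)."""
    allows: Set[Tuple[str, str]] = field(default_factory=set)
    denies: Set[Tuple[str, str]] = field(default_factory=set)


@dataclass
class Acl:
    """grantee -> permissions; grantee is 'account:<id>' or a predefined group name."""
    grants: Dict[str, Set[str]] = field(default_factory=dict)


def default_acl(owner_account: str) -> Acl:
    # Default ACL: the owner account gets FULL_CONTROL and nobody else is granted anything.
    return Acl({f"account:{owner_account}": {"FULL_CONTROL"}})


@dataclass
class Bucket:
    owner_account: str
    policy: Policy = field(default_factory=Policy)
    acl: Optional[Acl] = None

    def __post_init__(self):
        if self.acl is None:
            self.acl = default_acl(self.owner_account)


@dataclass
class S3Object:
    owner_account: str          # the uploading account owns the object, whoever owns the bucket
    acl: Optional[Acl] = None

    def __post_init__(self):
        if self.acl is None:
            self.acl = default_acl(self.owner_account)


# ACL permission each action needs. WRITE exists only on bucket ACLs.
ACL_PERMISSION = {
    "s3:ListBucket": "READ", "s3:GetObject": "READ",
    "s3:PutObject": "WRITE", "s3:DeleteObject": "WRITE",
    "s3:GetBucketAcl": "READ_ACP", "s3:PutBucketAcl": "WRITE_ACP",
    "s3:GetObjectAcl": "READ_ACP", "s3:PutObjectAcl": "WRITE_ACP",
}


def principal_id(p: Principal) -> str:
    return f"{p.account}:{p.name}"


def acl_allows(acl: Acl, p: Principal, action: str) -> bool:
    needed = ACL_PERMISSION[action]
    for grantee, perms in acl.grants.items():
        if "FULL_CONTROL" not in perms and needed not in perms:
            continue
        if grantee == "AllUsers":                                   # includes anonymous
            return True
        if grantee == "AuthenticatedUsers" and p.name != "anonymous":  # any AWS user at all
            return True
        if grantee == f"account:{p.account}":
            return True
    return False


def _identity_allows(p: Principal, action: str) -> bool:
    return p.is_root or action in p.allowed_actions


def check_bucket_op(p: Principal, bucket: Bucket, action: str) -> bool:
    """Bucket operation: identity context must allow; bucket context must allow and not deny."""
    key = (principal_id(p), action)
    if key in bucket.policy.denies:
        return False
    if not _identity_allows(p, action):
        return False
    return key in bucket.policy.allows or acl_allows(bucket.acl, p, action)


def check_object_op(p: Principal, bucket: Bucket, obj: S3Object, action: str) -> bool:
    """Object operation: identity allows, bucket context does not deny, object context allows."""
    key = (principal_id(p), action)
    if key in bucket.policy.denies:
        return False
    if not _identity_allows(p, action):
        return False
    if key in bucket.policy.allows:          # a bucket policy can grant instead of the object ACL
        return True
    if ACL_PERMISSION[action] == "WRITE":    # overwrite/delete is a bucket ACL permission
        return acl_allows(bucket.acl, p, action)
    return acl_allows(obj.acl, p, action)    # evaluated in the object owner's account


def cross_account_upload_example() -> Dict[str, bool]:
    """Constructed scenario: account B uploaded an object into account A's bucket."""
    bucket = Bucket(owner_account="111111111111")
    bucket.acl.grants["account:222222222222"] = {"WRITE"}     # B was granted write to upload
    obj = S3Object(owner_account="222222222222")
    a_root = Principal("111111111111", "root", is_root=True)
    b_user = Principal("222222222222", "uploader", allowed_actions={"s3:GetObject", "s3:DeleteObject"})
    anon = Principal("", "anonymous")
    return {
        "bucket owner can read object": check_object_op(a_root, bucket, obj, "s3:GetObject"),
        "bucket owner can delete object": check_object_op(a_root, bucket, obj, "s3:DeleteObject"),
        "uploader can read own object": check_object_op(b_user, bucket, obj, "s3:GetObject"),
        "uploader can delete object": check_object_op(b_user, bucket, obj, "s3:DeleteObject"),
        "anonymous can read object": check_object_op(anon, bucket, obj, "s3:GetObject"),
    }


if __name__ == "__main__":
    for k, v in cross_account_upload_example().items():
        print(f"{k}: {v}")
```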
870 | * Bucket policies
871 | + Bucket resource-based policy.
872 | * ACLs
873 | + Bucket and object resource-based policy
874 | + Default ACL grants the owner account full control
875 | + List of grants, each grant gives a grantee (an AWS account or predefined group) a permission
876 | + Grantee groups: Authenticated Users group - _any_ AWS user. All Users group - incl anonymous. Log Delivery group - S3 audit logs.
877 | + Permissions: READ, WRITE (only applies to buckets - allows overwriting and deleting objects), READ/WRITE ACL, FULL CONTROL (all of the above)
878 | + Don't use bucket ACLs except for allowing write access to the Log Delivery Group for access logging. This is the only way.
879 | * Block Public Access
880 | + Applied to specific buckets, or all buckets in an account
881 | + BlockPublicAcls - can't create new public bucket or object ACLs
882 | + IgnorePublicAcls - existing (and new) public ACLs are ignored
883 | + BlockPublicPolicy - can't create public bucket policies (only really works if applied account-wide, otherwise you can undo it via a bucket policy that allows modifying this policy...)
884 | + RestrictPublicBuckets - blocks all anonymous and cross-account access to a bucket
885 | + Query string authentication - instead of using the authorization header, you specify the access key ID and signature in
886 | * Event notifications
887 | + Per bucket.
888 | + Sources: object creation, deletion, restoration from Glacier, and loss (for reduced redundancy class)
889 | + Destinations: SNS topic, SQS queue, Lambda
890 | * Versioning
891 | + Enable on a bucket, then all object versions (including deleted ones) remain available. Bucket owner can permanently delete.
892 | + Object lock: can't be deleted or overwritten until a particular date. Governance mode - needs s3:BypassGovernanceMode to override; Compliance mode - can't be overridden, even by root. Legal Hold - no end date (separate perm needed to override). Applies to an individual object version.
893 | + MFA delete: have to provide a TOTP code to delete (separate to IAM MFA) in `x-amz-mfa` header
894 | * Lifecycle policies
895 | + Transition action - change storage class
896 | + Expiration action - delete
897 | + e.g. archive old versions to glacier, then delete.
898 | * Encryption
899 | + SSE-S3 - pure S3 managed encryption
900 | + SSE-KMS - standard KMS integration like other services
901 | + SSE-C - you send the plaintext encryption key in the request (!)
902 | + The SDKs also ease support for client-side encryption
903 |
904 | * [Elastic Block Store (EBS)](https://aws.amazon.com/ebs/)
905 | + Redundancy but only within a single AZ
906 | + Snapshots might be useful for recovery
907 | + Encryption (if enabled) happens on the EC2 server side (outside the EC2 VM), hence encrypted in transit and rest. Uses KMS - wrapped data key stored alongside volume.
908 | + `ec2:CreateVolume` action paired with `ec2:Encrypted` condition key can enforce use of encrypted volumes
909 |
910 | * [EFS](https://aws.amazon.com/efs/)
911 | + NFS filesystem
912 | + Standard POSIX permissions
913 | + Mount targets appear as endpoints in a VPC, so Security Groups can control access
914 | + IAM only used for administration
915 | + transparent encryption at rest with KMS (could monitor compliance with a CloudWatch alarm over CloudTrail logs)
916 | + NFS over TLS is an option with the EFS mount helper (stunnel)
917 |
918 | * [S3 Glacier](https://aws.amazon.com/glacier/)
919 | + Encrypted by default
920 | + Vault access policies - resource based policy attached to a vault. Like a bucket policy.
921 | + Vault lock policies - a vault access policy that can be locked to prevent changes to it
922 | + Other than the global ones and tags, supports `glacier:ArchiveAgeInDays` condition key - nice in combo with the `glacier:DeleteArchive` action
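The two condition-key tricks noted above (`ec2:Encrypted` on `ec2:CreateVolume` in the EBS section, and `glacier:ArchiveAgeInDays` with `glacier:DeleteArchive` here) share the same mechanism: an Allow plus a conditional explicit Deny. The added example below is a small IAM-style policy evaluator in Python with two constructed policies showing both; it is not AWS's evaluator, and the policy documents are constructed for illustration. It also shows the IAM behaviour that a plain `Bool`/`Numeric` condition evaluates to false when the key is absent from the request, so a conditional Deny only bites when the key is populated (this is documented IAM semantics, not something from the notes).

```python
"""Mini IAM policy evaluator: explicit Deny wins, then Allow, else implicit deny.

Added example with constructed policies; not AWS's evaluator. Supports the
Bool, NumericLessThan and StringEquals condition operators.
"""
import fnmatch
from typing import Any, Dict, List

# Constructed: allow EBS volume creation, but deny it when the volume is not encrypted.
DENY_UNENCRYPTED_VOLUMES = {
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow", "Action": ["ec2:CreateVolume"], "Resource": "*"},
        {"Effect": "Deny", "Action": ["ec2:CreateVolume"], "Resource": "*",
         "Condition": {"Bool": {"ec2:Encrypted": "false"}}},
    ],
}

# Constructed: allow archive deletion only once the archive is at least a year old.
PROTECT_YOUNG_ARCHIVES = {
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow", "Action": ["glacier:DeleteArchive"], "Resource": "*"},
        {"Effect": "Deny", "Action": ["glacier:DeleteArchive"], "Resource": "*",
         "Condition": {"NumericLessThan": {"glacier:ArchiveAgeInDays": "365"}}},
    ],
}


def _match_action(patterns: List[str], action: str) -> bool:
    """IAM action matching is case-insensitive with '*' wildcards."""
    return any(fnmatch.fnmatchcase(action.lower(), p.lower()) for p in patterns)


def _condition_holds(condition: Dict[str, Dict[str, Any]], context: Dict[str, Any]) -> bool:
    """Every operator and every key must match. A key missing from the request context
    makes the condition false (IAM semantics without the ...IfExists variants)."""
    for operator, pairs in condition.items():
        for key, expected in pairs.items():
            if key not in context:
                return False
            actual = context[key]
            if operator == "Bool":
                if str(actual).lower() != str(expected).lower():
                    return False
            elif operator == "NumericLessThan":
                if not float(actual) < float(expected):
                    return False
            elif operator == "StringEquals":
                if str(actual) != str(expected):
                    return False
            else:
                raise ValueError(f"unsupported condition operator: {operator}")
    return True


def evaluate(policies: List[Dict[str, Any]], action: str, context: Dict[str, Any]) -> bool:
    """Return True if the action is allowed under the given policies and request context."""
    allowed = False
    for policy in policies:
        for st in policy["Statement"]:
            actions = st["Action"] if isinstance(st["Action"], list) else [st["Action"]]
            if not _match_action(actions, action):
                continue
            if "Condition" in st and not _condition_holds(st["Condition"], context):
                continue
            if st["Effect"] == "Deny":
                return False          # an explicit Deny overrides any Allow
            allowed = True
    return allowed                    # no matching Allow means implicit deny


if __name__ == "__main__":
    print(evaluate([DENY_UNENCRYPTED_VOLUMES], "ec2:CreateVolume", {"ec2:Encrypted": "false"}))  # False
    print(evaluate([DENY_UNENCRYPTED_VOLUMES], "ec2:CreateVolume", {"ec2:Encrypted": "true"}))   # True
    print(evaluate([PROTECT_YOUNG_ARCHIVES], "glacier:DeleteArchive", {"glacier:ArchiveAgeInDays": "30"}))   # False
    print(evaluate([PROTECT_YOUNG_ARCHIVES], "glacier:DeleteArchive", {"glacier:ArchiveAgeInDays": "400"}))  # True
```

When writing a real policy of this shape, check how the service populates the key for every request path the Deny is meant to cover; the evaluator above returns True for `ec2:CreateVolume` with an empty context precisely because the condition cannot match an absent key.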
923 | + Retrieval requires job initiation then getting the output from the job
924 | + Data retrieval policy: a resource-based policy for regions? They don't describe it as such, but each region can have one policy that constrains Glacier retrievals to free tier / maximum transfer rate / unlimited.
925 |
926 | * [Backup](https://aws.amazon.com/backup/)
927 | + Centralise backups across RDS, DynamoDB, EBS, EFS, Storage Gateway. Uses those services' native capabilities (snapshots etc)
928 | + Can be encrypted in transit and at rest. Uses the service's native encryption capabilities, or for EFS where the backup functionality comes from Backup itself, it does the usual KMS encryption. Other than EFS, encryption depends on whether the source is encrypted (note DynamoDB tables are always encrypted at rest).
929 | + Resources: plans, vaults, recovery points.
930 | + Resource-based policy for vaults, but these only constrain _vault_ access, not access to the underlying backup like an EBS or RDS snapshot.
931 |
932 | * [Snow family](https://aws.amazon.com/snow/)
933 | + All use encryption integrated with KMS. Encryption is performed client-side prior to transfer to the device.
934 | + Snowball and Snowball edge use tamper-resistant designs and active monitoring using a TPM
935 | + API calls use IAM as normal. The Snowball devices don't - combo of an encrypted manifest & access code give full control of it.
936 | + Snowmobile is a little different :D ... "dedicated security personnel, GPS tracking, alarm monitoring, 24/7 video surveillance, and an optional escort security vehicle"
937 |
938 | * [Storage Gateway](https://aws.amazon.com/storagegateway/)
939 | + SMB/NFS front end to S3 - file gateway
940 | + iSCSI front end to Glacier/S3 - tape gateway / volume gateway
941 | + Encrypted in transit and at rest. By default uses SSE-S3, can configure to use SSE-KMS.
942 | + iSCSI has its own authentication model (CHAP)
943 |
--------------------------------------------------------------------------------