AWS Logging Mechanisms
Advanced networking at scale
In this section of the AWS Certified Advanced Networking - Specialty learning path, we introduce you to the various network management services currently available in AWS that are relevant to the ANS-C01 exam.
- Identify and describe the various network management services available in AWS
- Understand the use of AWS Config to assess network infrastructure
- Describe how AWS CloudTrail is used to monitor and audit network infrastructure
- Explain how Amazon Inspector is used to enhance AWS network security and compliance
- Describe how VPC Flow Logs are used to capture IP traffic within the AWS Cloud
- Identify strategies for solving common issues that occur when running cloud networking at scale
The AWS Certified Advanced Networking - Specialty certification has been designed for anyone with experience designing, implementing, and operating complex AWS and hybrid networking architectures. Ideally, you’ll also have some exposure to the nuances of AWS networking regarding the integration of AWS services and AWS security best practices. Many exam questions will require advanced level knowledge of many AWS services, including AWS networking services. The AWS Cloud concepts introduced in this course will be explained and reinforced from the ground up.
Hello and welcome to this lecture, where I answer the question of what Amazon Inspector is and does, and why you may want to use it. Amazon Inspector is a managed service that is used to help you find security vulnerabilities within your EC2 instances and any applications running on them during any stage of development and deployment.
This is achieved automatically by running a series of assessments against the resources you specify, based on hundreds of best practices and known security weaknesses. The assessments cover four areas:
- Common Vulnerabilities and Exposures (CVE): the CVE list is a publicly known, well-documented reference list of security threats.
- Center for Internet Security (CIS) Benchmarks: these benchmarks are continuously refined and are used as global standards for best practices in protecting data and IT resources.
- Security Best Practices: looks for weaknesses against common security best practices.
- Runtime Behavior Analysis: looks at the behavior of your EC2 instances during an assessment.
On assessment completion, a detailed assessment report can be produced that highlights all of the findings, including any threats, allowing you to make the necessary changes to resolve any security and compliance issues.
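To show what those findings look like once you pull them out of an assessment programmatically, here is an added Python example; it is not part of the lecture and not code from the Amazon Inspector service. The finding records are constructed to mirror the field names returned by the boto3 Inspector Classic describe_findings call (id, title, severity, numericSeverity, indicatorOfCompromise, serviceAttributes.rulesPackageArn, assetAttributes.agentId, recommendation); the rules-package ARNs, instance IDs and titles are placeholders. It groups findings by severity, rules package and instance, and orders the ones worth acting on first, so the report can be triaged rather than read top to bottom.

```python
"""Triage Amazon Inspector (Classic) assessment findings offline.

Added example. SAMPLE_FINDINGS is constructed to mirror the shape of
boto3's inspector.describe_findings output; ARNs, instance IDs and
titles are placeholders, not real AWS values.
"""
from collections import Counter

# Placeholder rules-package ARNs -> human-readable names.
# Real Inspector Classic rules-package ARNs differ per region.
RULES_PACKAGES = {
    "arn:aws:inspector:REGION:ACCOUNT:rulespackage/PLACEHOLDER-CVE": "Common Vulnerabilities and Exposures",
    "arn:aws:inspector:REGION:ACCOUNT:rulespackage/PLACEHOLDER-CIS": "CIS Benchmarks",
    "arn:aws:inspector:REGION:ACCOUNT:rulespackage/PLACEHOLDER-SBP": "Security Best Practices",
    "arn:aws:inspector:REGION:ACCOUNT:rulespackage/PLACEHOLDER-RBA": "Runtime Behavior Analysis",
}

# Inspector Classic severity labels, ranked for filtering.
SEVERITY_RANK = {"High": 3, "Medium": 2, "Low": 1, "Informational": 0}


def _finding(fid, title, severity, score, pkg, agent, ioc=False):
    """Build one constructed finding in the describe_findings shape."""
    return {
        "id": fid,
        "title": title,
        "severity": severity,
        "numericSeverity": score,
        "indicatorOfCompromise": ioc,
        "serviceAttributes": {"rulesPackageArn": f"arn:aws:inspector:REGION:ACCOUNT:rulespackage/{pkg}"},
        "assetAttributes": {"agentId": agent},
        "recommendation": "Constructed recommendation text.",
    }


SAMPLE_FINDINGS = [  # constructed sample data
    _finding("finding-1", "Outdated package with a known CVE (constructed)", "High", 9.8, "PLACEHOLDER-CVE", "i-0PLACEHOLDER1"),
    _finding("finding-2", "CIS benchmark control not met (constructed)", "Medium", 6.5, "PLACEHOLDER-CIS", "i-0PLACEHOLDER1"),
    _finding("finding-3", "Best-practice configuration gap (constructed)", "Low", 3.0, "PLACEHOLDER-SBP", "i-0PLACEHOLDER2"),
    _finding("finding-4", "Unexpected listening port observed at runtime (constructed)", "High", 8.0, "PLACEHOLDER-RBA", "i-0PLACEHOLDER2", ioc=True),
    _finding("finding-5", "Informational hardening note (constructed)", "Informational", 0.0, "PLACEHOLDER-SBP", "i-0PLACEHOLDER1"),
]


def package_name(finding):
    """Map a finding's rules-package ARN to a readable name."""
    return RULES_PACKAGES.get(finding["serviceAttributes"]["rulesPackageArn"], "Unknown rules package")


def count_by_severity(findings):
    return dict(Counter(f["severity"] for f in findings))


def count_by_package(findings):
    return dict(Counter(package_name(f) for f in findings))


def findings_per_instance(findings):
    """Findings per assessed EC2 instance (the agent ID is the instance ID)."""
    return dict(Counter(f["assetAttributes"]["agentId"] for f in findings))


def prioritize(findings, min_severity="Medium"):
    """Keep findings at or above min_severity; indicators of compromise first,
    then highest numeric severity first."""
    threshold = SEVERITY_RANK[min_severity]
    kept = [f for f in findings if SEVERITY_RANK.get(f["severity"], 0) >= threshold]
    return sorted(kept, key=lambda f: (not f.get("indicatorOfCompromise", False), -f["numericSeverity"]))


def fetch_findings(assessment_run_arn, region_name=None):
    """Pull real findings for one assessment run with boto3 (needs credentials
    and network access; not used by the offline sample). Uses the Inspector
    Classic list_findings / describe_findings calls; describe_findings takes
    at most 100 ARNs per call, so the ARN list is chunked."""
    import boto3
    client = boto3.client("inspector", region_name=region_name)
    arns, token = [], None
    while True:
        kwargs = {"assessmentRunArns": [assessment_run_arn]}
        if token:
            kwargs["nextToken"] = token
        page = client.list_findings(**kwargs)
        arns.extend(page["findingArns"])
        token = page.get("nextToken")
        if not token:
            break
    findings = []
    for i in range(0, len(arns), 100):
        findings.extend(client.describe_findings(findingArns=arns[i:i + 100])["findings"])
    return findings


def render_report(findings):
    """Plain-text triage summary, returned as a string."""
    lines = ["By severity: " + str(count_by_severity(findings)),
             "By rules package: " + str(count_by_package(findings)),
             "Per instance: " + str(findings_per_instance(findings)),
             "Act on first:"]
    for f in prioritize(findings):
        flag = " [indicator of compromise]" if f.get("indicatorOfCompromise") else ""
        lines.append(f"  {f['severity']:<8} {f['numericSeverity']:>4} {f['assetAttributes']['agentId']} {f['title']}{flag}")
    return "\n".join(lines)


if __name__ == "__main__":
    print(render_report(SAMPLE_FINDINGS))
```

With real data, call `fetch_findings(assessment_run_arn)` and pass the result to `render_report`; the constructed sample shows the ordering rule: a Runtime Behavior Analysis finding flagged as an indicator of compromise is listed before a higher-scored CVE finding, because it points at something observed on the instance rather than a theoretical weakness.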
The Amazon Inspector service is agent based, meaning it requires software agents to be installed on any EC2 instances you want to assess. This makes it an easy service to configure and add at any point to resources already running within your AWS infrastructure, so Amazon Inspector integrates seamlessly with your existing security processes and procedures as another layer of security.
Amazon Inspector draws on a vast, constantly updated knowledge base of best practices and vulnerabilities, and you can select which packages best fit your use case and the standards your resources must adhere to. This allows you to customize the security assessment for your environment and ensures that specific security loopholes are identified and addressed immediately.
Amazon Inspector records its assessments, which makes it a great service for presenting findings to auditors who may need to see evidence of security compliance and adherence to specific government controls.
Maintaining these records and reports helps you to maintain the compliance you may need for certifications such as PCI. So now that we know at a high level what the service is used for, why would we use it? In the industry today we hear more and more about how the level of attacks, and the sheer quantity of hacking into small and large enterprise infrastructure in an attempt to steal and manipulate data, is rising. New methods of cyber security attack are being devised and, as a result, new methods of prevention have to follow suit.
In a traditional data center deployment, most organizations have a level of intrusion detection and prevention plus monitoring systems in place at different levels within their infrastructure. However, not everyone has the same within the cloud. Security as a topic within the cloud is still the number one reason that prevents businesses from adopting the cloud. Much of this can be attributed to a lack of understanding, the correct skillset, and compliance.
AWS invests a huge amount of capital into security, and as a result, more and more security services and tools are being made available to us as customers, which is what spawned the creation of Amazon Inspector.
By using the Amazon Inspector service, we gain confidence in the level of security built into our applications and services due to the configurable assessments that we can run. The level of confidence not only benefits your organization, but your customers too. Having your service cross-checked for security compliance, threats, and vulnerabilities, ensures a reduction of attacks that your customer may be exposed to.
As you can see, this service offers some amazing benefits when looking at security compliance and the reduction of exposed attack points within your infrastructure. Traditionally, implementing, managing, operating, and analyzing your infrastructure resources and applications for these threats and best practices would be difficult and would take a very particular security-focused skillset. This skillset, along with the systems and applications needed to implement such a service, would come at a high cost to your business. The talent and budget may not be there for many organizations for this to happen. Thankfully, Amazon Inspector offers a solution that is lower in cost than a traditional solution.
As your organization grows, Amazon Inspector scales with it through the use of its agents. This allows repeatable and automated assessments to take place. With easy-to-understand assessment reports, it removes the need for the highly skilled resource that may traditionally have been required to dissect the findings and implement the necessary fix to resolve them.
That now brings us to the end of this lecture. Coming up next, I'm going to look at the service in greater detail, identifying the components used.
Stuart has been working within the IT industry for two decades covering a huge range of topic areas and technologies, from data center and network infrastructure design, to cloud architecture and implementation.
To date, Stuart has created 150+ courses relating to Cloud reaching over 180,000 students, mostly within the AWS category and with a heavy focus on security and compliance.
Stuart is a member of the AWS Community Builders Program for his contributions towards AWS.
He is AWS certified and accredited in addition to being a published author covering topics across the AWS landscape.
In January 2016 Stuart was awarded ‘Expert of the Year Award 2015’ from Experts Exchange for his knowledge share within cloud services to the community.
Stuart enjoys writing about cloud technologies and you will find many of his articles within our blog pages.