This course is focused on the details you need to know for the 20% of the SysOps Administrator – Associate for AWS exam that covers data security. You will learn to recognize and explain platform compliance for AWS, and be able to both recognize and implement secure procedures for optimum cloud deployment and maintenance, including understanding the shared responsibility security model, and knowing what that looks like in practice.
- Recognize and explain the AWS shared security responsibility model
- Recognize and implement IAM users, policies and roles
- Recognize and explain how AWS enables you to protect data at rest and in transit
This course is for anyone preparing for the Solutions Architect–Associate for AWS certification exam. We assume you have some existing knowledge and familiarity with AWS, and are specifically looking to get ready to take the certification exam.
Basic knowledge of core AWS functionality. If you haven't already completed it, we recommend our Fundamentals of AWS Learning Path.
This Course Includes:
- 7 Video Lectures
- Everything you need to know about data security to prepare for the Solutions Architect–Associate for AWS certification exam
What You'll Learn
| Lecture | What you'll learn |
| --- | --- |
| Shared Responsibility Model | What's managed by AWS vs. customers |
| Identity and Access Management | How to use IAM to keep your data secure |
| Platform Compliance | Best practices for platform compliance |
| Data at Rest and in Transit | How to secure your data at rest and in transit |
| Identity Federation | Web identity federation |
| CloudFront Security | How to secure Amazon CloudFront |
If you have thoughts or suggestions for this course, please contact Cloud Academy at firstname.lastname@example.org.
Let's have a quick look at Amazon CloudFront security while we're on the subject. By default, Amazon CloudFront accepts requests over both HTTP and HTTPS. Used together with ELBs that have HTTPS enabled and with encryption between your instances and your databases, a distribution that supports HTTPS is one more layer of defense you can add. You can configure Amazon CloudFront to require HTTPS for viewer requests and reject all HTTP requests. For HTTPS requests, Amazon CloudFront also uses HTTPS to retrieve your object from the Amazon S3 origin, so the object is encrypted whenever it is transmitted.
CloudFront access logs contain a comprehensive record of the requests made for your content: the object requested, the date and time of the request, and the edge location that served it. Most importantly, they include the client IP address, the referrer, and the user agent. To enable access logs, you simply specify the name of the Amazon S3 bucket that will store the logs when you configure your Amazon CloudFront distribution.
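The two paragraphs above describe what the access logs record and why an HTTPS-only viewer policy matters. The following added example (not code from the lecture or from AWS) parses CloudFront standard log records using the `#Fields` header, then summarises the items a defender usually starts with: requests per client IP, requests that still arrived over plain HTTP, and 403 responses per object. The log text is constructed for the example and trimmed to the fields used here; the distribution hostname and IP addresses are placeholders.

```python
"""Parse CloudFront standard (access) log lines and summarise them.

Added example. The log text below is CONSTRUCTED: it follows the
CloudFront standard-log layout (a '#Version' line, a space-separated
'#Fields' header, tab-separated records) but is trimmed to the fields
this example uses."""
from collections import Counter
from typing import Any, Dict, List

# Constructed sample log (placeholder hostname and documentation-range IPs).
SAMPLE_LOG = (
    "#Version: 1.0\n"
    "#Fields: date time x-edge-location sc-bytes c-ip cs-method cs(Host) "
    "cs-uri-stem sc-status cs(Referer) cs(User-Agent) cs-protocol\n"
    "2024-05-01\t10:00:01\tLHR50-C1\t2048\t198.51.100.7\tGET\td111111abcdef8.cloudfront.net"
    "\t/video/intro.mp4\t200\thttps://www.example.com/\tMozilla/5.0\thttps\n"
    "2024-05-01\t10:00:02\tLHR50-C1\t512\t198.51.100.7\tGET\td111111abcdef8.cloudfront.net"
    "\t/video/intro.mp4\t403\t-\tcurl/8.4.0\thttps\n"
    "2024-05-01\t10:00:03\tIAD89-P2\t1024\t203.0.113.9\tGET\td111111abcdef8.cloudfront.net"
    "\t/index.html\t200\t-\tMozilla/5.0\thttp\n"
    "2024-05-01\t10:00:04\tIAD89-P2\t0\t203.0.113.9\tGET\td111111abcdef8.cloudfront.net"
    "\t/video/intro.mp4\t403\t-\tMozilla/5.0\thttps\n"
)


def parse_cloudfront_log(text: str) -> List[Dict[str, str]]:
    """Return one dict per record, keyed by the names in the #Fields header."""
    fields: List[str] = []
    records: List[Dict[str, str]] = []
    for raw in text.splitlines():
        if not raw.strip():
            continue
        if raw.startswith("#Fields:"):
            fields = raw[len("#Fields:"):].split()   # header is space-separated
            continue
        if raw.startswith("#"):
            continue                                 # '#Version' or other headers
        if not fields:
            raise ValueError("record appeared before the #Fields header")
        values = raw.split("\t")                     # records are tab-separated
        if len(values) != len(fields):
            raise ValueError(f"expected {len(fields)} fields, got {len(values)}: {raw!r}")
        records.append(dict(zip(fields, values)))
    return records


def summarise(records: List[Dict[str, str]]) -> Dict[str, Any]:
    """Counts a defender wants first: who is asking, plain HTTP, and 403s."""
    by_ip = Counter(r["c-ip"] for r in records)
    # Any 'http' here means the viewer protocol policy still allows plain HTTP.
    plain_http = sum(1 for r in records if r["cs-protocol"] == "http")
    # 403 per object: a failed/expired signed URL or a missing OAI grant looks like this.
    forbidden = Counter(r["cs-uri-stem"] for r in records if r["sc-status"] == "403")
    return {
        "requests_by_ip": dict(by_ip),
        "plain_http_requests": plain_http,
        "forbidden_by_object": dict(forbidden),
    }


if __name__ == "__main__":
    for key, value in summarise(parse_cloudfront_log(SAMPLE_LOG)).items():
        print(f"{key}: {value}")
```

Because the parser takes the column names from the `#Fields` header rather than hard-coding positions, it keeps working when CloudFront appends new fields to the log format; the only requirement is that the fields the summary reads are present.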
Amazon S3 provides the durability here: as the origin store for Amazon CloudFront, it holds the original, definitive copies of the objects CloudFront delivers. If you want more control over who can download content from Amazon CloudFront, you can enable the service's private content feature. One part of this is restricting access to objects at the CloudFront edge locations: you can configure CloudFront to require that users access your objects using either signed URLs or signed cookies. You then build your application either to create and distribute signed URLs to authenticated users, or to send Set-Cookie headers that set signed cookies in the viewers' browsers for authenticated users.
To control access to the original copies of your objects in Amazon S3 (the origin, as we call it), Amazon CloudFront lets you create one or more origin access identities and associate them with your distributions. When an origin access identity is associated with an Amazon CloudFront distribution, the distribution uses that identity to retrieve objects from Amazon S3.
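To make the signed-URL mechanism concrete, here is an added example (not the lecture's or AWS's code) that builds a CloudFront signed URL using a "canned" policy: the policy JSON is signed with RSA-SHA1 using a trusted signer's private key, and the URL carries `Expires`, `Signature` and `Key-Pair-Id` query parameters, with the signature in CloudFront's URL-safe base64 variant. Assumptions: the key pair ID is a placeholder, the resource URL has no query string of its own, and the demo generates a throwaway RSA key with the third-party `cryptography` package purely to show the flow (in practice the private key belongs to a trusted signer or key group and is never generated per request).

```python
"""Build a CloudFront signed URL (canned policy). Added example.

Assumptions: placeholder key pair ID, resource URL without a query string,
RSA key generated on the fly for the demo via 'cryptography' (in a real
application the trusted signer's key is loaded, never generated here)."""
import base64
import json
import time
from typing import Callable

Signer = Callable[[bytes], bytes]   # message -> raw RSA-SHA1 signature bytes


def canned_policy(resource_url: str, expires_epoch: int) -> str:
    """Canned policy: one Resource, one DateLessThan condition, compact JSON."""
    policy = {"Statement": [{
        "Resource": resource_url,
        "Condition": {"DateLessThan": {"AWS:EpochTime": expires_epoch}},
    }]}
    # CloudFront signs exactly these bytes: no whitespace anywhere.
    return json.dumps(policy, separators=(",", ":"))


def cloudfront_b64(data: bytes) -> str:
    """Standard base64 with CloudFront's substitutions so it is URL-safe."""
    encoded = base64.b64encode(data).decode("ascii")
    return encoded.replace("+", "-").replace("=", "_").replace("/", "~")


def rsa_sha1_signer(private_key_pem: bytes) -> Signer:
    """Return a signer that produces the RSA-SHA1 signature CloudFront verifies."""
    from cryptography.hazmat.primitives import hashes, serialization
    from cryptography.hazmat.primitives.asymmetric import padding
    key = serialization.load_pem_private_key(private_key_pem, password=None)
    return lambda message: key.sign(message, padding.PKCS1v15(), hashes.SHA1())


def build_signed_url(resource_url: str, expires_epoch: int,
                     key_pair_id: str, signer: Signer) -> str:
    """Append Expires, Signature and Key-Pair-Id to the resource URL."""
    signature = signer(canned_policy(resource_url, expires_epoch).encode("ascii"))
    # All three values are URL-safe by construction, so no further escaping is needed.
    return (f"{resource_url}?Expires={expires_epoch}"
            f"&Signature={cloudfront_b64(signature)}"
            f"&Key-Pair-Id={key_pair_id}")


def _demo() -> str:
    """Generate a throwaway key (demo only) and sign a URL valid for 10 minutes."""
    from cryptography.hazmat.primitives import serialization
    from cryptography.hazmat.primitives.asymmetric import rsa
    key = rsa.generate_private_key(public_exponent=65537, key_size=2048)
    pem = key.private_bytes(serialization.Encoding.PEM,
                            serialization.PrivateFormat.PKCS8,
                            serialization.NoEncryption())
    expires = int(time.time()) + 600
    return build_signed_url("https://d111111abcdef8.cloudfront.net/video/intro.mp4",
                            expires, "APKAEXAMPLEPLACEHOLDER", rsa_sha1_signer(pem))


if __name__ == "__main__":
    print(_demo())
```

The signer is passed in as a callable so the URL-construction logic can be exercised (and unit-tested) without a private key present; only `rsa_sha1_signer` and `_demo` touch the `cryptography` package. Short expiry windows limit how long a leaked URL stays useful, which is the property the private content feature is meant to give you.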
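The origin side of private content is enforced by the S3 bucket policy, not by CloudFront itself: the bucket must grant `s3:GetObject` to the origin access identity and must not also grant it to everyone, or the edge restriction is bypassed by fetching straight from S3. The following added example (not the lecture's or AWS's code) generates that OAI-only bucket policy and audits any policy document for Allow statements that leave objects publicly readable. The bucket name and OAI ID are placeholders; the "before" policy is constructed for the example.

```python
"""Generate an OAI-only S3 bucket policy and audit policies for public reads.

Added example; bucket name and OAI ID are placeholders, and the
'before' policy is constructed to show what the audit flags."""
import json
from typing import Any, Dict, List, Union

Policy = Dict[str, Any]


def oai_bucket_policy(bucket: str, oai_id: str) -> Policy:
    """Bucket policy allowing only the CloudFront OAI to read objects."""
    # Principal ARN form used for CloudFront origin access identities.
    oai_arn = f"arn:aws:iam::cloudfront:user/CloudFront Origin Access Identity {oai_id}"
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Sid": "AllowCloudFrontOAIReadOnly",
            "Effect": "Allow",
            "Principal": {"AWS": oai_arn},
            "Action": "s3:GetObject",
            "Resource": f"arn:aws:s3:::{bucket}/*",
        }],
    }


# Constructed 'before' policy: objects readable by anyone on the internet.
PUBLIC_POLICY_BEFORE: Policy = {
    "Version": "2012-10-17",
    "Statement": [{
        "Sid": "PublicRead",
        "Effect": "Allow",
        "Principal": "*",
        "Action": ["s3:GetObject"],
        "Resource": "arn:aws:s3:::media-bucket-placeholder/*",
    }],
}


def _as_list(value: Union[str, List[str], None]) -> List[str]:
    if value is None:
        return []
    return [value] if isinstance(value, str) else list(value)


def _principals(principal: Union[str, Dict[str, Any], None]) -> List[str]:
    """Flatten the Principal element: '*', {'AWS': '*'} or lists thereof."""
    if principal is None:
        return []
    if isinstance(principal, str):
        return [principal]
    flattened: List[str] = []
    for value in principal.values():
        flattened.extend(_as_list(value))
    return flattened


def public_read_statements(policy: Policy) -> List[str]:
    """Sids (or positions) of Allow statements that grant object reads to everyone."""
    hits: List[str] = []
    for index, statement in enumerate(_as_list_of_dicts(policy.get("Statement"))):
        if statement.get("Effect") != "Allow":
            continue
        actions = _as_list(statement.get("Action"))
        grants_read = any(a in ("s3:GetObject", "s3:*", "*") for a in actions)
        if grants_read and "*" in _principals(statement.get("Principal")):
            hits.append(statement.get("Sid", f"statement[{index}]"))
    return hits


def _as_list_of_dicts(value: Any) -> List[Dict[str, Any]]:
    if value is None:
        return []
    return [value] if isinstance(value, dict) else list(value)


if __name__ == "__main__":
    fixed = oai_bucket_policy("media-bucket-placeholder", "E1EXAMPLEOAIID")
    print(json.dumps(fixed, indent=2))
    print("public before:", public_read_statements(PUBLIC_POLICY_BEFORE))
    print("public after: ", public_read_statements(fixed))
```

The audit deliberately treats `s3:*` and `*` as read grants and accepts both the string and object forms of `Principal`, since IAM policy JSON allows either; a policy that passes this check can still be public through S3 ACLs, so the bucket's public access block settings should be reviewed alongside it.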
A quick summary of CloudFront Security. Only authenticated users can create, modify, or delete their own Amazon CloudFront distributions. Requests are signed with an HMAC-SHA1 signature that's calculated from the request and the user's private key. The control API is only accessible via SSL-encrypted endpoints. Durability is provided by Amazon S3 as the origin server for Amazon CloudFront. You can control who is able to download content from Amazon CloudFront using the private content feature. Private content is an optional feature that must be enabled when you set up your CloudFront distribution. Content delivered without this feature enabled will be publicly readable by anyone. There are two options for private content. First, control how the Amazon CloudFront edge locations access your objects in Amazon S3. Second, control how content is delivered from the Amazon CloudFront edge location to end users.
Okay, well done. We made it to the end of data security. Now let's talk about how we can make our systems even more available and more durable using recovery point objectives and recovery time objectives. See you in the next section.
About the Author
Andrew is an AWS certified professional who is passionate about helping others learn how to use and gain benefit from AWS technologies. Andrew has worked for AWS and for AWS technology partners Ooyala and Adobe. His favorite Amazon leadership principle is "Customer Obsession", as everything AWS starts with the customer. His passions outside work are cycling and surfing, and having a laugh about the lessons learnt trying to launch two daughters and a few start-ups.