This course is focused on the details you need to know for the 20% of the Solutions Architect – Associate for AWS exam that covers data security. You will learn to recognize and explain platform compliance for AWS, and be able to both recognize and implement secure procedures for optimum cloud deployment and maintenance, including understanding the shared responsibility security model, and knowing what that looks like in practice.
- Recognize and explain the AWS shared security responsibility model
- Recognize and implement IAM users, policies and roles
- Recognize and explain how AWS enables you to protect data at rest and in transit
This course is for anyone preparing for the Solutions Architect–Associate for AWS certification exam. We assume you have some existing knowledge and familiarity with AWS, and are specifically looking to get ready to take the certification exam.
Basic knowledge of core AWS functionality. If you haven't already completed it, we recommend our Fundamentals of AWS Learning Path.
This Course Includes:
- 7 Video Lectures
- Everything you need to know about data security to prepare for the Solutions Architect–Associate for AWS certification exam
What You'll Learn
| Lecture | What you'll learn |
| --- | --- |
| Shared Responsibility Model | What's managed by AWS vs. customers |
| Identity and Access Management | How to use IAM to keep your data secure |
| Platform Compliance | Best practices for platform compliance |
| Data at Rest and in Transit | How to secure your data at rest and in transit |
| Identity Federation | Web identity federation |
| CloudFront Security | How to secure Amazon CloudFront |
If you have thoughts or suggestions for this course, please contact Cloud Academy at firstname.lastname@example.org.
- [Instructor] Okay, CloudAcademy ninjas, let's just review some of the important areas for our exam from domain three, Data Security, the triple A's: access, authentication, and accounting. In terms of who does what, Amazon is responsible for securing the infrastructure. You as the customer are responsible for anything you put on top of that infrastructure. So, a few things to remember. First off, IAM is the web service that enables us to manage AWS users and AWS user permissions. IAM is not an identity store or authorization system for your applications. Alright? It's not a way to manage permissions within your application. And there are three principals with IAM. There's the root user, which is associated with the account and cannot be restricted in any way. Then we have our IAM users, and then we have the all-important roles, which provide temporary access with different credentials, which are generally assumed via a temporary token, e.g., the simple token service or STS, that will expire after a set period of time. Now, authentication is via user name and password if we're logging in via the console. And if we're connecting via an application, access is generally gonna be via two-part access keys or a temporary token that uses the access key plus a unique session token. Okay, so my exam tip here is that if you do have a question that asks about how you access some sort of resource, it is generally gonna be a role-based one that's correct. Okay? So, look through the question. If there's nothing that trips you up, think it's likely to be a role that will help you access this thing with temporary credentials. Now, multi-factor authentication, or MFA, increases the account security by adding a device-specific one-time password. Now, all IAM policies are in the JSON format. And each policy includes an effect, a service name, an action, and a resource. A policy can be associated with an IAM user in two ways.
We can use the user policy, and that only exists in the context of the user. And then we have our managed policies, which exist independently of users. And they're created in the Policies tab on the IAM page or via the command line interface. Now, a few things to keep in mind with permissions. Alright? Permission is denied by default in IAM. So, if an action on a resource has not been explicitly allowed by a policy, access is denied. Now, if two policies contradict each other, the default action is denied. Keep that in mind. Now, a few use cases to think through. If we want to lock down an account or reduce the vulnerability of an IAM administrator user account or even the admin group, we might add multi-factor authentication to the accounts, implement a password policy, and restrict access by IP addresses. Another use case: say our administrator wants to leave the company. Well, first off we'll change the password and add multi-factor authentication to the root account. Then we'll rotate the keys and change the passwords for all our IAM user accounts. Then we'll delete the user's personal account and put IP restrictions on the root account as well. Now, when we're talking about data security, remember that all AWS endpoints use HTTPS to secure data in transit. And when we're looking at what can be done, EC2 instances cannot send spoofed or anonymous network traffic within the VPC. So you cannot run an instance in stealth or promiscuous mode in the VPC. Alright? AWS CloudFront enables private content to be delivered via signed URLs, signed cookies, and also a thing called Origin Access Identities. Now, while the signed URLs and the signed cookies control how users access resources through CloudFront, the Origin Access Identity ensures only CloudFront can access your origin files in Amazon S3. Very useful. Port scans are not allowed under the AWS usage policy. So you can't run a port scanner on an instance and scan all of your neighbors, for example.
Penetration testing is allowed, but you need to ask for permission by logging a ticket with the AWS support crew first. And there are rules about what you can and can't do. Now, another A in our AAA is auditing, and AWS CloudTrail is a vital service for auditing as it logs all API calls on your account and delivers that log to an Amazon S3 bucket. So, it can be easily looked at and viewed. Remember that EC2 uses public key cryptography to encrypt and decrypt your login information. Now, for Linux instances, there's no password. You use a key pair to log in using SSH. And for Windows instances you use a key pair to obtain the admin password and then you log in using RDP. Now, AWS KMS stands for Key Management Service, and it's a managed service that makes it easy to manage encryption keys. And the benefit of KMS is that it's integrated with your AWS services. You can also use custom and managed keys. And another service available is AWS CloudHSM, and that's a dedicated key management appliance based on the SafeNet Luna appliances. The benefit of CloudHSM is that it helps you meet corporate or regulatory standards because your keys are stored in the separate appliance. Okay, one consideration with CloudHSM is that you pay an upfront fee for it, and then an hourly rental fee. So, it can be quite an expensive service compared to something like perhaps KMS. Now, securing access. The AWS Directory Service is a managed service that enables controlled information about your organization, and some of the access methods that are common are Microsoft Active Directory, Simple AD, which uses Samba 4, or the AD Connector. And the AD Connector is a proxy service that enables you to connect your on-premises Microsoft Active Directory to the AWS Cloud without the need for directory synchronization or the complexity of a hosted federation infrastructure. So, it makes it much simpler.
Now, you can't set up a trust relationship between Simple AD and another Active Directory domain. Alright? And remember that security groups act as your virtual firewall within the VPC. So when you launch an instance, you associate one or more security groups with the instance. Remember that security groups need to have inbound and outbound rules. And security groups can only allow. A security group is our first layer of defense. You can protect your host operating systems using multi-factor authentication. And remember that all access is logged and recorded. Guest operating systems are always controlled by you, the customer. Remember which services offer encryption: Amazon S3, Amazon EBS, Amazon Glacier, AWS Storage Gateway, Amazon RDS, Amazon Redshift, and WorkSpaces. Alright, all offer encryption services. Make sure you print these cards out and stick them on your wall so you're reminding yourself about the great things you need to remember for this exam. One thing I want to stress with IAM security and everything that goes with this domain is that you need to try this out for yourself in the console. Okay? Create a user, create roles, set up accounts, learn how every one of the functions works, because it's not something I can give you in a shortcut. The only way you're going to remember this so that you will know how to answer these questions is by trying it out yourself. Okay, ninjas? I just want you to pass, so just go and try this out. Alright! Let's get into the next domain.
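The two IAM evaluation rules the lecture stresses (denied by default, and a contradiction between policies resolves to deny) as an added example that is not part of the course: a small Python evaluator run over two constructed policies, an inline user policy and a managed policy, using simplified wildcard matching and ignoring Condition blocks and principals.

```python
import fnmatch
import json

# Constructed sample policies for illustration (not from the course): an inline
# user policy that allows reading one bucket, and a managed policy that allows
# broad reads but explicitly denies everything under a "secret/" prefix.
USER_POLICY = json.loads("""{
  "Version": "2012-10-17",
  "Statement": [
    {"Effect": "Allow", "Action": "s3:GetObject",
     "Resource": "arn:aws:s3:::example-bucket/*"}
  ]
}""")
MANAGED_POLICY = json.loads("""{
  "Version": "2012-10-17",
  "Statement": [
    {"Effect": "Allow", "Action": ["s3:ListBucket", "s3:GetObject"],
     "Resource": "arn:aws:s3:::*"},
    {"Effect": "Deny", "Action": "s3:*",
     "Resource": "arn:aws:s3:::example-bucket/secret/*"}
  ]
}""")

def _as_list(value):
    # IAM lets Action and Resource be a single string or a list of strings.
    return value if isinstance(value, list) else [value]

def _statement_matches(stmt, action, resource):
    # Simplified matching: IAM wildcards (* and ?) in Action and Resource,
    # action names compared case-insensitively; Condition blocks are ignored.
    acts = [a.lower() for a in _as_list(stmt.get("Action", []))]
    res = _as_list(stmt.get("Resource", []))
    return (any(fnmatch.fnmatchcase(action.lower(), a) for a in acts)
            and any(fnmatch.fnmatchcase(resource, r) for r in res))

def evaluate(policies, action, resource):
    """Return 'ExplicitDeny', 'Allow' or 'ImplicitDeny' for one request.
    An explicit Deny in any policy wins; otherwise an explicit Allow grants;
    otherwise nothing allowed it, so the request is denied by default."""
    decision = "ImplicitDeny"
    for policy in policies:
        for stmt in policy["Statement"]:
            if not _statement_matches(stmt, action, resource):
                continue
            if stmt["Effect"] == "Deny":
                return "ExplicitDeny"
            decision = "Allow"
    return decision
```

Reading a key under `secret/` is denied even though the user policy allows it, and any action no statement allows (for example `s3:PutObject`) falls through to the implicit deny.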
About the Author
Head of Content
Andrew is an AWS certified professional who is passionate about helping others learn how to use and gain benefit from AWS technologies. Andrew has worked for AWS and for AWS technology partners Ooyala and Adobe. His favorite Amazon leadership principle is "Customer Obsession" as everything AWS starts with the customer. Passions around work are cycling and surfing, and having a laugh about the lessons learnt trying to launch two daughters and a few start ups.