Domain three - Summary - Designing Secure Applications and Architectures
- [Narrator] Hello, and welcome to this final lecture within domain three, which is focused on designing secure applications and architectures. To recap, the requirements of knowledge and understanding of this domain were as follows: determine how to secure application tiers, determine how to secure data, and define the networking infrastructure for a single VPC application. Throughout this domain we had a mix of course content and hands-on labs, to help you put into practice some of the mechanisms and methods described. I started off by introducing you to the Identity and Access Management service, known as IAM. This service is used to manage identities and their permissions that are able to access your AWS resources, and so understanding how this service works, and what you can do with it, will help you maintain a secure AWS environment. IAM is an important step in ensuring your resources are secure. In this course, we learned how to set up and configure users, groups, and roles to control which identities have authorization to access specific AWS resources. We also looked at how to implement multi-factor authentication, and how to create and implement IAM policies that allow you to grant and restrict very granular and specific permissions across a range of resources. We looked at how to implement a password policy to align with your internal security controls, and how we'd use identity federation to control access to your resources. And then finally, we looked at the Key Management Service, or KMS, and how it's used in conjunction with Identity and Access Management. Following this, you had the opportunity to get hands-on with the lab, which guided you through how to create and manage IAM users, groups, and policies, to securely control access to AWS services and resources.
I then focused more on the authentication, authorization, and accounting side of things within AWS, which provided an understanding of the different security controls and how they can help you design the correct level of security for your infrastructure. Once an identity has been authenticated, and is authorized to perform specific functions, it's then important that this access can be tracked with regards to usage and resource consumption, so that it can be audited, accounted, and billed for. In this course, we learned the differences between authentication, authorization, and access control; the different authentication mechanisms used by AWS; the different methods of granting authorized access to different AWS resources; and how a combination of authentication and authorization mechanisms can be used to create solid security policies. We also looked at how AWS billing can be used to help spot security breaches. And then finally, how to track a user within AWS, and monitor their actions through monitored API call requests. Following this course, and again to help solidify some theory, you completed another hands-on lab, which guided you through some of the best practices when managing roles and groups within Identity and Access Management. The next course guided you through more security best practices that surround some of the most common container and abstract services. Understanding the security implications, and the responsibility level between you and AWS, enables you to adopt and implement the correct level of security within your infrastructure. In this course, you gained an understanding of the difference between both container and abstract services within AWS, and how security is managed differently between the two. Also, an awareness of how data can be protected at rest and in transit for different services. You gained a comprehension of the importance of network design in increasing the security of abstract and container-based services.
And finally, the ability to apply the correct level of security to your services, depending on your classification, container or abstract, using security features from other AWS services, as well as the service's own built-in protection. Following this course, you then learned about the Key Management Service, or KMS, which is a service that allows you to easily encrypt your data with protected keys, preventing confidential data from being exposed. The service is fully managed and regionally based, making it highly available, with full auditing functions, to encrypt your data within your applications. From this course, you learned how to create a customer master key, or CMK, how to encrypt EBS volumes, how to encrypt S3 objects, how to encrypt RDS storage, and how to audit the use of encryption. Next up was another hands-on lab, this time looking at Amazon CloudWatch, and how you can use this service to monitor for specific security-related events. Within this lab, you learned how to use CloudWatch to monitor a log stream for specific patterns, in this case invalid SSH attempts, and send a notification via the Simple Notification Service, SNS. That now brings me to the end of this summary. Coming up next in this learning path, you will focus on domain four, designing cost-optimized architectures.
Stuart has been working within the IT industry for two decades covering a huge range of topic areas and technologies, from data center and network infrastructure design, to cloud architecture and implementation.
To date, Stuart has created 150+ courses relating to Cloud reaching over 180,000 students, mostly within the AWS category and with a heavy focus on security and compliance.
Stuart is a member of the AWS Community Builders Program for his contributions towards AWS.
He is AWS certified and accredited in addition to being a published author covering topics across the AWS landscape.
In January 2016 Stuart was awarded ‘Expert of the Year Award 2015’ from Experts Exchange for his knowledge share within cloud services to the community.
Stuart enjoys writing about cloud technologies and you will find many of his articles within our blog pages.