Protecting Web Apps with AWS WAF
AWS Security Hub
The course is part of this learning path
In this section of the AWS Certified: SAP on AWS Specialty learning path, we introduce you to the various Security services currently available in AWS that are relevant to the PAS-C01 exam.
- Understand the purpose of AWS user and identity management
- Identify resources and capabilities for AWS network security
- Understand how to evaluate the security of an AWS environment
- Describe AWS services used to create a comprehensive security solution for SAP deployments
The AWS Certified: SAP on AWS Specialty certification has been designed for anyone who has experience managing and operating SAP workloads. Ideally you’ll also have some exposure to the design and implementation of SAP workloads on AWS, including migrating these workloads from on-premises environments. Many exam questions will require a solutions architect level of knowledge for many AWS services, including AWS Security services. All of the AWS Cloud concepts introduced in this course will be explained and reinforced from the ground up.
Hello and welcome to this lecture where I am going to be looking at AWS Trusted Advisor, explaining what it is and the different components that make up this service.
Trusted Advisor plays an integral part in helping you to optimize your infrastructure across a number of key areas, allowing you to make decisions upon recommendations made by the service which follow and best practices that have been honed over the years by AWS.
The service itself can be found within the AWS Management Console under the Management & Governance category, alongside services such as Amazon CloudWatch, Control Tower and Systems Manager.
The main function of Trusted Advisor is to recommend improvements across your AWS account to help optimize and streamline your environment based on these AWS best practices. These recommendations cover 5 distinct categories:
- Cost optimization - Helps to identify ways in which you could optimize your resources to help you reduce costs by implementing features such as reserved capacity and removing unused capacity
- Performance - This reviews your resources to highlight any potential performance issues across your infrastructure, determining if you could take benefits from performance-enhancing capabilities such as provisioned throughput
- Security - This analyses your environment for any potential security weaknesses or vulnerabilities that could potentially lead to a breach.
- Fault Tolerance - This helps to suggest best practices to maintain service operations by increasing resiliency, should a fault or incident occur across your resources.
- Service Limit - This identifies and warns you when your resources reach 80% capacity of their service limit quota.
Within each of these 5 categories, Trusted Advisor has a list of control points and checks to see how your account, resources and architecture is implemented to determine if you’re aligned with best practice. So it essentially acts as an automatic auditor across your account, which can save you money, increase the efficiency of your resources, maintain a tighter and more secure environment, help to ensure your resources remain operational should a failure occur and that you remain in line with your service limitations, allowing you to request an increase where possible.
Between the 5 different categories and at the time of writing this course, there are over 115 different checks. Please note, that the number of these checks are constantly changing, so for the most up to date figures, please review the following link: https://aws.amazon.com/premiumsupport/technology/trusted-advisor/best-practice-checklist/
Although there are a lot of these checks that Trusted Advisor can perform, not all of them are freely available to anyone with an AWS account. The list of checks that you have access to is very dependent on the support agreement with hold with AWS.
The full power and potential of AWS Trusted Advisor is only available if you have a Business or Enterprise Support Plan with AWS. Without either of these plans then you will only have access to 6 core checks in the security category and all the Service Limits
The 6 checks within security are as follows:
- S3 Bucket permissions
- Security Groups - Specific Ports Unrestricted
- EBS Public Snapshots
- RDS Public Snapshots
- IAM Use
- MFA on root account
At the time of writing this course, here are the available service limit checks.
Now if you compare this to the full list of checks here: https://aws.amazon.com/premiumsupport/technology/trusted-advisor/best-practice-checklist/
….that are included with Business and Enterprise support plans, you will see that the full checklist can provide a huge wealth of valuable information to help you optimise your infrastructure.
In addition to these extra checks that these support plans offer, you will also get the additional benefit of being able to administer certain functions of Trusted Advisor, such as:
- being able to track the most recent changes to your AWS account by bringing them to the top of your AWS Trusted Advisor dashboard.
- using the AWS Support API to retrieve and refresh trusted advisor results.
- Also you’ll have the added advantage of having Amazon CloudWatch integration to detect and react to changes made to your Trusted Advisor checks
There are also a number of features that everyone has access to, including those outside of the Enterprise and Business support plans, these being:
- Trusted Advisor Notifications - This is an opt-in or opt-out feature which is completely free to everyone and can be configured within the preferences pane of the Trusted Advisor console. It tracks your resource check changes and cost saving estimates over the course of a week and it will then email up to 3 recipients, for billing, operations and security notifications with a report.
- Exclude Items - This allows you to select specific resources to be excluded from appearing in the console within a specific check. You may want to do this if you are not interested in the reporting for that particular resource and so you decide to exclude it. You can decide to include it again at any point if you do change your mind. This feature can make viewing and managing your checks easier by eliminating some resources within the console.
- Action Links - Many of the items identified within the Checks against resources have hyperlinks associated, these are known as Action Links which allow quick access to the resource in question allowing you to remediate the issue identified. For example, if you reached 80% of the number of VPC’s within a Region, the ‘VPC’ Service Limit Check would highlight this as an issue. The Action Link against the resource would lead you to an AWS Support Center page to create a case to increase the quantity of VPCs you’re allowed within a single region.
- Access Management - AWS Trusted Advisor is tightly integrated within Identity & Access Management. You can grant different levels of access to Trusted Advisor, including Full Access, Read Only, or even restrict access down to specific Categories, Checks and Actions. For example, the following IAM policy allows access to AWS Trusted Advisor, but denies the user from performing a refresh and updating notification preferences.
For a full list of IAM permissions using the trustedadvisor namespace please see the following AWS reference: https://docs.aws.amazon.com/awssupport/latest/user/security-trusted-advisor.html
- Refresh - The data within Trusted Advisor is automatically refreshed if the data is more than 24 hours old when you view it within the console. However, after any refresh, you can perform a manual refresh 5 minutes after the previous refresh. You can either choose to perform a refresh against individual checks or against all checks.
Before I finish this lecture I just want to give a high level overview of how Trusted Advisor works in a few simple steps:
- Once you connect to AWS Trusted Advisor, the service will scan your infrastructure
- It will then compare the state of your infrastructure against best practices defined within the 5 categories of Cost Optimization, Security, Performance, Fault Tolerance and service limits
- The output of this scan will generate a number of recommendations of how your infrastructure could be optimised with a priority factor
- This then allows you to optimize your resources based on the recommendations
AWS Trusted Advisor uses a service-linked IAM role to access you resources, named AWSTrustedAdvisorServiceRolePolicy. This is a predefined role created by AWS and allows the services to call other services on your behalf. The policy summary of this role is as shown here and helps to define which AWS services that Trusted Advisor communicates with.
Please be aware that this list will change over time, so for an updated list please refer to the role within IAM to determine which services AWSTrustedAdvisorServiceRolePolicy has access to.
Stuart has been working within the IT industry for two decades covering a huge range of topic areas and technologies, from data center and network infrastructure design, to cloud architecture and implementation.
To date, Stuart has created 150+ courses relating to Cloud reaching over 180,000 students, mostly within the AWS category and with a heavy focus on security and compliance.
Stuart is a member of the AWS Community Builders Program for his contributions towards AWS.
He is AWS certified and accredited in addition to being a published author covering topics across the AWS landscape.
In January 2016 Stuart was awarded ‘Expert of the Year Award 2015’ from Experts Exchange for his knowledge share within cloud services to the community.
Stuart enjoys writing about cloud technologies and you will find many of his articles within our blog pages.