- Okay, Cloud Academy ninjas. Let's just review some of the important areas for our exam from Data Security. The triple A's: Access, Authentication, and Accounting. In terms of who does what, Amazon is responsible for securing the infrastructure, you as the customer are responsible for anything you put on top of that infrastructure. So, a few things to remember. First off, IAM is the web service that enables us to manage AWS users and AWS user permissions. IAM is not an identity store, or authorization system for your applications, all right? It's not a way to manage permissions within your application. There's three principals with IAM. There's the ROOT user, which is associated with the account, and it cannot be restricted in any way. Then we have our IAM users, and then we have the all-important roles, which provide temporary access with different credentials, which are generally assumed via a temporary token, e.g. the Simple Token Service or STS, that will expire after a set period of time. Now, authentication is via a user name and password if we're logging in via the console, and if we're connecting via an application, access is generally gonna be via using two part access keys, or a temporary token that uses the access key plus a unique session token. Okay, so my exam tip here is that if you do have a question that asks about how you access some sort of resource, it is generally gonna be a role-based one that's correct. Okay? So, look through the question, if there's nothing that trips you up, think, "it's likely to be a role, "that will help you access this thing "with temporary credentials". Now, multi-factor authentication, or MFA, increases the account security by adding a device-specific, one-time password. Now, all IAM policies are in the JSON format, and each policy includes an Effect, a Service Name, an Action, and a Resource. A policy can be associated with an IAM user in two ways. We can use the User Policy, and that only exists in the context of the user. And then we have our managed policies, which exist independently of users, and they're created in the policies tab on the IAM page, or via the command-line interface. Now, a few things to keep in mind with permissions, all right? Permission is denied by default in IAM. So, if an action on a resource has not been explicitly allowed by a policy, access is denied. Now, if two policies contradict each other, the default action is denied. Keep that in mind. Now, a few use cases to think through. If we wanna lock down an account, or reduce vulnerability of an IAM administrator or user account, or even the admin group, we might add multi-factor authentication to the accounts, implement a password policy, and restrict access via IP addresses. Another use case, say our administrator wants to leave the company. Well, first off, we'll change the password, and add multi-factor authentication to the root account. Then we'll rotate the keys and change the passwords for all our IAM user accounts. Then we'll delete the user's personal account, and put IP restrictions on the root account as well. Now, when we're talking about data security, remember that all AWS endpoints use HTTPS to secure data in transit. And when we're looking at what can be done, EC2 instances cannot send spoofed or anonymous network traffic within the VPC.

 So you cannot run an instance in stealth or promiscuous mode in the VPC, all right? AWS CloudFront enables private content to be delivered via signed URLs, signed cookies, and also using a thing called Origin Access Identities. Now, while the signed URLs and the signed cookies control how users access resources through CloudFront, the Origin Access Identity ensures only CloudFront can access your origin files in Amazon S3. Very useful. Port scans are not allowed under the AWS usage policy, so you can't run a port scanner on an instance, and scan all of your neighbors, for example. Penetration testing is allowed, but you need to ask for permission by logging a ticket with the AWS support crew first, and there are rules about what you can and can't do. Now, another A in our triple A is Auditing, and AWS CloudTrail is a vital service for auditing, as it logs all API calls on your account, and it delivers that log to an Amazon S3 Bucket so it can be easily looked at and viewed. Remember that EC2 uses public-key cryptography to encrypt and decrypt your login information. Now, for a Linux instance, there's no password, you use a keypad to log in using SSH, and for Windows instances you use a key pair to obtain the admin password and then you log in using RDP. Now, AWS KMS stands for Key Management Service, and it's a managed service that makes it easy to manage encryption keys. And the benefit of KMS is that it's integrated with your AWS services. You can also use customer-managed keys, and another service available is the AWS CloudHSM, and that's a dedicated key management appliance based on the SafeNet Luna appliances. The benefit of CloudHSM is that it helps you meet corporate or regulatory standards, because your keys are stored in a separate appliance. Okay, one consideration with CloudHSM is that you pay an upfront fee for it, and then an hourly rental fee, so it can be quite an expensive service compared to something like, perhaps, KMS. Now, securing access. The AWS Directory Service is a managed service that enables controlled information about your organization, and some of the access methods that are common are the Microsoft Active Directory, Simple AD, which uses Samba 4, or the AD Connector. And the AD Connector is a proxy service that enables you to connect your on-premise Microsoft Active Directory to the AWS cloud without the need for direct synchronization or the complexity of a hosted federation infrastructure, so it makes it much simpler. Now, you can't set up a trust relationship between Simple AD and another Active Directory domain, all right? And remember that security groups act as your virtual firewall within the VPC. So when you launch an instance, you associate one or more security groups with the instance. Remember that security groups need to have inbound and outbound rules, and security groups can only allow. A security group is our first layer of defense. You can protect your host operating systems using multi-factor authentication, and remember that all access is logged and recorded. Guest operating systems are always controlled by you, the customer. Remember which services offer encryption. Amazon S3, Amazon EBS, Amazon Glacier, AWS Storage Gateway, Amazon RDS, Amazon Redshift, and WorkSpaces. All right? All offer encryption services. Make sure you print these out, these cards out, and stick 'em on your wall, so you're reminding yourself about the great things you need to remember for this exam. One thing I want to stress with IAM security and everything that goes with this domain is that you need to try this out for yourself in the console, okay? Create a user, create roles, set up accounts, learn how every one of the functions works, because it's not something I can give you in a short cut. The only way you're gonna remember this so that you will know how to answer these questions is by trying it out yourself. Okay ninjas, I just want you to pass, so just go and try this out, do it yourself, and let's get into the next domain, all right?