Domain 6 - Security
In this course, you'll gain a solid understanding of the key concepts for Domain Six of the AWS Solutions Architect Professional certification: Security.
By the end of this course, you'll have the tools and knowledge you need to meet the following requirements for this domain:
- Design information security management systems and compliance controls
- Design security controls with the AWS shared responsibility model and global infrastructure
- Design identity and access management controls
- Design protection of Data at Rest controls
- Design protection of Data in Flight and Network Perimeter controls
This course is intended for students seeking to acquire the AWS Solutions Architect Professional certification. It is necessary to have acquired the Associate level of this certification. You should also have at least two years of real-world experience developing AWS architectures.
As stated previously, you will need to have completed the AWS Solutions Architect Associate certification, and we recommend reviewing the relevant learning path in order to be well-prepared for the material in this one.
This Course Includes
- Expert-led instruction and exploration of important concepts.
- Complete coverage of critical Domain Six concepts for the AWS Solutions Architect - Professional certification exam.
What You Will Learn
- Designing ISMS systems and compliance controls
- Designing security controls
- Designing IAM management controls
- Identity and Access Management
- Designing protection of Data at Rest controls
- Designing protection of Data in Flight and Network Perimeter controls
The AWS Well-Architected Framework provides architectural best practices across four pillars for designing reliable, secure, efficient, and cost-effective systems in the cloud: security, reliability, performance efficiency, and cost optimization. The Framework provides a set of questions that allow you to assess an existing or proposed architecture, and also a set of AWS best practices for each pillar. Under security, we talk about the ability to protect information, systems, and assets while delivering business value through risk assessments and mitigation strategies. Under reliability, it's the ability of the system to recover from infrastructure or service failures, dynamically acquire computing resources to meet demand, and mitigate disruptions such as misconfigurations or transient network issues. For performance efficiency, we're looking for the ability to use computing resources efficiently to meet system requirements, and to maintain that efficiency as demand changes and technologies evolve. Cost optimization is the ability to avoid or eliminate unneeded cost or suboptimal resources.
Under the security pillar, we apply security at all layers: rather than just running security appliances, e.g. firewalls, at the edge of your infrastructure, use firewalls and other security controls on all of your resources. Enable traceability: log and audit all actions and changes to your environment. Automate responses to security events: monitor, and automatically trigger responses to, event-driven or condition-driven alerts. And you really need to focus on securing your system. With the AWS Shared Responsibility Model, you can focus on securing your application, your data, and your operating systems, while AWS provides secure infrastructure and services. It's key to look for ways to automate your security as a best practice.
Software-based security mechanisms improve your ability to scale securely, more rapidly and more cost-effectively. For example, create and save a custom baseline image of a virtual server, then use that image automatically on each new server you launch, to reduce issues and ensure durability. Having an Information Security Management System (ISMS) is an important part of maintaining a secure environment. An ISMS strategy will include a threat model and risk management use cases, and having clearly defined criteria is an important part of an ISMS strategy. AWS provides tools to help organizations define an Information Security Management System: the Well-Architected Framework and the AWS Security Center provide templates for defining an ISMS. Platform compliance, data encryption at rest and in transit, and auditing tools such as Amazon CloudWatch, AWS CloudTrail, and AWS Config support detailed implementation of these controls.
Amazon CloudWatch is the cornerstone monitoring tool for AWS. Data is captured in five-minute intervals for basic monitoring, and in one-minute intervals where detailed monitoring is enabled. CloudWatch is very useful when both the dev and security teams need a common way to monitor, and be alerted to, changes in the environment. You can include third-party data as a custom metric, or integrate third-party tools and services. With AWS CloudTrail, you have a web service that logs API calls, and those logs include the identity of the caller, the time of the call, the source IP address, the request parameters, and the response elements. So it's a really good way of being able to audit what's been coming and going from your environment. AWS Config is an inventory and configuration history service that provides information about the configurations and, more importantly, the changes to the configurations in your infrastructure over time.
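As an added example (not part of the course material), the following Python reads constructed records in the CloudTrail event format, extracts the fields just listed (caller identity, time, source IP, request parameters, response elements), and flags mutating API calls made without MFA as the first changes to audit. The read-only name prefixes and the treatment of a missing sessionContext as "no MFA" are assumptions of this example.

```python
import json
# Constructed sample records in the CloudTrail event format (made-up values, not a
# real trail): a read-only call, a mutating call made with an access key and no MFA,
# and a mutating call from an MFA-backed console session.
SAMPLE_TRAIL = json.dumps({"Records": [
    {"eventTime": "2024-05-01T08:00:00Z", "eventSource": "ec2.amazonaws.com",
     "eventName": "DescribeInstances", "sourceIPAddress": "203.0.113.10",
     "userIdentity": {"type": "IAMUser", "arn": "arn:aws:iam::123456789012:user/alice",
                      "sessionContext": {"attributes": {"mfaAuthenticated": "true"}}},
     "requestParameters": {"instancesSet": {}}, "responseElements": None},
    {"eventTime": "2024-05-01T08:05:00Z", "eventSource": "ec2.amazonaws.com",
     "eventName": "AuthorizeSecurityGroupIngress", "sourceIPAddress": "198.51.100.7",
     "userIdentity": {"type": "IAMUser", "arn": "arn:aws:iam::123456789012:user/deploy-bot"},
     "requestParameters": {"groupId": "sg-0123456789abcdef0", "ipPermissions": {"items": [
         {"ipProtocol": "tcp", "fromPort": 22, "toPort": 22, "ipRanges": {"items": [{"cidrIp": "0.0.0.0/0"}]}}]}},
     "responseElements": {"_return": True}},
    {"eventTime": "2024-05-01T08:07:00Z", "eventSource": "iam.amazonaws.com",
     "eventName": "AttachUserPolicy", "sourceIPAddress": "203.0.113.10",
     "userIdentity": {"type": "IAMUser", "arn": "arn:aws:iam::123456789012:user/alice",
                      "sessionContext": {"attributes": {"mfaAuthenticated": "true"}}},
     "requestParameters": {"userName": "bob", "policyArn": "arn:aws:iam::aws:policy/ReadOnlyAccess"},
     "responseElements": None},
]})
# API names that only read state (assumed prefixes); everything else is treated as a change.
READ_PREFIXES = ("Describe", "Get", "List", "Head")

def load_records(trail_json):
    # A CloudTrail log file is a JSON object whose "Records" array holds the events.
    return json.loads(trail_json)["Records"]

def summarize(record):
    """Pull out the audit fields the course lists: who, when, from where, what, and the result."""
    return {
        "who": record["userIdentity"].get("arn", "unknown"),
        "when": record["eventTime"],
        "source_ip": record["sourceIPAddress"],
        "action": record["eventSource"] + ":" + record["eventName"],
        "parameters": record.get("requestParameters"),
        "response": record.get("responseElements"),
    }

def mfa_used(record):
    """MFA state lives in sessionContext; access-key calls have none, so missing means no MFA."""
    attrs = record["userIdentity"].get("sessionContext", {}).get("attributes", {})
    return attrs.get("mfaAuthenticated") == "true"

def flag_changes(trail_json):
    """Return summaries of mutating API calls made without MFA: the changes to audit first."""
    return [summarize(r) for r in load_records(trail_json)
            if not r["eventName"].startswith(READ_PREFIXES) and not mfa_used(r)]
```

Feeding the same function real trail files delivered to S3 (after gunzip) gives a quick first-pass audit list before richer tooling is in place.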
About the Author
Andrew is an AWS certified professional who is passionate about helping others learn how to use and gain benefit from AWS technologies. Andrew has worked for AWS and for AWS technology partners Ooyala and Adobe. His favorite Amazon leadership principle is "Customer Obsession" as everything AWS starts with the customer. Passions around work are cycling and surfing, and having a laugh about the lessons learnt trying to launch two daughters and a few start ups.