Domain 6 - Security
In this course, you'll gain a solid understanding of the key concepts for Domain Six of the AWS Solutions Architect Professional certification: Security.
By the end of this course, you'll have the tools and knowledge you need to successfully accomplish the following requirements for this domain, including:
- Design information security management systems and compliance controls
- Design security controls with the AWS shared responsibility model and global infrastructure
- Design identity and access management controls
- Design protection of Data at Rest controls
- Design protection of Data in Flight and Network Perimeter controls
This course is intended for students seeking to acquire the AWS Solutions Architect Professional certification. It is necessary to have acquired the Associate level of this certification. You should also have at least two years of real-world experience developing AWS architectures.
As stated previously, you will need to have completed the AWS Solutions Architect Associate certification, and we recommend reviewing the relevant learning path in order to be well-prepared for the material in this one.
This Course Includes
- Expert-led instruction and exploration of important concepts.
- Complete coverage of critical Domain Six concepts for the AWS Solutions Architect - Professional certification exam.
What You Will Learn
- Designing ISMS systems and compliance controls
- Designing security controls
- Designing IAM management controls
- Identity and Access Management
- Designing protection of Data at Rest controls
- Designing protection of Data in Flight and Network Perimeter controls
All right, a few things to remember with security.
Cloud HSM suits security or requirements where role separation is a priority. With Cloud HSM workflow ideally, only the security officer will have permission to access or manage the keys. So when role separation ids a requirement Cloud HSM, or a hardware security module is going to provide that best level of key management.
Simple token Service uses the assumeRole function when creating temporary credentials.
Generally, you'd use a SAML2 two compliant identity provider to authenticate corporate users into the AWS console.
By default, security groups deny all inbound traffic. Allow all outbound traffic. And allow instances associated with a security group to talk to each other.
Security groups can only allow the word access control lists can allow and deny.
Viable threat mitigation strategies include adding Amazon CloudFront, setting up Amazon CloudWatch alerts. And defining a response strategy.
Using roles is generally always a better option than embedding or passing user credentials.
Resource based tagging can be used in conjunction with roles and for delete to prevent accidental deletion of instances.
DynamoDB fine grain access can be used to control access to DynamoDB data. This works well with web identity feeration. As an example, you might have a user log into a game, using their Facebook or Amazon ID. DynamoDB finegrain access permissions allow you to grant permissions on a table, but restrict access to specific items in that table based on a certain primary key value.
So, you might want to have that user only able to access table rows and data items that they own. So the IAM permissions policy allows the user to access only those items in the table where the partition key value matches the user identifier. And we might limit access based on the IAM substitute variables from that user authentication. You can use the IAM condition element to implement a finegrain access control policy. By adding the condition element to the permissions policy you can then allow or deny access to items and attributes in DynamoDB tables and indexes.
Finegrain access also allows you to hide information so that only a subset of attributes are visible to a user.
About the Author
Andrew is an AWS certified professional who is passionate about helping others learn how to use and gain benefit from AWS technologies. Andrew has worked for AWS and for AWS technology partners Ooyala and Adobe. His favorite Amazon leadership principle is "Customer Obsession" as everything AWS starts with the customer. Passions around work are cycling and surfing, and having a laugh about the lessons learnt trying to launch two daughters and a few start ups.