Domain 2: Security and Compliance
Task Statement 2.1: Understand the AWS Shared Responsibility Model
Focus on differentiating security responsibilities between AWS and the customer.
Recognize when and to what extent customers need to secure AWS resources.
Task Statement 2.2: Understand AWS Cloud Security, Governance, and Compliance Concepts
Emphasis on understanding the key concepts of security, governance, and compliance in AWS.
Task Statement 2.3: Identify AWS Access Management Capabilities
Focus on the customer's responsibility for access management in AWS.
Understanding the tools and mechanisms for managing access to AWS environments.
Task Statement 2.4: Identify Components and Resources for Security
Knowledge of various security features available in AWS.
Understanding the customer's role in enabling and managing these security features.
Course Structure
Series of videos, each addressing individual task statements.
Aim to prepare for examination on AWS security and compliance concepts.
Upcoming Topics
Detailed exploration of the AWS Shared Responsibility Model.
Examination of security features within AWS and the customer's role in their activation.
Analysis of access management and security best practices in AWS.
Task Statement 2.1: Understand the AWS Shared Responsibility Model
Overview of the AWS Shared Responsibility Model
Delineates responsibilities of AWS and the customer regarding system security.
AWS: Responsible for security of the cloud.
Customer: Responsible for security in the cloud (data, applications, etc.).
AWS Responsibilities
Management of global infrastructure: Regions, Availability Zones, edge locations.
Security and management of underlying hardware, network, compute, storage, databases.
Software required to run and manage these services.
Customer Responsibilities
Management of the operating system and everything above it:
Client-side data encryption, integrity, and authentication.
Server-side encryption and network traffic protection (e.g., TLS/SSL certificates).
Operating system, network, and firewall configurations.
Application security and identity and access management.
Security and backup of customer data.
Variability of Responsibilities Based on Services
Customers' security responsibilities vary depending on whether the service is managed or unmanaged.
Managed services (e.g., Amazon RDS): AWS takes on more of the security and management tasks.
Unmanaged services (e.g., Amazon EC2): the customer has more control and therefore more security responsibility.
Specific Service Responsibility Examples
Amazon RDS: AWS patches the database engine and the underlying operating system; the customer still chooses the maintenance window and controls database users, encryption, and network access to the instance.
Amazon EC2: the customer patches the guest operating system and everything installed on it.
Exam Focus
Differentiating responsibilities between AWS and the customer for various services.
Understanding how responsibilities shift with managed vs. unmanaged services.
Next Steps
Proceed to Task Statement 2.2: Cloud Security, Governance, and Compliance.
Task Statement 2.2: Understand AWS Cloud Security, Governance, and Compliance Concepts
Compliance on AWS
Importance of considering security and compliance in AWS designs.
Awareness of AWS compliance programs and where to find compliance information.
AWS Artifact: On-demand access to AWS security and compliance documents.
Compliance Variability Across Services
Compliance requirements vary from service to service.
Understanding where to find compliance information, not memorization of compliance details for each service.
Security Measures on AWS
Protecting systems and information as the primary goal.
Additional security options beyond security groups and NACLs:
AWS WAF: Web application firewall.
Amazon GuardDuty: Threat detection service.
AWS Shield: DDoS protection.
Encryption Fundamentals
Differentiating between data encryption in transit and at rest.
Understanding responsibility for enabling encryption per service.
Logging, Auditing, and Reporting
Importance of logs for troubleshooting and auditing AWS account activity.
Key services:
Amazon CloudWatch: Monitoring and operational data collection.
AWS CloudTrail: Records the API calls made in the account (who called what, when, and from where), including resource creation and deletion.
AWS Config: Records resource configuration history and evaluates it against rules.
Specific Use Case: Identifying User Actions
AWS CloudTrail for auditing actions like EC2 instance deletion.
AWS Audit Manager for continuously collecting evidence and mapping it to compliance frameworks.
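The "who deleted this instance?" question above, worked through in code. This is an added example, not code from the original notes or from AWS: a CloudTrail log file is JSON with a top-level "Records" array, and the field names used here (eventSource, eventName, eventTime, sourceIPAddress, userIdentity, requestParameters.instancesSet.items, errorCode) are the ones CloudTrail writes for ec2:TerminateInstances. The three records in SAMPLE_LOG, the account ID, user names and instance IDs are constructed.

```python
"""Who terminated an EC2 instance? Answered from CloudTrail records.

Added example. CloudTrail records failed (denied) calls as well as successful
ones, so the parser keeps both and marks which is which.
"""
import json

SAMPLE_LOG = json.dumps({"Records": [
    {   # an unrelated, successful launch by an IAM user
        "eventTime": "2024-03-01T10:15:02Z", "eventSource": "ec2.amazonaws.com",
        "eventName": "RunInstances", "awsRegion": "us-east-1",
        "sourceIPAddress": "203.0.113.7",
        "userIdentity": {"type": "IAMUser",
                         "arn": "arn:aws:iam::111122223333:user/alice"},
        "requestParameters": {"instancesSet": {"items": [{"imageId": "ami-0123456789abcdef0"}]}},
    },
    {   # a successful termination by an assumed role, without MFA
        "eventTime": "2024-03-01T11:42:55Z", "eventSource": "ec2.amazonaws.com",
        "eventName": "TerminateInstances", "awsRegion": "us-east-1",
        "sourceIPAddress": "198.51.100.23",
        "userIdentity": {"type": "AssumedRole",
                         "arn": "arn:aws:sts::111122223333:assumed-role/Admin/bob",
                         "sessionContext": {"attributes": {"mfaAuthenticated": "false"}}},
        "requestParameters": {"instancesSet": {"items": [
            {"instanceId": "i-0abc123def456789a"}, {"instanceId": "i-0fedcba987654321b"}]}},
    },
    {   # a termination attempt that IAM refused
        "eventTime": "2024-03-01T12:00:00Z", "eventSource": "ec2.amazonaws.com",
        "eventName": "TerminateInstances", "awsRegion": "eu-west-1",
        "sourceIPAddress": "203.0.113.7",
        "userIdentity": {"type": "IAMUser",
                         "arn": "arn:aws:iam::111122223333:user/alice"},
        "requestParameters": {"instancesSet": {"items": [{"instanceId": "i-0111111111111111c"}]}},
        "errorCode": "Client.UnauthorizedOperation",
    },
]})


def find_terminations(log_text):
    """One summary dict per ec2:TerminateInstances record, failed calls included."""
    out = []
    for rec in json.loads(log_text)["Records"]:
        if rec.get("eventSource") != "ec2.amazonaws.com" or rec.get("eventName") != "TerminateInstances":
            continue
        items = rec.get("requestParameters", {}).get("instancesSet", {}).get("items", [])
        ident = rec.get("userIdentity", {})
        mfa = ident.get("sessionContext", {}).get("attributes", {}).get("mfaAuthenticated")
        out.append({
            "time": rec["eventTime"],
            "principal": ident.get("arn"),
            "principal_type": ident.get("type"),
            "source_ip": rec.get("sourceIPAddress"),
            "region": rec.get("awsRegion"),
            "instances": [i["instanceId"] for i in items if "instanceId" in i],
            "succeeded": "errorCode" not in rec,   # denied calls carry an errorCode
            "mfa": mfa == "true",                  # absent for plain IAM users
        })
    return out


def who_terminated(log_text, instance_id):
    """Principal ARN behind the successful termination of instance_id, or None."""
    for ev in find_terminations(log_text):
        if ev["succeeded"] and instance_id in ev["instances"]:
            return ev["principal"]
    return None


if __name__ == "__main__":
    for ev in find_terminations(SAMPLE_LOG):
        status = "terminated" if ev["succeeded"] else "DENIED"
        print(f'{ev["time"]} {status} {ev["instances"]} by {ev["principal"]} '
              f'from {ev["source_ip"]} mfa={ev["mfa"]}')
```

Two details matter in practice: the denied attempt is still in the trail (errorCode set), which is exactly the kind of event worth alerting on, and the assumed-role record shows the session's MFA state, so an admin role used without MFA is visible in the same query.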
Least Privilege Access
Following the principle of least privilege for AWS account access.
Next Steps
Proceed to Task Statement 2.3: Access Management in AWS.
Task Statement 2.3: Identify AWS Access Management Capabilities
User and Identity Management
Importance of user access control in AWS.
Principle of least privilege: Granting minimal necessary access.
AWS IAM (Identity and Access Management) for user and access management.
AWS Account Fundamentals
AWS accounts as the basis for provisioning services and logging usage.
Importance of securing the AWS account root user.
Recommendations for root user protection: enable multi-factor authentication, store the credentials securely, delete any root user access keys rather than merely rotating them, and use the root user only for the few tasks that require it.
Root User Management
Understanding tasks requiring root user access.
Differentiating between root user and other user types in terms of access and permissions.
Best practices for root user security.
IAM Features
IAM Users: Username/password, access keys, MFA, password policies.
IAM Groups: Organizing users and managing group-level permissions.
IAM Roles: Temporary credentials for various use cases (e.g., cross-account access, AWS service permissions).
Amazon Cognito
Amazon Cognito Identity Pool for temporary AWS credentials.
Use of Amazon Cognito for authenticated and unauthenticated users.
IAM Policies
AWS managed policies: Created and maintained by AWS (e.g., AmazonS3ReadOnlyAccess).
Customer managed policies: Standalone policies created and maintained by the customer; inline policies are instead embedded directly in a single user, group, or role.
IAM Policy Simulator for policy testing and troubleshooting.
S3 Security
Bucket Policies vs. IAM User Policies for Amazon S3 access control.
Resource-based vs. identity-based policies.
MFA Delete: On a versioned bucket, requires MFA to permanently delete an object version or change the bucket's versioning state; it can only be enabled by the root user of the bucket owner's account.
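The bucket-policy-versus-identity-policy distinction above, simulated so the outcomes can be predicted by hand. This is an added example, not code from the original notes or from AWS. It models the decision logic for a principal in the bucket's own account: identity-based policies (on the user or role) and the bucket's resource-based policy are evaluated together, an explicit Deny anywhere wins, and with no matching Allow the request is implicitly denied. Only Effect, Principal, Action, Resource and a Bool condition on aws:SecureTransport are modelled; real IAM evaluates much more (SCPs, permission boundaries, session policies). The account ID, ARNs and bucket name are constructed.

```python
"""Identity-based vs resource-based policy evaluation for S3, simulated.

Added example. evaluate() returns 'Allow', 'ExplicitDeny' or 'ImplicitDeny'
for one request against one principal's identity policies plus the bucket policy.
"""
from fnmatch import fnmatchcase

ACCOUNT = "111122223333"                       # constructed
BUCKET_ARN = "arn:aws:s3:::example-bucket"     # constructed
USER_ARN = f"arn:aws:iam::{ACCOUNT}:user/app-user"
ROLE_ARN = f"arn:aws:iam::{ACCOUNT}:role/report-reader"

# Identity-based policy attached to app-user.  No Principal element: it
# applies to whichever identity it is attached to.
IDENTITY_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Allow",
        "Action": ["s3:GetObject", "s3:ListBucket"],
        "Resource": [BUCKET_ARN, BUCKET_ARN + "/*"],
    }],
}

# Resource-based policy on the bucket.  Statement 1 refuses any request not
# sent over TLS; statement 2 grants the report-reader role read access on its
# own, with no identity-based policy needed (same-account case).
BUCKET_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Deny",
            "Principal": "*",
            "Action": "s3:*",
            "Resource": [BUCKET_ARN, BUCKET_ARN + "/*"],
            "Condition": {"Bool": {"aws:SecureTransport": "false"}},
        },
        {
            "Effect": "Allow",
            "Principal": {"AWS": ROLE_ARN},
            "Action": "s3:GetObject",
            "Resource": BUCKET_ARN + "/reports/*",
        },
    ],
}


def _as_list(value):
    return value if isinstance(value, list) else [value]


def _principal_matches(stmt, principal_arn):
    if "Principal" not in stmt:          # identity-based statement
        return True
    principal = stmt["Principal"]
    if principal == "*":
        return True
    return principal_arn in _as_list(principal.get("AWS", []))


def _condition_matches(stmt, context):
    # Only the Bool operator is modelled; a missing context key never matches.
    for key, expected in stmt.get("Condition", {}).get("Bool", {}).items():
        if key not in context or str(context[key]).lower() != str(expected).lower():
            return False
    return True


def _applies(stmt, principal_arn, action, resource, context):
    return (_principal_matches(stmt, principal_arn)
            and any(fnmatchcase(action, a) for a in _as_list(stmt["Action"]))
            and any(fnmatchcase(resource, r) for r in _as_list(stmt["Resource"]))
            and _condition_matches(stmt, context))


def evaluate(principal_arn, action, resource, identity_policies, resource_policy, context):
    """Return 'Allow', 'ExplicitDeny' or 'ImplicitDeny' for a single request."""
    decision = "ImplicitDeny"
    for policy in list(identity_policies) + [resource_policy]:
        for stmt in policy["Statement"]:
            if not _applies(stmt, principal_arn, action, resource, context):
                continue
            if stmt["Effect"] == "Deny":
                return "ExplicitDeny"         # explicit deny beats any allow
            decision = "Allow"
    return decision


def demo():
    """The cases a practitioner should be able to predict before running this."""
    tls, plain = {"aws:SecureTransport": "true"}, {"aws:SecureTransport": "false"}
    obj, report = BUCKET_ARN + "/data.csv", BUCKET_ARN + "/reports/q1.pdf"
    return {
        "user_get_over_tls": evaluate(USER_ARN, "s3:GetObject", obj, [IDENTITY_POLICY], BUCKET_POLICY, tls),
        "user_get_over_http": evaluate(USER_ARN, "s3:GetObject", obj, [IDENTITY_POLICY], BUCKET_POLICY, plain),
        "user_put": evaluate(USER_ARN, "s3:PutObject", obj, [IDENTITY_POLICY], BUCKET_POLICY, tls),
        "role_get_report": evaluate(ROLE_ARN, "s3:GetObject", report, [], BUCKET_POLICY, tls),
        "role_get_other": evaluate(ROLE_ARN, "s3:GetObject", obj, [], BUCKET_POLICY, tls),
    }


if __name__ == "__main__":
    for case, result in demo().items():
        print(f"{case:20s} -> {result}")
```

The two cases worth remembering for the exam are user_get_over_http (an identity policy says Allow, but the bucket policy's explicit Deny wins) and role_get_report (a same-account principal can be granted access by the bucket policy alone).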
Next Steps
Proceed to Task Statement 2.4: Components and Resources for Security in AWS.
Task Statement 2.4: Identify Components and Resources for Security Support
Network Security in AWS
Basic functionality of AWS security services: Security Groups, Network ACLs, AWS WAF.
Understanding use cases and differences between these services.
Network Access Control Lists (NACLs)
Function as a firewall at the subnet level in an Amazon VPC.
Stateless: Separate rules for inbound and outbound traffic; return traffic (e.g., on ephemeral ports) must be allowed explicitly. Rules are evaluated in ascending rule-number order, the first match wins, and a catch-all deny sits at the end.
Security Groups
Operate at the resource level (the resource's network interface; e.g., EC2, RDS).
Stateful: A reply to an allowed connection is permitted regardless of the rules in the other direction.
Allow rules only; anything not explicitly allowed is denied (there are no deny rules).
Rules can reference other security group IDs as source or destination instead of IP ranges.
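The stateless-versus-stateful difference above, simulated. This is an added example, not code from the original notes or from AWS: a NetworkAcl checks each direction independently, in ascending rule number, first match wins, with an implicit deny at the end; a SecurityGroup has only allow rules and remembers allowed connections so the reply gets back out. The client addresses, ports and rule sets are constructed; the rule evaluation order and the reply-tracking behaviour are the ones the notes describe.

```python
"""Stateless network ACL vs stateful security group, simulated.

Added example.  http_exchange() pushes one HTTP request and its reply through
both layers and reports which of the two got through.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

EPHEMERAL = (1024, 65535)   # client-side source ports that replies go back to
ANY = "0.0.0.0/0"


@dataclass(frozen=True)
class Packet:
    direction: str     # "in": remote -> instance, "out": instance -> remote
    remote_ip: str
    remote_port: int
    local_port: int


@dataclass(frozen=True)
class NaclRule:
    number: int
    direction: str
    cidr: str          # remote network: source for "in", destination for "out"
    ports: tuple       # inclusive (low, high) on the packet's destination port
    action: str        # "allow" or "deny"


def _matches(pkt, cidr, ports):
    dst_port = pkt.local_port if pkt.direction == "in" else pkt.remote_port
    return (ip_address(pkt.remote_ip) in ip_network(cidr, strict=False)
            and ports[0] <= dst_port <= ports[1])


class NetworkAcl:
    """Stateless: no memory of earlier packets, each direction on its own."""

    def __init__(self, rules):
        self.rules = sorted(rules, key=lambda r: r.number)

    def allows(self, pkt):
        for rule in self.rules:
            if rule.direction == pkt.direction and _matches(pkt, rule.cidr, rule.ports):
                return rule.action == "allow"      # first match decides
        return False                                # the catch-all "*" deny


class SecurityGroup:
    """Stateful: allow rules only, plus connection tracking."""

    def __init__(self, inbound, outbound):
        self.rules = {"in": inbound, "out": outbound}   # lists of (cidr, ports)
        self._tracked = set()

    def allows(self, pkt):
        flow = (pkt.remote_ip, pkt.remote_port, pkt.local_port)
        if flow in self._tracked:
            return True                                 # reply to an allowed connection
        if any(_matches(pkt, cidr, ports) for cidr, ports in self.rules[pkt.direction]):
            self._tracked.add(flow)
            return True
        return False                                    # nothing else is allowed


def http_exchange(nacl, sg, client_ip="203.0.113.10", client_port=50000):
    """Run a client request to port 80 and the server's reply through both layers."""
    request = Packet("in", client_ip, client_port, 80)
    reply = Packet("out", client_ip, client_port, 80)
    request_ok = nacl.allows(request) and sg.allows(request)
    reply_ok = request_ok and sg.allows(reply) and nacl.allows(reply)
    return {"request": request_ok, "reply": reply_ok}


def web_sg():
    # Outbound deliberately empty: the reply still leaves because the inbound
    # connection was tracked.  (A real default security group allows all outbound.)
    return SecurityGroup(inbound=[(ANY, (80, 80))], outbound=[])


def nacl_missing_ephemeral():
    # Allows HTTP in but has no outbound rule for replies: the request arrives,
    # the response is silently dropped.  A classic NACL mistake.
    return NetworkAcl([NaclRule(100, "in", ANY, (80, 80), "allow")])


def nacl_fixed(blocked="198.51.100.0/24"):
    # Explicit outbound rule for return traffic, plus a lower-numbered deny
    # that is evaluated before the broad allow.
    return NetworkAcl([
        NaclRule(90, "in", blocked, (80, 80), "deny"),
        NaclRule(100, "in", ANY, (80, 80), "allow"),
        NaclRule(100, "out", ANY, EPHEMERAL, "allow"),
    ])


if __name__ == "__main__":
    print("missing ephemeral rule:", http_exchange(nacl_missing_ephemeral(), web_sg()))
    print("fixed NACL:            ", http_exchange(nacl_fixed(), web_sg()))
    print("blocked client:        ", http_exchange(nacl_fixed(), web_sg(), client_ip="198.51.100.9"))
```

The first run is the case that catches people: the security group lets the reply out because it tracked the connection, but the stateless NACL drops it on the way out because nothing allows the ephemeral destination port. The third run shows why rule numbering matters: the deny at 90 is hit before the allow at 100.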
AWS WAF
Web application firewall to filter web traffic based on specific conditions.
Use cases: Blocking SQL injection and cross-site scripting attacks.
Security Assessments and Penetration Testing
Customers may run security assessments and penetration tests against a published list of their own AWS resources (e.g., EC2, RDS, Lambda) without prior approval; denial-of-service testing remains prohibited.
Awareness of AWS Trusted Advisor (account-level best-practice checks) and Amazon Inspector (vulnerability scanning of workloads) for security recommendations.
AWS Marketplace for deploying third-party software in AWS accounts.
Differentiating AWS services from third-party solutions.
AWS Knowledge Center and Security Center for specific queries.
AWS Security Blogs and Forums for community-driven insights.
AWS documentation and whitepapers for best practices and detailed information.
Next Steps
Proceed to third walkthrough question on cloud security and compliance.
Walkthrough Question 3: AWS Shared Responsibility Model
Question Analysis
Topic: AWS Shared Responsibility Model.
Keywords: Shared responsibility model, customer responsibility.
Question
"Which task is the responsibility of the customer according to the AWS shared responsibility model?"
Options Analysis
Option A: Install patches on an Amazon RDS database instance
Incorrect. AWS manages Amazon RDS engine patches.
Option B: Patch the operating system of Amazon RDS database instances
Incorrect. AWS is responsible for the operating system patches in Amazon RDS.
Option C: Determine which services have access to an Amazon DynamoDB table
Correct. Customer determines access permissions for services within the cloud.
Option D: Patch the Amazon VPC network devices
Incorrect. AWS manages and patches network devices in AWS infrastructure.
Correct Answer
Option C: Determine which services have access to an Amazon DynamoDB table
Aligns with customer's responsibility for managing access permissions within their AWS environment.
Takeaways
Understanding of customer-specific responsibilities in the AWS Shared Responsibility Model.
Recognition of the division of responsibilities between AWS and its customers.
Identification of knowledge gaps for further study, particularly in AWS service management responsibilities.
Walkthrough Question 4: AWS Access Management Capabilities
Question Analysis
Topic: Access management for AWS services.
Keywords: EC2 instance, private S3 bucket, access requirement.
Question
"A company has an application server that runs on an Amazon EC2 instance. The application server needs to access contents within a private Amazon S3 bucket. What is the recommended approach to meet this requirement?"
Options Analysis
Option A: Create an IAM Role and Associate with EC2 Instance
Correct. A role attached through an instance profile gives the instance short-lived credentials that AWS rotates automatically, so no long-term key is stored on the instance.
Option B: Configure a VPC Peering Connection
Incorrect. VPC peering is for networking between VPCs, not for S3 bucket access.
Option C: Create a Shared Access Key
Incorrect. A long-term key shared across systems cannot be attributed to a single principal and is hard to rotate or revoke; it is not a recommended practice.
Option D: Configure Application to Read Access Key
Incorrect. Embedding long-term access keys in the application is less secure than a role: keys leak through code, images, and backups, and they do not rotate automatically.
Correct Answer
Option A: Create an IAM Role and Associate with EC2 Instance
Provides a secure, recommended method for granting EC2 instances access to S3 resources.
Takeaways
Understanding of IAM roles as a secure way to manage access to AWS resources.
Recognition of best practices in AWS access management and security.
Identification of knowledge gaps for further study, particularly in AWS identity and access management.
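The recommended answer to question 4, written out as the two policy documents it involves, with a check for the anti-pattern in options C and D. This is an added example, not code from the original notes or from AWS. The role's trust policy says who may assume it (the EC2 service, via an instance profile) and its permissions policy says what the role may do (here, read-only access to one bucket prefix). lint_trust_policy() and lint_permissions_policy() flag the patterns that undermine least privilege, and find_embedded_access_keys() scans text for long-term access key IDs of the kind option D would leave on the instance. The bucket name, prefix and SAMPLE_CONFIG are constructed; the "AKIA" prefix and 20-character length are the format of AWS long-term access key IDs, and AKIAIOSFODNN7EXAMPLE is AWS's own documentation placeholder.

```python
"""An IAM role for the EC2 instance, with a least-privilege lint.

Added example.  The two "good" documents are what the recommended answer
looks like; the two OVERBROAD_* documents are what a hurried fix looks like.
"""
import re

BUCKET_ARN = "arn:aws:s3:::app-config-bucket"   # constructed

# Trust policy: only the EC2 service may assume the role (through an instance profile).
TRUST_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Allow",
        "Principal": {"Service": "ec2.amazonaws.com"},
        "Action": "sts:AssumeRole",
    }],
}

# Permissions policy: list the bucket and read objects under one prefix, nothing else.
PERMISSIONS_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow", "Action": "s3:ListBucket", "Resource": BUCKET_ARN},
        {"Effect": "Allow", "Action": "s3:GetObject", "Resource": BUCKET_ARN + "/app/*"},
    ],
}

OVERBROAD_TRUST = {"Version": "2012-10-17",
                   "Statement": [{"Effect": "Allow", "Principal": "*", "Action": "sts:AssumeRole"}]}
OVERBROAD_PERMISSIONS = {"Version": "2012-10-17",
                         "Statement": [{"Effect": "Allow", "Action": "s3:*", "Resource": "*"}]}


def _as_list(value):
    return value if isinstance(value, list) else [value]


def lint_trust_policy(doc, expected_service="ec2.amazonaws.com"):
    """Findings for a trust policy that is meant for an EC2 instance role."""
    findings = []
    for i, stmt in enumerate(doc["Statement"]):
        if stmt.get("Effect") != "Allow":
            continue
        principal = stmt.get("Principal")
        if principal == "*" or (isinstance(principal, dict) and "*" in _as_list(principal.get("AWS", []))):
            findings.append(f"statement {i}: anyone may assume this role (Principal *)")
        elif not isinstance(principal, dict) or expected_service not in _as_list(principal.get("Service", [])):
            findings.append(f"statement {i}: principal is not the {expected_service} service")
        if any(a != "sts:AssumeRole" for a in _as_list(stmt.get("Action", []))):
            findings.append(f"statement {i}: trust policy should only allow sts:AssumeRole")
    return findings


def lint_permissions_policy(doc):
    """Findings for wildcard actions or resources in Allow statements."""
    findings = []
    for i, stmt in enumerate(doc["Statement"]):
        if stmt.get("Effect") != "Allow":
            continue
        if "NotAction" in stmt or "NotResource" in stmt:
            findings.append(f"statement {i}: NotAction/NotResource grants everything not listed")
        for action in _as_list(stmt.get("Action", [])):
            if action == "*" or action.endswith(":*"):
                findings.append(f"statement {i}: wildcard action {action}")
        for resource in _as_list(stmt.get("Resource", [])):
            if resource == "*":
                findings.append(f"statement {i}: applies to every resource (Resource *)")
    return findings


# Long-term access key IDs: "AKIA" followed by 16 upper-case letters or digits.
ACCESS_KEY_ID = re.compile(r"\bAKIA[0-9A-Z]{16}\b")


def find_embedded_access_keys(text):
    """Long-term access key IDs found in application config or source text."""
    return ACCESS_KEY_ID.findall(text)


# Constructed config of the kind option D describes: a long-term key on disk.
SAMPLE_CONFIG = """
[s3]
bucket = app-config-bucket
aws_access_key_id = AKIAIOSFODNN7EXAMPLE
aws_secret_access_key = wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY
"""

if __name__ == "__main__":
    print("good trust policy:      ", lint_trust_policy(TRUST_POLICY))
    print("good permissions policy:", lint_permissions_policy(PERMISSIONS_POLICY))
    print("overbroad trust policy: ", lint_trust_policy(OVERBROAD_TRUST))
    print("overbroad permissions:  ", lint_permissions_policy(OVERBROAD_PERMISSIONS))
    print("keys in config:         ", find_embedded_access_keys(SAMPLE_CONFIG))
```

The lint is deliberately narrow: it catches the obvious wildcard grants and a trust policy open to any principal, which are the mistakes that turn "attach a role" into "attach administrator access". The key scan is the complementary check for the approach the question rejects: if it finds an AKIA identifier in an image or repository, that key should be deactivated and replaced by a role.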