Day 25: AWS Security

AWS Cloud Certificate With Neel Patel

Amazon Macie

  • Macie is a fully managed service that continuously monitors S3 data access activity for anomalies and generates detailed alerts when it detects a risk of unauthorized access or inadvertent data leaks.

  • Macie works by using machine learning to analyze your CloudTrail logs (S3 data events and management events) and build a baseline of normal access.

  • Note: this describes the original Macie, now called Macie Classic and since retired. The current Amazon Macie focuses on discovering sensitive data (PII, credentials, financial data) in S3 and on bucket exposure (public, unencrypted, shared outside the account); behaviour-based S3 access anomalies are now reported by Amazon GuardDuty (S3 Protection). The alert categories below are the Classic ones.

  • Macie has a variety of alerts

    • Anonymized Access

    • Location Anomaly

    • Config Compliance

    • Open Permissions

    • Credential Loss

    • Privilege Escalation

    • Data Compliance

    • Ransomware

    • File Hosting

    • Service Disruption

    • Identity Enumeration

    • Suspicious Access

    • Information Loss

  • Macie will also identify your most at-risk users, i.e. the identities whose access patterns or exposed credentials are most likely to lead to a compromise
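
To make the alert categories above concrete, here is an added example (not from the course and not AWS code) of the kind of detection Macie Classic performed over CloudTrail S3 data events: it learns which networks a principal normally calls from and then flags anonymous access ("Anonymized Access") and access from a never-seen network ("Location Anomaly"). The events are constructed samples using CloudTrail's field names; the `accountId: "anonymous"` representation of unauthenticated requests, the /24 grouping and the warm-up baseline are assumptions of this illustration, not Macie's actual model.

```go
package main

import (
	"encoding/json"
	"fmt"
	"net"
)

// CloudTrailEvent holds the fields of an S3 data event the detector needs
// (CloudTrail field names; only a subset of the real record).
type CloudTrailEvent struct {
	SourceIP     string `json:"sourceIPAddress"`
	UserIdentity struct {
		ARN       string `json:"arn"`
		AccountID string `json:"accountId"`
	} `json:"userIdentity"`
	RequestParameters struct {
		BucketName string `json:"bucketName"`
	} `json:"requestParameters"`
}

// Finding uses two of the Macie Classic alert categories listed above.
type Finding struct {
	Category  string // "Anonymized Access" or "Location Anomaly"
	Principal string
	Bucket    string
	SourceIP  string
}

// Detector remembers, per principal ARN, the /24 networks it has been seen from.
// Macie Classic learned its baseline with ML; here it comes from a warm-up window
// of events assumed to be normal (an assumption of this example).
type Detector struct{ baseline map[string]map[string]bool }

func NewDetector() *Detector { return &Detector{baseline: map[string]map[string]bool{}} }

// network24 reduces an IPv4 address to its /24; anything else is kept literally.
func network24(ip string) string {
	parsed := net.ParseIP(ip)
	if parsed == nil || parsed.To4() == nil { return ip }
	return parsed.Mask(net.CIDRMask(24, 32)).String() + "/24"
}

// Learn records an event as normal behaviour for its principal.
func (d *Detector) Learn(raw []byte) error {
	var ev CloudTrailEvent
	if err := json.Unmarshal(raw, &ev); err != nil { return err }
	key := ev.UserIdentity.ARN
	if d.baseline[key] == nil { d.baseline[key] = map[string]bool{} }
	d.baseline[key][network24(ev.SourceIP)] = true
	return nil
}

// Analyze returns a Finding for an unauthenticated request (modelled here with
// accountId "anonymous") or for a known principal calling from a network outside
// its baseline. nil means nothing notable; a principal with no baseline yet is
// not alerted on (cold start).
func (d *Detector) Analyze(raw []byte) (*Finding, error) {
	var ev CloudTrailEvent
	if err := json.Unmarshal(raw, &ev); err != nil { return nil, err }
	if ev.UserIdentity.AccountID == "anonymous" {
		return &Finding{"Anonymized Access", "anonymous", ev.RequestParameters.BucketName, ev.SourceIP}, nil
	}
	known := d.baseline[ev.UserIdentity.ARN]
	if len(known) > 0 && !known[network24(ev.SourceIP)] {
		return &Finding{"Location Anomaly", ev.UserIdentity.ARN, ev.RequestParameters.BucketName, ev.SourceIP}, nil
	}
	return nil, nil
}

// Constructed sample events (documentation IP ranges, fake account); not real logs.
const alice = `"userIdentity":{"type":"IAMUser","arn":"arn:aws:iam::111122223333:user/alice","accountId":"111122223333"}`

var Warmup = []string{
	`{"eventName":"GetObject","sourceIPAddress":"203.0.113.10",` + alice + `,"requestParameters":{"bucketName":"payroll-exports"}}`,
	`{"eventName":"PutObject","sourceIPAddress":"203.0.113.44",` + alice + `,"requestParameters":{"bucketName":"payroll-exports"}}`,
}

var Suspicious = []string{
	`{"eventName":"GetObject","sourceIPAddress":"198.51.100.7",` + alice + `,"requestParameters":{"bucketName":"payroll-exports"}}`,
	`{"eventName":"GetObject","sourceIPAddress":"192.0.2.99","userIdentity":{"type":"AWSAccount","arn":"","accountId":"anonymous"},"requestParameters":{"bucketName":"payroll-exports"}}`,
}

// RunSample trains on Warmup and analyzes Suspicious, returning the findings.
func RunSample() ([]Finding, error) {
	d := NewDetector()
	for _, e := range Warmup {
		if err := d.Learn([]byte(e)); err != nil { return nil, err }
	}
	var out []Finding
	for _, e := range Suspicious {
		f, err := d.Analyze([]byte(e))
		if err != nil { return nil, err }
		if f != nil { out = append(out, *f) }
	}
	return out, nil
}

func main() {
	findings, err := RunSample()
	if err != nil { panic(err) }
	for _, f := range findings {
		fmt.Printf("%-17s principal=%s bucket=%s from=%s\n", f.Category, f.Principal, f.Bucket, f.SourceIP)
	}
}
```

Running it yields one Location Anomaly (alice from 198.51.100.0/24, never seen in the warm-up) and one Anonymized Access against the same bucket, while the warm-up events themselves produce nothing. A production baseline would add more dimensions (time of day, request volume, API mix, user agent), which is what the ML in Macie Classic and GuardDuty is for.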

AWS Virtual Private Network (VPN)

  • AWS VPN lets you establish a secure and private tunnel from your network or device to the AWS global network

AWS Site-to-Site VPN

  • Securely connects an on-premises network or branch office to your VPC (or to a Transit Gateway) over IPsec tunnels

AWS Client VPN

  • Securely connects individual users (laptops, mobile devices) to AWS or to on-premises networks through an OpenVPN-based client

What is IPSec?

  • Internet Protocol Security (IPsec) is a secure network protocol suite that authenticates and encrypts packets of data to provide secure, encrypted communication between two hosts over an IP network. It is used in virtual private networks (VPNs): AWS Site-to-Site VPN is built on IPsec (each connection provides two tunnels to two AWS endpoints for redundancy), while Client VPN uses TLS via OpenVPN.


AWS Web Application Firewall (WAF)

  • AWS Web Application Firewall (WAF) protects your web applications from common web exploits

  • Write your own rules to ALLOW, BLOCK or COUNT requests based on the contents of an HTTP request (URI, headers, body, query string, source IP or country, request rate)

  • Use a ruleset from a trusted AWS Security Partner in the AWS WAF Rules Marketplace, or the AWS Managed Rules rule groups

  • WAF can be attached to a CloudFront distribution, an Application Load Balancer, an API Gateway REST API, an AppSync API or a Cognito user pool; it cannot be attached to Network or Classic Load Balancers

  • Protects web applications from the attack classes in the OWASP Top 10 (the 2017 edition is listed here). A WAF reduces exposure to these attacks but does not fix the underlying vulnerability in the application, and several items on the list (broken authentication, insecure deserialization, insufficient logging) are not things a WAF can address on its own

  1. Injection

  2. Broken Authentication

  3. Sensitive data exposure

  4. XML External Entities (XXE)

  5. Broken Access control

  6. Security misconfigurations

  7. Cross Site Scripting (XSS)

  8. Insecure Deserialization

  9. Using Components with known vulnerabilities

  10. Insufficient logging and monitoring

Hardware Security Module (HSM)

  • A Hardware Security Module (HSM) is a dedicated, tamper-resistant piece of hardware designed to generate, store and use encryption keys.

  • An HSM holds keys in memory and never writes them to disk; cryptographic operations happen inside the module and keys cannot be exported in plaintext.

  • Federal Information Processing Standard (FIPS) 140-2: US and Canadian government standard that specifies the security requirements for cryptographic modules that protect sensitive information (Level 1 is the lowest, Level 4 the highest).

  • In AWS, the multi-tenant HSMs behind KMS (multiple customers virtually isolated on shared HSMs) were originally FIPS 140-2 Level 2 validated (they have since been validated at Level 3 as well), while CloudHSM gives you single-tenant HSMs (one customer on dedicated hardware) that are FIPS 140-2 Level 3 validated.

AWS Key Management Service

  • AWS Key Management Service (KMS) is a managed service that makes it easy for you to create and control the encryption keys (KMS keys) used to encrypt your data

  • KMS keys are stored and used inside multi-tenant HSMs (hardware security modules); you never handle the key material directly, you call the KMS API (Encrypt, Decrypt, GenerateDataKey), and every call is logged in CloudTrail

  • Many AWS services (S3, EBS, RDS, ...) are integrated with KMS to encrypt your data with a simple checkbox

Envelope Encryption

  • When you encrypt your data, the data is protected, but now you have to protect the encryption key.

  • Envelope encryption: encrypt the data with a data key, then encrypt (wrap) the data key with a master key (the KMS key) as an additional layer of security. The wrapped data key is stored alongside the ciphertext; the master key never leaves KMS, and only the small data key, not the bulk data, is ever sent to KMS for decryption.

  • KMS GenerateDataKey returns both the plaintext data key and the same key encrypted under the KMS key: use the plaintext copy locally, then discard it from memory and keep only the encrypted copy.
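
As an added example (not from the course, not AWS code and not the AWS SDK), the envelope-encryption flow described above in plain Go with AES-256-GCM. The `MasterKey` type stands in for a KMS key: its `GenerateDataKey` and `DecryptDataKey` methods play the role of the KMS GenerateDataKey and Decrypt calls, and those are the only two operations that need the master key; the bulk data is encrypted and decrypted locally with the data key. Key sizes, the use of the wrapped key as associated data and zeroing the plaintext data key are design choices of this illustration.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
)

// Envelope is what gets stored with the object: the ciphertext plus the data
// key wrapped under the master key. The master key never leaves the HSM
// (here: the MasterKey struct, standing in for a KMS key).
type Envelope struct {
	WrappedDataKey []byte
	Nonce          []byte
	Ciphertext     []byte // AES-GCM output, auth tag included
}

// gcmSeal / gcmOpen are plain AES-256-GCM; aad is authenticated, not encrypted.
func gcmSeal(key, plaintext, aad []byte) (nonce, ciphertext []byte, err error) {
	block, err := aes.NewCipher(key)
	if err != nil { return nil, nil, err }
	gcm, err := cipher.NewGCM(block)
	if err != nil { return nil, nil, err }
	nonce = make([]byte, gcm.NonceSize())
	if _, err = rand.Read(nonce); err != nil { return nil, nil, err }
	return nonce, gcm.Seal(nil, nonce, plaintext, aad), nil
}

func gcmOpen(key, nonce, ciphertext, aad []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil { return nil, err }
	gcm, err := cipher.NewGCM(block)
	if err != nil { return nil, err }
	return gcm.Open(nil, nonce, ciphertext, aad) // fails on any tampering
}

// MasterKey stands in for a KMS key. GenerateDataKey and DecryptDataKey are the
// only operations that touch the master key, mirroring the two KMS API calls an
// envelope-encrypting client makes (GenerateDataKey and Decrypt).
type MasterKey struct{ key []byte }

func NewMasterKey() (*MasterKey, error) {
	k := make([]byte, 32)
	if _, err := rand.Read(k); err != nil { return nil, err }
	return &MasterKey{key: k}, nil
}

// GenerateDataKey returns a fresh 256-bit data key in plaintext and the same key
// wrapped (encrypted) under the master key; the wrapped form is nonce || ciphertext.
func (m *MasterKey) GenerateDataKey() (plaintext, wrapped []byte, err error) {
	plaintext = make([]byte, 32)
	if _, err = rand.Read(plaintext); err != nil { return nil, nil, err }
	nonce, ct, err := gcmSeal(m.key, plaintext, []byte("data-key"))
	if err != nil { return nil, nil, err }
	return plaintext, append(nonce, ct...), nil
}

func (m *MasterKey) DecryptDataKey(wrapped []byte) ([]byte, error) {
	const nonceSize = 12 // cipher.NewGCM's standard nonce size
	if len(wrapped) <= nonceSize { return nil, errors.New("wrapped data key too short") }
	return gcmOpen(m.key, wrapped[:nonceSize], wrapped[nonceSize:], []byte("data-key"))
}

// Encrypt uses one fresh data key per object. The wrapped key is passed as AAD
// so the ciphertext cannot later be re-paired with a different wrapped key.
func Encrypt(mk *MasterKey, plaintext []byte) (*Envelope, error) {
	dk, wrapped, err := mk.GenerateDataKey()
	if err != nil { return nil, err }
	nonce, ct, err := gcmSeal(dk, plaintext, wrapped)
	if err != nil { return nil, err }
	for i := range dk { dk[i] = 0 } // the plaintext data key is not kept after use
	return &Envelope{WrappedDataKey: wrapped, Nonce: nonce, Ciphertext: ct}, nil
}

// Decrypt asks the master key to unwrap the data key, then decrypts locally.
func Decrypt(mk *MasterKey, env *Envelope) ([]byte, error) {
	dk, err := mk.DecryptDataKey(env.WrappedDataKey)
	if err != nil { return nil, err }
	return gcmOpen(dk, env.Nonce, env.Ciphertext, env.WrappedDataKey)
}

func main() {
	mk, err := NewMasterKey()
	if err != nil { panic(err) }
	env, err := Encrypt(mk, []byte("customer record 42"))
	if err != nil { panic(err) }
	pt, err := Decrypt(mk, env)
	fmt.Printf("decrypted=%q err=%v wrappedKey=%dB ciphertext=%dB\n", pt, err, len(env.WrappedDataKey), len(env.Ciphertext))
}
```

The wrapped data key is 60 bytes (12-byte nonce, 32-byte key, 16-byte tag) regardless of how large the object is, which is why only it needs to travel to the HSM for decryption. Decrypting with a different master key, a modified ciphertext, or a wrapped key taken from another envelope all fail authentication rather than returning garbage.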


AWS CloudHSM

  • CloudHSM is a single-tenant HSM as a service that automates hardware provisioning, software patching, high availability (clusters across Availability Zones) and backups

  • AWS CloudHSM lets you generate and use your own encryption keys on FIPS 140-2 Level 3 validated hardware; AWS manages the appliances but has no access to your keys

  • Built on Open HSM industry standards to integrate with:

    • PKCS#11

    • Java Cryptography Extension (JCE)

    • Microsoft Cryptography API: Next Generation (CNG) libraries

  • You can also transfer your keys to other commercial HSM solutions to make it easy for you to migrate keys on or off of AWS.

  • You can configure AWS KMS to use your CloudHSM cluster as a custom key store, so KMS-integrated services use keys that are generated and stored in your own single-tenant HSMs rather than in the default KMS key store.

AWS Config

  • AWS Config is a governance tool for Compliance as Code (CaC): it records the configuration of your resources over time and evaluates them against rules.

  • You create rules (AWS managed, or custom rules backed by a Lambda function) that check whether resources are configured the way you expect them to be, e.g. "S3 buckets must not be public" or "security groups must not allow SSH from 0.0.0.0/0".

  • If a resource drifts from the expected configuration you are notified, or AWS Config can auto-remediate (correct) the configuration back to the expected state by running a Systems Manager Automation document.
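
As an added example (not from the course and not AWS code), the evaluation logic of a custom AWS Config rule of the kind described above: it reads an `AWS::EC2::SecurityGroup` configuration item and reports NON_COMPLIANT when an inbound rule exposes an admin port to the whole internet, which is the same class of finding Trusted Advisor phrases as "you have open ports on these security groups". The Lambda handler and the `PutEvaluations` call that would wrap this in a real rule are omitted; the JSON shape is the subset of the real configuration item the check needs, and the three items are constructed samples.

```go
package main

import (
	"encoding/json"
	"fmt"
)

// IPPermission is one inbound rule as AWS Config records it for an
// AWS::EC2::SecurityGroup item (same field names as EC2 DescribeSecurityGroups).
type IPPermission struct {
	IPProtocol string `json:"ipProtocol"` // "tcp", "udp", "icmp" or "-1" (all traffic)
	FromPort   *int   `json:"fromPort"`   // absent for "-1"
	ToPort     *int   `json:"toPort"`
	IPv4Ranges []struct {
		CidrIP string `json:"cidrIp"`
	} `json:"ipv4Ranges"`
	IPv6Ranges []struct {
		CidrIPv6 string `json:"cidrIpv6"`
	} `json:"ipv6Ranges"`
}

// SecurityGroupItem is the subset of the configuration item this rule reads.
type SecurityGroupItem struct {
	ResourceID    string `json:"resourceId"`
	Configuration struct {
		IPPermissions []IPPermission `json:"ipPermissions"`
	} `json:"configuration"`
}

// Evaluation is what a custom rule reports back to Config (PutEvaluations).
type Evaluation struct {
	ComplianceType string // "COMPLIANT" or "NON_COMPLIANT"
	Annotation     string // shown next to the resource in the Config console
}

// worldOpen is true if the rule accepts traffic from any IPv4 or IPv6 source.
func worldOpen(p IPPermission) bool {
	for _, r := range p.IPv4Ranges {
		if r.CidrIP == "0.0.0.0/0" { return true }
	}
	for _, r := range p.IPv6Ranges {
		if r.CidrIPv6 == "::/0" { return true }
	}
	return false
}

// coversPort is true if the rule allows TCP to port, or all traffic ("-1").
func coversPort(p IPPermission, port int) bool {
	if p.IPProtocol == "-1" { return true }
	if p.IPProtocol != "tcp" || p.FromPort == nil || p.ToPort == nil { return false }
	return *p.FromPort <= port && port <= *p.ToPort
}

// EvaluateNoWorldOpenAdminPorts is the rule body: NON_COMPLIANT when any inbound
// rule exposes one of adminPorts (e.g. 22 SSH, 3389 RDP) to 0.0.0.0/0 or ::/0.
func EvaluateNoWorldOpenAdminPorts(configItem []byte, adminPorts ...int) (Evaluation, error) {
	var item SecurityGroupItem
	if err := json.Unmarshal(configItem, &item); err != nil {
		return Evaluation{}, fmt.Errorf("bad configuration item: %w", err)
	}
	for _, p := range item.Configuration.IPPermissions {
		if !worldOpen(p) { continue }
		for _, port := range adminPorts {
			if coversPort(p, port) {
				return Evaluation{"NON_COMPLIANT", fmt.Sprintf("%s allows port %d inbound from the whole internet", item.ResourceID, port)}, nil
			}
		}
	}
	return Evaluation{"COMPLIANT", fmt.Sprintf("%s exposes no admin port to the internet", item.ResourceID)}, nil
}

// Constructed sample configuration items (fake group IDs), not from a real account.
const OpenSSHItem = `{"resourceId":"sg-0a1b2c3d","configuration":{"ipPermissions":[
 {"ipProtocol":"tcp","fromPort":22,"toPort":22,"ipv4Ranges":[{"cidrIp":"0.0.0.0/0"}],"ipv6Ranges":[]}]}}`

const HardenedItem = `{"resourceId":"sg-0e5f6a7b","configuration":{"ipPermissions":[
 {"ipProtocol":"tcp","fromPort":22,"toPort":22,"ipv4Ranges":[{"cidrIp":"10.0.0.0/8"}],"ipv6Ranges":[]},
 {"ipProtocol":"tcp","fromPort":443,"toPort":443,"ipv4Ranges":[{"cidrIp":"0.0.0.0/0"}],"ipv6Ranges":[]}]}}`

const AllTrafficV6Item = `{"resourceId":"sg-0c9d8e7f","configuration":{"ipPermissions":[
 {"ipProtocol":"-1","ipv4Ranges":[],"ipv6Ranges":[{"cidrIpv6":"::/0"}]}]}}`

func main() {
	for _, item := range []string{OpenSSHItem, HardenedItem, AllTrafficV6Item} {
		ev, err := EvaluateNoWorldOpenAdminPorts([]byte(item), 22, 3389)
		if err != nil { panic(err) }
		fmt.Printf("%-13s %s\n", ev.ComplianceType, ev.Annotation)
	}
}
```

The second sample is the hardened shape: SSH restricted to the private range and only HTTPS open to the world, so it passes. The third shows why a port-range check alone is not enough: an all-traffic rule has no ports at all, and from `::/0` rather than `0.0.0.0/0`, yet it exposes every admin port.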

AWS AppConfig

  • AWS AppConfig is used to automate the process of deploying application configuration changes (feature flags, tuning variables) to your application(s).

  • You can write a validator to ensure the changed configuration will not break your application

  • You can monitor deployments and automate integrations to catch errors or roll back.

SNS and SQS Connect Apps via Messages

SNS (Simple Notification Service)

  • Pass along messages, e.g. pub/sub: publishers send to a topic, every subscriber of the topic receives a copy

  • Send notifications to subscribers of topics via multiple protocols, e.g. HTTP/S, Email, SQS, SMS, Lambda

  • SNS is generally used for sending plain text emails triggered by other AWS services. The best example of this is billing alarms.

  • Can retry sending in case of failure for HTTP/S endpoints

  • Really good for webhooks, simple internal emails, triggering Lambda functions

SQS (Simple Queue Service)

  • Queue up messages, guaranteed delivery

  • Places messages into a queue; applications poll the queue using the AWS SDK

  • Can retain a message for up to 14 days (the default is 4 days)

  • Can deliver messages in strict order (FIFO queues) or in parallel with best-effort ordering (standard queues)

  • Can ensure a message is processed exactly once (FIFO queues with deduplication)

  • Can ensure messages are delivered at least once (standard queues), so consumers must be idempotent

  • Really good for delayed tasks, queueing up emails

SNS vs SES vs Pinpoint vs WorkMail

They all send emails, but for different purposes:

SNS (Simple Notification Service): practical and internal emails

  • Send notifications to subscribers of topics via multiple protocols, e.g. HTTP/S, Email, SQS, SMS

  • SNS is generally used for sending plain text emails triggered by other AWS services. The best example of this is billing alarms.

  • Most exam questions will be about SNS because lots of services can trigger SNS for notifications

  • You need to know what Topics and Subscriptions are regarding SNS

SES (Simple Email Service): transactional emails

  • Emails that should be triggered by in-app actions: signup, password reset, invoices

  • A cloud-based email sending service, comparable to SendGrid

  • SES sends HTML emails; SNS cannot

  • SES can receive inbound emails

  • SES can create email templates

  • Custom domain name email

  • Monitor your email (sender) reputation

Amazon Pinpoint: promotional emails

  • Emails for marketing

  • Create email campaigns

  • Segment your contacts

  • Create customer journeys via emails

  • A/B email testing

Amazon WorkMail: email web client

  • Similar to Gmail and Outlook. Create company email accounts, and read, write and send emails from a web client (accessed via the AWS Management Console)

Amazon Inspector vs AWS Trusted Advisor

  • Both are security tools and both perform audits

Amazon Inspector

  • Audits a single EC2 instance that you select: an agent on the instance runs a long list of security checks (e.g. 699 checks, in the course's example) and generates a report

  • Note: this describes Inspector Classic. The current Amazon Inspector instead continuously scans all EC2 instances (via the SSM Agent), ECR container images and Lambda functions for software vulnerabilities (CVEs) and unintended network exposure, and surfaces findings rather than per-instance PDF reports

Trusted Advisor

  • Does not generate PDF reports

  • Gives you a holistic view of recommendations across multiple services and best practices (cost optimization, performance, security, fault tolerance, service limits)

  • e.g. "You have open ports on these security groups"

  • e.g. "You should enable MFA on your root account"

Connect Names Services

They all have "Connect" in the name but they are not related or similar in functionality

Direct Connect

  • A dedicated fibre-optic connection from your data center (through a Direct Connect location) to AWS

  • Intended for large enterprises with their own data center that need a high-bandwidth, consistent-latency, private connection directly to AWS, bypassing the public internet

  • Direct Connect is private but not encrypted by default. If you need encryption in transit, run an AWS Site-to-Site VPN (IPsec) over the Direct Connect connection, or use MACsec, which is available on 10 Gbps and 100 Gbps dedicated connections

Amazon Connect

  • Call Center as a Service

  • Get a toll free number, accept inbound and outbound calls, setup automated phone systems.

  • Interactive Voice Response (IVR) for automated phone menus

MediaConnect

  • AWS Elemental MediaConnect is a transport service for live video: it moves live streams reliably and securely into, out of and within AWS. It does not transcode files.

  • Not to be confused with AWS Elemental MediaConvert, the newer replacement for Elastic Transcoder, which converts videos to different formats: e.g. you have thousands of videos that need transcoding into different formats, maybe with watermarks applied or an introduction clip inserted in front of every video

Elastic Transcoder vs MediaConvert

Both services transcode videos

Elastic Transcoder (the old way)

  • Elastic Transcoder was the original transcoding service. It may have programmatic APIs or workflows not available in MediaConvert.

  • It exists because legacy customers are still using the platform

  • Transcodes videos to streaming formats

AWS Elemental MediaConvert (the new way)

  • MediaConvert is a more robust transcoding service that can perform various operations during transcoding:

    • Transcodes videos to streaming formats

    • Video overlays (e.g. watermarks)

    • Inserts video clips (e.g. an intro in front of every video)

    • Extracts caption data

  • Robust UI

AWS Artifact vs Amazon Inspector

AWS Artifact: "Why should an enterprise trust AWS?"

  • Provides on-demand downloads of AWS's own third-party audit reports, based on global compliance frameworks such as:

    • Service Organization Control (SOC)

    • Payment Card Industry (PCI)

    • ISO 27001 and related ISO certifications

  • Artifact is about AWS's compliance (the provider side of the shared responsibility model), not the security of your own resources

Amazon Inspector: "How do we know this EC2 instance is secure? Prove it."

  • Runs an assessment against your EC2 instance, then generates a report telling you which security checks passed and which failed

  • Audit tool for the security of EC2 instances (your side of the shared responsibility model)


Elastic Load Balancer (ELB) has 4 different types of load balancer

Application Load Balancer (ALB)

  • Layer 7: HTTP/S routing rules

  • Create rules to change routing based on information found in an HTTP/S request (path, host header, HTTP headers, query string, source IP)

  • Can attach an AWS WAF (the only ELB type that supports WAF)

Network Load Balancer (NLB)

  • Layer 4: TCP, UDP and TLS

  • Where extreme performance is required for TCP and TLS traffic

  • Capable of handling millions of requests per second while maintaining ultra-low latencies

  • Optimized for sudden and volatile traffic patterns, using a single static IP address per Availability Zone

Gateway Load Balancer (GWLB)

  • A Layer 3 gateway combined with Layer 4 load balancing; traffic is tunnelled to the appliances with GENEVE (UDP 6081)

  • When you need to deploy a fleet of third-party virtual appliances (firewalls, IDS/IPS, deep packet inspection) that support GENEVE

Classic Load Balancer (CLB)

  • Layer 4 and Layer 7 (TCP and HTTP/S), but without ALB's content-based routing rules

  • Intended for applications that were built within the EC2-Classic network

  • Doesn't use target groups

  • Legacy: EC2-Classic retired on Aug 15, 2022. CLB is still available in a VPC, but new deployments should use ALB or NLB