Security and Compliance#
Well architected framework#
- 5 pillars:
  - Operational excellence
  - Security
  - Reliability
  - Performance Efficiency
  - Cost Optimization
Operational excellence#
- script operations as code
- plan for and anticipate failure
- deploy smaller reversible changes
- learn from failure and refine
Security#
- automate security tasks
- encrypt data in transit and at rest
- assign only the least privileges required
- track who did what and when
- ensure security at all application layers
Reliability#
- recover from failure automatically
- reduce idle resources
- scale horizontally for resilience
- manage change through automation
- test recovery procedures
Performance Efficiency#
- use serverless first
- delegate tasks to a cloud vendor
- use multi-region deployments
- experiment with virtual resources
Cost Optimization#
- utilize consumption based pricing
- implement cloud financial management
- measure overall efficiency
- pay only for resources your application requires
Security#
IAM - Identity & Access Management#
- Authentication -> Who
- Authorization -> What
- Users are created in IAM to represent users or applications
- new users have no access
- you can leverage IAM to give them access to what they need based on the principle of least privilege
- access is assigned to users and groups using policy and roles
- groups - place users in groups, give accesses to groups
- roles - define access permissions and are temporarily assumed by IAM users or services
- policy - JSON document - assigns roles to users and groups
- credential report - lists all the users in your account and the status of their various credentials
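The notes above say access is default-deny and granted through JSON policies on the principle of least privilege. The block below is an added example (not AWS's evaluation engine and not code from the original notes) that models the three rules that matter when reviewing a policy: everything is denied unless an Allow statement matches both the action and the resource, an explicit Deny always wins, and `*` is a wildcard. The bucket names, Sids and policies are constructed for the example; conditions, NotAction/NotResource and principals are deliberately left out.

```python
"""Minimal model of IAM policy evaluation (added example, not AWS's engine)."""
import fnmatch


def _matches(spec, value, case_insensitive=False):
    """True if `value` matches any pattern in `spec` (a string or a list).

    IAM's '*' wildcard maps onto fnmatch; actions are compared
    case-insensitively, resources (ARNs) are not.
    """
    patterns = spec if isinstance(spec, list) else [spec]
    if case_insensitive:
        return any(fnmatch.fnmatchcase(value.lower(), p.lower()) for p in patterns)
    return any(fnmatch.fnmatchcase(value, p) for p in patterns)


def is_allowed(policy, action, resource):
    """Default deny; a matching Allow grants; a matching Deny overrides."""
    statements = policy["Statement"]
    if isinstance(statements, dict):  # a single statement may be written bare
        statements = [statements]
    allowed = False
    for stmt in statements:
        if not _matches(stmt.get("Action", []), action, case_insensitive=True):
            continue
        if not _matches(stmt.get("Resource", []), resource):
            continue
        if stmt["Effect"] == "Deny":
            return False  # explicit deny wins regardless of other statements
        allowed = True
    return allowed


def overly_broad_statements(policy):
    """Least-privilege lint: Sids of Allow statements whose Action or Resource is '*'."""
    statements = policy["Statement"]
    if isinstance(statements, dict):
        statements = [statements]
    flagged = []
    for i, stmt in enumerate(statements):
        if stmt["Effect"] != "Allow":
            continue
        actions = stmt.get("Action", [])
        resources = stmt.get("Resource", [])
        actions = actions if isinstance(actions, list) else [actions]
        resources = resources if isinstance(resources, list) else [resources]
        if "*" in actions or "*" in resources:
            flagged.append(stmt.get("Sid", f"statement-{i}"))
    return flagged


# Constructed policies. LOG_READER is a least-privilege read-only policy for
# one bucket; ADMIN_WITH_GUARDRAIL is broad but keeps a Deny as a guardrail.
LOG_READER = {
    "Version": "2012-10-17",
    "Statement": [{
        "Sid": "ReadAppLogs",
        "Effect": "Allow",
        "Action": ["s3:GetObject", "s3:ListBucket"],
        "Resource": ["arn:aws:s3:::example-app-logs",
                     "arn:aws:s3:::example-app-logs/*"],
    }],
}

ADMIN_WITH_GUARDRAIL = {
    "Version": "2012-10-17",
    "Statement": [
        {"Sid": "AllS3", "Effect": "Allow", "Action": "s3:*", "Resource": "*"},
        {"Sid": "NeverDeleteBuckets", "Effect": "Deny",
         "Action": "s3:DeleteBucket", "Resource": "*"},
    ],
}

if __name__ == "__main__":
    obj = "arn:aws:s3:::example-app-logs/2024/app.log"
    print("LOG_READER GetObject:", is_allowed(LOG_READER, "s3:GetObject", obj))
    print("LOG_READER DeleteObject:", is_allowed(LOG_READER, "s3:DeleteObject", obj))
    print("Guardrail DeleteBucket:", is_allowed(ADMIN_WITH_GUARDRAIL, "s3:DeleteBucket", obj))
    print("Broad statements:", overly_broad_statements(ADMIN_WITH_GUARDRAIL))
```

The lint is the practical part: when a new user starts with no access, a policy whose Allow statement uses `*` for the action or the resource is the first thing to question in review.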
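The credential report is the raw material for the "track who did what and when" check: it is a CSV with one row per user. The block below is an added example (not AWS code and not from the original notes) that triages such a report for the findings a reviewer looks for first: console users without MFA, active access keys that have not been rotated, keys that are never used, and access keys on the root account. The column names are those of the real report; the rows, account id and timestamps are constructed and trimmed to the columns the checks read.

```python
"""Triage an IAM credential report CSV (added example, not AWS code)."""
import csv
import io
from datetime import datetime, timezone

# Constructed sample with the real report's column names, trimmed to the
# columns used below. The account id is a placeholder.
SAMPLE_REPORT = """\
user,arn,password_enabled,password_last_used,mfa_active,access_key_1_active,access_key_1_last_rotated,access_key_1_last_used_date,access_key_2_active,access_key_2_last_rotated,access_key_2_last_used_date
<root_account>,arn:aws:iam::123456789012:root,not_supported,2024-06-28T09:00:00+00:00,true,true,2024-06-15T08:00:00+00:00,2024-06-20T11:30:00+00:00,false,N/A,N/A
alice,arn:aws:iam::123456789012:user/alice,true,2024-06-30T14:05:00+00:00,true,true,2024-05-01T08:00:00+00:00,2024-06-20T11:30:00+00:00,false,N/A,N/A
bob,arn:aws:iam::123456789012:user/bob,true,2024-06-29T16:40:00+00:00,false,false,N/A,N/A,false,N/A,N/A
ci-deploy,arn:aws:iam::123456789012:user/ci-deploy,false,no_information,false,true,2023-12-01T00:00:00+00:00,2024-06-30T02:00:00+00:00,true,2024-06-01T00:00:00+00:00,N/A
"""

# Fixed "now" so the sample evaluates the same way every run.
AS_OF = datetime(2024, 7, 1, tzinfo=timezone.utc)


def _parse_ts(value):
    """Aware datetime, or None for the report's N/A-style markers."""
    if value in ("N/A", "no_information", "not_supported", ""):
        return None
    return datetime.fromisoformat(value)


def audit_credential_report(report_csv, now, max_key_age_days=90, max_unused_days=45):
    """Return {user: [finding, ...]} for every user with at least one finding."""
    findings = {}
    for row in csv.DictReader(io.StringIO(report_csv)):
        user = row["user"]
        issues = []
        # Console login without MFA: the most common single finding.
        if row["password_enabled"] == "true" and row["mfa_active"] != "true":
            issues.append("console-login-without-mfa")
        for slot in ("1", "2"):
            if row[f"access_key_{slot}_active"] != "true":
                continue
            # Root should have no long-lived keys at all.
            if user == "<root_account>":
                issues.append(f"root-access-key-{slot}")
            rotated = _parse_ts(row[f"access_key_{slot}_last_rotated"])
            if rotated is None or (now - rotated).days > max_key_age_days:
                issues.append(f"access-key-{slot}-not-rotated")
            last_used = _parse_ts(row[f"access_key_{slot}_last_used_date"])
            if last_used is None or (now - last_used).days > max_unused_days:
                issues.append(f"access-key-{slot}-unused")
        if issues:
            findings[user] = issues
    return findings


def sample_findings():
    """Run the audit over the constructed sample as of AS_OF."""
    return audit_credential_report(SAMPLE_REPORT, AS_OF)


if __name__ == "__main__":
    for user, issues in sample_findings().items():
        print(f"{user}: {', '.join(issues)}")
```

On a real account the CSV comes back base64-encoded from the get-credential-report API and is decoded before being passed to `audit_credential_report`; the thresholds are parameters so they can follow whatever rotation policy the account enforces.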
WAF - Web Application Firewall#
- protects against web attacks by matching patterns
- protects against SQLi
- protects against XSS
- WAF can sit in front of CloudFront or in front of a load balancer (LB)
Shield#
- protects against DDoS
- Shield Standard is free - covers common and frequently occurring attacks
- Shield Advanced is a paid service - advanced protection and 24/7 access to AWS experts for a fee
Macie#
- helps you discover and protect sensitive data
- machine learning based secret and PII scan for S3
Config#
- tracks configuration changes over time
- delivers configuration history files to S3
Guard Duty#
- threat detection tool based on machine learning
- anomaly detection over all API calls
Inspector#
- Agent installed on EC2 instances
- reports vulnerabilities found and vulnerable software versions installed
- checks access from the internet, root logins and so on
Artifact#
- on demand access to AWS security and compliance reports
- get reports for things like PCI, SOX, HIPAA and so on
Cognito#
- access control for web and mobile apps
- assists with user sign-up/sign-in
- provides authentication and authorization
Encryption#
KMS - Key Management Service#
- allows you to generate and store encryption keys
- key generator
- store and control keys
- AWS manages the encryption keys
- automatically enabled for certain services
Cloud HSM - Hardware Security Module#
- dedicated hardware for encryption keys
- generate and manage your own keys
- AWS doesn't have access to your keys
Secrets Manager#
- manage, retrieve and rotate secrets
- you can encrypt secrets at rest
- integrates with RedShift, RDS and DocumentDB