Table of contents
- → Security Resources
- Protects the following AWS resources
- Rules are defined as web access control lists (web ACL)
- AWS Shield
- AWS Network Firewall
- AWS Inspector
- Amazon Detective
- CloudTrail
- AWS Security Hub
- Security Lake
- Firewall Manager
- Resource Access Manager
- AWS Cognito
- IAM Identity Center
- Secrets Manager
- AWS Certificate Manager (ACM)
- AWS Private Certificate Authority
- Key Management Service (KMS)
- CloudHSM
→ Security Resources
Web Application Firewall (WAF)
Monitors HTTP requests and prevents a variety of attacks like SQL injection and XSS attacks
Protects the following AWS resources
CloudFront distributions
API Gateway
Application Load Balancer
AWS AppSync GraphQL API
Amazon Cognito user pool
AWS App Runner service
AWS Verified access instance
Rules are defined as web access control lists (web ACL)
The resource you want to monitor
Inspection criteria (IP address, country of origin, size of request, malicious code)
Action (Allow, Block, Count, Captcha) AWS Shield
AWS Shield
AWS Shield detects and mitigates sophisticated distributed denial of service (DDoS) attacks.
A DDoS attack is when a perpetrator seeks to make a machine or network resource unavailable to its intended users by temporarily or indefinitely disrupting the services of a host connected to a network.
- Denial of service is typically accomplished by flooding the targeted machine or resource with fake requests to overload systems and prevent some or all legitimate requests from being fulfilled
AWS Network Firewall
It is a stateful managed firewall and intrusion detection and prevention service for VPCs. It monitors traffic going into and out of a VPC
AWS Inspector
AWS inspector scans workloads running on AWS for software vulnerabilities and undesired network exposure.
● It automatically discovers and scans EC2 instances, container images in ECR, and Lambda function.
● It continues to assess your environment throughout the lifecycle of your resources by automatically rescanning resources in response to changes that could introduce new vulnerabilities.
Installing new package
Installing a patch
New common vulnerabilities and Exposures (CVE) are released
● If vulnerabilities are identified, AWS Inspector produces a finding that you can investigate.
Amazon Detective
Amazon Detective helps you quickly analyze and investigate security events across one or more AWS accounts.
It ingests data from VPC flow logs, CloudTrail logs, and GuardDuty findings.
It uses machine learning and statistical analysis to create advanced visualizations that show resource behaviors and interactions over time.
mazon Detective simplifies the process of investigating security incidents by providing interactive dashboards and visualizations.
CloudTrail
CloudTrail tracks user activity with an AWS account. ● It tells us who is doing what. ● Anytime a user performs an action within AWS, an event is logged in CloudTrail, such as:
Logging in
Modifying security policies
Accessing/creating/deleting a service ● It logs actions taken in the console, command line, and AWS SDK/APIs.
AWS Security Hub
t automates security checks and brings security alerts into a central location:
● Ingests data from other services like AWS Config, GuardDuty, Firewall Manager, Inspector, etc.
● Performs validation against AWS/Security best practices
Security Lake
It collects security logs and events from multiple sources including on-premises, AWS services, and third-party services. It transforms the data into storage and query-efficient Parquet format.
Firewall Manager
It helps manage security services (WAF, security groups, network firewall) across multiple AWS accounts. It configures rules just once and has them available across all accounts.
Resource Access Manager
It helps you securely share resources across accounts, organizations, and OUs. So, you can create a resource once and have the Resource Access Manager make that resource usable by other accounts.
AWS Cognito
AWS Cognito helps implement customer identity and access management for mobile and web applications.
● It manages all user credentials.
● It makes adding signup/login functionality easy without social authentication on any app.
IAM Identity Center
It simplifies managing users across multiple AWS accounts. It also allows you to manage sign-in security for your users centrally and grant them access across all AWS accounts and resources.
Secrets Manager
The Secrets Manager helps retrieve and rotate secrets and other sensitive data like credentials and Auth tokens. ● No need to hard code credentials in application source code ● Makes it more difficult to leak or compromise sensitive credentials ● Can configure automatic rotation schedule for your secrets ● Having short-term secrets decreases the risk of compromise
AWS Certificate Manager (ACM)
It handles the complexity of creating, storing, and renewing public and private SSL/TLS certificates and keys that protect AWS websites and applications.
● If users need to communicate with an ELB or API gateway, you now no longer need to purchase a paid certificate from a third party.
● ACM can generate them for you, and end-user traffic will be encrypted.
● You can issue certificates directly from ACM or import third-party certificates.
AWS Private Certificate Authority
t provides users with a private CA that is managed by AWS.
● Issues certificates for authenticating internal users, computers, and applications
● Certificates issued by a private CA are trusted only within your organization and not on the internet
● Saves the hassle of having to set up, configure, and maintain your own internal certificate authority
Key Management Service (KMS)
KMS helps create and manage cryptographic keys used for encrypting/decrypting data.
● It allows you to provide granular control over who has access to the keys
● Key rotation can be configured
CloudHSM
CloudHSM provides customers with a hardware security module in the cloud.
● All cryptographic keys are securely stored on the HSM, and they never exit the device
● Data is sent from the clients to the HSM for encryption/decryption
● Because all keys are securely stored on the HSM in a central location, it helps minimize the risk of keys getting leaked or stolen
Thankyou for reading !!!!!