AWS Security Specialty


119 Terms

1

Service that offers ML baselining and anomaly detection

GuardDuty is an AWS threat detection service that continuously monitors for malicious or unauthorized behavior to help protect your AWS accounts and workloads.

2

GuardDuty input data sources

  • VPC Flow Logs

  • CloudTrail logs

  • DNS logs

3

Notifications in GuardDuty

EventBridge is used to send alerts and notifications based on findings, often with SNS.

4

Which AWS service has a dedicated rule to protect against CryptoCurrency attacks?

Amazon GuardDuty

5

Optional GuardDuty input data sources

  • S3 Data Events

  • EBS Volume Events

  • Lambda Network Activity

  • RDS and Aurora Login Activity

  • EKS Audit Logs and Runtime Monitoring

6

T/F: You can manage multiple accounts in GuardDuty

True, you can manage multiple accounts in GuardDuty using AWS Organizations.

7

Amazon GuardDuty Findings naming conventions

ThreatPurpose:ResourceTypeAffected/ThreatFamilyName.DetectionMechanism!Artifact

  • ThreatPurpose - primary purpose of the threat (ex: Backdoor, CryptoCurrency)

  • ResourceTypeAffected - which AWS resource is the target (ex: EC2, S3)

  • ThreatFamilyName - describes the potential malicious activity (ex: NetworkPortUnusual)

  • DetectionMechanism - means by which GuardDuty detected the finding (ex: TCP, UDP)

8

AWS service used as central security tool to manage security across multiple AWS accounts and automate security checks

AWS Security Hub

9

AWS Security Hub depends on enabling which other AWS service?

AWS Config

10

AWS Security Hub data sources

  • Macie

  • GuardDuty

  • Inspector

  • Config

  • Firewall Manager

  • IAM Access Analyzer

  • Systems Manager

  • AWS Health

11

T/F: AWS Security Hub can aggregate findings across regions

True, AWS Security Hub can aggregate findings across multiple regions, providing a centralized view of security alerts.

12

AWS Security Hub supports the following security standards

  • CIS AWS Foundations

  • PCI DSS

  • AWS Foundational Security Best Practices

13

Format that GuardDuty uses to communicate findings to Security Hub

AWS Security Finding Format (ASFF)

14

T/F: Security Hub supports custom actions

True

15

AWS service that provides root cause analysis in response to a finding in GuardDuty

Amazon Detective

16

AWS services that you can penetration test without prior approval from AWS

  • EC2 instances, NAT Gateways, and ELBs

  • RDS

  • CloudFront

  • Aurora

  • API Gateways

  • Lambda and Lambda Edge Functions

  • Lightsail resources

  • Elastic Beanstalk environments

17

Prohibited penetration testing activities

  • DNS zone walking via Route 53 hosted zones

  • DDoS

  • Port flooding

  • Protocol flooding

  • Request flooding

18

Can you perform DDoS against your own AWS infrastructure?

No, DDoS must be performed by an approved AWS DDoS Test Partner.

  • Attacks MUST NOT originate from AWS resources

  • Attacks MUST NOT exceed 20 GB/s

  • Attacks must NOT exceed 5 million packets/second for CloudFront and 50,000 packets/second for any other service

19

Steps to address compromised EC2 instance

  • Capture instance’s metadata

  • Enable Termination Protection

  • Isolate the instance (replace instance’s SG - no outbound traffic authorized)

  • Detach instance from any ASGs (suspend ASG processes)

  • Deregister instance from any ELB

  • Snapshot EBS volumes for deeper analysis

  • Tag EC2 instance with investigation ticket number if applicable

  • Automate this isolation with Lambda

  • Automate memory capture with SSM Run Command

20

Steps to address compromised S3 bucket

  • Identify compromised S3 bucket using GuardDuty

  • Identify the source of the malicious activity (ex: IAM user, role) and the API calls using CloudTrail or Amazon Detective

  • Identify whether the source was authorized to make those API calls

  • Secure S3 bucket with recommended settings:

    • S3 block public access settings

    • S3 bucket policies and user policies

    • VPC endpoints for S3

    • S3 pre-signed URLs

    • S3 Access Points

21

Steps to address compromised ECS cluster

  • Identify the affected ECS Cluster using GuardDuty

  • Identify the source of the malicious activity (ex: container image, tasks)

  • Isolate the impacted tasks

    • Deny all ingress/egress traffic using security groups

  • Evaluate the presence of malicious activity such as malware

22

Steps to address compromised RDS database instance

  • Identify the affected DB instance and DB user using GuardDuty

  • If it is NOT legitimate behavior:

    • Restrict network access (SGs and NACLs)

    • Restrict DB access for the suspected DB user

    • Rotate the suspected DB user’s passwords

    • Review DB Audit Logs to identify leaked data

    • Secure your RDS DB instance

      • Use Secrets Manager to rotate DB passwords

      • Use IAM DB Authentication to manage DB users’ access without passwords

23

Steps to address compromised AWS credentials

  • Identify the affected IAM user using GuardDuty

  • Rotate the exposed AWS credentials

  • Invalidate temporary credentials by attaching an explicit Deny policy to the affected IAM user with an STS date condition

  • Check CloudTrail logs for other unauthorized activity with the credentials

24

Steps to address compromised IAM role

  • Identify the affected IAM role using GuardDuty

  • Invalidate temporary credentials by attaching an explicit Deny policy to the affected IAM role with an STS date condition

  • Revoke access for the identity to the linked AD if any

  • Check CloudTrail logs for other unauthorized activity with the role

25

Steps to address compromised AWS account

  • Rotate and delete exposed AWS access keys

  • Rotate and delete any unauthorized IAM user credentials (rotate existing IAM users’ passwords)

  • Rotate and delete all EC2 key pairs

  • Check CloudTrail logs for other unauthorized activity

26

T/F: Deleting an EC2 key pair from the EC2 console automatically deletes that key pair from the running instance

False: the key remains on the running instance’s root volume

27

Steps to address compromised EC2 key pairs

  • Remove all public keys in ~/.ssh/authorized_keys on EC2 instances

  • Create a new key pair and add its public key to all EC2 instances

  • Automate this with SSM Run Command

28

Agent-based means of connecting to an EC2 instance via browser session

EC2 Instance Connect

29

How does EC2 Instance Connect facilitate a secure connection?

The EC2 Instance Connect API pushes a temporary public key to the instance metadata that is valid for 60 seconds

EC2 instance’s security group must also have a rule to allow inbound SSH traffic (TCP port 22) from Instance Connect’s IP range

30

Tool for troubleshooting EC2 issues such as boot, reboots, or network configuration

EC2 Serial Console

  • Functions as if you have access directly to the instance’s serial port with a mouse/keyboard

  • Does NOT require network capabilities

  • Supported by Nitro-based EC2 instances

  • Must set up an OS user and password

  • Disabled by default

  • Only one active session per EC2 instance

31

EC2Rescue Tool for Windows Server use cases

  • Instance connectivity issues

  • OS boot issues

  • Gather OS logs and configuration files

  • Common OS issues

  • Perform a restore

32

EC2Rescue Tool for Linux use cases

  • Collect system utilization reports

    • vmstat, iostat, mpstat

  • Collect logs and details

    • syslog, dmesg, application error logs, SSM logs

  • Detect system problems

    • Asymmetric routing or duplicate root device labels

  • Automatically remediate system problems

33

Activities prohibited by AWS Acceptable Use Policy

  • Illegal or fraudulent activity

  • Violate the rights of others

  • Threaten terrorism, violence, or other harm

  • Child sexual abuse content or activity

  • Violate the security, integrity, or availability of other networks and computers

34

Form used to report unacceptable use of AWS resources by others

AWS Abuse Report

35

IAM security auditing features

IAM Credentials Report (account-level)

  • Lists all of your account’s users and the status of their various credentials

IAM Access Advisor (user-level)

  • Access advisor shows the service permissions granted to a user and when those services were last accessed

  • You can use this information to revise your policies

36

Service that helps list resources that are shared externally

IAM Access Analyzer

37

IAM Access Analyzer data sources

  • S3 buckets

  • IAM roles

  • KMS keys

  • Lambda functions and layers

  • SQS queues

  • Secrets Manager Secrets

38

AWS service capable of running automated security assessments on EC2 instances via installed agent

Amazon Inspector

  • Pipes findings to Security Hub and EventBridge

39

Amazon Inspector use cases for EC2

  • Leverages the AWS Systems Manager agent

  • Analyze against unintended network access

  • Analyze the running OS against known vulnerabilities

40

Amazon Inspector data source services

EC2, ECR, and Lambda

41

Common AWS service logs for troubleshooting

  • CloudTrail trails - trace all API calls

  • Config Rules - config changes and compliance over time

  • CloudWatch logs - for service metrics

  • VPC Flow logs - all IP traffic within a VPC

  • ELB Access logs - metadata of requests made to load balancers

  • CloudFront logs - Web distribution access logs

  • WAF logs - logging of all requests analyzed by the WAF service

42

AWS service capable of managing a fleet of EC2s and On-Premise systems at scale

AWS Systems Manager

43

AWS service capable of collecting metadata from all of your managed instances

AWS SSM Inventory

metadata includes:

  • installed software

  • OS drivers

  • installed updates

  • configurations

  • running services

44

AWS service that automates the process of keeping your managed instances in a desired state

AWS SSM State Manager

  • bootstrap instances with software

  • patch OS / software

45

AWS service that facilitates a secure shell with EC2 instances or on-premise servers

AWS SSM Session Manager

  • No need for SSH access, bastion hosts, or SSH key methods

46

CloudWatch Logs data sources

  • SDK, CloudWatch Logs Agent, CloudWatch Unified Agent

  • Elastic Beanstalk

  • ECS

  • Lambda

  • VPC Flow logs

  • API Gateway

  • CloudTrail (based on filter)

  • Route 53: Log DNS queries

47

Feature that allows you to configure an alert based on multiple CloudWatch metrics

CloudWatch Composite alarms

48

Supported Amazon Athena formats

  • CSV

  • JSON

  • ORC

  • Avro

  • Parquet

49

Feature to adapt Amazon Athena to other data sources

Federated Query

  • Uses Data Source Connectors that run on Lambda to run federated queries (ex: CloudWatch Logs, DynamoDB, RDS)

50

Feature of CloudTrail that allows you to ensure that a log file hasn’t been tampered with

Log File Integrity Validation

51

AWS service capable of identifying sensitive data and PII in raw datasets

Amazon Macie

52

Types of traffic not captured by VPC Flow logs

  • Traffic to Amazon DNS server

  • Traffic for Amazon Windows license activation

  • Traffic to and from 169.254.169.254 for EC2 instance metadata

  • Traffic to and from 169.254.169.254 for Amazon Time Sync service

  • DHCP traffic

  • Mirrored traffic

  • Traffic to the VPC router reserved IP address (ex: 10.0.0.1)

  • Traffic between VPC Endpoint ENI and Network Load Balancer ENI

53

Feature for observing network traffic in your VPC with minimal overhead

VPC Traffic Mirroring

  • Selectively forward desired packets to a second destination for analysis without impacting performance of base application

54

AWS service designed to help you understand potential network paths to/from your resources

VPC Network Access Analyzer

55

AWS service used in conjunction with other data sources to allow for advanced querying of any fields, as well as partial matches

Amazon OpenSearch Service

  • Often integrated with data sources via Lambda (real time) and Kinesis Firehose (near real time)

56

AWS feature commonly used to SSH into private subnet instances

Bastion Hosts

57

Site-to-Site VPN exam notes

  • Configure Virtual Private Gateway at edge of VPC

  • Configure Customer Gateway at edge of on-prem with public IP

  • Point VPG to the public IP of the Customer Gateway

  • IF it’s behind a NAT Traversal-enabled device, use the public IP address of the NAT device instead of the public IP of the Customer Gateway

58

AWS service that enables you to connect to your private AWS and on-prem network using OpenVPN from your computer

AWS Client VPN (depends on AWS Site-to-Site VPN)

59

AWS Client VPN authentication types

  • Active Directory authentication

  • Mutual authentication (certificate-based)

  • Single Sign-On (SAML based identity providers)

60

DNS Resolution in VPC exam notes

DNS Resolution (enableDnsSupport)

  • Decides if DNS resolution from Route 53 Resolver server is supported for the given VPC

  • True by default

DNS Hostnames (enableDnsHostnames)

  • Assigns public hostname to an EC2 instance if it has a public IPv4

  • True by default

61

Feature for connecting a private network to AWS services without using the public internet

VPC Endpoints

  • Endpoint Gateway - used for S3 and DynamoDB

  • Endpoint Interface - all services

  • Exists as an ENI in the VPC

  • VPC Endpoint Policies can be applied to restrict specific API calls on specific resources

62

VPC Gateway Endpoint exam notes

  • Only works for S3 and DynamoDB

  • Must create ONE gateway per VPC

  • Depends on route table entries (no security groups)

  • DNS resolution must be enabled in the VPC

  • Cannot be extended outside of VPC

    • no VPNs

    • no Direct Connect

    • no Transit Gateway

    • no peering

63

VPC Interface Endpoint exam notes

  • Leverages security groups

  • Uses private DNS

  • Can be accessed from Direct Connect and Site-to-Site VPN, unlike Endpoint Gateways

64

AWS PrivateLink exam notes

  • What VPC Endpoint services are built upon

  • Does not require VPC peering, internet gateway, NAT, route tables, etc.

  • Requires an NLB or Gateway Load Balancer in service VPC

  • Requires an ENI in customer VPC with consuming application

65

T/F: Updated security group rules are applied to existing connection

False: security groups will maintain existing connections until they time out

66

Only service in AWS that supports IP Multicast

AWS Transit Gateway

67

Is CloudFront Geo Restriction country-based or location-based?

Country-based

68

Feature that enables you to encrypt sensitive traffic at the edge close to the user

CloudFront Field Level Encryption

example: Encrypt a credit card number in a payload so that only the EC2 processing it at the very end has the means to decrypt and read it (requires custom application logic)

69

CloudFront OAI vs OAC

Origin Access Identity (deprecated)

  • doesn’t natively support SSE-KMS, only SSE-S3

  • Uses Lambda@Edge to sign requests from CloudFront to S3

Origin Access Control (modern)

  • Natively supports SSE-KMS integration

    • Just add a statement for the OAC to the KMS key policy

70

AWS WAF exam notes

  • Protects your web app from layer 7 attacks

  • Deploy on ALBs, API Gateway, CloudFront, or AppSync

  • WAF is NOT for DDoS protection

71

AWS Shield exam notes

AWS Shield Standard

  • Free service

  • Protects against layer 3/4 attacks (SYN/UDP floods, reflection attacks, etc.)

AWS Shield Advanced

  • $3000/month

  • Protects against more sophisticated attacks on

    • EC2, ELB, CloudFront, Global Accelerator, and Route 53

  • 24/7 access to the AWS DDoS response team

  • Protects against higher fees due to usage spikes from DDoS

  • Automatically creates, evaluates, and deploys WAF rules to mitigate layer 7 attacks

72

AWS Firewall Manager exam notes

Manage rules in all accounts of an AWS organization

  • Policies are applied at the region level

  • Rules are automatically applied to new resources as they’re created in the Organization

  • $100 per policy per month

Commonly managed rules:

  • WAF

  • AWS Shield Advanced

  • Security Groups for EC2

  • ALBs and ENIs for VPC resources

  • AWS Network Firewalls (VPC level)

  • Route 53 Resolver DNS Firewall

73

Shield Advanced CloudWatch metrics

  • DDoSDetected

  • DDoSAttackBitsPerSecond

  • DDoSAttackPacketsPerSecond

74

API Gateway endpoint types

  • Edge Optimized (default)

    • For global clients

    • Requests are routed through CloudFront edge locations

    • API Gateway still lives in only one region

  • Regional

    • For clients within the same region

    • Could manually combine with CloudFront for more control over caching and distribution strategies

75

API Gateway throttling limit

10,000 requests/second across all APIs

  • This is a soft limit that can be increased upon request

76

AWS Artifact exam notes

Portal that provides you with on-demand access to AWS compliance documentation

  • AWS ISO certifications

  • Payment Card Industry (PCI)

  • System and Organization Control

  • Business Association Addendum agreements

  • HIPAA

77

Route 53 DNSSEC exam notes

  • Protocol for securing DNS by verifying DNS data integrity and origin

  • Works only with public Hosted Zones

  • Involves 2 keys

    • Key-signing key (KSK) managed by YOU

    • Zone-signing key (ZSK) managed by R53

78

Steps to enable DNSSEC on a hosted zone

Step 1 - Prepare for DNSSEC signing

  • Lower TTL for records (recommended 1 hour)

  • Lower SOA minimum to 5 minutes

Step 2 - Enable DNSSEC signing and create a KSK

  • Enable DNSSEC in R53 for your hosted zone

  • Create a R53 KSK in the console and link it to a Customer managed CMK

Step 3 - Establish chain of trust

  • Create a chain of trust between the hosted zone and the parent hosted zone

  • By creating a Delegation Signer (DS) record in the parent zone

  • The DS record contains a hash of the public key used to sign DNS records

  • Your registrar can be R53 or a 3rd party registrar

Step 4 - Monitor for errors using CloudWatch Alarms

  • Create CloudWatch alarms for DNSSECInternalFailure and DNSSECKeySigningKeyNeedingActions

79

AWS Network Firewall exam notes

  • Protect your entire VPC

  • From layer 3 to layer 7

  • Inspects traffic in any direction:

    • VPC to VPC traffic

    • Outbound to internet

    • Inbound from internet

    • To / from Direct Connect and Site-to-Site VPN

80

IAM feature used to restrict which permissions can even be granted to a user or role

IAM Permission Boundaries

  • Often used in combination with Organizations SCPs

  • Good for allowing developers to self-assign certain permissions as needed without over-privileging themselves

81

IAM Credentials Report exam notes

  • Report of IAM users and the status of their passwords, access keys, and MFA devices

  • Download using IAM Console, AWS API, AWS CLI, or AWS SDK

  • Helps with auditing and compliance tasks

  • Generated as often as once every 4 hours

82

Managing aged access keys through AWS Config Remediations

  • Configure AWS Config access-keys-rotated rule to trigger key rotation for keys older than 90 days

  • Configure SSM Automation to actually rotate the access keys

83

AWS service capable of granting temporary security tokens to access AWS resources

Security Token Service (STS)

  • Tokens are valid for up to 1 hour and then must be refreshed

  • AssumeRole

  • AssumeRoleWithSAML - returns credentials for users logged in with SAML

  • AssumeRoleWithWebIdentity - Returns credentials for users logged in with an IdP

    • AWS recommends using Cognito over this though

84

STS v1 vs v2

STS v1 is a global construct where all requests are made to https://sts.amazonaws.com

  • Only supports AWS regions that are enabled by default

  • Option to enable “All Regions”

STS v2 has an endpoint in each AWS region, including regions that aren’t enabled by default

  • This comes with the benefits of:

    • reduced latency

    • built-in redundancy

  • Tokens fetched from 1 region are still valid in other regions

85

IMDSv1 vs IMDSv2

IMDSv1 is the typical instance metadata accessed on an EC2 instance at http://169.254.169.254/latest/meta-data

IMDSv2 is more secure:

86

How to regain access to locked S3 buckets?

Use your AWS account root user to delete the bucket policy

87

Feature that allows you to define access to a subset or view of a bucket

S3 Access Points

  • Can also be used to define private access from a specific VPC via VPC Endpoint (Gateway or Interface)

  • Can be configured as multi-region

88

CORS exam notes

Cross-Origin Resource Sharing (CORS)

  • Origin = protocol + domain + port (example: https://www.example.com:443)

  • CORS is a mechanism to allow requests to other origins while visiting the main origin

89

Amazon S3 CORS exam notes

If a client needs to make a cross-origin request to our S3 bucket, then we must enable CORS headers on the S3 bucket

90

Cognito User Pools (CUP) exam notes

  • Serverless database of users for web and mobile apps

  • Simple username/email and password logins

  • MFA support

  • Support federated identities via Facebook, Google, SAML, etc

  • Has a feature to automatically block users if their credentials are found to be compromised elsewhere

  • User Pool Groups can be used to logically group users within a pool

    • Users can be in multiple groups

    • IAM roles can be applied to groups

    • NO NESTED GROUPS

91

Cognito Identity Pools (Federated Identities) exam notes

  • Get identities for users so they obtain temporary AWS credentials

92

AWS IAM Identity Center exam notes

  • Successor to AWS Single Sign-On

  • One login (single sign-on) for all your

    • AWS accounts in AWS Organizations

    • External cloud applications (Salesforce, MS365)

    • Any SAML 2.0-enabled application

  • Identities can be stored in IAM Identity Center

    • OR a 3rd party like Active Directory or Okta

93

AWS Directory Services exam notes

AWS Managed Microsoft AD

  • Create your own AD in AWS

  • Deployed into a VPC

  • Multi-AZ deployment

  • Automated multi-region replication of your directory

  • Automated backups

AD Connector

  • Proxy to redirect to on-premises AD

  • Supports MFA

  • Users are managed on the on-premise AD

  • Dependent on Direct Connect or VPN connection

  • Supports replication from on-prem to AWS

    • By deploying Microsoft AD on an EC2 and replicating to that

Simple AD

  • AD-compatible managed directory on AWS

  • Cannot be joined with on-premises AD

  • Does NOT support MFA

  • Cheaper

94

Encryption exam notes

Encryption in flight

  • depends on HTTPS, which depends on TLS/SSL certificates

Server-side encryption at rest

  • Data is encrypted after being received by the server

  • It’s stored in an encrypted form

  • Keys must be managed somewhere that server can access them

Client-side encryption

  • Data is encrypted by the client and never decrypted by the server

95

CloudHSM exam notes

When using KMS, AWS manages the software for encryption

When using CloudHSM, AWS provisions encryption hardware

  • Manage your own keys entirely

  • HSM device is FIPS 140-2 Level 3 compliant

  • Supports both symmetric and asymmetric encryption

  • Integrates with Redshift for database encryption and key management

  • Good option for use with SSE-C encryption

96

Common KMS encryption use cases

  • Amazon EBS - encrypt volumes

  • Amazon S3 - server side encryption of objects

  • Amazon Redshift - encryption of data

  • Amazon RDS - encryption of data

  • Amazon SSM - Parameter Store

97

KMS Encryption Types

Symmetric (AES-256 keys)

  • First offering of KMS

  • Single key is used for both encryption and decryption

  • Necessary for envelope encryption

  • You never get access to the actual key, you can only interact with it via the KMS API

Asymmetric (RSA and ECC key pairs)

  • Public (encrypt) and private key (decrypt) pair

  • Used for Encrypt/Decrypt, or Sign/Verify operations

  • The public key is downloadable, but you can’t access the Private Key unencrypted

    • Use Case: enables encryption outside of AWS by users who can’t call the KMS API

98

KMS Key Types

Customer Managed Keys

  • Still capable of rotation policy (new key generated every year, old key preserved)

  • Can still add a Key Policy (resource policy) and audit in CloudTrail

  • Leverage for envelope encryption

AWS Managed Keys

  • Used by AWS services like S3, EBS, and Redshift

  • Managed by AWS and automatically rotated every year

  • Does NOT support on-demand rotation

AWS Owned Keys

  • Created and managed by AWS, used by some AWS services to protect your resources

    • Basically entirely abstracted away from the user

99

KMS Key Material Origins

  • Identifies the source of the key material in the KMS key

  • CANNOT be changed after creation

KMS (AWS_KMS) - default

  • AWS KMS creates and manages the key material in its own key store

External (EXTERNAL)

  • You import the key material into the KMS key

  • You’re responsible for securing and managing this key material outside of AWS

Custom Key Store (AWS_CLOUDHSM)

  • AWS KMS creates the key material in a custom key store within your CloudHSM cluster

100

KMS Multi-Region Keys exam notes

  • Set of identical KMS keys in different AWS regions

  • Can be used interchangeably

  • Can encrypt in one region and decrypt in another

  • KMS Multi-Region keys are NOT global, they use a ‘primary + replicas’ pattern

  • Only one primary key at a time, but replicas can be promoted to primary

  • Common use case for DynamoDB Global Tables and Global Aurora