Created
December 8, 2022 16:10
-
-
Save anthonykasza/973e4abc8fc27af1b59837d60c00b788 to your computer and use it in GitHub Desktop.
The Fundamentals of AWS Cloud Security
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
The Fundamentals of AWS Cloud Security | |
====================================== | |
AWS re:Inforce 2019, Becky Weiss | |
https://www.youtube.com/watch?v=-ObImxw1PmI | |
AWS IAM | |
------- | |
- identity and access | |
- grant entities (services or humans) permission to make API calls on behalf of you or your account | |
- every AWS service uses IAM to authenticate and authorize API calls | |
- IAM is also used for humans to log into the AWS web portal | |
- IAM supports federated identities using roles/principals - AWS IAM uses other credential providers (Active Director, Google, Facebook, Twitter, etc) | |
- IAM roles operate using tokens (short-term, auto-expiring credentials) | |
- IAM roles can also be used across AWS accounts, permissions need adjusted within both accounts (resource-based policies, attached to the resource instead of the principal, allow this) | |
- API calls are signed using the secret portion of IAM credentials | |
- AWS-managed policies are permissions applied to roles which permit the role to do some thing/task | |
- IAM policies include 1 or more Statements which can include: Effect (allow or deny), Actions (can be wildcarded), Resources (what can you take an action again, can also be wildcarded), Conditions (finer grained conditional policies) | |
- AWS Organizations helps to create OU trees and groups | |
AWS KMS | |
------- | |
- data encryption/decryption at rest | |
- integrates with a ton of AWS services (including S3) to handle data encryption/decryption | |
AWS VPC | |
------- | |
- network/subnet/traffic based security | |
- your virtual network for your infrastructure in the cloud | |
- AWS regions are physically isolated regions with multiple zones (fault domains). VPCs can span AZs in a region | |
- VPCs can be subnetted into public and private subnets | |
- security groups are stateful firewalls (ingress/egress rules) that can be applied to subnets within VPCs | |
- routing: public subnets can route to the public Internet, private subnets cannot route to the public Internet. just because a public subnet has a route to the public internet doesn't mean it can reach the Internet (such as in the case where the subnet has a security group applied to it which restricts traffic) | |
- VPC endpoint is the binding of a local IP address in a subnet to an AWS service (which is typically only accessible via a publicly routable IP address). it allows for private subnets to use AWS services which are only reachable via the Internet. A VPC endpoint for CloudWatch, for example, will allow a private subnet in a VPC to send logs to CloudWatch (even overwriting the DNS name in the subnet so CloudWatch's names resolve to the VPC endpoint local IP address) | |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment