Book Image

AWS Certified Security – Specialty Exam Guide

By : Stuart Scott

Book Image

AWS Certified Security – Specialty Exam Guide

By: Stuart Scott

Overview of this book

AWS Certified Security – Specialty is a certification exam to validate your expertise in advanced cloud security. With an ever-increasing demand for AWS security skills in the cloud market, this certification can help you advance in your career. This book helps you prepare for the exam and gain certification by guiding you through building complex security solutions. From understanding the AWS shared responsibility model and identity and access management to implementing access management best practices, you'll gradually build on your skills. The book will also delve into securing instances and the principles of securing VPC infrastructure. Covering security threats, vulnerabilities, and attacks such as the DDoS attack, you'll discover how to mitigate these at different layers. You'll then cover compliance and learn how to use AWS to audit and govern infrastructure, as well as to focus on monitoring your environment by implementing logging mechanisms and tracking data. Later, you'll explore how to implement data encryption as you get hands-on with securing a live environment. Finally, you'll discover security best practices that will assist you in making critical decisions relating to cost, security,and deployment complexity. By the end of this AWS security book, you'll have the skills to pass the exam and design secure AWS solutions.

Preface

Who this book is for

What this book covers

To get the most out of this book

Download the color images

Conventions used

Section 1: The Exam and Preparation

Section 1: The Exam and Preparation

Free Chapter

AWS Certified Security - Specialty Exam Coverage

AWS Certified Security - Specialty Exam Coverage

The aim of the certification

Intended audience

Domains assessed

Domain 1 – Incident response

Domain 2 – Logging and monitoring

Domain 3 – Infrastructure security

Domain 4 – Identity and Access Management (IAM)

Domain 5 – Data protection

Further reading

Section 2: Security Responsibility and Access Management

Section 2: Security Responsibility and Access Management

AWS Shared Responsibility Model

AWS Shared Responsibility Model

Technical requirements

Shared responsibility model for infrastructure services

Shared responsibility model for container services

Shared responsibility model for abstract services

Further reading

Access Management

Access Management

Technical requirements

Understanding Identity and Access Management (IAM)

Provisioning users, groups, and roles in IAM

Creating groups

Web identity federated roles

SAML 2.0 federated roles

Configuring Multi-Factor Authentication (MFA)

Further reading

Working with Access Policies

Working with Access Policies

Technical requirements

Understanding the difference between policy types

Identity-based policies

Resource-based policies

Permissions boundaries

Access Control Lists (ACLs)

Organization SCPs

Identifying policy structure and syntax

An example of policy structure

The structure of a resource-based policy

Configuring cross-account access

Creating a cross-account access role

Creating a policy to assume the cross-account role

Assuming the cross-account role

IAM policy management

Policy versions

Policy evaluation

Using bucket policies to control access to S3

Further reading

Federated and Mobile Access

Federated and Mobile Access

Technical requirements

What is AWS federated access?

Using SAML federation

Gaining federated access to the AWS Management Console

Using social federation

Gaining access using user and identity pools

Further reading

Section 3: Security - a Layered Approach

Section 3: Security - a Layered Approach

Securing EC2 Instances

Securing EC2 Instances

Technical requirements

Performing a vulnerability scan using Amazon Inspector

Installing the Amazon Inspector agent

Configuring assessment targets

Configuring an assessment template

Running an assessment

Viewing findings

Creating and securing EC2 key pairs

Creating key pairs

Creating key pairs during EC2 deployment

Creating key pairs within the EC2 console

Deleting a key using the EC2 console

Recovering a lost private key

Connecting to a Linux-based instance with your key pair

Connecting to a Windows-based instance with your key pair

Isolating instances for forensic investigation

AWS monitoring and logging services

Amazon CloudWatch

Using Systems Manager to administer EC2 instances

Creating resource groups in Systems Manager

Built-in insights

Session Manager

Use default patch baselines, or create your own

Organize instances into patch groups (optional)

Automate the patching schedule by using Maintenance Windows

Monitor patch status to ensure compliance

Further reading

Configuring Infrastructure Security

Configuring Infrastructure Security

Technical requirements

Understanding a VPC

Creating a VPC using the wizard

Understanding the VPC components

The Description tab

The Flow Logs tab

The Route Table and Network ACL tabs

Internet gateways

The Summary tab

The Subnet Associations tab

The Route Propagation tab

Network access control lists

The Details tab

The Inbound Rules and Outbound Rules tabs

The Subnet associations tab

Security groups

The Description tab

The Inbound Rules and Outbound Rules tabs

NAT instances and NAT gateways

Virtual private gateways

Building a multi-subnet VPC manually

Creating public and private VPCs

Creating an IGW

Creating a route table

Creating a NAT gateway

Creating security groups in our subnets

Creating a security group for instances in Public_Subnet

Creating a security group for instances in Private_Subnet

Creating EC2 instances in our subnets

Creating E2C instances in Private_Subnet

Creating E2C instances in Public_Subnet

Creating a route table for Private_Subnet

Creating an NACL for our subnets

Creating an NACL for the public subnet

Creating an NACL for the private subnet

Further reading

Implementing Application Security

Implementing Application Security

Technical requirements

Exploring AWS WAF

Creating a web ACL

Step 1 – describing the web ACL and associating it with AWS resources

Step 2 – adding rules and rule groups

Step 3 – setting rule priority

Step 4 – configuring metrics

Step 5 – reviewing and creating the web ACL

Using AWS Firewall Manager

Adding your AWS account to an AWS organization

Selecting your primary account to act as the Firewall Manager administrative account

Enabling AWS Config

Creating and applying an AWS WAF policy to AWS Firewall Manager

Managing the security configuration of your ELBs

Types of AWS ELBs

Managing encrypted requests

Requesting a public certificate using ACM

Securing your AWS API Gateway

Controlling access to APIs

IAM roles and policies

Resource policies

VPC endpoint policies

Lambda authorizers

Amazon Cognito user pools

Further reading

DDoS Protection

DDoS Protection

Technical requirements

Understanding DDoS and its attack patterns

DDoS attack patterns

Ping of death (PoD)

Protecting your environment using AWS Shield

The two tiers of AWS Shield

AWS Shield Standard

AWS Shield Advanced

Activating AWS Shield Advanced

Configuring AWS Shield Advanced

Selecting your resources to protect

Adding rate-based rules

Adding support from the AWS DDoS Response Team (DRT)

Additional services and features

Further reading

Incident Response

Incident Response

Technical requirements

Where to start when implementing effective IR

Making use of AWS features

Threat detection and management

Responding to an incident

A forensic AWS account

Collating log information

Resource isolation

Forensic instances

A common approach to an infrastructure security incident

Further reading

Securing Connections to Your AWS Environment

Securing Connections to Your AWS Environment

Technical requirements

Understanding your connection

Using an AWS VPN

Configuring VPN routing options

Configuring your security groups

Using AWS Direct Connect

Virtual interfaces

Controlling Direct Connect access using policies

Section 4: Monitoring, Logging, and Auditing

Section 4: Monitoring, Logging, and Auditing

Implementing Logging Mechanisms

Implementing Logging Mechanisms

Technical requirements

Implementing logging

Amazon S3 logging

Enabling S3 server access logging

S3 object-level logging

Implementing flow logs

Configuring a VPC flow log for a particular VPC subnet

Understanding the log file format

Understanding log file limitations

VPC Traffic Mirroring

Using AWS CloudTrail logs

Creating a new trail

Configuring CloudWatch integration with your trail

Understanding CloudTrail logs

Consolidating multiple logs from different accounts into a single bucket

Making your logs available to Amazon Athena

Using the CloudWatch logging agent

Creating new roles

Downloading and configuring the agent

Installing the agent on your remaining EC2 instances

Further reading

Auditing and Governance

Auditing and Governance

Technical requirements

What is an audit?

Understanding AWS Artifact

Accessing reports and agreements

Securing AWS using CloudTrail

Encrypting log files with SSE-KMS

Enabling log file validation

Understanding your AWS environment through AWS Config

Configuration items

Configuration streams

Configuration history

Configuration snapshot

Configuration recorder

AWS Config rules

Resource relationships

AWS Config role

The AWS Config process

Maintaining compliance with Amazon Macie

Classifying data using Amazon Macie

Support vector machine-based classifier

Amazon Macie data protection

AWS CloudTrail events

AWS CloudTrail errors

Section 5: Best Practices and Automation

Section 5: Best Practices and Automation

Automating Security Detection and Remediation

Automating Security Detection and Remediation

Technical requirements

Using CloudWatch Events with AWS Lambda and SNS

Detecting events with CloudWatch

Configuring a response to an event

Configuring cross-account events using Amazon CloudWatch

Using Amazon GuardDuty

Enabling Amazon GuardDuty

Performing automatic remediation

Using AWS Security Hub

Enabling AWS Security Hub

Security standards

Performing automatic remediation

Discovering Security Best Practices

Discovering Security Best Practices

Technical requirements

Common security best practices

Using AWS Trusted Advisor

Understanding the availability of AWS Trusted Advisor

Reviewing deviations using AWS Trusted Advisor

Penetration testing in AWS

Section 6: Encryption and Data Security

Section 6: Encryption and Data Security

Managing Key Infrastructure

Managing Key Infrastructure

Technical requirements

A simple overview of encryption

Symmetric encryption versus asymmetric encryption

Exploring AWS Key Management Service (KMS)

Understanding the key components of AWS KMS

Customer master keys

AWS-managed CMKs

Customer-managed CMKs

Data encryption keys (DEKs)

KMS key material

Importing your own key material

Using only key policies to control access

Using key policies in addition to IAM

Using key policies with grants

Exploring AWS CloudHSM

CloudHSM clusters

Creating a CloudHSM cluster

AWS CloudHSM users

Precrypto Office

AWS Secrets Manager

Further reading

Managing Data Security

Managing Data Security

Technical requirements

Amazon EBS encryption

Encrypting an EBS volume

Encrypting a new EBS volume

Encrypting a volume from an unencrypted snapshot

Re-encrypting a volume from an existing snapshot with a new CMK

Applying default encryption to a volume

Encryption at rest

Encryption in transit

Server-side encryption with S3-managed keys (SSE-S3)

Server-side encryption with KMS-managed keys (SSE-KMS)

Server-side encryption with customer-managed keys (SSE-C)

Client-side encryption with KMS-managed keys (CSE-KMS)

Client-side encryption with customer-managed keys (CSE-C)

Encryption at rest

Encryption in transit

Amazon DynamoDB

Encryption at rest

DynamoDB encryption options

Encryption in transit

Mock Tests

Assessments

Other Books You May Enjoy

Other Books You May Enjoy

Leave a review - let other readers know what you think

Customer Reviews

5 star

0

4 star

0

3 star

0

2 star

0

1 star

0

Client-side encryption with KMS-managed keys (CSE-KMS)

This diagram shows the six-step encryption process when using CSE-KMS:

Let's understand the process:

The client will use an AWS SDK and, in this example, the Java client, to request data keys from KMS using a specified CMK.
Using the CMK selected in step 1, KMS will then generate two data keys: a plaintext data key and a cipher blob of the first key.
KMS will then send these keys back to the requesting client.
The client will perform the encryption against the object data with the plaintext version of the data key and then store the resulting encrypted object.
The client then uploads the encrypted object data and the cipher blob version of the key created by KMS to S3.
The final stage involves the cipher blob key being stored as metadata against the encrypted object, maintaining a linked association.

This diagram shows the six-step decryption process when using CSE-KMS:

Let's understand the process:

A user...