vBrownBag AWS Solutions Architect Associate Exam Domain 3.0 – Data Security Sept 5, 2016 Anthony Chow Twitter: @vCloudernBeer Blog: http://cloudn1n3.blogspot.com/

V brownbag sept-14-2016

Apr 12, 2017

Anthony Chow
Transcript
Page 1: V brownbag sept-14-2016

vBrownBagAWS Solutions Architect Associate

ExamDomain 3.0 – Data Security

Sept 5, 2016

Anthony ChowTwitter: @vCloudernBeer

Blog: http://cloudn1n3.blogspot.com/

Page 3: V brownbag sept-14-2016

Domain 3.0: Data Security

3.1: Recognize and implement secure practices for optimum cloud deployment and maintenance

3.2: Recognize critical disaster recovery techniques and their implementation

Page 4: V brownbag sept-14-2016

Domain 3.1

Page 5: V brownbag sept-14-2016

• vBrownBag
• A Cloud Guru (https://acloud.guru/)
• Cloud Academy (https://cloudacademy.com/)
• Linux Academy (https://linuxacademy.com/)
• Amazon Web Services:
  – https://aws.amazon.com/security/
  – AWS channel on YouTube (https://www.youtube.com/user/AmazonWebServices)
  – Whitepapers from AWS (https://aws.amazon.com/whitepapers/)

Study Resources for Domain 3

Page 6: V brownbag sept-14-2016

https://aws.amazon.com/whitepapers/
• Introduction to AWS Security Process
• Introduction to AWS Security
• AWS Security Best Practices
• Overview of Security Processes
• Overview of AWS Security – Compute Services
• Overview of AWS Security – Storage Services
• AWS Risk and Compliance Whitepaper

Whitepapers from AWS

Page 7: V brownbag sept-14-2016

Protection of data and systems - the CIA triad:
• Confidentiality
• Integrity
• Availability

Security best practices cover data in each of its states:
• Data in use
• Data in transit
• Data at rest

Security Basics

Page 8: V brownbag sept-14-2016

Image source: https://d0.awsstatic.com/logos/compliance/shared_responsibility.jpg

AWS Shared Security Responsibilities

Page 9: V brownbag sept-14-2016

Image source: image.slidesharecdn.com/awscsaassociate-06-07-141204234102-conversion-gate01/95/aws-csa-associate-0607-19-638.jpg?cb=1417736585

AWS Built-in Security Features

Page 10: V brownbag sept-14-2016

AWS – Overview of Security Process

Page 11: V brownbag sept-14-2016

https://aws.amazon.com/compliance/

Written approval is a MUST if a customer wants to perform a pen test on their instances (the policy in force when this deck was written; AWS has since exempted a list of services from prior approval, so check the current AWS penetration testing policy before testing).

Image source: https://d0.awsstatic.com/security-center/AwsCompliancePrograms.jpg

AWS Platform Compliance

Page 12: V brownbag sept-14-2016

Image source: http://image.slidesharecdn.com/awsiam-security-150921011122-lva1-app6891/95/aws-iam-and-security-3-638.jpg?cb=1442798167

AWS – Identity and Access Management (IAM)

Page 13: V brownbag sept-14-2016

Image source: http://docs.aws.amazon.com/AmazonVPC/latest/GettingStartedGuide/ExerciseOverview.html

AWS Virtual Private Cloud (VPC)

Page 14: V brownbag sept-14-2016

• By default, security groups allow all outbound traffic.

• Security group rules are always permissive; you can't create rules that deny access. Traffic that matches no allow rule is simply dropped (implicit deny).

• You can add and remove rules at any time. You can't change the outbound rules for EC2-Classic. If you're using the Amazon EC2 console, you can modify existing rules, and you can copy the rules from an existing security group to a new security group.

• When you add or remove rules, your changes are automatically applied to the instances associated with the security group after a short period, depending on the connection tracking for the traffic. For more information, see Connection Tracking.

• Security groups are stateful: if you send a request from your instance, the response traffic for that request is allowed to flow in regardless of inbound security group rules. For VPC security groups, this also means that responses to allowed inbound traffic are allowed to flow out, regardless of outbound rules. For more information, see Connection Tracking.

AWS VPC – Security Groups (http://docs.aws.amazon.com/AWSEC2/latest/UserGuide/using-network-security.html)

Page 15: V brownbag sept-14-2016

• Rule number. Rules are evaluated starting with the lowest numbered rule. As soon as a rule matches traffic, it's applied regardless of any higher-numbered rule that may contradict it. Traffic that matches no numbered rule hits the implicit final rule (*) and is denied.

• Protocol. You can specify any protocol that has a standard protocol number. For more information, see Protocol Numbers. If you specify ICMP as the protocol, you can specify any or all of the ICMP types and codes.

• [Inbound rules only] The source of the traffic (CIDR range) and the destination (listening) port or port range.

• [Outbound rules only] The destination for the traffic (CIDR range) and the destination port or port range.

• Choice of ALLOW or DENY for the specified traffic.

• Network ACLs are stateless: return traffic is not tracked, so replies must be allowed explicitly by a rule in the opposite direction, typically covering the ephemeral port range (1024-65535).

AWS VPC Security – Network ACL (http://docs.aws.amazon.com/AmazonVPC/latest/UserGuide/VPC_ACLs.html)

Page 16: V brownbag sept-14-2016

Image source: http://docs.aws.amazon.com/AmazonVPC/latest/UserGuide/VPC_Security.html

Comparison of Security Group and ACL
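The two slides above describe security groups and network ACLs in words. As an added example (not from the deck and not AWS code), the Python below models how one packet is judged by a subnet's NACL and then by an instance's security group: the NACL is stateless and first-match by rule number with an implicit final deny, the security group is stateful and allow-only. The `Packet`, `SGRule` and `NACLRule` classes, the rule sets and the addresses are constructed for illustration; route tables are left out.

```python
"""Model of VPC packet filtering: a stateless, ordered network ACL on the
subnet and a stateful, allow-only security group on the instance.
Added example; rule sets and addresses are constructed, not real."""
from dataclasses import dataclass
import ipaddress


@dataclass(frozen=True)
class Packet:
    src_ip: str
    dst_ip: str
    proto: str              # "tcp", "udp" or "icmp"
    dst_port: int           # ignored for icmp
    direction: str          # "inbound" or "outbound", relative to the instance
    is_reply: bool = False  # answers a connection the instance already tracks


@dataclass(frozen=True)
class SGRule:               # security groups only have allow rules
    proto: str              # "tcp", "udp", "icmp" or "all"
    port_from: int
    port_to: int
    cidr: str


@dataclass(frozen=True)
class NACLRule:
    number: int             # evaluation order: lowest number first
    proto: str
    port_from: int
    port_to: int
    cidr: str
    action: str             # "allow" or "deny"


def _matches(proto, port_from, port_to, cidr, pkt):
    """Shared match test: protocol, destination port range and the remote
    address (source for inbound packets, destination for outbound ones)."""
    if proto != "all" and proto != pkt.proto:
        return False
    if pkt.proto != "icmp" and not port_from <= pkt.dst_port <= port_to:
        return False
    peer = pkt.src_ip if pkt.direction == "inbound" else pkt.dst_ip
    return ipaddress.ip_address(peer) in ipaddress.ip_network(cidr)


def evaluate_sg(inbound, outbound, pkt):
    """Stateful and permissive: tracked replies pass regardless of rules;
    otherwise any one matching allow rule admits the packet and anything
    unmatched is dropped. There is no deny rule to write."""
    if pkt.is_reply:
        return "allow"
    rules = inbound if pkt.direction == "inbound" else outbound
    if any(_matches(r.proto, r.port_from, r.port_to, r.cidr, pkt) for r in rules):
        return "allow"
    return "deny"


def evaluate_nacl(inbound, outbound, pkt):
    """Stateless and ordered: rules are tried in ascending number, the first
    match decides, and the implicit final rule (*) denies. A reply is just
    another packet, so the opposite direction needs its own allow rule."""
    rules = inbound if pkt.direction == "inbound" else outbound
    for r in sorted(rules, key=lambda rule: rule.number):
        if _matches(r.proto, r.port_from, r.port_to, r.cidr, pkt):
            return r.action
    return "deny"


def evaluate(sg_in, sg_out, nacl_in, nacl_out, pkt):
    """A packet must be allowed by both the subnet NACL and the instance SG."""
    if (evaluate_nacl(nacl_in, nacl_out, pkt) == "allow"
            and evaluate_sg(sg_in, sg_out, pkt) == "allow"):
        return "allow"
    return "deny"


# Constructed rule sets for a web tier in 10.0.1.0/24 behind a custom NACL.
SG_IN = [SGRule("tcp", 443, 443, "0.0.0.0/0"),
         SGRule("tcp", 22, 22, "10.0.0.0/8")]
SG_OUT = [SGRule("all", 0, 65535, "0.0.0.0/0")]           # the default outbound rule
NACL_IN = [
    NACLRule(90, "tcp", 22, 22, "203.0.113.0/24", "deny"),     # a blocked scanner range
    NACLRule(100, "tcp", 443, 443, "0.0.0.0/0", "allow"),
    NACLRule(110, "tcp", 22, 22, "0.0.0.0/0", "allow"),        # 90 is evaluated before this
    NACLRule(120, "tcp", 1024, 65535, "0.0.0.0/0", "allow"),   # replies to our outbound calls
]
NACL_OUT = [
    NACLRule(100, "tcp", 1024, 65535, "0.0.0.0/0", "allow"),   # replies to inbound 443/22
    NACLRule(110, "tcp", 443, 443, "0.0.0.0/0", "allow"),      # outbound HTTPS calls
]

if __name__ == "__main__":
    for pkt in (Packet("198.51.100.7", "10.0.1.5", "tcp", 443, "inbound"),
                Packet("203.0.113.9", "10.0.1.5", "tcp", 22, "inbound"),
                Packet("198.51.100.7", "10.0.1.5", "tcp", 8080, "inbound"),
                Packet("10.0.1.5", "198.51.100.7", "tcp", 51515, "outbound", True)):
        print(pkt.direction, pkt.proto, pkt.dst_port,
              "nacl=" + evaluate_nacl(NACL_IN, NACL_OUT, pkt),
              "sg=" + evaluate_sg(SG_IN, SG_OUT, pkt),
              "=>", evaluate(SG_IN, SG_OUT, NACL_IN, NACL_OUT, pkt))
```

Two cases are worth tracing by hand: SSH from 203.0.113.9 is denied by NACL rule 90 even though rule 110 would allow it, because the lowest matching number wins; and an inbound packet to port 8080 passes the NACL through the ephemeral-port rule 120 and is only stopped by the security group, which is why the two layers are normally used together.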

Page 17: V brownbag sept-14-2016

• IP address assignment
• API access
• Subnets and route tables
• Security groups
• Network Access Control Lists (NACLs)
• Virtual Private Gateway
• Internet Gateway
• Dedicated Instances
• Elastic Network Interfaces

AWS EC2 Security

Page 18: V brownbag sept-14-2016

Ways to control access to S3 buckets and objects:
• IAM policies
• Access Control Lists (ACLs)
• Bucket policies

Encryption types:
Server side (Amazon S3 Server-Side Encryption, SSE):
• SSE-S3 – S3-managed keys
• SSE-KMS – keys managed in AWS Key Management Service (KMS)
• SSE-C – customer-provided keys (sent with each request; S3 uses the key and discards it)

Client side:
• Client-side encryption library (the SDK encrypts before upload, so S3 never sees the plaintext or the key)

AWS S3 Security
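The slide lists bucket policies and server-side encryption as separate controls; the usual way to tie them together is a bucket policy that refuses any PutObject without an encryption header. The Python below is an added example, not from the deck or from AWS: it holds such a policy (the same two-statement shape AWS documents for SSE) and a minimal evaluator for the handful of policy elements it uses, so the effect of each statement can be checked offline. The bucket name, account ID and role ARN are constructed.

```python
"""Bucket policy that refuses PutObject requests without server-side encryption,
plus a minimal evaluator for the subset of policy grammar it uses. Added example,
not from the deck; bucket name, account ID and role are constructed."""
import json

BUCKET = "arn:aws:s3:::example-bucket"
WRITER = "arn:aws:iam::123456789012:role/app-writer"

BUCKET_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Sid": "AllowAppRoleWrites", "Effect": "Allow",
         "Principal": {"AWS": WRITER}, "Action": "s3:PutObject",
         "Resource": BUCKET + "/*"},
        # Fires when the header is present with a value other than the two SSE modes.
        {"Sid": "DenyIncorrectEncryptionHeader", "Effect": "Deny",
         "Principal": "*", "Action": "s3:PutObject", "Resource": BUCKET + "/*",
         "Condition": {"StringNotEquals":
                       {"s3:x-amz-server-side-encryption": ["AES256", "aws:kms"]}}},
        # Fires when the header is absent. Needed because StringNotEquals does not
        # match a key that is missing from the request context.
        {"Sid": "DenyUnencryptedObjectUploads", "Effect": "Deny",
         "Principal": "*", "Action": "s3:PutObject", "Resource": BUCKET + "/*",
         "Condition": {"Null": {"s3:x-amz-server-side-encryption": "true"}}},
    ],
}


def _as_list(value):
    return [value] if isinstance(value, str) else list(value)


def _principal_matches(stmt, principal):
    p = stmt["Principal"]
    return p == "*" or principal in _as_list(p.get("AWS", []))


def _resource_matches(stmt, resource):
    return any(resource == r or (r.endswith("*") and resource.startswith(r[:-1]))
               for r in _as_list(stmt["Resource"]))


def _condition_matches(cond, context):
    """Every operator/key pair must match (AND). Only the operators used
    in the policy above are implemented."""
    for operator, clauses in cond.items():
        for key, expected in clauses.items():
            present = key in context
            values = _as_list(expected)
            if operator == "Null":                 # "true" means the key must be absent
                if present == (values[0] == "true"):
                    return False
            elif operator == "StringEquals":
                if not present or context[key] not in values:
                    return False
            elif operator == "StringNotEquals":    # no match on a missing key
                if not present or context[key] in values:
                    return False
            else:
                raise ValueError("unsupported operator: " + operator)
    return True


def evaluate_bucket_policy(policy, principal, action, resource, context):
    """Explicit Deny wins over any Allow; no matching Allow means implicit Deny.
    Only the bucket policy is modelled, not the caller's own IAM policies."""
    decision = "Deny"
    for stmt in policy["Statement"]:
        if (action in _as_list(stmt["Action"])
                and _principal_matches(stmt, principal)
                and _resource_matches(stmt, resource)
                and _condition_matches(stmt.get("Condition", {}), context)):
            if stmt["Effect"] == "Deny":
                return "Deny"
            decision = "Allow"
    return decision


def put_object_decision(sse_header=None, policy=BUCKET_POLICY, principal=WRITER):
    """Decision for a PutObject of example-bucket/report.csv carrying the given
    x-amz-server-side-encryption header (None means the header is not sent)."""
    context = {} if sse_header is None else {"s3:x-amz-server-side-encryption": sse_header}
    return evaluate_bucket_policy(policy, principal, "s3:PutObject",
                                  BUCKET + "/report.csv", context)


def policy_without_null_statement():
    """The same policy minus the Null statement, to show the gap it closes."""
    policy = json.loads(json.dumps(BUCKET_POLICY))
    policy["Statement"] = [s for s in policy["Statement"]
                           if s["Sid"] != "DenyUnencryptedObjectUploads"]
    return policy


if __name__ == "__main__":
    for header in (None, "AES256", "aws:kms", "rot13"):
        print(header, put_object_decision(header), "| without Null statement:",
              put_object_decision(header, policy_without_null_statement()))
```

The case to note is the upload with no header at all: with only the StringNotEquals statement it is allowed, because a negated string operator does not match a key that is absent from the request context. The Null statement is what turns "encrypt with an approved method" into "you must encrypt".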

Page 19: V brownbag sept-14-2016

Network-level attacks the AWS platform mitigates:
• Distributed Denial of Service (DDoS) attacks
• Man in the Middle (MITM) attacks
• IP spoofing
• Port scanning
• Packet sniffing

AWS DoS Mitigation

Page 20: V brownbag sept-14-2016

Encryption Solutions

Image source: http://image.slidesharecdn.com/encryptionkeymanagement-150701220430-lva1-app6891/95/encryption-and-key-management-in-aws-39-638.jpg?cb=1435788383

Page 21: V brownbag sept-14-2016

Image source: http://image.slidesharecdn.com/03cloudtrail-awsconfigbjmedit-150707140327-lva1-app6892/95/transparency-and-control-with-aws-cloudtrail-and-aws-config-5-638.jpg?cb=1436277900

AWS CloudTrail

Page 22: V brownbag sept-14-2016

Amazon CloudWatch is a monitoring and alerting service that integrates with most AWS services, such as EC2 or RDS.

CloudWatch Logs lets you monitor, store, and access log files from Amazon Elastic Compute Cloud (Amazon EC2) instances, AWS CloudTrail, and other sources:
• Monitor logs from Amazon EC2 instances in real time
• Monitor AWS CloudTrail logged events
• Archive log data

http://cloudacademy.com/blog/centralized-log-management-with-aws-cloudwatch-part-1-of-3/

AWS CloudWatch Logs
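The CloudTrail and CloudWatch Logs slides above say that trail events can be monitored in CloudWatch Logs, but not what to look for. The Python below is an added example, not from the deck or from AWS: it runs a handful of detection rules (root usage, console login without MFA, a security group opened to the world, CloudTrail being switched off, bursts of AccessDenied) over constructed CloudTrail records in the one-JSON-document-per-line form CloudWatch Logs stores, and shows the equivalent metric-filter patterns where the filter language can express the rule. The account ID, user names, ARNs and IP addresses are invented; the field names are CloudTrail's.

```python
"""Detection rules over CloudTrail records as delivered to CloudWatch Logs
(one JSON document per log event). Added example, not from the deck; the
records are constructed, with a documentation account ID and test-net IPs."""
import json
from collections import Counter

ACCOUNT = "123456789012"
ALICE = {"type": "IAMUser", "accountId": ACCOUNT, "userName": "alice",
         "arn": "arn:aws:iam::" + ACCOUNT + ":user/alice"}
CI_ROLE = {"type": "AssumedRole", "accountId": ACCOUNT,
           "arn": "arn:aws:sts::" + ACCOUNT + ":assumed-role/ci-runner/build-77"}

# Constructed log lines; the events are invented, the field layout is CloudTrail's.
LOG_LINES = [json.dumps(r) for r in [
    {"eventTime": "2016-09-14T10:02:11Z", "eventSource": "signin.amazonaws.com",
     "eventName": "ConsoleLogin", "sourceIPAddress": "203.0.113.42",
     "userIdentity": {"type": "Root", "accountId": ACCOUNT,
                      "arn": "arn:aws:iam::" + ACCOUNT + ":root"},
     "responseElements": {"ConsoleLogin": "Success"},
     "additionalEventData": {"MFAUsed": "No"}},
    {"eventTime": "2016-09-14T10:05:40Z", "eventSource": "ec2.amazonaws.com",
     "eventName": "AuthorizeSecurityGroupIngress", "sourceIPAddress": "198.51.100.9",
     "userIdentity": ALICE,
     "requestParameters": {"groupId": "sg-0123abcd", "ipPermissions": {"items": [
         {"ipProtocol": "tcp", "fromPort": 22, "toPort": 22,
          "ipRanges": {"items": [{"cidrIp": "0.0.0.0/0"}]}}]}}},
] + [
    {"eventTime": "2016-09-14T10:07:%02dZ" % s, "eventSource": "s3.amazonaws.com",
     "eventName": "ListBuckets", "sourceIPAddress": "10.0.3.17", "userIdentity": CI_ROLE,
     "errorCode": "AccessDenied", "errorMessage": "Access Denied"} for s in (1, 2, 3)
] + [
    {"eventTime": "2016-09-14T10:09:30Z", "eventSource": "cloudtrail.amazonaws.com",
     "eventName": "StopLogging", "sourceIPAddress": "198.51.100.9", "userIdentity": ALICE,
     "requestParameters": {"name": "arn:aws:cloudtrail:us-east-1:" + ACCOUNT + ":trail/main"}},
    {"eventTime": "2016-09-14T10:11:05Z", "eventSource": "ec2.amazonaws.com",
     "eventName": "DescribeInstances", "sourceIPAddress": "198.51.100.9", "userIdentity": ALICE},
]]


def is_root_usage(r):
    ui = r.get("userIdentity", {})
    return (ui.get("type") == "Root" and "invokedBy" not in ui
            and r.get("eventType") != "AwsServiceEvent")


def is_console_login_without_mfa(r):
    return (r.get("eventName") == "ConsoleLogin"
            and r.get("additionalEventData", {}).get("MFAUsed") != "Yes")


def is_world_open_ingress(r):
    """Any ingress grant whose source is 0.0.0.0/0 or ::/0."""
    if r.get("eventName") != "AuthorizeSecurityGroupIngress":
        return False
    for perm in r.get("requestParameters", {}).get("ipPermissions", {}).get("items", []):
        v4 = [x.get("cidrIp") for x in perm.get("ipRanges", {}).get("items", [])]
        v6 = [x.get("cidrIpv6") for x in perm.get("ipv6Ranges", {}).get("items", [])]
        if "0.0.0.0/0" in v4 or "::/0" in v6:
            return True
    return False


def is_trail_tampering(r):
    return (r.get("eventSource") == "cloudtrail.amazonaws.com"
            and r.get("eventName") in {"StopLogging", "DeleteTrail", "UpdateTrail"})


def is_unauthorized_call(r):
    code = r.get("errorCode", "")
    return code.startswith("AccessDenied") or code.endswith("UnauthorizedOperation")


RULES = {"RootAccountUsage": is_root_usage,
         "ConsoleLoginWithoutMFA": is_console_login_without_mfa,
         "SecurityGroupOpenToWorld": is_world_open_ingress,
         "CloudTrailTampering": is_trail_tampering,
         "UnauthorizedApiCall": is_unauthorized_call}

# CloudWatch Logs metric-filter patterns for the rules the filter language can
# express; the world-open check needs code because it walks a nested array.
METRIC_FILTERS = {
    "RootAccountUsage": '{ $.userIdentity.type = "Root" && $.userIdentity.invokedBy NOT EXISTS'
                        ' && $.eventType != "AwsServiceEvent" }',
    "ConsoleLoginWithoutMFA": '{ ($.eventName = "ConsoleLogin") && ($.additionalEventData.MFAUsed != "Yes") }',
    "CloudTrailTampering": '{ ($.eventName = StopLogging) || ($.eventName = DeleteTrail) || ($.eventName = UpdateTrail) }',
    "UnauthorizedApiCall": '{ ($.errorCode = "*UnauthorizedOperation") || ($.errorCode = "AccessDenied*") }',
}


def analyze(lines):
    """Parse each log line and return (rule, eventTime, actor ARN, source IP) findings."""
    findings = []
    for line in lines:
        rec = json.loads(line)
        actor = rec.get("userIdentity", {}).get("arn", "<unknown>")
        for name, matches in RULES.items():
            if matches(rec):
                findings.append((name, rec["eventTime"], actor, rec.get("sourceIPAddress")))
    return findings


def repeat_offenders(findings, rule="UnauthorizedApiCall", threshold=3):
    """Actors with at least `threshold` findings for `rule`: a single AccessDenied
    is noise, a burst from one principal looks like permission enumeration."""
    counts = Counter(actor for name, _, actor, _ in findings if name == rule)
    return sorted(actor for actor, n in counts.items() if n >= threshold)


if __name__ == "__main__":
    found = analyze(LOG_LINES)
    for f in found:
        print(*f)
    print("repeat offenders:", repeat_offenders(found))
```

The metric-filter strings are what you would attach to the CloudTrail log group to drive a CloudWatch alarm; the Python predicates are the same logic in a form a log-processing function can run, which also lets you express checks the pattern syntax cannot, such as the world-open CIDR inside `ipPermissions`.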

Page 23: V brownbag sept-14-2016

Image source: http://image.slidesharecdn.com/awscsaassociate-06-07-141204234102-conversion-gate01/95/aws-csa-associate-0607-36-638.jpg?cb=1417736585

AWS Trusted Advisor

Page 24: V brownbag sept-14-2016

Domain 3.2

Page 25: V brownbag sept-14-2016

Whitepaper: Using Amazon Web Services for Disaster Recovery

Image source: image.slidesharecdn.com/03hybriddisasterrecoveryfinaljwedit-150707141339-lva1-app6891/95/disaster-recovery-of-onpremises-it-infrastructure-with-aws-3-638.jpg?cb=1436278511

Domain 3.2 - Disaster Recovery

Page 26: V brownbag sept-14-2016

Options (from highest to lowest RTO/RPO, and from lowest to highest cost):
• Backup and Restore
• Pilot Light
• Warm Standby
• Multi-site (Hot Standby)

Data replication options:
• Synchronous
• Asynchronous

AWS Disaster Recovery

Page 27: V brownbag sept-14-2016

Good article that covers this topic really well: http://www.ecloudgate.com/Doc/DisasterRecovery_Overview

Study resource for AWS DR

Page 28: V brownbag sept-14-2016

DR – options and comparison

Image source: http://image.slidesharecdn.com/03hybriddisasterrecoveryfinaljwedit-150707141339-lva1-app6891/95/disaster-recovery-of-onpremises-it-infrastructure-with-aws-9-638.jpg?cb=1436278511

Page 29: V brownbag sept-14-2016

Import/Export:
• Disk
• Snowball

Storage Gateway:
• Gateway-cached volumes
• Gateway-stored volumes
• Gateway-virtual tape library (VTL)

Data Recovery Services

Page 30: V brownbag sept-14-2016

Amazon Elastic Block Store (https://aws.amazon.com/articles/1667)

Page 31: V brownbag sept-14-2016

Routing policies:
• Simple Routing Policy
• Weighted Routing Policy
• Latency Routing Policy
• Failover Routing Policy (Public Hosted Zones Only)
• Geolocation Routing Policy

API requests are signed with a hashing function and the AWS Secret Access Key (Signature Version 4: SHA-256 hashes of the request plus an HMAC chain keyed from the secret, so the secret itself never leaves the client)

Use IAM to control which operations a user can perform

AWS Route 53 Security
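The slide's one-liner about signing is the AWS Signature Version 4 scheme, which applies to Route 53 and every other AWS API. The Python below is an added example, not from the deck or from an AWS SDK: it builds the canonical request, derives the signing key from the secret access key, produces the Authorization header, and shows the server-side check. It uses only the standard library and the example credentials and ListUsers request from the AWS SigV4 documentation (published example values, not real credentials), so it runs without a network.

```python
"""AWS Signature Version 4 in stdlib Python: SHA-256 over a canonical form of
the request, then an HMAC chain keyed from the secret access key. Added
example, not from the deck; reuses the example credentials and ListUsers
request from the AWS SigV4 documentation and makes no network call."""
import hashlib
import hmac
from urllib.parse import quote

ALGORITHM = "AWS4-HMAC-SHA256"


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def _hmac(key: bytes, msg: str) -> bytes:
    return hmac.new(key, msg.encode("utf-8"), hashlib.sha256).digest()


def derive_signing_key(secret_key, date_stamp, region, service):
    """kSigning = HMAC(HMAC(HMAC(HMAC("AWS4"+secret, date), region), service),
    "aws4_request"). The raw secret is only ever the first HMAC key; it is
    never transmitted, and the derived key is scoped to one day/region/service."""
    k_date = _hmac(("AWS4" + secret_key).encode("utf-8"), date_stamp)
    k_region = _hmac(k_date, region)
    k_service = _hmac(k_region, service)
    return _hmac(k_service, "aws4_request")


def canonical_request(method, path, query, headers, payload):
    """Canonical form: method, URI path, sorted RFC 3986-encoded query,
    lowercased sorted headers, the signed-header list, and the payload hash."""
    canonical_query = "&".join(
        quote(k, safe="-_.~") + "=" + quote(v, safe="-_.~") for k, v in sorted(query.items()))
    lowered = {k.lower().strip(): " ".join(v.split()) for k, v in headers.items()}
    signed_headers = ";".join(sorted(lowered))
    canonical_headers = "".join(k + ":" + lowered[k] + "\n" for k in sorted(lowered))
    text = "\n".join([method, path, canonical_query, canonical_headers,
                      signed_headers, sha256_hex(payload)])
    return text, signed_headers


def sign_request(access_key, secret_key, region, service, method, host, path,
                 query, headers, payload, amz_date):
    """Return the Authorization header plus the intermediate values, which are
    what you compare against the service's error text when debugging
    SignatureDoesNotMatch."""
    date_stamp = amz_date[:8]
    all_headers = dict(headers, host=host)
    all_headers["x-amz-date"] = amz_date
    creq, signed_headers = canonical_request(method, path, query, all_headers, payload)
    scope = "/".join([date_stamp, region, service, "aws4_request"])
    string_to_sign = "\n".join([ALGORITHM, amz_date, scope, sha256_hex(creq.encode("utf-8"))])
    signing_key = derive_signing_key(secret_key, date_stamp, region, service)
    signature = hmac.new(signing_key, string_to_sign.encode("utf-8"), hashlib.sha256).hexdigest()
    authorization = "%s Credential=%s/%s, SignedHeaders=%s, Signature=%s" % (
        ALGORITHM, access_key, scope, signed_headers, signature)
    return {"canonical_request": creq, "string_to_sign": string_to_sign,
            "signature": signature, "authorization": authorization}


def verify_request(secret_key, presented_signature, **request):
    """What the service does: recompute the signature from its own copy of the
    secret and the request as received, then compare in constant time."""
    expected = sign_request(secret_key=secret_key, **request)["signature"]
    return hmac.compare_digest(expected, presented_signature)


# Example request and credentials from the AWS SigV4 documentation (published
# example values, not real credentials).
DOC_SECRET = "wJalrXUtnFEMI/K7MDENG+bPxRfiCYEXAMPLEKEY"
DOC_EXAMPLE = dict(
    access_key="AKIDEXAMPLE", region="us-east-1", service="iam", method="GET",
    host="iam.amazonaws.com", path="/",
    query={"Action": "ListUsers", "Version": "2010-05-08"},
    headers={"Content-Type": "application/x-www-form-urlencoded; charset=utf-8"},
    payload=b"", amz_date="20150830T123600Z")

if __name__ == "__main__":
    signed = sign_request(secret_key=DOC_SECRET, **DOC_EXAMPLE)
    print(signed["canonical_request"])
    print()
    print(signed["authorization"])
```

Because the signature covers the canonical request, changing the query (say, `ListUsers` to `DeleteUser`), a signed header or the payload invalidates it; and because the secret only seeds the HMAC chain, a captured request yields an attacker the signature, not the key. The remaining exposure is replay within the clock-skew window, which is why `x-amz-date` is always among the signed headers.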

Page 32: V brownbag sept-14-2016
Page 33: V brownbag sept-14-2016