AWS_Security

[rainit2006]

[rainit2006]

[rainit2006]

KMS

KMS 的key不是跨region的。

• Solution for encrypted data on other region: Use AWS services that replicate data across regions, and re-wrap the data encryption key created in the source region by using the CMK in the target region so that the target regionג€™s CMK can decrypt the database encryption key.

Principal

• Principal – (Required) The principal is the identity that gets the permissions specified in the policy statement.
• You can specify AWS accounts (root), IAM users, IAM roles, and some AWS services as principals in a key policy.
• IAM groups are not valid principals.

CMK for EC2 and EBS

Deleting CMK has no immediate effect on the EC2 instance or the EBS volume. The reason is that Amazon EC2 is using the plaintext data key—not the CMK—to encrypt all disk I/O while the volume is attached to the instance.

However, when the encrypted EBS volume is detached from the EC2 instance, Amazon EBS removes the plaintext key from memory. The next time the encrypted EBS volume is attached to an EC2 instance, the attachment fails, because Amazon EBS cannot use the CMK to decrypt the volume's encrypted data key

EC2 and Encrypted EBS Volumes

Solution:

• Option 1: Allow the IAM role/user to access the KMS key

  

• Option 2: Allow the IAM role/user to execute kms:CreateGrant This policy will allow the IAM role/user to grant permission to AWS to use the KMS key.

Details： EC2 must be granted access to the CMK in order to use it. That access is granted by your users implicitly when launching instances that require the key. Therefore, your IAM users must have permission for the key.

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [ "kms:CreateGrant" ],
      "Resource": [      
        "arn:aws:kms:REGION:123456789012:key/key-id"
      ],
      "Condition": {
        "Bool": { "kms:GrantIsForAWSResource": true }
      }
    }
  ]
}

This policy allows the user to delegate access to other AWS resources, such as EC2.

KMS grants

• grant： 授权者

• grantee: 被赋予者

• create_grant(**kwargs) Adds a grant to a customer master key (CMK). The grant allows the grantee principal to use the CMK when the conditions specified in the grant are met. When setting permissions, grants are an alternative to key policies.

  Response Syntax
  {
  'GrantToken': 'string',
  'GrantId': 'string'
  }

grant： For example, the following command calls the GenerateDataKey operation.

aws kms generate-data-key \
        --key-id 1234abcd-12ab-34cd-56ef-1234567890ab \
        --key-spec AES_256 \
        --grant-token $token

AWS KMS supports two grant constraints, EncryptionContextEquals and EncryptionContextSubset, both of which involve the encryption context in a request for a cryptographic operation.

Revoking and retiring a grant both delete the grant. But retiring is done by a principal specified in the grant. Revoking is typically done by a key administrator.

key management best practices

Use KMS automatic key rotation to replace the master key, and use this new master key for future encryption operations without re-encrypting previously encrypted data.

Connecting to AWS KMS through a VPC endpoint

When you use a VPC endpoint, communication between your VPC and AWS KMS is conducted entirely within the AWS network.

Exam

• To create an automated process to disable IAM user access keys that are more than three months old. A: Create an Amazon CloudWatch alarm to detect aged access keys and use an AWS Lambda function to disable the keys older than 90 days.

• To allow the team to manage AWS KMS permissions in IAM without the complexity of editing individual key policies A: Newly created CMKs must allow the root principal to perform the kms CreateGrant API operation.

• The solution must be highly scalable without requiring continual management. Additionally, the organization must be able to immediately delete the encryption keys. A: Use KMS with AWS imported key material and then use the DeletelmportedKeyMaterial API to remove the key material if necessary.

• Which steps must be taken if the CMK has been deleted and CMK was used for EBS. A: Copy the data directly from the EBS encrypted volume before the volume is detached from the EC2 instance.

• Use additional authenticated data (AAD) to prevent tampering with ciphertext by CMK A: Use kms:EncryptionContext as a condition when defining IAM policies for the CMK.

• The Security policy states that communications between the company's VPC and KMS must travel entirely within the AWS network and not use public service endpoints. A: (1) Add the aws:sourceVpce condition to the AWS KMS key policy referencing the company's VPC endpoint ID. (2) Create a VPC endpoint for AWS KMS with private DNS enabled.

• Requires encrypting each file using a different key instead of a single key. Using a different key would limit the security impact of a single exposed key. A: Place all the files in the same S3 bucket. Use server-side encryption with AWS KMS-managed keys (SSE-KMS) to encrypt the data.

• A security engineer must ensure that annual global key rotation is enabled for the key without making changes to the application. A：Enable automatic annual key rotation for the existing customer managed CMKs. Update the application encryption library to use a new key ID for all encryption operations. Fall back to the old key ID to decrypt data that was encrypted with previous versions of the key.

[rainit2006]

CloudWatch

alarms

• metric alarm
• composite alarm ： a rule expression。ALARM only if all conditions of the rule are met.

  Treat Missing Data

  Three categories:

• Not breaching (within the threshold)
• Breaching (violating the threshold)
• Missing

Treat missing data points as any of the following:

• notBreaching – Missing data points are treated as "good" and within the threshold,
• breaching – Missing data points are treated as "bad" and breaching the threshold
• ignore – The current alarm state is maintained
• missing – If all data points in the alarm evaluation range are missing, the alarm transitions to INSUFFICIENT_DATA.

Evaluating an Alarm

• Period
• Evaluation Periods
• Datapoints to Alarm

EC2 and CloudWatch

• IAM Role or User for CloudWatch Logs （Role --> EC2 instance）
• Install and Configure CloudWatch Logs on an Existing Amazon EC2 Instance
• Start "awslogs" service

Using CloudWatch Logs with Interface VPC Endpoints

• You can establish a private connection between your VPC and CloudWatch Logs. You can use this connection to send logs to CloudWatch Logs without sending them through the internet.
• To start using CloudWatch Logs with your VPC, create an interface VPC endpoint for CloudWatch Logs. The service to choose is com.amazonaws.Region.logs.

file modification monitoring

• Install host-based IDS software to check for file integrity

Statement on the IAM policy

• logs:putLogEvents and logs:createLogStream
• cloudwatch:putMetricData

Troubleshooting

• Logs stop being delivered after the associated log stream has been active for a specific number of hours. A: 1. Ensure that file permissions for monitored files that allow the CloudWatch Logs agent to read the file have not been modified. 2. Verify that the OS Log rotation rules are compatible with the configuration requirements for agent streaming.

[rainit2006]

Lambda

Lambda@Edge

Amazon CloudFrontの機能。CloudFrontのエッジロケーションにおいて、Lambdaを使って細かいルールを自由に設定できるサービスです。 Lambda@Edge lets you run Node.js and Python Lambda functions to customize content that CloudFront delivers, executing the functions in AWS locations closer to the viewer. You can use Lambda functions to change CloudFront requests and responses at the following points: 1， After CloudFront receives a request from a viewer (viewer request) 2，Before CloudFront forwards the request to the origin (origin request)

3. After CloudFront receives the response from the origin (origin response)
4. Before CloudFront forwards the response to the viewer (viewer response)

You can also generate responses to viewers without ever sending the request to the origin.

[rainit2006]

AWS Config

• Add rules to detect 0.0.0.0/0, and invoke an AWS Lambda function to update the security group with the organization's firewall IP.
• Compliance: Deploy AWS Config rules and check all running instances for compliance.

[rainit2006]

S3

Metadata

1. System-defined object metadata
2. User-defined object metadata When you upload objects using the REST API, the optional user-defined metadata names must begin with "x-amz-meta-" to distinguish them from other HTTP headers. When you upload objects using the SOAP API, the prefix is not required.

Solution：

• Use a random and unique S3 object key, and create an S3 metadata index in Amazon DynamoDB using client-side encrypted attributes.

S3 permission

Whenever an AWS principal issues a request to S3, the authorization decision depends on the union of all the IAM policies, S3 bucket policies, and S3 ACLs that apply.

Amazon S3 Lifecycle

An S3 Lifecycle configuration is a set of rules that define actions that Amazon S3 applies to a group of objects. There are two types of actions:

1. Transition actions
2. Expiration actions: Amazon S3 deletes expired objects on your behalf.

[rainit2006]

Data encryption

DynamoDB Encryption Client

• The Amazon DynamoDB Encryption Client is a software library that helps you to protect your table data before you send it to Amazon DynamoDB.
• You can use the DynamoDB Encryption Client with encryption keys from any source, including your custom implementation or a cryptography service, such as AWS Key Management Service (AWS KMS) or AWS CloudHSM.

[rainit2006]

Explict allow

Basic rule: to allow access there must be a explict allow and no explict deny in either S3 Bucket Policy, S3 ACL, Key Policy and IAM policy.

Penetration test

Customer Service Policy for Penetration Testing

• Permitted Services
• Amazon EC2 instances, NAT Gateways, and Elastic Load Balancers
• Amazon RDS
• Amazon CloudFront
• Amazon Aurora
• Amazon API Gateways
• AWS Lambda and Lambda Edge functions
• Amazon Lightsail resources
• Amazon Elastic Beanstalk environments

CIS benchmark

CIS benchmarks are configuration baselines and best practices for securely configuring a system. Each of the guidance recommendations references one or more CIS controls that were developed to help organizations improve their cyberdefense capabilities. CIS controls map to many established standards and regulatory frameworks, including the NIST Cybersecurity Framework (CSF) and NIST SP 800-53, the ISO 27000 series of standards, PCI DSS, HIPAA, and others.

• Trusted advisor does not support scanning for CIS benchmark compliance
• Security Hub supports the CIS AWS Foundations Benchmark standard.

Note： Security Hub requires AWS Config to be enabled. AWS Config must be enabled in the same account where you enabled AWS Security Hub.

[rainit2006]

database credentials

• Solution: Store database passwords in AWS Systems Manager Parameter Store by using SecureString parameters. Set the IAM role for the EC2 instance profile to allow access to the parameters.

[rainit2006]

CloudTrail

A trail can only send events to either S3 or CloudWatch

Create your tail

For Storage location, choose Create new S3 bucket to create a bucket. When you create a bucket, CloudTrail creates and applies the required bucket policies. Give your bucket a name, such as my-bucket-for-storing-cloudtrail-logs.

CloudTrail provides 90 days of event history information for management events in the CloudTrail console without creating a trail, it is not a permanent record, and it does not provide information about all possible types of events. For an ongoing record, and for a record that contains all the event types you specify, you must create a trail, which delivers log files to an Amazon S3 bucket that you specify.

CloudTrail with S3

• Bucket policy： CloudTrail automatically attaches the required permissions to a bucket when you create an Amazon S3 bucket as part of creating or updating a trail in the CloudTrail console.
• Bucket exist：Either create a new bucket or select an existing bucket for cloudtrail logs. If the bucket was deleted, then the cloudtrail log will not deliver successfully.

CloudTrail events

CloudTrail events provide a history of both API and non-API account activity made through the AWS Management Console, AWS SDKs, command line tools, and other AWS services.

There are three types of events that can be logged in CloudTrail:

1. management events (that provide information about management operations that are performed on resources in your AWS account. These are also known as control plane operations.)
2. data events (information about the resource operations performed on or in a resource. These are also known as data plane operations. )
3. CloudTrail Insights events (such as the associated API, incident time, and statistics, that help you understand and act on unusual activity)

When you create a trail, you enable ongoing delivery of events as log files to an Amazon S3 bucket that you specify.

Monitoring CloudTrail Log Files with Amazon CloudWatch Logs

You can configure CloudTrail with CloudWatch Logs to monitor your trail logs and be notified when specific activity occurs.

• Configure your trail to send log events to CloudWatch Logs.
• Define CloudWatch Logs metric filters to evaluate log events for matches in terms, phrases, or values.

Organization trail

you can create a trail that will log all events for all AWS accounts in that organization. This is sometimes referred to as an organization trail. When you create an organization trail, a trail with the name that you give it will be created in every AWS account that belongs to your organization.

Precondition:

1. Your organization must have all features enabled.
2. The management account must have the AWSServiceRoleForOrganizations role.
3. The IAM user or role that will be used to create the organization trail in the management account must have sufficient permissions to create an organization trail. At a minimum, to create an organization trail, you must have the AWSCloudTrail_FullAccess policy or equivalent permissions applied.

By default, when you create a trail in the console, the trail logs all regions. Logging all regions in your account is a recommended best practice.

Organizations と連携した 組織レベルの CloudTrail有効化を試してみました。 - マルチアカウントの情報を 1バケットに集約できる - 組織に新しいアカウントが追加されたときの CloudTrail設定が省ける 上記メリットがあり、便利に感じました。 ### Prefix - prefix is optional, without prefix the top-level (inside bucket) will be AWSLogs (e.g. bucket_name/AWSLogs). If specified, it will be bucket_name/prefix_name/AWSLogs - A bucket policy with an incorrect prefix can prevent your trail from delivering logs to the bucket. To resolve this issue, use the Amazon S3 console to update the prefix in the bucket policy, and then use the CloudTrail console to specify the same prefix for the bucket in the trail. ### Digest file in S3 Each digest file contains the names of the log files that were delivered to your Amazon S3 bucket during the last hour, the hash values for those log files, and the digital signature of the previous digest file. The signature for the current digest file is stored in the metadata properties of the digest file object. Enabling server-side encryption encrypts the log files but not the digest files with SSE-KMS. Digest files are encrypted with Amazon S3-managed encryption keys (SSE-S3). ### CloudTrail console - View the last 90 days of recorded API activity (management events) in Event history - Event history does not show data events. To view data events, create a trail. - View trails on CloudTrail console within 90 days. (To identify AWS API activity older than 90 days use Athena on S3) ### CloudTrail userIdentity Element - type： Root，IAMUser， AssumedRole， FederatedUser - sessionContext：mfaAuthenticated ### Sending events to Amazon CloudWatch Logs When you configure your trail to send events to your CloudWatch Logs log group, CloudTrail sends only the events that you specify in your trail. ### logs encryption - By default, CloudTrail will encrypt log files delivered to your Amazon S3 bucket using Amazon S3 server-side encryption. - CloudTrail log file encryption using SSE-KMS allows you to add an additional layer of security to CloudTrail log files delivered to an Amazon S3 bucket by encrypting the log files with a KMS key. ### Troubleshoot - Two of the production accounts have trails that are not logging anything to the S3 bucket. 1. Verify that the S3 bucket policy allows access for CloudTrail from the production AWS account IDs. 2. Confirm in the CloudTrail Console that each trail is active and healthy. 3. Confirm in the CloudTrail Console that the S3 bucket name is set correctly. - Most efficient way to automate the encryption of AWS CloudTrail logs using a Customer Master Key (CMK) in AWS KMS A： Configure CloudTrail to use server-side encryption using KMS-managed keys to encrypt and decrypt CloudTrail logs.

[rainit2006]

AWS Cognito

Cognito group

### password length policy - Update the password length policy in the Amazon Cognito configuration. - Adding User Pool Password Requirements：Minimum length，Require numbers， Require a special character，Require uppercase letters，Require lowercase letters.

[rainit2006]

GuardDuty

It uses threat intelligence feeds, such as lists of malicious IP addresses and domains, and machine learning to identify unexpected and potentially unauthorized and malicious activity within your AWS environment.

Data sources:

• VPC Flow Logs
• AWS CloudTrail management event logs,
• Cloudtrail S3 data event logs,
• DNS logs

DNS logs:

• If you use AWS DNS resolvers for your EC2 instances (the default setting), then GuardDuty can access and process your request and response DNS logs through the internal AWS DNS resolvers.
• If you are using a 3rd party DNS resolver, for example, OpenDNS or GoogleDNS, or if you set up your own DNS resolvers, then GuardDuty cannot access and process data from this data source.

Trusted IP list and Threat lists

• You can customize this monitoring scope by configuring GuardDuty to stop alerts for trusted IPs from your own trusted IP lists and alert on known malicious IPs from your own threat lists.
• Creates a new IPSet, which is called a trusted IP list in the console user interface. An IPSet is a list of IP addresses that are trusted for secure communication with AWS infrastructure and applications.

Exam

• GuardDuty will detect suspicious behavior, such as disabling CloudTrail.

[rainit2006]

AWS WAF

• CloudFront
• Application Load Balancer Note: Not Route 53.

WAF vs Shield

• AWS Shield: protects DDoS on L3, L4. Target: Amazon EC2、Elastic Load Balancing (ELB)、Amazon CloudFront、AWS Global Accelerator、Route 53.
• AWS Shield Advance: Protects on Layer 3, 4, 7.
• AWS WAF: L7 protection. Target: CloudFront, Application Load Balancer

AWS Firewall Manager

AWS Firewall Manager を使用すると、AWS WAF ルール、AWS Shield Advanced 保護、Amazon VPC セキュリティグループで管理およびメンテナンスタスクを簡略化できます。

Use AWS Firewall Manager to create a security group policy, enable the policy feature to identify and revert local changes, and enable automatic remediation.

WAF -- web ACL

A web access control list (web ACL) gives you fine-grained control over the web requests that your protected resource responds to. After you create your web ACL, you can associate it with one or more AWS resources.

Logging: You can enable logging to get detailed information about traffic that is analyzed by your web ACL. You send logs from your web ACL to an Amazon Kinesis Data Firehose with a configured storage destination. After you enable logging, AWS WAF delivers logs to your storage destination through the HTTPS endpoint of Kinesis Data Firehose.

Another ways

• No additional cost: Use the operating system built-in, host-based firewall to implement the required rules.

[rainit2006]

S3

Data encryption

1. In-transit （1）Using Secure Socket Layer/Transport Layer Security (SSL/TLS) OR （2）client-side encryption.
2. At rest （1）Server-Side Encryption -- When you use Server-Side Encryption with Amazon S3-Managed Keys (SSE-S3), each object is encrypted with a unique key. -- SSE-KMS is similar to SSE-S3. but with some additional benefits and charges for using this service

（2） Client-Side Encryption

Default

• By default, all S3 buckets are private and can be accessed only by users that are explicitly granted access.
• S3 bucket does not need to explicitly allow. There is no explicit deny either.

[rainit2006]

AWS Certificate Manager (ACM)

Using a custom SSL certificate for my CloudFront distribution

https://aws.amazon.com/premiumsupport/knowledge-center/custom-ssl-certificate-cloudfront/

1. To assign an ACM certificate to a CloudFront distribution, must request or import the certificate in the US East (N. Virginia) Region.
2. be sure that the status of the certificate is Issued.
3. The certificate must be a 2048-bit RSA certificate or smaller
4. Prerequisites for importing certificates,including cryptographic algorithm and a key size, SSL/TLS X.509 version 3 certificate, the private key must be unencrypted, Private Key is .pem encoded.

Using a certificate imported to IAM

1. must provide the correct path so that CloudFront can use the certificate.

   aws iam upload-server-certificate --server-certificate-name CertificateName
   --certificate-body file://public_key_certificate_file --private-key file://privatekey.pem 
   --certificate-chain file://certificate_chain_file --path /cloudfront/DistributionName/

HTTPS traffic

• If you want to require HTTPS between viewers and CloudFront, you must change the AWS Region to US East (N. Virginia) in the AWS Certificate Manager console before you request or import a certificate.
• If you want to require HTTPS between CloudFront and your origin, and you're using an ELB load balancer as your origin, you can request or import a certificate in any Region.

[rainit2006]

AWS Organization

SCP （service control policy）

• SCPs affect only IAM users and roles that are managed by accounts that are part of the organization.
• SCPs don't affect resource-based policies directly.
• Don't affect users or roles from accounts outside the organization.
• デフォルトではすべてのルート、OU、アカウントに FullAWSAccess という ポリシーがアタッチされています。
• Principal is not supported in SCP.

Solution for restrict usage of member root user accounts：

• Create an organizational unit (OU) in Organizations with a service control policy that controls usage of the root user.

[rainit2006]

AWS Systems Manager Session Manager

Shell Access to EC2 Instances

• You don’t have to manually set up user accounts, passwords, or SSH keys on the instances and you don’t have to open up any inbound ports.

• Session Manager communicates with the instances via the SSM Agent across an encrypted tunnel that originates on the instance, and does not require a bastion host.

• You use IAM policies and users to control access to your instances, and don’t need to distribute SSH keys.

• The SSM Agent running on the EC2 instances must be able to connect to Session Manager’s public endpoint.

• You can also set up a PrivateLink connection to allow instances running in private VPCs (without Internet access or a public IP address) to connect to Session Manager.

SSM parameter store

• there is no charges for keeping password in SSM parameter store.

[rainit2006]

VPC

Issue：Unable to connect to an Amazon EC2

Reason：

1. The NACL denies inbound/outbound traffic
2. SG don't allow inbound traffic
3. The route table is missing a route to the internet gateway.
4. The host-based firewall is denying xxx protocl

Issue：EC2 instances in different subnets cannot connect to each other

Check：

1. Security groups have valid ALLOW rules in place to permit this traffic.
2. Check inbound and outbound Network ACL rules, looking for DENY rules

ACL:

An outbound rule must be added to the network ACL to allow the response to be sent to the client on the ephemeral port range.

[rainit2006]

CloudFront

CloudFront key pair

1. Signed URL: for individual file
2. Signed Cookies: for all files like video.

origin access identity (OAI)

• Create an origin access identity (OAI) in CloudFront. Modify the S3 bucket policy to allow only the new OAI to access the bucket contents.
  1. Create a special CloudFront user called an origin access identity (OAI) and associate it with your distribution.
  2. Configure your S3 bucket permissions so that CloudFront can use the OAI to access the files in your bucket and serve them to your users. Make sure that users can’t use a direct URL to the S3 bucket to access a file there.

Requiring HTTPS for Communication Between Viewers and CloudFront

• change the Viewer Protocol Policy setting for one or more cache behaviors to require HTTPS communication. In that configuration, CloudFront provides the SSL/TLS certificate.
• Viewer Protocol Policy: Redirect HTTP to HTTPS, HTTPS Only

Requiring HTTPS for Communication Between CloudFront and Your Custom Origin

1. Use the default CloudFront domain name
   • Change the Origin Protocol Policy setting for specific origins in your distribution
   • Install an SSL/TLS certificate on your custom origin server (this isn't required when you use an Amazon S3 origin)
   • Origin Protocol Policy: HTTPS Only , Match Viewer
2. Use an alternate domain name

[rainit2006]

IAM：

• Resource-based policies can provide additional permissions to the user.

  

• Organizations SCPs

  

• Session policies – Session policies are advanced policies that you pass as a parameter when you programmatically create a temporary session for a role or federated user.

  

[rainit2006]

AWS Trusted Advisor

Trusted Advisor for Best practices. AWS Trusted Advisor is an AWS tool that provides you real-time assistance to help you provision your resources following AWS best practices.

Four categories: Cost Optimization, Performance, Security, Fault Tolerance, Trusted Advisor は無料で使えます。

Trusted Advisor, Security Hub, Config

• Trusted Advisor :: 「コスト最適化」、「パフォーマンス」、 「セキュリティ」 、「フォールトトレランス」、「サービスの制限」 の観点から、AWS環境を自動チェック。Trusted Advisor は無料で使えます。
• Security Hub :: AWS GuardDutyや, Amazon Inspector, Amazon Macie などのAWSサービスのアラートを集中管理。 セキュリティ基準を使った コンプライアンスチェック 。
• Config (適合パック) AWSリソースの構成・設定履歴を管理。 Configルール、Config 適合パックを使ったコンプライアンスチェック 。

Organization with GuardDuty, Security Hub

it's like Security hub , guarduty in organization, you send an invitation if the account isn't member of guarduty.

• You can help simplify management of GuardDuty by using Organizations to manage GuardDuty across all of the accounts in your organization.
• Multi-account, multi-region data aggregation in AWS Config enables you to aggregate AWS Config data from multiple accounts and AWS Regions into a single account. An aggregator is a resource type in AWS Config that collects AWS Config data from multiple source accounts and Regions. Create an aggregator in the Region where you want to see the aggregated AWS Config data. While creating an aggregator, you can choose to add either individual account IDs or your organization.
• Organization trails are automatically applied to all member accounts in the organization.

[rainit2006]

Application Load Balancer (ALB)

• ALB asociate to public subnet (NOT private subnet)
• The load balancer distributes incoming application traffic across multiple targets, such as EC2 instances, in multiple Availability Zones.

Target group + Router

• Each target group is used to route requests to one or more registered targets. When you create each listener rule, you specify a target group and conditions. When a rule condition is met, traffic is forwarded to the corresponding target group.
• By default, a load balancer routes requests to its targets using the protocol and port number that you specified when you created the target group.
• Target groups support the following protocols and ports: Protocols: HTTP, HTTPS Ports: 1-65535
• If a target group is configured with the HTTPS protocol or uses HTTPS health checks, the TLS connections to the targets use the security settings from the ELBSecurityPolicy-2016-08 policy. The load balancer establishes TLS connections with the targets using certificates that you install on the targets.
• Target type：instance，IP，Lambda

[rainit2006]

SSL certificates

• Default CloudFront certificate
• Custom SSL certificate stored in AWS Certificate Manager
• Custom SSL certificate stored in AWS IAM Note: There is no "Default AWS Certificate Manager certificate"

[rainit2006]

EC2

If SSH key was comprimised...

You can't launch a new instance using a deleted key pair, but you can continue to connect to any instances that you launched using a deleted key pair, as long as you still have the private key (.pem) file. (Even if you delete the key pair the backup key will remain in EC2)

You should use the EC2 RunCommand to modify the authorized_keys file on any EC2 instance that is using the key. Modify authorized_keys with new key. It will save lot of time and there will be no need to stop the running instance.

Storage

• Use separate Amazon EBS volumes for the operating system versus your data.
• Use the instance store available for your instance to store temporary data. Remember that the data stored in instance store is deleted when you stop, hibernate, or terminate your instance.

[rainit2006]

IAM

Troubleshooting

• Assess the impact of the key exposure and ensure that the credentials were not misused A: (1). Analyze AWS CloudTrail for activity. (2). Download and analyze a credential report from IAM.

• Leverage their existing on-premises Active Directory as an identity provider for AWS. A: (1). Create IAM roles with permissions corresponding to each Active Directory group. (2). Configure Active Directory to add relying party trust between Active Directory and AWS.

A2: （1）Create IAM roles with permissions corresponding to each Active Directory group. （2）Create a SAML provider with IAM. （3）Configure AWS as a trusted relying party for the Active Directory。

Relying party trust （証明書利用者信頼)）

Relying party trust is a term used in Microsoft Windows Server system to identify service providers that can communicate with an AD FS endpoint.

[rainit2006]

Troubleshooting

• [EC2][CloudWatch]Issues：some Amazon EC2 instances have not been sending Amazon CloudWatch logs. A： （1）Connect to the EC2 instances that are not sending the appropriate logs and verify that the CloudWatch Logs agent is running. （2）Verify that the EC2 instances have a route to the public AWS API endpoints. If you use Amazon Virtual Private Cloud (Amazon VPC) to host your AWS resources, you can establish a private connection between your VPC and CloudWatch Logs. You can use this connection to send logs to CloudWatch Logs without sending them through the internet." Hence, without a private connection through a interface VPC endpoint, even though CloudWatch is native service you still have to route it through internet API call via an internet gateway.

• [CloudTrail][CloudWatch]Issues：making a configuration change to the security group but did not receive any alerts from Cloudwatch that is for AWS CloudTrail log events. A：Verify that a metric filter was created and then mapped to an alarm. Check the alarm notification action.

• [EC2]Issues: The system must then alert the Security Engineer of the modification of file on EC2 host. A: Install host-based IDS software to check for file integrity. Export the logs to Amazon CloudWatch Logs for monitoring and alerting. Note: CloudWatch Log is not suitable to detect granular file system change. It will require system tools such as IDS or use an OS audit package to do so.

• Issues: It wants to be alerted when any resources are launched in unapproved regions. A: Develop an alerting mechanism based on processing AWS CloudTrail logs.

• Issues: Concerned about attacking other AWS account resources by using the EC2 instance metadata service. A: Implement iptables-based restrictions on the instances.

• [LB][EC2]Issue: It is suspected that the EC2 instance has been compromised. A: (1)Initiate an Amazon Elastic Block Store volume snapshot of all volumes on the EC2 instance. (2) De-register the EC2 instance from the ALB and detach it from the Auto Scaling group. (3) Attach a security group that has restrictive ingress and egress rules to the EC2 instance.

• [Lamdba][CloudWatch]Issue: Cannot find any logs created by the Lambda function in Amazon CloudWatch Logs. A: The execution role for the Lambda function did not grant permissions to write log data to CloudWatch Logs. (X) The execution role for the Lambda function did not grant permissions to write to the Amazon S3 bucket where CloudWatch Logs stores the logs. ----> Cloudwatch is the one that writes logs to S3, not the Lambda.

• [GuardDuty]Issue: GuardDuty fail to alert to the behavior that a EC2 instances is attempting to communicate with a known command-and-control server but failing. A: GuardDuty does not see these DNS requests. ---- > If you use AWS DNS resolvers for your EC2 instances (the default setting), then GuardDuty can access and process your request and response DNS logs through the internal AWS DNS resolvers. If you are using a 3rd party DNS resolver, for example, OpenDNS or GoogleDNS, or if you set up your own DNS resolvers, then GuardDuty cannot access and process data from this data source.

• [IAM] Concerned that one of AnyCompany's other customers might deduce Example Corp.'s role ARN and potentially compromise the company's account. A: Request an external ID from AnyCompany and add a condition with sts:Externald to the role's trust policy.

• [Cognito] Enable users that already exist in a directory to be authenticated into the web application and call APIs. A: (1) Configure a SAML identity provider in Amazon Cognito to map attributes to the Amazon Cognito user pool attributes. (2) Configure the SAML identity provider to add the Amazon Cognito user pool as a relying party. (3) Update API Gateway to use a COGNITO_USER_POOLS authorizer.

• [EC2 key pair] Identify which current Linux EC2 instances were deployed and used the compromised key pair. A: Obtain the list of instances by directly querying Amazon EC2 using: aws ec2 describe-instances --filters "Name=key- name,Values=KEYNAMEHERE".

• [Shell access]Requires that SSH commands used to access its AWS instance be traceable to the user who executed each command. A: Deny inbound access on port 22 at the security group attached to the instance. Use AWS Systems Manager Session Manager for shell access to Amazon EC2 instances with the user tag defined. Enable Amazon CloudWatch logging for Systems Manager sessions.

• [DX][VPN] wants to encrypt the private network between its on-premises environment and AWS. A: VPN over DX connection using public VIF. Create your DX connection. Create a public virtual interface for your DX connection. For Prefixes you want to advertise, enter your customer gateway device’s public IP address and any network prefixes that you want to advertise.

• [EC2][Access key] a malicious actor used API access keys intended for the EC2 instance from a country where the company does not operate. The security engineer needs to deny access to the malicious actor. A: Open the IAM console and revoke all IAM sessions that are associated with the instance profile.

• [launch constraint ]A company is setting up products to deploy in AWS Service Catalog. Management is concerned that when users launch products, elevated IAM privileges will be required to create resources. A: Add a launch constraint to each product in the portfolio.

[rainit2006]

203（不能选A：无法edit既存的VPC flow format）

https://www.examtopics.com/exams/amazon/aws-certified-security-specialty/view/12/ 10，14，16，20，23，33、 42, 51（root does not apply to roles, it applies to IAM users and root user）， 72(You can use this connection to send logs to CloudWatch Logs without sending them through the internet.)， 81，98， 99， 103，104，110, 118, 126, 128, 136(Place all the files in the same S3 bucket. Use server-side encryption with AWS KMS-managed keys (SSE-KMS) to encrypt the data.) 141, 143, 154, ⭐️166（VPN over DX connection using public VIF）， 169（！）， 171（！）， 173， 178（EC2 Auto Scaling groups + KMS）， 179（！）， 181 (没个靠谱的答案)， 183（route table in VPC peering）， 189，191， 201（Edit the existing trail in the Organizations master account and apply it to the organization.）， 208（Systems Manager Agent）， 209（Use AWS Firewall Manager for SG setting and automatic remediation.）， 233（！）， 237，

[rainit2006]

AWS Secrets Manager

Rotating Your AWS Secrets Manager Secrets

• You can configure AWS Secrets Manager to automatically rotate the secret for a secured service or database.
• Secrets Manager natively knows how to rotate secrets for supported Amazon RDS databases.
• Secrets Manager provides a Lambda rotation function for you and populates the function automatically with the Amazon Resource Name (ARN) in the secret.
• When you enable rotation for a secret with Credentials for other database or some Other type of secret, you must provide the code for the Lambda function.