Awsquestionsflashcards 1682060019980
Uploaded by Luis Medinelli

AMAZON WEB SERVICES ARCHITECT ASSOCIATE CERTIFICATION
How do you protect the integrity of your instances?
By Managing Failure
§ Use load balancers
§ Deploy across multiple Availability Zones
§ Monitor resource health
§ Automatically respond to notifications
How are you protecting your data at rest?
Available Encryption Choices
§ S3 server-side encryption (SSE-S3, SSE-KMS)
§ RDS encryption
§ EBS encrypted volumes
§ Client-side encryption (you encrypt before upload and hold the keys)


How are you managing users?
By Enforcing Protection
§ Role-based access using IAM roles; network access controlled with security groups
§ Clearly defined users, groups, and roles
§ Design using VPCs
§ Always use minimum privileges


Where will you place your workload in AWS?
Workload Considerations
§ Select a region matching your compliance needs
§ Choose Availability Zones for application failover
How do applications respond to component failures?
Monitoring Performance
§ CloudWatch – collect service metrics, set alarms on them, and collect logs in CloudWatch Logs
§ Use Elasticsearch (now OpenSearch) to query CloudWatch Logs
§ Use Simple Notification Service (SNS) as the target of CloudWatch alarms
§ Trusted Advisor for utilization and security issues; alerts you when perceived issues are found
How do I define my compliance needs?
Finding Out What I Have
§ Everything can be enumerated through API calls
§ CLI tools – aws ec2 describe-instances
§ AWS Config – Config rules to evaluate changes and react
§ Receive alerts when changes occur
§ Roll back changes when they occur
Security Compliance Tools
§ Inspector – assess EC2 instances selected by tag for vulnerabilities and deviations from best practice (alerting on or reverting configuration changes is the job of Config rules, not Inspector)
§ Trusted Advisor – alerts on possible issues as they occur
§ CloudWatch – alerts based on metrics
§ VPC Flow Logs – network traffic
§ S3 server access logs – data plane (object requests)
§ ELB access logs – traffic and health
§ CloudTrail – control plane tracking of infrastructure change via API calls
Compliance Work
§ What do I have?
§ How am I monitoring performance?
§ Who controls monitoring?
§ How do changes / updates occur?
§ How is it secure?
§ Is it compliant?
How do I control access?
Controlling Access to Resources
§ Identity and Access Management (IAM)
§ Authentication and authorization
§ Use tags for authorization (attribute-based access control)
§ Integrate your enterprise identity system using SAML or Active Directory for authentication
§ Use IAM roles for authorization
How do I access AWS audits?
Security Compliance Baseline
§ Third-party audits provide a 360-degree viewpoint
§ PCI audit twice a year
§ FedRAMP and ISO 27001 audits
§ Customers have access to these audit reports and audit materials after signing a Non-Disclosure Agreement with AWS (today they are downloaded through AWS Artifact)
What logs are available?
Capturing Logs
§ CloudTrail
§ CloudWatch Logs
§ ELB logs
§ VPC Flow Logs
§ S3 bucket logs
§ Operating system logs
Planning Access Control
Creating IAM Users
§ Unique credentials
§ Unique privileges
§ Grant least privilege
§ Credential rotation


Manage Restrictions
§ Restrict access further with conditions:
§ Access FROM a specific IP address (aws:SourceIp)
§ Database creation using a specific engine (rds:DatabaseEngine)
§ Create only specific EC2 instance types (ec2:InstanceType)
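The way IAM combines those conditions is easy to get wrong, so here is an added example (not from the flashcards) that evaluates a constructed policy offline with the same rules IAM uses: an explicit Deny wins, then an Allow, otherwise the request is implicitly denied. It implements only the StringEquals and IpAddress operators; the policy, the request contexts and the 203.0.113.0/24 corporate range are all assumptions for illustration.

```python
"""Minimal offline IAM policy evaluator for conditions on IP and instance type.

Added example, not AWS code. Implements IAM's evaluation order
(explicit Deny > Allow > implicit Deny) for StringEquals and IpAddress
condition operators only. Policy and requests are constructed.
"""
import ipaddress
from fnmatch import fnmatchcase

# Constructed policy: run only small instance types, only from the corporate
# egress range (203.0.113.0/24 is a documentation prefix), and never from the
# one host in that range that is reserved for something else.
POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": ["ec2:RunInstances", "ec2:Describe*"],
            "Resource": "*",
            "Condition": {
                "StringEquals": {"ec2:InstanceType": ["t3.micro", "t3.small"]},
                "IpAddress": {"aws:SourceIp": "203.0.113.0/24"},
            },
        },
        {
            "Effect": "Deny",
            "Action": "ec2:*",
            "Resource": "*",
            "Condition": {"IpAddress": {"aws:SourceIp": "203.0.113.250/32"}},
        },
    ],
}


def _as_list(value):
    return value if isinstance(value, list) else [value]


def _condition_holds(condition, context):
    """Every operator block must hold; for one key, any listed value may match.

    A key that is absent from the request context makes the condition false,
    exactly as IAM does for StringEquals/IpAddress (only ...IfExists and Null
    behave differently).
    """
    for operator, keys in condition.items():
        for key, wanted in keys.items():
            actual = context.get(key)
            if actual is None:
                return False
            if operator == "StringEquals":
                if actual not in _as_list(wanted):
                    return False
            elif operator == "IpAddress":
                ip = ipaddress.ip_address(actual)
                if not any(ip in ipaddress.ip_network(c, strict=False)
                           for c in _as_list(wanted)):
                    return False
            else:
                raise NotImplementedError(operator)
    return True


def _action_matches(patterns, action):
    return any(fnmatchcase(action, p) for p in _as_list(patterns))


def evaluate(policy, action, context):
    """Return 'Allow' or 'Deny' for one API action against one identity policy."""
    allowed = False
    for stmt in policy["Statement"]:
        if not _action_matches(stmt["Action"], action):
            continue
        if not _condition_holds(stmt.get("Condition", {}), context):
            continue
        if stmt["Effect"] == "Deny":
            return "Deny"  # an explicit deny always wins
        allowed = True
    return "Allow" if allowed else "Deny"  # implicit deny when nothing allowed
```

Note what happens to ec2:DescribeInstances: the request carries no ec2:InstanceType key, so the Allow statement's condition is false and the call is denied even from the corporate range. Conditions that reference keys a given action does not supply silently exclude that action; put such actions in a separate statement.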
Auditing
§ Provides visibility into your users' activity
§ View CloudTrail to analyze logs of API calls
§ Enable logging of calls to your S3 buckets (S3 server access logs, or CloudTrail data events)
Enforce Strong Passwords
§ Configure a strong password policy
§ Password expiration?
§ Password strength?
§ Reuse policy?
§ Password policy does not apply to the root user
Credential Rotation
§ Use credential reports to identify credentials that should be rotated or deleted
§ IAM console displays when a password was last used
§ Rotate security credentials on a fixed schedule
§ IAM roles for EC2 instances rotate credentials automatically
Enable Multi-Factor Authentication
§ For all IAM users
§ For the root user
§ Require a one-time code during authentication
§ Virtual MFA
§ Hardware device
§ SMS code for IAM users (SMS MFA was only ever a preview and is no longer offered; use a virtual or hardware device)
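The credential report mentioned under Credential Rotation is the single place where the password, MFA and access-key state of every user in the account is visible, so here is an added example (not from the flashcards) that turns it into a to-do list. The input has the column layout of aws iam get-credential-report (the CLI returns it base64-encoded; the sample is already decoded and constructed, with only the columns used here). The 90-day thresholds and the report date NOW are assumptions.

```python
"""Audit an IAM credential report for MFA, rotation and stale-credential issues.

Added example, not AWS code. SAMPLE_REPORT is a constructed report that
follows the real column names; thresholds are assumptions.
"""
import csv
import io
from datetime import datetime, timedelta, timezone

NOW = datetime(2024, 5, 1, tzinfo=timezone.utc)  # assumed report date

# Constructed sample, not a real account. Root is reported as <root_account>.
SAMPLE_REPORT = """\
user,arn,user_creation_time,password_enabled,password_last_used,password_last_changed,password_next_rotation,mfa_active,access_key_1_active,access_key_1_last_rotated,access_key_1_last_used_date,access_key_2_active,access_key_2_last_rotated,access_key_2_last_used_date
<root_account>,arn:aws:iam::111122223333:root,2020-01-10T09:00:00+00:00,not_supported,2024-03-01T08:00:00+00:00,not_supported,not_supported,false,true,2020-01-10T09:05:00+00:00,2023-11-20T10:00:00+00:00,false,N/A,N/A
alice,arn:aws:iam::111122223333:user/alice,2022-05-01T00:00:00+00:00,true,2024-04-20T12:00:00+00:00,2024-02-01T00:00:00+00:00,2024-05-01T00:00:00+00:00,true,true,2024-03-15T00:00:00+00:00,2024-04-20T12:30:00+00:00,false,N/A,N/A
bob,arn:aws:iam::111122223333:user/bob,2021-03-01T00:00:00+00:00,true,2023-09-01T00:00:00+00:00,2023-01-01T00:00:00+00:00,2023-04-01T00:00:00+00:00,false,true,2022-01-01T00:00:00+00:00,2024-04-01T00:00:00+00:00,true,2023-12-01T00:00:00+00:00,N/A
deploy-bot,arn:aws:iam::111122223333:user/deploy-bot,2023-01-01T00:00:00+00:00,false,no_information,N/A,N/A,false,true,2024-04-01T00:00:00+00:00,2024-04-25T00:00:00+00:00,false,N/A,N/A
"""


def _parse(ts):
    """Return an aware datetime, or None for N/A, no_information, not_supported."""
    if not ts or ts in ("N/A", "no_information", "not_supported"):
        return None
    return datetime.fromisoformat(ts)


def audit_credential_report(csv_text, now, max_age=timedelta(days=90)):
    """Return a list of (user, finding) pairs that need action."""
    findings = []
    for row in csv.DictReader(io.StringIO(csv_text)):
        user = row["user"]
        has_password = row["password_enabled"] == "true"
        has_mfa = row["mfa_active"] == "true"

        if has_password and not has_mfa:
            findings.append((user, "console password without MFA"))
        if user == "<root_account>":
            if not has_mfa:
                findings.append((user, "root user without MFA"))
            if row["access_key_1_active"] == "true" or row["access_key_2_active"] == "true":
                findings.append((user, "root user has an active access key; delete it"))

        last_used = _parse(row["password_last_used"])
        if has_password and last_used is not None and now - last_used > max_age:
            findings.append((user, f"console password unused for more than {max_age.days} days"))

        for n in ("1", "2"):
            if row[f"access_key_{n}_active"] != "true":
                continue
            rotated = _parse(row[f"access_key_{n}_last_rotated"])
            if rotated is not None and now - rotated > max_age:
                findings.append((user, f"access key {n} older than {max_age.days} days; rotate"))
            if _parse(row[f"access_key_{n}_last_used_date"]) is None:
                findings.append((user, f"access key {n} active but never used; delete"))
    return findings
```

Running it over the sample flags only the root user (no MFA, a stale active access key) and bob (no MFA, a password untouched for months, two old keys, one of which has never been used); alice and the deploy-bot service user, whose key is fresh and in use, produce nothing.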


Sharing Access
§ Use IAM roles to share access
§ Analyze and implement based on use case:
§ Cross-account access
§ Account delegation
§ Federation
IAM Roles
§ Assign IAM roles to Amazon EC2 instances
§ No long-term access keys stored on EC2 instances; the application picks up temporary credentials from the instance metadata service
§ Automatic credential rotation by AWS
§ Assigns least privilege to the application
Root Account
§ Reduce or restrict use of the root account
§ Remove the potential for misuse of credentials (delete root access keys, enable MFA on the root user)
Managing Setup and Change
§ Designing shared services:
§ Account creation and IAM provisioning
§ Federation endpoints
§ Core networking security
§ Golden images and associated IAM roles
§ Auditing services
§ Incident response
Planning Networks
Planning Your Network Architecture
§ How many VPCs?
§ What are your present and future needs?
§ Public only, or public / private?
§ Private with hardware VPN or software VPN?
§ What external connection type is needed?
Planning CIDR Blocks
§ How many IP addresses are needed for the public subnet?
§ How many IP addresses are needed for the private subnet?
§ Do we need connectivity with an external data center?
§ Does your CIDR range overlap with your on-premises data center?
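Those four questions can be answered mechanically before anything is created, so here is an added example (not from the flashcards) that checks a proposed plan offline: VPC and subnet prefixes within the /16 to /28 range AWS accepts, no overlap with the on-premises ranges you must route to, subnets inside the VPC and disjoint from each other, and enough usable addresses once the five addresses AWS reserves in every subnet (network, VPC router, DNS, one reserved for future use, broadcast) are subtracted. The plans and ranges are constructed.

```python
"""Sanity-check a VPC CIDR plan before creating it.

Added example, not AWS code. GOOD_PLAN and BAD_PLAN are constructed; the
/16-/28 limits and the five reserved addresses per subnet are AWS rules.
"""
import ipaddress

AWS_RESERVED_PER_SUBNET = 5


def usable_hosts(subnet):
    """Addresses an instance can actually take in an AWS subnet."""
    net = ipaddress.ip_network(str(subnet))
    return max(net.num_addresses - AWS_RESERVED_PER_SUBNET, 0)


def check_plan(vpc_cidr, subnets, on_prem_cidrs, needed):
    """Return a list of problems; an empty list means the plan is sound.

    subnets: {name: cidr}; needed: {name: number of hosts required}.
    """
    problems = []
    vpc = ipaddress.ip_network(vpc_cidr)
    if not 16 <= vpc.prefixlen <= 28:
        problems.append(f"VPC {vpc} prefix must be between /16 and /28")
    for cidr in on_prem_cidrs:
        if vpc.overlaps(ipaddress.ip_network(cidr)):
            problems.append(f"VPC {vpc} overlaps on-premises {cidr}")

    nets = {name: ipaddress.ip_network(c) for name, c in subnets.items()}
    for name, net in nets.items():
        if not net.subnet_of(vpc):
            problems.append(f"subnet {name} {net} is outside VPC {vpc}")
        if not 16 <= net.prefixlen <= 28:
            problems.append(f"subnet {name} {net} prefix must be between /16 and /28")
        want = needed.get(name, 0)
        if usable_hosts(net) < want:
            problems.append(f"subnet {name} {net} provides {usable_hosts(net)} "
                            f"usable addresses, {want} needed")

    names = list(nets)
    for i, a in enumerate(names):
        for b in names[i + 1:]:
            if nets[a].overlaps(nets[b]):
                problems.append(f"subnets {a} and {b} overlap")
    return problems


# Constructed plans. 10.0.0.0/16 and 192.168.0.0/16 stand in for on-premises.
GOOD_PLAN = dict(
    vpc_cidr="10.20.0.0/16",
    subnets={"public-a": "10.20.0.0/24", "public-b": "10.20.1.0/24",
             "private-a": "10.20.16.0/20", "private-b": "10.20.32.0/20"},
    on_prem_cidrs=["10.0.0.0/16", "192.168.0.0/16"],
    needed={"public-a": 50, "public-b": 50, "private-a": 4000, "private-b": 4000},
)
BAD_PLAN = dict(
    vpc_cidr="10.0.0.0/16",  # collides with the data center
    subnets={"public": "10.0.0.0/24", "private": "10.0.0.0/20", "stray": "10.1.0.0/24"},
    on_prem_cidrs=["10.0.0.0/16"],
    needed={"public": 300, "private": 1000, "stray": 10},
)
```

The bad plan shows the usual mistakes together: a VPC that cannot be connected to the data center without NAT, a /24 that looks like 256 addresses but offers 251, a public and a private subnet cut from the same space, and a subnet that is not in the VPC at all.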
Isolation
§ Separate VPCs for production, staging, and development?
§ Create one Amazon VPC with separate subnets?
§ Create subnets for production, staging, and development?
§ Deploy VPCs using CloudFormation?
VPC Security
§ Use a virtual appliance firewall you know
§ Add an intrusion prevention virtual appliance to your VPC
§ Encrypt root and any additional EBS volumes
§ Use Flow Logs to monitor the VPC environment
§ Install antivirus software on EC2 instances hosted in VPCs
§ Deploy security groups and NACLs
Check VPC Soft Limits
§ Understand hard and soft limits for your VPCs
§ Limitations are in effect for security groups, route tables and subnets, etc.
§ Ensure your long-term design will not be affected by the limitations
§ Request increases in soft limits at the start if limitations will affect your long-term design
IAM and VPCs
§ Ensure IAM policies are attached only to groups or roles
§ Design with the least access principle
Security Design
§ Security groups at the EC2 instance (network interface) level
§ Use security groups for allow-listing (stateful; allow rules only)
§ Use NACLs for block-listing (stateless; numbered allow and deny rules at the subnet level)
§ Create different security groups for different tiers of your infrastructure (Web, App, DB)
§ Avoid errors: standardize security group naming conventions
§ Enable VPC Flow Logs in all VPCs
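The allow-list versus block-list split comes from how the two mechanisms evaluate rules, and the difference bites when return traffic is involved. Here is an added example (not from the flashcards) that walks one TCP connection through a constructed subnet NACL and a constructed security group: the NACL is an ordered, stateless list where the lowest-numbered match decides and deny is possible, while the security group is an unordered allow-list that tracks connections, so replies never need a rule. Rules and addresses are assumptions.

```python
"""Model NACL (ordered, stateless, allow/deny) vs security group (allow-list, stateful).

Added example, not AWS code. Rules and addresses below are constructed;
198.51.100.0/24 plays the role of a blocklisted scanner range.
"""
import ipaddress

# Constructed NACL entries: (rule number, action, protocol, (from, to), cidr).
# Evaluated lowest number first; first match wins; the implicit "*" rule denies.
INBOUND_NACL = [
    (90, "deny", "tcp", (0, 65535), "198.51.100.0/24"),   # blocklisted range
    (100, "allow", "tcp", (443, 443), "0.0.0.0/0"),
    (110, "allow", "tcp", (1024, 65535), "0.0.0.0/0"),    # ephemeral ports
]
OUTBOUND_NACL = [
    (100, "allow", "tcp", (1024, 65535), "0.0.0.0/0"),    # replies to clients
]
# Constructed security group: (protocol, (from, to), cidr); allow rules only.
WEB_SG_INBOUND = [("tcp", (443, 443), "0.0.0.0/0")]


def nacl_permits(rules, proto, port, peer):
    """Stateless: the first rule (by number) that matches decides."""
    ip = ipaddress.ip_address(peer)
    for _, action, rproto, (lo, hi), cidr in sorted(rules):
        if rproto == proto and lo <= port <= hi and ip in ipaddress.ip_network(cidr):
            return action == "allow"
    return False  # implicit deny


def sg_permits(rules, proto, port, peer):
    """Allow-list: any matching rule permits; there is nothing to deny with."""
    ip = ipaddress.ip_address(peer)
    return any(rproto == proto and lo <= port <= hi and ip in ipaddress.ip_network(cidr)
               for rproto, (lo, hi), cidr in rules)


def connection_allowed(client_ip, client_port, server_port, proto="tcp"):
    """Return (request reaches the instance, reply reaches the client)."""
    request = (nacl_permits(INBOUND_NACL, proto, server_port, client_ip)
               and sg_permits(WEB_SG_INBOUND, proto, server_port, client_ip))
    if not request:
        return False, False
    # The security group tracks the connection, so the reply needs no outbound
    # SG rule. The NACL is stateless: the reply to the client's source port
    # must be allowed explicitly by the outbound list.
    reply = nacl_permits(OUTBOUND_NACL, proto, client_port, client_ip)
    return True, reply
```

The fourth case in the test is the stateless trap: a client that connects from a low source port gets its request through but never sees the reply, because the outbound NACL only opens the ephemeral range.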
Public Subnets
§ Only ELB, NAT or security solutions in public subnets
§ Design a DMZ in a public subnet
§ Force all incoming traffic into the DMZ
§ Route all outgoing traffic from the DMZ through the public subnet where the load balancer resides
Secure Internet Gateway Usage
§ Don't add the IGW to the main route table
§ Minimize use of the IGW through custom route tables
§ Minimize public subnet size by utilizing NAT or Internet-facing proxy services
VPC Peering
§ Peering allows easy interconnection
§ Enterprise running multiple VPCs in a single region with interconnected applications
§ Enterprises with different AWS accounts for different departments
§ Peering with cloud brokers allowing monitoring and management of AWS resources
§ Review that route tables for VPC peering are designed for "least access"
Securing Access
Monitor Load Balancing with CloudWatch
§ Monitor the following ELB metrics:
§ Latency
§ Request count
§ Healthy hosts
§ Unhealthy hosts
§ Backend HTTP responses (HTTPCode_Backend_2XX through HTTPCode_Backend_5XX)
§ Responses generated by the load balancer itself (HTTPCode_ELB_4XX, HTTPCode_ELB_5XX)



Perform SSL Termination at the ELB
§ Enable SSL/TLS termination at the ELB
§ Saves CPU processing time on your instances (add a backend HTTPS listener if traffic must stay encrypted inside the VPC)
Cross-Zone Load Balancing
§ Instances placed into multiple Availability Zones?
§ Enable cross-zone load balancing
§ Provides application availability and resiliency
Health Checks
§ Health checks for instances
§ Health checks for ELB
§ Health checks for Route 53
§ ELB outage – requests are routed away from the unhealthy ELB
§ Instance failure – solved by Auto Scaling groups and ELB integration
§ Route 53 health check results are published to all DNS servers
Protect your Web Applications
§ Place the application behind a load balancer (ELB)
§ ELB only accepts well-formed TCP connections
§ SYN floods or UDP reflection attacks are not accepted
§ ELB detection of attacks prompts scaling to absorb the additional traffic
§ AWS WAF to create additional mitigation rules
§ Block known IP addresses with rules / actions
§ Create rules with conditions that block matching requests

Planning S3 Storage
S3 Versioning
§ New version created from each object upload
§ Retrieve "deleted" objects (a delete only adds a delete marker; earlier versions remain)
§ Protect from accidental deletion
§ Create lifecycle rules for noncurrent versions
§ Not enabled by default
§ Versioning can only be suspended, not turned off, after it is enabled
MFA Bucket Protection
§ A valid MFA code is required for permanently deleting an object version (MFA Delete)
Lifecycle Policies
§ Control data costs
§ Transition – Standard to Amazon Glacier after a defined time
§ Expiration – delete objects after a defined time
Versioning and Lifecycle Policies
§ Versioning = recycle bin
§ Lifecycle policies = data automation
Cross-Region Replication
§ Replicates uploads made to the source bucket after replication is enabled to a destination bucket in a separate region (existing objects are not copied; replication of delete markers is optional; deleting a specific version is never replicated)
§ Both source and destination buckets need versioning enabled
§ For compliance: records are stored in a different region
§ Separate security: remote replicas managed by separate AWS accounts
§ Faster access: lower latency
IAM Roles
§ Use IAM roles for S3 control
§ Central permission management
§ IAM policies for users, groups, and roles
Bucket Policies
§ Directly attached to the S3 bucket
§ Access control in the S3 environment
§ S3 ACLs can control individual objects within each bucket (legacy mechanism; prefer bucket policies)
Securing Content
End-to-End HTTPS
§ CloudFront supports HTTPS traffic:
§ From browser to edge locations
§ From edge locations to origin
§ Redirect all HTTP traffic to HTTPS
§ Define in the CloudFront distribution
§ SSL certificate provided by CloudFront or a custom SSL certificate
Use Amazon S3 for Static Objects
§ Free data transfer from S3 to CloudFront
§ Decrease the load on your web servers
§ S3 is highly available and scalable
Control Access to S3 Content
§ Enable Origin Access Identity (OAI)
§ "Special" user that only has access to your specific S3 content
§ Stops direct S3 access
§ Content can only be accessed via CloudFront when OAI is enabled and the bucket policy grants access to that identity alone
§ Origin Access Control (OAC) is the current replacement for OAI
Route 53 ALIAS Records
§ Route 53 queries CloudFront distributions
§ All DNS queries using ALIAS records are free!
§ Create an ALIAS record for your zone apex
§ Route 53 directly translates your ALIAS record into the CloudFront IP address with no additional charge
Custom Error Pages
§ Set a low error caching minimum TTL
§ After the TTL has expired CloudFront will check whether the requested resource is now available
§ Create custom error pages to improve customer experience
§ Deliver error pages from S3 and not your origin server
CloudFront Access Logs
§ Create CloudFront logs
§ Must be manually turned on
§ Provide analytics into your content and usage
CloudFront Reports
§ Cache statistics
§ Popular objects
§ Top referrers
§ Viewer reports
§ Locations
§ Browsers
§ Operating systems
Auditing and Monitoring
CloudTrail with CloudWatch
§ All API-based activity and resources can be monitored
§ Alarms and notifications alert on abnormal account activity
§ CloudTrail logs can be stored indefinitely in an S3 bucket
Restrict Access to CloudTrail Logs
§ Restrict access to CloudTrail logs with IAM or bucket policies
§ Decrease the risk of unauthorized log access
§ S3 lifecycle policy on the bucket holding your CloudTrail logs
§ Archive log contents in Glacier matching data retention policies
Enable Log File Validation
§ After delivery to the S3 bucket, changes made to logs can be identified (CloudTrail writes signed hourly digest files that list each delivered log file with its SHA-256 hash and chain to the previous digest)
§ Integrity of log files remains verifiable
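What the validation actually checks is worth seeing, so here is an added example (not from the flashcards or AWS's validate-logs implementation) that re-hashes log objects and compares them with the hashValue entries of a digest, reports each file as ok, modified or missing, and checks the chain to the previous digest through previousDigestHashValue. CloudTrail documents both hashes as SHA-256 over the uncompressed content, which is what the code computes; the RSA signature check against the key from aws cloudtrail list-public-keys is not shown. The digest and log objects are constructed with the field names CloudTrail uses.

```python
"""Verify CloudTrail log files against a digest file (hash and chain checks only).

Added example, not AWS code. The digest, log objects and previous digest are
constructed; the signature check on the digest itself is out of scope.
"""
import gzip
import hashlib
import json


def sha256_hex(data):
    return hashlib.sha256(data).hexdigest()


def build_constructed_objects():
    """Return (digest, objects, previous_digest_bytes) for the demonstration.

    objects maps an S3 key to the gzipped bytes stored under it, standing in
    for what you would download from the trail bucket.
    """
    log_a = json.dumps({"Records": [{"eventName": "RunInstances"}]}).encode()
    log_b = json.dumps({"Records": [{"eventName": "DeleteTrail"}]}).encode()
    previous = json.dumps({"digestEndTime": "2024-05-01T10:00:00Z", "logFiles": []}).encode()
    prefix = "AWSLogs/111122223333/CloudTrail/us-east-1/2024/05/01/"
    digest_prefix = "AWSLogs/111122223333/CloudTrail-Digest/us-east-1/2024/05/01/"
    digest = {
        "awsAccountId": "111122223333",
        "digestStartTime": "2024-05-01T10:00:00Z",
        "digestEndTime": "2024-05-01T11:00:00Z",
        "digestS3Bucket": "example-trail-bucket",
        "digestS3Object": digest_prefix + "digest-11.json.gz",
        "previousDigestS3Object": digest_prefix + "digest-10.json.gz",
        "previousDigestHashValue": sha256_hex(previous),
        "logFiles": [
            {"s3Object": prefix + "log-a.json.gz", "hashValue": sha256_hex(log_a),
             "hashAlgorithm": "SHA-256"},
            {"s3Object": prefix + "log-b.json.gz", "hashValue": sha256_hex(log_b),
             "hashAlgorithm": "SHA-256"},
        ],
    }
    objects = {prefix + "log-a.json.gz": gzip.compress(log_a),
               prefix + "log-b.json.gz": gzip.compress(log_b)}
    return digest, objects, previous


def verify_digest(digest, objects, previous_digest_bytes=None):
    """Return {s3Object: 'ok' | 'modified' | 'missing'}, plus 'previous-digest'
    ('ok' or 'broken-chain') when the prior digest's bytes are supplied."""
    result = {}
    for entry in digest["logFiles"]:
        blob = objects.get(entry["s3Object"])
        if blob is None:
            result[entry["s3Object"]] = "missing"  # log file deleted from the bucket
            continue
        try:
            content = gzip.decompress(blob)
        except (OSError, EOFError):
            result[entry["s3Object"]] = "modified"  # not even valid gzip any more
            continue
        result[entry["s3Object"]] = ("ok" if sha256_hex(content) == entry["hashValue"]
                                     else "modified")
    if previous_digest_bytes is not None:
        chained = sha256_hex(previous_digest_bytes) == digest["previousDigestHashValue"]
        result["previous-digest"] = "ok" if chained else "broken-chain"
    return result


def run_scenarios():
    """Exercise the clean, tampered, deleted and broken-chain cases."""
    digest, objects, previous = build_constructed_objects()
    key = digest["logFiles"][0]["s3Object"]
    tampered = dict(objects)
    tampered[key] = gzip.compress(b'{"Records": []}')  # event quietly removed
    missing = {k: v for k, v in objects.items() if k != key}
    return {
        "clean": verify_digest(digest, objects, previous),
        "tampered": verify_digest(digest, tampered, previous)[key],
        "missing": verify_digest(digest, missing, previous)[key],
        "broken-chain": verify_digest(digest, objects, previous + b" ")["previous-digest"],
    }
```

Without the signature step an attacker who can rewrite the digest as well as the logs still wins, which is why the digest's own signature and the chain to earlier digests are both part of a real validation run.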
Encrypt CloudTrail Logs
§ Use SSE-KMS and define decryption permissions (in the KMS key policy) for accessing CloudTrail logs
§ Ensure access control matches your compliance requirements
Enable CloudTrail in All Regions
§ Enable CloudTrail in all regions, even in regions where you don't currently operate (a single multi-region trail does this)
§ Be alerted when unexpected activity occurs in unused regions
§ Activity could indicate security issues
Log Global API Calls
§ Some essential services are global, not bound by region: IAM, CloudFront, Route 53, or WAF
§ Enable global events in one trail
§ Disable global events from all other trails to avoid duplicate records
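Here is an added example (not from the flashcards) of the detection those two cards describe, run over constructed CloudTrail records that use the real field names (eventSource, eventName, awsRegion, sourceIPAddress, userIdentity). It flags activity outside the regions you expect to use, separates out global-service events, which CloudTrail attributes to us-east-1 regardless of where the caller sits, so they are not mistaken for an unexpected region, and flags calls that switch logging off. EXPECTED_REGIONS is an assumption about this account.

```python
"""Triage CloudTrail records for unexpected regions and logging tampering.

Added example, not AWS code. SAMPLE_LOG is constructed; EXPECTED_REGIONS
is an assumption about where this account runs workloads.
"""
import json

EXPECTED_REGIONS = {"eu-west-1", "eu-central-1"}  # assumed footprint
GLOBAL_SERVICES = {"iam.amazonaws.com", "sts.amazonaws.com", "cloudfront.amazonaws.com",
                   "route53.amazonaws.com", "waf.amazonaws.com"}
# Control-plane calls that change whether you can see what happens next.
LOGGING_TAMPER = {"StopLogging", "DeleteTrail", "UpdateTrail", "PutEventSelectors"}

# Constructed records; 203.0.113.0/24 and 198.51.100.0/24 are documentation ranges.
SAMPLE_LOG = json.dumps({"Records": [
    {"eventTime": "2024-05-01T10:01:00Z", "eventSource": "ec2.amazonaws.com",
     "eventName": "RunInstances", "awsRegion": "eu-west-1",
     "sourceIPAddress": "203.0.113.10",
     "userIdentity": {"type": "IAMUser", "userName": "alice"}},
    {"eventTime": "2024-05-01T10:02:00Z", "eventSource": "ec2.amazonaws.com",
     "eventName": "RunInstances", "awsRegion": "ap-southeast-1",
     "sourceIPAddress": "198.51.100.23",
     "userIdentity": {"type": "IAMUser", "userName": "bob"}},
    {"eventTime": "2024-05-01T10:03:00Z", "eventSource": "iam.amazonaws.com",
     "eventName": "CreateAccessKey", "awsRegion": "us-east-1",
     "sourceIPAddress": "198.51.100.23",
     "userIdentity": {"type": "IAMUser", "userName": "bob"}},
    {"eventTime": "2024-05-01T10:04:00Z", "eventSource": "cloudtrail.amazonaws.com",
     "eventName": "StopLogging", "awsRegion": "eu-west-1",
     "sourceIPAddress": "198.51.100.23",
     "userIdentity": {"type": "IAMUser", "userName": "bob"}},
]})


def _actor(record):
    identity = record.get("userIdentity", {})
    return identity.get("userName") or identity.get("type", "unknown")


def triage(log_text):
    """Return (kind, region, eventName, actor, sourceIP) alerts."""
    alerts = []
    for rec in json.loads(log_text)["Records"]:
        src = rec["eventSource"]
        kinds = []
        # Global services always report us-east-1, so judge them by service,
        # not by region; otherwise every IAM call would look out of place.
        if src not in GLOBAL_SERVICES and rec["awsRegion"] not in EXPECTED_REGIONS:
            kinds.append("unexpected-region")
        if src == "cloudtrail.amazonaws.com" and rec["eventName"] in LOGGING_TAMPER:
            kinds.append("logging-tamper")
        for kind in kinds:
            alerts.append((kind, rec["awsRegion"], rec["eventName"],
                           _actor(rec), rec["sourceIPAddress"]))
    return alerts


def global_events(log_text):
    """List (eventSource, eventName, actor) for global-service calls, which
    should appear in exactly one trail if global events are enabled once."""
    return [(rec["eventSource"], rec["eventName"], _actor(rec))
            for rec in json.loads(log_text)["Records"]
            if rec["eventSource"] in GLOBAL_SERVICES]
```

With a multi-region trail the ap-southeast-1 RunInstances would be missing entirely if only a regional trail existed, and the StopLogging call is the last event you would see; both are worth an alarm on their own.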
