AWS Security
AWS Security deals with the security of AWS infrastructure.
This competency area includes understanding the shared responsibility model for infrastructure services; managing AWS credentials; managing IAM users, groups, roles and policies; configuring security groups, NACLs, WAF, encryption and bucket policies; and setting up monitoring and alerts to meet the security objectives of the organization.
Key competencies:
- Shared Responsibility Model: Understand the shared responsibility model for infrastructure services when moving applications, data, containers, and workloads to the cloud.
- Manage AWS Credentials: Delete root credentials and set up MFA for the root user.
- Manage IAM Services: Manage IAM users, groups, roles, and policies following best practices.
- Manage Security Groups: Manage security groups and add inbound rules that allow access only from trusted entities.
- EBS Encryption: Configure an EBS volume with encryption at rest enabled using a KMS key.
- Cross-Account Access: Manage cross-account access using a cross-account role, giving another account permission to securely access the resources in your account.
- Configure Bastion Host: Configure a bastion host to securely SSH into an instance in a private subnet.
- S3 Bucket Policy: Write a bucket policy that grants S3 access to trusted users and entities, including other AWS accounts.
- CloudWatch Alerts: Set up a CloudWatch dashboard, plot graphs based on a few metrics, and configure alerts to be sent by email via SNS.
- VPC Flow Logs: Enable VPC Flow Logs to monitor the incoming and outgoing traffic in the VPC.
- CloudTrail Setup: Set up a CloudTrail trail to monitor all the API calls made in the environment.
- Load Balancer Access Logs: Enable access logs for the load balancer and send them to S3 for auditing.
- Server-Side Encryption for S3: Enable server-side encryption for the S3 objects in a bucket.
- AWS Config: Write basic AWS Config rules to make sure security best practices are followed across the services in the infrastructure.
- AWS WAF: Set up AWS WAF for the load balancer and CloudFront with various WAF rules, such as an HTTP flood rule, an IP blacklist rule, a geo-based IP block rule, etc.
- AWS VPC: Set up a VPC with a minimum of two private subnets for critical resources such as APIs and databases.
- AWS Secrets Manager: Store, rotate, manage, and retrieve secrets using AWS Secrets Manager.
- Rotate AWS Access Keys: Use AWS Lambda to rotate the AWS access keys of all IAM users.