Minor changes #19

Open
wants to merge 1 commit into
base: main
12 changes: 6 additions & 6 deletions 01-Value_Of_AWS_Cloud.md
Expand Up @@ -27,7 +27,7 @@ The following cloud terminology is important for the exam:
1. Durability
* AWS provides data services that offer long-term data protection and storage.
1. Latency
* Time elapsed between a user request and reponse. Low latency is a good thing.
* Time elapsed between a user request and response. Low latency is a good thing.
### Cloud Computing Models

1. IaaS: Infrastructure as a Service e.g.EC2
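Review bot: the "reponse" to "response" fix is correct; while touching this block, the unchanged context line "1. IaaS: Infrastructure as a Service e.g.EC2" is missing a space after "e.g." and would read better as "e.g. EC2" (same pattern likely applies to the PaaS/SaaS items hidden below the fold).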
Expand All @@ -37,7 +37,7 @@ The following cloud terminology is important for the exam:
[Click Here for details](https://aws.amazon.com/what-is-cloud-computing/?pg=TOCC)
## Cloud Hosting Models

1. Private Cloud: On-prem virtualization as well as off-prem fully managed private cloud, also with Amazone Outpost
1. Private Cloud: On-prem virtualization as well as off-prem fully managed private cloud, also with Outpost
1. Public Cloud: Fully publicly hosted and managed cloud.
1. Hybrid Cloud: AWS Direct Connect service connects customer's data center with Amazon.

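Review bot: the replacement drops the vendor name instead of correcting it. "Amazone Outpost" was a misspelling of the service name, which is "AWS Outposts"; suggest "also with AWS Outposts" rather than the bare "Outpost", so the hosting-model line still names the product a reader can look up.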
Expand All @@ -55,12 +55,12 @@ Amazon EC2 is hosted in multiple locations world-wide. These locations are compo
* All AZs in an AWS Region are interconnected with high-bandwidth, low-latency networking, over fully redundant, dedicated metro fiber providing high-throughput, low-latency networking between AZs.
* All traffic between AZs is encrypted.
* The network performance is sufficient to accomplish synchronous replication between AZs.
* If applications are distrbuted - deploy to multiple AZs with load balancing.
* If applications are distributed - deploy to multiple AZs with load balancing.
1. [Data Center](https://aws.amazon.com/compliance/data-center/data-centers/)
* Two or more data centers together are part of an AZ.
* Each data center has protections across 4 layers:
* Perimeter - secured perimeter for physical access.
* Infrastrucutre - HVAC, power, fire suppression.
* Infrastructure - HVAC, power, fire suppression.
* Data - servers within the building, racked and stacked.
* Environment - site location, seismic data, flooding etc.
1. [Local Zones](https://aws.amazon.com/about-aws/global-infrastructure/localzones/)
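Review bot: both spelling fixes ("distributed", "Infrastructure") are correct. Minor style point on the same line: "If applications are distributed - deploy to multiple AZs with load balancing." uses a spaced hyphen as a clause separator; a comma ("If applications are distributed, deploy to multiple AZs with load balancing.") reads more cleanly and matches the rest of the list.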
Expand All @@ -74,7 +74,7 @@ Amazon EC2 is hosted in multiple locations world-wide. These locations are compo
1. [Global Edge Network](https://aws.amazon.com/cloudfront/features/?p=ugi&l=na&whats-new-cloudfront.sort-by=item.additionalFields.postDateTime&whats-new-cloudfront.sort-order=desc)
* Amazon CloudFront peers with thousands of Tier 1/2/3 telecom carriers globally.
* CloudFront is well connected with all major access networks for optimal performance, and has hundreds of terabits of deployed capacity.
* CloudFront edge locations are connected to the AWS Regions through the AWS network backbone - fully redundant, multiple 100GbE parallel fiber that circles the globe and links with tens of thousands of networks for improved origin fetches and dynamic content acceleration.these are cached closest to audience.
* CloudFront edge locations are connected to the AWS Regions through the AWS network backbone - fully redundant, multiple 100GbE parallel fiber that circles the globe and links with tens of thousands of networks for improved origin fetches and dynamic content acceleration.these are cached closest to the audience.
* Mini-data centers created for low latency between applications and users.
* There are many more edge locations than AZs or regions.

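Review bot: the fused sentence is still broken after this change. "dynamic content acceleration.these are cached closest to the audience." gains a "the" but keeps the missing space and lowercase after the full stop; suggest "dynamic content acceleration. These are cached closest to the audience." so the two sentences are actually separated.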
Expand Down Expand Up @@ -106,7 +106,7 @@ Amazon EC2 is hosted in multiple locations world-wide. These locations are compo
* Use serverless architectures first.
* Use multi-region deployments.
* Delegate tasks to a cloud vendor.
* Experiement with virtual resources.
* Experiment with virtual resources.
* Use Case: Lambda to run serverless compute workloads.
1. Cost Optimization
* Utilize consumption-based pricing.
8 changes: 4 additions & 4 deletions 02-AWS_Shared_Responsibility_Model.md
@@ -1,13 +1,13 @@
# AWS Shared Responsibility Model

### "AWS has the responsibilty OF the cloud. Customer has the responsibility IN the cloud."
### "AWS has the responsibility OF the cloud. Customer has the responsibility IN the cloud."

<img src="https://d1.awsstatic.com/security-center/Shared_Responsibility_Model_V2.59d1eccec334b366627e9295b304202faf7b899b.jpg" width="800px">
Source: https://aws.amazon.com/compliance/shared-responsibility-model/

As a customer of AWS - you are not responsible for the hardware, software, networking, and facilities that run AWS Cloud services across its regions, AZs, data centers and edge locations.

Depending on the Cloud Model - AWS and it's customer share responsibilities for different layers. However, the customer is Never responsible for the virtualization or the underlying physical infrastructure.
Depending on the Cloud Model - AWS and its customers share responsibilities for different layers. However, the customer is Never responsible for the virtualization or the underlying physical infrastructure.

1. Inherited Controls (AWS only)
* Controls which a customer fully inherits from AWS.
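Review bot: "its customers share responsibilities" is the right fix, but the same sentence still capitalizes "Never" mid-sentence ("the customer is Never responsible for the virtualization..."). If the emphasis is intentional, use the document's own convention of bold ("**never**"); otherwise lowercase it. The leading quote-as-heading is fine, though the fixed line now carries the heading marker and quotes for a one-sentence slogan, which may be better as a plain blockquote (`>`) to match markdown conventions.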
Expand All @@ -24,9 +24,9 @@ Depending on the Cloud Model - AWS and it's customer share responsibilities for
<img src="https://img.alicdn.com/tfs/TB1WyglO7voK1RjSZFwXXciCFXa-2305-1450.png" width="800px">


AWS is responsible for protecting and securing their infrastructure like whatever is in their data centers. Physical security of AWS data center. AWS maintains UPS, CRAC, fire suppression systems and more. AWS is responisble for any managed service and underlying software, operating system.
AWS is responsible for protecting and securing their infrastructure like whatever is in their data centers. Physical security of AWS data center. AWS maintains UPS, CRAC, fire suppression systems and more. AWS is responsible for any managed service and underlying software, operating system.

You are responsible for your data and applications. Application Data including encryption options. Security configuration - rotating credentials, APIs, VPC access etc. Patching guest operating system of EC2 instances. IAM - application security, identity and access management for systems. Network traffice - you are responsible for it including group firewall configuration.
You are responsible for your data and applications. Application Data including encryption options. Security configuration - rotating credentials, APIs, VPC access etc. Patching guest operating system of EC2 instances. IAM - application security, identity and access management for systems. Network traffic - you are responsible for it including group firewall configuration.


### Report AWS abuse resource
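Review bot: the two typo fixes are correct, but the hunk leaves a sentence fragment in the AWS paragraph ("Physical security of AWS data center.") and an ambiguous phrase in the customer paragraph ("including group firewall configuration"); if "group firewall" means security groups, spell it out as "security group (firewall) configuration" so the responsibility being assigned to the customer is unambiguous. Separately, the unchanged `<img>` on the first context line is hot-linked from img.alicdn.com, a third-party CDN unrelated to AWS; consider committing the image to the repository or citing its source as the first image does, since an externally hosted image can change or disappear without any change to this file.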
39 changes: 20 additions & 19 deletions 03-AWS_Security_Best_Practices.md
@@ -1,10 +1,11 @@
# AWS Security Best Practices

_This is 25% of the weight of the exam_
~~This is 25% of the weight of the exam~~
*update 22/02/2024*: _according to [this](https://aws.amazon.com/blogs/training-and-certification/coming-soon-updates-to-aws-certified-cloud-practitioner-exam/) AWS blogpost, Security and compliance is now **30%** weight of the exams instead of 25%_

## Root User
* Automatically created when you create an AWS account.
* Only root user can delete the account.
* Only the **ROOT USER** can **DELETE** the account.
* There is just one root user that can exclusively:
* Change your account settings. This includes the account name, email address, root user password, and root user access keys.
* Restore IAM user permissions. If the only IAM administrator accidentally revokes their own permissions, you can sign in as the root user to edit policies and restore those permissions.
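Review bot: the exam-weight update keeps the struck-through old line and adds a dated note, which is fine as a changelog, but the date "22/02/2024" is ambiguous for an international readership (day-first vs month-first); suggest an ISO date ("2024-02-22"). In the same added line, "weight of the exams" should be singular ("of the exam") to match the line it replaces. The bold "ROOT USER"/"DELETE" emphasis is fine, though the following bullet "There is just one root user that can exclusively:" already makes the point.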
Expand All @@ -19,7 +20,7 @@ _This is 25% of the weight of the exam_

_Best Practice:_ Identity and Access Management - create a new user and provide a role. Never use the root user unless absolutely required. Protect root account with MFA (Multi-factor authentication).

VPC - Vitual Private Cloud. Default VPC will always be created for you.
VPC - Virtual Private Cloud. Default VPC will always be created for you.
* AWS Management Console
* Easy to navigate via web-browser.
* Good for non-technical roles.
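Review bot: "Virtual Private Cloud" is the correct fix. Style point on the surrounding context: the VPC paragraph is immediately followed by the "* AWS Management Console" bullet list with no blank line, so the list about console access attaches to an unrelated paragraph about VPCs; a blank line (or a short heading for the access-methods list) would keep the two topics separate.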
Expand All @@ -35,7 +36,7 @@ Use the search feature for easy access.
* An identity that is verified.
* Credentials such as username and password.
1. Authorization
* Determines which services and resources the idenitity has access to.
* Determines which services and resources the identity has access to.
* Permissions are granted via a policy.
1. Least Privilege
* Give a user the minimum access required to get the job done.
Expand All @@ -55,14 +56,14 @@ Use the search feature for easy access.
* Roles define access permissions and are temporarily assumed by an IAM user or service.
* DevOps role, Lambda-Execution role are examples.
* Access is assigned using policies.
* You grant users in one AWS account access to resources in another AWS acccount using roles.
* You grant users in one AWS account access to resources in another AWS account using roles.
* Attach a role to an EC2 instance for access to S3. Applications running on that instance will have access to S3 via roles. This is useful because the application will not need credentials or access keys. This is most secure.
1. Policies
* You manage persmissions for IAM users, groups, and roles by creating a policy document in JSON format and attaching it. The policy itself is decoupled from IAM identitieis.
* You manage permissions for IAM users, groups, and roles by creating a policy document in JSON format and attaching it. The policy itself is decoupled from IAM identities.
* User - {Policy:Access} - Resource
* Developer Group = {Policy: Resource Access} - Resource
* Role - {Policy:Allow-S3-Access} - S3
* How to limit access to an Amazeon S3 to specific users only? You can add a bucket access policy directly to an Amazon S3 bucket to grant IAM users accesss. I wonder if there is another way, create a special bucket access group with policy to the group, and then add users to the group. Or add users to the policy directly.
* How to limit access to an Amazon S3 to specific users only? You can add a bucket access policy directly to an Amazon S3 bucket to grant IAM users access. I wonder if there is another way, create a special bucket access group with policy to the group, and then add users to the group. Or add users to the policy directly.
1. IAM Credentials Report
* Assistance with compliance and auditing by offering a downloadable report that lists all your IAM users in this account and the status of their various credentials including MFA devices in your account.
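Review bot: all five spelling fixes are correct. The S3 line is still grammatically incomplete after the change: "limit access to an Amazon S3 to specific users only" is missing "bucket" ("limit access to an Amazon S3 bucket to specific users only"). The same bullet keeps the author's open question ("I wonder if there is another way, create a special bucket access group..."); since the page is study notes, either answer it (an IAM policy attached to a group is in fact the alternative the bullet describes, and the "Policies" bullet above already says policies can be attached to groups) or mark it clearly as an open question so it is not read as a recommendation.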

Expand All @@ -71,17 +72,17 @@ Use the search feature for easy access.
1. [WAF](https://aws.amazon.com/waf/) : XSS SQL-Injection
* WAF is a Web Application Firewall that can protect against common attacks such as XSS or SQL injection.
1. [Shield](https://aws.amazon.com/shield/) DDOS
* AWS Shielf is a managed DDOS protection service. Sheild standard is free but Sheild Advanced provides access to AWS experts for a fee.
* AWS Shield is a managed DDOS protection service. Shield standard is free but Shield Advanced provides access to AWS experts for a fee.
* DDOS protections from CloudFront, Route53, Elastic Load Balancing, and AWS Global Accelerator.
* Receive real-time notifications of suspected DDoS incidents via CloudWatch metrics and assistance from AWS during the attack.
* Automatically scrub bad traffic at specific layers: layer 3,4 and 7. Minimize application downtime and latency. Monitor and protect up to 1000 resource types.
1. [Macie](https://aws.amazon.com/macie/) Sensitive Data
* Helps you discover and protect sensitive data. Uses maching learning, evaluates S3 environment, uncovers PII information.
* Helps you discover and protect sensitive data. Uses Machine Learning, evaluates S3 environment, uncovers PII information.
* Use cases: discover passport numbers stored on S3 using Macie. Find SSNs in S3 files.
1. [Config](https://aws.amazon.com/config/) Audit config
* Assess, audit, and evaluate configurations of your resources.
* Record and altert by storing in S3.
* Use cases: Streamline operational troubleshooting and change management. Deploy a complicant-as-code framework. Continually audit security monitoring and analysis.
* Record and alert by storing in S3.
* Use cases: Streamline operational troubleshooting and change management. Deploy a compliance-as-code framework. Continually audit security monitoring and analysis.
1. [GuardDuty](https://aws.amazon.com/guardduty/) Threat detection
* Protect your AWS accounts with intelligent threat detection.
* Continuously monitors workload for malicious activity and delivers detailed security findings for visibility and remediation. Network and API calls.
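Review bot: the Shield, Config and Macie fixes are correct, but two inconsistencies survive in this hunk. "DDOS" (Shield bullets) and "DDoS" (the CloudWatch bullet three lines below) are both used for the same term; "DDoS" is the conventional spelling. "Machine Learning" is capitalized as a proper noun in the new Macie line while nothing else in the list capitalizes generic terms; lowercase "machine learning" matches the surrounding style. Also the unchanged "layer 3,4 and 7" wants a space after the comma.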
Expand All @@ -92,29 +93,29 @@ Use the search feature for easy access.
* Use cases: Quickly discover vulnerabilities in compute workloads. Prioritize patch remediation. Meet compliance requirements. Identify zero-day vulnerabilities sooner.
1. [Artifact](https://aws.amazon.com/artifact/) Compliance Report
* Access Independent Software Vendor compliance report.
* Use artifact to SOC and PCI compliance reports. You can generate the report. Access to the report can be provided. Self-service portal.
* Use Artifact to SOC and PCI compliance reports. You can generate the report. Access to the report can be provided. Self-service portal.
1. [Cognito](https://aws.amazon.com/cognito/) CIAM
* Customer identity and acess management.
* Delivery frictionless CIAM. Adaptive authentication, support compliance, and data residency requirements. Scale to millions of users with a fully managed, high-performantm and reliable identity store. Federate sign-in using OIDC or SAML 2.0 connect to a broad group of AWS services and products.
* Customer identity and access management.
* Delivery frictionless CIAM. Adaptive authentication, support compliance, and data residency requirements. Scale to millions of users with a fully managed, high-performant and reliable identity store. Federate sign-in using OIDC or SAML 2.0 connects to a broad group of AWS services and products.
* Use-cases: Social media accounts to log in to your application.

# Data Encryption and Secrets Management Services

1. [KMS](https://aws.amazon.com/kms/) Key Management
* Key Management Service is multi-tenant encryption key management service.
* Key Management Service is a multi-tenant encryption key management service.
* Create and control encryption keys managed by AWS used to encrypt or digitally sign your data.
* Centrally manage keys and define policies across integrated services and application from a single point.
* Centrally manage keys and define policies across integrated services and applications from a single point.
* Encrypt data within your applications with the AWS Encryption SDK data encryption library.
* Encrypt EBS volume using KMS.
1. [CloudHSM](https://aws.amazon.com/cloudhsm/) Encryption Key Generator.
* Manage single-tenant hardware security modules (HSMs) on AWS.
* Use case: Generate and use cryptographic keys on dedicated FIPS 140-2 Level 3 single-tenant HSM instances. Deploy workloads with high reliability and low latency, and help meet regulatory compliance. Pay by the hour, and backup and shut down HSMS when they're not needed. Manage HSM capacity and control your costs by adding and removing HSMs from your cluster.
1. [Secrets Manager](https://aws.amazon.com/secrets-manager/) Secrets Management
* Use cases: Store secrets securely, manage acess with fine-grained policies, automate secrets rotation, audit and monitor secrets usage.
* Database credentials, API keys, encrypt secrets at rest, integreates with RDS, DOcumentDB, Redshift.
* Use cases: Store secrets securely, manage access with fine-grained policies, automate secrets rotation, audit and monitor secrets usage.
* Database credentials, API keys, encrypt secrets at rest, integrates with RDS, DOcumentDB, Redshift.
* Retrieve database credentials needed for your application code. Secrets Manager allows you to retrieve database credentials with a call to Secrets Manager APIs, removing the need to hardcode sensitive information in plain text within your application code.
1. [AWS Certificate Manager](https://aws.amazon.com/certificate-manager/) Certificate Manager
* Provisiong public and private certificats for free.
* Provision public and private certificates for free.
* SSL/TLS certificates are supported.
* Use key management for certs and get managed certificate renewal.
* Integrates with Elastic Load Balancing, API Gateway and more.
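Review bot: several wording problems remain in the lines this hunk touches. In the Cognito bullet, "Delivery frictionless CIAM" should be "Deliver frictionless CIAM", "high-performant" should be "high-performance", and "Federate sign-in using OIDC or SAML 2.0 connects to a broad group of AWS services" still runs two ideas together (suggest a full stop after "SAML 2.0"). In the Artifact bullet, "Use Artifact to SOC and PCI compliance reports" is missing its verb ("to access SOC and PCI compliance reports"). In the Secrets Manager bullet, "DOcumentDB" is left unfixed and should be "DocumentDB". In the unchanged CloudHSM line, "HSMS" should be "HSMs". The KMS and ACM grammar fixes ("is a multi-tenant", "applications", "Provision ... certificates") are correct.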