Learn about the security tools available within AWS: Identity and Access Management for managing users, Directory Service for getting all the features of Microsoft Active Directory without having to run associated infrastructure, Web Application Firewall for protecting your application from malicious actors, Certificate Manager for managing SSL/TLS certificates, Network Access Control Lists for controlling access within a Virtual Private Cloud (VPC), and Security Groups.
- [Narrator] Let's take a quick look at the palette of security related tools that are available within AWS. Identity and Access Management serves as one of the core tools within the security tool belt. It allows you to configure users, groups, and permissions. AWS also has a Directory Service. This allows you to provide all of the services that Microsoft Active Directory offers, without having to run the associated infrastructure. Suppose you decide to use CloudFront, Amazon's global content delivery network, in front of your web applications.
In order to provide an additional layer of security, you may be interested in the Web Application Firewall, or WAF. WAF allows you to protect your web applications against hackers, by defining rules and filtering malicious traffic. Amazon Certificate Manager takes the pain out of managing SSL/TLS certificates. At this point, Certificate Manager only works with CloudFront and elastic load balancers. With Certificate Manager, you can request and deploy a certificate quite easily, while being comforted by the fact that renewals are automated. Amazon Inspector is a vulnerability scanning tool that you can use to identify potential security issues with applications you operate within AWS.
Using software agents installed on the EC2 instances you want to scan, Inspector has access to network, operating system, file system, and application processes. Let's look a bit deeper into how Inspector works. Consider this architecture, where you have users hitting route 53 for DNS, directed to an application load balancer with an auto-scaled web tier, which in turn is linked to a load balanced application tier, and is using RDS for storage.
If you want to assess the vulnerabilities of your web and application tiers, you would have to install an Inspector agent on each EC2 instance. Since the agent is installed on the instance, it can see above the hypervisor, into the operating system and what's running on it. Inspector uses rule sets to scope the type of scanning it performs. You can use Inspector to scan for common vulnerabilities and exposures, or CVEs, as cataloged by the MITRE Corporation. Another rule set is based on the Center for Internet Security's Operating System Security Configuration Benchmarks, for things like Windows domain controllers and member servers.
A third rule set checks for Security Best Practices. For example, on a Linux system, this rule set will report a finding if any operating system user other than root has write permissions to system directories. A fourth rule set is called Runtime Behavior Analysis. For example, on both Linux and Windows, Inspector will let you know if any insecure protocols are being used for login.
Inspector can collect data in as little as 15 minutes, or you can let it run for a full day, depending on how much data you want to collect. After an Inspector run, you can view its assessment in the web console. AWS also provides network security tools. When you create virtual private clouds, or VPCs, within AWS, you'll have the ability to apply Network Access Control Lists, or NACLs. Acting as a firewall, NACLs allow you to control inbound and outbound network traffic.
Security Groups are controls that apply primarily to EC2 instances. Security Groups act as a virtual firewall, which you can configure to allow network traffic on ports you specify.
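The narration above describes NACLs and Security Groups as two kinds of VPC firewall without spelling out how their rule evaluation differs. The following Python model is an added example, not code from the course or from AWS; it encodes the documented semantics as I understand them: an NACL is an ordered list of numbered allow/deny rules, lowest number first, with an implicit deny at the end, and it is stateless, so reply packets need their own rule (typically an outbound ephemeral-port rule); a Security Group is allow-only and stateful, so a reply to a permitted flow is let through. The `Flow` and `Rule` classes, the `demo()` function and the client address `203.0.113.10` (a documentation range) are constructed for the example; a real default Security Group also allows all outbound traffic, which the demo deliberately leaves empty to isolate the stateful behaviour.

```python
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Flow:
    """One packet, described from the EC2 instance's point of view (constructed model)."""
    proto: str        # "tcp" or "udp"
    direction: str    # "inbound" (towards the instance) or "outbound" (away from it)
    peer_ip: str      # remote address
    peer_port: int    # remote port
    local_port: int   # the instance's own port

    def reply(self) -> "Flow":
        """The packet travelling the opposite way on the same 5-tuple."""
        other = "outbound" if self.direction == "inbound" else "inbound"
        return Flow(self.proto, other, self.peer_ip, self.peer_port, self.local_port)

    @property
    def dst_port(self) -> int:
        # Port rules match the packet's *destination* port: the local port for
        # inbound packets, the remote port for outbound ones.
        return self.local_port if self.direction == "inbound" else self.peer_port


@dataclass(frozen=True)
class Rule:
    proto: str              # "tcp", "udp" or "-1" for all protocols
    cidr: str               # remote address range the rule applies to
    port_from: int
    port_to: int
    action: str = "allow"   # NACL rules may also be "deny"; Security Groups are allow-only
    number: int = 0         # NACL rule number; ignored for Security Groups

    def matches(self, flow: Flow) -> bool:
        return (self.proto in ("-1", flow.proto)
                and ipaddress.ip_address(flow.peer_ip) in ipaddress.ip_network(self.cidr)
                and self.port_from <= flow.dst_port <= self.port_to)


class NetworkAcl:
    """Stateless: every packet, replies included, is judged only against the rules."""

    def __init__(self, inbound, outbound):
        self.inbound = sorted(inbound, key=lambda r: r.number)
        self.outbound = sorted(outbound, key=lambda r: r.number)

    def allows(self, flow: Flow) -> bool:
        rules = self.inbound if flow.direction == "inbound" else self.outbound
        for rule in rules:              # first matching rule (lowest number) decides
            if rule.matches(flow):
                return rule.action == "allow"
        return False                    # the implicit '*' deny at the end of every NACL


class SecurityGroup:
    """Stateful: a reply to a flow that was already permitted passes regardless of
    the rules in the reply's direction."""

    def __init__(self, inbound, outbound):
        self.inbound, self.outbound = list(inbound), list(outbound)
        self._tracked = set()           # flows admitted by a rule so far

    def allows(self, flow: Flow) -> bool:
        if flow.reply() in self._tracked:
            return True                 # connection tracking lets the answer through
        rules = self.inbound if flow.direction == "inbound" else self.outbound
        if any(rule.matches(flow) for rule in rules):
            self._tracked.add(flow)
            return True
        return False                    # implicit deny


ANY = "0.0.0.0/0"
HTTPS_IN = Rule("tcp", ANY, 443, 443, number=100)
EPHEMERAL_OUT = Rule("tcp", ANY, 1024, 65535, number=100)
BLOCK_NET = Rule("tcp", "203.0.113.0/24", 443, 443, action="deny", number=50)


def demo() -> dict:
    """Constructed scenario: a client at 203.0.113.10 opens HTTPS to the instance."""
    request = Flow("tcp", "inbound", "203.0.113.10", 50000, 443)
    response = request.reply()

    tight_acl = NetworkAcl(inbound=[HTTPS_IN], outbound=[])               # forgot ephemeral ports
    fixed_acl = NetworkAcl(inbound=[HTTPS_IN], outbound=[EPHEMERAL_OUT])
    blocking_acl = NetworkAcl(inbound=[HTTPS_IN, BLOCK_NET], outbound=[EPHEMERAL_OUT])
    sg = SecurityGroup(inbound=[HTTPS_IN], outbound=[])                    # no outbound rules at all

    return {
        "nacl_request": tight_acl.allows(request),                  # True
        "nacl_reply_without_ephemeral": tight_acl.allows(response), # False: stateless
        "nacl_reply_with_ephemeral": fixed_acl.allows(response),    # True
        "nacl_deny_rule_wins": blocking_acl.allows(request),        # False: rule 50 precedes 100
        "sg_request": sg.allows(request),                           # True
        "sg_reply": sg.allows(response),                            # True: stateful
    }


if __name__ == "__main__":
    for name, verdict in demo().items():
        print(f"{name:30} {'ALLOW' if verdict else 'DENY'}")
```

The practical takeaway the model makes visible: when a web tier suddenly times out after a NACL change, check the outbound ephemeral-port rule and the rule ordering first, whereas a Security Group never needs a matching return rule.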
Sharif Nijim couples pragmatic advice with practical examples that educate IT pros on how to create a secure infrastructure within Amazon Web Services. Sharif explores the shared responsibility model of security, which splits duties between your company and AWS, and introduces key identity and access management concepts, including users, groups, roles, and policies. Learn how to configure Identity and Access Management (IAM) and Simple Storage Service (S3) access management, including policies and access control lists. At the end of the course, Sharif helps you prepare for the inevitable audit of your AWS account(s).
This course is also part of a series designed to help you prepare for the AWS Certified SysOps Administrator – Associate certification exam.
- The AWS shared responsibility model and security landscape
- Enabling CloudTrail
- Configuring AWS Identity and Access Management (IAM)
- Configuring IAM users, groups, and policies
- Granting temporary access
- Controlling access to Simple Storage Service (S3)
- Preparing for security audits
- Getting audit help from Trusted Advisor