AWS Solutions Architect Certification - Security

Deep dive into the AWS Solutions Architect Certification from a security perspective. Look at each of the security key concepts AWS Security Key Concepts Introduction AWS Security is designed to provide highly secure, scalable, and robust infrastructure. It involves protecting data, managing identities, securing systems, and complying with regulatory requirements. Key concepts include the Shared Responsibility Model, Identity and Access Management (IAM), encryption, monitoring and logging, network security, and compliance frameworks. Shared Responsibility Model Shared Responsibility Model defines security responsibilities between AWS and the customer: AWS Responsibility: AWS is responsible for "security of the cloud." This includes protecting the infrastructure that runs AWS services (hardware, software, networking, and facilities). Customer Responsibility: Customers are responsible for "security in the cloud." This includes securing the data, identity, and access management, configuring the firewall, and managing encryption. Identity and Access Management (IAM) AWS Identity and Access Management (IAM) allows control over who can access AWS resources: Users, Groups, Roles: Define identities for individuals or applications. Policies: JSON documents that define permissions. Policies can be attached to users, groups, or roles. Access Keys and Multi-Factor Authentication (MFA): Secure access to AWS accounts and resources. Data Protection and Encryption Data protection involves securing data at rest and in transit: Encryption at Rest: AWS provides multiple options for encrypting data stored in AWS services (e.g., S3, RDS, EBS). Keys can be managed by AWS or by customers using AWS Key Management Service (KMS). Encryption in Transit: TLS/SSL encryption is used for data in transit to protect data being transferred to and from AWS services. Monitoring and Logging Monitoring and logging provide visibility into the operations and security of AWS resources: AWS CloudTrail: Records API calls made on your account, including details such as the identity of the caller, time of the call, and the response elements. Amazon CloudWatch: Monitors AWS resources and applications, collects and tracks metrics, and sets alarms. AWS Config: Tracks configuration changes and evaluates configurations against desired states. Network Security Network security involves protecting data, applications, and infrastructure: Virtual Private Cloud (VPC): Isolate AWS resources in a virtual network. VPC provides subnet configuration, routing tables, internet gateways, and more. Security Groups: Act as a virtual firewall for instances to control inbound and outbound traffic. Network Access Control Lists (NACLs): Provide an additional layer of security by controlling traffic to and from subnets. Application Security Application security focuses on protecting applications running on AWS: AWS WAF (Web Application Firewall): Protects web applications from common web exploits. AWS Shield: Provides protection against DDoS attacks. Amazon Inspector: Automated security assessment service to improve the security and compliance of applications deployed on AWS. Security Automation and Response Security automation and response streamline security processes and incident response: AWS Security Hub: Centralized view of security alerts and compliance status across AWS accounts. AWS Lambda: Run code in response to triggers such as changes in data or system state, useful for automated incident response. Compliance and Governance Compliance and governance ensure that AWS environments meet regulatory and organizational requirements: AWS Artifact: Access AWS compliance reports and select online agreements. AWS Organizations: Manage multiple AWS accounts centrally. AWS Config Rules: Automatically check the configuration of AWS resources against desired configurations. Security Best Practices and Advanced Security Features