挨踢小茶 (admin)
This writeup comes from group member 启明. The original was posted on Medium, which is inconvenient to access from within China, so it is reposted here.
Original article: 21 Concepts You Should Know Before Going AWS Certified Security — Specialty Certification (2020)
1. How does AWS secure the CMKs that I create?
AWS KMS is designed so that no one, including AWS employees, can retrieve your plaintext CMKs from the service. The service uses hardware security modules (HSMs) that have been validated under FIPS 140–2, or are in the process of being validated, to protect the confidentiality and integrity of your keys regardless of whether you use AWS KMS or AWS CloudHSM to create your keys or you import them into the service yourself. Your plaintext CMKs never leave the HSMs, are never written to disk and are only ever used in the volatile memory of the HSMs for the time needed to perform your requested cryptographic operation. AWS KMS keys are never transmitted outside of the AWS regions in which they were created.
Source: AWS KMS FAQ
2. Restricting Access to Amazon S3 Content by Using an Origin Access Identity
Granting Permission to an Amazon CloudFront Origin Identity
The following example bucket policy grants a CloudFront Origin Identity permission to get (list) all objects in your Amazon S3 bucket. The CloudFront Origin Identity is used to enable the CloudFront private content feature. The policy uses the Canonical User prefix, instead of AWS, to specify a Canonical User ID. You must specify the canonical user ID for your CloudFront distribution’s origin access identity.
{
    "Version": "2012-10-17",
    "Id": "PolicyForCloudFrontPrivateContent",
    "Statement": [
        {
            "Sid": "Grant a CloudFront Origin Identity access to support private content",
            "Effect": "Allow",
            "Principal": {"CanonicalUser": "CloudFront Origin Identity Canonical User ID"},
            "Action": "s3:GetObject",
            "Resource": "arn:aws:s3:::examplebucket/*"
        }
    ]
}
3. AssumeRoleWithWebIdentity
Returns a set of temporary security credentials for users who have been authenticated in a mobile or web application with a web identity provider. Example providers include Amazon Cognito, Login with Amazon, Facebook, Google, or any OpenID Connect-compatible identity provider.
4. DNS Support in Your VPC
enableDnsSupport
If this attribute is false, the Amazon-provided DNS server that resolves public DNS hostnames to IP addresses is not enabled for the VPC.
5. Getting Credential Reports for Your AWS Account
From IAM you can generate and download a credential report that lists all users in your account and the status of their various credentials, including passwords, access keys, and MFA devices.
6. Working with Trusted IP Lists and Threat Lists
Trusted IP lists consist of IP addresses that you have whitelisted for secure communication with your AWS infrastructure and applications. GuardDuty does not generate findings for IP addresses on trusted IP lists.
7. abort-vault-lock and initiate-vault-lock
initiate-vault-lock
- Installing a vault lock policy on the specified vault.
- Setting the lock state of vault lock to InProgress state
- Returning a lock ID, which is used to complete the vault locking process.
abort-vault-lock
If the vault lock is in the Locked state when this operation is requested, the operation returns an AccessDeniedException error. Aborting the vault locking process removes the vault lock policy from the specified vault.
8. How to Use an External ID When Granting Access to Your AWS Resources to a Third Party
AWS Document about the External ID
9. CloudTrail log file Integrity
The CloudTrail log file integrity validation feature lets you determine whether a CloudTrail log file was unchanged, deleted, or modified since CloudTrail delivered it to the specified Amazon S3 bucket.
10. Amazon Macie
Amazon Macie is an ML-powered security service that helps you prevent data loss by automatically discovering, classifying, and protecting sensitive data stored in Amazon S3.
You can use Amazon Macie to protect against security threats by continuously monitoring your data and account credentials. Amazon Macie gives you an automated and low touch way to discover and classify your business data and detect sensitive information such as personally identifiable information (PII) and credential data.
11. IAM Best Practices for Root User
- Do not use your AWS account root user access key.
- Enable AWS multi-factor authentication (MFA) on your AWS account root user account.
- Don’t use your AWS account root user credentials to access AWS. Instead, create individual users for anyone who needs access to your AWS account.
12. VPC Flow Log Record Example
- An ACCEPT record for the originating ping that was allowed by both the network ACL and the security group, and therefore was allowed to reach your instance.
- A REJECT record for the response ping that the network ACL denied.
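As an added example (not from the original article), the Python below parses the two sample records that follow into the 14 fields of the default version 2 flow log format and flags an accepted flow whose reverse direction was rejected on the same network interface, which is the pattern a stateless network ACL produces when it allows the request but denies the reply.

```python
"""Parse VPC Flow Log (version 2) records and flag rejected return traffic.

Added example, not part of the original article. SAMPLE holds the two
records shown under item 12 (ICMP echo accepted inbound, reply rejected
by the network ACL).
"""

# Field order of the default (version 2) flow log record.
FIELDS = ("version", "account_id", "interface_id", "srcaddr", "dstaddr",
          "srcport", "dstport", "protocol", "packets", "bytes",
          "start", "end", "action", "log_status")
INT_FIELDS = {"version", "srcport", "dstport", "protocol", "packets",
              "bytes", "start", "end"}

SAMPLE = """\
2 123456789010 eni-1235b8ca123456789 203.0.113.12 172.31.16.139 0 0 1 4 336 1432917027 1432917142 ACCEPT OK
2 123456789010 eni-1235b8ca123456789 172.31.16.139 203.0.113.12 0 0 1 4 336 1432917094 1432917142 REJECT OK
"""


def parse_record(line: str) -> dict:
    """Split one space-separated record into a dict, converting numeric fields."""
    parts = line.split()
    if len(parts) != len(FIELDS):
        raise ValueError(f"expected {len(FIELDS)} fields, got {len(parts)}")
    rec = dict(zip(FIELDS, parts))
    for key in INT_FIELDS:
        rec[key] = int(rec[key])
    return rec


def parse_log(text: str) -> list:
    return [parse_record(line) for line in text.splitlines() if line.strip()]


def rejected_replies(records: list) -> list:
    """Return (accepted, rejected) pairs where the reverse direction of an
    accepted flow on the same ENI was rejected. A stateful security group
    never produces this; a stateless network ACL with no outbound rule
    for the reply does."""
    accepted = {(r["interface_id"], r["srcaddr"], r["dstaddr"], r["protocol"]): r
                for r in records if r["action"] == "ACCEPT"}
    pairs = []
    for r in records:
        if r["action"] != "REJECT":
            continue
        reverse = (r["interface_id"], r["dstaddr"], r["srcaddr"], r["protocol"])
        if reverse in accepted:
            pairs.append((accepted[reverse], r))
    return pairs
```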
    2 123456789010 eni-1235b8ca123456789 203.0.113.12 172.31.16.139 0 0 1 4 336 1432917027 1432917142 ACCEPT OK
    2 123456789010 eni-1235b8ca123456789 172.31.16.139 203.0.113.12 0 0 1 4 336 1432917094 1432917142 REJECT OK
13. Control Access to AWS Services in a Single Region Using IAM Policies
...
    "Condition": {
        "StringEquals": {
            "aws:RequestedRegion": "eu-central-1"
        }
    }
...
14. Amazon GuardDuty Data Sources
- VPC Flow Logs
- DNS Logs
- AWS CloudTrail Events
15. IAM Access Key Rotation Using APIs
- GenerateCredentialReport
- GetCredentialReport
- UpdateAccessKey
16. Adding the HTTP Security Headers in Lambda@Edge
'use strict';
exports.handler = (event, context, callback) => {
    // Get contents of response
    const response = event.Records[0].cf.response;
    const headers = response.headers;
    // Set new headers
    headers['strict-transport-security'] = [{key: 'Strict-Transport-Security', value: 'max-age=63072000; includeSubdomains; preload'}];
    headers['content-security-policy'] = [{key: 'Content-Security-Policy', value: "default-src 'none'; img-src 'self'; script-src 'self'; style-src 'self'; object-src 'none'"}];
    headers['x-content-type-options'] = [{key: 'X-Content-Type-Options', value: 'nosniff'}];
    headers['x-frame-options'] = [{key: 'X-Frame-Options', value: 'DENY'}];
    headers['x-xss-protection'] = [{key: 'X-XSS-Protection', value: '1; mode=block'}];
    headers['referrer-policy'] = [{key: 'Referrer-Policy', value: 'same-origin'}];
    // Return modified response
    callback(null, response);
};
Source: Adding HTTP Security Headers Using Lambda@Edge and Amazon CloudFront
17. Rotating Customer Master Keys in KMS
Unsupported CMK types for Automatic key rotation
- Asymmetric CMKs
- CMKs in custom key stores
- CMKs that have imported key material
18. AWS Trusted Advisor
What Trusted Advisor checks and features are available to all AWS customers?
- S3 Bucket Permissions
- Security Groups — Specific Ports Unrestricted
- IAM Use
- MFA on Root Account
- EBS Public Snapshots
- RDS Public Snapshots
How does the Trusted Advisor notification feature work?
The notification email includes a summary of your savings estimates and check status, and highlights any changes in check status.
19. What is AWS Config?
AWS Config is a fully managed service that provides you with an AWS resource inventory, configuration history, and configuration change notifications to enable security and governance. With AWS Config you can discover existing AWS resources, export a complete inventory of your AWS resources with all configuration details, and determine how a resource was configured at any point in time. These capabilities enable compliance auditing, security analysis, resource change tracking, and troubleshooting.
20. Additional Authenticated Data in KMS
EncryptionContext provides three benefits:
- Additional authenticated data (AAD)
- Audit trail
- Authorization context
21. S3 ACL
As a general rule, AWS recommends using S3 bucket policies or IAM policies for access control. S3 ACLs are a legacy access control mechanism that predates IAM. However, if you already use S3 ACLs and find them sufficient, there is no need to change.
Source: IAM Policies and Bucket Policies and ACLs! Oh, My! (Controlling Access to S3 Resources)