SAA - C03 Certification: Security & Encryption
I am a dedicated software engineer with a deep passion for security and a commitment to developing robust and scalable solutions. With over three years of hands-on experience in the .NET ecosystem, I have built, maintained, and optimized various software applications, demonstrating my ability to adapt to diverse project needs. In addition to my expertise in .NET, I have six months of specialized experience working with Spring Boot and ReactJS, further broadening my skill set to include full-stack development and modern web technologies. My professional journey includes deploying small to medium-sized systems to cloud platforms and on-premises environments, where I have ensured reliability, scalability, and efficient resource utilization. This combination of skills and experience reflects my versatility and commitment to staying at the forefront of the ever-evolving tech landscape.
KMS Service
Manages encryption keys
Able to audit KMS usage using CloudTrail
Having three kinds of Keys:
KMS Keys
Symmetric
Asymmetric
KMS Keys
Types of KMS Keys:
AWS Owned Keys (free): SSE-S3, SSE-SQS,…
AWS Managed Keys (free): aws/service-name, ex: aws/rds
Customer-managed keys created in KMS: $1 per month
Customer-managed keys imported: $1 per month
- pay for the API call to KMS ($0.03/10.000 calls)
Automatic Key rotation:
AWS Managed Keys: automatic every 1 year
Customer-managed keys: (must be enabled) automatic & on-demand
Imported KMS key: only manual rotation possible using alias
KMS Multi-Region Keys
Identical KMS Keys in different regions that can be used interchangeably (you can encrypt in one Region and decrypt in Other Regions)
Multi-region keys have the same key ID, key material, and automatic rotation….
KMS multi regions are NOT global (Primary + Replicas)
Use cases: global client-side encryption, encryption on Global DynamoDB, Global Aurora
S3 Replication Encryption Considerations
Unencrypted objects and objects encrypted with SSE-S3 are replicated by default.
Objects encrypted with SSE-C (Customer Key) can be replicated
For objects encrypted with SSE-KMS, you need to enable the option
Specify which KMS key to encrypt the objects
Adapt the KMS Key Policy for the target key
An IAM Role with kms:Decrypt for the source KMS Key and km:Encrypt for the target KMS Key
You might get KMS throttling errors, so you can request a Service Quotas increase.
AMI Sharing Process Encrypted via KMS
Must modify the image attribute to add a Launch Permission
Must share the KMS Keys
The IAM Role/User in the target account must have permission to DescribeKey, ReEncrypted, CreateGrant, and Decrypt.
When launching an EC2 Instance from the AMI, the target account can optionally specify a new KMS Key to re-encrypt the volumes.
SSM Parameter Store
Secure storage for configuration and secrets
Optional Seamless Encryption using KMS
Serverless, scalable, durable, easy SDK
Version tracking
Security through IAM
Notifications with EventBridge
Integration with CloudFormation
Parameters Policies
Allow to assign a TTL to a parameter to force updating or deleting
Can assign multiple policies at a time
AWS Secrets Manager
Overview
Capability to force rotation of secrets every X days
Integration with RDS (MySQL, PostgreSQL, Aurora)
Secrets are encrypted using KMS
Mostly meant for RDS integration
Multi-region Secrets
Secrets Manager keeps reading replicas in sync with the primary Secret
Ability to promote a read replica Secret to a standalone Secret
Use cases: multi-region apps, disaster recovery, multi-region DB,…
AWS Certificate Manager (ACM)
Easily provision, manage, and deploy TLS Certificates
Provision in-flight encryption to for websites (HTTPS)
Supports both public and private TLS Certificates
Free of charge for public TLS Certificates
Automatic TLS certificate renewal
Integration with (load TLS certificates on)
Elastic Load Balancers
CloudFront Distributions
APIs on API Gateway
Cannot use ACM with EC2
Requesting Public Certificates
List domain names to be included in the certificate
Fully Qualified Domain Name (FQDN): corp.example.com
Wildcard Domain: *.example.com
Select Validation Method: DNS Validation or Email Validation
DNS Validation is preferred for automation purposes
Email validation will send emails to contact addressed in the WHOIS database
DNS Validation will leverage a CNAME record to DNS config
It will take a few hours to get verified
The Public Cerfificated will be enrolled for automatic renewal
- ACM automatically renews ACM-generated certificates 60 days before expiry
Importing Public Certificates
No automatic renewal, must import a new certificate before expiry
ACM sends daily expiration events starting 45 days prior to expiration
The # of days can be configured
Events are appearing in EventBridge
AWS Config has a managed rule named acm-certificate-expiration-check to check for expiring certificates
Integration with API Gateway
Create a Custom Domain Name in API Gateway
Edge-Optimized (default): For global clients
Requests are routed through the CloudFront Edge locations (improves latency)
The API Gateway still lives in only one region
The TLS Certificate must be in the same region as CloudFront
Then setup CNAME or (better) A-Alias record in Route53
Regional
For clients in the same region
The TLS Certificates must be imported on API Gateway, in the same region as the API Stage
Then setup CNAME or (better) A-Alias record in Route53
Web Application Firewall (WAF)
Protects web application from common web exploit (Layer 7)
Layer 7 is HTTP (vs Layer 4 is TCP/UDP - WAF does not support this layer)
Deploy on
Application Load Balancer
API Gateway
CloudFront
Cognito User Pool
AppSync GraphSQL API
Define Web ACL Rules: IP Sets, Rate-based rules,…
Web ACL are Regional except for CloudFront
A rule group is a reusable set of rules that you can add to a web ACL
Fixed IP while using WAF with a LB
WAF does not support the Network Load Balancer (Layer 4)
We can use Global Accelerator which provides fixed IPv4 for fixed IP and WAF on the ALB
Shield - DDOS Protection
AWS Shield Standard
Free service that is active for every AWS customer
Provides protection form attacks such as SYN/UDP Floods, Refection attacks and other layer 3/payer 4 attacks
AWS Shield Advanced
Optional DDoS mitigation service ($3000 per month per organization)
Protect against more sophisticated attack on EC2, ELB, CloudFront, AWS Global Accelerator, Route53
24/7 access to AWS DDoS response team
Firewall Manager
Manage rules in all accounts of an AWS Organization
Security policy: common set of security rules
WAF rules
AWS Shield Advanced
Security Group for EC2, ALB
AWS Network Firewall (VPC Level)
Route53 Resolver DNS Firewall
Policies are created at the region level
Rules are applied to new resources as they are created across all and future accounts in Organization
Amazon GuardDuty
Intelligent Threat discovery to protect AWS Account
Uses ML algorithms, anomaly detection, 3rd party data
Input data includes: CloudTrail Events Logs, VPC Flow Logs, DNS Logs,…
Can be setup EventBridgu rules to be notified in case of findings
Can protect against CryptoCurrency attacks
Amazon Inspector
Automated Security Assessments
Used for EC2, Container Images, Lambda
Reporting & Integration with AWS Security Hub
Send findings to EventBridge
Amazon Macie
- Helps identify and alert to sensitive data such as personally identifiable information (PII)