Amazon AWS Certified SysOps Administrator Associate – Security and Compliance for SysOps

  1. [CCP/SAA] Shared Responsibility Model

Welcome to this section on security and compliance. We’re going to start right away with the shared responsibility model. This is something we’ve seen all along this course, but now it is time for us to formally introduce it. AWS’s responsibility is the security of the cloud. That means all the infrastructure they provide to you, which includes the hardware, the software, the facilities and the networking, they have to protect, because this infrastructure runs all the services you are using on AWS. On top of that, any service that is managed by AWS, such as S3, DynamoDB or RDS, is the responsibility of AWS. But once they provide a service to you, how you use that service is your responsibility. So as a customer, you are responsible for the security in the cloud.

So in the case of an EC2 instance, the customer, so you, is responsible for the management of the operating system. That includes patching the operating system and applying updates to it. You must configure the firewall, which means that you must configure, for example, the network ACL and the security group. You also need to make sure that your EC2 instance has the correct IAM permissions through the use of an IAM instance role. Then we also need to ensure that we encrypt the application data according to our compliance requirements.

Then there are some controls that are shared. For example, patch management, configuration management, and awareness and training are shared between you and AWS. For patch management, if you’re using something like RDS, then AWS does the patch management for us, and if we’re using something like EC2, then we have to patch our operating system ourselves. So the control is shared. For awareness and training, AWS has to train their employees to use their physical facilities correctly and to make sure they adhere to their security guidelines.

And you have to make sure to train your employees correctly to use the cloud, and taking this training is obviously one of those ways. Next, let’s look at a specific technology as an example. For RDS, the responsibility of AWS is to manage the underlying EC2 instance and to disable SSH access to it, to automate the database patching, to automate the operating system patching, and to audit the underlying instance and disks to guarantee that it keeps functioning over time. Your responsibility as a user of RDS is to check that the ports, IP addresses and inbound rules in your database security group are set up correctly.

It’s also to make sure that the in-database user creation and the permissions of these users are done the way you want. You also need to decide whether to create a database with or without public access, and if you want to configure the database, you can use parameter groups, for example, to force only encrypted connections. Finally, if you want to encrypt the data within the database, it is again your responsibility to enable it. Next, for Amazon S3, the responsibility of AWS is to guarantee that you get unlimited storage, to guarantee that you get encryption when you enable it, and to ensure the separation of data between all the different customers of AWS.

They also need to make sure that employees of AWS cannot access your data. Your responsibility is to configure your bucket the way you want, to make sure the bucket policy adheres to your standards, and also to use IAM users and roles accordingly. And finally, if you want to encrypt the data, it is your responsibility to enable it and to use the encryption scheme that works for you. So hopefully that makes sense. Here is a diagram from the AWS website which shows that the responsibility for security in the cloud belongs to the customer and the responsibility for security of the cloud belongs to AWS.
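To make the customer side of the RDS and S3 responsibilities concrete, here is an added example (not code from the lecture or from AWS) that audits the settings just listed: a database security group open to the world, a parameter group that does not force TLS, a bucket policy without a deny on non-TLS requests, and a bucket without default encryption. It inspects dictionaries shaped like the boto3 responses for describe_security_groups, describe_db_parameters, get_bucket_policy and get_bucket_encryption; those shapes, and the parameter names rds.force_ssl and require_secure_transport, are assumptions to verify against the AWS documentation for your engine. All sample data is constructed so the script runs without an AWS account.

```python
"""Offline audit of the customer-side RDS and S3 settings the lecture lists.

Added example, not AWS's own code.  Input dictionaries are shaped like the
boto3 responses named in the function docstrings (an assumption to check
against the boto3 docs); the sample data at the bottom is constructed.
"""
import json

# Engine-specific parameter that forces TLS on client connections
# (assumed names: rds.force_ssl for PostgreSQL/SQL Server,
# require_secure_transport for MySQL/MariaDB).
FORCE_SSL_PARAM = {
    "postgres": "rds.force_ssl",
    "sqlserver": "rds.force_ssl",
    "mysql": "require_secure_transport",
    "mariadb": "require_secure_transport",
}


def world_open_ports(describe_security_groups_response):
    """Ports whose inbound rule admits 0.0.0.0/0 or ::/0 (the 'ports and
    inbound rules' check the lecture assigns to the customer)."""
    open_ports = set()
    for sg in describe_security_groups_response.get("SecurityGroups", []):
        for perm in sg.get("IpPermissions", []):
            cidrs = [r.get("CidrIp") for r in perm.get("IpRanges", [])]
            cidrs += [r.get("CidrIpv6") for r in perm.get("Ipv6Ranges", [])]
            if "0.0.0.0/0" in cidrs or "::/0" in cidrs:
                open_ports.add(perm.get("FromPort", "all"))
    return open_ports


def rds_forces_ssl(engine_family, describe_db_parameters_response):
    """True if the parameter group forces encrypted connections."""
    name = FORCE_SSL_PARAM[engine_family]
    for p in describe_db_parameters_response.get("Parameters", []):
        if p.get("ParameterName") == name:
            return str(p.get("ParameterValue", "")).upper() in ("1", "ON", "TRUE")
    return False  # parameter left at its default: TLS optional


def bucket_policy_denies_plaintext(get_bucket_policy_response):
    """True if a Deny statement carries Bool aws:SecureTransport = false,
    the usual way to refuse requests that are not made over TLS."""
    policy = json.loads(get_bucket_policy_response["Policy"])
    statements = policy.get("Statement", [])
    if isinstance(statements, dict):  # a single statement may be a bare object
        statements = [statements]
    for stmt in statements:
        flag = stmt.get("Condition", {}).get("Bool", {}).get("aws:SecureTransport")
        if stmt.get("Effect") == "Deny" and str(flag).lower() == "false":
            return True
    return False


def bucket_default_encryption(get_bucket_encryption_response):
    """The default SSE algorithm ('AES256' or 'aws:kms'), or None if unset."""
    rules = (get_bucket_encryption_response
             .get("ServerSideEncryptionConfiguration", {}).get("Rules", []))
    for rule in rules:
        algo = rule.get("ApplyServerSideEncryptionByDefault", {}).get("SSEAlgorithm")
        if algo:
            return algo
    return None


def audit(engine_family, sgs, db_params, bucket_policy, bucket_encryption):
    """Collect the findings into one list for review."""
    findings = []
    for port in sorted(world_open_ports(sgs), key=str):
        findings.append(f"SG: port {port} open to the world")
    if not rds_forces_ssl(engine_family, db_params):
        findings.append("RDS: parameter group does not force SSL/TLS")
    if not bucket_policy_denies_plaintext(bucket_policy):
        findings.append("S3: bucket policy does not deny non-TLS requests")
    if bucket_default_encryption(bucket_encryption) is None:
        findings.append("S3: no default server-side encryption")
    return findings


# --- constructed sample data: a partially hardened account ----------------
SAMPLE_SGS = {"SecurityGroups": [{"GroupId": "sg-example", "IpPermissions": [
    {"IpProtocol": "tcp", "FromPort": 5432, "ToPort": 5432,
     "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": []},      # weak
    {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
     "IpRanges": [{"CidrIp": "10.0.0.0/16"}], "Ipv6Ranges": []},    # fine
]}]}
SAMPLE_DB_PARAMS = {"Parameters": [
    {"ParameterName": "rds.force_ssl", "ParameterValue": "0"},        # weak
    {"ParameterName": "log_connections", "ParameterValue": "1"},
]}
SAMPLE_BUCKET_POLICY = {"Policy": json.dumps({
    "Version": "2012-10-17",
    "Statement": [{"Sid": "DenyInsecureTransport", "Effect": "Deny",
                   "Principal": "*", "Action": "s3:*",
                   "Resource": ["arn:aws:s3:::example-bucket",
                                "arn:aws:s3:::example-bucket/*"],
                   "Condition": {"Bool": {"aws:SecureTransport": "false"}}}],
})}
SAMPLE_BUCKET_ENCRYPTION = {"ServerSideEncryptionConfiguration": {"Rules": [
    {"ApplyServerSideEncryptionByDefault": {"SSEAlgorithm": "aws:kms"}}]}}

if __name__ == "__main__":
    for f in audit("postgres", SAMPLE_SGS, SAMPLE_DB_PARAMS,
                   SAMPLE_BUCKET_POLICY, SAMPLE_BUCKET_ENCRYPTION):
        print("FINDING:", f)
```

On the constructed account the audit reports two findings, the world-open database port and the parameter group that leaves TLS optional, while the bucket policy and default encryption pass. Each check maps to one item in the lecture’s list of customer responsibilities; AWS’s side (patching the host, separating tenants) is not something you can audit from the API, which is exactly the point of the model.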

So as a customer, your data, the applications, the platform, and identity and access management are up to you, as are the operating system, network and firewall configuration. Then your client-side data encryption, your server-side encryption and your network traffic protection are all yours. AWS in turn is responsible for their software.

So their services, and making sure that the compute, storage, database and networking are working correctly when they are provided to you, and they’re responsible for their hardware and the global infrastructure: the regions, the AZs and the edge locations. Hopefully that makes sense, because the shared responsibility model comes up in at least two to three questions in your exam. So understanding what is your responsibility and what is the responsibility of AWS is very important. I hope that was helpful and I will see you in the next lecture.

  2. [CCP] DDoS, AWS Shield and AWS WAF

Now let’s talk about how we can protect ourselves from a DDoS attack. A DDoS attack is a distributed denial of service attack on our infrastructure, and we’ll see how this works. So say there’s an attacker, a hacker, and they want to run a DDoS attack against our application server. In this case, they’re going to launch multiple master servers, and these servers are going to launch bots.

A lot of bots, and all these bots are going to send requests to our application server. Now, our server is not meant to handle this many requests, so it will be overwhelmed and it will not work anymore. It will be denied service, and therefore any normal user trying to connect to our application server will see that our server is not accessible or not responsive, effectively taking our application down. So a DDoS attack is quite scary when you think about it, but on AWS you can protect yourself from it. The first way is to use AWS Shield Standard, and that’s enabled for all customers at no additional cost.

It will protect you against DDoS attacks for your websites and applications. If you want premium DDoS protection, you have to use AWS Shield Advanced, which gives you 24/7, so 24 hours a day, seven days a week, protection against DDoS. Then you have WAF, the Web Application Firewall, to filter specific requests based on rules. CloudFront and Route 53, which we’ve already seen, give us protection by using the global edge network, and when combined with Shield they provide attack mitigation at the edge locations.

And finally, you need to be ready to scale if you’re under attack, maybe by leveraging Auto Scaling on AWS. So here is what the sample reference architecture for DDoS protection looks like. We have our users, and they will be routed through DNS on Route 53, which is protected by Shield, so your DNS is safe from DDoS attacks. Then you should use a CloudFront distribution to make sure your content is cached at the edge, and it is also protected by Shield. In case you need to filter and protect from an attack, you can use the Web Application Firewall. Then, to serve the application, you can use a load balancer in the public subnet that will scale for you.

And finally, behind the load balancer you should use EC2 instances in an Auto Scaling group to be able to scale to the higher demand. All of this together gives you really good protection against these types of DDoS attacks. Now, let’s do a deep dive into the services I just mentioned. Shield is made of two components. We have Shield Standard, which is a free service that is activated for every AWS customer. It provides you protection against the common DDoS attacks: SYN/UDP floods, reflection attacks and other layer 3 or layer 4 attacks. Then you have Shield Advanced, which is an optional service that costs you about $3,000 per month per organization, and it gives you protection against more sophisticated attacks on your EC2, ELB, CloudFront, Global Accelerator and Route 53.

You also get access to the DDoS Response Team when you need it, to help you protect yourself during these DDoS attacks. And in case you incur some cost because of these attacks, any fees incurred during the attack are on AWS. So for Shield, from an exam perspective, remember that the free version is activated by default for every customer, and if you need the Response Team, or a higher level of defense, then Shield Advanced is something you enable yourself and it costs about $3,000 per month. Next we have the Web Application Firewall, WAF, and this is to protect your web applications from common web exploits at layer 7. Layer 7, as you may remember, is HTTP, whereas layer 4 was for TCP.

So because it is layer 7, it can be deployed only on HTTP-friendly services: on your Application Load Balancer, on your API Gateway (we haven’t seen it, it’s out of scope of the exam) and on CloudFront. On your web application firewall, you define a Web ACL, a Web Access Control List, and the rules on this ACL can include filtering based, for example, on IP addresses, HTTP headers, the body, or specific strings. It can protect you against common attacks such as SQL injection or cross-site scripting. You can have size constraints to make sure the requests are not too big, and you can also block certain countries using a geo match.

Finally, for DDoS protection you can use rate-based rules to count the occurrences of events, saying for example that a user cannot make more than five requests per second, and that helps protect against a DDoS attack. So that’s it, just at a high level. Remember that it is the combination of Shield, WAF, CloudFront and Route 53 that gives you complete DDoS protection. And again, you need to know all these services at a high level. So I hope that was helpful and I will see you in the next lecture.
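To see what a rate-based rule actually does to a flood versus a normal client, here is an added example that is not part of the lecture or of AWS’s tooling. RATE_RULE is shaped like a WAFv2 Web ACL rule with a RateBasedStatement aggregated per source IP, and the Limit of 1500 is the lecture’s “five requests per second” spread over the 5-minute trailing window that rate-based rules use. The evaluation function is a strict sliding-window model of that behaviour (WAF’s own evaluation is periodic and approximate, so treat exact block counts as illustrative), and the request log it runs over is constructed.

```python
"""Local model of a WAF rate-based rule: how per-IP rate limiting blocks a
flood while leaving a normal client untouched.

Added example, not AWS code.  RATE_RULE mirrors the shape of a WAFv2 Web ACL
rule with a RateBasedStatement; evaluate_rate_rule() is a strict
sliding-window approximation of WAF's periodic evaluation, and the traffic
below is constructed.
"""
from collections import defaultdict, deque

WINDOW_SECONDS = 300  # rate-based rules look at a trailing 5-minute window

# The lecture's "no more than five requests per second", expressed over the
# 5-minute window: 5 * 300 = 1500.  AggregateKeyType "IP" means every source
# address gets its own counter.
RATE_RULE = {
    "Name": "limit-per-ip",
    "Priority": 0,
    "Statement": {"RateBasedStatement": {"Limit": 1500, "AggregateKeyType": "IP"}},
    "Action": {"Block": {}},
    "VisibilityConfig": {"SampledRequestsEnabled": True,
                         "CloudWatchMetricsEnabled": True,
                         "MetricName": "limit-per-ip"},
}


def evaluate_rate_rule(requests, rule=RATE_RULE, window=WINDOW_SECONDS):
    """Return {ip: blocked_count} for an iterable of (timestamp_s, source_ip).

    A request is blocked once its source IP already has `Limit` requests
    inside the trailing window.  Blocked requests still count toward the
    window, so a flood stays blocked until it actually slows down.
    """
    limit = rule["Statement"]["RateBasedStatement"]["Limit"]
    recent = defaultdict(deque)      # ip -> timestamps still inside the window
    blocked = defaultdict(int)
    for ts, ip in sorted(requests):  # log lines may arrive out of order
        q = recent[ip]
        while q and ts - q[0] >= window:
            q.popleft()              # age out requests older than the window
        if len(q) >= limit:
            blocked[ip] += 1
        q.append(ts)
    return dict(blocked)


def constructed_traffic():
    """Constructed sample: one legitimate browser and one flooding source."""
    reqs = []
    # Legitimate client: a burst of 10 requests every 30 seconds for 5 minutes
    # (100 requests in total, far below the limit).
    for t in range(0, 300, 30):
        reqs.extend((t + i * 0.1, "198.51.100.7") for i in range(10))
    # Flood: 20 requests per second for 2 minutes = 2400 requests from one IP,
    # so the first 1500 pass and the remaining 900 are blocked.
    for t in range(0, 120):
        reqs.extend((t + i / 20, "203.0.113.99") for i in range(20))
    return reqs


if __name__ == "__main__":
    for ip, count in evaluate_rate_rule(constructed_traffic()).items():
        print(f"{ip}: {count} requests blocked by {RATE_RULE['Name']}")
```

The legitimate client never appears in the result because its counter stays at 100; the flooding source is blocked for every request after its 1500th. Note that the rule only ever acts per source IP, which is why the lecture pairs WAF with Shield, CloudFront and Route 53 rather than relying on it alone: a flood spread over many addresses needs the edge network and Shield’s layer 3/4 mitigation as well.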
