SCS-C01 Amazon AWS Certified Security Specialty – Important points for Exams part 2

  1. Important Pointers – Domain 4

Hey everyone and welcome back. In today’s video we will be discussing some of the important pointers for the exam for this domain. The first and very important part you need to remember is Identity and Access Management. You should expect a lot of questions related to troubleshooting IAM policies, so be very familiar with writing IAM policies. Also be aware of the IAM policy evaluation logic: you should know what a default (implicit) deny is versus an explicit deny, and which one takes precedence. We already have a good number of videos covering all of this, so I would recommend you go through them. Now, in terms of S3, understanding the presigned URL is again very important.

So basically a presigned URL allows us to create a time-limited URL for an object within a private S3 bucket. Let’s assume you have an object within a private S3 bucket which you want a user on the internet to be able to download. You will not give them an access key and secret key to do that. Instead you create a presigned URL and send it to the user, and when the user clicks on it they will be able to download or access that object. Along with that, you should be able to read S3 bucket policies. Again, there will be a few troubleshooting questions you can expect, specifically related to the cross-account bucket policy use case. Now, if you remember the bucket-owner-full-control ACL, this is extremely important.
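As an added example (not part of the course material), here is how a presigned URL is actually built, with the SigV4 query-string signing done by hand rather than through an SDK, so you can see why the URL alone is enough to fetch a private object and why it stops working after X-Amz-Expires seconds. The bucket, key, region, credentials and clock value are all constructed placeholders.

```python
"""Build and check an S3 pre-signed GET URL (SigV4 query-string auth).

Added example: a from-scratch stand-in for what the SDKs do in
generate_presigned_url, so the moving parts are visible. Every name below
(bucket, key, region, credentials, timestamp) is a constructed placeholder.
"""
import hashlib
import hmac
from datetime import datetime, timedelta, timezone
from urllib.parse import parse_qs, quote, urlparse

REGION = "us-east-1"
BUCKET = "example-private-bucket"                 # constructed
KEY = "reports/quarterly.pdf"                     # constructed
ACCESS_KEY_ID = "AKIAEXAMPLEEXAMPLE00"            # constructed, not a real key
SECRET_KEY = "example-secret-key-do-not-use"      # constructed
NOW = datetime(2024, 1, 15, 12, 0, 0, tzinfo=timezone.utc)  # fixed clock for a stable demo
MAX_EXPIRES = 7 * 24 * 3600                       # SigV4 pre-signed URLs cannot live longer than 7 days


def _hmac(key: bytes, msg: str) -> bytes:
    return hmac.new(key, msg.encode(), hashlib.sha256).digest()


def signing_key(secret: str, date: str, region: str, service: str) -> bytes:
    """SigV4 key derivation: HMAC chain over date, region, service, terminator."""
    key = _hmac(("AWS4" + secret).encode(), date)
    key = _hmac(key, region)
    key = _hmac(key, service)
    return _hmac(key, "aws4_request")


def presign_get(bucket: str, key: str, expires_in: int, now: datetime = NOW,
                access_key_id: str = ACCESS_KEY_ID, secret: str = SECRET_KEY,
                region: str = REGION) -> str:
    """Return a time-limited GET URL for a private object; the secret key never leaves the signer."""
    if not 1 <= expires_in <= MAX_EXPIRES:
        raise ValueError("X-Amz-Expires must be between 1 second and 7 days")
    amz_date = now.strftime("%Y%m%dT%H%M%SZ")
    scope = f"{amz_date[:8]}/{region}/s3/aws4_request"
    host = f"{bucket}.s3.{region}.amazonaws.com"
    path = "/" + quote(key, safe="/")
    params = {
        "X-Amz-Algorithm": "AWS4-HMAC-SHA256",
        "X-Amz-Credential": f"{access_key_id}/{scope}",
        "X-Amz-Date": amz_date,
        "X-Amz-Expires": str(expires_in),
        "X-Amz-SignedHeaders": "host",
    }
    # Canonical query string: keys sorted, everything percent-encoded.
    canonical_query = "&".join(
        f"{quote(k, safe='')}={quote(v, safe='')}" for k, v in sorted(params.items())
    )
    # Canonical request: only the Host header is signed; the payload is unsigned for a GET.
    canonical_request = "\n".join([
        "GET",
        path,
        canonical_query,
        f"host:{host}\n",      # canonical headers block, then the blank separator line
        "host",
        "UNSIGNED-PAYLOAD",
    ])
    string_to_sign = "\n".join([
        "AWS4-HMAC-SHA256",
        amz_date,
        scope,
        hashlib.sha256(canonical_request.encode()).hexdigest(),
    ])
    signature = hmac.new(signing_key(secret, amz_date[:8], region, "s3"),
                         string_to_sign.encode(), hashlib.sha256).hexdigest()
    return f"https://{host}{path}?{canonical_query}&X-Amz-Signature={signature}"


def is_expired(url: str, now: datetime) -> bool:
    """Expiry is carried in the URL itself: X-Amz-Date plus X-Amz-Expires seconds."""
    query = parse_qs(urlparse(url).query)
    issued = datetime.strptime(query["X-Amz-Date"][0], "%Y%m%dT%H%M%SZ").replace(tzinfo=timezone.utc)
    return now >= issued + timedelta(seconds=int(query["X-Amz-Expires"][0]))


if __name__ == "__main__":
    url = presign_get(BUCKET, KEY, 3600)
    print(url)
    print("expired 30 minutes later?", is_expired(url, NOW + timedelta(minutes=30)))
```

Nothing here contacts AWS; run it to print the URL. The property worth noticing is that the receiver gets only the signature, never the secret key, and that X-Amz-Date and X-Amz-Expires are part of what is signed, so editing the expiry in the URL invalidates the signature.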

Do you know what this is? If you do not, I would really encourage you to go through the video on cross-account bucket policies. Once again, it is very important to understand this before you sit for the exam. Along with that, remember that there are three ways to assign permissions in S3: one is through IAM, the second is through S3 ACLs and the third is through bucket policies. Now, important pointer number two: you need to understand cross-account IAM roles. You should be aware of each and every step required to create a cross-account IAM role. In the exam you might get a question saying a user has created a cross-account IAM role but there are some issues, and they will give you the policy.

So make sure you know what the policy in a cross-account IAM role should contain, as well as the step-by-step process. Now, in terms of federation, again you need to understand the step-by-step process and the exact flow of how federation is established. Specifically in the beta exams that were launched earlier, federation was one of the very important topics and there used to be a lot of questions on it. So this is a very important part to remember: do know what federation is and the step-by-step process. Along with that, you should be very familiar with the federation components like identity broker, service provider and identity provider. In the exam you might get terminology like this, so you should understand what each of these components is. You should also understand what web identity federation is.

This is very important. We can make use of AWS Cognito for web identity federation. Basically, if someone wants to log in through a public identity provider like Facebook, Google or Amazon, then web identity federation is the right option for you. This is used when, say, your mobile application wants to store data like quiz reviews in DynamoDB or S3: you will not hard-code an access key and secret key within the mobile application. Instead you make use of web identity federation, where the user signs in to your app through the public identity provider (Facebook, Google, Amazon and others), and whatever credentials they receive through web identity federation, your mobile application can use to store the data in DynamoDB or S3.

Now coming to AWS Directory Service, you should understand the difference between Simple AD, Microsoft AD and AD Connector. This is a very important part to remember. You should also be prepared for troubleshooting related to AD integration, for example when you integrate your AD with an EC2 instance for authentication; you should know the troubleshooting steps. Among them, one specific step you must remember is that when you integrate an EC2 instance with Active Directory, the DNS of that EC2 instance should point to the IP address of the AD server.

This is one important pointer that you must remember. Many times in the exam you might get a scenario where the integration from the EC2 instance to AD is in place but login is still not working: what might be the issue? The issue might be DNS, in that the system administrator has not pointed the DNS to the AD IP. Last but not least, AWS Organizations is also important. Do know that it provides two options when you enable it: one is consolidated billing and the second is all features. With all features you will be able to restrict a lot of things in the child accounts by implementing centralized policies within your AWS Organizations parent account.
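The policy evaluation logic from the start of this domain, the cross-account bucket policy that requires bucket-owner-full-control, and the Organizations "all features" restriction all come down to the same decision rules, so one added example covers all three. It is a toy evaluator written for this page, not AWS code or the course's own material: it implements default deny, Allow, and explicit-Deny precedence, a StringEquals condition, and an SCP layer on top. The policies, account id and bucket name are constructed samples; Principal matching and the two-sided cross-account check are deliberately left out.

```python
"""Toy evaluator for the IAM policy decision logic the exam keeps asking about.

Added example, not AWS code. It implements the three rules from the video:
  1. everything is denied unless some statement allows it (implicit/default deny),
  2. an Allow in any matching statement grants the request,
  3. an explicit Deny in any matching statement beats every Allow,
plus an Organizations SCP layer: an account can do only what the SCP allows
AND its own policies allow. Conditions support StringEquals only, which is
enough to model a cross-account bucket policy that requires the
bucket-owner-full-control ACL. Principal matching and the two-sided
cross-account evaluation are deliberately not modelled.
"""
from fnmatch import fnmatchcase


def _as_list(value):
    """Policy JSON allows a string or a list in most places; normalise to a list."""
    return value if isinstance(value, list) else [value]


def _matches(patterns, value):
    """IAM wildcards: '*' matches any run of characters, '?' exactly one."""
    return any(fnmatchcase(value, p) for p in _as_list(patterns))


def _conditions_hold(statement, context):
    """StringEquals only; a key missing from the request context makes the condition false."""
    for key, expected in statement.get("Condition", {}).get("StringEquals", {}).items():
        if context.get(key) not in _as_list(expected):
            return False
    return True


def evaluate(policies, action, resource, context=None):
    """Return 'Allow', 'ExplicitDeny' or 'ImplicitDeny' for a single request."""
    context = context or {}
    allowed = False
    for policy in policies:
        for statement in _as_list(policy["Statement"]):
            if not _matches(statement["Action"], action):
                continue
            if not _matches(statement.get("Resource", "*"), resource):
                continue
            if not _conditions_hold(statement, context):
                continue
            if statement["Effect"] == "Deny":
                return "ExplicitDeny"       # rule 3: nothing can override this
            allowed = True                  # rule 2: remember it, but keep looking for a Deny
    return "Allow" if allowed else "ImplicitDeny"   # rule 1


def effective_decision(scp, identity_policies, action, resource, context=None):
    """SCPs are a guardrail, not a grant: the SCP and the account's own policies must both allow."""
    guard = evaluate([scp], action, resource, context)
    if guard != "Allow":
        return guard
    return evaluate(identity_policies, action, resource, context)


# Constructed sample policies; the account id and bucket name are placeholders.
CROSS_ACCOUNT_BUCKET_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Allow",
        "Principal": {"AWS": "arn:aws:iam::111111111111:root"},
        "Action": "s3:PutObject",
        "Resource": "arn:aws:s3:::example-shared-bucket/*",
        # Uploads from the other account are accepted only if they hand the
        # bucket owner full control; otherwise the owner could not read them.
        "Condition": {"StringEquals": {"s3:x-amz-acl": "bucket-owner-full-control"}},
    }],
}

IDENTITY_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow", "Action": "s3:*", "Resource": "*"},
        {"Effect": "Deny", "Action": "s3:DeleteObject",
         "Resource": "arn:aws:s3:::example-shared-bucket/*"},
    ],
}

ADMIN_POLICY = {"Version": "2012-10-17",
                "Statement": {"Effect": "Allow", "Action": "*", "Resource": "*"}}

# SCP for a child account in an "all features" organization: keep the default
# FullAWSAccess grant but forbid turning CloudTrail off, even for account admins.
ORG_SCP = {
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow", "Action": "*", "Resource": "*"},
        {"Effect": "Deny", "Action": ["cloudtrail:StopLogging", "cloudtrail:DeleteTrail"],
         "Resource": "*"},
    ],
}

if __name__ == "__main__":
    obj = "arn:aws:s3:::example-shared-bucket/report.csv"
    print("PutObject with BOFC ACL  :", evaluate([CROSS_ACCOUNT_BUCKET_POLICY], "s3:PutObject", obj,
                                             {"s3:x-amz-acl": "bucket-owner-full-control"}))
    print("PutObject without ACL    :", evaluate([CROSS_ACCOUNT_BUCKET_POLICY], "s3:PutObject", obj))
    print("DeleteObject as identity :", evaluate([IDENTITY_POLICY], "s3:DeleteObject", obj))
    print("Admin stops CloudTrail   :", effective_decision(ORG_SCP, [ADMIN_POLICY], "cloudtrail:StopLogging", "*"))
```

The two cases worth staring at are the ones the troubleshooting questions turn on: the cross-account upload that lacks the bucket-owner-full-control ACL is not explicitly denied, it simply never matches an Allow and falls through to the default deny; and the account administrator with a full Allow still gets an explicit deny on StopLogging because the SCP is evaluated first.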

  2. Important Pointers – Domain 5

Hey everyone, and welcome back. In today’s video we will be discussing some of the important pointers for domain five of the Security Specialty certification exam. Important pointer one is AWS Certificate Manager. Basically, you need to understand the two ways in which certificates in ACM can be issued: first through email verification, and second through DNS verification. Along with that, you also need to remember that if you get a certificate issued for example.com, that certificate will not work for test.example.com, or for that matter any subdomain within example.com. If you want a certificate that works for the subdomains, it is recommended to get a wildcard certificate, which is *.example.com. So basically there will be two certificates.

One is for example.com, or whichever root domain you have, and the second is for the subdomains, which is the wildcard certificate. Now, the second important pointer to remember is CloudHSM. CloudHSM is single-tenant, which basically means it is a single physical device only for you, or only for the specific customer who is using it. That device needs to be used within a VPC. We can integrate CloudHSM with Redshift and even RDS for Oracle. Now, for fault tolerance: if you use just a single CloudHSM and that HSM goes down for some reason, then whatever secrets you have in it, you will not be able to access them until the HSM is back up. So if you are using HSM there should be fault tolerance, and for that to work you need to build a cluster, which requires at least two CloudHSM appliances.
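To make the root-versus-wildcard point concrete, here is an added example (not from the course and not ACM code) that applies the standard TLS hostname-matching rules to the two certificates just described: a wildcard label stands for exactly one DNS label, so *.example.com covers test.example.com but neither example.com itself nor a.b.example.com. The domain names are constructed placeholders.

```python
"""Which certificate covers which hostname: the root-vs-wildcard rule from the video.

Added example, not ACM code. The matching rules are the standard TLS hostname
rules (RFC 6125 style): a wildcard label covers exactly one DNS label, so
'*.example.com' covers 'test.example.com' but neither 'example.com' nor
'a.b.example.com'. Domain names are constructed placeholders.
"""


def name_matches(cert_name: str, hostname: str) -> bool:
    """True if a single certificate name (CN or SAN dNSName) covers hostname."""
    cert_name = cert_name.lower().rstrip(".")
    hostname = hostname.lower().rstrip(".")
    if not cert_name.startswith("*."):
        return cert_name == hostname              # plain name: exact match only
    suffix = cert_name[1:]                        # '*.example.com' -> '.example.com'
    if not hostname.endswith(suffix):
        return False
    leftmost = hostname[: -len(suffix)]           # the part the '*' would stand for
    # must be exactly one non-empty label: no bare domain, no extra dots
    return leftmost != "" and "." not in leftmost


def covered_by(cert_names, hostname: str) -> bool:
    """True if any name on one certificate covers hostname."""
    return any(name_matches(n, hostname) for n in cert_names)


def which_cert_covers(certs, hostname: str):
    """Return the name list of the first certificate that covers hostname, else None."""
    for names in certs:
        if covered_by(names, hostname):
            return names
    return None


# The two certificates the video describes, as their subject names (constructed).
ROOT_CERT = ["example.com"]
WILDCARD_CERT = ["*.example.com"]

if __name__ == "__main__":
    for host in ["example.com", "test.example.com", "api.example.com",
                 "a.b.example.com", "badexample.com"]:
        print(f"{host:20} -> {which_cert_covers([ROOT_CERT, WILDCARD_CERT], host)}")
```

Running it shows why the bare domain and the subdomains need separate coverage: a.b.example.com is covered by neither certificate, which is the kind of detail that shows up as a "certificate not trusted" troubleshooting question.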

Now, AWS basically uses the SafeNet Luna SA 7000 HSM for CloudHSM, so you need to remember the name SafeNet Luna SA 7000. Coming to important pointer number three, container security. Container security is not really covered in detail in the Security Specialty; it is not really expected that a candidate attending the exam knows much about containers. But you need to know, at a high-level overview, the generic steps recommended for container security. The first step is that you should run containers in a protected network to prevent unauthorized access. Second, you should sanitize logs and output files for any retrieved secrets. Many times, for applications dealing with sensitive data, if you look into the log files they will also contain some of that sensitive data.

So it is very important that you sanitize the logs for any secrets. Third, modification of containers should not be allowed in production. Whatever container image you have, let’s say a hardened container image in your repo, pulling that image and then modifying it locally in production is something that should not be done. And the last and important point here is that you should make use of parameterized code, so containers do not have secrets inside them. You can store the secrets in S3 or Parameter Store, and whenever the container gets deployed it can pull the secrets from S3 or Parameter Store. Now, coming to the next important area, DynamoDB security: you need to remember that you can make use of the DynamoDB Encryption Client library to encrypt data at the origin before it is stored in DynamoDB.
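The second container step, sanitizing logs for secrets, is the one that is easiest to show in code. The following is an added example written for this page (not from the course): a small redaction pass that covers the kinds of secrets an AWS workload most often spills into a log line (access key ids, key=value secrets, HTTP Authorization headers, and the signature of a presigned URL), run over a few constructed log lines. The pattern list, the sample lines and every value in them are constructed.

```python
"""Sanitize application logs before they leave the container (added example).

Not from the course; a small redaction pass that covers the kinds of secrets an
AWS workload is most likely to spill into a log line: access key ids, key=value
secrets, HTTP Authorization headers and the signature part of a pre-signed URL.
Pattern coverage is deliberately narrow and explicit, so every redaction is
explainable. All sample lines and values are constructed.
"""
import re

REDACTIONS = [
    # AWS access key ids: long-term keys start with AKIA, temporary ones with ASIA.
    (re.compile(r"\b(AKIA|ASIA)[A-Z0-9]{16}\b"), r"\1****REDACTED****"),
    # key=value / key: value secrets; keep the key name so the log stays searchable.
    (re.compile(r"(?i)\b(aws_secret_access_key|secret_key|password|passwd|token)\s*([=:])\s*\S+"),
     r"\1\2[REDACTED]"),
    # HTTP Authorization headers (Bearer tokens, Basic credentials, SigV4 headers).
    (re.compile(r"(?i)\b(authorization:\s*)(?:bearer|basic|aws4-hmac-sha256)\s+\S+"), r"\1[REDACTED]"),
    # The signature of a pre-signed S3 URL: with it, the whole URL is a credential.
    (re.compile(r"(X-Amz-Signature=)[0-9a-fA-F]{64}"), r"\1[REDACTED]"),
]


def sanitize_line(line: str) -> str:
    """Apply every redaction pattern to one log line."""
    for pattern, replacement in REDACTIONS:
        line = pattern.sub(replacement, line)
    return line


def sanitize(lines):
    """Sanitize a whole log, preserving line order."""
    return [sanitize_line(line) for line in lines]


def leaked_line_count(lines) -> int:
    """How many lines would have shipped a secret; useful as a CI gate or a metric."""
    return sum(1 for line in lines if sanitize_line(line) != line)


SAMPLE_LOG = [  # constructed lines, not from any real system
    "2024-01-15T12:00:01Z INFO worker starting, aws_access_key_id=AKIAEXAMPLEEXAMPLE00",
    "2024-01-15T12:00:01Z DEBUG env dump: AWS_SECRET_ACCESS_KEY=wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY",
    "2024-01-15T12:00:02Z DEBUG outbound headers: Authorization: Bearer eyJhbGciOiJIUzI1NiJ9.constructed.token",
    "2024-01-15T12:00:03Z INFO fetched https://example-private-bucket.s3.us-east-1.amazonaws.com/q.pdf"
    "?X-Amz-Algorithm=AWS4-HMAC-SHA256&X-Amz-Signature=" + "ab" * 32,
    "2024-01-15T12:00:04Z INFO processed 42 records",
]

if __name__ == "__main__":
    for before, after in zip(SAMPLE_LOG, sanitize(SAMPLE_LOG)):
        marker = "!" if before != after else " "
        print(marker, after)
    print("lines that carried a secret:", leaked_line_count(SAMPLE_LOG))
```

The design choice is to redact values but keep the key names and the rest of the URL, so the sanitized log is still useful for debugging and the count of redacted lines doubles as a signal that some component is logging things it should not.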

So this is important: whenever you have a question where you want to encrypt the data at the origin, the DynamoDB Encryption Client library is the right answer. Whenever you have an option where you want to encrypt the data at rest, DynamoDB supports server-side encryption, and in that case the DynamoDB Encryption Client library is not a very valid option. Now, coming to important pointer number four, CloudTrail encryption. By default, the log files delivered by CloudTrail to the S3 bucket are encrypted with server-side encryption, but you can make use of SSE-KMS as well. Let me quickly show you this. I am in my CloudTrail dashboard; if I go to Trails and quickly create a new trail, within the Advanced section you have the option of encrypting the log files with SSE-KMS.

And if you enable this, you can specify an existing KMS key, or you can even create a new KMS key. So this is the option that you have. Next is Kinesis encryption. Earlier, the in-transit traffic used to be encrypted, because it is an HTTPS connection; however, whatever data was stored at rest in Kinesis was not encrypted. So AWS came up with a feature for encrypting the data at rest with the help of server-side encryption in Kinesis. Just remember this specific aspect. Now, important pointer number five is KMS, KMS and KMS. If you were to ask me what is the one topic in the exam that is extremely important, my answer would be KMS. So be thorough with all the videos that we have created for KMS; we have gone into great detail in the KMS section.

Also, be very thorough with KMS key policies. We in fact have three videos covering various use cases of KMS key policies, so make sure you understand KMS key policies and how they work. Now, important pointer number six is the Glacier vault. Specifically, remember the Vault Lock feature of Glacier: whatever policies you create in Vault Lock are immutable, which means you cannot edit them further, and this helps a lot with compliance. One more important pointer that you must remember is the Elastic Load Balancer. You need to understand the difference between the various ELB listener types, so how TCP and SSL listeners differ from HTTP and HTTPS listeners. This is one important point that you need to remember. Again, we have a separate video entirely for that, so go back and go through it.

You should also remember that Elastic Load Balancer supports perfect forward secrecy, and we need to enable the ECDHE key exchange for that. Also understand the high-level overview of the proxy protocol as well as back-end authentication in ELB. Now, important pointer number seven is the classic EBS use case. You need to understand this use case before you sit for the exam. Let’s say you have an EBS volume encrypted with a KMS key, the volume is attached to an EC2 instance, and everything is working correctly. Now someone goes ahead and deletes the KMS key the EBS volume was encrypted with. What will happen, and how can you go about it? The answer is: since the EBS volume is already mounted, you will still be able to access the data.

So make sure you do not unmount the EBS volume; back up your data quickly and restore it to a new EBS volume. Make sure the EBS volume does not get unmounted, because if it gets unmounted and you mount it again, it will stop working. And I guess we have one more section on Elastic Load Balancer; I think this is a repeat, but the last pointer is something important: ELB can be used for SSL offloading. Let’s say you have an ELB and an EC2 instance behind it, and the client connection is an SSL connection. What you want is for the entire SSL connection to be terminated and managed at the ELB level, and that is supported by ELB. So from the ELB to the back-end EC2 instance the traffic is unencrypted, but between the ELB and the public internet the traffic is encrypted. This is also referred to as SSL offloading. It is done when you set the ELB listener to HTTPS and the back-end protocol to HTTP.
