AWS Solution Architect Associate (SAA-C02) Review Material – Security Services/Tools

SSM Parameter Store

  • Part of AWS Systems Manager
  • Stores configuration values and secrets as parameters; SecureString values are encrypted with a KMS key (the AWS managed key aws/ssm or a customer managed key)
  • Stores parameters in a hierarchy (e.g. /MyApp/db/connection , /MyApp/db/user ), so one GetParametersByPath call can fetch a whole subtree and IAM policies can be scoped to a path prefix
  • Has 3 data types:
    • String (un-encrypted)
    • StringList – a comma-separated list of strings (un-encrypted)
    • SecureString (encrypted with KMS; read back with WithDecryption=true, which also requires the caller to be allowed to decrypt with that key)
  • Has 2 tiers:
    1. Standard
      • No charge for storage; standard-throughput API calls are free, higher throughput is charged
      • Stores up to 10,000 parameters per account and Region
      • Max size of a parameter value is 4 KB
      • Has NO parameter policies
    2. Advanced
      • Charged per parameter per month, plus API calls
      • Stores up to 100,000 parameters per account and Region
      • Max size of a parameter value is 8 KB
      • Supports parameter policies (i.e. can specify an expiration/TTL, an expiration notification, or a no-change notification)
  • A standard parameter can be upgraded to advanced, but an advanced parameter cannot be changed back to standard
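The two things that bite people with the hierarchy are the ARN form used in IAM (the parameter name's leading slash is the separator after `parameter`) and forgetting `WithDecryption` when reading SecureStrings. The following is an added example, not code from the original notes: it builds a path-scoped read-only policy and reads a subtree with pagination. The account id, Region, KMS key ARN and parameter names are hypothetical, and FakeSSM is a constructed stand-in for boto3's SSM client so the read path runs offline.

```python
"""Scoping access to one Parameter Store hierarchy and reading it back.

Added example (not from the original notes). The account id, Region,
KMS key ARN and parameter names are hypothetical; FakeSSM is a constructed
stand-in for boto3's SSM client so the read path runs offline.
"""
import json


def parameter_arn(region: str, account_id: str, name: str) -> str:
    """ARN of a parameter. The resource part is "parameter" + name, so the
    name's leading "/" supplies the separator: /MyApp/db/user becomes
    ...:parameter/MyApp/db/user (a common mistake is writing parameter//...)."""
    if not name.startswith("/"):
        name = "/" + name
    return f"arn:aws:ssm:{region}:{account_id}:parameter{name}"


def build_reader_policy(region, account_id, path_prefix, kms_key_arn=None):
    """Least-privilege IAM policy: read-only on everything under path_prefix.
    kms:Decrypt is added only when SecureStrings use a customer managed key
    (passed as kms_key_arn); without it GetParameter with WithDecryption fails."""
    prefix = path_prefix if path_prefix.startswith("/") else "/" + path_prefix
    prefix = prefix.rstrip("/")
    statements = [{
        "Sid": "ReadHierarchy",
        "Effect": "Allow",
        "Action": ["ssm:GetParameter", "ssm:GetParameters",
                   "ssm:GetParametersByPath"],
        "Resource": [parameter_arn(region, account_id, prefix),
                     parameter_arn(region, account_id, prefix + "/*")],
    }]
    if kms_key_arn:
        statements.append({"Sid": "DecryptSecureStrings", "Effect": "Allow",
                           "Action": "kms:Decrypt", "Resource": kms_key_arn})
    return {"Version": "2012-10-17", "Statement": statements}


def fetch_hierarchy(path: str, client=None) -> dict:
    """Return {name: value} for every parameter under path, following
    NextToken pagination (a page holds at most 10 parameters) and decrypting
    SecureStrings. client is injectable so the logic runs without credentials."""
    if client is None:
        import boto3  # imported lazily so the module loads without boto3
        client = boto3.client("ssm")
    values, token = {}, None
    while True:
        kwargs = {"Path": path, "Recursive": True, "WithDecryption": True}
        if token:
            kwargs["NextToken"] = token
        page = client.get_parameters_by_path(**kwargs)
        for p in page["Parameters"]:
            values[p["Name"]] = p["Value"]
        token = page.get("NextToken")
        if not token:
            return values


class FakeSSM:
    """Constructed stand-in for boto3's SSM client: two pages, one SecureString."""
    _pages = {
        None: {"Parameters": [{"Name": "/MyApp/db/connection", "Type": "String",
                               "Value": "db.internal:5432"}],
               "NextToken": "page2"},
        "page2": {"Parameters": [
            {"Name": "/MyApp/db/user", "Type": "String", "Value": "app"},
            {"Name": "/MyApp/db/password", "Type": "SecureString",
             "Value": "s3cr3t"}]},
    }

    def get_parameters_by_path(self, **kwargs):
        # Without WithDecryption=True a real client returns SecureString
        # values as KMS ciphertext, which is the usual "why is my password
        # garbage" bug.
        assert kwargs.get("WithDecryption") is True
        return self._pages[kwargs.get("NextToken")]


def demo() -> dict:
    return fetch_hierarchy("/MyApp/db", client=FakeSSM())


if __name__ == "__main__":
    key = "arn:aws:kms:us-east-1:123456789012:key/11111111-2222-3333-4444-555555555555"
    print(json.dumps(build_reader_policy("us-east-1", "123456789012",
                                         "/MyApp/db", key), indent=2))
    print(demo())
```

The policy lists the prefix itself as well as `prefix/*`, because GetParametersByPath is authorized against the path resource while GetParameter is authorized against the individual parameter.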

Shield

  • Managed DDoS protection service
  • 2 tiers:
    • Standard
      • Enabled automatically for all AWS customers
      • Free of charge
      • Protects against the most common network and transport layer (Layer 3 and 4) attacks; when used with CloudFront, Route 53 and Global Accelerator it provides comprehensive availability protection against all known infrastructure (Layer 3 and 4) attacks
    • Advanced
      • Paid subscription with a 1-year commitment
      • Provides higher levels of protection against attacks on:
        1. EC2 (Elastic IPs)
        2. ELB
        3. Route 53
        4. CloudFront
        5. Global Accelerator
      • Includes AWS WAF at no additional cost for the protected resources, 24x7 access to the AWS DDoS Response Team, and cost protection against usage spikes caused by a DDoS attack

Macie

  • Fully managed data security and data privacy service
  • Uses machine learning and pattern matching to discover sensitive data in S3, such as personally identifiable information (PII), and to flag buckets that are public, unencrypted or shared outside the account
  • Findings are sent to EventBridge (formerly CloudWatch Events) and Security Hub, so they can trigger notifications or automated remediation

WAF

  • Protects your web applications or APIs against common web exploits and bots
  • Works on Layer 7 (HTTP/HTTPS) only
  • Attaches to the following AWS services (AppSync GraphQL APIs were added later):
    1. CloudFront (global)
    2. ALB (regional)
    3. API Gateway (regional)
  • Uses a Web ACL (Web Access Control List) of rules for fine-grained control over all HTTP(S) web requests. Rules can match on:
    • Country of origin (geo match)
    • Source IP (IP sets)
    • HTTP body, query string, URI, headers, method (string and regex match)
    • XSS patterns
    • SQL injection patterns
    • Request rate (rate-based rule) – blocks a source IP that exceeds a request threshold within a trailing 5-minute window; a simple Layer 7 DDoS mitigation
  • Each rule has an action (Allow, Block or Count); Count mode is the safe way to trial a rule before it blocks real users
  • Can integrate with Firewall Manager to centrally manage WAF rules, Shield Advanced protections and security groups across an AWS Organization
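To make the rule types concrete, here is an added example (not code from the original notes) that builds three WAFv2 rules in the dictionary shape `create_web_acl` accepts, and models offline what a rate-based rule does with a trailing 5-minute window. Rule names, limits and the traffic sample are constructed; nothing in it calls AWS.

```python
"""WAFv2 Web ACL rules and what a rate-based rule actually does.

Added example (not from the original notes). The rule names, limits and
the traffic sample are constructed; the rule dictionaries use the wafv2
API shapes that boto3's create_web_acl accepts, but nothing here calls AWS.
"""
from collections import defaultdict


def _visibility(name):
    return {"SampledRequestsEnabled": True, "CloudWatchMetricsEnabled": True,
            "MetricName": name}


def geo_block_rule(name, priority, country_codes):
    """Block requests whose source country is in country_codes (ISO 3166-1)."""
    return {"Name": name, "Priority": priority, "Action": {"Block": {}},
            "Statement": {"GeoMatchStatement": {"CountryCodes": list(country_codes)}},
            "VisibilityConfig": _visibility(name)}


def sqli_rule(name, priority, count_only=False):
    """Block (or, in Count mode, only record) SQL injection patterns in the
    request body after URL-decoding it. Count mode is how you trial a rule
    before it starts blocking real users."""
    return {"Name": name, "Priority": priority,
            "Action": {"Count": {}} if count_only else {"Block": {}},
            "Statement": {"SqliMatchStatement": {
                "FieldToMatch": {"Body": {}},
                "TextTransformations": [{"Priority": 0, "Type": "URL_DECODE"}]}},
            "VisibilityConfig": _visibility(name)}


def rate_based_rule(name, priority, limit):
    """Block any source IP that sends more than limit requests in a trailing
    5-minute window. WAF rejects limits below 100."""
    if limit < 100:
        raise ValueError("rate-based rule limit must be at least 100")
    return {"Name": name, "Priority": priority, "Action": {"Block": {}},
            "Statement": {"RateBasedStatement": {"Limit": limit,
                                                 "AggregateKeyType": "IP"}},
            "VisibilityConfig": _visibility(name)}


def build_rules():
    """Ordered rule set for a Web ACL; priorities must be unique and WAF
    evaluates them lowest first."""
    rules = [rate_based_rule("FloodProtection", 0, 1000),
             geo_block_rule("BlockEmbargoed", 1, ["KP"]),
             sqli_rule("SqliBody", 2, count_only=True)]
    assert len({r["Priority"] for r in rules}) == len(rules)
    return rules


def rate_limited_ips(requests, limit, window_seconds=300):
    """Offline model of the rate-based rule: an IP is flagged when any
    window_seconds-long span of its traffic holds more than limit requests.
    requests is an iterable of (unix_seconds, client_ip)."""
    by_ip = defaultdict(list)
    for ts, ip in requests:
        by_ip[ip].append(ts)
    flagged = []
    for ip, times in by_ip.items():
        times.sort()
        start = 0
        for end, ts in enumerate(times):
            while ts - times[start] > window_seconds:  # slide window forward
                start += 1
            if end - start + 1 > limit:
                flagged.append(ip)
                break
    return sorted(flagged)


def sample_requests():
    """Constructed access log: (unix_seconds, client_ip)."""
    t0 = 1700000000
    burst = [(t0 + i, "203.0.113.9") for i in range(150)]        # 150 req in 150 s
    steady = [(t0 + 6 * i, "198.51.100.4") for i in range(101)]  # 101 req over 10 min
    quiet = [(t0 + 12 * i, "192.0.2.77") for i in range(50)]     # 50 req over 10 min
    return burst + steady + quiet


if __name__ == "__main__":
    print([r["Name"] for r in build_rules()])
    print(rate_limited_ips(sample_requests(), limit=100))  # ['203.0.113.9']
```

Note that the steady client sends 101 requests in total but never more than about 50 in any 5-minute window, so it is not flagged; the rule is about rate, not volume.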

Inspector

  • Automated vulnerability management service
  • The current Amazon Inspector (relaunched in 2021) continually scans EC2 instances and ECR container images for software vulnerabilities and unintended network exposure. EC2 scanning uses the SSM Agent rather than a dedicated Inspector agent; Lambda function scanning was added later
  • Assessment findings can be sent to SNS for notification
  • Inspector Classic (the previous version) had 2 types of assessment:
    1. Host assessment
      • requires the Inspector agent to be installed on the EC2 instance
      • scans from inside (e.g. OS packages, running applications)
      • rules packages based on CVEs and CIS benchmarks
    2. Network assessment
      • agentless
      • probes from outside, i.e. network reachability, open ports
  • Findings are sent to Security Hub and EventBridge with a risk score (the Inspector score, which adjusts the CVSS base score for the package's actual network exposure)
  • Looks for
    • Package vulnerabilities (CVE database)
    • Network reachability (security groups, NACLs, route tables and gateways that make a port reachable)

GuardDuty

  • A threat detection service that continuously monitors your AWS accounts and workloads for malicious activity and delivers detailed security findings for visibility and remediation
  • Uses machine learning, anomaly detection and threat intelligence feeds (known malicious IPs and domains)
  • Analyzes logs (you do not need to enable or store these logs yourself; GuardDuty reads them directly):
    • DNS logs – e.g. compromised e
    • CloudTrail management and S3 data event logs – e.g. unusual API calls, logging being disabled
    • VPC Flow Logs – e.g. unusual traffic, port scans
    • EKS audit logs – e.g. suspicious activities or EKS cluster compromise
  • Can integrate with EventBridge (formerly CloudWatch Events) to notify on findings; findings also flow into Security Hub
  • Findings carry a severity score (Low 0.1–3.9, Medium 4.0–6.9, High 7.0–8.9) and a type of the form ThreatPurpose:ResourceTypeAffected/ThreatFamilyName.DetectionMechanism!Artifact
  • Detects (but does not block) cryptocurrency-related activity, e.g. the CryptoCurrency:EC2/BitcoinTool.B!DNS finding when an EC2 instance queries a domain name or IP address associated with cryptocurrency mining
  • Disabling the service deletes all remaining data, including your findings and configurations, before relinquishing the service permissions and resetting the service; suspending it instead stops monitoring but keeps existing findings
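The usual way to act on findings is an EventBridge rule that forwards only the severities you care about to a Lambda function. The block below is an added example, not code from the original notes: the event pattern uses EventBridge's documented numeric matching, and the handler parses the finding type to decide whether the instance should be isolated. SAMPLE_EVENT is a constructed "GuardDuty Finding" event with a hypothetical account, instance id and finding id; the response actions are illustrative and nothing here calls AWS.

```python
"""Filter GuardDuty findings in EventBridge and triage them in a handler.

Added example (not from the original notes). HIGH_SEVERITY_PATTERN uses the
EventBridge event pattern syntax; SAMPLE_EVENT is a constructed
"GuardDuty Finding" event with a hypothetical account, instance id and
finding id. Nothing here calls AWS.
"""
import json

# EventBridge rule pattern: deliver only High findings (severity 7.0-8.9).
HIGH_SEVERITY_PATTERN = {
    "source": ["aws.guardduty"],
    "detail-type": ["GuardDuty Finding"],
    "detail": {"severity": [{"numeric": [">=", 7]}]},
}

SAMPLE_EVENT = {
    "version": "0",
    "id": "hypothetical-event-id",
    "detail-type": "GuardDuty Finding",
    "source": "aws.guardduty",
    "account": "123456789012",
    "region": "us-east-1",
    "detail": {
        "schemaVersion": "2.0",
        "accountId": "123456789012",
        "region": "us-east-1",
        "id": "hypothetical-finding-id",
        "type": "CryptoCurrency:EC2/BitcoinTool.B!DNS",
        "severity": 8,
        "title": "Bitcoin-related domain name queried by EC2 instance i-0a1b2c3d4e5f67890.",
        "resource": {"resourceType": "Instance",
                     "instanceDetails": {"instanceId": "i-0a1b2c3d4e5f67890"}},
        "service": {"serviceName": "guardduty",
                    "action": {"actionType": "DNS_REQUEST",
                               "dnsRequestAction": {"domain": "pool.mining-example.test"}}},
    },
}

# Threat purposes where the instance itself is compromised and isolation
# (quarantine security group, snapshot for forensics, then rebuild) is the
# usual response. Illustrative choice, not an AWS-defined list.
ISOLATE_PURPOSES = {"CryptoCurrency", "Backdoor", "Trojan", "Impact"}


def severity_label(score):
    """GuardDuty severity bands: Low 0.1-3.9, Medium 4.0-6.9, High 7.0-8.9."""
    if score >= 7.0:
        return "High"
    if score >= 4.0:
        return "Medium"
    return "Low"


def matches_pattern(event, pattern=HIGH_SEVERITY_PATTERN):
    """Evaluate the subset of EventBridge pattern syntax used above:
    exact-match lists for source/detail-type and one numeric comparison."""
    if event.get("source") not in pattern["source"]:
        return False
    if event.get("detail-type") not in pattern["detail-type"]:
        return False
    op, threshold = pattern["detail"]["severity"][0]["numeric"]
    sev = event["detail"]["severity"]
    return {">=": sev >= threshold, ">": sev > threshold,
            "<=": sev <= threshold, "<": sev < threshold}[op]


def triage(event):
    """Pull out what a responder needs. The threat purpose is the part
    before ':' in the finding type
    (ThreatPurpose:ResourceTypeAffected/ThreatFamilyName.DetectionMechanism!Artifact)."""
    d = event["detail"]
    purpose, rest = d["type"].split(":", 1)
    resource_type = rest.split("/", 1)[0]
    instance_id = d["resource"].get("instanceDetails", {}).get("instanceId")
    isolate = purpose in ISOLATE_PURPOSES and resource_type == "EC2" and bool(instance_id)
    return {
        "finding_id": d["id"],
        "account": d["accountId"],
        "type": d["type"],
        "threat_purpose": purpose,
        "severity": severity_label(d["severity"]),
        "instance_id": instance_id,
        "domain": d["service"]["action"].get("dnsRequestAction", {}).get("domain"),
        "action": "isolate-instance" if isolate else "notify",
    }


def handler(event, context=None):
    """Lambda entry point behind the EventBridge rule."""
    if not matches_pattern(event):
        return {"action": "ignored"}
    result = triage(event)
    print(json.dumps(result))  # lands in CloudWatch Logs when run in Lambda
    return result


if __name__ == "__main__":
    print(handler(SAMPLE_EVENT))
```

Filtering on severity in the rule pattern rather than in the function keeps low-severity noise from ever invoking the Lambda, and the threat purpose gives a stable key for routing when new finding types appear.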

Secrets Manager

  • Protects secrets needed to access your applications, services, and IT resources
  • Rotates, manages, and retrieves:
    • RDS credentials
    • DocumentDB credentials
    • Redshift credentials
    • Generic key/value pair secrets, e.g. API keys, OAuth tokens
  • Tight integration with Lambda and RDS: rotation is performed by a Lambda function, and for RDS, DocumentDB and Redshift AWS provides the rotation function
  • Secrets are encrypted with KMS and read with GetSecretValue; versions are tracked with staging labels (AWSCURRENT, AWSPENDING, AWSPREVIOUS) so rotation can happen without downtime
  • Compared with SSM Parameter Store: Secrets Manager charges per secret and per API call but has built-in rotation; a Parameter Store SecureString is the cheaper choice for static secrets
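Rotation only works end to end if clients can cope with the password changing underneath them. The following is an added example, not code from the original notes: it caches GetSecretValue results (every call is billed) and refetches AWSCURRENT once when the cached credential stops authenticating. The secret name and values are hypothetical, and FakeSecretsManager is a constructed stand-in for boto3's secretsmanager client so the whole flow runs offline.

```python
"""Reading an RDS secret from Secrets Manager without breaking on rotation.

Added example (not from the original notes). The secret name and values are
hypothetical; FakeSecretsManager is a constructed stand-in for boto3's
secretsmanager client so the whole flow runs offline.
"""
import json
import time

# Keys Secrets Manager stores for RDS secrets (the rotation functions rely on them).
RDS_REQUIRED_KEYS = {"engine", "host", "username", "password", "dbname", "port"}


def parse_rds_secret(secret_string):
    """Validate and normalise the JSON stored in an RDS secret."""
    data = json.loads(secret_string)
    missing = RDS_REQUIRED_KEYS - data.keys()
    if missing:
        raise ValueError(f"RDS secret missing keys: {sorted(missing)}")
    data["port"] = int(data["port"])
    return data


class SecretCache:
    """Cache GetSecretValue results for ttl seconds. Every call is billed,
    so cache; but rotation does not push a notification to clients, so the
    cache also has to be refreshable when the cached password stops working."""

    def __init__(self, client, ttl_seconds=300, clock=time.monotonic):
        self.client, self.ttl, self.clock = client, ttl_seconds, clock
        self._entries = {}

    def get(self, secret_id, force_refresh=False):
        entry = self._entries.get(secret_id)
        now = self.clock()
        if entry and not force_refresh and now - entry[0] < self.ttl:
            return entry[1]
        resp = self.client.get_secret_value(SecretId=secret_id,
                                            VersionStage="AWSCURRENT")
        creds = parse_rds_secret(resp["SecretString"])
        self._entries[secret_id] = (now, creds)
        return creds


def connect_with_retry(cache, secret_id, try_connect):
    """try_connect(creds) -> bool. On an auth failure, refetch AWSCURRENT once:
    the cached version may have become AWSPREVIOUS since we read it."""
    creds = cache.get(secret_id)
    if try_connect(creds):
        return creds
    creds = cache.get(secret_id, force_refresh=True)
    if try_connect(creds):
        return creds
    raise RuntimeError("authentication failed even with the refreshed secret")


class FakeSecretsManager:
    """Constructed stand-in for the real client; rotate() mimics a rotation
    Lambda moving a new password to AWSCURRENT."""

    def __init__(self):
        self.password = "pw-v1"
        self.calls = 0

    def rotate(self):
        self.password = "pw-v2"

    def get_secret_value(self, SecretId, VersionStage="AWSCURRENT"):
        self.calls += 1
        return {"Name": SecretId, "VersionStages": [VersionStage],
                "SecretString": json.dumps({
                    "engine": "postgres", "host": "orders-db.example.internal",
                    "username": "app", "password": self.password,
                    "dbname": "orders", "port": "5432"})}


def demo():
    """Returns (password used before rotation, after rotation, API calls made)."""
    sm = FakeSecretsManager()
    cache = SecretCache(sm)
    db = {"password": "pw-v1"}  # stand-in for the database's current credential

    def try_connect(creds):
        return creds["password"] == db["password"]

    before = connect_with_retry(cache, "prod/orders/db", try_connect)
    sm.rotate()
    db["password"] = "pw-v2"  # the rotation function changed it in the database too
    after = connect_with_retry(cache, "prod/orders/db", try_connect)
    return before["password"], after["password"], sm.calls


if __name__ == "__main__":
    print(demo())  # ('pw-v1', 'pw-v2', 2)
```

Only two API calls are made across the rotation: the first connection fills the cache, and the second reconnect refetches only because the stale password was rejected.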
