AWS Partner Security Best Practices (Technical) - 200-SIPSBP-14-En-SG

AWS Partner: Security Best Practices (Technical)
Student Guide
Version 1.4.0
200-SIPSBP-14-EN-SG
© 2023, Amazon Web Services, Inc. or its affiliates. All rights reserved.

This work may not be reproduced or redistributed, in whole or in part,
without prior written permission from Amazon Web Services, Inc.
Commercial copying, lending, or selling is prohibited.

Corrections, feedback, or other questions? Contact us at
https://support.aws.amazon.com/#/contacts/aws-training.

All trademarks are the property of their owners.


AWS Training and Certification AWS Partner: Security Best Practices (Technical)

Contents
Module 0: Course Introduction 4
Module 1: Security Overview 14
Module 2: Securing the Network 45
Module 3: Amazon EC2 Security 96
Module 4: Monitoring and Alerting 140
Module 5: Course Conclusion 193


AWS Partner: AWS Security Best Practices (Technical)


Course Introduction
AWS Partner: AWS Security Best Practices (Technical)


Course prerequisites
Before attending this course, participants should have completed the
following:
• Security Fundamentals course
• Security Essentials course
• Certifications achieved: A strong background in information security
concepts, techniques, and paradigms in the area of networking,
operating systems, data encryption, and operational controls


Course agenda (morning)

Module   Topic and activity
Module 0 • Course Introduction
Module 1 • Security Overview
Module 2 • Securing the Network
         • Lab 1: Controlling the Network


Course agenda (afternoon)

Module   Topic and activity
Module 3 • Amazon EC2 Security
         • Lab 2: Securing the Endpoint
Module 4 • Monitoring and Alerting
         • Lab 3: Security Monitoring
Module 5 • Course Conclusion


Logistics
• Breaks and lunch
• Asking questions in a classroom
• Classroom etiquette


Register for access to guides and lab environments

Make sure you register for AWS Builder Labs.


• Refer to your welcome email for registration information.

Check your inbox for a welcome email from your instructor. In this email, you will find your unique student
registration URL for the class. Use this URL link to create an account or log in to your existing AWS Builder Labs
account. In AWS Builder Labs, you can access your lab environments, Lab Guide, and Student Guide.


Student and lab guides

At this time, you should be logged in to AWS Builder Labs. From here, you can access your Lab Guide and
Student Guide, which are located in eVantage Bookshelf (VitalSource). Buttons to the Lab Guide and Student
Guide are located at the top-right corner of your AWS Builder Labs dashboard. The labs and buttons will be
greyed out until the start of the class.

Once the class starts, select either button to access your guides. You will be prompted to log in with your
existing eVantage Bookshelf (VitalSource) account or to create a new account. Once you log in to
eVantage Bookshelf (VitalSource), you will have access to the student and lab guides for the class. You can
access your guides online or download them. Use these guides to follow along with the course and as a
reference after the training.


Lab requirements
• Computer running:
  • Windows
  • macOS
  • Linux: Ubuntu, SUSE, or Red Hat
• Recommended web browser:
  • Google Chrome
  • Mozilla Firefox
  • Microsoft Edge
• Reliable internet connection able to browse the internet using HTTPS
• Register for AWS Builder Labs:
  • Turn off ad and script blockers


Course objectives
After completing this course, you will be able to do the following:
• Design and implement a secure network infrastructure.
• Design and implement compute security.
• Design and implement a logging solution.



Security Overview
AWS Partner: AWS Security Best Practices
(Technical)

Welcome to the AWS Security Best Practices course. The first module in the course is meant to provide an
overview of security. This module covers topics such as the shared responsibility model, compliance, common
frameworks and best practices in the context of security, and relevant Amazon Web Services (AWS) services.


Module objectives and outline
By the end of this module, you will be able to do the following:
• Differentiate security responsibilities according to the AWS shared responsibility model.
• Identify organizational challenges and threats.
• Describe a standards-based approach to best practices.

Topics:
• Shared responsibility model
• Frameworks and standards
• Establishing best practices
• Compliance in AWS


Shared responsibility model
Section 1 of 4

Security and compliance are a shared responsibility between AWS and the customer. This shared model can
help relieve the customer’s operational burden. AWS operates, manages, and controls the components from
the host operating system and virtualization layer, down to the physical security of the facilities in which the
service operates. Let’s take a look at that model now.


Shared responsibility model review

Using a public cloud can provide a safe, secure, and cost-effective environment for organizations. However, one
misconception about moving to the cloud is that it absolves the customer (cloud user) from responsibility over
security of their workload. AWS is responsible for many security controls that reduce the threat surface and
vulnerability of a cloud-hosted workload. However, customer responsibility is still critical to an overall secure
environment.

The two areas of responsibility are typically categorized as security OF the cloud (AWS responsibility), and
security IN the cloud (customer responsibility). This course will focus on how you can best secure the
infrastructure components of your workload and use monitoring and alerting to detect security events.

Security OF the cloud


• AWS manages the global infrastructure providing cloud services.
• AWS undergoes ongoing audit and assurance programs.
• AWS maintains protection of the global infrastructure running AWS services and service endpoints.
• AWS has a culture of security and improvement.

Security IN the cloud


• The customer manages their workload in the AWS Cloud.
• Customers must configure AWS provided network configurations.
• Customers can implement and manage their own controls.
• Customers can choose to deploy additional assurances beyond the already provided AWS controls.
• Customers have access to a mature vendor marketplace.


Customer challenges

Let’s shift focus and discuss challenges that you face as an area of customer responsibility.


Customer challenges
To protect and safeguard data, you must consider the following:
• Technology changes in size and complexity
• Resources and workforce limitations
• Evolving threats and expanding threat surfaces
• Changes to legal and regulatory requirements

Meeting security challenges depends on an organization's resources and capabilities. Security must keep up
with the continuously evolving factors listed above.

In general, organizations must use their resources and capabilities to manage risks. Before discussing risk, it is
important to define three related concepts: vulnerabilities, threats, and risks.


Vulnerability, threat, and risk



The terms vulnerability, threat, and risk are often used interchangeably or incorrectly. You should understand
how each of these terms is used, what links them, and what sets them apart.

Simply put:
• A vulnerability is a weakness. Some vulnerabilities are in software. Others may be based on an overall system
design. You may even have vulnerabilities based on the processes you use (or don’t use). It is important to
remember that vulnerabilities span technical, operational, and administrative areas.
• A threat is a possibility for an event or act to exploit a vulnerability. Threats are potential negative actions or
events that are facilitated by a vulnerability; the action or event results in an unwanted impact. A threat can
be either intentional (in other words, malicious activity or hacking) or unintentional (for example, a computer
malfunctioning, or a natural disaster).
• A risk is the potential for loss, damage, or destruction of resources due to a threat. Risk is an especially
important concept. A large part of security is based on minimizing risk. Risk is an intersection of your
resources, their weaknesses, threats acting against them, and the potential impact of a threat exploiting a
vulnerability.


Threats in the cloud



Some of the threats that are faced in traditional, on-premises data centers and enterprise environments can
also manifest in the cloud. A few of these threats to consider include:
• Denial-of-service attacks
• Malware infections
• Unauthorized access or insider threats
• Misconfigurations and poor change control


Assessing risk
• Also known as risk analysis
• Based on different experiences or goals
• Point-in-time snapshot
• Use quantitative measurements or qualitative measurements

Risk analysis seeks to identify, measure, and mitigate various risk exposures or hazards facing your workload.
Risk analysis is generally performed one of two ways, either with a quantitative or a qualitative analysis.

• Quantitative risk analysis uses mathematical models and simulations to assign monetary values to risk.
• Qualitative risk analysis relies on a person's subjective judgment to build a theoretical model of risk for a
given scenario. This is often expressed based on two key factors: likelihood and impact of the threat being
assessed.


Addressing threats: Risk management


Threats are continuously changing; new vulnerabilities are discovered every day. The increasing volume and
severity of threats presents significant risk to organizations with operations dependent on digital resources.

Managing organizational risk is important for operations, and in some cases is a legal requirement. There are
four basic ways to manage risk:
• Mitigate it by applying controls.
• Avoid the risk altogether (which might mean forgoing benefits or significantly altering operations).
• Accept it, assuming the organization can absorb the potential impacts if the threat is realized.
• Transfer it to another party to manage.


Frameworks and standards
Section 2 of 4

Now we will explore some of the frameworks and standards that are important to reference when determining
how to secure your workload.


Standards-based approach
Organizations must employ effective security controls to identify, protect, detect,
respond, and recover from destructive security events.

Diagram: AWS CAF, the AWS Well-Architected Framework, and NIST CSF, surrounded by
laws and regulations, certifications and attestations, alignments and frameworks, and privacy.

There are many security controls that are available in AWS to be implemented in a variety of ways. It can be
complex and confusing, especially when an organization must comply with multiple regulatory and legal
requirements.

With a standards-based approach, organizations can benefit from the knowledge and experience of a wide
range of industry best practices to secure their workloads. With the right frameworks, you can use these best
practices and map security controls to your requirements. By implementing best practices through applicable
frameworks, you can simplify meeting security requirements and ensure that your organization is protecting the
right resources with the right controls.

Some common frameworks that can help to achieve this include the following:
• The AWS Well-Architected Framework security pillar supports these functions based on a long history of
experience in best practices for cloud environments.
• The AWS CAF identifies stakeholders that are critical to cloud adoption.
• The National Institute of Standards and Technology (NIST) Cybersecurity Framework (CSF) is supported by
AWS and AWS Partners through a growing portfolio of services to help customers achieve the security
controls they require.


Referencing NIST CSF
• The CSF is designed to be size, sector, and country agnostic.
• It references globally accepted standards, guidelines, and practices.
• Organizations across the world can use it to efficiently operate in a global environment.

The CSF offers a simple construct consisting of three elements: Core, Tiers, and Profiles. The Core represents a
set of cybersecurity practices, outcomes, and security controls that support five risk management functions:
Identify, Protect, Detect, Respond, and Recover. These are mapped to control categories that can be referenced
in NIST Special Publication (SP) 800-53. AWS Cloud infrastructure and services have been validated by third-party
testing performed against the NIST SP 800-53 Revision 4 controls.

According to the AWS shared responsibility model, AWS manages security OF the cloud; the customer is
responsible for their security IN the cloud. To support your implementation of shared responsibilities, AWS has
created Quick Start solutions powered by AWS CloudFormation. They use a single click to automate your
deployment of important technologies in the AWS Cloud. Each Quick Start launches, configures, and runs the
AWS compute, network, storage, and other services required to deploy a workload addressing compliance
requirements of standards and frameworks such as NIST 800-53.


CSF core security functions


Whether you are a public or commercial sector organization, you can use the NIST CSF to assess your AWS
environment and improve the security measures you implement and operate as part of the shared
responsibility model. The CSF Core consists of five concurrent and continuous functions that provide the basis
for a holistic security program. Explore the control categories here and example outcomes that are associated
to them:
• Identify control categories: Asset Management (ID.AM), Business Environment (ID.BE), Governance (ID.GV),
Risk Assessment (ID.RA) and Risk Management Strategy (ID.RM)
• Example outcome: Identifying physical and software assets to establish an asset management program
• Protect control categories: Identity Management, Authentication, and Access Control (PR.AC), Awareness
and Training (PR.AT), Data Security (PR.DS), Information Protection Processes and Procedures (PR.IP),
Maintenance (PR.MA), and Protective Technology (PR.PT)
• Example outcome: Managing protective technology to ensure the security and resilience of systems and
assets
• Detect control categories: Anomalies and Events (DE.AE), Security Continuous Monitoring (DE.CM), and
Detection Processes (DE.DP)
• Example outcome: Implementing security continuous monitoring capabilities to monitor cybersecurity
events
• Respond control categories: Response Planning (RS.RP), Mitigation (RS.MI), Communications (RS.CO),
Analysis (RS.AN), and Improvements (RS.IM)
• Example outcome: Ensuring response planning processes are run during and after an incident
• Recover control categories: Recovery Planning (RC.RP), Improvements (RC.IM), and Communications (RC.CO)
• Example outcome: Implementing improvements based on lessons learned


Establishing best practices
Section 3 of 4

Over time, best practices must evolve and change to match modern workflows and evolving technology.
Determining the organization’s requirements, understanding current resources and capabilities, and defining
security goals will help in deciding what frameworks one should follow. This section will explore security threats
and a standards-based approach to security best practices for implementing security controls. First, let's
examine the CIA triad and how this can be used for context as you assess and determine your organization's
unique security needs.


CIA triad
Diagram: triangle with Confidentiality, Integrity, and Availability at its corners.
AWS examples:
• Confidentiality: Amazon Elastic Block Storage (EBS) encryption
• Integrity: AWS CloudTrail log file validation
• Availability: Elastic Load Balancer (ELB)

The three letters in the CIA triad stand for confidentiality, integrity, and availability. The CIA triad is a common
and trusted model used to understand security requirements and develop controls to satisfy them. The model
helps organizations look at business objectives and define the security goals that align best to accomplish them.

Basic examples of these three principles include:


• Confidentiality: Encrypting data so it cannot be accessed by unauthorized entities
• Integrity: Providing non-repudiation and assurance of accuracy, often accomplished with hashing or digital
signatures
• Availability: Ensuring availability of systems and data to authorized individuals when it is needed, often
including components of high availability such as redundant network paths for data backups

Ideally, organizations should strive to meet all three standards to achieve a stronger security profile and be
better equipped to handle threat incidents. Remember that your best practices are unique, and the right
balance of these principles will be driven by your goals and requirements.


Layering defense: Castle analogy


Frameworks and standards provide a starting point for securing your workload, but your workload is unique.
Keep in mind as you establish your organization's security controls that no single security mechanism or control
by itself is reliable. Layering multiple mechanisms or controls is an important best practice.

The term defense in depth is a widely recognized best practice that refers to the strategy of layering security
controls.

Often an analogy of defending a castle is used. In this analogy, the castle represents a computer, data, or other
important asset. To protect that asset, the defender would employ multiple layers of defense. This serves two
purposes: stopping weaker adversaries and slowing down stronger adversaries.

Multiple layers of defense can slow down adversaries because they must break through these layers of
protection before they are able to compromise the asset. The extra time it takes to reach the target can give
defenders an opportunity to stop or contain an attack.


Global concerns (the moat)

1. Amazon Route 53 geo routing
   • Route based on origin location of Domain Name System (DNS) query
   • Route to static or dynamic resources

2. Amazon CloudFront geo restriction
   • Permit approved countries
   • Block or deny banned countries

Items 1 and 2: Adversaries are met first by the outermost barrier, a moat. This could represent protection
outside the environment's perimeter, such as Amazon Route 53 geo routing restrictions or Amazon CloudFront
geo restrictions blocking of banned areas.


Global concerns (the outer wall)

3. AWS WAF rules
   • Deny (based on IP source)
   • SQL injection prevention
   • Cross-site scripting prevention
   • User-agent blocking
   • Bad bot blocking
   • Content scraper blocking

Item 3: If adversaries make it through the moat, they are met by an outer wall around the castle. This could
represent protection at the edge or perimeter, such as AWS WAF.


Global concerns (inside the castle)

4. Network ACL
   • Deny or block by IP
   • Use port blocking

5. Security groups
   • Only allow required ports
   • Only allow from required sources

Item 4: If adversaries make it through the outer wall, they are met by the very tall inner wall. This could
represent protection at the edge or perimeter, such as a network access control list (ACL).
Item 5: If an adversary makes it through the inner wall, they are met with yet another barrier in the form of a
castle guard. This could represent a security group associated with a load balancer servicing an internet-facing
web application.
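The castle layers above (geo restriction, WAF rules, network ACL, security group) as an added example that is not part of the course material: a small Python model in which a request is evaluated by each layer in turn, using the ordered-rule, first-match, default-deny semantics of a network ACL and the allow-only semantics of a security group. The policy, addresses (RFC 5737 documentation ranges), country codes and rule numbers are all constructed values, and the model is a simplification, not the AWS implementation.

```python
"""Defense in depth as a request walk-through: the moat (geo restriction), the
outer wall (WAF rules), the inner wall (network ACL) and the castle guard
(security group) each get a chance to stop a request. Simplified model, not
the AWS implementation; every address, country and rule here is constructed."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network


@dataclass(frozen=True)
class Request:
    src_ip: str       # source address seen at the edge
    country: str      # ISO country code resolved by the edge service
    dst_port: int     # destination port on the load balancer
    user_agent: str   # HTTP User-Agent header


def moat_geo_restriction(req, allowed_countries):
    """Moat: CloudFront-style geo restriction with an allow-list of countries."""
    return req.country in allowed_countries


def outer_wall_waf(req, denied_cidrs, blocked_agents):
    """Outer wall: WAF-style rules, a source-IP deny list and user-agent blocking."""
    ip = ip_address(req.src_ip)
    if any(ip in ip_network(cidr) for cidr in denied_cidrs):
        return False
    ua = req.user_agent.lower()
    return not any(tag in ua for tag in blocked_agents)


def inner_wall_nacl(req, rules):
    """Inner wall: network ACL semantics. Rules are evaluated in ascending
    rule-number order, the first matching rule decides, and a request that
    matches no rule is denied (the implicit '*' deny rule)."""
    ip = ip_address(req.src_ip)
    for rule in sorted(rules, key=lambda r: r["rule_number"]):
        low, high = rule["port_range"]
        if ip in ip_network(rule["cidr"]) and low <= req.dst_port <= high:
            return rule["action"] == "allow"
    return False


def castle_guard_sg(req, allow_rules):
    """Castle guard: security group semantics. Only allow rules exist, order is
    irrelevant, and anything not explicitly allowed is denied."""
    ip = ip_address(req.src_ip)
    return any(ip in ip_network(r["cidr"]) and r["port"] == req.dst_port
               for r in allow_rules)


def evaluate(req, policy):
    """Return the name of the layer that stopped the request, or None if every
    layer let it through."""
    layers = [
        ("moat (geo restriction)",
         lambda: moat_geo_restriction(req, policy["allowed_countries"])),
        ("outer wall (WAF)",
         lambda: outer_wall_waf(req, policy["waf_denied_cidrs"],
                                policy["waf_blocked_agents"])),
        ("inner wall (network ACL)",
         lambda: inner_wall_nacl(req, policy["nacl_rules"])),
        ("castle guard (security group)",
         lambda: castle_guard_sg(req, policy["sg_allow"])),
    ]
    for name, passes in layers:
        if not passes():
            return name
    return None


# Constructed policy for an internet-facing HTTPS load balancer. The address
# ranges are the RFC 5737 documentation networks, so nothing here is real.
POLICY = {
    "allowed_countries": {"US", "CA", "GB"},
    "waf_denied_cidrs": ["203.0.113.0/24"],
    "waf_blocked_agents": ["badbot", "scraper"],
    "nacl_rules": [
        {"rule_number": 100, "cidr": "198.51.100.0/24",
         "port_range": (0, 65535), "action": "deny"},
        {"rule_number": 200, "cidr": "0.0.0.0/0",
         "port_range": (443, 443), "action": "allow"},
        # NACLs are stateless, so the ephemeral range must be open for return
        # traffic; that leaves the security group to reject odd inbound ports.
        {"rule_number": 300, "cidr": "0.0.0.0/0",
         "port_range": (1024, 65535), "action": "allow"},
    ],
    "sg_allow": [{"cidr": "0.0.0.0/0", "port": 443}],
}

# The same NACL with the deny rule numbered after the broad allow: the allow
# now matches first, so the deny never fires. Rule order is the control.
MISORDERED_NACL = [dict(r, rule_number=250) if r["action"] == "deny" else r
                   for r in POLICY["nacl_rules"]]


if __name__ == "__main__":
    for req in (Request("192.0.2.10", "US", 443, "Mozilla/5.0"),
                Request("192.0.2.10", "DE", 443, "Mozilla/5.0"),
                Request("203.0.113.7", "US", 443, "Mozilla/5.0"),
                Request("192.0.2.10", "US", 443, "BadBot/1.0"),
                Request("198.51.100.5", "US", 443, "Mozilla/5.0"),
                Request("192.0.2.10", "US", 8080, "Mozilla/5.0")):
        print(req, "->", evaluate(req, POLICY) or "allowed")
```

The port 8080 case is the layering point: the stateless network ACL has to allow the ephemeral range, so it lets that request through, and the allow-only security group is what stops it.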


Diversified security layers



The defense-in-depth methodology involves layering diversified security technologies to ensure that attacks
missed by one technology are caught by another. This can be achieved by different types of controls, applied
with the following principles in mind:
• Apply many layers of controls; target distinct layers with distinct controls.
• Diversify your signature sources and threat intelligence sources.
• Diversify technology.


Compliance in AWS
Section 4 of 4


Customer responsibilities

AWS customers are responsible for maintaining adequate governance over their environment. This means you
are responsible for the following:
• Understanding what workloads must be regulated by which applicable standards
• Discovering applicable controls or checklist items that apply to workloads
• Mitigating risk and applying applicable controls
• Verifying that the applied controls are deployed and functionally tested against the workload


Compliance by region
• AWS is audited against a variety of global and regional security frameworks dependent on region and industry:
  • Global
  • US and North America
  • Asia Pacific
  • Europe, Middle East, and Africa


AWS compliance programs

The IT standards that AWS complies with are broken out by:
• Certifications and attestations
• Laws, regulations, and privacy
• Alignments and frameworks

With thousands of controls used to meet internal security requirements, AWS maps internal controls to the
applicable compliance requirement. This approach to compliance can be adopted by AWS users. It is a useful
starting point when considering local laws and regulations.

Note that according to the shared responsibility model, using AWS does not automatically make you compliant
with all the regulations AWS complies with. You do inherit some controls, such as physical security, and you can
fulfill the requirements of other controls by using the breadth and capabilities of AWS services.

Compliance certifications and attestations are assessed by a third-party, independent auditor and result in a
certification, audit report, or attestation of compliance. These certifications, reports, or attestations are
available to customers as documentation concerning the AWS inherited controls.


AWS Artifact
• Reports on demand
• Global availability
• Straightforward identification
• Quick assessments
• Continuous monitoring
• Enhanced transparency

AWS Artifact is a central resource for compliance-related information, providing on-demand access to AWS
security and compliance reports and select online agreements.

• Reports on demand: Download AWS auditor-issued reports, certifications, accreditations, and other third-
party attestations.
• Global availability: Validate the implementation and operating effectiveness of the AWS security control
environment from any geography or vertical.
• Straightforward identification: Easily identify the scope of each of the audit artifacts, including services,
regions, and applicable audit dates.
• Quick assessments: Perform internal assessments of the security of AWS services more quickly.
• Continuous monitoring: Continuously monitor the security and compliance of AWS with immediate access
when new reports are released.
• Enhanced transparency: Perform due diligence anytime with enhanced transparency into the AWS control
environment.


Module 1 Summary
Remember…
• The customer is responsible for everything in the cloud.
• Frameworks that can help:
  • AWS Well-Architected Framework
  • AWS CAF
  • NIST CSF
• Defense-in-depth is a layered approach to security.
Let’s take a look at what we will cover in the upcoming modules.


Protecting and detecting with AWS

NIST CSF function and target, and the module that addresses it:
• Protect network infrastructure: Module 2 (Securing the network) explores best practices for protecting the
network from threats.
• Protect compute resources: Module 3 (Amazon EC2 Security) explores best practices for protecting your
Amazon EC2 instances from threats.
• Detect security events: Module 4 (Monitoring and alerting) explores best practices for detecting threats
through monitoring and alerting in your AWS environment.

The AWS Security Best Practices course addresses two key areas from the NIST Cyber Security Framework:
Protect and Detect. The upcoming modules will cover protecting network infrastructure and compute
resources, followed by a module focused on detecting threats through monitoring and alerting.


Additional resources

The following slides provide some additional resources for information covered in this module.


Finding resources
• AWS Marketplace
• AWS security bulletins
• AWS security documentation
• AWS Trusted Advisor

AWS maintains a variety of resources to help you secure your environment and workload. You can learn more
about security on AWS with the following resources:
• AWS Marketplace at https://aws.amazon.com/marketplace
• AWS security bulletins at https://aws.amazon.com/security/security-bulletins
• AWS security documentation at https://aws.amazon.com/products/security/resources
• AWS Trusted Advisor at https://console.aws.amazon.com/trustedadvisor


Security deep dive


• For more information about the topics discussed in this lesson, see the following resources:
  • AWS Well-Architected Tool
  • AWS re:Inforce 2019: Security Best Practices the Well-Architected Way
  • AWS Well-Architected Framework
  • CSF Customer Responsibility Matrix
  • Ransomware Risk Management on AWS Using the NIST Cyber Security Framework (CSF)

For more information on the items covered in this lesson, see the following list of links:
• https://aws.amazon.com/well-architected-tool
• https://www.youtube.com/watch?v=u6BCVkXkPnM
• https://aws.amazon.com/architecture/well-architected/
• https://d1.awsstatic.com/whitepapers/compliance/AWS_Services_and_Customer_Responsibility_Matrix_for_Alignment_to_the_CSF.fca4b7f5c7282cc221dee72732624a0389aa2596.xlsx
• https://d1.awsstatic.com/whitepapers/Security/ransomware-risk-management-on-aws-using-csf.pdf


Securing the Network

AWS Partner: AWS Security Best Practices (Technical)

Defense in depth, a layered approach to security, can help you ensure that the following are all in place:
• All interconnected systems only communicate through approved information flow policies
• All interconnected systems can only communicate through essential capabilities, based on functions, ports,
protocols, and services as defined in the configuration management policy

This module explores a variety of AWS network-based protective and detective features. It also covers specific
AWS services that customers can take advantage of to enhance protection from, and detection of, threats in their
environments.


Module objectives & outline

By the end of this module, you will be able to:
• Design a network for flexibility and security.
• Implement network security by controlling traffic at all layers and automating network protection.
• Select AWS services to secure network traffic and combat common security threats.
• Understand the benefits of third-party solutions offered through AWS Marketplace.

Topics:
• Flexible and secure
• Security inside the VPC
• Security services
• Third-party security solutions

In this module, we will explore layering native security mechanisms and services in your network to protect
your workloads.
By the end of this module, you will be able to do the following:
• Design a network for flexibility and security.
• Implement network security by controlling traffic at all layers and automating network protection.
• Select AWS services to secure network traffic and combat common security threats.
• Understand the benefits of third-party solutions offered through AWS Marketplace.


Flexible and secure
Section 1 of 4

Organizations are building complex environments on-premises and in the cloud, where workloads can have a
variety of security requirements. Using security best practices, organizations should strive to design and apply
security at every layer within their workload. A logical starting point in this endeavor is the virtual network and
corresponding infrastructure. Securing this layer generally benefits from segmentation, enforcing security
boundaries, and monitoring of traffic to detect potential anomalies or threats. In this section, you will explore
the design and implementation of your network, with best practice recommendations in mind.


Starting with the virtual private cloud (VPC)


Network architecture is your foundation. A sound strategy for designing, building, and maintaining the network
architecture provides the best foundation for scaling and security.
• A good design builds in security.
• Customers have full control over their VPC.
• Stakeholder input helps develop the strategy.

In security, there is no single perfect answer. The answer is usually: “It depends.” Every company is different, so
understanding the options, benefits, and risks will help you select the right method to build, scale, and secure
your cloud environment.


Security inside your VPC

• Use subnets to group the tiers of your application (for example, web, application, and database) within a
single VPC.
• Avoid opening Secure Shell (SSH) or Remote Desktop Protocol (RDP) between or within instances of the
production environment whenever possible.

With Amazon Virtual Private Cloud, you can build a virtual network in the AWS Cloud without having to worry
about physical connectivity. You can define your own network space and control how the network and
resources inside your network are connected.


Designing a network

• Monitor at boundaries
• Subnet to create isolation
• Connect through protective devices

Proper design and deployment of networking infrastructure is key to creating a solid foundation for securing
your cloud workload. The key concepts for designing a network are as follows:
• Monitoring and controlling communications at key boundaries
• Implementing controls to isolate workload subnets
• Connecting to external networks or systems only through monitored interfaces consisting of protection
devices such as firewalls


Advantages of segmentation
Controls and filters may limit damage by creating smaller impact areas
Build network segments using the following
access control methods:
• Amazon VPC routing
• Security Groups
• Network Access Control Lists (ACLs)
• Using host-based firewalls
• Creating a threat protection layer in traffic flow and enforcing all traffic to traverse the zone

A network design must be both flexible and secure. Meeting business objectives includes ensuring
confidentiality, integrity, and availability commensurate with the workload. In the past, many organizations
opted for a flat network, which means that all (or a large number of) resources shared a common broadcast
domain. This was a means of lowering hardware costs and simplifying configuration and maintenance in an on-
premises environment.

In a physical network, this would mean a pool of resources is connected to a single switching plane. In the
cloud, a flat network would be one that uses one (or few) VPCs and subnets to contain many resources without
regard to differentiated connectivity or security needs. Although a flat network is simple to create, it amplifies
risk for an organization. Network segmentation plays a significant role in security. Not only is it a best practice
recommendation, but it is a compliance requirement for most regulated industries.

On AWS, you can build network segments using the following access control methods:
• Amazon VPC routing
• Security Groups
• Network Access Control Lists (ACLs)
• Using host-based firewalls
• Creating a threat protection layer in traffic flow and enforcing all traffic to traverse the zone


VPC and subnet strategy

When you create a VPC, you will need to choose an address range. This sounds simple, but selecting the right IP
addressing strategy based on your organizational needs can be tricky. You must consider things from an overall
perspective and keep growth in mind. Reconfiguring hundreds of assets within a VPC because of overlaps or IP
address exhaustion can be avoided with thorough planning. Let's examine some basic principles and
considerations for planning and connecting your network.

Larger VPCs and subnets are more flexible. However, they are harder to scale and manage, and they make it
more difficult to maintain access controls. Smaller VPCs, and possibly subnets, are simpler to secure effectively,
but may prove less efficient for some business use cases.

Choosing a VPC address range includes considering all of the following:


• Every VPC has a private IP address space (by default).
• The VPC Classless Inter-Domain Routing (CIDR) block size can be from /16 to /28.
• You can associate additional (secondary) IPv4 address blocks.
• You can associate IPv6 address blocks.

Selecting an IP addressing strategy includes considering all of the following:


• Primary VPC CIDR blocks cannot be modified after they are created, but additional (secondary) address space can be added.
• Consider address overlaps and shortages before committing to a CIDR (with on-premises or existing VPCs).
• Do not waste address space, but be careful not to constrain future growth.

Note: When using a default VPC, your default VPC CIDR is 172.31.0.0/16, and your default subnets will be
created as /20 subnets.


Design best practices


Inside the VPC:
• Plan for unique CIDR for each VPC.
• Use RFC 1918 addressing (class A/B/C).
• Plan for growth and reserve spare IP ranges.

Inside the Availability Zone:
• IP addressing scheme to separate subnets per security needs.
• Implement route summarization.
• Use separate route tables (based on subnet or security segments).

Inside the VPC:


• Plan for unique Classless Inter-Domain Routing, or CIDR, for each VPC.
• Use RFC 1918 addressing (class A/B/C).
• Plan for growth and reserve spare IP ranges.

Inside the Availability Zone:


• IP addressing scheme to separate subnets per security needs
• Route summarization
• Using separate route tables (based on subnet or security segments)

As you work on designing a network or network segment, best practices can be categorized into activities
concerning a VPC and activities concerning an Availability Zone.

Designing an IP scheme is important but difficult. It is often one of the first items implemented, and the rest of
an enterprise’s cloud IT infrastructure generally depends on it. The design strategy used should be based on the
organization’s current requirements as well as possible future requirements. Although no one can predict future
requirements with certainty, always build a growth plan into a design. It is much better to have IPs and not
need them than to come up short! References for setting up your VPC can be found
at https://docs.aws.amazon.com/vpc/latest/userguide/vpc-ip-addressing.html

Additional considerations when designing your environment include:


• Private IP blocks are only reachable by the virtual private gateway. They cannot be accessed over the internet
through the internet gateway.
• AWS does not advertise customer-owned IP address blocks to the internet by default.
• You can allocate an Amazon-provided IPv6 CIDR block to a VPC.
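As an added example (not part of the course material and not AWS code), the following Python script applies the planning rules from the "VPC and subnet strategy" and "Design best practices" sections: it checks a candidate primary CIDR against the /16 to /28 limit, RFC 1918 membership, and overlap with ranges already in use (on-premises or other VPCs), then carves one subnet per tier and Availability Zone and reports what is left for growth. The in-use ranges, tier names, AZ names and the /20 subnet size are constructed sample values; the five reserved addresses per subnet are the standard Amazon VPC reservation (first four and last address of every subnet).

```python
import ipaddress
from typing import Dict, Iterable, List, Tuple

# RFC 1918 private ranges (the "class A/B/C" private blocks the slide refers to).
RFC1918 = [ipaddress.ip_network(c) for c in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Amazon VPC reserves the first four and the last address of every subnet.
RESERVED_PER_SUBNET = 5


def check_vpc_cidr(cidr: str, existing: Iterable[str]) -> List[str]:
    """Return planning problems for a proposed primary VPC CIDR (an empty list means it passes).

    existing: CIDR strings already in use, such as on-premises ranges or other VPCs,
    which the new VPC must not overlap if the networks will ever be connected.
    """
    net = ipaddress.ip_network(cidr, strict=True)
    problems = []
    if net.version != 4:
        return [f"{net}: only IPv4 primary CIDRs are checked here"]
    if not 16 <= net.prefixlen <= 28:
        problems.append(f"{net}: prefix /{net.prefixlen} is outside the allowed VPC range /16 to /28")
    if not any(net.subnet_of(private) for private in RFC1918):
        problems.append(f"{net}: not RFC 1918 private address space")
    for other in existing:
        other_net = ipaddress.ip_network(other)
        if other_net.version == 4 and net.overlaps(other_net):
            problems.append(f"{net}: overlaps existing range {other_net}")
    return problems


def carve_subnets(cidr: str, azs: List[str], tiers: List[str], new_prefix: int
                  ) -> Tuple[Dict[Tuple[str, str], ipaddress.IPv4Network], List[ipaddress.IPv4Network]]:
    """Allocate one subnet per (tier, Availability Zone) and return the spare ranges left for growth."""
    net = ipaddress.ip_network(cidr)
    pool = net.subnets(new_prefix=new_prefix)  # lazy iterator over equal-sized subnets
    plan = {}
    for tier in tiers:
        for az in azs:
            try:
                plan[(tier, az)] = next(pool)
            except StopIteration:
                raise ValueError(f"{net} cannot hold {len(tiers) * len(azs)} subnets of /{new_prefix}")
    spare = list(pool)  # whatever was not handed out stays reserved for later segments
    return plan, spare


def usable_hosts(subnet: ipaddress.IPv4Network) -> int:
    """Addresses actually available to instances after the VPC-reserved addresses are removed."""
    return subnet.num_addresses - RESERVED_PER_SUBNET


if __name__ == "__main__":
    # Constructed sample: on-premises uses 192.168.0.0/16 and an existing VPC uses 10.1.0.0/16.
    in_use = ["192.168.0.0/16", "10.1.0.0/16"]
    for candidate in ("10.0.0.0/16", "10.1.0.0/24", "10.0.0.0/15", "198.51.100.0/24"):
        print(candidate, check_vpc_cidr(candidate, in_use) or "ok")
    plan, spare = carve_subnets("10.0.0.0/16", ["us-east-1a", "us-east-1b"], ["web", "app", "db"], 20)
    for key, subnet in plan.items():
        print(key, subnet, usable_hosts(subnet), "usable addresses")
    print(len(spare), "spare /20 ranges reserved for growth")
```

The checks are deliberately run before anything is created, because the page's point is that a primary CIDR cannot be changed afterwards; an overlap found here costs a line edit, an overlap found after the VPC is peered costs a re-addressing project.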


Discussion point

Scenario: Ransomware infiltrates your cloud network through the upload of a compromised file to an EC2 instance.
• How does network control, filtering, and segmentation (or lack of it) impact an event like a ransomware infection?

If malicious code infiltrates your network, threats like ransomware can ravage your critical systems. Network
control is one important way to keep infections from spreading from one system to another. Using filtering and
segmentation to enforce security boundaries can significantly limit the impact if a threat takes hold in your
cloud environment.


DNS operations and security

Section topic

A Domain Name System (DNS) service must be highly available and DDoS resilient. AWS offers a DNS service
called Amazon Route 53, but many organizations manage their own DNS services. You can use Route 53 for
DNS, or you can run your own DNS service on an Amazon Elastic Compute Cloud (Amazon EC2) instance. Either
way, you should be aware of the capabilities, concerns, and best practices for mitigating security threats.


Amazon Route 53 using DNSSEC


• Domain Name System Security Extensions (DNSSEC) helps prevent DNS attacks like DNS cache poisoning and
DNS spoofing.

• Sign public hosted zones or use DNSSEC validation
• Store private keys in AWS KMS
• Use a single key across multiple public hosted zones

Domain Name System Security Extensions or DNSSEC is a feature of DNS that can be used to strengthen the
security of the protocol by providing authentication using digital signatures (based on public key cryptography).
Route 53 supports DNSSEC signing for your public hosted zones or DNSSEC validation for an Amazon Route 53
Resolver.

If you choose to use DNSSEC signing on your public hosted zones, you will need to consider storing the private
keys in AWS Key Management Service (AWS KMS) and using those keys to sign your DNS zones. You can also use
a single customer-managed AWS KMS key across multiple public hosted zones to help cut down on the
management of multiple keys.


Route 53 Resolver DNS Firewall


• Define domain name filtering rules to control access to sites and block DNS-level threats
• Customize the responses for blocked DNS queries
• Filter on domain names only (not on IP addresses)
• Filters User Datagram Protocol (UDP) DNS traffic (not HTTPS, TLS, SSH, or other protocols)
• Centralize management with AWS Firewall Manager

Route 53 Resolver DNS Firewall provides protection for outbound DNS requests from your VPCs. You can define
domain name filtering rules in rule groups to control access to sites and block DNS-level threats. You can also
customize the responses for the DNS queries that you block.
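To make the rule-group evaluation concrete, here is an added Python model of how a rule group decides a query (it is not AWS code, and it simplifies the service): rules are tried in priority order, the first rule whose domain list contains the queried name sets the action, and a BLOCK rule carries the custom response. The domain lists, priorities and queried names are constructed. The wildcard semantics (a `*.` entry matches subdomains but not the apex) are an assumption of this model, which is why the block list below names the apex explicitly.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple


@dataclass(frozen=True)
class FirewallRule:
    priority: int                         # lower values are evaluated first
    action: str                           # "ALLOW", "BLOCK" or "ALERT"
    domains: Tuple[str, ...]              # the rule's domain list; "*.x" entries match subdomains of x
    block_response: Optional[str] = None  # for BLOCK only: "NODATA", "NXDOMAIN" or "OVERRIDE"


def normalize(name: str) -> str:
    """DNS names are case-insensitive and may carry a trailing dot; compare them in one canonical form."""
    return name.rstrip(".").lower()


def domain_matches(entry: str, qname: str) -> bool:
    """Simplified matching (an assumption of this model): an exact entry matches only itself, and a
    '*.' entry matches every subdomain but not the apex, so list the apex too when you want both."""
    entry, qname = normalize(entry), normalize(qname)
    if entry.startswith("*."):
        return qname.endswith(entry[1:])  # keep the leading dot: "*.bad.example" must not match "notbad.example"
    return qname == entry


def evaluate_query(rule_group: List[FirewallRule], qname: str) -> Tuple[str, Optional[str]]:
    """Walk the rule group in priority order; the first rule whose domain list contains the queried
    name decides. A name that matches nothing passes through and the resolver answers it normally."""
    for rule in sorted(rule_group, key=lambda r: r.priority):
        if any(domain_matches(entry, qname) for entry in rule.domains):
            return rule.action, rule.block_response if rule.action == "BLOCK" else None
    return "ALLOW", None


def triage(rule_group: List[FirewallRule], qnames: List[str]) -> Dict[str, List[str]]:
    """Group a batch of queried names (for example, from resolver query logs) by the action they get."""
    result: Dict[str, List[str]] = {"ALLOW": [], "BLOCK": [], "ALERT": []}
    for qname in qnames:
        action, _ = evaluate_query(rule_group, qname)
        result[action].append(normalize(qname))
    return result


# Constructed rule group. Allowing the names the workload needs at the lowest priority guarantees
# that a broad block list added later cannot break them; ALERT logs a match without blocking,
# which is useful while tuning a new list.
EGRESS_RULE_GROUP = [
    FirewallRule(10, "ALLOW", ("amazonaws.com", "*.amazonaws.com")),
    FirewallRule(20, "BLOCK", ("bad.example", "*.bad.example", "malware.example"), "NXDOMAIN"),
    FirewallRule(30, "ALERT", ("*.paste.example",)),
]

# Constructed sample of queried names as a resolver would see them.
SAMPLE_QUERIES = ["s3.us-east-1.amazonaws.com", "Update.BAD.example.", "malware.example",
                  "files.paste.example", "updates.vendor.test"]

if __name__ == "__main__":
    for qname in SAMPLE_QUERIES:
        print(qname, "->", evaluate_query(EGRESS_RULE_GROUP, qname))
    print(triage(EGRESS_RULE_GROUP, SAMPLE_QUERIES))
```

Note what the model never looks at: the destination IP address and the transport. As the slide states, the service filters on domain names in DNS traffic only, so it is an egress control for name resolution, to be layered with security group and network ACL egress rules rather than used on its own.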


Self-Managed DNS Solution

Customers with self-managed DNS can use AWS Global Accelerator and AWS Shield Advanced to incorporate
some of the same techniques used by Amazon Route 53.

This type of solution includes a DNS canary, which uses Route 53 health checks and Amazon CloudWatch to
monitor whether DNS servers and applications stop responding to queries.

1. To begin, create an accelerator and add your existing (customer-managed) DNS servers as endpoints. The
newly created accelerator will receive queries and forward them to your DNS service.
2. Using Amazon CloudWatch, update the status of a Route 53 health check in case your self-managed DNS
service stops responding to queries.
3. Protect your accelerator with Shield Advanced and monitor the health of your application using Amazon
Route 53 health checks (DNS canary).


Security inside the VPC
Section 2 of 4

Flexibility is important, but so is security! Amazon VPC is a mature product with numerous features and services
that you can use to improve operations and security inside your environment. We will explore implementation
of some of these security features in more depth to include:

• Network access control lists or ACLs operate as virtual, horizontally scalable, stateless packet filtering devices
at the subnet level.
• Security groups act as virtual firewalls at the instance level, allowing stateful traffic filtering.

In this section, you will learn about ways that you can filter traffic, ensure availability of your resources, and
monitor traffic of interest for potential malicious activity. Filtering methods are based on the best practice
recommendation of using network ACLs and Security Groups for filtering. You will also cover using AWS Global
infrastructure and load balancing for high availability.


Overall network security guidance


• Layer security groups and network ACLs together.
• Use multiple Availability Zone deployments and Elastic Load Balancing (ELB) for high availability.
• Use out-of-band management whenever possible.
• Use Amazon CloudWatch to monitor your VPC components (covered in module 4).
• Use flow logs to capture information about traffic in your VPC (covered in module 4).
• Always use Identity and Access Management (IAM) to limit access to your resources, including the VPC and
related components.

Some of the best practices for overall network security are as follows:
• Layer the security groups and network ACLs together. Use security groups as the primary mechanism for
controlling network access to VPCs. When necessary, use network ACLs sparingly to provide stateless, coarse-
grained network control. Security groups are more versatile than network ACLs because of their ability to
perform stateful packet filtering and create rules that reference other security groups. However, network
ACLs can be effective as a secondary control for denying a specific subset of traffic or providing high-level
subnet guard rails. Also, because network ACLs apply to an entire subnet, they can be used as defense-in-
depth in case an instance is ever launched unintentionally without a correct security group.
• Use multiple Availability Zone deployments and Elastic Load Balancing or ELB for high availability.
• Use out-of-band management whenever possible. A good example of this is using AWS Systems Manager
(SSM) Session Manager instead of SSH over the public internet. With SSH, you would need to open a port
through a security group rule; Session Manager instead uses an IAM role to connect to the instance.
• Use Amazon CloudWatch to monitor your VPC components (covered in module 4).
• Use flow logs to capture information about traffic in your VPC (covered in module 4).
• Always use Identity and Access Management (IAM) to limit access to your resources, including the VPC and
related components.


Network filtering methods


Stateless:
• Focus on the content of individual packets
• Generally use information from headers (IP source or destination, protocol, and so on) for filtering
• Generally fast and has no issue with heavy traffic loads
• Includes network access control lists

Stateful:
• Track and filter all traffic that is part of a stateful association (for example, in the same TCP session)
• Can identify TCP connection stages, packet state, and other key statuses
• Includes security groups and firewalls

Incoming traffic destined for your network is filtered by network ACLs before it is filtered by security groups.
This means that traffic that is permitted by a network ACL can then be filtered by a security group, but traffic
stopped by a network ACL never makes it any further. The opposite is true for outgoing traffic; it is first filtered
by the security group, and if permitted, it will be processed again by the network ACL. Based on the order of
processing, one example for implementing network ACLs and security groups together is using broad rules in
network ACLs and fine-grained rules with security groups. First, you will explore network ACLs, followed by
security groups.


Network ACL review


• Provide stateless filtering for subnets
• Apply to one or more subnets
• Sequentially process rules
• Specify a traffic source with inbound rules
• Specify a destination with outbound rules
• Create rules using increments
Default mode: explicit deny and implicit allow

In AWS, a network ACL controls traffic to or from a subnet. This is accomplished with a set of inbound and
outbound rules in a numbered list. The rules are evaluated in order, starting with the lowest numbered rule.
When a match to the criteria in the rule is made, the list stops processing and determines the actions for the
matching traffic based on the matched rule.

Because network ACLs function at the subnet level of a VPC, each network ACL can be applied to one or more
subnets, but each subnet is required to be associated with only one network ACL. When a VPC is created, AWS
automatically creates a default network ACL for it. You can add and remove rules from the default network ACL,
but you cannot delete the network ACL itself. A custom network ACL can replace the default network ACL and
provide stateless filtering specific to subnets.

The following are some recommendations and considerations when using network ACLs:
• Configure the network ACL to narrow the scope of traffic permitted between layers (define both inbound and
outbound rules).
• Inbound rules can only specify a traffic source (it is implied that the destination is within the VPC or subnet
behind the network ACL).
• Outbound rules have a source and destination (they can apply to one or many IPs destined to broad or
specific destinations).
• Create rules using increments (for example, increments of 10 or 100) so that you can insert new rules where
you need to later.


Using network ACLs in your VPC

• Remember the default network ACL.
• Monitor and audit network ACLs for ineffective “deny” rules.
• Consider limitations.
• Do not ignore outbound rules on network ACLs.

Some of the best practices for network access control lists are as follows:
• VPCs come with a default network ACL that allows all inbound and outbound traffic. For custom network
ACLs, both inbound and outbound traffic is denied until you add rules. Remember that if you have not created
a custom network ACL, any resources in the VPC will be associated with the default network ACL. This will
allow all traffic into and out of the network, which is often overly permissive.
• Rules meant to deny traffic that are either misconfigured or ineffectual inadvertently promote overly
permissive access to a VPC. Be mindful of the order of the deny rules within your network ACLs, as they are
evaluated in order.
• Know the limitations of applying network ACLs before configuring them. For example, there is a default limit
of 20 rules per list for both inbound and outbound network ACLs. AWS can provide additional rules on
request, but the absolute maximum is 40.
• Configure outbound rules to limit access to the required ports or port ranges.


Test yourself: Inbound access


REQUIREMENTS:
• The DNS queries, HTTPS and SMTP traffic sourced from your on-premises network 192.0.2.0/28
are allowed to reach subnet A in your VPC.
• All other inbound traffic should be denied.

Rule # | Type | Protocol | Port range / ICMP type | Source | Allow / Deny
10 | UDP | DNS | 53 | 192.0.2.0/28 | ALLOW
20 | TCP | HTTPS | 443 | 10.0.0.0/17 | ALLOW
30 | TCP | SMTP | 25 | 10.0.0.0/17 | ALLOW
* | All IPv4 Traffic | ALL | ALL | 0.0.0.0/0 | DENY

How can you fix this network ACL?

• VPC subnet A: 10.0.0.0/17
• VPC subnet B: 10.0.128.0/17
• On-premises network: 192.0.2.0/28

Issue:
The network access control list is configured, but you have been notified that subnet A in your VPC is ONLY
receiving DNS traffic from the on-premises network. You must determine why HTTPS and SMTP are not being
received and how to resolve this issue.

Consider network ACL sources for inbound traffic (from the on-premises network, destined to the VPC), and try
to determine what change can be made to correct this issue. When ready, move on to see the solution.


Solution: Source address misconfiguration


In this scenario, the network ACL is inbound, meaning that the source of traffic is outside the
subnet.
• Rules 20 and 30 have the correct protocol, port number, and action, but their source network
was mistakenly set to 10.0.0.0/17. This is the destination for traffic inbound to the subnet; the
source is the on-premises network at 192.0.2.0/28.

Rule # | Type | Protocol | Port range / ICMP type | Source | Allow / Deny
10 | UDP | DNS | 53 | 192.0.2.0/28 | ALLOW
20 | TCP | HTTPS | 443 | 192.0.2.0/28 | ALLOW (corrected subnet)
30 | TCP | SMTP | 25 | 192.0.2.0/28 | ALLOW (corrected subnet)
* | All IPv4 Traffic | ALL | ALL | 0.0.0.0/0 | DENY


Test yourself: Outbound access


REQUIREMENTS:
• SSH and RDP traffic sourced from your VPC must be DENIED to the on-premises network of
192.0.2.0/24.
• All other traffic from your VPC should be permitted through.

Rule # | Type | Protocol | Port range / ICMP type | Destination | Allow / Deny
10 | All IPv4 Traffic | ALL | ALL | 192.0.2.0/28 | ALLOW
20 | TCP | RDP | 3389 | 192.0.2.0/28 | DENY
30 | TCP | SSH | 22 | 192.0.2.0/28 | DENY
* | All IPv4 Traffic | ALL | ALL | 0.0.0.0/0 | DENY

How can you fix this network ACL?

• VPC subnet A: 10.0.0.0/17
• VPC subnet B: 10.0.128.0/17
• On-premises network: 192.0.2.0/28

Issue:
The network access list is configured, but you have been notified that your on-premises network can still
receive SSH and RDP traffic from both subnets A and B in your AWS VPC. You must determine why this traffic is
still allowed and how to resolve this issue.

Consider network ACL processing order, and try to determine what change can be made to correct this issue.
When ready, move on to see the solution.


Solution: Rule order and processing


In this scenario, the first rule (10) allows all traffic, on all ports and protocols, from your VPC
outbound to the on-premises network. All traffic (including RDP and SSH) will match the first rule
here, so rules 20 and 30 will not be processed and have no effect.
• You must first deny the specific traffic types you want to stop from reaching the on-premises
network before allowing all other traffic.

Rule # | Type | Protocol | Port range / ICMP type | Destination | Allow / Deny
10 | All IPv4 Traffic | ALL | ALL | 192.0.2.0/28 | ALLOW (remove rule #10)
20 | TCP | RDP | 3389 | 192.0.2.0/28 | DENY
30 | TCP | SSH | 22 | 192.0.2.0/28 | DENY
40 | All IPv4 Traffic | ALL | ALL | 192.0.2.0/28 | ALLOW (the allow statement, moved to the end of the list)
* | All IPv4 Traffic | ALL | ALL | 0.0.0.0/0 | DENY
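Both "Test yourself" scenarios can be replayed with the following added Python model (it is not AWS code). `evaluate_nacl` processes a rule list the way a network ACL does: lowest number first, first match decides, catch-all deny at the end. `shadowed_rules` audits a list for rules that an earlier, broader rule prevents from ever matching, which is how the ineffective deny rules of the outbound scenario show up in a review. The rule tables are the ones from the slides; the sample packet addresses 192.0.2.5 and 192.0.2.9 are constructed.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple, Union


@dataclass(frozen=True)
class NaclRule:
    number: int                       # evaluated lowest number first; leave gaps (10, 20, ...) for later inserts
    protocol: str                     # "tcp", "udp", "icmp" or "all"
    ports: Optional[Tuple[int, int]]  # (low, high) port range, or None for all ports
    cidr: str                         # source for an inbound list, destination for an outbound list
    action: str                       # "ALLOW" or "DENY"


def evaluate_nacl(rules: List[NaclRule], protocol: str, port: int, address: str
                  ) -> Tuple[str, Union[int, str]]:
    """Return (action, matching rule number) for one packet.

    Network ACLs are stateless and first-match: the lowest-numbered rule that matches decides,
    later rules are never consulted, and the catch-all '*' rule denies anything left over.
    """
    addr = ipaddress.ip_address(address)
    for rule in sorted(rules, key=lambda r: r.number):
        if rule.protocol != "all" and rule.protocol != protocol:
            continue
        if rule.ports is not None and not rule.ports[0] <= port <= rule.ports[1]:
            continue
        if addr not in ipaddress.ip_network(rule.cidr):
            continue
        return rule.action, rule.number
    return "DENY", "*"


def shadowed_rules(rules: List[NaclRule]) -> List[Tuple[int, int]]:
    """Audit helper: (rule, earlier rule) pairs where the earlier, broader rule always matches first,
    so the later rule can never take effect. A DENY reported here is exactly the ineffective
    deny rule the best practices warn about."""
    ordered = sorted(rules, key=lambda r: r.number)
    findings = []
    for i, rule in enumerate(ordered):
        net = ipaddress.ip_network(rule.cidr)
        for earlier in ordered[:i]:
            proto_ok = earlier.protocol in ("all", rule.protocol)
            ports_ok = earlier.ports is None or (
                rule.ports is not None
                and earlier.ports[0] <= rule.ports[0] and rule.ports[1] <= earlier.ports[1])
            cidr_ok = net.subnet_of(ipaddress.ip_network(earlier.cidr))
            if proto_ok and ports_ok and cidr_ok:
                findings.append((rule.number, earlier.number))
                break
    return findings


# Test yourself 1 (inbound list on subnet A): rules 20 and 30 name the subnet itself as the source.
INBOUND_BROKEN = [
    NaclRule(10, "udp", (53, 53), "192.0.2.0/28", "ALLOW"),
    NaclRule(20, "tcp", (443, 443), "10.0.0.0/17", "ALLOW"),
    NaclRule(30, "tcp", (25, 25), "10.0.0.0/17", "ALLOW"),
]
# Corrected: the source of inbound traffic is the on-premises network.
INBOUND_FIXED = [
    NaclRule(10, "udp", (53, 53), "192.0.2.0/28", "ALLOW"),
    NaclRule(20, "tcp", (443, 443), "192.0.2.0/28", "ALLOW"),
    NaclRule(30, "tcp", (25, 25), "192.0.2.0/28", "ALLOW"),
]
# Test yourself 2 (outbound list): rule 10 allows everything, so the deny rules never match.
OUTBOUND_BROKEN = [
    NaclRule(10, "all", None, "192.0.2.0/28", "ALLOW"),
    NaclRule(20, "tcp", (3389, 3389), "192.0.2.0/28", "DENY"),
    NaclRule(30, "tcp", (22, 22), "192.0.2.0/28", "DENY"),
]
# Corrected: the specific denies come first and the broad allow moves to the end of the list.
OUTBOUND_FIXED = [
    NaclRule(20, "tcp", (3389, 3389), "192.0.2.0/28", "DENY"),
    NaclRule(30, "tcp", (22, 22), "192.0.2.0/28", "DENY"),
    NaclRule(40, "all", None, "192.0.2.0/28", "ALLOW"),
]

if __name__ == "__main__":
    print("HTTPS from 192.0.2.5, broken inbound list:", evaluate_nacl(INBOUND_BROKEN, "tcp", 443, "192.0.2.5"))
    print("HTTPS from 192.0.2.5, fixed inbound list: ", evaluate_nacl(INBOUND_FIXED, "tcp", 443, "192.0.2.5"))
    print("SSH to 192.0.2.9, broken outbound list:   ", evaluate_nacl(OUTBOUND_BROKEN, "tcp", 22, "192.0.2.9"))
    print("SSH to 192.0.2.9, fixed outbound list:    ", evaluate_nacl(OUTBOUND_FIXED, "tcp", 22, "192.0.2.9"))
    print("shadowed rules in the broken outbound list:", shadowed_rules(OUTBOUND_BROKEN))
```

Because the list is stateless, the evaluator has to be run separately for each direction: the corrected inbound list admits HTTPS from the on-premises network, but the replies only leave subnet A if the outbound list also allows the ephemeral return ports. A security group, being stateful, needs no such return rule, which is one reason the course recommends security groups as the primary control and network ACLs as the coarse secondary layer.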


Security group review

Default security group:
• Permits all inbound traffic from members of the same security group (rule present)
• Permits all outbound traffic (rule present)

Custom security group:
• Permits no inbound traffic (no rule present)
• Permits all outbound traffic (rule present)

Essentially, a security group is a stateful firewall configuration for your Amazon Elastic Compute Cloud or
Amazon EC2 instances. Because security groups function at the instance level of a VPC, each security group can
be applied to one or more instances, even across subnets. Each instance is required to be associated with one
or more security groups.

Security groups define which ports on the machine are reachable for incoming traffic (and, if configured, what
traffic is permitted outbound from the instance). Much like with network ACLs, when you create a VPC, AWS
automatically creates a default security group for it. Instances are associated with the default security group if
you do not create and select a custom security group for them. You can add and remove rules from a default
security group, but you cannot delete the default security group itself. Security groups only support allow.
Many filtering systems have deny rules or options; security groups block everything unless there is a rule
specifically allowing it through. The default mode for a security group is explicit allow and implicit deny.

Note: A security group is associated with a network interface that is attached to an instance, but we don’t
discuss that detail for simplicity.

The default state for the default security group is as follows:


• Permits all inbound traffic from members of the same security group (rule present)
• Permits all outbound traffic (rule present)
• Default mode is explicit allow and implicit deny

The default state for a custom security group is as follows:


• Permits no inbound traffic (no rule present)
• Permits all outbound traffic (rule present)
• Security groups only support allow


Using security groups in your VPC

• Never keep unattached security groups.
• Track rate of change in production environments.
• Ensure that security groups do not have a large range of ports open.
• Use security groups with elastic load balancers to restrict access to the internet.
• Limit modifications to only certain IAM roles.
• Do not ignore outbound rules of security groups.

Some of the best practices for security groups are as follows:

• Never keep unattached security groups. Unattached security groups could be applied unnoticed or
inadvertently, resulting in security concerns such as an EC2 instance being exposed to the internet.
• Track the rate of change in security group creation in production environments; security groups that are
created and deleted quickly might indicate suspicious activity. This is something that can be accomplished
with AWS Config, for example.
• Security groups with large ranges of open ports expose resources and may result in exploitation. They also
make attacks on exposed vulnerabilities very difficult to investigate.
• Use elastic load balancers to receive all incoming traffic from the internet and forward it to your web servers
(or other internet-facing resources), then limit incoming traffic for those web servers (or other resources) to
allow only ELB traffic.
• Limit active security group modifications to only certain IAM roles. You should only authorize specific users to
modify resource-specific security groups according to the principle of least privilege.
• Do not forget about outbound rules of security groups; set restrictions. Security groups attached to resources
within a particular layer of your architecture should only allow egress connections to the layers where
connectivity is needed.


Layering security groups: example topology


In this example topology, instances in the private and sensitive subnets will have multiple security groups
applied to them. For simplicity, this example is only discussing and depicting inbound rules for the security
groups.

1. For the first security group, the requirement is that the bastion instance can connect to web and app
instances on port 22. See Security Group 1.
2. For the second security group, the requirement is that web instances can connect to app instances on port
8080. See Security Group 2.
3. For the third security group, the requirement is that app instances must connect to database instances on
port 3306. See Security Group 3.
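The best-practice list above and this layered topology can both be checked mechanically from the data the EC2 API already returns. The following Python script is an added example, not part of the course material or of any AWS tool: it models the three security groups of the topology (plus an ELB tier and a forgotten, unattached group) as constructed DescribeSecurityGroups and DescribeNetworkInterfaces output, with invented group ids, CIDRs and ENI ids, and applies the inbound-rule checks offline. The ELB group name used to whitelist internet exposure and the 100-port threshold are assumptions of the example.

```python
"""Offline audit of security group rules: unattached groups, wide port ranges,
internet exposure outside the ELB tier, and tier-to-tier reachability.

Input is a constructed sample in the shape of the EC2 DescribeSecurityGroups
and DescribeNetworkInterfaces responses; no AWS calls are made.
"""
from typing import List

# Constructed sample modelled on the example topology: bastion -> web/app :22,
# web -> app :8080, app -> db :3306, plus an ELB tier and a leftover group.
SECURITY_GROUPS: List[dict] = [
    {"GroupId": "sg-bastion", "GroupName": "bastion", "IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
         "IpRanges": [{"CidrIp": "203.0.113.0/24"}], "UserIdGroupPairs": []}]},
    {"GroupId": "sg-elb", "GroupName": "elb", "IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443,
         "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "UserIdGroupPairs": []}]},
    {"GroupId": "sg-web", "GroupName": "web", "IpPermissions": [          # SG 1
        {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22, "IpRanges": [],
         "UserIdGroupPairs": [{"GroupId": "sg-bastion"}]},
        {"IpProtocol": "tcp", "FromPort": 80, "ToPort": 80, "IpRanges": [],
         "UserIdGroupPairs": [{"GroupId": "sg-elb"}]}]},
    {"GroupId": "sg-app", "GroupName": "app", "IpPermissions": [          # SG 1 + SG 2
        {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22, "IpRanges": [],
         "UserIdGroupPairs": [{"GroupId": "sg-bastion"}]},
        {"IpProtocol": "tcp", "FromPort": 8080, "ToPort": 8080, "IpRanges": [],
         "UserIdGroupPairs": [{"GroupId": "sg-web"}]}]},
    {"GroupId": "sg-db", "GroupName": "db", "IpPermissions": [            # SG 3
        {"IpProtocol": "tcp", "FromPort": 3306, "ToPort": 3306, "IpRanges": [],
         "UserIdGroupPairs": [{"GroupId": "sg-app"}]}]},
    # Unattached leftover from testing: every port, open to the world.
    {"GroupId": "sg-legacy", "GroupName": "legacy-test", "IpPermissions": [
        {"IpProtocol": "-1", "IpRanges": [{"CidrIp": "0.0.0.0/0"}],
         "UserIdGroupPairs": []}]},
]

# Constructed DescribeNetworkInterfaces excerpt: which groups are actually in use.
NETWORK_INTERFACES: List[dict] = [
    {"NetworkInterfaceId": "eni-1", "Groups": [{"GroupId": "sg-bastion"}]},
    {"NetworkInterfaceId": "eni-2", "Groups": [{"GroupId": "sg-elb"}]},
    {"NetworkInterfaceId": "eni-3", "Groups": [{"GroupId": "sg-web"}]},
    {"NetworkInterfaceId": "eni-4", "Groups": [{"GroupId": "sg-app"}]},
    {"NetworkInterfaceId": "eni-5", "Groups": [{"GroupId": "sg-db"}]},
]

INTERNET = {"0.0.0.0/0", "::/0"}
ALL_PORTS = 65536


def port_span(rule: dict) -> int:
    """Number of ports a rule opens; protocol -1 means every port."""
    if rule["IpProtocol"] == "-1":
        return ALL_PORTS
    return rule["ToPort"] - rule["FromPort"] + 1


def find_unattached(groups: List[dict], interfaces: List[dict]) -> List[str]:
    """Groups not referenced by any network interface (best practice 1)."""
    in_use = {g["GroupId"] for eni in interfaces for g in eni["Groups"]}
    return sorted(g["GroupId"] for g in groups if g["GroupId"] not in in_use)


def find_wide_rules(groups: List[dict], max_ports: int = 100) -> List[tuple]:
    """(group, first port, last port) for rules opening more than max_ports (best practice 3)."""
    return [(g["GroupId"], r.get("FromPort", 0), r.get("ToPort", ALL_PORTS - 1))
            for g in groups for r in g["IpPermissions"] if port_span(r) > max_ports]


def find_internet_exposed(groups: List[dict], allowed=("sg-elb",)) -> List[tuple]:
    """Rules reachable from the whole internet on groups other than the ELB tier (best practice 4)."""
    return [(g["GroupId"], r["IpProtocol"], r.get("FromPort"))
            for g in groups if g["GroupId"] not in allowed
            for r in g["IpPermissions"]
            for cidr in r["IpRanges"] if cidr["CidrIp"] in INTERNET]


def inbound_allowed(groups: List[dict], dst: str, src: str, port: int) -> bool:
    """Does group dst admit TCP traffic on port from members of group src? (layering check)"""
    by_id = {g["GroupId"]: g for g in groups}
    for r in by_id[dst]["IpPermissions"]:
        if r["IpProtocol"] not in ("tcp", "-1"):
            continue
        if r["IpProtocol"] == "-1" or r["FromPort"] <= port <= r["ToPort"]:
            if any(p["GroupId"] == src for p in r["UserIdGroupPairs"]):
                return True
    return False


if __name__ == "__main__":
    print("unattached:", find_unattached(SECURITY_GROUPS, NETWORK_INTERFACES))
    print("wide rules:", find_wide_rules(SECURITY_GROUPS))
    print("internet exposed:", find_internet_exposed(SECURITY_GROUPS))
    print("db reachable from app on 3306:", inbound_allowed(SECURITY_GROUPS, "sg-db", "sg-app", 3306))
    print("db reachable from web on 3306:", inbound_allowed(SECURITY_GROUPS, "sg-db", "sg-web", 3306))
```

Against the sample, only the unattached legacy group trips the first three checks, and the reachability check confirms that the database tier accepts 3306 from the app tier but not from the web tier. Run against real API output, the same functions turn the slide's advice into something AWS Config or a scheduled job can enforce.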


Service highlight: AWS Network Firewall

AWS Network Firewall is a managed network protection service that provides the following:
• Stateful firewall
• Web filtering
• Intrusion protection
• Central management and visibility
• Rule management and customization
• Partner integrations

AWS Network Firewall is a managed service that makes it easy to deploy essential network protections for all of
your Amazon Virtual Private Clouds or VPCs. The service can be quickly set up and scales automatically with
your network traffic. You can define firewall rules that give you fine-grained control over network traffic, or
import rules you’ve already written in common open-source rule formats. There are numerous integrations
available that provide managed intelligence feeds sourced by AWS partners. AWS Network Firewall works
together with AWS Firewall Manager for centralized control and visibility, so you can build and apply policies
across your VPCs and accounts.

AWS Network Firewall provides stateful filtering, which can incorporate context from traffic flows, such as connection
tracking and protocol identification, to enforce policies such as preventing your VPCs from accessing
domains using an unauthorized protocol. It also includes an intrusion prevention system (IPS) for active traffic
flow inspection, so you can identify and block vulnerability exploits using signature-based detection. Finally, it
can provide web filtering that stops traffic to known bad URLs and monitors fully qualified domain names.


Building for availability


Availability is an important part of the C-I-A triad.


While it is important that unauthorized users are restricted from your data and systems, systems should be
available to authorized users whenever they require them. Availability is often an overlooked component of
security. Amazon's vast cloud network provides a solid foundation on which you can build a stable and secure
environment. Using a global infrastructure, you can build a highly reliable and available environment to support
your workload.


Global availability
Regions and Availability Zones
• AWS Global Infrastructure spans 99 Availability Zones within 31 geographic regions around the world (as of 21 February 2023).

The AWS Global Cloud Infrastructure is the most secure, extensive, and reliable public cloud platform available,
offering over 200 fully featured services from data centers globally. AWS customers are in 245 countries and
territories. Additionally, services like Amazon CloudFront and Amazon Route 53 are offered at AWS Edge
locations to help keep your resources available. Building a highly available and resilient workload is an
important part of security that is often overlooked.

(Data as of 21 February 2023)


VPC and AZ availability

Elastic Load Balancer
• ELB distributes traffic over a group of resources in one or more Availability Zones.
• Deploy ELB with AWS Application Auto Scaling, AWS Auto Scaling, or Amazon EC2 Auto Scaling.
• Choose the type of load balancing device you need.
• (Best practice) Use security groups to protect ELB.

It is important that data and services are available when they are needed. Load balancing is another way you
can help to keep resources available during high-demand periods and during distributed denial of service (DDoS)
attacks. AWS Elastic Load Balancing (ELB) is used with a VPC, distributing traffic over a group of resources
in one or more Availability Zones.


Management traffic best practices


• Use additional security groups or network interfaces to control
Amazon EC2 instance management traffic separately from regular
application traffic.
• Implement special IAM policies for change control and auditing.


Depending on an organization's requirements and resources, there might be situations when an out-of-band
management network is required. Management traffic is sensitive and should be separated from
production or development traffic whenever possible.
This means a network dedicated to the traffic used to connect to, access, and manage devices or systems. This can
include the following:
• Remote access from or through on-premises connected devices
• Managing network and security appliances (such as third-party or Partner solutions)
• Creating dual-homed instances with workloads and roles in distinct subnets

Consider using additional security groups or network interfaces to control and audit Amazon EC2 instance
management traffic separately from regular application traffic. This approach allows customers to implement
special IAM policies for change control, making it easier to audit changes to security group rules or automated
rule-verification scripts. Multiple network interfaces also provide additional options for controlling network
traffic, including the ability to create host-based routing policies or use different VPC subnet routing rules based
on network interfaces assigned to a subnet.


Security services
Section 3 of 4



Threat highlight: Distributed denial of service attack

• DDoS attacks are most common at layers 6-7 and 3-4 in the Open Systems Interconnection (OSI) model.

A DDoS attack is a malicious attempt to affect the availability of a targeted system, such as a website or
application, to legitimate end users. Typically, attackers generate large volumes of packets or requests,
ultimately overwhelming the target system. In a DDoS attack, the attacker uses multiple compromised or
controlled sources to generate the attack. DDoS attacks can be categorized by which layer of the OSI model they
target. DDoS attacks are most common at the following Open Systems Interconnection (OSI) model layers:
• Network (layer 3)
• Transport (layer 4)
• Presentation (layer 6)
• Application (layer 7)


AWS Shield

Standard Protection
• Available to all AWS customers at no additional cost
• Automatic detection and mitigation
• Protection from most common DDoS attacks

Advanced Protection
• Paid service that provides additional protection, features, and benefits.
• Includes Shield Response Team (SRT), AWS WAF for layer 7 DDoS attack mitigation, and AWS Firewall Manager

AWS Shield Standard protects against DDoS attacks at layers 3 and 4 which are typically categorized as
infrastructure layer attacks. These are the most common type of DDoS attack, but fortunately, these attacks also
have clear signatures and are easy to detect. AWS Shield Standard provides the following protections:
• Provides always-on network flow monitoring
• Inspects traffic using traffic signatures, anomaly algorithms, and other analysis techniques
• Defends against common, frequently occurring infrastructure attacks
• Provided to all AWS customers at no additional charge

AWS Shield Advanced includes the standard features of AWS Shield, with the addition of tailored detection
based on application traffic patterns, health-based detection, advanced attack mitigation, visibility and attack
notification, DDoS cost protection, and proactive event response. Shield Advanced provides globally available,
centralized protection management and specialized support. In addition to standard protection from L3 and L4
attacks (such as SYN/UDP floods, reflection attacks, and so on), Shield Advanced provides specific
monitoring and protection for a number of resource types. The full list of resource types can be found at
https://docs.aws.amazon.com/waf/latest/developerguide/ddos-advanced-summary-protected-resources.html.

For resources protected using Shield Advanced, customers get AWS WAF and AWS Firewall Manager, a security
management service, at no additional cost. This combination of services can provide considerable value to you.

You can learn more about AWS best practices for DDoS resiliency at
https://docs.aws.amazon.com/whitepapers/latest/aws-best-practices-ddos-resiliency/welcome.html.


Shield Response Team (SRT)


• Shield Advanced includes the option to
receive proactive support from the Shield
Response Team (SRT).
• During a DDoS attack, the SRT will provide
resolution support if necessary.


One of the benefits of Shield Advanced is the option to receive proactive support from the Shield Response
Team (SRT). If you experience a potential DDoS attack, you can contact the AWS Support Center. The support
center can escalate your issue to the SRT if necessary.

On contact, the SRT will help you analyze the suspicious activity you are experiencing and assist in mitigating the
issue. This mitigation often involves creating or updating AWS WAF classic rules and web ACLs in your account.
The SRT can inspect your AWS WAF configuration and create or update AWS WAF rules and web ACLs for you,
but the team needs your authorization to do so. We recommend that as part of setting up Shield Advanced, you
proactively provide the SRT with the necessary authorization. Providing authorization ahead of time helps
prevent mitigation delays in the event of an actual attack.


AWS Web Application Firewall (WAF)

AWS WAF filters traffic for your web applications based on the following criteria:
• IP address origin of the request
• Country of origin of the request
• String match or regular expression (regex) match in a part of the request
• Size of a particular part of the request
• Malicious SQL code or scripting
• Provided to customers using AWS Shield Advanced for no additional cost (adds additional DDoS protection)

DDoS attacks also occur at layers 6 and 7, and although less common than infrastructure DDoS attacks, they
tend to be more sophisticated. This is just one type of attack that AWS WAF can help you mitigate. You can
use custom or managed rules to block or count web requests that not only meet the specified conditions, but
also exceed a specified number of requests in any 5-minute period. Although there are many managed rules
available, it is up to you to determine the custom or managed rules you will use and associate them with the
appropriate web access control list (web ACL).

Note: AWS WAF is included with AWS Shield Advanced.


AWS WAF rules and rule groups


Managed rules are a set of rules written, curated, and managed by AWS and AWS Marketplace Sellers that can
be used to quickly get started protecting your web application or APIs against common threats. Managed rules
can be used alone, or along with your custom AWS WAF rules. You can create custom rules, use rules
individually or use multiple rules in reusable rule groups. AWS Managed Rules rule groups are available for free
to AWS WAF customers, while AWS Marketplace managed rule groups are available by subscription through
AWS Marketplace.

The example on the slide shows a web ACL containing two custom rules that allow you to manually insert IP
addresses that you want to block (deny list) or allow (allow list). It also contains a managed rule group made of
two rules. The “HTTP flood” rule protects against attacks that consist of many requests from a particular IP
address, such as a web-layer DDoS attack or a brute-force login attempt. The “SQL injection” rule is designed to
protect against common SQL injection patterns in the Uniform Resource Identifier (URI), query string, or body of
a request.


Demonstration: AWS WAF

AWS WAF supports many filtering options for stopping malicious HTTP requests from reaching your resources. The lack of a User-Agent header in a request may indicate a bot or API-based request.

The tasks covered in this demonstration will help you to:
• Create a rule that will block web requests using regex or a size constraint.

By default, AWS WAF filters don't check if HTTP request parameters are present or not. However, you can create
a rule with conditions to check for those parameters.

Using AWS WAF, you may choose one of the two following options to block requests without a User-Agent set
in the header:
• Create a rule with a regex pattern set.
• Create a rule with a size constraint condition.
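Both options from the demonstration can be written down as AWS WAF (v2) rule JSON and exercised against sample requests before they go into a web ACL. The Python below is an added example, not part of the course or of the AWS WAF service: the two rule objects use the real WAFv2 field names (SizeConstraintStatement, RegexPatternSetReferenceStatement, FieldToMatch, TextTransformations), while the evaluator is a deliberately small local model of how a web ACL walks its rules. The pattern set ARN is a placeholder, the requests are constructed, and treating an absent header as an empty string is an assumption of this model rather than a statement about WAF internals.

```python
"""Local model of the two AWS WAF rule options for blocking requests that
lack a User-Agent header: a size constraint and a regex pattern set."""
import operator
import re
from typing import Dict, List

# Placeholder ARN for the regex pattern set (not a real resource).
PATTERN_SET_ARN = ("arn:aws:wafv2:us-east-1:111122223333:regional/"
                   "regexpatternset/empty-user-agent/EXAMPLE-ID")

# Constructed pattern set: ^$ matches only an empty header value.
REGEX_PATTERN_SETS: Dict[str, List[dict]] = {PATTERN_SET_ARN: [{"RegexString": "^$"}]}

_UA_FIELD = {"SingleHeader": {"Name": "user-agent"}}
_NO_TRANSFORM = [{"Priority": 0, "Type": "NONE"}]


def _visibility(metric: str) -> dict:
    return {"SampledRequestsEnabled": True, "CloudWatchMetricsEnabled": True,
            "MetricName": metric}


# Option 1: block when the User-Agent header is 0 bytes long.
SIZE_RULE = {
    "Name": "block-missing-user-agent-size", "Priority": 0,
    "Action": {"Block": {}},
    "Statement": {"SizeConstraintStatement": {
        "FieldToMatch": _UA_FIELD, "ComparisonOperator": "LE", "Size": 0,
        "TextTransformations": _NO_TRANSFORM}},
    "VisibilityConfig": _visibility("missing-ua-size"),
}

# Option 2: block when the User-Agent header matches the ^$ pattern set.
REGEX_RULE = {
    "Name": "block-missing-user-agent-regex", "Priority": 1,
    "Action": {"Block": {}},
    "Statement": {"RegexPatternSetReferenceStatement": {
        "ARN": PATTERN_SET_ARN, "FieldToMatch": _UA_FIELD,
        "TextTransformations": _NO_TRANSFORM}},
    "VisibilityConfig": _visibility("missing-ua-regex"),
}

_COMPARE = {"EQ": operator.eq, "NE": operator.ne, "LE": operator.le,
            "LT": operator.lt, "GE": operator.ge, "GT": operator.gt}


def header_value(request: dict, name: str) -> str:
    """Case-insensitive header lookup. An absent header is modelled as "" here
    (assumption of this local model), which is exactly the case both rules target."""
    for key, value in request["headers"].items():
        if key.lower() == name.lower():
            return value
    return ""


def transform(value: str, transformations: List[dict]) -> str:
    """Apply the subset of WAF text transformations this model understands."""
    for t in sorted(transformations, key=lambda t: t["Priority"]):
        if t["Type"] == "LOWERCASE":
            value = value.lower()
        elif t["Type"] == "COMPRESS_WHITE_SPACE":
            value = re.sub(r"\s+", " ", value)
        # "NONE" leaves the value as it is.
    return value


def statement_matches(statement: dict, request: dict) -> bool:
    if "SizeConstraintStatement" in statement:
        s = statement["SizeConstraintStatement"]
        value = transform(header_value(request, s["FieldToMatch"]["SingleHeader"]["Name"]),
                          s["TextTransformations"])
        return _COMPARE[s["ComparisonOperator"]](len(value.encode("utf-8")), s["Size"])
    if "RegexPatternSetReferenceStatement" in statement:
        s = statement["RegexPatternSetReferenceStatement"]
        value = transform(header_value(request, s["FieldToMatch"]["SingleHeader"]["Name"]),
                          s["TextTransformations"])
        return any(re.search(p["RegexString"], value) for p in REGEX_PATTERN_SETS[s["ARN"]])
    raise ValueError(f"statement type not modelled: {list(statement)}")


def evaluate(rules: List[dict], request: dict, default_action: str = "Allow") -> str:
    """Walk rules in priority order; the first Allow/Block match decides, Count
    rules are recorded but do not stop evaluation, else the web ACL default applies."""
    for rule in sorted(rules, key=lambda r: r["Priority"]):
        if statement_matches(rule["Statement"], request):
            action = next(iter(rule["Action"]))
            if action != "Count":
                return action
    return default_action


# Constructed requests: a browser, a client that sends no User-Agent, and one
# that sends the header with an empty value.
REQUESTS = {
    "browser": {"headers": {"Host": "www.example.com", "User-Agent": "Mozilla/5.0 (X11; Linux x86_64)"}},
    "no_ua": {"headers": {"Host": "www.example.com"}},
    "empty_ua": {"headers": {"Host": "www.example.com", "user-agent": ""}},
}

if __name__ == "__main__":
    for name, req in REQUESTS.items():
        print(f"{name:9s} size-rule={evaluate([SIZE_RULE], req):5s} regex-rule={evaluate([REGEX_RULE], req)}")
```

Either rule alone blocks the two header-less requests and leaves the browser alone; putting both in one web ACL changes nothing, which is why the demonstration presents them as alternatives. Before relying on the regex form in production, confirm against the current AWS WAF documentation how a missing header is evaluated, and start the rule in Count mode so the CloudWatch metric named in VisibilityConfig shows what it would have blocked.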


AWS Firewall Manager benefits

Management
• Integrated with AWS Organizations
• Centrally managed global rules and account-specific rules

Compliance
• Ensure that the entire organization adheres to a mandatory set of rules
• Apply protection, even when new accounts or resources are created
• Compliance dashboard for auditing

Visibility
• Across the Organization:
  • Central visibility of AWS WAF threats
  • Consolidated AWS WAF operations

If you are using multiple AWS accounts and use AWS Organizations, AWS Firewall Manager can be used. This can
streamline and standardize security across your accounts. Firewall Manager is used when you have AWS
Organizations to manage AWS WAF rules, Shield Advanced protections, VPC security groups, AWS Network
Firewalls, and Route 53 Resolver DNS Firewall rules across multiple AWS accounts. Using Firewall Manager also
ensures that new accounts or resources are protected from the time they are created. A best practice
recommendation when implementing AWS Firewall Manager is to locate it in a management account which the
security team has access to, as opposed to a production account.

Firewall Manager is an important feature when managing an entire organization that must adhere to mandatory
rules (such as compliance or regulatory requirements). It includes a Compliance Dashboard where you can view
the compliance status for accounts and resources that are in the scope of a security policy.


Example solution integration


Follow the diagram to explore the steps in this solution to route Amazon GuardDuty matched events to AWS
Lambda, which then performs updates to AWS WAF and VPC network ACLs with protection against new
threats.

1. A GuardDuty finding is raised with suspected malicious activity.
2. An EventBridge event rule is configured to filter for the GuardDuty finding type.
3. An AWS Lambda function is invoked by the EventBridge event. The Lambda function parses the GuardDuty finding.
4. State data for blocked hosts is stored in an Amazon DynamoDB table. The Lambda function checks the state
table for an existing host entry.
5. The Lambda function creates a rule inside AWS WAF and in a VPC network ACL.
6. A notification email is sent through Amazon Simple Notification Service (Amazon SNS).

Service Notes:
• GuardDuty is a threat detection service that monitors for malicious activity and unauthorized behavior
to protect accounts, workloads, and data stored in Amazon Simple Storage Service (Amazon S3). GuardDuty
analyzes events across multiple AWS data sources, such as AWS CloudTrail event logs, Amazon VPC flow logs,
and DNS logs.
• Amazon EventBridge Events deliver a near-real-time stream of system events that describe changes in AWS
resources.
• GuardDuty sends notifications based on CloudWatch Events when any change in the findings takes place.
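Steps 2 to 5 of the solution above hinge on one piece of logic: pulling the offending address out of the finding, deciding whether it is something an edge control should block, and recording it so the same host is not added twice. The Python below is an added example, not the solution's own Lambda code: the EventBridge pattern uses real pattern syntax and the sample event follows the GuardDuty finding shape EventBridge delivers, but the event is constructed (example account, instance and IP values), the network ACL id is a placeholder, and an in-memory dict stands in for the DynamoDB state table. The WAF IP set entry and the CreateNetworkAclEntry parameters are returned as data so the function runs offline; in a deployed Lambda the caller would submit them with the AWS SDK.

```python
"""Offline model of the GuardDuty -> EventBridge -> Lambda -> WAF/NACL flow:
parse the finding, decide whether to block, keep state, describe the actions."""
import ipaddress
from typing import Optional

# EventBridge rule pattern (step 2): only EC2 unauthorized-access findings
# reach the function. "prefix" matching is EventBridge pattern syntax.
EVENT_PATTERN = {
    "source": ["aws.guardduty"],
    "detail-type": ["GuardDuty Finding"],
    "detail": {"type": [{"prefix": "UnauthorizedAccess:EC2/"}]},
}

# Constructed finding event in the shape EventBridge delivers. Account, instance
# and event ids are example values; 198.51.100.23 is a documentation address.
SAMPLE_EVENT = {
    "version": "0", "id": "EXAMPLE-EVENT-ID",
    "detail-type": "GuardDuty Finding", "source": "aws.guardduty",
    "account": "111122223333", "region": "us-east-1",
    "detail": {
        "type": "UnauthorizedAccess:EC2/SSHBruteForce",
        "severity": 5,
        "resource": {"resourceType": "Instance",
                     "instanceDetails": {"instanceId": "i-0123456789abcdef0"}},
        "service": {"action": {
            "actionType": "NETWORK_CONNECTION",
            "networkConnectionAction": {
                "connectionDirection": "INBOUND",
                "remoteIpDetails": {"ipAddressV4": "198.51.100.23"},
                "localPortDetails": {"port": 22}}}},
    },
}

NETWORK_ACL_ID = "acl-EXAMPLE"   # placeholder for the protected subnet's network ACL
NACL_RULE_START = 100            # first rule number reserved for automated denies

# Sources that must never land on an edge block list: a finding naming one of
# these points to an internal problem (or the metadata service) instead.
_INTERNAL_NETWORKS = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",   # RFC 1918
    "127.0.0.0/8", "169.254.0.0/16", "100.64.0.0/10")] # loopback, link-local, shared


def extract_remote_ip(event: dict) -> Optional[str]:
    """Source IP of an inbound connection or port probe; None for other finding kinds."""
    action = event["detail"]["service"]["action"]
    if action.get("actionType") == "NETWORK_CONNECTION":
        conn = action["networkConnectionAction"]
        if conn.get("connectionDirection") == "INBOUND":
            return conn["remoteIpDetails"].get("ipAddressV4")
        return None  # outbound findings need an egress response, not an inbound deny
    if action.get("actionType") == "PORT_PROBE":
        probes = action["portProbeAction"]["portProbeDetails"]
        return probes[0]["remoteIpDetails"].get("ipAddressV4") if probes else None
    return None


def is_blockable(ip: str) -> bool:
    """Valid IPv4 and not in an internal range."""
    try:
        addr = ipaddress.ip_address(ip)
    except ValueError:
        return False
    return addr.version == 4 and not any(addr in net for net in _INTERNAL_NETWORKS)


def nacl_deny_entry(ip: str, rule_number: int) -> dict:
    """Parameters for EC2 CreateNetworkAclEntry: deny all inbound traffic from ip."""
    return {"NetworkAclId": NETWORK_ACL_ID, "RuleNumber": rule_number,
            "Protocol": "-1", "RuleAction": "deny", "Egress": False,
            "CidrBlock": f"{ip}/32"}


def handle_finding(event: dict, state: dict) -> dict:
    """Steps 3-5. `state` is keyed by IP and stands in for the DynamoDB table."""
    finding_type = event["detail"]["type"]
    ip = extract_remote_ip(event)
    if ip is None:
        return {"action": "ignored", "reason": "not an inbound connection finding"}
    if not is_blockable(ip):
        return {"action": "ignored", "reason": f"{ip} is not a public IPv4 address"}
    if ip in state:
        return {"action": "already_blocked", "remote_ip": ip}
    rule_number = NACL_RULE_START + len(state)
    state[ip] = {"finding_type": finding_type, "rule_number": rule_number}
    return {"action": "block", "remote_ip": ip, "finding_type": finding_type,
            "waf_ipset_address": f"{ip}/32",          # entry for WAFv2 UpdateIPSet Addresses
            "nacl_entry": nacl_deny_entry(ip, rule_number),
            "notify": f"Blocked {ip} after {finding_type}"}  # SNS message body (step 6)


if __name__ == "__main__":
    table = {}
    print(handle_finding(SAMPLE_EVENT, table))
    print(handle_finding(SAMPLE_EVENT, table))   # second delivery: already blocked
```

The second call returning `already_blocked` is the state-table check from step 4, and it matters because EventBridge re-delivers a GuardDuty finding every time its count updates; without it the network ACL would fill with duplicate entries and hit its rule limit. Network ACL rule numbers are consumed sequentially here, so a real deployment also needs an expiry path that removes entries and frees numbers.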


"We saved about a million dollars per year in triage time for security operations, staffing, and licensing costs."

Mark Dorsi
Director of Security, HelloSign



Use case—HelloSign
The security benefits realized include the following:
• Averted 12 DDoS security events
• Saved roughly 120 hours of work time per week through
automation
• Gained visibility into security posture
• Implemented security best practices
• Customized security tools
• Automated security features within 3 months


Cloud-based file storage and smart workspaces company Dropbox acquired the electronic signature and storage
solution, HelloSign, in 2019. HelloSign grew quickly to more than 80,000 customers in 2021, and recognized the
importance of protecting its customers’ personally identifying information or PII and payment card information
data. The company wanted to make its service both secure and highly available, which required protecting its
services from DDoS attacks and other security events.

HelloSign used many AWS security services, including Shield Advanced, AWS WAF, and GuardDuty. Learn more
about this example at https://aws.amazon.com/solutions/case-studies/dropbox-hellosign-security/


Third-party security
solutions
Section 4 of 4



AWS Marketplace enterprise solutions

Solution categories include the following:
• Network firewalls
• Protection solutions from software as a service (SaaS) or cloud delivery network providers
• Network IDS solutions

AWS Marketplace is a curated digital catalog that makes it easy to find, test, buy, and deploy the third-party
software you want, with the simplified procurement and controls you need. AWS Marketplace includes
numerous solutions that can strengthen your network security. This service also makes it easy to find a solution
and pay licensing based on use or use the Bring Your Own License model or BYOL.

Considerations
• Consider the threat and risks to individual workloads.
• Search APN security competency to shorten your list.
• Remember that existing relationships, operational experience, or licensing can affect vendor preference.
• Remember that rapid implementation is possible through the AWS Marketplace.

Selection Criteria
• Use cloud-aware or host-based solutions when possible.
• Host-based solutions are preferred for scalable applications.
• Test solutions and consider performance impact, then determine operations and support.
• If using in-line vendor solutions, determine where and why.
• Work with the vendor to determine performance and high-availability impact.


Knowledge check 1
Which statement is true about security groups?

Choice Response

A Each subnet is required to be associated with only one security group.

B A security group can be applied to one or more subnets.

C Security groups allow for "allow" and "deny" rules.

D Security groups are stateful.



Knowledge check 1 answer


Which statement is true about security groups?

The correct response is D.


A. (Incorrect) This is true of network ACLs, not security groups.
B. (Incorrect) This is true of network ACLs, not security groups.
C. (Incorrect) Security groups can only be configured with "allow" rules.
D. (Correct) Security groups are stateful.




Knowledge check 2
Which AWS services or features are examples that BEST provide availability for
your resources? (Select TWO.)

Choice Response

A Regions and Availability Zones

B Elastic Load Balancing (ELB)

C Security Groups

D Traffic mirroring

E Network access control lists



Knowledge check 2 answer


Which AWS services or features are examples that BEST provide availability for your
resources? (Select TWO.)

The correct responses are A and B.


A. (Correct) Regions and Availability Zones can be used to span workloads
and improve availability.
B. (Correct) ELBs distribute network traffic to improve application
scalability and availability.
C. (Incorrect) Security groups are used to filter traffic.
D. (Incorrect) Traffic mirroring supports sending a copy of traffic to a target,
but does not provide availability.
E. (Incorrect) Network ACLs are used to filter traffic.




Module summary

Remember…
• Control traffic at all layers using the following:
  • Network ACLs, Security Groups, AWS Network Firewall
• Availability is an important part of securing the VPC.
• AWS services to secure network traffic and combat common security threats include the following:
  • AWS Shield Standard and Shield Advanced
  • AWS WAF
  • AWS Firewall Manager
• Third-party solutions offered through AWS Marketplace are available.


Lab 1: Controlling the Network
Lab duration: 45 minutes

By the end of this lab, you will be able to do the following:
• Create a three-security zone network infrastructure
• Implement network segmentation using security groups, network ACLs, and public and private subnets
• Monitor network traffic to EC2 instances using VPC flow logs

Overview
You are a network security engineer at AnyCompany. You are responsible for creating a secure network
infrastructure in AWS to prepare for AnyCompany’s upcoming migration to the cloud. AnyCompany currently
has a three-tier network security infrastructure on-premises:
• The Public Access Zone hosts load balancers that serve as the primary connection point to your web servers.
• The Web Server Zone hosts the frontend servers for your website.
• The Database Zone hosts the backend database servers that provide data to your website.

You must ensure that each zone is securely segmented from each other and only certain types of traffic are
allowed to flow between them to support the company’s websites and applications. In this lab, you use public
and private subnets, security groups, and network ACLs to create a three-security zone network infrastructure.
You then use VPC flow logs to monitor the traffic that reaches the resources in each zone to verify only the
required traffic is allowed.

Objectives
By the end of this lab, you will be able to do the following:
• Create a three-security zone network infrastructure
• Implement network segmentation using security groups, network ACLs, and public and private subnets
• Monitor network traffic to EC2 instances using VPC flow logs

Duration
This lab requires approximately 45 minutes to complete.


Lab Architecture


Environment overview
The diagram shows the basic architecture of the lab environment.

The following list details the major resources in the diagram:
• A VPC with one public subnet and two private subnets in one Availability Zone, and one public subnet in a
second Availability Zone
• A Network Load Balancer with two nodes, one in each public subnet
• An EC2 instance acting as a web server in the first private subnet
• An EC2 instance acting as a database server in the second subnet
• Two security groups, one for each instance based on its purpose

The network traffic flows from an external user, through an internet gateway, to one of the two Network Load
Balancer nodes, to the web server. If the URL of the WordPress blog site running on the web server is
requested, traffic flows to the database server as well.


Amazon EC2 Security
AWS Partner: AWS Security Best Practices (Technical)

There are several ways that you can use compute resources in the Amazon Web Service (AWS) Cloud. For the
purpose of this course, we will constrain the scope of compute security to primarily focus on Amazon Elastic
Compute Cloud (Amazon EC2).

Amazon EC2 provides scalable computing capacity in the AWS Cloud. This resource type includes several
attributes and features that are the customer's responsibility to secure. Some of these attributes can include
the following:
• Operating system (OS) version and patching
• Registry settings or kernel settings
• Libraries, software packages, dynamic-link libraries (DLLs), and so on
• Network Transmission Control Protocol/Internet Protocol (TCP/IP) settings


Module objectives & outline

By the end of this module, you will be able to:
• Describe common compute security vulnerabilities.
• Construct a secure Amazon Elastic Compute Cloud (Amazon EC2) instance based on industry best practices.
• Use Amazon Elastic Block Store (Amazon EBS) encryption to secure volume data.
• Perform vulnerability management.

Topics:
• Compute hardening
• Amazon EBS encryption
• Secure management and maintenance
• Detecting vulnerabilities
• Using AWS Marketplace



Compute hardening
Section 1 of 5


Common vulnerabilities
Some examples of common vulnerabilities include the following:
• Unintentionally exposing Amazon Elastic Compute Cloud (EC2)
instances to the public
• Sensitive information in metadata
• Unused or unneeded services or software
• Outdated or nonpatched OS or installed software
• Application configuration weaknesses (such as startup and
configuration scripts containing sensitive information)
• Overly permissive identity and access management policies

The list here contains just a few common examples of misconfigurations that can leave compute resources
vulnerable to exploitation. Hardening of compute resources is critical to maintaining a secure environment and
protecting your workload. Next, we will explore hardening and some best practices and resources related to it.
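Two items in the list above, sensitive information in metadata and startup scripts containing sensitive information, usually come down to the same thing: credentials pasted into EC2 user data, which any process on the instance can read back from the instance metadata service. The following Python scanner is an added example, not part of the course material or of any AWS service: it decodes a constructed DescribeInstanceAttribute userData response (the API returns user data base64-encoded) and flags lines that look like access keys, private keys or password assignments. The patterns are heuristics chosen for this example; the access key shown is Amazon's documented example key and the instance id is invented.

```python
"""Offline scan of EC2 user data for embedded secrets."""
import base64
import re
from typing import List, Tuple

# Heuristic patterns for material that should never be in a startup script.
# The access-key and private-key forms are well known; the password rule is
# deliberately loose and will need tuning for real scripts.
SECRET_PATTERNS = {
    "aws_access_key_id": re.compile(r"\b(?:AKIA|ASIA)[0-9A-Z]{16}\b"),
    "private_key_block": re.compile(r"-----BEGIN (?:RSA |EC |OPENSSH )?PRIVATE KEY-----"),
    "password_assignment": re.compile(r"(?i)(?:password|passwd|pwd)\s*[=:]\s*\S+"),
}

# Constructed sample in the shape of the DescribeInstanceAttribute response
# for the userData attribute. AKIAIOSFODNN7EXAMPLE is AWS's documented example key.
SAMPLE_USER_DATA = {
    "InstanceId": "i-0123456789abcdef0",
    "UserData": {"Value": base64.b64encode(b"""#!/bin/bash
export DB_PASSWORD=SuperSecret123
aws configure set aws_access_key_id AKIAIOSFODNN7EXAMPLE
yum install -y httpd
""").decode()},
}


def decode_user_data(attribute: dict) -> str:
    """Base64-decode the UserData.Value field; an instance without user data yields ""."""
    value = attribute.get("UserData", {}).get("Value", "")
    return base64.b64decode(value).decode("utf-8", errors="replace") if value else ""


def redact(token: str) -> str:
    """Keep the first four characters so the finding is recognisable, mask the rest,
    so the report itself does not become another copy of the secret."""
    return token[:4] + "*" * max(len(token) - 4, 0)


def scan_text(text: str) -> List[Tuple[int, str, str]]:
    """(line number, finding type, redacted excerpt) for every suspicious line."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        for kind, pattern in SECRET_PATTERNS.items():
            match = pattern.search(line)
            if match:
                findings.append((lineno, kind, redact(match.group(0))))
    return findings


def scan_instance(attribute: dict) -> List[Tuple[int, str, str]]:
    """Decode one instance's user data and scan it."""
    return scan_text(decode_user_data(attribute))


if __name__ == "__main__":
    for lineno, kind, excerpt in scan_instance(SAMPLE_USER_DATA):
        print(f"{SAMPLE_USER_DATA['InstanceId']} line {lineno}: {kind} ({excerpt})")
```

The sample trips on the database password and the access key but not on the package install line. The remediation is the same in both cases: give the instance an IAM role instead of static keys, and have the script fetch secrets at boot from AWS Secrets Manager or Systems Manager Parameter Store rather than carrying them in user data.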


Hardening your systems

There are many examples of hardening:
• Changing default passwords
• Removing or disabling unnecessary software or services
• Removal of unnecessary user names or logins
• Using AWS Systems Manager Agent (SSM Agent) for remote access
• Installing anti-malware and host intrusion detection and prevention systems (HIDS/HIPS)

Hardening refers to the process of securing a system by reducing its surface of vulnerability (also known as
attack surface). This surface grows as the system performs more functions. There are a variety of ways to
reduce an attack surface, which typically include mechanisms that eliminate or mitigate vulnerabilities that an
adversary might seek to exploit. Hardening of systems is dependent on several factors, such as the OS, the
purpose or use of the system, and organization- or system-specific requirements. However, there are a few
common guiding principles.

There are also other more difficult tasks that must be undertaken on a continuous basis. Some of these tasks
include patching, ensuring image integrity, encryption, and maintaining systems through secure protocols or
mechanisms.

While organization-specific or system-specific requirements must always be considered, using best practices to
harden systems provides a good foundation to build from. Next, you will look at globally recognized best
practices for securing IT systems and data through hardening, provided by the Center for Internet Security (CIS).


“Wait, do I really need endpoint protection on my cloud resources?”

Consider that:
• Many operating systems have built-in malware protections.
• All systems have vulnerabilities.
• Choose the appropriate software to help layer security (defense in depth) and protect your resources.

Most operating systems have built-in malware protections, and many of them are good. Unfortunately, all systems
have vulnerabilities. It is important that you choose the appropriate software to help layer security (defense in
depth) and protect your resources. This may be a host intrusion detection system (HIDS), host intrusion
prevention system (HIPS), antivirus software, or a combination of capabilities in a software suite.


Hardening with benchmarks

• Create an Amazon Machine Image (AMI) from your instance to save the configuration as a template for
launching future instances.
-or-
• Use EC2 Image Builder to create and maintain images.
• Use benchmarks (from CIS and others) to harden common vulnerabilities and help minimize the attack surface.

Using benchmarks to harden your EC2 instances provides well-defined, unbiased, consensus-based industry
best practices to assess and improve your security. CIS Benchmarks are one type of benchmark that you can use
to guide the hardening of your AMIs.


CIS Benchmarks purpose


Benchmarks provide something to compare against and can help with the following:
• Using industry best practices
• Removing the guesswork in hardening
• Consistently evaluating against a known baseline
• Reducing complexity in risk management and auditing for critical, audited, and regulated systems

The Center for Internet Security (CIS) is a community-driven nonprofit, responsible for the CIS Benchmarks.
These are globally recognized best practices for securing IT systems and data. CIS Benchmarks provide security
benefits across industry sectors. They remove the guesswork for security professionals about how to implement
foundational security measures in their AWS account. Benchmarks in general also help audit teams consistently
evaluate an AWS account against a known baseline. Using benchmarks is a best practice that greatly reduces
complexity when managing risk and auditing the security of AWS for critical, audited, and regulated systems.


CIS Benchmarks alignment


CIS Benchmarks align closely with, or map to, regulatory frameworks including the following:
• National Institute of Standards and Technology Cybersecurity Framework (NIST CSF)
• Payment Card Industry Data Security Standard (PCI DSS)
• Health Insurance Portability and Accountability Act (HIPAA)
• International Organization for Standardization and the International Electrotechnical Commission
(ISO/IEC 2700)

Organizations in industries governed by these regulations can make significant progress toward compliance by
adhering to CIS Benchmarks. In addition, CIS Controls and CIS Hardened Images can help support an
organization's compliance with the European Union's General Data Protection Regulation (GDPR).


Level 1, Level 2, and STIG profiles

Level 1 profile
• Practical and prudent
• Provides clear security benefit
• Does not inhibit utility or performance
• Intended for servers

Level 2 profile
• For environments or use cases where security is paramount
• Defense-in-depth measure
• Can negatively inhibit utility or performance
• Intended for servers

STIG profile
• Replaced the Level 3 profile
• Meets all STIG-specific recommendations, which overlap recommendations from Level 1 and Level 2

A CIS Benchmark profile definition describes the configurations assigned to benchmark recommendations. The
configuration profiles defined by CIS for Level 1, Level 2, and Security Technical Implementation Guide (STIG)
profiles are shown here.

What is a STIG?
A STIG is a configuration standard consisting of cybersecurity requirements for a specific product. STIGs were
originally developed for resources and networks owned by the U.S. Department of Defense (DoD) and networks
that connect to DoD networks, but have been adopted by CIS as an advanced benchmark for securing protocols
within networks, servers, computers, and logical designs. A STIG describes how to minimize network-based
attacks and prevent system access when the attacker is interfacing with the system, either physically at the
machine or over a network. STIGs also describe maintenance processes such as software updates and
vulnerability patching.

STIG documents are published by the DoD Cyber Exchange, sponsored by the Defense Information Systems
Agency (DISA), and are derived from the Security Requirements Guide (SRG). An SRG is a document that contains
high-level security requirements that are translated into configuration items for a specific target, such as OSs
and devices.

Explore the STIG viewer at https://www.stigviewer.com/.


Services for securing your workload

• AWS Systems Manager
• Amazon Inspector
• AWS Config

In addition to using frameworks and standards to harden your resource configurations, there are a number of
AWS services to help make sure your workload is secure. These services will be explored throughout the
remainder of the module, with examples of their use. Layering the features and benefits that these services
offer is an excellent way to approach defense in depth and to meet best practice recommendations for your
environment.


Amazon EBS encryption
Section 2 of 5

Data at rest represents any data that persists in nonvolatile storage for any duration in a workload. Protecting
data at rest reduces the risk of unauthorized access when encryption and appropriate access controls are
implemented. Encryption transforms the content in a manner that makes it unreadable without a key necessary
to decrypt the content back into plain text. There are many different types of storage available through AWS.
However, this module will focus on Amazon EBS, because this is an important service used in conjunction with
Amazon EC2.

Amazon EBS encryption is a straightforward encryption solution for Amazon EBS resources associated with your
EC2 instances. You aren't required to build, maintain, and secure your own key management infrastructure.
Amazon EBS encryption uses AWS Key Management Service (AWS KMS) keys when creating encrypted volumes
and snapshots.


Amazon EBS backed instances

• Use separate Amazon EBS volumes for the OS and your data.
• Encrypt EBS volumes and snapshots.
• Understand the implications of the root device type for data persistence, backup, and recovery.

When you launch an EC2 instance, the root device volume (root volume) is used to reference the image used
to boot the instance. An EC2 AMI can be backed by either an Amazon EC2 instance store or Amazon EBS. The
instance store is ideal for temporary storage, because the data stored in instance store volumes is not persistent
through instance stops, terminations, or hardware failures. However, to take advantage of security features such
as data availability, snapshots, and encryption, you will need to use an Amazon EBS backed instance. You can
choose between AMIs backed by either, but AMIs backed by Amazon EBS are highly recommended, because
they launch faster and use persistent storage.

Data volumes
Depending on your need, you might choose to attach multiple EBS volumes to a single instance. The EBS
volumes you attach in addition to the root device volume are data volumes. These volumes and the instance
they are mounted to must be in the same Availability Zone. They are appropriate for data that requires
frequent updates or for throughput-intensive applications. Considering that the EBS volume might be storing
sensitive, proprietary, or customer-specific information, it is important to protect this resource. Information on
EBS volumes should be encrypted to protect confidentiality in the event of unauthorized exposure or access.

Note: Amazon EBS encryption is available on all current generation instance types and the following previous
generation instance types: A1, C3, cr1.8xlarge, G2, I2, M3, and R3.


Encryption by default

Encryption by default is a best practice to ensure security of data at rest.
• Encryption by default is a Region-specific setting.
• You can launch an instance only if the instance type supports Amazon EBS encryption.
• When migrating servers using AWS Server Migration Service (SMS), do not turn on encryption by default.

You can set your account for default encryption, which will enforce the encryption of any new EBS volumes and
snapshot copies that you create. Encryption by default has no effect on existing EBS volumes or snapshots.
Some considerations for setting encryption by default include the following:
• Encryption by default is a Region-specific setting. If you turn it on for a Region, you cannot turn it off for
individual volumes or snapshots in that Region.
• When you turn on encryption by default, you can launch an instance only if the instance type supports
Amazon EBS encryption.
• When migrating servers using AWS Server Migration Service (SMS), do not turn on encryption by default. If
encryption by default is already on and you are experiencing delta replication failures, turn off encryption by
default. Instead, enable AMI encryption when you create the replication job. (See the following documentation
for more information: https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/EBSEncryption.html)

To check your EBS volumes for the encryption by default setting, use the following steps:
1. Sign in to the AWS Management Console.
2. Navigate to the Amazon EC2 console.
3. Select the Region that you want to access from the console navigation bar.
4. In the Account attributes section, under Settings, choose EBS encryption to view the settings available for
EBS volumes within the selected AWS Region.
5. On the Settings page, choose the EBS encryption tab, and view the Always encrypt new EBS
volumes configuration attribute status. If the attribute status is set to Disabled, the encryption of data at
rest by default for new EBS volumes is not enabled in the selected AWS Region.

Learn more with this demonstration on how to turn on encryption by default at
https://www.youtube.com/watch?v=dOGs2jzacbI.
Learn more about Amazon EBS best practices at
https://aws.amazon.com/blogs/compute/must-know-best-practices-for-amazon-ebs-encryption/.


Encryption and snapshot copying

When you copy a snapshot, you can do the following:
• Keep it encrypted with the same KMS key as the original (incremental snapshot).
• Change the KMS key (full copy).
• Change the encryption status (full copy).
• Full copies can incur greater data transfer and storage charges.

You can create point-in-time snapshots of EBS volumes, which are stored for you in Amazon Simple Storage
Service (Amazon S3). After you create a snapshot and it has finished copying to Amazon S3, you can copy it from
one AWS Region to another, or within the same Region. The snapshot copy receives an ID that is different from
the ID of the original snapshot.

When you copy a snapshot, it can remain encrypted with the same KMS key as the original, which results in
an incremental snapshot. You can specify a different KMS key to encrypt the resulting copied
snapshot. Changing the encryption key of a snapshot during a copy operation results in a full (not
incremental) copy, which might incur greater data transfer and storage charges. This is also true if you change
the encryption status (encrypted or unencrypted) during the copy operation.

Note: Be mindful of AWS KMS key considerations when copying snapshots across multiple Regions. For further
information about encrypting EBS volumes, visit
https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/EBSEncryption.html.
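The encryption-by-default check from the previous slide and the snapshot-copy rules above, as an added offline example (not code from the course or from AWS): it evaluates API-shaped data for one Region and classifies a planned copy as incremental or full. The volume IDs, snapshot IDs and KMS key ARNs are constructed placeholders; in practice the inputs come from boto3 or the AWS CLI per Region.

```python
"""Offline check of EBS encryption posture and snapshot-copy behaviour.

Added example, not code from the course or from AWS. The inputs are
constructed to look like the responses of the EC2 API calls
GetEbsEncryptionByDefault, DescribeVolumes and DescribeSnapshots; resource
IDs and the KMS key ARNs are placeholders.
"""
from typing import Dict, List

KEY_A = "arn:aws:kms:us-east-1:111122223333:key/EXAMPLE-KEY-A"  # placeholder
KEY_B = "arn:aws:kms:us-east-1:111122223333:key/EXAMPLE-KEY-B"  # placeholder

# Constructed: shaped like `aws ec2 get-ebs-encryption-by-default`
BY_DEFAULT = {"EbsEncryptionByDefault": False}

# Constructed: the fields of `aws ec2 describe-volumes` the check needs
VOLUMES = [
    {"VolumeId": "vol-0a1", "Encrypted": True, "KmsKeyId": KEY_A,
     "Attachments": [{"InstanceId": "i-0root", "Device": "/dev/xvda"}]},
    {"VolumeId": "vol-0b2", "Encrypted": False,
     "Attachments": [{"InstanceId": "i-0root", "Device": "/dev/xvdf"}]},
    {"VolumeId": "vol-0c3", "Encrypted": False, "Attachments": []},
]

# Constructed: the fields of `aws ec2 describe-snapshots --owner-ids self`
SNAPSHOTS = [
    {"SnapshotId": "snap-001", "VolumeId": "vol-0b2", "Encrypted": False},
    {"SnapshotId": "snap-002", "VolumeId": "vol-0a1", "Encrypted": True,
     "KmsKeyId": KEY_A},
]


def ebs_findings(region: str, by_default: Dict, volumes: List[Dict],
                 snapshots: List[Dict]) -> List[Dict]:
    """Report the Region setting and every unencrypted volume or snapshot.

    An unencrypted volume attached to an instance is rated higher than a
    detached one, because it holds live workload data.
    """
    findings = []
    if not by_default.get("EbsEncryptionByDefault", False):
        findings.append({"severity": "HIGH", "resource": region,
                         "issue": "encryption by default is off; new volumes "
                                  "and snapshot copies are unencrypted unless "
                                  "requested explicitly"})
    for vol in volumes:
        if vol.get("Encrypted"):
            continue
        attached = [a["InstanceId"] for a in vol.get("Attachments", [])]
        issue = ("unencrypted volume attached to " + ", ".join(attached)
                 if attached else "unencrypted detached volume")
        findings.append({"severity": "HIGH" if attached else "MEDIUM",
                         "resource": vol["VolumeId"], "issue": issue})
    for snap in snapshots:
        if not snap.get("Encrypted"):
            findings.append({"severity": "MEDIUM", "resource": snap["SnapshotId"],
                             "issue": f"unencrypted snapshot of {snap['VolumeId']}"})
    return findings


def snapshot_copy_plan(source: Dict, target_encrypted: bool,
                       target_kms_key: str = None) -> Dict:
    """Classify a CopySnapshot request using the rules on this slide.

    Same key as the source -> incremental copy. Changing the KMS key or the
    encryption status forces a full copy (more data transfer and storage).
    Encryption cannot be removed from an already encrypted snapshot.
    """
    src_encrypted = bool(source.get("Encrypted"))
    if src_encrypted and not target_encrypted:
        raise ValueError("an encrypted snapshot cannot be copied unencrypted")
    if target_encrypted != src_encrypted:
        return {"type": "full", "reason": "encryption status changed"}
    if target_encrypted and target_kms_key not in (None, source.get("KmsKeyId")):
        return {"type": "full", "reason": "KMS key changed"}
    return {"type": "incremental", "reason": "same encryption status and key"}


if __name__ == "__main__":
    for f in ebs_findings("us-east-1", BY_DEFAULT, VOLUMES, SNAPSHOTS):
        print(f"[{f['severity']}] {f['resource']}: {f['issue']}")
    print(snapshot_copy_plan(SNAPSHOTS[1], True, KEY_B))
```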


Demonstration: AWS KMS

AWS KMS supports many of the security best practices discussed in this course, providing centralized and
secure management of cryptographic keys. This demo provides a quick look at some important features within
AWS KMS.

• Prerequisites:
• IAM user with appropriate AWS KMS permissions

AWS KMS is not covered in depth in this course. The Security Engineering on AWS course provides more training
on this and other AWS security services. Find a class at
https://aws.amazon.com/training/classroom/security-engineering-on-aws/.

Learn about AWS KMS best practices at https://d1.awsstatic.com/whitepapers/aws-kms-best-practices.pdf.

You can view the AWS re:Invent video covering best practices for implementing AWS Key Management Service
at https://www.youtube.com/watch?v=X1eZjXQ55ec.


Secure management and maintenance
Section 3 of 5

Visibility and control into your environment are important to being able to maintain a security posture. This
effort can be aided by various AWS services, including AWS Systems Manager. This section will explore
opportunities to provide secure and automated monitoring, patching, and configuration of your environment.


Management and maintenance

• Limit access and authorization for connecting to instances (using Session Manager).
• Securely manage instances at scale (using Run Command).
• Regularly patch and update with defined maintenance windows (using Patch Manager).
• Automate monitoring and remediation of configuration drift (using State Manager).
• Secure, monitor, and rotate secrets (using Secrets Manager or Parameter Store).

AWS Systems Manager (formerly known as SSM) is an AWS service that you can use to view and control your
infrastructure on AWS. Using the Systems Manager console, you can view operational data from multiple AWS
services and automate operational tasks across your AWS resources. Systems Manager helps you maintain
security and compliance by scanning your managed nodes and reporting on (or taking corrective action on) any
policy violations it detects.

Note: A managed node is any machine configured for Systems Manager. Systems Manager supports Amazon
EC2 instances, edge devices, and on-premises servers and virtual machines (VMs).

Learn more about use cases and best practices for AWS Systems Manager at
https://docs.aws.amazon.com/systems-manager/latest/userguide/systems-manager-best-practices.html.


Node Management

• Session Manager
• Run Command
• State Manager
• Patch Manager
• Parameter Store (compared to AWS Secrets Manager)

AWS Systems Manager streamlines resource and application management, shortens the time to detect and
resolve operational problems, and simplifies operating and managing the infrastructure securely at scale.
Although all the features within Systems Manager can help with governance and security, we will only be
covering a few selected features and how they can be used to achieve security best practices concerning your
EC2 instance maintenance.

Systems Manager is agent-based. This makes it possible for the service to update, manage, and
configure software that runs on edge devices and on-premises servers and VMs, in addition to your EC2
instances.

For more information about how to simplify operations, compliance, and governance using Systems Manager,
view this video (about 40 minutes in length): https://www.youtube.com/watch?v=qHRMim32dhk.


Session Manager

• Centralized access control to managed nodes using IAM policies
• No open inbound ports and no need to manage bastion hosts or SSH keys
• Logging and auditing session activity

AWS Systems Manager Session Manager can improve your security posture for instance access with a browser-
based and command line interface (CLI) interactive shell experience. This access requires no open inbound ports
or jump servers, and allows for customer key encryption using AWS KMS.

Overall, Session Manager is a useful tool to control and secure access to instances. AWS Systems Manager
Session Manager provides several security benefits, including the items highlighted on the diagram:
1. Secure management of Amazon EC2 instances, edge devices, and on-premises servers and VMs.
2. AWS Identity and Access Management (IAM) policies for control over individual users or groups using
Session Manager.
3. Capture of sessions using AWS CloudTrail, and output of session information to Amazon S3 or Amazon
CloudWatch Logs for auditing.

What is a session?
A session is a connection made to a managed node using Session Manager. Sessions are based on a secure
bidirectional communication channel between the client (you) and the remote managed node that streams
inputs and outputs for commands. Traffic between a client and a managed node is encrypted using Transport
Layer Security (TLS) 1.2, and requests to create the connection are signed using Signature Version 4 (SigV4).
This two-way communication allows interactive bash and PowerShell access to managed nodes. You can also
use an AWS KMS key to further encrypt data beyond the default TLS encryption.


Run Command

Run Command provides safe, secure, remote management of EC2 instances at scale without the need for
bastion hosts, SSH, or remote PowerShell. It takes less time than management through SSH access or
management through bastion hosts. Additionally, all operations are audited in AWS CloudTrail. There are no SSH
keys to manage, and it can be used to make automation of various administrative tasks more secure.

Run Command offers the following features:
• Remote management at scale without SSH access or bastion hosts
• Automatic role-based access control (RBAC) to set who can perform what actions on which set of instances
• Controlled blast radius using rate control for safety at scale
• Audit of what actions were made on which instance
• Ability to run commands from external locations such as public or private GitHub repositories

AWS Systems Manager documents: A Systems Manager document (SSM document) defines the actions that
Systems Manager performs. SSM document types include Command documents, which are used by State
Manager and Run Command, and Automation runbooks, which are used by Systems Manager Automation.
Systems Manager includes dozens of preconfigured documents that you can use by specifying parameters at
runtime. Documents can be expressed in JSON or YAML, and include steps and parameters that you specify.


Patching best practices

1. Deploy patches at scale.
2. Schedule dedicated maintenance periods.
3. Test patches in a nonproduction environment.

Patch Manager, a capability of Systems Manager, provides predefined patch baselines for each of the OSs
supported by Patch Manager. Patch Manager helps you select and deploy OS and software patches
automatically across large groups of EC2 or on-premises instances. Patch Manager can help you automate and
scale security best practices across your fleets, to keep your software up to date and meet compliance
requirements in the following ways:
• Deploy patches at scale to nodes across your fleet, including on-premises, managed nodes.
• Schedule maintenance windows for your patches so that they are only applied during preset times.
• Patch now can help with situations such as zero-day or other critical patching, when you cannot wait for
the scheduled maintenance period.
• Test patches and create custom patch baselines.
• Set rules to auto-approve select categories of patches to be installed, such as OS or high severity patches.
• Specify a list of patches that override these rules and are automatically approved or rejected.

Customization options
• You can use these baselines as they are currently configured (you can't customize them) or you can create
your own custom patch baselines. Custom patch baselines give you greater control over which patches are
approved or rejected for your environment.
• Patch now is an important feature that can help with situations such as zero-day or other critical patching,
when you cannot wait for the scheduled maintenance period.
• Using lifecycle hooks, you can run SSM documents at specific points during the patching operation when you
do manual (patch now) operations. These can be documents that define certain procedures or operations
before patch installation, after installation, or after instance reboot, for example. These hooks are only
applicable to the install operation; scanning does not support any lifecycle hooks.
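An added example, not the course's or AWS's code, that models the approval-rule and override logic described above against a constructed custom baseline and patch catalogue. The baseline name and patch IDs are hypothetical, and the precedence it uses (rejected list, then approved list, then the first matching rule whose delay has elapsed) is a simplification assumed by this model, not a statement of the service's implementation.

```python
"""Model of how a patch baseline decides which patches are approved.

Added example, not course or AWS code: a simplified offline model of the
Patch Manager behaviour described above. Approval rules auto-approve patch
categories after a delay, and explicit approved/rejected lists override
the rules. Field names follow the CreatePatchBaseline API
(ApprovalRules, PatchFilters, ApproveAfterDays, ApprovedPatches,
RejectedPatches); the baseline and patch catalogue are constructed data.
"""
from datetime import date, timedelta
from typing import Dict, List, Tuple

# Constructed custom baseline (name and patch IDs are hypothetical)
BASELINE = {
    "Name": "prod-linux-baseline",
    "ApprovalRules": {"PatchRules": [
        {"PatchFilterGroup": {"PatchFilters": [
            {"Key": "CLASSIFICATION", "Values": ["Security"]},
            {"Key": "SEVERITY", "Values": ["Critical", "Important"]}]},
         "ApproveAfterDays": 7, "ComplianceLevel": "CRITICAL"},
        {"PatchFilterGroup": {"PatchFilters": [
            {"Key": "CLASSIFICATION", "Values": ["Bugfix"]}]},
         "ApproveAfterDays": 14, "ComplianceLevel": "MEDIUM"},
    ]},
    "ApprovedPatches": ["openssl-3.0.9-2"],   # zero-day fix: skip the delay
    "RejectedPatches": ["kernel-6.1.55-1"],   # known to break the workload
}

# Constructed catalogue of patches a node reports as available
AVAILABLE = [
    {"Id": "openssl-3.0.9-2", "Classification": "Security",
     "Severity": "Critical", "ReleaseDate": date(2024, 5, 20)},
    {"Id": "kernel-6.1.55-1", "Classification": "Security",
     "Severity": "Critical", "ReleaseDate": date(2024, 4, 1)},
    {"Id": "curl-8.2.1-1", "Classification": "Security",
     "Severity": "Important", "ReleaseDate": date(2024, 5, 1)},
    {"Id": "vim-9.0-3", "Classification": "Bugfix",
     "Severity": "Low", "ReleaseDate": date(2024, 5, 10)},
    {"Id": "tmux-3.3-1", "Classification": "Enhancement",
     "Severity": "Low", "ReleaseDate": date(2024, 1, 1)},
]

TODAY = date(2024, 5, 21)  # fixed so the example is deterministic


def rule_matches(patch: Dict, rule: Dict) -> bool:
    """All filters in a rule's PatchFilterGroup must match (AND)."""
    for flt in rule["PatchFilterGroup"]["PatchFilters"]:
        field = flt["Key"].capitalize()        # CLASSIFICATION -> Classification
        if patch.get(field) not in flt["Values"]:
            return False
    return True


def evaluate(baseline: Dict, available: List[Dict],
             today: date) -> Dict[str, Tuple[str, str]]:
    """Return {patch id: (decision, reason)}.

    Precedence (assumed by this model): rejected list, then approved list,
    then the first matching rule once its ApproveAfterDays delay has
    elapsed; patches no rule covers are reported as NOT_COVERED.
    """
    decisions = {}
    for patch in available:
        pid = patch["Id"]
        if pid in baseline["RejectedPatches"]:
            decisions[pid] = ("REJECTED", "explicitly rejected")
            continue
        if pid in baseline["ApprovedPatches"]:
            decisions[pid] = ("APPROVED", "explicitly approved")
            continue
        verdict = ("NOT_COVERED", "no approval rule matches")
        for rule in baseline["ApprovalRules"]["PatchRules"]:
            if not rule_matches(patch, rule):
                continue
            ready = patch["ReleaseDate"] + timedelta(days=rule["ApproveAfterDays"])
            if today >= ready:
                verdict = ("APPROVED", f"rule matched, delay elapsed on {ready}")
            else:
                verdict = ("PENDING", f"rule matched, auto-approves on {ready}")
            break
        decisions[pid] = verdict
    return decisions


def to_install(decisions: Dict[str, Tuple[str, str]]) -> List[str]:
    """Patch IDs an Install operation would apply, in a stable order."""
    return sorted(pid for pid, (state, _) in decisions.items()
                  if state == "APPROVED")


if __name__ == "__main__":
    result = evaluate(BASELINE, AVAILABLE, TODAY)
    for pid, (state, reason) in result.items():
        print(f"{pid:18} {state:12} {reason}")
    print("install:", to_install(result))
```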

Best practices for using Patch Manager include the following:
• Deploying patches at scale and increasing fleet compliance visibility
• Testing patches in a nonproduction environment
• Integrating Patch Manager with AWS Security Hub to receive alerts when nodes are out of compliance
• Recording changes to patch and association compliance statuses with AWS Config


State Manager

Usage
• Maintain visibility over system states.
• Apply configurations based on policies.
• Create and push alerts when configuration drifts are detected.
• Query statuses for on-demand visibility into compliance status.

Best Practices
• Update SSM Agent using the preconfigured AWS-UpdateSSMAgent document.
• Use tags to create groups, then target nodes using the targets parameter.
• Use a centralized configuration repository for your SSM documents, and share it across your organization.

State Manager provides configuration management to help maintain consistent configuration of your EC2 or on-
premises instances. With Systems Manager, you can control configuration details such as server configurations,
antivirus definitions, firewall settings, and more.

• Define configuration policies for your servers using the following:
  • The AWS Management Console
  • PowerShell modules
  • Ansible playbooks
  • GitHub
  • Amazon S3 buckets
• Apply configurations across your instances at the time and frequency you define.
• Use Amazon CloudWatch and Amazon Simple Notification Service (Amazon SNS) to create and push alerts
when configuration drifts are detected.
• Query the status of your instance configurations for on-demand visibility into compliance status.


State Manager example

Your organization is in the process of upgrading from an older OS on servers hosting a custom application for
your business. Because these existing servers have an older OS currently installed, it is imperative that the
servers have antivirus software installed and updated. You would like to ensure that the EC2 instances in your
environment tagged as prod and Win2016 have antivirus software installed and this state is monitored at an
interval of every 30 minutes.

1. Determine the state to apply to your managed instances.
2. Determine if a preconfigured SSM document can help with the State Manager association.
  • An AWS-InstallApplication document is needed.
3. Create the association.
  • Specify the parameters, targets, and schedule.
4. Monitor and update.
  • Automatically reapply policies if state drift is detected.
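The four steps above as an added example (not code from the course or from AWS): it builds the create_association request for the scenario, models which tagged instances the Targets filter selects, and reads compliance rows to find drifted nodes. The tag keys (Environment and OS; the scenario gives only the values), the installer URL, the association name and the AWS-InstallApplication parameter names are assumptions.

```python
"""State Manager association for the antivirus scenario above, checked offline.

Added example, not course or AWS code. It assembles the request that
boto3's ssm.create_association() takes (field names are those of the
CreateAssociation API), models how the Targets tag filter selects nodes,
and reads ListComplianceItems-shaped rows the way step 4 (monitor and
update) would. Assumed: tag keys Environment=prod and OS=Win2016, a
placeholder installer URL, and the action/source/parameters inputs of
the AWS-InstallApplication document.
"""
import re
from typing import Dict, List

INSTALLER_URL = "https://installers.example.invalid/antivirus.msi"  # placeholder
ASSOCIATION_ID = "11111111-2222-3333-4444-555555555555"            # placeholder

# State Manager schedules are rate(...) or cron(...) expressions; rate
# expressions shorter than 30 minutes are not accepted.
_RATE = re.compile(r"^rate\((\d+) (minutes?|hours?|days?)\)$")
_MINUTES = {"minute": 1, "hour": 60, "day": 1440}


def schedule_is_valid(expr: str) -> bool:
    """Accept cron(...) as-is and rate(...) only at 30 minutes or more."""
    if expr.startswith("cron(") and expr.endswith(")"):
        return True
    match = _RATE.match(expr)
    if not match:
        return False
    count, unit = int(match.group(1)), match.group(2).rstrip("s")
    return count * _MINUTES[unit] >= 30


def antivirus_association_request() -> Dict:
    """Steps 2 and 3: reuse the preconfigured document, define the association."""
    request = {
        "Name": "AWS-InstallApplication",
        "AssociationName": "prod-win2016-antivirus",   # hypothetical name
        # Every tag: key must match (AND); values within one key are OR.
        "Targets": [
            {"Key": "tag:Environment", "Values": ["prod"]},
            {"Key": "tag:OS", "Values": ["Win2016"]},
        ],
        "Parameters": {
            "action": ["Install"],
            "source": [INSTALLER_URL],
            "parameters": ["/quiet /norestart"],   # msiexec arguments
        },
        # Re-evaluated every 30 minutes; drifted nodes get the state re-applied.
        "ScheduleExpression": "rate(30 minutes)",
        "ComplianceSeverity": "HIGH",
    }
    if not schedule_is_valid(request["ScheduleExpression"]):
        raise ValueError("invalid association schedule")
    return request


# Constructed: the tag data of `aws ec2 describe-instances`, reduced
INSTANCES = [
    {"InstanceId": "i-0aaa", "Tags": [{"Key": "Environment", "Value": "prod"},
                                      {"Key": "OS", "Value": "Win2016"}]},
    {"InstanceId": "i-0bbb", "Tags": [{"Key": "Environment", "Value": "prod"},
                                      {"Key": "OS", "Value": "Win2019"}]},
    {"InstanceId": "i-0ccc", "Tags": [{"Key": "Environment", "Value": "dev"},
                                      {"Key": "OS", "Value": "Win2016"}]},
    {"InstanceId": "i-0ddd", "Tags": [{"Key": "Environment", "Value": "prod"},
                                      {"Key": "OS", "Value": "Win2016"}]},
]

# Constructed: ListComplianceItems rows; for Association items, Id is the association ID
COMPLIANCE = [
    {"ComplianceType": "Association", "Id": ASSOCIATION_ID, "ResourceId": "i-0aaa",
     "Status": "COMPLIANT", "Severity": "HIGH"},
    {"ComplianceType": "Association", "Id": ASSOCIATION_ID, "ResourceId": "i-0ddd",
     "Status": "NON_COMPLIANT", "Severity": "HIGH"},
    {"ComplianceType": "Patch", "Id": "KB-EXAMPLE", "ResourceId": "i-0aaa",
     "Status": "NON_COMPLIANT", "Severity": "CRITICAL"},
]


def select_targets(instances: List[Dict], targets: List[Dict]) -> List[str]:
    """Model of the Targets filter: the instance IDs the association covers."""
    selected = []
    for inst in instances:
        tags = {t["Key"]: t["Value"] for t in inst.get("Tags", [])}
        if all(tags.get(t["Key"][len("tag:"):]) in t["Values"] for t in targets):
            selected.append(inst["InstanceId"])
    return selected


def drifted_nodes(items: List[Dict], association_id: str) -> List[str]:
    """Step 4: nodes whose association state is not COMPLIANT."""
    return sorted({c["ResourceId"] for c in items
                   if c["ComplianceType"] == "Association"
                   and c["Id"] == association_id and c["Status"] != "COMPLIANT"})
```

Patch compliance rows are deliberately ignored here; they belong to Patch Manager, not to this association.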


Parameter Store and Secrets Manager

Parameter Store
• Can notify you of expiring secrets but cannot rotate them for you
• Can be referenced from AWS CloudFormation templates
• Supports storing values under a name or key, encryption of secrets, and versioning

AWS Secrets Manager
• Provides full key rotation integration with Amazon RDS
• Randomly generates passwords in CloudFormation and stores the password in Secrets Manager
• Shares secrets across different AWS accounts
• Exceeds storage capacity of Parameter Store, but costs are associated to storage and API calls

Keeping secrets secure is important, but there is more than one way to do this in AWS. You might wonder which
is better for you, Parameter Store or AWS Secrets Manager. Although these two services do share some
similarities, there are some key benefits that Secrets Manager can offer. Take a look at the similarities and
differences between these two methods for securing secrets:

Similarities
Managed key-value store:
• With both services, you can store values under a name or key.
Encryption:
• With both, you can use AWS KMS to encrypt values.
AWS CloudFormation integration:
• Both can be referenced in an AWS CloudFormation template.
Versioning:
• With both, you can view or restore older versions of your parameter or secret.

Differences
Automatic secret rotation with Amazon Relational Database Service (Amazon RDS):
• Parameter Store can notify you of expiring secrets but cannot rotate them for you.
• Secrets Manager provides full key rotation integration with Amazon RDS.
Random secret generation:
• Secrets Manager can randomly generate passwords in CloudFormation and store the password in Secrets
Manager.
Sharing secrets:
• Secrets Manager can share secrets across AWS accounts.
Cost:
• Parameter Store comes with no additional cost with a limit of 10,000 parameters.
• Secrets Manager can exceed this number but has costs associated to storage of secrets and API calls.

Learn more about managing secrets with this AWS video at https://www.youtube.com/watch?v=6oPHw7rT9OI.


Exploring AWS Systems Manager

You explored just a few of the node management capabilities of AWS Systems Manager. There are many other
features available that can help to operate and maintain your environment securely:
• Distributor
• Fleet Manager
• Many more…

Using Systems Manager and associated features can help to improve visibility and control in the cloud and on-
premises environments. The various features of Systems Manager offer opportunities to automate the
monitoring, patching, and configuration of the environment while removing the potential for human error and
streamlining access control and auditing. There are also many more types of capabilities provided through AWS
Systems Manager such as change management, incident management, application management, and
operations management.


Detecting vulnerabilities
Section 4 of 5

Hardening, security benchmarks, and actively managing your resources provide preventative controls against
potential compromises. But how do you ensure that your resources are staying compliant? And how can you be
sure that you have captured and secured all your sensitive resources? There are several AWS services that you
can use, such as Amazon Inspector and AWS Config.

This section will cover using these services as detective controls, to help ensure that you can identify your
resources, verify their compliance, and take action when necessary.


Amazon Inspector

• Amazon Inspector continuously scans your resources including the following:
  • Amazon EC2 instances
  • Container images in Amazon Elastic Container Registry
  • AWS Lambda functions
• Amazon Inspector integrates with AWS Organizations, AWS Security Hub, and Amazon EventBridge.

Amazon Inspector is a vulnerability management service that continually scans AWS workloads for software
vulnerabilities and unintended network exposure. Amazon Inspector can also be used across all accounts in an
organization, automatically discovering running EC2 instances and container images. Remember that Amazon
Inspector is a passive tool. This means that although it can detect vulnerabilities, it will not remediate them for
you.

Amazon Inspector is a Regional service. Any configuration procedures that you complete on it must be repeated
in each Region that you want to monitor with Amazon Inspector.


Amazon Inspector findings

Package vulnerability
• Identify software packages in your environment that are exposed to common vulnerabilities and exposures
(CVEs).
• Findings can lead to compromise of the confidentiality, integrity, or availability of data or systems.

Network reachability
• Indicate that there are allowed network paths to EC2 instances in your environment.
• Indicate overly permissive paths over TCP or User Datagram Protocol (UDP) ports at virtual private cloud
(VPC) edges that allow for potentially malicious access.

Amazon Inspector calculates a highly contextualized risk score for each finding by correlating common
vulnerabilities and exposures (CVEs) information with factors such as network access and exploitability. This
score is used to prioritize the most critical vulnerabilities to improve remediation response efficiency. You can
generate either a Findings or a Full report from any assessment, in either HTML or PDF format.

Additional security best practices can be found at
https://aws.amazon.com/blogs/security/announcing-industry-best-practices-for-securing-aws-resources/.


Amazon Inspector Dashboards

• Each section of the Amazon Inspector dashboard provides insight into key metrics or active findings data
that can help you understand the vulnerability posture of your AWS resources in the current AWS Region.

The Amazon Inspector dashboard provides a snapshot of aggregated statistics for your AWS resources in the
current AWS Region. These statistics include key metrics for resource coverage and active vulnerabilities. The
dashboard also displays groups of aggregated findings data for your account, such as the Amazon Elastic Compute
Cloud (Amazon EC2) instances, Amazon Elastic Container Registry (Amazon ECR) repositories, and AWS Lambda functions
with the most critical findings. To perform deeper analysis, you can view the supporting data for dashboard items.


AWS Config
• Automatically discover and record the state and configuration of resources.
• Track changes; collect a historical record of the changes.
• Evaluate configuration changes against compliance policies.
• Automate remediation activities.
• Create real-time alerts using Amazon SNS and Amazon EventBridge.


AWS Config is a native AWS service and doesn't require the installation of an agent. It provides several
important benefits:
• Automatic resource discovery
• Recording of the current state of resource configurations
• Tracking changes for a full historical record of the changes (for 7 years, by default)
• Evaluation of configuration changes against compliance policies
• Automated remediation activities (this can include patching with Patch Manager, as discussed in the previous section)
• Real-time alerts for compliance violations using Amazon SNS and EventBridge


AWS Config best practices


Configuration Recording
• Enable AWS Config in all accounts and Regions.
• Record configuration changes to all resource types.
• Record global resources (such as IAM resources) only in one Region.
• Ensure that you have a secure Amazon S3 bucket to collect the configuration history and snapshot files.
• Use Amazon EventBridge Events to filter AWS Config notifications and take action.
• Turn on periodic snapshots (minimum frequency of once per day).
• Identify resources that are undergoing the most configuration changes to control costs.

Compliance evaluation
• Use Conformance Packs.
• Leverage the sample templates for conformance packs as a starting point to quickly bootstrap your accounts.
• Use the AWS Config Rule Development Kit (RDK) for authoring custom rules.
• Create change-triggered custom rules for resource types supported in AWS Config.
• Create periodic custom rules for resource types not supported in AWS Config.
• Use the AWS Config Rules repository, a community-based source of custom AWS Config rules.
• Deploy rules and conformance packs with global resources in one Region to avoid costs and API throttling.


AWS Config is a powerful tool for maintaining a configuration history of your AWS resources. It can also be used
to evaluate configurations against best practices and your internal policies. You can use this information for
operational troubleshooting, audit, and compliance use cases.

The slide lists a few best practices to consider for using AWS Config, but a full list and details about these
practices can be seen at https://aws.amazon.com/blogs/mt/aws-config-best-practices/.


AWS Config at scale


• Use the multi-account, multi-Region data aggregation feature in AWS Config.
• Aggregate based on your organization or invite individual AWS accounts.
• Provides aggregate resource configurations and AWS Config rule compliance
data.


For multi-account environments, AWS Config can simplify monitoring compliance by providing an aggregated
view of all selected Regions and accounts. To use this feature, you will need to do the following:

1. Add an aggregator.
Create an aggregator account and an aggregator (resource) to collect configuration and compliance data from
multiple accounts or Regions. Select the source accounts and Regions from where you want to collect AWS
Config data.

2. Authorize the aggregator account.
Authorization is required when your source accounts are individual accounts. Authorization is not required if
you are aggregating source accounts that are part of AWS Organizations. The aggregator account is commonly
used or owned by an organization's security team or a managed service provider.

3. Monitor in an aggregated view.
The dashboard on the aggregators page displays the configuration data for AWS resources in scope, provides an
overview of your rules and conformance packs, and displays their compliance states.


Using AWS Marketplace
Section 5 of 5


AWS Marketplace is a curated digital catalog that customers can use to find, buy, deploy, and manage third-
party software, data, and services to build solutions and run their businesses. Many of the solutions on the AWS
Marketplace can help you to standardize your environment and enhance security.


Using AWS Marketplace AMI products

Ways to use:
1. AMI subscriptions
2. AMI products with contract pricing
3. Metering-enabled AMI products
4. No cost, community AMIs


Amazon Machine Image (AMI) based products are offered by sellers and available to buyers through AWS
Marketplace, which supports several ways to bill, buy, or use them.

Buying a product means that you have accepted the terms of the product as shown on the product’s listing
page. This includes pricing terms and the seller’s end user license agreement (EULA), and that you agree to use
such product in accordance with the AWS Customer Agreement.


AWS Marketplace: AMI security requirements


• AMIs must not contain known vulnerabilities or malware.
• AMIs must use current OSs and software packages.
• AMIs must not request or use secret keys.
• Linux-based AMIs must not allow SSH password authentication.
• Instance access must be key pair based (no password-based
authorization).


AMIs hosted on AWS Marketplace must adhere to many security requirements. These are verified by AWS
before the AMI is published.

• AMIs must not contain any known vulnerabilities, malware, or viruses as detected by the self-service AMI
scanning tool or AWS Security.
• AMIs must use currently supported OSs and software packages. Any version of an AMI with an end-of-life
(EoL) OS or software package will be delisted from the AWS Marketplace. You can build a new AMI with
updated packages and publish it as a new version to AWS Marketplace.
• AMIs must not request or use access or secret keys from users to access AWS resources. If your AMI
application requires access to the user account, it must be achieved through an IAM role created through
CloudFormation. When single-AMI launch is turned on for products with a CloudFormation delivery method,
corresponding usage instructions must include clear guidance for creating minimally privileged IAM roles.
• Linux-based AMIs must not allow SSH password authentication. Turn off password authentication through
your sshd_config file by setting PasswordAuthentication to NO.
• All instance authentication must use key pair access, not password-based authentication, even if the
password is generated, reset, or defined by the user at launch. AMIs must not contain passwords,
authentication keys, key pairs, security keys, or other credentials for any reason.


Comparing Community and AWS Marketplace AMIs

• Community AMIs
  • Whenever an AWS user creates an AMI, they can add permissions to it to make it public. In that case, it becomes accessible through community AMIs. These AMIs come from AWS users and are not verified by AWS.
• AWS Marketplace AMIs
  • All AMIs in AWS Marketplace are verified by AWS.


Note: The end consumer of the AMI, regardless of where it was sourced from, is responsible for fully vetting the
AMI based on their security requirements.


Knowledge check 1
Which tasks does Amazon Inspector help you perform? (Select TWO)

Choice Response

A Prioritize patch remediation.

B Speed up deployment of databases.

C Run Amazon EC2 instances without the use of antivirus software.

D Identify zero-day vulnerabilities sooner.

E Disable unnecessary services.


Knowledge check 1 answer


Which tasks does Amazon Inspector help you perform? (Select TWO)

The correct answers are A and D.


A. (Correct) Amazon Inspector can scan configurations and identify
resources that require patches.
B. (Incorrect) Amazon Inspector does not speed up deployment of any
resources.
C. (Incorrect) Amazon Inspector helps to find vulnerabilities but it is a passive
tool and cannot remediate issues or protect your instance if it is infected
with malware. It is always recommended that you use anti-virus software on
your EC2 instances.
D. (Correct) Identify zero-day vulnerabilities sooner.
E. (Incorrect) Amazon Inspector is a passive tool. It cannot remediate issues or
disable services.


Knowledge check 2
What is a good reason to use an Amazon Elastic Block Store (Amazon EBS)
backed root volume for your Amazon EC2 instance?

Choice Response

A You only pay when the instance is running.

B Data is persistent.

C The root device is temporary.

D The boot time is slower.


Knowledge check 2 answer


What is a good reason to use an Amazon Elastic Block Store (Amazon EBS) backed root volume for
your Amazon EC2 instance?

The correct answer is B.


A. (Incorrect) Amazon instance store backed instances are more cost effective;
you only pay when the instance is running.
B. (Correct) Amazon EBS backed root volumes and all their data are
persistent.
C. (Incorrect) In an Amazon instance store backed instance, the root device is
temporary.
D. (Incorrect) Amazon instance store backed instances boot slower than EBS
backed instances.


Module 3 summary
Remember…
• Harden against compute vulnerabilities.
  • Hardening with benchmarks
  • AMIs or image security
• Protect data on your instances.
  • Encryption on Amazon EBS
  • AWS Systems Manager for management and maintenance
  • Secure secrets storage
• Detect vulnerabilities.
  • Amazon Inspector
  • AWS Config


Lab 2: Securing the Endpoint
Lab duration: 60 minutes

By the end of this lab, you will be able to do the following:
• Create a custom AMI
• Deploy a new EC2 instance from a custom AMI
• Patch an EC2 instance using AWS Systems Manager
• Encrypt an EBS volume
• Understand how Amazon EBS encryption works and how it impacts other operations, such as snapshots


Overview
You are a security engineer at AnyCompany. You are responsible for the security of all company Amazon Elastic
Compute Cloud (Amazon EC2) instances, the data that is stored on the instances (data at rest), and data as it
travels between the instances (data in transit).

The application developers at AnyCompany frequently use EC2 instances for frontend web servers and backend
database servers. Rather than having to apply security-related adjustments to each new instance as they are
deployed, you want to provide a preconfigured base image for all company instances.

In this lab, you create a custom Amazon Machine Image (AMI) that contains various configuration changes. You
then deploy a new instance from the custom AMI and use user data scripts on the instance to add a new user
specific to the function of the instance. You then learn how to use AWS Systems Manager to keep your
instances patched. Finally, you use Amazon Elastic Block Store (Amazon EBS) encryption to protect company
data at rest.

Objectives
By the end of this lab, you will be able to do the following:
• Create a custom AMI.
• Deploy a new EC2 instance from a custom AMI.
• Patch an EC2 instance using AWS Systems Manager.
• Encrypt an EBS volume.
• Understand how Amazon EBS encryption works and how it impacts other operations, such as snapshots.

Duration
This lab requires approximately 60 minutes to complete.


Lab architecture


Environment overview
The diagram shows the basic architecture of the lab environment.

The following list details the major resources in the diagram:


• A VPC with one public subnet and two private subnets in one Availability Zone, and one public subnet in a
second Availability Zone
• A Network Load Balancer with two nodes, one in each public subnet
• An EC2 instance acting as a web server in the first private subnet
• An EC2 instance acting as a database server in the second subnet
• Two security groups, one for each instance based on its purpose

The network traffic flows from an external user, through an internet gateway to one of the two Network Load
Balancer nodes, to the web server. If the URL of the WordPress blog site running on the web server is
requested, traffic flows to the database server as well.


Monitoring and Alerting
AWS Partner: AWS Security Best Practices (Technical)

Threats are continuously changing. For many organizations, they are increasing in volume and severity as
operations become more and more dependent on digital resources. Visibility of these threats is important to an
organization's ability to respond, and in some cases is a legal requirement. Amazon Web Services provides
several ways that you can monitor your resources, create alerts, and even automate remediation activities.

In this module, you will learn information on monitoring and alerting for your AWS environment, based on
various best practices, frameworks, and standards.


Module objectives & outline
By the end of this module, you will be able to do the following:
• Configure service and application logging.
• Analyze logs, findings, and metrics centrally.
• Automate response to events as much as possible.

Topics:
• Logging network traffic
• Logging user and API traffic
• Visibility with Amazon CloudWatch
• Enhancing monitoring and alerting
• Verifying your AWS environment


Logging network traffic
Section 1 of 5


VPC Flow Logs


What they are
• VPC Flow Logs capture packet metadata, such as the source IP address, destination IP address, ports, protocol, and packet size.
• Flow Logs cannot monitor packet contents (payload or application layer data).
• They are not real-time; they use an aggregation interval for capture.
• Some types of traffic traversing your network are NOT captured by Flow Logs.
• They have no effect on network throughput or latency.

Best Practices
• VPC flow logging should be enabled for packet rejects for all VPCs.
• Flow logging is instrumental to network traffic investigations.
• AWS Config has a rule to check if a VPC has flow logging enabled.

VPC Flow Logs is a feature that enables you to capture information about the IP traffic going to and from
network interfaces in your VPC. Flow logs can help you with many tasks, such as diagnosing overly restrictive
security group rules or monitoring the traffic that is reaching your instance. Security Hub recommends that you
enable flow logging for packet rejects for all VPCs. Flow logs provide visibility into network traffic that traverses
the VPC and can detect anomalous traffic or provide insight during security workflows.

VPC Flow Logs can be turned on per elastic network interface, per subnet, or per VPC to help you with several
tasks, such as the following:
• Diagnosing overly restrictive security group rules
• Monitoring the traffic that is reaching your instance and determining the direction of the traffic to and from
the network interfaces

Turning on VPC Flow Logs for an entire VPC or subnet may generate a very large volume of logs; therefore, you
should do the following:
• Filter for desired results based on need. Think before turning on VPC Flow Logs on an entire VPC or subnet.
(Will you use it?)

Flow logs can be sent to an Amazon Simple Storage Service (Amazon S3) bucket or to Amazon CloudWatch
Logs, where you can set up alarms or visualize the data.
• Use S3 Lifecycle policies to manage large amounts of log data by moving logs to the appropriate storage tier
or expiring log files that are no longer needed.
• Query logs in Amazon S3 using Amazon Athena, or analyze data in CloudWatch Logs with CloudWatch Logs Insights.

Not all traffic traversing your network is captured by VPC Flow Logs. Types of traffic that are not captured
include the following:
• Traffic destined to the Amazon DNS server
• Windows instance traffic for Amazon Windows license activation
• DHCP traffic
• Mirrored traffic
• Traffic to and from 169.254.169.254 for instance metadata
• Traffic to and from 169.254.169.123 for the Amazon Time Sync Service
• Traffic to the reserved IP address for the default VPC router
• Traffic between an endpoint network interface and a Network Load Balancer network interface


Anatomy of a log

Default format
• You cannot customize or change the default format.

Custom format
• Specify the fields and the order in which they are included in flow log records (any number, but at least one field is required).
• Simplify log processing.

Example default-format record (the seven numbered fields discussed in the notes are account-id, interface-id, srcaddr, dstaddr, srcport, dstport, and action):
2 123…0 eni-12ab…9 172.31.9.2 172.31.1.6 49761 3389 6 20 4249 141…1 141…9 REJECT OK
Longer fields in the example above have been truncated using “…” to allow the entire log to be shown on a single line.

Each network interface that produces a flow log is assigned its own unique log stream. Although flow logs do
not capture real-time log streams for your network interfaces, they can still provide valuable information for
security monitoring, alerting, or troubleshooting. Logs can be collected and stored in a default or custom
format. With the default format, the flow log records include version 2 fields, in the order shown in the example
log on the following slide. Later versions added additional fields that can be used with custom logs. You cannot
customize or change the default format. To capture any additional fields or a different subset of the default
fields, you must specify a custom format.

With a custom format, you can specify which fields are included in the flow log records and in which order. This
way, you can create flow logs that are specific to your needs and omit fields that are not relevant. You can
specify any number of the available flow log fields, but you must specify at least one. Additional fields include a
variety of information such as Region, az-id, tcp-flags (set), traffic-path, flow-direction, and more.

The example log on the slide shows that Remote Desktop Protocol (RDP) traffic (destination port 3389, TCP
protocol 6) sent to network interface eni-12abb8ca123456789 in account 123456789010 was rejected. Some of
the important fields in the log are as follows:
1. account-id: This is the AWS account ID of the owner of the source network interface for which traffic is
recorded. If the network interface is created by an AWS service (for example, when creating a VPC endpoint
or Network Load Balancer), the record may display unknown for this field.
2. interface-id: This is the ID of the network interface for which the traffic is recorded.
3. srcaddr: This is the source address for incoming traffic, or the IPv4 or IPv6 address of the network interface
for outgoing traffic on the network interface.
4. dstaddr: This is the destination address for outgoing traffic, or the IPv4 or IPv6 address of the network
interface for incoming traffic on the network interface.
5. srcport: This is the source port of the traffic.
6. dstport: This is the destination port of the traffic.
7. action: This is the action that is associated with the traffic. It can be either accept or reject, based on
whether the traffic was allowed through filtering mechanisms.
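To make the field layout concrete, here is a small parser for default-format (version 2) records together with a detection pass that flags rejected TCP connections to SSH or RDP, like the RDP reject on the slide. This is an added example, not code from the course: the field order is the default format described above, the sample records are constructed (the interface ID and account ID reuse the slide's values, the timestamps are made up), and treating ports 22 and 3389 as the "administrative" ports of interest is an assumption.

```python
from collections import Counter
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Field order of the default (version 2) flow log format described above.
DEFAULT_FIELDS = (
    "version", "account_id", "interface_id", "srcaddr", "dstaddr",
    "srcport", "dstport", "protocol", "packets", "bytes",
    "start", "end", "action", "log_status",
)
INT_FIELDS = {"version", "srcport", "dstport", "protocol",
              "packets", "bytes", "start", "end"}

# Ports an operator would not expect unsolicited connections to
# (assumption for this example: SSH and RDP over TCP).
ADMIN_PORTS = {22: "SSH", 3389: "RDP"}
TCP = 6


@dataclass(frozen=True)
class FlowRecord:
    version: int
    account_id: str
    interface_id: str
    srcaddr: str
    dstaddr: str
    srcport: int
    dstport: int
    protocol: int
    packets: int
    bytes: int
    start: int
    end: int
    action: str
    log_status: str


def parse_record(line: str) -> Optional[FlowRecord]:
    """Parse one default-format record.

    Returns None for NODATA/SKIPDATA rows: they still have 14 columns but carry
    '-' in the traffic fields, so they cannot be interpreted as a flow.
    """
    parts = line.split()
    if len(parts) != len(DEFAULT_FIELDS):
        raise ValueError(f"expected {len(DEFAULT_FIELDS)} fields, got {len(parts)}")
    fields = dict(zip(DEFAULT_FIELDS, parts))
    if fields["log_status"] != "OK":
        return None
    for name in INT_FIELDS:
        fields[name] = int(fields[name])
    return FlowRecord(**fields)


def rejected_admin_access(log_text: str) -> Tuple[List[Tuple[str, str, int, str]], Counter]:
    """Return the rejected TCP flows aimed at an administrative port, plus a
    per-source count of those rejects so a repeat offender stands out."""
    alerts: List[Tuple[str, str, int, str]] = []
    by_source: Counter = Counter()
    for line in log_text.splitlines():
        if not line.strip():
            continue
        rec = parse_record(line)
        if rec is None or rec.action != "REJECT" or rec.protocol != TCP:
            continue
        service = ADMIN_PORTS.get(rec.dstport)
        if service is None:
            continue
        alerts.append((rec.interface_id, rec.srcaddr, rec.dstport, service))
        by_source[rec.srcaddr] += 1
    return alerts, by_source


# Constructed sample records: the first mirrors the slide's RDP reject (with
# made-up start/end timestamps); the rest are invented to exercise the logic.
SAMPLE_LOG = """\
2 123456789010 eni-12abb8ca123456789 172.31.9.2 172.31.1.6 49761 3389 6 20 4249 1418530010 1418530070 REJECT OK
2 123456789010 eni-12abb8ca123456789 203.0.113.12 172.31.1.6 51200 22 6 4 240 1418530010 1418530070 REJECT OK
2 123456789010 eni-12abb8ca123456789 203.0.113.12 172.31.1.6 51201 22 6 4 240 1418530010 1418530070 REJECT OK
2 123456789010 eni-12abb8ca123456789 172.31.1.6 172.31.9.2 443 40123 6 10 1500 1418530010 1418530070 ACCEPT OK
2 123456789010 eni-12abb8ca123456789 - - - - - - - 1418530010 1418530070 - NODATA
"""

if __name__ == "__main__":
    found, counts = rejected_admin_access(SAMPLE_LOG)
    for interface_id, src, port, service in found:
        print(f"{interface_id}: {service} ({port}) probe from {src} rejected")
    print("rejects per source:", dict(counts))
```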


Logging network traffic

Traffic Mirroring
Using Traffic Mirroring provides a detective control so
you can send your traffic to out-of-band security
appliances for the following:
• Content inspection
• Threat monitoring
• Troubleshooting

While VPC Flow Logs can be used for basic flow analysis, they lack full packet-level information. Using the AWS
Traffic Mirroring service, you can copy your traffic from an Amazon Elastic Compute Cloud (Amazon EC2)
network interface and send it to a supported target. You can now “sniff” the cloud network traffic traveling in
and out of your EC2 instances. The copied traffic can be sent to a security or monitoring device for inspection,
threat monitoring, or even troubleshooting.


Reasons for Traffic Mirroring

• Detect network and security anomalies
  • You can extract traffic of interest from any workload in a VPC and route it to the detection tools of your choice. You can detect and respond to attacks more quickly than is possible with traditional log-based tools.
• Implement compliance and security controls
  • You can meet regulatory and compliance requirements that mandate monitoring, logging, and so forth.

Traffic Mirroring is another way to perform monitoring. From a security perspective, you can use it to deploy
out-of-band intrusion detection and analysis tools. Prior to the availability of Traffic Mirroring, there was no
way to look at your traffic as a bit-by-bit copy. The only options were to route traffic through another instance,
which essentially changes some of the information within the traffic, or to deploy local collection agents on
instances.

Target intrusion detection devices or analysis tools can be deployed as individual instances or as a fleet of
instances behind a Network Load Balancer. Traffic Mirroring also supports filters and packet truncation, so you
extract only the traffic of interest.

Note: When turned on, Amazon GuardDuty performs some network threat and anomaly detection using the
VPC Flow Log data, but it is limited by the contents of a flow log. Remember, flow logs do not capture an exact
copy of traffic. Application layer data, for example, is not considered in a VPC Flow Log. GuardDuty is still an
important tool for layering defenses, providing anomaly detection on AWS API calls through AWS CloudTrail
analysis.

Learn more about traffic mirroring at https://docs.aws.amazon.com/vpc/latest/mirroring/what-is-traffic-mirroring.html


Traffic Mirroring components

• Target – The destination for mirrored traffic: a single instance, an appliance, or a load balancer connecting to a fleet.
• Filter – A set of rules that defines the traffic that is of interest, that is, the traffic that will be copied in the traffic mirror session.
• Session – An entity that describes Traffic Mirroring from a source to a target using filters.

Unlike with AWS services, using out-of-band, third-party intrusion detection or analysis solutions requires the
use of Traffic Mirroring. If you are going to implement Traffic Mirroring, you should be familiar with the basic
components as shown on the slide.


Logging user and API traffic
Section 2 of 5


AWS CloudTrail functions

• Simplify compliance audits by automatically recording and storing activity logs for an AWS account.
• Increase visibility into user and resource activity.
• Discover and troubleshoot security and operational issues by capturing a comprehensive history of changes that occurred in an AWS account.

AWS CloudTrail tracks the who, what, where, and when of any API call that occurs in your AWS environment.


CloudTrail is turned on in your AWS account when you create it. When activity occurs in your AWS account, that
activity is recorded in a CloudTrail Event. With CloudTrail being turned on by default, you can log into CloudTrail
and review your Event History. In this view, not only do you see the last 90 days of events, you can also select a
specific event to view more information about it.

To access your CloudTrail log files directly or archive them for auditing purposes past the 90-day window, you
can create a specific trail and specify the S3 bucket for log file delivery. Creating a trail (as opposed to just
viewing the default CloudTrail information) also lets you deliver events to CloudWatch Logs and CloudWatch
Events for further action.


Security benefits and uses


• Perform security analysis and detect behavior patterns by ingesting
CloudTrail API call history into log management and analytics
solutions
• Maintain compliance with internal policies or regulatory standards
• Detect malicious activities and integrate other AWS services to
automate remediation


Security analysis: Perform security analysis and detect user behavior patterns by ingesting CloudTrail API call
history into log management and analytics solutions such as CloudWatch Logs, CloudWatch Events, Athena,
Amazon OpenSearch Service, or another third-party solution.

Compliance aid: CloudTrail facilitates compliance with internal policies and regulatory standards by providing a
history of API calls in your AWS account.

Automated remediation: Detect malicious activities such as data exfiltration by collecting activity data on S3
objects through object-level API events recorded in CloudTrail. After data is collected, use other AWS services,
such as Amazon EventBridge and AWS Lambda, to initiate response procedures.


CloudTrail configuration
You can configure two types of “trails”:
1. A trail that applies to one Region
2. A trail that applies to all Regions
• This is the default setting when you create a trail in the CloudTrail console.
• This is a best practice recommendation.


You can configure CloudTrail to deliver log files from multiple Regions to a single S3 bucket for a single account.
When you change an existing single-Region trail to log all Regions, CloudTrail logs events from all Regions in
your account. As long as CloudTrail has permissions to write to the target S3 bucket, the bucket for a multi-
Region trail does not have to be in the trail's home Region.

Logging events in a single Region is not recommended.


Best practice: Multi-Region configuration


{
"IncludeGlobalServiceEvents": true,
"Name": "my-trail",
"TrailARN": "arn:aws:cloudtrail:us-east-2:123456789012:trail/my-trail",
"LogFileValidationEnabled": false,
"IsMultiRegionTrail": true,
"IsOrganizationTrail": false,
"S3BucketName": "my-bucket"
}


Enabling Multi-Region on your CloudTrail configuration ensures that you get a complete record of events taken
by a user, role, or service in AWS accounts. You should ensure that you set up these trails in every AWS account
used by your company or organization. Multi-Region is a default configuration and a best practice because it
allows you to detect unexpected activity in otherwise unused Regions. Global service events (such as AWS
Identity and Access Management) are also included and logged. If you have a multi-account setup through AWS
Organizations, you can create a trail that logs all events for all AWS accounts in that organization. This
centralization is important for thorough and accurate monitoring.

To confirm that a trail applies to all Regions, the "IsMultiRegionTrail" element should show true within a
CloudFormation template, or the setting is enabled in the AWS Management Console, as shown in the images
on the slide.
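A small check over describe-trails style output that flags trails deviating from the recommendations above, and reports when an account has no multi-Region trail at all. This is an added example, not AWS tooling or course code: the first trail is the JSON from the slide (note that its LogFileValidationEnabled is false, which the check surfaces), the second trail is constructed, and the field names are assumed to be exactly those shown in the slide's JSON.

```python
import json
from typing import Dict, List

# describe-trails style document. The first trail is the one shown on the
# slide; the second is constructed to show a non-compliant configuration.
DESCRIBE_TRAILS_OUTPUT = """
{
  "trailList": [
    {
      "IncludeGlobalServiceEvents": true,
      "Name": "my-trail",
      "TrailARN": "arn:aws:cloudtrail:us-east-2:123456789012:trail/my-trail",
      "LogFileValidationEnabled": false,
      "IsMultiRegionTrail": true,
      "IsOrganizationTrail": false,
      "S3BucketName": "my-bucket"
    },
    {
      "IncludeGlobalServiceEvents": false,
      "Name": "single-region-trail",
      "TrailARN": "arn:aws:cloudtrail:us-west-2:123456789012:trail/single-region-trail",
      "LogFileValidationEnabled": true,
      "IsMultiRegionTrail": false,
      "IsOrganizationTrail": false,
      "S3BucketName": "my-bucket"
    }
  ]
}
"""


def audit_trail(trail: Dict) -> List[str]:
    """Return the best-practice deviations for one trail description."""
    name = trail.get("Name", "<unnamed>")
    findings: List[str] = []
    if not trail.get("IsMultiRegionTrail", False):
        findings.append(f"{name}: single-Region trail; activity in other Regions is not recorded")
    if not trail.get("IncludeGlobalServiceEvents", False):
        findings.append(f"{name}: global service events (such as IAM) are excluded")
    if not trail.get("LogFileValidationEnabled", False):
        # Validation delivers signed digest files, so modification or deletion
        # of delivered log files can be detected; it is off in the slide's trail.
        findings.append(f"{name}: log file validation is off")
    return findings


def audit_account(describe_trails_json: str) -> Dict[str, List[str]]:
    """Audit every trail in the document and add an account-level finding
    when no trail covers all Regions (unused Regions would go unmonitored)."""
    trails = json.loads(describe_trails_json).get("trailList", [])
    report = {t.get("Name", "<unnamed>"): audit_trail(t) for t in trails}
    if not any(t.get("IsMultiRegionTrail", False) for t in trails):
        report["account"] = ["no multi-Region trail: unused Regions are unmonitored"]
    return report


if __name__ == "__main__":
    for trail_name, findings in audit_account(DESCRIBE_TRAILS_OUTPUT).items():
        print(f"{trail_name}: {'ok' if not findings else '; '.join(findings)}")
```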


AWS CloudTrail best practices



AWS Centralized Logging Solution


The diagram here presents an architecture you can automatically deploy in about 30 minutes using an
implementation guide and accompanying CloudFormation templates (provided by AWS). This solution contains
log ingestion, log indexing, and visualization. The implementation guide and CloudFormation template are
provided free of charge; however, the customer is responsible for the cost of running and using various services
contained within the solution. See more about the estimated costs for this solution at
https://docs.aws.amazon.com/solutions/latest/centralized-logging/cost.html.

Solution details:
1. Log ingestion: Amazon CloudWatch Logs destinations deploy in the primary account and are created with
the required permissions in each of the selected Regions. CloudWatch Logs subscription filters can be
configured for log groups to be streamed to the Centralized Logging account.
2. Log indexing: A centralized Amazon Kinesis Data Streams and Amazon Kinesis Data Firehose are provisioned
to index log events on the centralized Amazon OpenSearch Service domain. The CloudWatch Logs
destinations created to stream log events have Kinesis Data Streams as their target. Once the log events
stream to Kinesis Data Streams, the service invokes an AWS Lambda function to transform each log event to
an Amazon OpenSearch Service document, which is then put into Kinesis Data Firehose. You can monitor
Kinesis Data Firehose while it sends custom CloudWatch Logs containing detailed monitoring data for each
delivery stream.
3. Visualization: Amazon OpenSearch Service and Kibana provide data visualization and exploration support.
An Amazon OpenSearch Service domain is created inside an Amazon VPC, preventing public access to the
Kibana dashboard. Optionally, a Microsoft Windows Jumpbox Server can be launched to access the Amazon
OpenSearch Service cluster and Kibana dashboard.

More resources can be found at https://aws.amazon.com/solutions/implementations/centralized-logging/.


Centralizing multi-account CloudTrail logging

AWS Organizations
• Use AWS Organizations to centralize logging:
  • From multiple Regions into one S3 bucket (all-Regions/one-account)
  • From multiple accounts into one account’s Amazon Simple Storage Service (S3) bucket

AWS Control Tower
• Centralizes logging for AWS Organizations by default.

Centralized CloudTrail logging is a generally recommended deployment to ensure the integrity of logs. This is
also the recommended deployment when an organization has a dedicated security team or managed service
provider that will be exclusively handling the logs.

In a multi-account environment using AWS Organizations, you can enable CloudTrail once in the management
account and have it applied to all AWS accounts.
• Log prefix changes from “/AWSLogs/<accountID>/” to “/AWSLogs/<OrganizationID>/”.
• There is no more updating of the S3 bucket policies.

One option for centralizing CloudTrail logging is by using AWS Control Tower. AWS Control Tower provides
enhanced governance and control when you are using AWS Organizations to manage multiple AWS accounts.
AWS Control Tower sets up a new trail when you set up a landing zone (which is a well-architected, multi-
account environment, based on best practices) and configures CloudTrail to enable centralized logging and
auditing. When you enroll a new account into AWS Control Tower, your account is governed by the AWS
CloudTrail trail for the AWS Control Tower organization. If you have an existing deployment of a CloudTrail trail
in that account, you may see duplicate charges unless you delete the existing trail for the account before you
enroll it in AWS Control Tower.

For more information about using AWS Control Tower, visit
https://docs.aws.amazon.com/controltower/latest/userguide/what-is-control-tower.html

For more about the use of AWS Control Tower and other AWS solutions for achieving security governance at
scale, explore our 1-day classroom training at
https://aws.amazon.com/training/classroom/aws-security-governance-at-scale/


AWS CloudTrail with AWS Organizations

1. Turn on CloudTrail for your Organization.
2. Update bucket policy.
3. Turn on CloudTrail for 222222222222.
4. Turn on CloudTrail for 3333333333.


Amazon S3 log storage

• Use a dedicated S3 bucket for CloudTrail logs.
• Implement least-privilege access to buckets where you store log files.
• Enable multi-factor authentication (MFA) Delete on the log storage bucket.
• Limit access to the “AWSCloudTrail_FullAccess” policy.

The following are some best practices for the Amazon S3 bucket where you store logs from CloudTrail:

• You can configure CloudTrail to deliver log files from multiple AWS accounts to a single S3 bucket.
  • A default descriptive folder structure makes it efficient to store log files from multiple accounts and
    Regions in the same S3 bucket.
  • A detailed log file name helps identify the contents of the log file.
  • A unique identifier in the file name prevents overwriting log files.

• Implement least-privilege access to buckets where you store log files.
  • Review the Amazon S3 bucket policy for any buckets where you store log files and adjust it if
    necessary. This bucket policy will be generated for you if you create a trail using the CloudTrail
    console, but it can also be created and managed manually.
  • Be sure to manually add an aws:SourceArn condition key to the bucket policy. More information on this
    can be found at
    https://docs.aws.amazon.com/awscloudtrail/latest/userguide/create-s3-bucket-policy-for-cloudtrail.html

• Enable multi-factor authentication (MFA) Delete on the bucket where you store log files.
  • Configuring MFA Delete ensures that attempts to alter the versioning state of your bucket or
    permanently delete an object version require additional authentication. This helps prevent actions
    that could compromise the integrity of your log files, even if an IAM user with permissions to delete
    Amazon S3 objects is compromised.

• Limit access to the “AWSCloudTrail_FullAccess” policy.
  • Users with the “AWSCloudTrail_FullAccess” policy can disable or reconfigure the most sensitive and
    important auditing functions in their AWS accounts. Limit application of this policy to as few
    individuals as possible to maintain the principle of least privilege and protect the integrity of log files.
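The bucket-policy review above can be automated. The Python below is an added example written for this guide (not AWS tooling): it walks the Allow statements of a constructed CloudTrail log-bucket policy and reports any grant to the CloudTrail service principal that lacks the aws:SourceArn condition, any grant whose SourceArn names a different trail than expected, and any Allow to a wildcard principal. The bucket name, account id and trail ARN are constructed sample values; the two weak statements are included on purpose so the audit reports them.

```python
import json

TRAIL_ARN = "arn:aws:cloudtrail:us-east-2:123456789012:trail/my-trail"   # constructed

# Constructed bucket policy in the shape CloudTrail documents for its log bucket.
# The ACL-check statement deliberately lacks the aws:SourceArn condition and a
# third statement deliberately grants read to everyone, so the audit reports both.
SAMPLE_POLICY = json.loads("""
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "AWSCloudTrailAclCheck",
      "Effect": "Allow",
      "Principal": {"Service": "cloudtrail.amazonaws.com"},
      "Action": "s3:GetBucketAcl",
      "Resource": "arn:aws:s3:::my-bucket"
    },
    {
      "Sid": "AWSCloudTrailWrite",
      "Effect": "Allow",
      "Principal": {"Service": "cloudtrail.amazonaws.com"},
      "Action": "s3:PutObject",
      "Resource": "arn:aws:s3:::my-bucket/AWSLogs/123456789012/*",
      "Condition": {
        "StringEquals": {
          "aws:SourceArn": "arn:aws:cloudtrail:us-east-2:123456789012:trail/my-trail",
          "s3:x-amz-acl": "bucket-owner-full-control"
        }
      }
    },
    {
      "Sid": "PublicRead",
      "Effect": "Allow",
      "Principal": {"AWS": "*"},
      "Action": "s3:GetObject",
      "Resource": "arn:aws:s3:::my-bucket/*"
    }
  ]
}
""")

def _as_list(value):
    """IAM policy elements may be a single string or a list; normalise to a list."""
    return value if isinstance(value, list) else [value]

def _service_principals(stmt):
    principal = stmt.get("Principal", {})
    return _as_list(principal.get("Service", [])) if isinstance(principal, dict) else []

def _has_wildcard_principal(stmt):
    principal = stmt.get("Principal")
    if principal == "*":
        return True
    return isinstance(principal, dict) and "*" in _as_list(principal.get("AWS", []))

def _source_arns(stmt):
    """All aws:SourceArn values under the condition operators such policies use."""
    condition = stmt.get("Condition", {})
    arns = []
    for operator_name in ("StringEquals", "StringLike", "ArnEquals", "ArnLike"):
        arns += _as_list(condition.get(operator_name, {}).get("aws:SourceArn", []))
    return arns

def audit_bucket_policy(policy, expected_trail_arn):
    """Return (Sid, issue) pairs for a CloudTrail log-bucket policy."""
    issues = []
    for stmt in policy.get("Statement", []):
        sid = stmt.get("Sid", "<no Sid>")
        if stmt.get("Effect") != "Allow":
            continue   # Deny statements only narrow access
        if _has_wildcard_principal(stmt):
            issues.append((sid, "Allow to a wildcard principal on the log bucket"))
        if "cloudtrail.amazonaws.com" in _service_principals(stmt):
            arns = _source_arns(stmt)
            if not arns:
                # Without aws:SourceArn, a trail in another account could be pointed
                # at this bucket (confused-deputy pattern); pin it to your trail.
                issues.append((sid, "CloudTrail grant has no aws:SourceArn condition"))
            elif expected_trail_arn not in arns:
                issues.append((sid, "aws:SourceArn does not name the expected trail"))
    return issues

if __name__ == "__main__":
    for sid, issue in audit_bucket_policy(SAMPLE_POLICY, TRAIL_ARN):
        print(f"{sid}: {issue}")
```

Feed the policy document from `aws s3api get-bucket-policy` (the `Policy` field is a JSON string) to `audit_bucket_policy` together with the trail ARN from describe-trails; an empty result means every CloudTrail grant is pinned to your trail and no Allow is open to everyone.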


CloudTrail: Lifecycle management

• Configured through Amazon S3
• Available actions:
  • Transition to different storage tier
  • Expire (delete) object
  • Transition and expire

Configure object lifecycle management for the bucket where you store log files: Define retention policies that
meet your business and auditing needs. These may require consideration of legal or regulatory requirements to
retain logs, and in some cases cost. For example, you might want to archive log files that are more than a year
old to Amazon Glacier. You can also delete log files after a certain amount of time has passed in order to save on
costs for storing logs that are no longer needed.

Transition actions define when objects transition to another Amazon S3 storage class; for example, moving a
log object to the Amazon S3 Infrequent Access storage class 30 days after creation, or archiving objects to the
Amazon Simple Storage Service Glacier storage class 1 year after creation.

Expiration actions specify when the objects expire (are deleted on your behalf). Note: This option
deletes all objects in the bucket that meet the criteria regardless of the file type. When an object has been
expired, it cannot be recovered.
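The transition and expiration actions above are expressed as a lifecycle rule on the bucket. The Python below is an added example for this guide, not AWS code: it builds one rule in the JSON shape S3 accepts (Infrequent Access at 30 days, Glacier at one year, deletion later) and validates it against the constraints a practitioner trips over, including the caveat just stated that an expiration action deletes every matching object, which the rule handles by scoping itself to the CloudTrail prefix. The 7-year (2555-day) retention figure and the prefix are constructed assumptions, not a recommendation from the guide.

```python
# Storage classes in warm-to-cold order; a later transition must move to a colder
# class than the previous one. The list is a simplification for this example and
# covers only the classes used here.
CLASS_ORDER = ["STANDARD", "STANDARD_IA", "GLACIER", "DEEP_ARCHIVE"]
MIN_DAYS_BEFORE_IA = 30   # S3 requires 30 days in Standard before an IA transition

def cloudtrail_lifecycle_rule(prefix="AWSLogs/", ia_days=30, glacier_days=365, expire_days=2555):
    """Build one lifecycle rule in the JSON shape S3 expects: move CloudTrail
    objects to Infrequent Access, then to Glacier, then delete them."""
    return {
        "ID": "cloudtrail-log-retention",
        "Status": "Enabled",
        # Scope the rule to the CloudTrail prefix so the expiration action cannot
        # delete unrelated objects that share the bucket.
        "Filter": {"Prefix": prefix},
        "Transitions": [
            {"Days": ia_days, "StorageClass": "STANDARD_IA"},
            {"Days": glacier_days, "StorageClass": "GLACIER"},
        ],
        "Expiration": {"Days": expire_days},
    }

def validate_rule(rule, min_retention_days):
    """Return the list of problems found; an empty list means the rule is
    internally consistent and keeps logs for at least min_retention_days."""
    problems = []
    if not rule.get("Filter", {}).get("Prefix"):
        problems.append("no Prefix filter: expiration would apply to every object in the bucket")
    transitions = rule.get("Transitions", [])
    days = [t["Days"] for t in transitions]
    if any(d2 <= d1 for d1, d2 in zip(days, days[1:])):
        problems.append("transition days must be strictly increasing")
    for t in transitions:
        if t["StorageClass"] not in CLASS_ORDER:
            problems.append(f"unknown storage class {t['StorageClass']}")
        elif t["StorageClass"] == "STANDARD_IA" and t["Days"] < MIN_DAYS_BEFORE_IA:
            problems.append(f"STANDARD_IA transition needs at least {MIN_DAYS_BEFORE_IA} days")
    ranks = [CLASS_ORDER.index(t["StorageClass"]) for t in transitions
             if t["StorageClass"] in CLASS_ORDER]
    if any(r2 <= r1 for r1, r2 in zip(ranks, ranks[1:])):
        problems.append("each transition must move to a colder storage class")
    expire = rule.get("Expiration", {}).get("Days")
    if expire is not None:
        if days and expire <= max(days):
            problems.append("expiration must be later than the last transition")
        if expire < min_retention_days:
            problems.append(f"expiration after {expire} days is shorter than the "
                            f"{min_retention_days}-day retention requirement")
    return problems

if __name__ == "__main__":
    print(validate_rule(cloudtrail_lifecycle_rule(), 2555))
    print(validate_rule(cloudtrail_lifecycle_rule(prefix="", ia_days=7, expire_days=200), 365))
```

The rule dict goes inside the `Rules` array of the document passed to `aws s3api put-bucket-lifecycle-configuration`; keep `validate_rule` in the pipeline that applies it so a retention requirement change cannot silently shorten how long evidence is kept.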


CloudTrail confidentiality: AWS KMS encryption


Use server-side encryption with AWS Key Management Service (AWS KMS) managed keys: You can encrypt
CloudTrail logs through AWS KMS. By default, the files are encrypted using S3 server-side encryption (SSE-S3),
and then transparently decrypted when you read them. Optionally, you can specify a KMS key (SSE-KMS), and
it will be used to encrypt your log files. See the diagram for an example of this process.

1. Create an AWS KMS key: Create or use an existing AWS KMS key and apply key policy to allow CloudTrail to
encrypt and the SecOps engineers to decrypt the logs.
2. Specify the AWS KMS key: Specify the key to CloudTrail.
3. Retrieve the object: Use the S3 GetObject API call to retrieve the desired log file.
4. Decrypt the log files: The SecOps engineer uses the key to decrypt the log files.


Enable log integrity validation

• Once you turn on log file integrity validation, CloudTrail will start delivering digest files on an hourly
  basis to the same S3 bucket where you receive your CloudTrail log files, but with a different prefix.
• CloudTrail log files are delivered to: /optional_prefix/AWSLogs/AccountID/CloudTrail/*
• CloudTrail digest files are delivered to: /optional_prefix/AWSLogs/AccountID/CloudTrail-Digest/*

Enable CloudTrail log file integrity: To determine whether a log file was modified, deleted, or unchanged after
CloudTrail delivered it, you can use CloudTrail log file integrity validation. Validated log files are invaluable in
security and forensic investigations.

This feature is built using industry-standard algorithms: SHA-256 for hashing and SHA-256 with RSA for digital
signing. You can use the AWS Command Line Interface or AWS CLI to validate the files in the location where
CloudTrail delivered them.
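To make the hashing part of that mechanism concrete, the Python below is an added simulation written for this guide, not CloudTrail's own code: it builds two hourly digests over constructed log objects using the documented digest field names (each log file's SHA-256 under `logFiles`, the previous digest's SHA-256 under `previousDigestHashValue`), then re-validates the store after a log file is edited and after a digest is rewritten to cover an edited log. The RSA signature CloudTrail places on each digest is not simulated; it is what stops an adversary who can rewrite every later digest from hiding the break in the chain, so the real validation is always `aws cloudtrail validate-logs`. Account id, object keys and record contents are constructed.

```python
import hashlib
import json

ACCOUNT = "111122223333"   # constructed account id
LOG_PREFIX = f"AWSLogs/{ACCOUNT}/CloudTrail/us-east-1/2023/01/01/"
DIGEST_PREFIX = f"AWSLogs/{ACCOUNT}/CloudTrail-Digest/us-east-1/2023/01/01/"
LOG1, LOG2 = LOG_PREFIX + "log-0100.json.gz", LOG_PREFIX + "log-0200.json.gz"
DIGEST1, DIGEST2 = DIGEST_PREFIX + "digest-0100.json.gz", DIGEST_PREFIX + "digest-0200.json.gz"

def sha256_hex(data):
    return hashlib.sha256(data).hexdigest()

def make_digest(log_objects, previous_key=None, previous_bytes=None):
    """Build a digest covering {key: bytes} log objects, chained to the previous
    digest by its SHA-256. Field names follow the documented digest layout; the
    RSA signature CloudTrail adds is not simulated here."""
    digest = {
        "digestSignatureAlgorithm": "SHA256withRSA",
        "logFiles": [{"s3Object": key, "hashAlgorithm": "SHA-256", "hashValue": sha256_hex(body)}
                     for key, body in sorted(log_objects.items())],
        "previousDigestS3Object": previous_key,
        "previousDigestHashAlgorithm": "SHA-256" if previous_bytes else None,
        "previousDigestHashValue": sha256_hex(previous_bytes) if previous_bytes else None,
    }
    return json.dumps(digest, sort_keys=True).encode()

def build_scenario():
    """Two hours of constructed logs and their two chained digests, as a {key: bytes} store."""
    hour1 = {LOG1: b'{"Records":[{"eventName":"ConsoleLogin"}]}'}
    hour2 = {LOG2: b'{"Records":[{"eventName":"StopLogging"}]}'}
    digest1 = make_digest(hour1)
    digest2 = make_digest(hour2, DIGEST1, digest1)
    return {**hour1, **hour2, DIGEST1: digest1, DIGEST2: digest2}

def validate_chain(digest_keys, objects):
    """Walk digests oldest to newest. Returns (key, status) pairs: 'valid',
    'modified' or 'missing' per log file, 'chain-broken' for a digest whose
    predecessor no longer hashes to the recorded value."""
    results, previous = [], None
    for dkey in digest_keys:
        digest = json.loads(objects[dkey])
        if previous is not None and (
                digest["previousDigestS3Object"] != previous
                or digest["previousDigestHashValue"] != sha256_hex(objects[previous])):
            results.append((dkey, "chain-broken"))
        for entry in digest["logFiles"]:
            body = objects.get(entry["s3Object"])
            if body is None:
                status = "missing"
            elif sha256_hex(body) == entry["hashValue"]:
                status = "valid"
            else:
                status = "modified"
            results.append((entry["s3Object"], status))
        previous = dkey
    return results

def statuses_after(edit=None):
    """Validate the clean store, optionally after applying edit(store) to it."""
    store = build_scenario()
    if edit:
        edit(store)
    return dict(validate_chain([DIGEST1, DIGEST2], store))

def hide_stop_logging(store):
    # An edited log file no longer matches the hash recorded in its digest.
    store[LOG2] = b'{"Records":[]}'

def rewrite_first_digest(store):
    # Rewriting a digest to cover an edited log breaks the link from the next digest.
    store[LOG1] = b'{"Records":[]}'
    store[DIGEST1] = make_digest({LOG1: store[LOG1]})

if __name__ == "__main__":
    print(statuses_after())
    print(statuses_after(hide_stop_logging))
    print(statuses_after(rewrite_first_digest))
```

The third scenario is the instructive one: the edited hour-1 log validates against its rewritten digest, and only the chain check on the hour-2 digest reveals the tampering. That is why digests are chained, and why the signature over each digest (verified by the CLI against CloudTrail's published public keys) matters.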


Integrate with CloudWatch Logs

Best practices:
• Monitor and alert on specific events.
• Simple searching is provided.
• Use AWS Config to ensure CloudTrail is sending events to CloudWatch Logs.

Integrate with Amazon CloudWatch Logs: CloudWatch Logs allows you to monitor and receive alerts for specific
events captured by CloudTrail. For example, you can monitor key security and network-related management
events, such as failed AWS Management Console sign-in events or changes made to security groups. You can
also configure AWS Config to provide ongoing detection to help ensure that all trails are sending events to
CloudWatch Logs using the “cloud-trail-cloud-watch-logs-enabled” rule.


Visibility with Amazon CloudWatch
Section 3 of 5

In order to detect potential security incidents within your environment, you must be able to comprehensively
monitor your environment. Amazon CloudWatch provides functions to allow for monitoring and alerting. Before
we explore this service, let’s look at some of the things that you can gain visibility over with Amazon
CloudWatch.


Indicators of compromise
• Abnormal CPU utilization
• Significant or sudden increases in database reads
• HTML response sizes
• Mismatched port-application traffic
• Unusual DNS requests
• Unusual outbound network traffic
• Anomalies in privileged user account activity
• Geographical irregularities (source of traffic)
• Unusually high traffic at irregular hours
• Multiple, repeated, or irregular login attempts

Indicators of Compromise or IoC are largely similar in cloud environments to how they are in traditional IT
environments. Logging and alerting on anomalies is helpful in recognizing potential malware, malicious
activities, or other indicators of a compromised system. Some of the types of anomalies that may be recognized
by the use of CloudWatch include the examples noted on the slide.


CloudWatch Alarms best practices

These are just a few examples of areas that should be monitored with CloudWatch Alarms:
• AWS Console sign-in requests without MFA
• IAM policy configuration changes
• Root account usage
• Authorization failures; unauthorized API calls made within your AWS account
• AWS KMS key configuration changes
• AWS CloudTrail configuration changes
• AWS EC2 instance and S3 changes
• AWS VPC, route table, internet gateway, ACL, or security group configuration changes

There are many simple alarms that you can implement to monitor your environment. Recommendations for
creating alarms are usually very specific to an organization’s architecture and needs; however, they are the
responsibility of the customer (remember the AWS Shared Responsibility Model). CloudWatch alarms come in
two types, which can help you to customize what you are monitoring and ensure that even complex situations
composed of corresponding events or metrics can be captured. Next, you will look at the differences between
metric alarms and composite alarms.

• For more prescriptive guidance from AWS about using Amazon CloudWatch, see
https://docs.aws.amazon.com/prescriptive-guidance/latest/implementing-logging-monitoring-
cloudwatch/welcome.html
• For more information about what activities require the root account, see
https://docs.aws.amazon.com/general/latest/gr/root-vs-iam.html#aws_tasks-that-require-root.
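The alarm areas listed on the slide are normally implemented as CloudWatch Logs metric filters on the CloudTrail log group. The Python below is an added example for this guide, not AWS code: it pairs a metric filter pattern, written in the style of the CIS AWS Foundations Benchmark filters, with an equivalent predicate for six of those areas, and runs the predicates over constructed CloudTrail records so you can see which event each rule catches. The account id and principal names are constructed; the rule set goes beyond the single example in the text by covering several of the slide's areas at once.

```python
import json

# Constructed CloudTrail records, trimmed to the fields the rules use.
SAMPLE_EVENTS = [json.loads(s) for s in (
    '{"eventName":"ConsoleLogin","eventSource":"signin.amazonaws.com",'
    '"userIdentity":{"type":"IAMUser","arn":"arn:aws:iam::123456789012:user/alice"},'
    '"additionalEventData":{"MFAUsed":"No"}}',
    '{"eventName":"DescribeInstances","eventSource":"ec2.amazonaws.com",'
    '"userIdentity":{"type":"Root","arn":"arn:aws:iam::123456789012:root"}}',
    '{"eventName":"PutBucketPolicy","eventSource":"s3.amazonaws.com","errorCode":"AccessDenied",'
    '"userIdentity":{"type":"AssumedRole","arn":"arn:aws:sts::123456789012:assumed-role/Dev/bob"}}',
    '{"eventName":"StopLogging","eventSource":"cloudtrail.amazonaws.com",'
    '"userIdentity":{"type":"IAMUser","arn":"arn:aws:iam::123456789012:user/carol"}}',
    '{"eventName":"ScheduleKeyDeletion","eventSource":"kms.amazonaws.com",'
    '"userIdentity":{"type":"IAMUser","arn":"arn:aws:iam::123456789012:user/dave"}}',
    '{"eventName":"AuthorizeSecurityGroupIngress","eventSource":"ec2.amazonaws.com",'
    '"userIdentity":{"type":"IAMUser","arn":"arn:aws:iam::123456789012:user/erin"}}',
    '{"eventName":"GetObject","eventSource":"s3.amazonaws.com",'
    '"userIdentity":{"type":"IAMUser","arn":"arn:aws:iam::123456789012:user/alice"}}',
)]

TRAIL_CHANGES = {"CreateTrail", "UpdateTrail", "DeleteTrail", "StartLogging", "StopLogging"}
SG_CHANGES = {"AuthorizeSecurityGroupIngress", "AuthorizeSecurityGroupEgress",
              "RevokeSecurityGroupIngress", "RevokeSecurityGroupEgress",
              "CreateSecurityGroup", "DeleteSecurityGroup"}

def _identity(event):
    return event.get("userIdentity", {})

# (rule name, CloudWatch Logs metric filter pattern in the style of the CIS
#  AWS Foundations Benchmark, equivalent Python predicate)
RULES = [
    ("ConsoleLoginWithoutMFA",
     '{ ($.eventName = "ConsoleLogin") && ($.additionalEventData.MFAUsed != "Yes") }',
     lambda e: e.get("eventName") == "ConsoleLogin"
               and e.get("additionalEventData", {}).get("MFAUsed") != "Yes"),
    ("RootAccountUsage",
     '{ $.userIdentity.type = "Root" && $.userIdentity.invokedBy NOT EXISTS && $.eventType != "AwsServiceEvent" }',
     lambda e: _identity(e).get("type") == "Root" and "invokedBy" not in _identity(e)
               and e.get("eventType") != "AwsServiceEvent"),
    ("UnauthorizedAPICall",
     '{ ($.errorCode = "*UnauthorizedOperation") || ($.errorCode = "AccessDenied*") }',
     lambda e: (e.get("errorCode") or "").endswith("UnauthorizedOperation")
               or (e.get("errorCode") or "").startswith("AccessDenied")),
    ("CloudTrailConfigChange",
     '{ ($.eventName = CreateTrail) || ($.eventName = UpdateTrail) || ($.eventName = DeleteTrail) || ($.eventName = StartLogging) || ($.eventName = StopLogging) }',
     lambda e: e.get("eventName") in TRAIL_CHANGES),
    ("KMSKeyDisableOrDelete",
     '{ ($.eventSource = kms.amazonaws.com) && (($.eventName = DisableKey) || ($.eventName = ScheduleKeyDeletion)) }',
     lambda e: e.get("eventSource") == "kms.amazonaws.com"
               and e.get("eventName") in {"DisableKey", "ScheduleKeyDeletion"}),
    ("SecurityGroupChange",
     '{ ($.eventName = AuthorizeSecurityGroupIngress) || ($.eventName = AuthorizeSecurityGroupEgress) || ($.eventName = RevokeSecurityGroupIngress) || ($.eventName = RevokeSecurityGroupEgress) || ($.eventName = CreateSecurityGroup) || ($.eventName = DeleteSecurityGroup) }',
     lambda e: e.get("eventName") in SG_CHANGES),
]

def evaluate(events):
    """Return (rule name, principal ARN) for every event that matches a rule."""
    hits = []
    for event in events:
        for name, _pattern, predicate in RULES:
            if predicate(event):
                hits.append((name, _identity(event).get("arn", "<unknown>")))
    return hits

def metric_filter_patterns():
    """Rule name -> pattern string, ready for put-metric-filter on the CloudTrail log group."""
    return {name: pattern for name, pattern, _ in RULES}

if __name__ == "__main__":
    for name, principal in evaluate(SAMPLE_EVENTS):
        print(f"{name}: {principal}")
```

In production each pattern becomes a metric filter (`aws logs put-metric-filter`) that increments a metric, and a CloudWatch alarm on that metric with a threshold of 1 over a 5-minute period is what pages the team; the benign GetObject record in the sample shows the rules staying quiet on routine activity.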


Metric alarms versus Composite Alarms

Metric alarm
A metric alarm has the following possible states:
• OK – The metric or expression is within the defined threshold.
• ALARM – The metric or expression is outside the defined threshold.
• INSUFFICIENT_DATA – The alarm has just started, the metric is not available, or not enough data is
  available for the metric to determine the alarm state.

Composite alarm
Alarms can be combined and grouped.
• They are hierarchical.
• They use Boolean logic AND, OR, and NOT.
• They can help to alleviate or avoid alarm fatigue by reducing noise.

Metric alarms watch a single CloudWatch metric or the result of a math expression based on CloudWatch
metrics. The alarm performs one or more actions based on the result, such as sending a notification to an
Amazon Simple Notification Service or SNS topic, performing an Amazon EC2 action or an Amazon EC2 Auto
Scaling action, or creating an OpsItem or incident in AWS Systems Manager.

A single event in a complex environment can generate multiple alarms. A continuous large volume of alarms can
overwhelm you or mislead the triage and investigation process. If this happens, you can end up dealing with
alarm fatigue or wasting time reviewing false positives (a false positive is an alert that incorrectly indicates that
malicious activity is occurring).

With composite alarms, you can combine multiple alarms into alarm hierarchies. This reduces alarm noise by
initiating just once when multiple alarms are initiated at the same time. You can use this to provide an overall
state for a grouping of resources such as an application, AWS Region, or Availability Zone. You can also add logic
and group alarms into a single high-level alarm, initiated when the underlying conditions are met. This means
you can introduce intelligent decisions and minimize false positives. Composite alarms are created using one or
more alarm states combined with Boolean operators AND, OR, and NOT and constants TRUE and FALSE. A
composite alarm is initiated when its expression evaluates to be TRUE.

Note: Currently, composite alarms only support an action of notifying Amazon SNS topics.
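A composite alarm is defined by a rule expression over child alarm states. The Python below is an added example for this guide, not CloudWatch code: it tokenizes and evaluates rule expressions in the form CloudWatch uses (state tests such as `ALARM("name")`, `OK(...)` and `INSUFFICIENT_DATA(...)`, the constants TRUE and FALSE, and NOT/AND/OR with that precedence), so you can reason about when a composite alarm fires before creating it. The alarm names and states are constructed; treating an unlisted child alarm as INSUFFICIENT_DATA is an assumption of the example.

```python
import re

# One token per match: a state test such as ALARM("name"), a keyword, or a parenthesis.
TOKEN_RE = re.compile(
    r'\s*(?:(ALARM|OK|INSUFFICIENT_DATA)\s*\(\s*"([^"]*)"\s*\)|(AND|OR|NOT|TRUE|FALSE)\b|([()]))')

def tokenize(rule):
    tokens, pos = [], 0
    while pos < len(rule):
        if rule[pos:].strip() == "":
            break
        m = TOKEN_RE.match(rule, pos)
        if not m:
            raise ValueError(f"unexpected input at {pos}: {rule[pos:pos + 12]!r}")
        pos = m.end()
        if m.group(1):
            tokens.append(("STATE", m.group(1), m.group(2)))
        elif m.group(3):
            tokens.append(("KW", m.group(3), None))
        else:
            tokens.append(("PAREN", m.group(4), None))
    return tokens

class _Parser:
    """Recursive-descent evaluator with precedence NOT > AND > OR."""
    def __init__(self, tokens, states):
        self.tokens, self.pos, self.states = tokens, 0, states

    def peek(self):
        return self.tokens[self.pos] if self.pos < len(self.tokens) else None

    def take(self):
        tok = self.peek()
        if tok is None:
            raise ValueError("unexpected end of rule")
        self.pos += 1
        return tok

    def expr(self):
        value = self.term()
        while self.peek() == ("KW", "OR", None):
            self.take()
            value = self.term() or value
        return value

    def term(self):
        value = self.factor()
        while self.peek() == ("KW", "AND", None):
            self.take()
            value = self.factor() and value
        return value

    def factor(self):
        tok = self.take()
        if tok == ("KW", "NOT", None):
            return not self.factor()
        if tok == ("KW", "TRUE", None):
            return True
        if tok == ("KW", "FALSE", None):
            return False
        if tok == ("PAREN", "(", None):
            value = self.expr()
            if self.take() != ("PAREN", ")", None):
                raise ValueError("expected ')'")
            return value
        if tok[0] == "STATE":
            # A child alarm not present in `states` is treated as INSUFFICIENT_DATA
            # (assumption of this example; CloudWatch requires the alarm to exist).
            return self.states.get(tok[2], "INSUFFICIENT_DATA") == tok[1]
        raise ValueError(f"unexpected token {tok}")

def evaluate_rule(rule, states):
    """True when the composite alarm would be in ALARM for the given child states."""
    parser = _Parser(tokenize(rule), states)
    result = parser.expr()
    if parser.peek() is not None:
        raise ValueError(f"trailing tokens after expression: {parser.peek()}")
    return result

# Constructed rule: page only when CPU and one data-movement signal agree, and
# never during a declared maintenance window.
RULE = ('ALARM("cpu-high") AND (ALARM("db-reads-high") OR ALARM("egress-bytes-high")) '
        'AND NOT ALARM("maintenance-window")')

def demo_states():
    """Constructed child alarm states for the sample rule."""
    return {"cpu-high": "ALARM", "db-reads-high": "ALARM",
            "egress-bytes-high": "OK", "maintenance-window": "OK"}

if __name__ == "__main__":
    print(evaluate_rule(RULE, demo_states()))
```

Evaluating candidate rules against recorded state histories this way is a cheap check that a composite alarm suppresses the noise you intend (here, a maintenance window) without also suppressing the combination you actually want to catch.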


Using CloudWatch anomaly detection

• The expected range of values is shown as a wide gray band.
• Actual values outside this band are shown as red (the points extending above the wide band).
• Anomaly detection algorithms account for the seasonality and trend changes of metrics.

When you turn on anomaly detection for a metric, CloudWatch applies statistical and machine learning
algorithms. These algorithms continuously analyze metrics of systems and applications, determine normal
baselines, and surface anomalies with minimal user intervention.

The algorithms generate an anomaly detection model. The model generates a range of expected values that
represent normal behavior. With this feature, you can create anomaly detection alarms based on a metric's
expected value. This type of metric alarm doesn't have a static threshold. Instead, the alarm compares the
metric's value to the expected value based on the anomaly detection model. You can initiate an alarm when a
metric value is above or below the band of expected values.
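To show what a seasonal expected band does that a static threshold cannot, the Python below is an added example for this guide, not CloudWatch's model: it learns a per-hour-of-day baseline (mean and spread) from a constructed week of hourly request counts, derives a band around it, and flags values outside the band. The daily profile and jitter values are constructed; the point is that the same count is inside the band at 10:00 and far outside it at 03:00.

```python
import statistics

PERIOD = 24   # hourly samples, one day per season

# Constructed baseline: a daily request-rate profile (low at night, high in office
# hours) observed for 7 days with a rotating jitter, so every hour slot sees the
# same spread of values.
BASE = [10] * 7 + [40, 80] + [100] * 8 + [60, 30] + [10] * 5
JITTER = [-4, 2, 5, -3, 1, -2, 3]
HISTORY = [BASE[h] + JITTER[(d + h) % len(JITTER)] for d in range(7) for h in range(PERIOD)]

def build_model(history, period=PERIOD):
    """Per-slot (mean, stdev) from history sampled at a fixed interval, so the
    expected band follows the seasonal pattern instead of one flat threshold."""
    slots = [[] for _ in range(period)]
    for i, value in enumerate(history):
        slots[i % period].append(value)
    return [(statistics.fmean(s), statistics.pstdev(s) if len(s) > 1 else 0.0) for s in slots]

def expected_band(model, index, width=3.0, floor=2.0):
    """(low, high) for the sample at this index; floor keeps the band from
    collapsing on slots that happened to show almost no variation."""
    mean, sd = model[index % len(model)]
    half = width * max(sd, floor)
    return mean - half, mean + half

def detect(model, values, start_index=0, width=3.0):
    """Return (index, value, low, high) for every value outside its slot's band."""
    anomalies = []
    for k, value in enumerate(values):
        low, high = expected_band(model, start_index + k, width)
        if value < low or value > high:
            anomalies.append((start_index + k, value, low, high))
    return anomalies

def demo():
    """A new day that matches the profile except for 60 requests at 03:00;
    returns the indices flagged as anomalous."""
    model = build_model(HISTORY)
    today = list(BASE)
    today[3] = 60      # anomalous for 3 a.m. ...
    today[10] = 105    # ... while 105 at 10 a.m. sits inside the band
    return [a[0] for a in detect(model, today)]

if __name__ == "__main__":
    print(demo())
```

CloudWatch's model additionally adapts to trend changes and lets you set the band width per alarm; the structure is the same, which is why an anomaly detection alarm needs enough history covering every season (here, every hour of the day) before its band is meaningful.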


Example: Alerting on API Activity


When using Amazon EventBridge Rules, you must build an event pattern. Events that match the pattern for your
rule will be sent to a target. You can use targets such as the EventBridge event bus, EventBridge API
destinations, including SaaS partners such as Salesforce, or another AWS service.

In the example on the slide, matching events activate the EventBridge rule, which then targets Amazon Simple
Notification Service (Amazon SNS) to notify one or more people by the means you choose.

For more information about alerting with Amazon EventBridge, see
https://docs.aws.amazon.com/eventbridge/latest/userguide/eb-targets.html
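Building the event pattern is the part of an EventBridge rule that decides what reaches the target, so it pays to test patterns against sample events. The Python below is an added example for this guide, not EventBridge's matcher: it implements the subset of pattern semantics most security rules use (exact values, `prefix`, `anything-but`, `numeric` comparisons, `exists`, and nested objects) and applies two constructed rules, one for successful sensitive CloudTrail and KMS API calls and one for GuardDuty findings of severity 7 or more, to constructed events. The rule names and events are constructed; the example goes beyond the slide by covering both API-activity and GuardDuty-finding events.

```python
import operator

NUMERIC_OPS = {"<": operator.lt, "<=": operator.le, "=": operator.eq,
               ">": operator.gt, ">=": operator.ge}

def _value_matches(rule, value):
    """One pattern alternative against one scalar from the event."""
    if not isinstance(rule, dict):
        return value == rule                       # exact match
    if "prefix" in rule:
        return isinstance(value, str) and value.startswith(rule["prefix"])
    if "anything-but" in rule:
        excluded = rule["anything-but"]
        return value not in (excluded if isinstance(excluded, list) else [excluded])
    if "numeric" in rule:                          # e.g. [">=", 7] or [">", 0, "<=", 10]
        if isinstance(value, bool) or not isinstance(value, (int, float)):
            return False
        ops = rule["numeric"]
        return all(NUMERIC_OPS[op](value, bound) for op, bound in zip(ops[0::2], ops[1::2]))
    raise ValueError(f"unsupported content filter: {rule}")

def _field_matches(alternatives, present, value):
    """A field matches when any listed alternative matches; an event array matches
    if any element does. {"exists": bool} tests presence rather than value."""
    candidates = value if isinstance(value, list) else [value]
    for rule in alternatives:
        if isinstance(rule, dict) and "exists" in rule:
            if rule["exists"] == present:
                return True
            continue
        if present and any(_value_matches(rule, v) for v in candidates):
            return True
    return False

def matches(pattern, event):
    """True when every key in the pattern is satisfied by the event."""
    for key, spec in pattern.items():
        present = isinstance(event, dict) and key in event
        value = event[key] if present else None
        if isinstance(spec, dict):                 # nested object pattern
            if not present or not matches(spec, value):
                return False
        elif not _field_matches(spec, present, value):
            return False
    return True

# Constructed rule: sensitive CloudTrail/KMS API calls that succeeded (no errorCode).
API_ACTIVITY_PATTERN = {
    "source": [{"prefix": "aws."}],
    "detail-type": ["AWS API Call via CloudTrail"],
    "detail": {
        "eventSource": ["cloudtrail.amazonaws.com", "kms.amazonaws.com"],
        "eventName": ["StopLogging", "DeleteTrail", "UpdateTrail", "DisableKey", "ScheduleKeyDeletion"],
        "errorCode": [{"exists": False}],
    },
}
# Constructed rule: GuardDuty findings of severity 7 or above.
HIGH_SEVERITY_FINDING_PATTERN = {
    "source": ["aws.guardduty"],
    "detail-type": ["GuardDuty Finding"],
    "detail": {"severity": [{"numeric": [">=", 7]}]},
}

# Constructed events in the EventBridge envelope shape.
SAMPLE_EVENTS = {
    "stop_logging_ok": {"source": "aws.cloudtrail", "detail-type": "AWS API Call via CloudTrail",
                        "detail": {"eventSource": "cloudtrail.amazonaws.com", "eventName": "StopLogging"}},
    "stop_logging_denied": {"source": "aws.cloudtrail", "detail-type": "AWS API Call via CloudTrail",
                            "detail": {"eventSource": "cloudtrail.amazonaws.com", "eventName": "StopLogging",
                                       "errorCode": "AccessDenied"}},
    "describe_trails": {"source": "aws.cloudtrail", "detail-type": "AWS API Call via CloudTrail",
                        "detail": {"eventSource": "cloudtrail.amazonaws.com", "eventName": "DescribeTrails"}},
    "finding_high": {"source": "aws.guardduty", "detail-type": "GuardDuty Finding",
                     "detail": {"severity": 8, "type": "UnauthorizedAccess:EC2/SSHBruteForce"}},
    "finding_low": {"source": "aws.guardduty", "detail-type": "GuardDuty Finding",
                    "detail": {"severity": 2, "type": "Recon:EC2/PortProbeUnprotectedPort"}},
}

def route(events):
    """Event name -> the constructed rules that would forward it to their target."""
    rules = [("sensitive-api-call", API_ACTIVITY_PATTERN),
             ("high-severity-finding", HIGH_SEVERITY_FINDING_PATTERN)]
    return {name: [rule for rule, pattern in rules if matches(pattern, event)]
            for name, event in events.items()}

if __name__ == "__main__":
    for name, hit in route(SAMPLE_EVENTS).items():
        print(f"{name}: {hit or 'no rule'}")
```

Note the `errorCode` exists-false clause: a denied StopLogging call is worth a separate, lower-priority rule, but routing it to the same SNS topic as a successful one is a common source of the alarm fatigue discussed earlier.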


Enhancing monitoring and alerting
Section 4 of 5

Monitoring of your resources can be greatly enhanced by integrating other AWS services. This section will look
at Amazon GuardDuty and AWS Security Hub, and how they can provide even more insight into your
environments’ security.


Threat detection: Amazon GuardDuty

• One-click activation and continuous monitoring without architectural or performance impact
• Instant On provides findings in minutes
• No agents, no sensors, no network appliances to install
• Manage multiple accounts, with or without AWS Organizations
• Built-in anomaly detection with machine learning
• Malware protection identifies resources compromised by malware, or those at risk
• Partner integrations for additional protections

Logs are also a useful source of information for automated threat detection. GuardDuty is a managed,
continuous security monitoring service that analyzes and processes events from several sources, such as VPC
Flow Logs, CloudTrail management event logs, CloudTrail Amazon S3 data event logs, and DNS logs. It uses
threat intelligence feeds, such as lists of malicious IP addresses and domains, and machine learning to identify
unexpected and potentially unauthorized and malicious activity within your AWS environment. You can use
Amazon GuardDuty across multiple Regions and manage multiple accounts with a GuardDuty delegated
administrator. When using AWS Organizations and Amazon GuardDuty, you can also enable Amazon GuardDuty
for any new accounts joined to the organization.

GuardDuty also provides Malware Protection. With this feature enabled, whenever GuardDuty detects
suspicious behavior on an Amazon EC2 instance or a container workload, GuardDuty Malware Protection
automatically initiates an agentless scan on the Amazon Elastic Block Store (EBS) volumes attached to the
impacted EC2 instance or container workload to detect the presence of malware. GuardDuty is a passive
service; however, it can be used in a multi-service workflow to initiate remediation through Lambda or other
AWS services and features.


GuardDuty – Detecting an event


Data sources: To detect unauthorized and unexpected activity in your AWS environment, GuardDuty analyzes
and processes data from sources such as VPC Flow Logs, DNS logs, AWS CloudTrail logs, Amazon S3 events,
Amazon EKS audit logs, and RDS Protection for Amazon Aurora databases. Additionally, GuardDuty uses these
data sources to detect anomalies involving the following AWS resource types: IAM access keys, EC2 instances,
S3 buckets, and Amazon Elastic Kubernetes Service (Amazon EKS) resources. While in transit from these data
sources to GuardDuty, all the log data is encrypted. GuardDuty extracts various fields from these logs for
profiling and anomaly detection, and then discards the logs.

Findings: When a potential threat is detected, GuardDuty delivers a detailed security finding to the GuardDuty
console and EventBridge Events. This makes alerts more actionable and more easily integrated into existing
event management or workflow systems. The findings include the category, resource affected, and metadata
associated with the resource, such as the severity level.


GuardDuty: Findings


When GuardDuty detects suspicious or unexpected behavior, it generates a finding. A finding is a notification
that contains the details about a potential security issue that GuardDuty discovers. One very useful piece of
information in the finding details is a finding type. The purpose of the finding type is to provide a concise yet
readable description of the potential security issue.

For example, the GuardDuty UnauthorizedAccess:EC2/SSHBruteForce finding type quickly informs you that
somewhere in your AWS environment, an EC2 instance has been targeted by an attacker trying to gain access.
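Because the finding type follows a fixed layout (ThreatPurpose:ResourceTypeAffected/ThreatFamilyName, optionally followed by .DetectionMechanism and !Artifact), it can be parsed for triage rather than matched by hand. The Python below is an added example for this guide, not GuardDuty code: it splits a finding type into its named parts and applies a constructed queue-assignment policy by threat purpose. The queue names and the purpose-to-queue mapping are assumptions of the example; the finding types used are real GuardDuty type names.

```python
import re

# Documented layout: ThreatPurpose:ResourceTypeAffected/ThreatFamilyName.DetectionMechanism!Artifact
# (the last two parts are optional).
FINDING_TYPE_RE = re.compile(
    r"^(?P<threat_purpose>[A-Za-z]+):(?P<resource_type>[A-Za-z0-9]+)/"
    r"(?P<threat_family>[A-Za-z0-9&]+)(?:\.(?P<detection_mechanism>[A-Za-z0-9]+))?"
    r"(?:!(?P<artifact>[A-Za-z0-9]+))?$")

# Constructed triage policy for the example: which queue handles each threat purpose.
QUEUE_BY_PURPOSE = {
    "Backdoor": "contain-now", "Trojan": "contain-now", "CryptoCurrency": "contain-now",
    "UnauthorizedAccess": "contain-now",
    "Recon": "review", "Discovery": "review", "Policy": "review",
}

def parse_finding_type(finding_type):
    """Return the named parts of a finding type; absent optional parts are None."""
    m = FINDING_TYPE_RE.match(finding_type)
    if not m:
        raise ValueError(f"not a GuardDuty finding type: {finding_type!r}")
    return m.groupdict()

def triage(finding_type):
    """Return (queue, summary) for a finding type; unknown purposes go to 'review'."""
    parts = parse_finding_type(finding_type)
    queue = QUEUE_BY_PURPOSE.get(parts["threat_purpose"], "review")
    summary = f"{parts['threat_purpose']} against {parts['resource_type']} ({parts['threat_family']}"
    if parts["detection_mechanism"]:
        summary += f", variant {parts['detection_mechanism']}"
    if parts["artifact"]:
        summary += f", artifact {parts['artifact']}"
    return queue, summary + ")"

if __name__ == "__main__":
    for ft in ("UnauthorizedAccess:EC2/SSHBruteForce", "Backdoor:EC2/C&CActivity.B!DNS",
               "Recon:EC2/PortProbeUnprotectedPort"):
        print(ft, "->", triage(ft))
```

Parsing the type rather than string-matching whole names keeps the triage rule stable when GuardDuty adds new threat families under an existing purpose.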


Manage and remediate: AWS Security Hub

• Managed AWS service
• Consolidates and aggregates findings.
• Provides checks against a number of security standards.
• Provides customizable insights about findings.
• Integrates with ticketing, chat, incident management, investigation, GRC, SOAR, and SIEM tools.

Security Hub is a fully managed AWS service offering that is turned on within a Region, and aggregates findings
across all of your accounts within minutes. With Security Hub, you can centrally manage security and
compliance findings in one location, reducing the time spent wrangling data from different locations within the
AWS Management Console.

Security Hub provides automated security checks for a number of standards. It also integrates with various
ticketing, chat, incident management, threat investigation, Governance Risk and Compliance (GRC), Security
Orchestration Automation and Response (SOAR), and Security Information and Event Management (SIEM)
tools. These integrated tools can automatically receive findings from Security Hub. In addition to the default
insights that are provided by AWS and AWS Partners, you can also create your own insights to track issues that
are unique to your environment. This benefit provides you with a certain level of customization that can come
in handy when dealing with company security requirements and regulations. Let’s take a closer look at some of
these features through Security Hub’s pre-built dashboard views.


Security checks

Security Hub provides automated security checks for the following standards:
• Center for Internet Security or CIS AWS Foundations
• Payment Card Industry Data Security Standard or PCI DSS
• AWS Foundational Security Best Practices

Security Hub provides automated security checks for the following standards: Center for Internet Security or CIS
AWS Foundations, Payment Card Industry Data Security Standard or PCI DSS, and AWS Foundational Security
Best Practices. To run security checks on your environment's resources, AWS Security Hub either uses steps
specified by the standard, or uses specific AWS Config rules. Some rules are managed rules, which are managed
by AWS Config. Other rules are custom rules that Security Hub develops.

AWS Config rules that Security Hub uses for controls are referred to as service-linked rules, because they are
enabled and controlled by the Security Hub service.
To enable checks against these AWS Config rules, every account that has Security Hub enabled must first enable
AWS Config, and enable resource recording for all resources.

For every control that uses an AWS Config service-linked rule, Security Hub creates instances of the required
rules in your AWS environment. These service-linked rules are specific to Security Hub. It creates these
service-linked rules even if other instances of the same rules already exist. The service-linked rule adds
"securityhub" before the original rule name, and a unique identifier after the rule name.

AWS Config has a quota for the number of managed rules per account per Region. The service-linked AWS
Config rules that Security Hub creates do not count towards that quota. You can enable a security standard even
if you have already reached the AWS Config limit for managed rules in your account.


Security Hub Insights


An AWS Security Hub insight is a collection of related findings. It identifies a security area that requires attention
and intervention. For example, an insight might point out EC2 instances that are the subject of findings that
detect poor security practices. An insight brings together findings from across finding providers. Security Hub
offers several built-in managed insights. You cannot modify or delete managed insights, but you can create your
own custom insights.

Note: An insight only returns results if you have enabled integrations or standards that produce matching
findings. For example, the managed insight 29. Top resources by counts of failed CIS checks only returns results
if you enable the CIS AWS Foundations standard.


Remediation with Security Hub

Manual remediation
• Slower than automatic remediation, but notifications can help expedite response.
• Should be used to test new automatic remediations before they are put into a production environment.

Automatic remediation
• Prevents impact radius from growing.
• You can write simple rules to indicate events you are interested in and specify automated actions for
  when an event matches a rule.

Security Hub integrates with EventBridge, helping you create custom response and remediation workflows.
Response and remediation actions can be fully automated, or they can be initiated manually in the console. You
can also use Systems Manager Automation documents, AWS Step Functions, and Lambda functions to build
automated remediation workflows that can be initiated from Security Hub.

Even for low-impact workloads, automatic remediation should be thoroughly tested before being deployed
into a production environment. Iterating and evolving automatic remediation is key to ensuring these
activities do not impact production environments.


Auto remediation example


An example of a safe and good use for auto remediation is CloudTrail logging. It is a best practice to have
CloudTrail logging turned on. If it is turned off, whether accidentally or maliciously, an auto remediation task
could be set up to turn CloudTrail logging back on. With CloudTrail logging back on, it can automatically resolve
the finding in the Security Hub workflow status and send an Amazon SNS message to the security team to let
them know it was remediated.

1. Integrated services send their findings to Security Hub.
2. From the Security Hub console, you choose a custom action for a finding. Each custom action is then
emitted as a CloudWatch Event.
3. The CloudWatch Event rule initiates a Lambda function. This function is mapped to a custom action based
on the custom action’s Amazon Resource Name (ARN).
4. Depending on the rule, the Lambda function that is invoked will perform a remediation action on your
behalf.

Read more about how to implement this auto remediation from the AWS security blog Automated Response
and Remediation with AWS Security Hub at
https://aws.amazon.com/blogs/security/automated-response-and-remediation-with-aws-security-hub/.
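The four steps above end in a Lambda function; the Python below is an added example of that function's logic written for this guide, not the code from the blog post or from AWS. It takes a Security Hub custom-action event, finds the trail resources in each finding, re-enables logging only where it is actually off (so the action is safe to re-run), marks the finding RESOLVED through batch_update_findings, and publishes a notification. The AWS clients are injected and replaced here by in-memory stand-ins that record their calls, so the handler runs offline; in Lambda you would pass `boto3.client("cloudtrail")`, `boto3.client("securityhub")` and `boto3.client("sns")` instead. The account id, trail ARN, topic ARN and finding ids are constructed.

```python
import json

TRAIL_ARN = "arn:aws:cloudtrail:us-east-1:123456789012:trail/org-trail"   # constructed
TOPIC_ARN = "arn:aws:sns:us-east-1:123456789012:security-team"             # constructed

class FakeCloudTrail:
    """Stand-in for a boto3 CloudTrail client; records calls instead of making them."""
    def __init__(self, is_logging):
        self.is_logging, self.calls = dict(is_logging), []
    def get_trail_status(self, Name):
        return {"IsLogging": self.is_logging[Name]}
    def start_logging(self, Name):
        self.calls.append(("start_logging", Name))
        self.is_logging[Name] = True
        return {}

class FakeSecurityHub:
    def __init__(self):
        self.updates = []
    def batch_update_findings(self, FindingIdentifiers, Workflow, Note=None):
        self.updates.append((FindingIdentifiers, Workflow["Status"]))
        return {"ProcessedFindings": FindingIdentifiers, "UnprocessedFindings": []}

class FakeSns:
    def __init__(self):
        self.messages = []
    def publish(self, TopicArn, Subject, Message):
        self.messages.append((TopicArn, Subject, Message))
        return {"MessageId": "constructed-id"}

def remediate_cloudtrail_findings(event, cloudtrail, securityhub, sns, topic_arn):
    """Handler body: for each finding in a Security Hub custom-action event, make sure
    the affected trail is logging, mark the finding RESOLVED and notify the team.
    Returns (finding id, outcome) pairs so the result can be checked and logged."""
    if event.get("detail-type") != "Security Hub Findings - Custom Action":
        return [("-", "ignored: not a Security Hub custom action")]
    outcomes = []
    for finding in event.get("detail", {}).get("findings", []):
        trails = [r["Id"] for r in finding.get("Resources", [])
                  if r.get("Type") == "AwsCloudTrailTrail"]
        if not trails:
            outcomes.append((finding["Id"], "skipped: no CloudTrail trail resource"))
            continue
        restarted = []
        for trail in trails:
            if not cloudtrail.get_trail_status(Name=trail)["IsLogging"]:   # idempotent
                cloudtrail.start_logging(Name=trail)
                restarted.append(trail)
        securityhub.batch_update_findings(
            FindingIdentifiers=[{"Id": finding["Id"], "ProductArn": finding["ProductArn"]}],
            Workflow={"Status": "RESOLVED"},
            Note={"Text": "Logging confirmed on by auto-remediation", "UpdatedBy": "cloudtrail-remediation"})
        sns.publish(TopicArn=topic_arn, Subject="CloudTrail logging restored",
                    Message=json.dumps({"finding": finding["Id"], "restarted": restarted}))
        outcomes.append((finding["Id"], "resolved"))
    return outcomes

# Constructed custom-action event with one trail finding and one unrelated finding.
SAMPLE_EVENT = {
    "source": "aws.securityhub",
    "detail-type": "Security Hub Findings - Custom Action",
    "detail": {
        "actionName": "Re-enable CloudTrail",
        "findings": [
            {"Id": "finding-1", "ProductArn": "arn:aws:securityhub:us-east-1::product/aws/securityhub",
             "Resources": [{"Type": "AwsCloudTrailTrail", "Id": TRAIL_ARN}], "Workflow": {"Status": "NEW"}},
            {"Id": "finding-2", "ProductArn": "arn:aws:securityhub:us-east-1::product/aws/securityhub",
             "Resources": [{"Type": "AwsS3Bucket", "Id": "arn:aws:s3:::some-bucket"}],
             "Workflow": {"Status": "NEW"}},
        ],
    },
}

def run_demo():
    """Run the handler against the sample event with the trail initially not logging."""
    cloudtrail = FakeCloudTrail({TRAIL_ARN: False})
    securityhub, sns = FakeSecurityHub(), FakeSns()
    outcomes = remediate_cloudtrail_findings(SAMPLE_EVENT, cloudtrail, securityhub, sns, TOPIC_ARN)
    return outcomes, cloudtrail.calls, securityhub.updates, sns.messages

if __name__ == "__main__":
    print(run_demo())
```

Injecting the clients is what makes the "test before production" advice from the previous topic practical: the same handler runs under unit tests with the stand-ins and under Lambda with real clients, and the function's execution role only needs cloudtrail:GetTrailStatus, cloudtrail:StartLogging, securityhub:BatchUpdateFindings and sns:Publish on the specific resources.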


Auditing your AWS environment
Section 5 of 5

Once you have implemented controls, you must regularly audit your environment to accurately assess risk and
compliance with regulations and industry standards. In many regulated industries, you will be subject to audits
from external parties. In this section, you will explore AWS Audit Manager and how it is used to automate
evidence collection. This reduces the manual effort that often happens in preparation for audits. With Audit
Manager, it is easy to assess if your policies, procedures, and controls are operating effectively.


AWS Audit Manager

AWS Audit Manager provides an automated and continuous process for the following:
• Collects evidence of security controls
• Assesses whether controls are operating effectively
• Provides assessment reports to streamline audit preparation

AWS Audit Manager is an AWS managed service. Using this service, you can establish a framework of choice and
set up an automated and continuous process to review and collect data based on this framework. These
assessments help you to assess whether your controls are operating effectively. Because the process is
automated, it streamlines risk assessments and compliance with regulations and industry standards and helps
you maintain a continuous, audit-ready posture across your compute resources.

Remember: The evidence that is collected through Audit Manager might not include all of the information
about your AWS usage that is needed for an audit performed by an enforcing entity. Audit Manager is a valuable
resource, but it is NOT a substitute for legal counsel or compliance experts.


Choose or create a framework

• Many standard frameworks are available specific to industry, location-based regulatory guidance, and international standards.
• Create custom frameworks to address your security requirements.
• Use existing controls to define your framework, or create your own in the Control library.

You can choose a standard framework after browsing the Framework library, or create and maintain your own
custom frameworks. You can create new frameworks from scratch, or customize and modify an existing
framework per your needs.

The Control library is another area to consider, especially if you are creating your own custom frameworks. This
is the central place for browsing standard controls provided by AWS and managing your custom controls. You
can create new custom controls from scratch, or customize standard controls by specifying which data to collect
as evidence from your data sources.


Explore framework controls

• Controls are categorized as standard or custom.
• Data source is the service or artifact from which the evidence is derived.

Each framework has several controls assigned. For each control, note the following:
• Controls are categorized by type and data source.
• Data source is the service or artifact from which the evidence is derived.


Define audit scope

Select the following items to help define the audit scope:
• Accounts
• Services
• Audit owners

Audit owners drive the audit preparation across your organization and have full permission to manage the
assessment they are assigned to. Define the audit scope by selecting the following:
• Accounts in scope
• Services in scope
• Audit owners


Gather evidence (Evidence Finder)

• Evidence is automatically collected and stored in folders with a default name of the date it was collected.
• Evidence finder is a query-based feature that you can enable to help expedite your search.
• You can also manually upload evidence (this is required by some control types).

Evidence finder provides a powerful way to search for evidence. Instead of browsing deeply nested evidence
folders, you can quickly query your evidence to find what you need. You can use filters and groupings to control
the scope of your search query. Apply broad filters to check on your overall system health, or narrow your filters
to target specific evidence. Then, choose how you want to group the results. When you’re done, generate an
assessment report with details about the evidence.


Evidence summary

• The summary section provides a high-level overview of the items in the evidence folder.

The summary section provides a high-level overview of the items in the evidence folder. This includes the
following:
• The date that the folder was created or the evidence was collected.
• The name of the control associated with the evidence folder
• The number of evidence items that were manually selected for inclusion in the assessment report
• The total number of evidence items in the evidence folder
• The total number of AWS resources that were assessed when generating the evidence in this folder
• The number of evidence items that fall under the user activity category; this evidence is collected from AWS
CloudTrail logs
• The number of evidence items that fall under the configuration data category; this evidence is collected
from configuration snapshots of other AWS services such as Amazon EC2, Amazon S3, or IAM
• The number of evidence items that fall under the manual category; this evidence is uploaded manually
• The number of evidence items that fall under the compliance check category; this evidence is collected from
AWS Config or AWS Security Hub
• The total number of issues that were reported directly from AWS Security Hub, AWS Config, or both


Compile a report

• After you select the evidence to include in your assessment report, you can generate the final assessment report to share with auditors.
• When you generate an assessment report, it is placed into the S3 bucket that you designated as your assessment report destination.

For more information about generating a report, see the Audit Manager User Guide at
https://docs.aws.amazon.com/audit-manager/latest/userguide/generate-assessment-report.html.

The controls offered by Audit Manager through the prebuilt frameworks do not guarantee that you will pass an
assessment associated with that framework. Instead, they help reduce effort and time in your assessment
preparation and review. In addition to Audit Manager, AWS Artifact should be used to help gather supplemental
evidence to assist in the assessment preparation and review.


Knowledge check 1

Which services can VPC Flow Logs records be published to?

Choice  Response
A       The two destinations that VPC Flow logs can be published to are Amazon S3 and Amazon CloudWatch Logs.
B       VPC Flow logs are not published to Amazon RDS.
C       VPC Flow logs are not published to Amazon DynamoDB.
D       VPC Flow logs are not published to AWS CloudTrail.


Knowledge check 1 answer

Which services can VPC Flow Logs records be published to?

The correct response is A.

A. (Correct) The two destinations that VPC Flow logs can be published to are Amazon S3 and Amazon CloudWatch Logs.
B. (Incorrect) VPC Flow logs are not published to Amazon RDS.
C. (Incorrect) VPC Flow logs are not published to Amazon DynamoDB.
D. (Incorrect) VPC Flow logs are not published to AWS CloudTrail.


Knowledge check 2

AWS CloudTrail log file integrity validation is invaluable in security and forensic investigations. Which industry standard algorithm is used for validation hashing?

Choice  Response
A       MD5 is a deprecated hashing algorithm.
B       SHA-256 is the industry standard algorithm used for validation hashing.
C       AES-256 is a symmetric encryption algorithm, not a hashing algorithm.
D       DES is a deprecated symmetric encryption algorithm, not a hashing algorithm.


Knowledge check 2 answer

AWS CloudTrail log file integrity validation is invaluable in security and forensic investigations. Which
industry standard algorithm is used for validation hashing?

The correct response is B.

A. (Incorrect) MD5 is a deprecated hashing algorithm.
B. (Correct) SHA-256 is the industry standard algorithm used for validation hashing.
C. (Incorrect) AES-256 is a symmetric encryption algorithm, not a hashing algorithm.
D. (Incorrect) DES is a deprecated symmetric encryption algorithm, not a hashing algorithm.
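Knowledge check 2 states that CloudTrail log file integrity validation hashes with SHA-256. The Python below is an added example, not part of this course and not AWS's validation tooling, of what a defender's own validation does with those hashes: recompute the SHA-256 of each delivered log file and compare it with the hashValue recorded in the digest file, and check the link a digest keeps to its predecessor through previousDigestHashValue, so that a deleted or edited log file or earlier digest is detected. The digest record, the log object and its key, the bucket name and the account ID are constructed for the example, and hashing the stored object bytes is an assumption of the example. Real digest files are additionally signed (SHA256withRSA) with a CloudTrail public key; that signature check is not shown here.

```python
import gzip
import hashlib
import hmac
import json
from typing import Dict

# --- Constructed sample data (not real CloudTrail output) -------------------
# One gzipped log file as it would be stored in S3, plus the raw bytes of the
# previous digest file. Account ID, bucket and key names are placeholders.
LOG_KEY = "AWSLogs/111122223333/CloudTrail/us-east-1/2023/03/01/sample-1.json.gz"
LOG_GZ = gzip.compress(json.dumps({"Records": [{
    "eventVersion": "1.08",
    "eventTime": "2023-03-01T10:00:00Z",
    "eventSource": "signin.amazonaws.com",
    "eventName": "ConsoleLogin",
}]}).encode())
PREVIOUS_DIGEST_BYTES = b'{"awsAccountId": "111122223333", "logFiles": []}'


def sha256_hex(data: bytes) -> str:
    """Hex-encoded SHA-256 over the raw object bytes (the encoding the digest
    file's hashValue fields use; hashing the stored bytes is an assumption here)."""
    return hashlib.sha256(data).hexdigest()


# Digest record shaped like a CloudTrail digest file (logFiles[].hashValue,
# previousDigestHashValue). The hashes are derived from the sample bytes above
# so the happy path is honest; every other value is made up for the example.
DIGEST = {
    "awsAccountId": "111122223333",
    "digestSignatureAlgorithm": "SHA256withRSA",   # signature check not shown here
    "previousDigestHashAlgorithm": "SHA-256",
    "previousDigestHashValue": sha256_hex(PREVIOUS_DIGEST_BYTES),
    "logFiles": [{
        "s3Bucket": "example-trail-bucket",
        "s3Object": LOG_KEY,
        "hashAlgorithm": "SHA-256",
        "hashValue": sha256_hex(LOG_GZ),
    }],
}


def verify_log_files(digest: dict, delivered: Dict[str, bytes]) -> Dict[str, str]:
    """Recompute each referenced log file's SHA-256 and compare it to the digest.

    `delivered` maps S3 object key -> bytes fetched from the bucket. Returns one
    status per key: OK, HASH_MISMATCH (edited), MISSING (deleted or never
    fetched) or UNSUPPORTED_ALGORITHM (digest names something other than SHA-256).
    """
    results: Dict[str, str] = {}
    for entry in digest["logFiles"]:
        key = entry["s3Object"]
        if entry.get("hashAlgorithm") != "SHA-256":
            results[key] = "UNSUPPORTED_ALGORITHM"
            continue
        data = delivered.get(key)
        if data is None:
            results[key] = "MISSING"
            continue
        # compare_digest is the idiomatic way to compare hash strings.
        same = hmac.compare_digest(sha256_hex(data), entry["hashValue"])
        results[key] = "OK" if same else "HASH_MISMATCH"
    return results


def verify_chain(digest: dict, previous_digest_bytes: bytes) -> bool:
    """Check the link to the previous digest: this digest records the SHA-256 of
    the previous digest file, so deleting or editing an earlier digest breaks it."""
    if digest.get("previousDigestHashAlgorithm") != "SHA-256":
        return False
    return hmac.compare_digest(sha256_hex(previous_digest_bytes),
                               digest["previousDigestHashValue"])


if __name__ == "__main__":
    print(verify_log_files(DIGEST, {LOG_KEY: LOG_GZ}))                 # OK
    tampered = LOG_GZ[:-1] + bytes([LOG_GZ[-1] ^ 0x01])                 # flip one bit
    print(verify_log_files(DIGEST, {LOG_KEY: tampered}))               # HASH_MISMATCH
    print(verify_chain(DIGEST, PREVIOUS_DIGEST_BYTES))                  # True
```

Flipping a single bit of the stored log file is enough to change its SHA-256, which is why a per-file hash plus the digest-to-digest chain gives an investigator confidence that the log set is complete and unmodified since delivery.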


Module summary

Remember…
• Use service and application logging.
  • AWS CloudTrail
  • VPC Flow Logs
• Automate response to events as much as possible.
• Some key services and features include the following:
  • CloudWatch Alarms
  • Amazon GuardDuty
  • Security Hub
  • AWS Audit Manager


Lab 3: Security Monitoring
Lab duration: 45 minutes

By the end of this lab, you will be able to do the following:
• Configure an Amazon Linux 2 instance to send log files to Amazon CloudWatch
• Create Amazon CloudWatch alarms and notifications to monitor for failed login attempts
• Create Amazon CloudWatch alarms to monitor network traffic through a Network Address Translation (NAT) gateway

Overview
As a security engineer at AnyCompany, you are responsible for monitoring the company network and Amazon
Elastic Compute Cloud (Amazon EC2) instances for abnormal activity.

In this lab, you configure an Amazon Linux 2 instance to send log files to Amazon CloudWatch. You then create
Amazon CloudWatch alarms and notifications to alert you to a specified number of login failures on your EC2
instances. Finally, you create a CloudWatch alarm and notification to monitor outgoing traffic through a NAT
gateway.

Objectives
By the end of this lab, you will be able to do the following:
• Configure an Amazon Linux 2 instance to send log files to Amazon CloudWatch
• Create Amazon CloudWatch alarms and notifications to monitor for failed login attempts
• Create Amazon CloudWatch alarms to monitor network traffic through a NAT gateway

Duration
This lab requires approximately 45 minutes to complete.
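The lab's second objective, alerting on a specified number of login failures, amounts to a metric filter over the instance's sshd log plus an alarm on the count per period. The Python below is an added example, not part of the lab or the course materials, that does the same computation offline on constructed log lines: it parses "Failed password" events from /var/log/secure-style lines, sums them per fixed period as the alarm's Sum statistic would, reports the periods that reach the threshold, and adds the per-source breakdown a responder wants when the alarm fires. The log lines, host names, user names, addresses, the 5-minute period and the threshold of 3 are all constructed assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta
from typing import Dict, List, Tuple

# Constructed sshd lines in the /var/log/secure format of Amazon Linux 2. Host
# names, users and addresses are made up; the syslog timestamp has no year.
SAMPLE_SECURE_LOG = """\
Mar  1 10:00:01 ip-10-0-1-10 sshd[2201]: Failed password for invalid user admin from 198.51.100.7 port 51022 ssh2
Mar  1 10:00:03 ip-10-0-1-10 sshd[2201]: Failed password for invalid user admin from 198.51.100.7 port 51024 ssh2
Mar  1 10:00:04 ip-10-0-1-10 sshd[2205]: Accepted publickey for ec2-user from 203.0.113.5 port 40110 ssh2
Mar  1 10:00:06 ip-10-0-1-10 sshd[2209]: Failed password for ec2-user from 198.51.100.7 port 51030 ssh2
Mar  1 10:00:09 ip-10-0-1-10 sshd[2213]: Failed password for root from 198.51.100.7 port 51031 ssh2
Mar  1 10:09:30 ip-10-0-1-10 sshd[2290]: Failed password for ec2-user from 192.0.2.44 port 60001 ssh2
"""

# Offline equivalent of a CloudWatch Logs metric filter on the term "Failed password",
# with the user and source address captured for triage.
FAILED_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d{2}:\d{2}:\d{2}) \S+ sshd\[\d+\]: "
    r"Failed password for (?:invalid user )?(?P<user>\S+) from (?P<ip>\S+) port \d+"
)
EPOCH = datetime(1970, 1, 1)


def parse_failed_logins(lines, year: int = 2023) -> List[Tuple[datetime, str, str]]:
    """Return (timestamp, user, source_ip) for every failed-password line.
    `year` is supplied because the syslog timestamp omits it (assumption: 2023)."""
    events = []
    for line in lines:
        m = FAILED_RE.match(line)
        if not m:
            continue
        ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
        events.append((ts, m["user"], m["ip"]))
    return events


def count_per_period(events, period: timedelta = timedelta(minutes=5)) -> Dict[datetime, int]:
    """Sum failures into fixed periods, as the alarm's Sum statistic over the metric would."""
    counts: Dict[datetime, int] = defaultdict(int)
    step = period.total_seconds()
    for ts, _, _ in events:
        offset = (ts - EPOCH).total_seconds()
        counts[EPOCH + timedelta(seconds=(offset // step) * step)] += 1
    return dict(counts)


def alarm_periods(counts: Dict[datetime, int], threshold: int = 3) -> List[datetime]:
    """Period starts whose failure count reaches the alarm threshold."""
    return sorted(start for start, n in counts.items() if n >= threshold)


def failures_by_source(events) -> Dict[str, int]:
    """Per-source breakdown used when triaging a fired alarm."""
    counts: Dict[str, int] = defaultdict(int)
    for _, _, ip in events:
        counts[ip] += 1
    return dict(counts)


if __name__ == "__main__":
    evts = parse_failed_logins(SAMPLE_SECURE_LOG.splitlines())
    per_period = count_per_period(evts)
    for start in alarm_periods(per_period):
        print(f"ALARM: {per_period[start]} failed logins in the 5 minutes from {start:%H:%M}")
    print(failures_by_source(evts))
```

On the sample, four failures land in the 10:00 period and trigger the alarm while the lone failure at 10:09 does not; the per-source view shows that all four came from one address, which is the detail a CloudWatch alarm notification alone does not carry and that the lab's log shipping to CloudWatch makes available for follow-up.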


Lab Architecture

[Diagram: lab environment architecture, described in the environment overview that follows]

Environment overview
The diagram shows the basic architecture of the lab environment.

The following list details the major resources in the diagram:

• A VPC with one public subnet and two private subnets in one Availability Zone, and one public subnet in a second Availability Zone.
• A Network Load Balancer with two nodes, one in each public subnet.
• An EC2 instance acting as a web server in the first private subnet.
• An EC2 instance acting as a database server in the second private subnet.
• Two security groups, one for each instance based on its purpose.

The network traffic flows from an external user, through an internet gateway to one of the two Network Load
Balancer nodes, to the web server. If the URL of the WordPress blog site running on the web server is
requested, traffic flows to the database server as well.


Course conclusion
AWS Partner: AWS Security Best Practices (Technical)


Course objective review

Congratulations on completing this course! You have successfully learned and applied your skills to meet the following objectives:
• Design and implement a secure network infrastructure.
• Design and implement compute security.
• Design and implement a logging solution.


Next steps: AWS Security Engineering

• Protect your infrastructure against common security threats
• Protect data at rest and in transit with encryption
• Apply security assessments in an automated and reproducible manner
• Configure authentication for resources and applications in the AWS Cloud
• Gain insight into events by monitoring and analyzing logs

AWS Security Engineering is a 3-day course that you can take to further your knowledge about securing the AWS
Cloud. Security Engineering on AWS demonstrates how to efficiently use AWS security services to stay secure in
the AWS Cloud. The course focuses on implementing security practices to enhance the security of your data and
systems in the cloud.
For more information, see https://aws.amazon.com/training/classroom/security-engineering-on-aws/.


Continue your learning
Module 15: Course summary


AWS Certification levels

• Foundational – Knowledge-based certification for foundational understanding of AWS Cloud. No prior experience necessary.
• Associate – Role-based certifications that showcase your knowledge and skills and build your credibility as an AWS Cloud professional. Prior AWS Cloud or strong on-premises IT experience recommended.
• Professional – Role-based certifications that validate advanced skills and knowledge. At least two years of AWS Cloud experience recommended.
• Specialty – Certifications focused on specific topics. Recommended level of experience varies.

AWS Certification helps learners to build credibility and confidence by validating their cloud expertise with an
industry-recognized credential. Certification helps organizations to identify skilled professionals who can lead
cloud initiatives by using Amazon Web Services (AWS).

The slide shows the AWS certifications that are currently available. To earn an AWS certification, you must earn
a passing score on a proctored exam. Each certification level for role-based certifications provides a
recommended experience level with AWS Cloud services as follows:
• Professional – Two years of comprehensive experience designing, operating, and troubleshooting solutions
by using the AWS Cloud
• Associate – One year of experience solving problems and implementing solutions by using the AWS Cloud
• Foundational – Six months of fundamental AWS Cloud and industry knowledge

Specialty certifications focus on a particular technical domain. The recommended experience for taking a
specialty exam is technical experience in the domain as specified in the exam guide.

AWS does not publish a list of all services or features that are covered in a certification exam. However, the
exam guide for each exam lists the current topic areas and objectives that the exam covers. For more
information, the exam guides and other preparation materials are available on the AWS Certification exam
preparation page at https://aws.amazon.com/certification/certification-prep/.

The information on this slide is current as of March 2023. However, exams are frequently updated, and the
details regarding which exams are available—and what is tested by each exam—are subject to change. For more
information about the latest AWS certification exam information, see the AWS Certification page at
https://aws.amazon.com/certification/.

You are required to update your certification (or recertify) every 3 years. For more information, see the AWS
Recertification page at https://aws.amazon.com/certification/recertification/.


Core 4 – Steps to prepare for an AWS Certification exam

Approach exam day with confidence
• Step 1: Get to know the exam and exam-style questions
• Step 2: Learn about exam topics in AWS Skill Builder
• Step 3: Take exam preparation training in AWS Skill Builder
• Step 4: Validate your exam readiness with Official Practice Exams
QR code: Explore all AWS Certification Exams

This course includes content that might be related to an AWS Certification exam. To continue preparing for the
exam, follow these Core 4 steps.

For more information about each exam, you can scan the QR code to see “Explore AWS Certification exams” at
https://aws.amazon.com/certification/exams/.


Prepare for AWS Certification – step 1

Get to know the exam and exam-style questions
1. Review the exam guide.
2. Sign up for access to AWS Skill Builder, the AWS online learning center.
3. Enroll and take an AWS Certification Official Practice Question Set.

Step one is getting to know the exam and exam-style questions.

You can review the exam guide for each exam by exploring the AWS Certification Exams page. For more
information, see Explore all AWS Certification exams at https://aws.amazon.com/certification/exams/.

For sample exam questions, you can sign up on AWS Skill Builder. Within Skill Builder, you can enroll in an
Official Practice Question Set. For more information, see AWS Skill Builder: Your learning center to build
in-demand cloud skills at https://explore.skillbuilder.aws/learn.

The questions in the practice sets are created by following the same process as questions that you will see on
the actual AWS Certification exams. They include detailed feedback and recommended resources to help you
prepare for your exam.


Prepare for AWS Certification – step 2

Learn about exam topics in Skill Builder
1. Identify gaps in your exam topic knowledge.
2. Enroll in self-paced digital courses on the topics you need to learn about.
3. Access AWS Builder Labs to get hands-on; apply your skills in the AWS Console.

Step two is brushing up on exam topics.

In addition to reviewing the exam guide and enrolling in self-paced courses on AWS Skill Builder, you can
explore AWS Builder Labs to get hands-on experience with AWS. For more information, see
AWS Builder Labs: Learn cloud skills in a live AWS environment at
https://aws.amazon.com/training/digital/aws-builder-labs/.


Prepare for AWS Certification – step 3

Take exam prep training in AWS Skill Builder
1. AWS Skill Builder offers courses across all domains.
2. AWS Builder Labs contain more than 500 self-paced labs.
3. Use gaming to prepare for your AWS Certification with AWS Cloud Quest.

Next, you can take exam preparation courses in AWS Skill Builder.

Skill Builder also offers many resources that you can use to address any gaps in your knowledge that you
discover.
1. Skill Builder offers courses across all domains.
2. There are also more than 500 self-paced labs.
3. Finally, if you’d like to gain hands-on experience with AWS services by playing an actual game, try AWS
Cloud Quest.

Note: some of these resources require a digital subscription.


Prepare for AWS Certification – step 4

Validate your exam readiness
• Take an AWS Certification Official Practice Exam with exam-style scoring.

Finally, determine your exam readiness by taking an official practice exam.

Each practice exam includes the same number of questions as the actual exam. The practice exams provide
practice with the same question style, depth, and rigor as the certification exam. They include exam-style
scoring and a pass or fail. You’ll also receive feedback on the answer choices for each question with
recommended resources to deepen your understanding of key topics. You can determine whether you want to
simulate the exam experience by taking a timed exam with answers only shown at the end. Or you can choose
other options, like untimed, or with answers shown after submitting each question.


Register for your exam

Learn about options for taking the exam.

AWS offers flexible, convenient options for taking exams. Explore the Schedule an Exam page to choose the
exam option that works best for you. For more information, see Schedule an Exam: Find the testing option that
works best for you at https://aws.amazon.com/certification/certification-prep/testing/.


AWS Skill Builder online learning center

Continue to deepen the skills you need, your way, with more than 500 courses and interactive training developed by the experts at AWS.
• Game-based learning
• Self-paced labs
• Use case challenges
• Exam preparation

Get started: https://aws.amazon.com/training/digital

Continue your learning with AWS Skill Builder, our online learning center.

Are you ready to achieve your goals at your pace? Free digital training on AWS Skill Builder offers more than 500
on-demand courses and learning plans so you can build the skills that you need, your way.

Want to build problem-solving cloud skills in an interactive, engaging experience? A Skill Builder subscription
offers access to self-paced labs, practice exams, role-based games, and real-world challenges to accelerate your
learning.

For more information about how to learn more and get started, see AWS Skill Builder at
https://aws.amazon.com/training/digital.


Don’t miss these learning opportunities

• Free Digital Training – Learn with hundreds of free, self-paced digital courses on AWS fundamentals.
• Classroom Training – Deepen your technical skills and learn from an accredited AWS instructor.
• AWS Certification – Validate your expertise with an industry-recognized credential.

AWS Training and Certification is an organization dedicated to expanding and deepening knowledge of AWS, and
driving proliferation in the use of AWS services. Our programs are designed for customers, AWS Partners, and
AWS employees. Over the past several months, we have rolled out several new courses, training labs, and
certifications to our customers and partners.

Expand your AWS Cloud skills. For more information, see the following resources:
• Digital training – https://explore.skillbuilder.aws/
• Classroom training – https://aws.amazon.com/training
• AWS Certification – https://aws.amazon.com/certification
• AWS Workshops – https://workshops.aws/
• Tech Talks – https://aws.amazon.com/events/online-tech-talks/on-demand/
• AWS Ramp-Up Guides – https://aws.amazon.com/training/ramp-up-guides/


Thanks for participating!

Corrections, feedback, or other questions?
Contact us at https://support.aws.amazon.com/#/contacts/aws-training.
All trademarks are the property of their owners.
