🔐
AWS SCS-C01
  • Practice Test Scores
  • Domain 1 - Incident Response
    • Incident Response
    • Exposed AWS Access Keys
    • Compromised EC2 Instance
    • How do you report abuse of AWS resources?
    • GuardDuty
    • Penetration Testing
  • Domain 2 - Logging & Monitoring
    • Some Basics
    • Inspector
    • Security Hub
    • AWS WAF
    • Systems Manager
    • Systems Manager Features
    • CloudWatch Logs
    • Athena
    • CloudTrail
    • Config
    • Trusted Advisor
    • CloudTrail Log File Integrity
    • Macie
    • S3 Event Notifications
    • VPC Flow Logs
    • Centralized Logging Architecture
  • Domain 3 - Infrastructure Security
    • Bastion Hosts
    • Site-to-Site VPN
    • VPC Peering
    • VPC Endpoints
    • Network ACL
    • Firewall vs IPS vs IDS
    • EBS
    • CloudFront
    • Shield
    • Mitigating DDoS Attacks
    • EC2 Key Pair Troubleshooting
    • EC2 Tenancy
    • Artifact
    • Lambda@Edge
    • Simple Email Service (SES)
    • DNS Support in VPC
  • Domain 4 - Identity & Access Management
    • Organizations
    • IAM Policy Evaluation Logic
    • Understanding IAM Policies
    • IAM Tutorial: Delegate access across AWS accounts using IAM roles
    • External ID
    • iptables
    • IAM policy elements: Version
    • IAM policy elements: Variables and tags
    • Policy elements: Principal and NotPrincipal
    • IAM policy elements: Condition
    • Security Token Service (STS)
    • Identity federation in AWS
    • Enabling SAML for your AWS resources
    • Single Sign-On
    • Cognito
    • Directory Service
    • Trusts in Active Directory
    • Example S3 Bucket Policies
    • Cross-account access to S3 buckets using Resource-based policies and IAM policies
    • S3 Access Control Lists (ACLs)
    • Presigned URLs
    • S3 Versioning
    • S3 Cross-Region Replication (CRR)
    • S3 Object Lock
    • Configuring MFA-protected API access
    • IAM Permission Boundaries
  • Domain 5 - Data Protection
  • CloudHSM
  • Key Management Service (KMS)
  • Symmetric CMKs vs Asymmetric CMKs
  • Data Key Caching
  • Deleting KMS CMKs
  • Default KMS Key Policy
  • Managing access to KMS CMKs
  • KMS CMK Key Types
  • Rotating KMS CMKs
  • Example Key Policies for KMS Questions
  • KMS Grants
  • KMS CLI Commands
  • Importing key material in KMS
  • KMS Condition Keys
  • Migrating Encrypted KMS Data Across Regions
  • KMS Encryption Context
  • CloudHSM vs KMS
  • S3 Data Encryption
  • Application Load Balancer (ALB)
  • ELB Listeners Part 1
  • ELB Listeners Part 2
  • AWS Certificate Manager (ACM)
  • Glacier
  • DynamoDB Encryption
  • AWS Secrets Manager
  • Summaries
    • Domain 1
    • Domain 2
    • Domain 3
    • Domain 4
    • Domain 5
Powered by GitBook
On this page
  • Origin Access Identity (OAI)
  • Using SNI to Serve HTTPS Requests
  • Signed URLs

Was this helpful?

  1. Domain 3 - Infrastructure Security

CloudFront

  • CloudFront is a web service that speeds up distribution of your static and dynamic web content, such as .html, .css, .js, and image files, to your users.

  • It delivers your content through a worldwide network of data centres called edge locations.

  • When a user requests content that you're serving with CloudFront, the request is routed to the edge location that provides the lowest latency (time delay), so that content is delivered with the best possible performance.

    • If the content is already in the edge location with the lowest latency, CloudFront delivers it immediately.

    • If the content is not in that edge location, CloudFront retrieves it from an origin that you've defined, e.g. such as an S3 bucket, that you have identified as the source for the definitive version of your content.

Origin Access Identity (OAI)

  • To ensure that your users access your files using only CloudFront URLs, regardless of whether the URLs are signed, do the following:

    1. Create a special CloudFront user called an OAI and associate it with your distribution.

    2. Configure your S3 bucket permissions so that CloudFront can use the OAI to access the files in your bucket and serve them to your users.

  • After you take these steps, users can only access your files through CloudFront, not directly from the S3 bucket.

Using SNI to Serve HTTPS Requests

  • Server Name Indication (SNI) is an extension for the TLS protocol, which is used in HTTPS.

  • It's included in the TLS/SSL handshake process in order to ensure that client devices are able to see the correct SSL certificate for the website they are trying to reach.

Signed URLs

  • Many companies that distribute content over the internet want to restrict access to documents, business data, media streams, or content that is intended for selected users, for example, users who have paid a fee.

  • Require that your users access your private content by using special CloudFront signed URLs or signed cookies.

  • Use signed URLs in the following cases:

    • You want to restrict access to individual files, for example, an installation download for your application.

    • Your users are using a client (for example, a custom HTTP client) that doesn't support cookies.

  • Use signed cookies in the following cases:

    • You want to provide access to multiple restricted files, for example, all of the files for a video in HLS format or all of the files in the subscribers' area of website.

    • You don't want to change your current URLs.

PreviousEBSNextShield

Last updated 4 years ago

Was this helpful?