Domain 2

Understanding VPC Flow Logs

  • In this example, SSH traffic (destination port 22, TCP protocol) to network interface eni-1235b8ca123456789 in account 123456789010 was allowed

    • 2 123456789010 eni-1235b8ca123456789 172.31.16.139 172.31.16.21 20641 22 6 20 4249 1418530010 1418530070 ACCEPT OK

Inspector

  • It assesses applications for exposure, vulnerabilities, and deviations from best practices.

  • An Inspector assessment can use any combination of the following rules packages:

    • Network Reachability - Analyse your network configurations to find security vulnerabilities.

    • Common vulnerabilities and exposures (CVEs).

    • Center for Internet Security (CIS) Benchmarks.

    • Security best practices for Inspector.

Systems Manager

  • Managed Instance:

    • Machine that has been configured for use with Systems Manager.

  • SSM Agent:

    • Amazon software that can be installed and configured on an EC2 instance and on-premises

  • Run Command:

    • Lets you remotely and securely manage the configuration of your managed instances.

    • E.g. automate common admin tasks and perform ad hoc configuration changes at scale.

  • Patch Manager:

    • Automates the process of patching managed instances with both security related and other types of updates.

  • Patch Baseline:

    • Defines which patches are approved for installation on your instances.

  • Parameter Store

    • Provides secure and hierarchical storage for secrets management.

Config

  • It provides a detailed view of the configuration of your AWS resources in your AWS account.

  • A Config rule represents your desired configuration settings for specific AWS resources and if a resource violates a rule, Config flags the resource and the rule as noncompliant and then your Lambda functions can take actions based on the rule violations.

Athena

  • Interactive query service to analyse data directly in S3 using standard SQL.

  • A common use case of Athena is to use it for querying AWS Service Logs, such as CloudTrail logs (especially if your logs are older than 90 days) and VPC flow logs.

Web Application Firewall (WAF)

  • Protects/monitors HTTP(S) requests that are forwarded to a CloudFront distribution, an API Gateway REST API, an Application Load Balancer and it also lets you control access to your content.

  • An example of a match statement is a XSS scripting attack rule (inspects for cross-site scripting attacks in a specified request component).

  • An example of a complex statement is a rate-based rule (tracks the rate of requests from individual IP addresses).

CloudWatch Logs

  • Install and configure the CloudWatch Logs Agent on a Running EC2 Linux Instance:

    • Create an IAM role with an appropriate policy to allow the EC2 instance to create logs.

    • Install AWS Logs Agent.

    • Modify Configuration File.

    • Start the AWS Logs Agent.

  • Troubleshooting the CloudWatch Agent:

    • CloudWatch Agent Won't Start - Is there an issue with your configuration?

    • Is the CloudWatch agent running on the Instance?

    • Has the EC2 Instance got permissions to write logs to CloudWatch Logs?

CloudWatch Metric Filter

  • Search and filter the log data coming into CloudWatch Logs.

  • They define the terms and patterns to look for in log data as it is sent to CloudWatch Logs.

  • CloudWatch Logs uses these metric filters to turn log data into numerical CloudWatch metrics that you can graph or set an alarm on.

IP Packet Inspection

  1. At VPC level, create a proxy server and route all VPC outbound traffic through the proxy server.

  2. Install the appropriate agent on the host and inspect host-level traffic.

  • VPC Flow Logs cannot be used for packet inspection.

CloudTrail

  • When activity occurs in your AWS account, that activity is recorded in a CloudTrail event.

  • Determine whether a log file was modified after CloudTrail delivered it, use CloudTrail log file integrity validation.

  • Changing a Prefix for an Existing Bucket:

    • You may see the error: There is a problem with the bucket policy.

      • A bucket policy with an incorrect prefix can prevent your trail from delivering logs to the bucket.

        • To resolve this issue, use S3 to update the prefix in the bucket policy.

        • Then use CloudTrail to specify the same prefix for the bucket in the trail.

Multiple Account's CloudTrail log files into a single S3 bucket

  1. Turn on CloudTrail in the account where the destination bucket will belong.

  2. Update the bucket policy on your destination bucket to grant cross-account permissions to CloudTrail.

  3. Turn on CloudTrail in the other accounts you want to use.

  4. Configure CloudTrail in these accounts to use the same bucket in step 1.

Macie

  • Fully managed data security and data privacy service that uses machine learning and pattern matching to help you discover, monitor, and protect your sensitive data in AWS.

Security Hub

  • Comprehensive view of your security state in AWS and helps you check your environment against security industry standards and best practices.

PreviousDomain 1NextDomain 3

Last updated

Was this helpful?