Summary and Quiz

Get a refresher of what you’ve learned about the security and compliance services provided by AWS in this chapter and take a short quiz to validate your knowledge.

In this lesson, we’ll summarize what we’ve learned so far in this chapter and test our knowledge with a short quiz.

Summary

In this chapter, we learned about security services offered by AWS. Here’s a brief summary of the services we covered:

AWS KMS

KMS is used to manage encryption keys in AWS. There are two main types of KMS keys:

  • AWS-managed keys: These keys are created and managed by AWS on our behalf for a specific AWS service, such as S3 or EBS.

  • Customer-managed keys: These keys are generated and managed by users. We have complete control over the configuration of these keys.
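The "complete control" that distinguishes a customer-managed key is exercised through its key policy, so it is worth seeing what a reasonable policy looks like and what a reviewer checks for. The block below is an added example, not part of the original lesson or of any AWS tooling: it embeds a constructed key policy (the default statement AWS attaches to a new key, a scoped key-user statement, and two deliberately over-permissive statements; 111122223333 is the example account ID used in AWS documentation, and the role and user names are made up) and a small audit function that flags anonymous access and key-administration rights granted to principals other than the account root.

```python
import json

# Constructed example key policy for a customer-managed KMS key. The account
# ID 111122223333 is the one AWS documentation uses for examples; the role
# and user names below are invented for this illustration.
EXAMPLE_KEY_POLICY = {
    "Version": "2012-10-17",
    "Id": "example-key-policy",
    "Statement": [
        {   # Default statement on a new key: account root gets full control,
            # which is what lets IAM policies in the account delegate access.
            "Sid": "Enable IAM User Permissions",
            "Effect": "Allow",
            "Principal": {"AWS": "arn:aws:iam::111122223333:root"},
            "Action": "kms:*",
            "Resource": "*",
        },
        {   # Key users: an application role limited to cryptographic operations.
            "Sid": "Allow use of the key",
            "Effect": "Allow",
            "Principal": {"AWS": "arn:aws:iam::111122223333:role/app-role"},
            "Action": ["kms:Encrypt", "kms:Decrypt", "kms:GenerateDataKey*"],
            "Resource": "*",
        },
        {   # Misconfiguration (constructed): anonymous principal, no Condition.
            "Sid": "Public decrypt",
            "Effect": "Allow",
            "Principal": "*",
            "Action": "kms:Decrypt",
            "Resource": "*",
        },
        {   # Misconfiguration (constructed): one IAM user gets kms:*, which
            # includes rewriting the policy and scheduling key deletion.
            "Sid": "Too much for one user",
            "Effect": "Allow",
            "Principal": {"AWS": "arn:aws:iam::111122223333:user/alice"},
            "Action": "kms:*",
            "Resource": "*",
        },
    ],
}

# Actions that let a principal change or destroy the key itself; on a
# customer-managed key these belong to key administrators, not key users.
KEY_ADMIN_ACTIONS = {"kms:*", "*", "kms:PutKeyPolicy", "kms:ScheduleKeyDeletion"}


def _as_list(value):
    return value if isinstance(value, list) else [value]


def _principals(statement):
    """Flatten the Principal element ("*" or {"AWS": ...}) into a list of strings."""
    principal = statement.get("Principal", {})
    if principal == "*":
        return ["*"]
    flattened = []
    for value in principal.values():
        flattened.extend(_as_list(value))
    return flattened


def audit_key_policy(policy):
    """Return human-readable findings for risky Allow statements in a key policy."""
    findings = []
    for statement in policy.get("Statement", []):
        if statement.get("Effect") != "Allow":
            continue
        sid = statement.get("Sid", "<no Sid>")
        actions = _as_list(statement.get("Action", []))
        principals = _principals(statement)
        has_condition = bool(statement.get("Condition"))

        # Anonymous access: Principal "*" (or {"AWS": "*"}) without a Condition
        # means any AWS principal may call these actions on the key.
        if "*" in principals and not has_condition:
            findings.append(f"{sid}: grants {actions} to every principal with no Condition")
            continue

        # Key-administration rights on a non-root principal: only the account
        # root holds kms:* in the default policy; anyone else with these
        # actions can rewrite the policy or schedule the key for deletion.
        for principal in principals:
            if principal.endswith(":root"):
                continue
            granted = sorted(KEY_ADMIN_ACTIONS.intersection(actions))
            if granted:
                findings.append(f"{sid}: grants key-admin actions {granted} to {principal}")
    return findings


if __name__ == "__main__":
    print(json.dumps(EXAMPLE_KEY_POLICY, indent=2))
    for finding in audit_key_policy(EXAMPLE_KEY_POLICY):
        print("FINDING:", finding)
```

Run against the constructed policy, the audit reports the two bad statements and leaves the root statement and the scoped key-user statement alone. The same function can be pointed at a real policy fetched with the KMS GetKeyPolicy API, which returns the policy as a JSON string.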

WAF

AWS WAF is a web application firewall used to protect our applications from malicious requests. We can configure web ACLs to defend our applications against specific types of attacks, including cross-site scripting (XSS), SQL injection, and cross-site request forgery (CSRF). WAF inspects each request sent to the application and blocks any request that violates the configured web ACL rules.
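A web ACL is an ordered list of rules, and the order matters: rules are evaluated by priority, the first matching ALLOW or BLOCK rule decides, COUNT rules only record a match, and the web ACL's default action applies when nothing terminates. The block below is an added example, not code from the lesson or from AWS: it models that evaluation with a constructed web ACL whose toy matchers stand in for AWS managed rule groups (they are far narrower than the real ones), using documentation-only IP addresses from 203.0.113.0/24 and 198.51.100.0/24.

```python
import re
from dataclasses import dataclass
from typing import Callable, List, Optional, Tuple


@dataclass
class Request:
    source_ip: str
    uri: str
    query: str = ""
    body: str = ""


@dataclass
class Rule:
    name: str
    priority: int            # lower number is evaluated first, as in a web ACL
    action: str              # "ALLOW" or "BLOCK" terminate; "COUNT" only records
    matches: Callable[[Request], bool]


# Toy detection patterns constructed for this example; they stand in for the
# AWS managed rule groups and are deliberately simple.
SQLI_PATTERN = re.compile(r"(?i)\bunion\b.+\bselect\b")
XSS_PATTERN = re.compile(r"(?i)<\s*script\b")


def _in_request(pattern, request):
    return bool(pattern.search(request.query) or pattern.search(request.body))


# Constructed web ACL. Note the ALLOW rule at priority 0: it is evaluated
# before the BLOCK rules, so requests from that address skip them entirely.
WEB_ACL = [
    Rule("allow-monitoring-ip", 0, "ALLOW", lambda r: r.source_ip == "203.0.113.10"),
    Rule("count-admin-path", 10, "COUNT", lambda r: r.uri.startswith("/admin")),
    Rule("block-sqli", 20, "BLOCK", lambda r: _in_request(SQLI_PATTERN, r)),
    Rule("block-xss", 30, "BLOCK", lambda r: _in_request(XSS_PATTERN, r)),
]


def evaluate(rules: List[Rule], request: Request,
             default_action: str = "ALLOW") -> Tuple[str, List[str], Optional[str]]:
    """Evaluate rules in priority order the way a web ACL does.

    Returns (final_action, names of COUNT rules that matched, terminating rule).
    The first matching ALLOW or BLOCK rule decides; COUNT rules never stop
    evaluation; if nothing terminates, the web ACL's default action applies.
    """
    counted: List[str] = []
    for rule in sorted(rules, key=lambda r: r.priority):
        if not rule.matches(request):
            continue
        if rule.action == "COUNT":
            counted.append(rule.name)
            continue
        return rule.action, counted, rule.name
    return default_action, counted, None


if __name__ == "__main__":
    samples = [
        Request("198.51.100.7", "/search", query="q=shoes"),
        Request("198.51.100.7", "/admin/users", query="id=1 UNION SELECT name FROM users"),
        Request("198.51.100.7", "/comment", body="<script>alert(1)</script>"),
        Request("203.0.113.10", "/search", query="id=1 UNION SELECT 1"),
    ]
    for req in samples:
        print(req.source_ip, req.uri, "->", evaluate(WEB_ACL, req))
```

The fourth sample is the case to remember when reviewing a web ACL: a broad ALLOW rule placed at a low priority number short-circuits every BLOCK rule after it, so allow-list rules should be as narrow as possible or placed after the blocking rules. COUNT mode is how new rules are normally trialled, since a counted match shows up in the logs without affecting traffic.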

Amazon Detective

Amazon Detective helps organizations identify security issues, conduct efficient investigations, and proactively respond to potential threats by continuously analyzing and correlating log data from various AWS services, such as AWS CloudTrail and Amazon VPC Flow Logs. It does not resolve any security issues itself; it identifies them and recommends actions with which the threats can be mitigated.

AWS Directory Service

With AWS Directory Service, organizations can centralize user identities and access management, simplifying authentication and authorization across AWS resources and applications.

Secrets Manager

Secrets Manager can be used to store our passwords and credentials. All secrets stored in AWS Secrets Manager are encrypted with keys from AWS Key Management Service (KMS), so the secrets benefit from KMS's encryption and key management.

Amazon Macie

Amazon Macie helps organizations maintain their data assets’ confidentiality, integrity, and availability in AWS environments. It is a fully managed data security and privacy service that uses machine learning and pattern matching to automatically discover, classify, and protect sensitive data stored in AWS.

Security Hub

AWS Security Hub is a security service that provides us with a comprehensive view of the security state of our AWS account. It collects data from various AWS accounts, services, and other third-party products to determine the security issues in our account.

AWS Firewall Manager

AWS Firewall Manager helps us manage firewalls in our account from a single place. It can also be used at the organization level, allowing us to secure multiple AWS accounts from a single point and keep our firewall policies consistent across them.

AWS GuardDuty

AWS GuardDuty is a regional service that is fully managed by AWS. GuardDuty helps us protect our AWS environments by identifying potential security issues such as unusual API calls, compromised EC2 instances, unauthorized access attempts, and potentially malicious IP addresses.

AWS Inspector

AWS Inspector is a security assessment service that automates the process of assessing the security and compliance of our AWS resources. It allows us to identify security vulnerabilities, compliance issues, and deviations from security best practices within our EC2 instances, container images in Amazon Elastic Container Registry (Amazon ECR), and Lambda functions.

AWS Network Firewall

AWS Network Firewall is a fully managed firewall that is used to protect the resources inside virtual private clouds created using Amazon VPC. Through this service, we can monitor and filter the incoming and outgoing traffic for our VPC through resources such as AWS Direct Connect, internet gateways, or NAT gateways.

AWS Shield

AWS Shield is a protection service that protects applications hosted in the AWS cloud from Distributed Denial of Service (DDoS) attacks. It operates at the network, transport, and application layers of the OSI model (layers 3, 4, and 7).

AWS Resource Access Manager

AWS Resource Access Manager (RAM) is a service that allows us to securely share our AWS resources over multiple AWS accounts. These accounts can be within the same organization or different organizations.

AWS CloudHSM

AWS CloudHSM provides cloud-based hardware security modules (HSMs), cryptographic devices that offer secure key storage and cryptographic operations to help us meet our encryption and compliance requirements. When we create an HSM, we specify an HSM user, and we then use that user's credentials to operate the HSM.

AWS Audit Manager

AWS Audit Manager is a service that allows us to audit our AWS resources and simplifies how we manage and assess risk in compliance with industry standards. It automates the process of collecting evidence, allowing us to ensure the policies, activities, and procedures we have created are working as expected.

AWS Artifact

AWS Artifact is an AWS-managed repository of security and compliance reports and select online agreements. We can use these reports to demonstrate our AWS infrastructure's compliance.

Test your knowledge

Let’s take a quiz to make sure we’ve not missed out on anything:
