@jialin.huang

© 2024 jialin00.com

Original content since 2022


AWS Governance? Protection? Auditing?

TL;DR

  1. Most of the services below belong to the Security, Identity, & Compliance category
  2. Of the services listed here, only CloudTrail, Trusted Advisor and Config are in the Management & Governance category

AWS Shield

Security, Identity, & Compliance

Protection against DDoS attacks: Shield Standard is free and always on (layers 3/4), Shield Advanced adds layer 7 protection, cost protection and a response team; integrates with CloudFront, Route 53, ELB

AWS WAF

Security, Identity, & Compliance

Layer 7 (HTTP) protection: rules for IP-based filtering, geographic origin, rate limiting, and signatures for common attacks like XSS and SQL injection (managed rule groups cover the OWASP-style cases)

Sits in front of CloudFront, ALB, API Gateway

AWS CloudTrail

Management & Governance

Records API calls across AWS services: who (IAM identity), did what (event name), when, from where (source IP), and whether it succeeded. Management events are on by default; S3 and Lambda data events must be enabled explicitly. Send the trail to S3 (and CloudWatch Logs) so it survives and can be queried.
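To make "who did what" concrete, here is an added example (not from the original post) that parses CloudTrail's Records[] JSON and runs a few detections over it. The records are constructed to mimic the CloudTrail schema (userIdentity, eventName, sourceIPAddress, additionalEventData.MFAUsed); the detection names are my own, though the conditions themselves (root usage, console login without MFA, trail tampering, AccessDenied errors) are the standard CloudTrail alerts from the CIS AWS benchmark. This is also the kind of signal GuardDuty consumes from CloudTrail for you, so the block doubles as an illustration for that section.

```python
"""Answer "who did what" from CloudTrail records, plus a few detections.

Added example, not from the original post. SAMPLE_TRAIL is constructed
to mimic CloudTrail's JSON schema; the rule names in detect() are
illustrative and are not a GuardDuty or Security Hub feature.
"""
import json
from collections import Counter

# Constructed sample trail: same field layout as a real CloudTrail log file.
SAMPLE_TRAIL = json.dumps({"Records": [
    {"eventVersion": "1.08", "eventTime": "2024-05-01T08:00:12Z",
     "userIdentity": {"type": "IAMUser", "userName": "alice",
                      "arn": "arn:aws:iam::123456789012:user/alice"},
     "eventSource": "s3.amazonaws.com", "eventName": "PutBucketPolicy",
     "awsRegion": "us-east-1", "sourceIPAddress": "203.0.113.10",
     "requestParameters": {"bucketName": "finance-reports"}},
    {"eventVersion": "1.08", "eventTime": "2024-05-01T08:05:40Z",
     "userIdentity": {"type": "Root", "arn": "arn:aws:iam::123456789012:root"},
     "eventSource": "signin.amazonaws.com", "eventName": "ConsoleLogin",
     "awsRegion": "us-east-1", "sourceIPAddress": "198.51.100.7",
     "responseElements": {"ConsoleLogin": "Success"},
     "additionalEventData": {"MFAUsed": "No"}},
    {"eventVersion": "1.08", "eventTime": "2024-05-01T08:09:03Z",
     "userIdentity": {"type": "IAMUser", "userName": "alice",
                      "arn": "arn:aws:iam::123456789012:user/alice"},
     "eventSource": "cloudtrail.amazonaws.com", "eventName": "StopLogging",
     "awsRegion": "us-east-1", "sourceIPAddress": "203.0.113.10",
     "requestParameters": {"name": "arn:aws:cloudtrail:us-east-1:123456789012:trail/main"}},
    {"eventVersion": "1.08", "eventTime": "2024-05-01T08:10:00Z",
     "userIdentity": {"type": "AssumedRole",
                      "arn": "arn:aws:sts::123456789012:assumed-role/Deploy/ci"},
     "eventSource": "ec2.amazonaws.com", "eventName": "DescribeInstances",
     "awsRegion": "us-east-1", "sourceIPAddress": "10.0.1.5",
     "errorCode": "AccessDenied"},
]})


def load_records(trail_json):
    """A CloudTrail log file is one JSON object with a Records array."""
    return json.loads(trail_json)["Records"]


def actor(record):
    """Short 'who' label derived from userIdentity.type."""
    ident = record["userIdentity"]
    kind = ident.get("type")
    if kind == "Root":
        return "root"
    if kind == "IAMUser":
        return ident.get("userName") or ident.get("arn", "?")
    return ident.get("arn", kind or "unknown")  # AssumedRole, AWSService, ...


def who_did_what(records):
    """(who, service, action) per record: the basic CloudTrail question."""
    return [(actor(r), r["eventSource"].split(".")[0], r["eventName"]) for r in records]


def detect(records):
    """Findings as (rule, who/what, detail) tuples, in record order."""
    findings = []
    for r in records:
        if r["userIdentity"].get("type") == "Root":
            findings.append(("ROOT_ACTIVITY", r["eventName"], r["sourceIPAddress"]))
        # Successful console login where MFAUsed is anything but "Yes".
        if (r["eventName"] == "ConsoleLogin"
                and r.get("responseElements", {}).get("ConsoleLogin") == "Success"
                and r.get("additionalEventData", {}).get("MFAUsed") != "Yes"):
            findings.append(("CONSOLE_LOGIN_NO_MFA", actor(r), r["sourceIPAddress"]))
        # Attackers turn off the audit trail before doing anything noisy.
        if (r["eventSource"] == "cloudtrail.amazonaws.com"
                and r["eventName"] in ("StopLogging", "DeleteTrail", "UpdateTrail")):
            findings.append(("CLOUDTRAIL_TAMPERING", actor(r), r["eventName"]))
        if r.get("errorCode") == "AccessDenied":
            findings.append(("ACCESS_DENIED", actor(r), r["eventName"]))
    return findings


def denied_per_actor(records):
    """Count AccessDenied per actor; a burst here looks like enumeration."""
    return Counter(actor(r) for r in records if r.get("errorCode") == "AccessDenied")


if __name__ == "__main__":
    recs = load_records(SAMPLE_TRAIL)
    for row in who_did_what(recs):
        print(row)
    for finding in detect(recs):
        print(finding)
```

In production the same functions run over the gzipped objects a trail writes to S3, or over CloudWatch Logs subscription events; the point is that every record already carries the identity, action and source IP, so the "who did what" question is a projection, not an investigation.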

AWS Security Hub

Security, Identity, & Compliance

Central dashboard that aggregates findings from GuardDuty, Inspector, Macie, IAM Access Analyzer, Firewall Manager and partner tools, normalizes them into one format (ASFF), and runs its own automated checks against standards like CIS AWS Foundations and AWS Foundational Security Best Practices

Just remember "Hub" and you're good

AWS Audit Manager

Security, Identity, & Compliance

If you see "compliance" in the question, think Audit Manager

Continuously collects evidence (Config snapshots, CloudTrail activity, IAM settings) from your account and maps it to prebuilt frameworks like GDPR, HIPAA and PCI DSS, producing assessment reports for auditors

AWS Artifact

Security, Identity, & Compliance

Self-service portal for downloading AWS's own compliance reports (SOC, PCI DSS, ISO) and accepting agreements such as the HIPAA BAA. It documents AWS's side of the shared responsibility model; it does not assess your resources

Amazon Inspector

Security, Identity, & Compliance

Scans for vulnerabilities in Amazon EC2 instances, container images in ECR, and Lambda functions

Matches installed OS packages and application dependencies (e.g. the Linux kernel, git, language libraries) against CVE databases, and also flags unintended network reachability on EC2

Amazon Macie

Security, Identity, & Compliance

Uses pattern matching and ML to discover sensitive data (PII, credentials, financial data) in S3 buckets, and also flags bucket-level risks such as public access or missing encryption

Amazon GuardDuty

Security, Identity, & Compliance

Just turn it on: no agents or rules to write. It reads the log sources below directly, so you don't need to enable CloudTrail or VPC Flow Logs yourself for it to work

Analyzes

  • CloudTrail logs (management events and S3 data events), VPC Flow Logs (in/outbound traffic metadata), DNS logs (queries to the Route 53 resolver)

Detects threats such as compromised credentials, crypto-mining, command-and-control traffic, and malware on EBS volumes against

  • AWS accounts (IAM credential misuse)
  • EC2
  • Lambda (network activity)
  • EKS (audit logs and runtime)
  • RDS (Aurora login activity)
  • S3

AWS Config

Management & Governance

Records the configuration history of resources and checks whether each configuration complies with rules (AWS managed or custom Lambda-backed); non-compliant resources can trigger automatic remediation via SSM Automation

Example for S3:

  1. Server-side encryption enabled

    https://docs.aws.amazon.com/config/latest/developerguide/s3-bucket-server-side-encryption-enabled.html

  2. Logging enabled

    https://docs.aws.amazon.com/config/latest/developerguide/s3-bucket-logging-enabled.html

Each object below is the request body for `aws configservice put-config-rule --cli-input-json`; the SourceIdentifier selects the managed rule:

[
  {
    "ConfigRule": {
      "ConfigRuleName": "s3-bucket-encryption-enabled",
      "Description": "Check if S3 buckets have encryption enabled.",
      "Source": {
        "Owner": "AWS",
        "SourceIdentifier": "S3_BUCKET_SERVER_SIDE_ENCRYPTION_ENABLED"
      }
    }
  },
  {
    "ConfigRule": {
      "ConfigRuleName": "s3-bucket-logging-enabled",
      "Description": "Check if S3 buckets have access logging enabled.",
      "Source": {
        "Owner": "AWS",
        "SourceIdentifier": "S3_BUCKET_LOGGING_ENABLED"
      }
    }
  }
]
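The two managed rules above are black boxes; to show what a Config rule actually does, here is an added example (not from the original post or from AWS) of a custom rule written as the Lambda handler Config invokes. It evaluates the same two properties, default encryption and access logging, on an S3 bucket configuration item. The field names under supplementaryConfiguration (ServerSideEncryptionConfiguration, BucketLoggingConfiguration) follow the AWS::S3::Bucket item shape as I know it and should be verified against a real item before you depend on them; the sample items and the put_evaluations test seam are constructed for the example.

```python
"""Custom AWS Config rule: S3 bucket must have default encryption and
access logging. Added example, not from the original post or AWS.

Assumptions: configuration-item field names below mirror the
AWS::S3::Bucket item (verify against a real item); sample_item() builds
constructed items; put_evaluations is an injectable seam so the handler
can run offline without boto3.
"""
import json

COMPLIANT, NON_COMPLIANT, NOT_APPLICABLE = "COMPLIANT", "NON_COMPLIANT", "NOT_APPLICABLE"


def _supp(item):
    return item.get("supplementaryConfiguration") or {}


def has_default_encryption(item):
    """True if any default-encryption rule names an algorithm (AES256 / aws:kms)."""
    sse = _supp(item).get("ServerSideEncryptionConfiguration") or {}
    for rule in sse.get("rules", []):
        if (rule.get("applyServerSideEncryptionByDefault") or {}).get("sseAlgorithm"):
            return True
    return False


def has_access_logging(item):
    """True if server access logging targets a destination bucket."""
    cfg = _supp(item).get("BucketLoggingConfiguration") or {}
    return bool(cfg.get("destinationBucketName"))


def evaluate(item):
    """Return (compliance_type, annotation) for one configuration item."""
    if item.get("resourceType") != "AWS::S3::Bucket":
        return NOT_APPLICABLE, "not an S3 bucket"
    if item.get("configurationItemStatus") == "ResourceDeleted":
        return NOT_APPLICABLE, "bucket deleted"  # avoid a stale NON_COMPLIANT entry
    problems = []
    if not has_default_encryption(item):
        problems.append("no default server-side encryption")
    if not has_access_logging(item):
        problems.append("access logging disabled")
    if problems:
        return NON_COMPLIANT, "; ".join(problems)
    return COMPLIANT, "encryption and logging enabled"


def lambda_handler(event, context, put_evaluations=None):
    """Entry point in the shape Config invokes: invokingEvent is a JSON string
    carrying the configurationItem; the verdict is reported with
    PutEvaluations using the event's resultToken."""
    invoking = json.loads(event["invokingEvent"])
    item = invoking["configurationItem"]
    compliance, note = evaluate(item)
    evaluation = {
        "ComplianceResourceType": item["resourceType"],
        "ComplianceResourceId": item["resourceId"],
        "ComplianceType": compliance,
        "Annotation": note[:256],  # Config caps annotations at 256 characters
        "OrderingTimestamp": item["configurationItemCaptureTime"],
    }
    if put_evaluations is None:  # real deployment path
        import boto3
        put_evaluations = boto3.client("config").put_evaluations
    put_evaluations(Evaluations=[evaluation], ResultToken=event["resultToken"])
    return evaluation


def sample_item(name, encrypted, logged):
    """Constructed AWS::S3::Bucket configuration item."""
    supp = {}
    if encrypted:
        supp["ServerSideEncryptionConfiguration"] = {"rules": [
            {"applyServerSideEncryptionByDefault": {"sseAlgorithm": "aws:kms",
                                                    "kmsMasterKeyID": "alias/s3"}}]}
    if logged:
        supp["BucketLoggingConfiguration"] = {"destinationBucketName": "central-logs",
                                              "logFilePrefix": name + "/"}
    return {"resourceType": "AWS::S3::Bucket", "resourceId": name, "resourceName": name,
            "configurationItemStatus": "OK",
            "configurationItemCaptureTime": "2024-05-01T09:00:00.000Z",
            "configuration": {"name": name}, "supplementaryConfiguration": supp}


def sample_event(item):
    """Constructed Config invocation event wrapping one configuration item."""
    return {"invokingEvent": json.dumps({"configurationItem": item,
                                         "messageType": "ConfigurationItemChangeNotification"}),
            "ruleParameters": "{}", "resultToken": "constructed-token"}


if __name__ == "__main__":
    for bucket in (sample_item("good", True, True), sample_item("bad", False, False)):
        print(bucket["resourceId"], evaluate(bucket))
```

Deployed for real, the rule's Source would be `{"Owner": "CUSTOM_LAMBDA", "SourceIdentifier": "<lambda arn>", ...}` instead of `"Owner": "AWS"`, and the Lambda's role needs `config:PutEvaluations`. Keeping evaluate() pure (no AWS calls) is what makes the rule unit-testable, and the ResourceDeleted branch matters: without it a deleted bucket keeps showing as non-compliant until the evaluation is cleaned up.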

AWS Trusted Advisor

Management & Governance

Checks your account against AWS best practices in five categories (cost optimization, performance, security, fault tolerance, service quotas): flags idle resources, open security groups, missing MFA on root, approaching limits

Advisory only: it recommends, it never enforces or remediates (that is Config rules' job)

Resources

https://aws.amazon.com/products/

https://docs.aws.amazon.com/inspector/v1/userguide/inspector_assessments.html

https://docs.aws.amazon.com/config/latest/developerguide/managed-rules-by-aws-config.html
