Using AWS Web Application Firewall as a Response to Attacks One of the primary purposes of a denial-of-service attack is to make the system being attacked unresponsive. Assets will be protected if you place your applications and web services, along with corresponding load balancers and Content Delivery Networks (CDNs), such as CloudFront, behind a Web […]
DDoS Attack Patterns There are many different DDoS attacks that can be used to achieve the end goal of disruption. The following subsections explain a couple of these at a high level to help you understand the principles of DDoS attacks. Note The exam will not test you on the different types of attacks and […]
Vulnerable AWS Credentials Another significant vulnerability for identity and access management is access credentials (specifically, an access key and secret access key) that are not rotated in a programmatic manner. These credentials are tied to a specific user and carry any capabilities or access that user has been granted. Mitigation of Vulnerable AWS Credentials Create […]
Mitigation for a Lack of Identity Federation Implementing a modern identity service or platform helps mitigate the risk of password compromise with multiple identities. AWS’s native IAM Identity Center allows you to connect with your existing SAML identity provider or create and manage your users and groups directly from the IAM service itself. This helps […]
AWS Infrastructure Scanning If you spin up an EC2 instance on a public URL and then check the logs, you will see that they are populated with scans that determine whether any standard software has been installed with the default settings. Even though AWS itself does not publish the list of public URLs used for […]
Mitigation for Business Continuity and Resilience A business can often determine how to recover and protect a particular application much more easily than it can determine how quickly each application needs to be recovered. This can be resolved by setting a Recovery Time Objective (RTO) and a Recovery Point Objective (RPO) for each application. How […]
With an outline of what you are responsible for from an AWS customer perspective and a refresher of the baseline services that will be discussed throughout the different scenarios in your journey, this first section will conclude with an examination of some of the top risks that your cloud environment can be exposed to. Even […]
Summary In this chapter, you reviewed many of the main services used in AWS architecture. These make up the majority of the services that will be part of your day-to-day responsibilities as an AWS cloud security engineer and the services that will be referenced in the questions in the exam. Having a baseline knowledge of these […]
Reviewing Deviations Using Trusted Advisor As you use Trusted Advisor, over time, you will see that the service begins to highlight potential issues within your account. This section will cover how to review these deviations and how to interpret the severity of the issues found. From within the AWS Management Console, select Trusted Advisor from […]
API Gateway For building RESTful and WebSocket APIs, AWS provides a fully managed service built around a simple interface. API Gateway can act as the entrance to other AWS services, such as data stored on RDS, or compute calls made by the EC2 or Lambda services, just as examples. API Gateway […]