This chapter covers the following official AWS Certified SysOps Administrator – Associate (SOA-C02) exam domain:
Domain 4: Security and Compliance
(For more information on the official AWS Certified SysOps Administrator – Associate [SOA-C02] exam topics, see the Introduction.)
In this chapter, you learn how to use AWS features to protect data at rest or in transit. You first learn about the different encryption techniques and then learn how the AWS Key Management Service (KMS) can help you manage your encryption keys.
Next, you learn about data classifications and the role of a certificate authority (CA). In that section, you learn how the AWS Certificate Manager (ACM) can be used to manage your public and private certificates.
This chapter ends with a collection of important security tools: AWS Secrets Manager, Amazon GuardDuty, Amazon Inspector, and AWS Security Hub.
This section covers the following official AWS Certified SysOps Administrator – Associate (SOA-C02) exam topic for Domain 4: Security and Compliance:
4.2 Implement data and infrastructure protection strategies
If you can correctly answer these questions before going through this section, save time by skimming the Exam Alerts in this section and then completing the Cram Quiz at the end of the section.
1. Besides data at rest and data in transit, what is another form of data that needs to be protected?
2. To determine that a web server is valid, a _____ from a CA can be used.
1. Answer: Data in use
2. Answer: Certificate
Encryption is the process of transforming data from its original form to a form that, when viewed, does not reveal the original data. There are three different forms of encryption:
Data at rest: Data is encrypted when it is stored. Either you can encrypt the data yourself before uploading it to storage, or, in some cases, a function provided by the cloud provider can perform the encryption for you. When you perform the encryption, it is your responsibility to decrypt the data when the original data is needed. When the cloud provider encrypts the data, the decryption must be performed by the cloud provider.
Data in transit: Data is encrypted before it is sent and decrypted when it is received. This form of encryption can involve several different techniques, but in most cases in cloud computing environments, it means that the data is encrypted by a network device that then sends the data across the network.
Data in use: Data is encrypted while it is being actively used, which typically means while it is stored in random-access memory (RAM). Because some exploits may make data in RAM vulnerable, this form of encryption may be very important for ensuring data integrity.
Many different technologies can be used to encrypt data, and which technology you use will depend on several factors, including which cloud provider you utilize. These technologies fall into one of two methods of encryption:
Symmetric encryption: With this method, you use the same key (a unique value of some sort) to both encrypt and decrypt the data.
Asymmetric encryption: With this method, you use different keys to encrypt and to decrypt the data. One key is referred to as the public key, and the other is called the private key. For example, suppose you want someone to send data to you across the network. You give this person the public key, and the person uses it to encrypt the data. The only way to decrypt the data is to use the private key, which you never share with anyone else.