Allowed without prior approval for nine services: EC2 (including NAT and ELB), RDS, CloudFront,Aurora, API Gateway, Fargate, Lambda, Lightsail, and Elastic Beanstalk
May see older questions about "Pre-authorized scanning engine from marketplace"
Abuse notice
Received if workload is being used for non-AUP conforming purposes
Stolen laptop use-case: modify authorized_key file of all EC2 instances
CloudTrail stores 90 days in console. After that, can use Athena to query S3.
Logging and monitoring
VPC flow log format
Inspector scans target based on tag key-value pair
Uses supported baselines, e.g., CVE, CIS, best practices, network reachability, etc.
Some, like CVE, require Inspector agent
Systems manager
Run command
Patch compliance: check instance compliance status
Patch baseline: which patches are needed, define approval
Maintenance window
Parameter store: prefer SecureString, uses KMS
Config records config changes and provides compliance rule sets, integrated with Lambda for auto-remediation
Audit IAM policies before/after Incident
Detect CloudTrail disabled
Verify instances are using specific AMI
Detect security group rules on specific ports
Detect internet gateway addition to non-authorized VPC
Detect EBS volume encryption
WAF is layer 7, integrates with ALB, CloudFront, and API Gateway
CloudWatch logs can centrally store server and application logs
Assign IAM role to instance allowing CloudWatch push
Install CloudWatch Agent
Configure appropriate config to start agent
To troubleshoot, verify awslogs service is running manually or via Run Command and verify IAM policy
Metric filters used to identify errors
Alarms can be sent after metrics reach threshold
IP packet inspection achieved at VPC level with all outbound traffic sent to proxy server or at host level with appropriate agent, not with flow logs
CloudTrail
Enable for all regions and store data centrally
Create S3 bucket in central account
Configure CloudTrail in all accounts to push logs to central account
To update log prefix, first modify S3 bucket policy and then update trail
Region-specific outside of US, dedicated connection between data center and AWS
Not encrypted, use VPN tunneling if required
CloudFront
Signed URLs: real-time messaging protocol (RTMP) (cookies not supported), restrict access to specific files, users are using client without cookie support
Signed cookies: multiple restricted files
Supports custom TLS certificates in PEM format, must be imported into US East (N. Virginia) region, key length cannot exceed 2048 bits
VPC endpoints
Can use to allow only specific S3 buckets within account
Can use with KMS and aws:sourceVpc condition key to allow only specific VPCs to access KMS and ensure private DNS is enabled
Network ACL
Stateless, works at subnet level, max 40 rules with default of 20. If you need more, use, e.g., iptables
URL allowlist, e.g., "server should only access URL related to package updates", enabled via AWS Marketplace custom proxy like Squid
SES
TLS for encrypted SMTP connection, ports 25, 587, and 2587
Can disable instances from using Amazon-provided DNS by disabling DNS resolution in VPC
Can use host-based IDS for file integrity, integrate with CloudWatch for alerting
For IPS, install agent on instance and report to central SIEM server
Identity and access management
Cross-account IAM role troubleshooting
Verify sts:AssumeRole granted
Verify appropriate RoleArn is added
Verify external ID
VPN used for remote employees to connect to private VPC resources, can use VPN appliance from AWS Marketplace like OpenVPN
When integrating AD, DNS should point to AD
SCPs can only restrict access, impact root user as well
Active Directory Federation Service (ADFS) is a Microsoft SSO solution
Supports SAML, AD groups are associated/mapped with IAM roles where all users in group can assume role
In AD, direction of trust is opposite direction of access
IAM role can be used across multiple services by modifying trust policy
Data protection
ACM is regional, must be in same region as ELB and in US East (N. Virginia) for CloudFront
Cannot export public certificates created by ACM but can export private certificates
AWS uses SafeNet Luna SA 700 HSA CloudHSM, tamper-evident
CloudTrail logs are server-side encrypted by default in S3, can optionally use SSE-KMS
KMS
Automated rotation works for AWS KMS generated key material, cannot be used for imported key material, you must manually rotate them. You can do this by creating a new CMK and mapping an existing key alias to it.
For cross-region imported CMKs, you can re-wrap the data encryption key from the source region using the CMK
If you accidentally delete imported CMK, download a new wrapping key and import key into existing CMK
ELB
If app is using custom protocol, use TCP instead of HTTP(S) listeners
Supports Perfect Forward Secrecy (PFS), need to enable ECDHE key exchange
Glacier Vault lock can be aborted when InProgress
For user to start instance with encrypted EBS, must have kms:Decrypt and kms:CreateGrant permissions
