Practice AWS Certification Security-Professional Exam Questions

2021-11-12 07:52:10 By: Ms. Lucky Chen

AWS security practitioners must be able to demonstrate their knowledge of the tools and methods used to protect critical infrastructure and to avoid the often costly penalties for compliance violations. Security engineers and managers who pursue additional IT training and certification (such as the AWS Certified Security - Specialty program) add value not only to their careers but also to the security of their organizations.

Stuart Scott, author of the AWS Certified Security - Specialty Exam Guide, said that another benefit of certification is that it can improve a company's reputation. "Being able to say that our team has passed the AWS Certified Security - Specialty tells customers, 'Your data is in our hands,'" he said.

AWS managed services, such as AWS Config, Amazon's cloud configuration audit tool, play an important role in properly protecting infrastructure at every layer. AWS Certified Security - Specialty exam questions may cover the various functions these services provide, including evidence collection and the enforcement of compliance rules.

The following is an excerpt from Chapter 13 of the AWS Certified Security - Specialty Exam Guide, published by Packt Publishing. Scott, AWS content and security lead at Cloud Academy, outlines how to use the AWS Config service to better understand and protect an AWS environment.

After reading the excerpt, take the AWS Certified Security-Specialty practice test questions to see what you have learned.

Be sure to check out the Q&A with Scott, in which he provides more insight on certification, and download the PDF of Chapter 13 to read the entire chapter, including more AWS Certified Security - Specialty exam questions.

With the number of AWS services increasing every year (168 services at the time of writing), it is easy to see how difficult it is to keep track of the resources you might be running in your environment. How do you keep up with which instances are running, where they are running, what they are running, and which resources are still needed? You may well be running infrastructure that is no longer needed and has been overlooked among the thousands of virtual appliances in production.

With a huge network of resources running in your account, do you have a clear understanding of which resources are associated with which? Which ENI is attached to which instance? In which subnet is this instance running? Which subnets belong to which VPC? Do you have a logical map of the infrastructure that lets you quickly determine the blast radius in the event of an incident, or understand resource dependencies before changing a configuration?

Most importantly, do you know their current configuration state? Are you sure they are running the latest patches, or is it possible that some of your infrastructure is exposed and vulnerable to potential security threats?

If someone makes a change to your infrastructure and environment, do you have an accurate record of the change, what was changed, and when it was changed?

Going back to compliance, how do you ensure that the resources you are deploying and retaining meet the compliance requirements specified by internal and external controls and processes?

All of the above questions usually need to be answered during an audit, but obtaining this information is troublesome enough in a traditional IT deployment, let alone in a cloud environment, which is inherently more dynamic and subject to a higher rate of change. However, AWS understands these audit and compliance requirements and offers a service called AWS Config to help you address many of these issues in an automated, auditable, and compliant manner.

For a comprehensive walkthrough of how to configure AWS Config, see https://docs.aws.amazon.com/config/latest/developerguide/gs-console.html. In this book, I want to focus on the different components of AWS Config and how they operate, so that you understand how the service works and how it provides a level of audit and governance checking. So, once you have set it up, come back here to explore the various components of AWS Config.

To understand how AWS Config helps you achieve these results, let me explain the main components of the service, which include the following:

Let's start with the first component, the Configuration Item (CI).

This is the basic element of AWS Config. It is essentially a JSON file containing a point-in-time snapshot of the configuration attributes of a specific AWS resource in your environment that AWS Config supports (the full list of supported resources can be found at https://docs.aws.amazon.com/config/latest/developerguide/resource-config-reference.html).

These attributes include the resource's current configuration, any direct relationships between the resource and other resources, metadata, and events. A new CI is created every time a change is made to the resource, for example when an API call creates, updates, or deletes it.

To learn more about how a CI is structured, you can find a table listing the configuration item components in the AWS documentation: https://docs.aws.amazon.com/config/latest/developerguide/config-item-table.html. Let us go through the components one by one:

These CIs are the effective building blocks of AWS Config and are used by many other components of the service. Let us continue and see how they work together.

When a resource change occurs in your environment and a new CI is created as a result, the CI is automatically added to the configuration stream, which is essentially an SNS topic. During the configuration of AWS Config, you can specify the SNS topic to be used for your stream:

This enables you to monitor the stream and build customized notifications for resource changes, helping you identify potential problems or unexpected security incidents.

This is particularly useful in auditing and provides a complete history of all changes made to a resource. By ordering the CIs of a resource chronologically, AWS Config can assemble the resource's modification history. You can access a resource's history through the AWS CLI or, as a timeline of events, through the AWS Management Console. In addition, as part of the process, AWS Config stores configuration history files for each resource type in the S3 bucket selected during AWS Config setup.

Here, you can view the configuration history of the EC2 security group. It shows the date and time of any changes made to the resource:

Using the AWS Management Console, you can select any of these changes and gain insight into the elements that changed. After a security incident or outage, this historical record is also very useful for establishing the timeline of events that led to the incident and can help you resolve it quickly and effectively.
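As an added example, not code from the book or from AWS, the following reconstructs the change timeline described above from the CIs of one resource: it flattens each CI's configuration and relationships and reports, per capture time, which attributes were added, removed, or changed. The two CIs are constructed sample data in the shape AWS Config records (field names such as ipPermissions and ipv4Ranges follow the EC2 security-group CI as I understand it; treat that shape as an assumption).

```python
# Constructed sample: two consecutive CIs for one security group (ids are
# made up). Only the fields this example reads are included.
SAMPLE_HISTORY = [
    {"resourceType": "AWS::EC2::SecurityGroup", "resourceId": "sg-0example1",
     "configurationItemCaptureTime": "2021-11-10T09:00:00.000Z",
     "configurationItemStatus": "ResourceDiscovered",
     "configuration": {"groupName": "web-tier", "ipPermissions": [
         {"ipProtocol": "tcp", "fromPort": 443, "toPort": 443,
          "ipv4Ranges": [{"cidrIp": "10.0.0.0/16"}]}]},
     "relationships": [{"resourceType": "AWS::EC2::VPC",
                        "resourceId": "vpc-0example", "name": "Is contained in Vpc"}]},
    {"resourceType": "AWS::EC2::SecurityGroup", "resourceId": "sg-0example1",
     "configurationItemCaptureTime": "2021-11-11T14:30:00.000Z",
     "configurationItemStatus": "OK",
     "configuration": {"groupName": "web-tier", "ipPermissions": [
         {"ipProtocol": "tcp", "fromPort": 443, "toPort": 443,
          "ipv4Ranges": [{"cidrIp": "10.0.0.0/16"}]},
         {"ipProtocol": "tcp", "fromPort": 22, "toPort": 22,
          "ipv4Ranges": [{"cidrIp": "0.0.0.0/0"}]}]},
     "relationships": [{"resourceType": "AWS::EC2::VPC",
                        "resourceId": "vpc-0example", "name": "Is contained in Vpc"}]},
]

TRACKED = ("configuration", "relationships")  # CI parts worth diffing


def flatten(obj, prefix=""):
    """Flatten nested dicts/lists into {dotted.path: leaf} so two CIs compare field by field."""
    if isinstance(obj, dict):
        items = obj.items()
    elif isinstance(obj, list):
        items = enumerate(obj)
    else:
        return {prefix.rstrip("."): obj}
    out = {}
    for key, value in items:
        out.update(flatten(value, f"{prefix}{key}."))
    return out


def diff_ci(old_ci, new_ci):
    """Return (kind, path, value) tuples for every attribute that differs between two CIs."""
    a = flatten({k: old_ci.get(k) for k in TRACKED})
    b = flatten({k: new_ci.get(k) for k in TRACKED})
    changes = []
    for path in sorted(set(a) | set(b)):
        if path not in a:
            changes.append(("added", path, b[path]))
        elif path not in b:
            changes.append(("removed", path, a[path]))
        elif a[path] != b[path]:
            changes.append(("changed", path, (a[path], b[path])))
    return changes


def change_timeline(history):
    """Order CIs by capture time and pair each capture time with what changed since the previous CI."""
    ordered = sorted(history, key=lambda ci: ci["configurationItemCaptureTime"])
    return [(cur["configurationItemCaptureTime"], diff_ci(prev, cur))
            for prev, cur in zip(ordered, ordered[1:])]
```

Against the sample, the timeline contains one entry at the second capture time, listing the four attributes of the newly added port 22 rule, which is exactly the "what changed and when" view the console timeline gives.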

Similarly, building on these same AWS Config building blocks, newly created CIs allow configuration snapshots to be assembled: a point-in-time image of all supported AWS resources in a specific region of your AWS environment. A snapshot can be initiated by running the deliver-config-snapshot command in the AWS CLI, and the result is sent to your predefined Amazon S3 bucket.

You can think of the configuration recorder as the on/off switch for the AWS Config service. You must enable the configuration recorder before the service can start creating your configuration items (CIs). When you configure AWS Config for the first time, the configuration recorder starts automatically, but once it is running you can stop it and re-enable it later:

This displays the initial configuration screen and lets you select the types of resource you want AWS Config to record. If you clear Record all resources supported in this region, you can choose specific types from a drop-down list, as shown in the following example:

After selecting the resources of your choice and the target S3 bucket in which to store your configuration history and snapshot files, the configuration recorder can start recording resource changes.

From a compliance perspective, AWS Config rules are a great feature and should be implemented whenever you use AWS Config. Backed by AWS Lambda functions that perform simple logic, config rules automatically monitor your resources to ensure that they meet the specific compliance controls you need to enforce in your AWS environment. If a resource is found to be non-compliant, you are notified via SNS and the configuration stream so that you can take corrective action.
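As an added example, not code from the book or from AWS, the following is the kind of simple logic a Lambda-backed custom Config rule performs: it reads the configuration item that AWS Config delivers JSON-encoded in the event's invokingEvent, decides whether a security group exposes an administrative port (22 or 3389) to 0.0.0.0/0 or ::/0, and returns the evaluation a real handler would pass to the PutEvaluations API. The sample event is constructed; the ipPermissions/ipv4Ranges/ipRanges field names follow the EC2 security-group CI shape as I understand it and are an assumption, and the boto3 call that reports the result is left out so the code runs offline.

```python
import json

UNRESTRICTED = ("0.0.0.0/0", "::/0")
ADMIN_PORTS = {22, 3389}

# Constructed sample event in the shape a custom Config rule receives.
SAMPLE_EVENT = {"invokingEvent": json.dumps({"configurationItem": {
    "resourceType": "AWS::EC2::SecurityGroup", "resourceId": "sg-0example1",
    "configurationItemCaptureTime": "2021-11-11T14:30:00.000Z",
    "configurationItemStatus": "OK",
    "configuration": {"ipPermissions": [
        {"ipProtocol": "tcp", "fromPort": 443, "toPort": 443, "ipv4Ranges": [{"cidrIp": "0.0.0.0/0"}]},
        {"ipProtocol": "tcp", "fromPort": 22, "toPort": 22, "ipv4Ranges": [{"cidrIp": "0.0.0.0/0"}]}]}}})}


def covers_admin_port(perm):
    """True if the rule's port range includes an admin port; protocol "-1" means all traffic."""
    if perm.get("ipProtocol") == "-1":
        return True
    lo, hi = perm.get("fromPort"), perm.get("toPort")
    return lo is not None and hi is not None and any(lo <= p <= hi for p in ADMIN_PORTS)


def evaluate_security_group(configuration):
    """Compliance logic: NON_COMPLIANT if any admin port is reachable from an unrestricted CIDR."""
    for perm in configuration.get("ipPermissions", []):
        cidrs = [r["cidrIp"] for r in perm.get("ipv4Ranges", [])]
        cidrs += [r["cidrIpv6"] for r in perm.get("ipv6Ranges", [])]
        cidrs += perm.get("ipRanges", [])  # older CI shape: bare CIDR strings
        if any(c in UNRESTRICTED for c in cidrs) and covers_admin_port(perm):
            return "NON_COMPLIANT", (f"{perm.get('ipProtocol')} "
                                     f"{perm.get('fromPort')}-{perm.get('toPort')} open to {cidrs}")
    return "COMPLIANT", "No admin port exposed to 0.0.0.0/0 or ::/0"


def lambda_handler(event, context=None):
    """Build the evaluation for the CI carried in the event; a deployed rule would send it via PutEvaluations."""
    ci = json.loads(event["invokingEvent"])["configurationItem"]
    if ci["resourceType"] != "AWS::EC2::SecurityGroup":
        compliance, note = "NOT_APPLICABLE", "Rule only evaluates security groups"
    elif ci["configurationItemStatus"] in ("ResourceDeleted", "ResourceDeletedNotRecorded"):
        compliance, note = "NOT_APPLICABLE", "Resource was deleted"
    else:
        compliance, note = evaluate_security_group(ci["configuration"])
    return {"ComplianceResourceType": ci["resourceType"],
            "ComplianceResourceId": ci["resourceId"],
            "ComplianceType": compliance, "Annotation": note,
            "OrderingTimestamp": ci["configurationItemCaptureTime"]}
```

The sample group is reported NON_COMPLIANT because of the port 22 rule, while the HTTPS rule open to the world on its own would pass; a deployed rule would publish this result to AWS Config, which in turn raises the SNS notification described above.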

The following questions were written by SearchSecurity to test your knowledge of the excerpt above.

Stuart Scott has worked in the IT industry for more than two decades and has a broad background spanning a range of technologies, but his passion is AWS. Scott is the head of AWS content and security at Cloud Academy, where he has created more than 80 courses and taught more than 100,000 students. His content focuses on cloud security and compliance and on how to implement and configure AWS services to protect, monitor, and secure customer data in AWS. Scott has written many cloud security blogs and regularly holds webinars with AWS and leading AWS partners. He is a certified expert in the Experts Exchange community, and in January 2016 he was awarded the title of "Expert of the Year" for sharing his cloud services knowledge with the community.
