NimTechnology

Presenting CLOUD technologies in an easy-to-understand way.

[AWS] Solutions Architect Professional: Lesson 2 – Security

Posted on December 19, 2022 (updated December 23, 2022) by nim

https://media.datacumulus.com/aws-sap/AWS%20Certified%20Solutions%20Architect%20Professional%20Slides%20v3.1.1.pdf

Contents

  • 1) CloudTrail
    • 1.1) AWS CloudTrail
    • 1.2) CloudTrail Diagram
    • 1.3) CloudTrail Events
    • 1.4) CloudTrail Insights
    • 1.5) CloudTrail Events Retention
• 1.6) CloudTrail – Solution Architecture
      • 1.6.1) Delivery to S3
      • 1.6.2) Multi-Account, Multi-Region Logging
      • 1.6.3) Alert for API calls
      • 1.6.4) Organizational Trail
    • 1.7) CloudTrail: How to react to events the fastest?
  • 2) KMS
    • 2.1) AWS KMS (Key Management Service)
    • 2.2) KMS – KMS Key Types
    • 2.3) Types of KMS Keys
    • 2.4) KMS Key Material Origin
    • 2.5) KMS Key Source
      • 2.5.1) Custom Key Store (CloudHSM)
      • 2.5.2) External
    • 2.6) KMS Multi-Region Keys

1) CloudTrail

1.1) AWS CloudTrail

• Provides governance, compliance and audit for your AWS Account
• CloudTrail is enabled by default!
• Get a history of events / API calls made within your AWS Account by:
  • Console
  • SDK
  • CLI
  • AWS Services
• Can put logs from CloudTrail into CloudWatch Logs or S3
• A trail can be applied to All Regions (default) or a single Region.
• If a resource is deleted in AWS, investigate CloudTrail first!

1.2) CloudTrail Diagram

1.3) CloudTrail Events

• Management Events:
  • Operations that are performed on resources in your AWS account
  • Examples:
    • Configuring security (IAM AttachRolePolicy)
    • Configuring rules for routing data (Amazon EC2 CreateSubnet)
    • Setting up logging (AWS CloudTrail CreateTrail)
  • By default, trails are configured to log management events.
  • Can separate Read Events (that don’t modify resources) from Write Events (that may modify resources)
• Data Events:
  • By default, data events are not logged (because they are high-volume operations)
  • Amazon S3 object-level activity (ex: GetObject, DeleteObject, PutObject): can separate Read and Write Events
  • AWS Lambda function execution activity (the Invoke API)
• CloudTrail Insights Events:
  • See 1.4) CloudTrail Insights below

1.4) CloudTrail Insights

• Enable CloudTrail Insights to detect unusual activity in your account:
  • Inaccurate resource provisioning
  • Hitting service limits
  • Bursts of AWS IAM actions
  • Gaps in periodic maintenance activity
• CloudTrail Insights analyzes normal management events to create a baseline
• And then continuously analyzes write events to detect unusual patterns
  • Anomalies appear in the CloudTrail console
  • Event is sent to Amazon S3
  • An EventBridge event is generated (for automation needs)

1.5) CloudTrail Events Retention

• Events are stored for 90 days in CloudTrail
• To keep events beyond this period, log them to S3 and use Athena

1.6) CloudTrail – Solution Architecture

1.6.1) Delivery to S3

1.6.2) Multi-Account, Multi-Region Logging

1.6.3) Alert for API calls

• CloudWatch Logs metric filters can be used to detect a high volume of API calls
  • Ex: Count occurrences of the EC2 TerminateInstances API
  • Ex: Count of API calls per user
  • Ex: Detect a high level of Denied API calls

1.6.4) Organizational Trail

1.7) CloudTrail: How to react to events the fastest?

Overall, CloudTrail may take up to 15 minutes to deliver events.

• EventBridge:
  • Can be triggered for any API call in CloudTrail
  • The fastest, most reactive way

• CloudTrail Delivery in CloudWatch Logs:
  • Events are streamed
  • Can perform a metric filter to analyze occurrences and detect anomalies

• CloudTrail Delivery in S3:
  • Events are delivered every 5 minutes
  • Possibility of analyzing log integrity, delivering cross-account, long-term storage
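The three metric-filter examples from 1.6.3 and the delivery paths from 1.7, worked as an added example (this is not code from the original post or from the slide deck): a Go program that parses a constructed CloudTrail log file in the shape CloudTrail delivers to S3, computes the three counts, raises alarms against thresholds, and shows the equivalent CloudWatch Logs metric filter patterns and the EventBridge rule pattern for the fastest path. The records, user names, account ID and thresholds are constructed for this example; the field names (`eventSource`, `eventName`, `userIdentity`, `errorCode`) are CloudTrail's own.

```go
package main

import (
	"encoding/json"
	"fmt"
	"strings"
)

// Constructed sample in the shape of a CloudTrail log file delivered to S3
// (a top-level "Records" array). Names, times and account IDs are made up.
const sampleTrail = `{"Records":[
 {"eventTime":"2022-12-19T08:00:01Z","eventSource":"ec2.amazonaws.com","eventName":"TerminateInstances","awsRegion":"us-east-1","userIdentity":{"type":"IAMUser","userName":"alice"}},
 {"eventTime":"2022-12-19T08:00:05Z","eventSource":"ec2.amazonaws.com","eventName":"TerminateInstances","awsRegion":"us-east-1","userIdentity":{"type":"IAMUser","userName":"alice"}},
 {"eventTime":"2022-12-19T08:01:10Z","eventSource":"iam.amazonaws.com","eventName":"AttachRolePolicy","awsRegion":"us-east-1","userIdentity":{"type":"IAMUser","userName":"bob"},"errorCode":"AccessDenied"},
 {"eventTime":"2022-12-19T08:02:00Z","eventSource":"ec2.amazonaws.com","eventName":"DescribeInstances","awsRegion":"eu-west-1","userIdentity":{"type":"AssumedRole","arn":"arn:aws:sts::111122223333:assumed-role/Deployer/ci"}},
 {"eventTime":"2022-12-19T08:03:00Z","eventSource":"ec2.amazonaws.com","eventName":"RunInstances","awsRegion":"eu-west-1","userIdentity":{"type":"IAMUser","userName":"bob"},"errorCode":"Client.UnauthorizedOperation"}
]}`

// Only the record fields the three detections need; real records carry many more.
type UserIdentity struct {
	Type     string `json:"type"`
	UserName string `json:"userName"`
	ARN      string `json:"arn"`
}

type Record struct {
	EventSource  string       `json:"eventSource"`
	EventName    string       `json:"eventName"`
	UserIdentity UserIdentity `json:"userIdentity"`
	ErrorCode    string       `json:"errorCode"` // absent on successful calls
}

// Summary holds the three counts the slide lists as metric-filter examples.
type Summary struct {
	Terminates   int            // EC2 TerminateInstances occurrences
	CallsPerUser map[string]int // API calls per principal
	Denied       int            // calls rejected by IAM
}

// principal labels the caller: IAM user name, else the ARN (assumed roles have no
// userName), else the identity type.
func principal(u UserIdentity) string {
	switch {
	case u.UserName != "":
		return u.UserName
	case u.ARN != "":
		return u.ARN
	}
	return u.Type
}

// isDenied matches the two error-code families CloudTrail uses for authorization failures.
func isDenied(code string) bool {
	return strings.HasPrefix(code, "AccessDenied") || strings.HasSuffix(code, "UnauthorizedOperation")
}

// Summarize parses one log file and computes the counts over its records.
func Summarize(logFile string) (Summary, error) {
	var tf struct {
		Records []Record `json:"Records"`
	}
	if err := json.Unmarshal([]byte(logFile), &tf); err != nil {
		return Summary{}, err
	}
	s := Summary{CallsPerUser: map[string]int{}}
	for _, r := range tf.Records {
		s.CallsPerUser[principal(r.UserIdentity)]++
		if r.EventSource == "ec2.amazonaws.com" && r.EventName == "TerminateInstances" {
			s.Terminates++
		}
		if isDenied(r.ErrorCode) {
			s.Denied++
		}
	}
	return s, nil
}

// Alerts returns the detections whose count exceeds its threshold, the way a CloudWatch
// alarm on each metric filter would fire (the thresholds are example values).
func Alerts(s Summary, maxTerminates, maxDenied int) []string {
	var fired []string
	if s.Terminates > maxTerminates {
		fired = append(fired, "TerminateInstances")
	}
	if s.Denied > maxDenied {
		fired = append(fired, "DeniedCalls")
	}
	return fired
}

// The same two detections as CloudWatch Logs metric filter patterns (the CloudWatch Logs
// path of section 1.7).
var MetricFilterPatterns = map[string]string{
	"TerminateInstances": `{ ($.eventSource = "ec2.amazonaws.com") && ($.eventName = "TerminateInstances") }`,
	"DeniedCalls":        `{ ($.errorCode = "*UnauthorizedOperation") || ($.errorCode = "AccessDenied*") }`,
}

// The fastest path of section 1.7: an EventBridge rule pattern that matches the same API
// call as it happens, without waiting for log delivery.
const EventBridgePattern = `{
  "source": ["aws.ec2"],
  "detail-type": ["AWS API Call via CloudTrail"],
  "detail": {"eventSource": ["ec2.amazonaws.com"], "eventName": ["TerminateInstances"]}
}`

func main() {
	s, err := Summarize(sampleTrail)
	if err != nil {
		panic(err)
	}
	fmt.Printf("TerminateInstances=%d denied=%d perUser=%v\n", s.Terminates, s.Denied, s.CallsPerUser)
	fmt.Println("alarms fired:", Alerts(s, 1, 5))
	fmt.Println("metric filter:", MetricFilterPatterns["TerminateInstances"])
	fmt.Println("EventBridge pattern:", EventBridgePattern)
}
```

On the constructed sample the program counts two TerminateInstances calls, two denied calls and three distinct principals, and only the TerminateInstances alarm fires at the chosen thresholds. The metric filter patterns are the offline equivalent of `Summarize`; the EventBridge pattern reacts to a single matching call rather than a count, which is why it is the fastest option but needs a separate rule per API of interest.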

2) KMS

2.1) AWS KMS (Key Management Service)

• Anytime you hear “encryption” for an AWS service, it’s most likely KMS
• Easy way to control access to your data, AWS manages keys for us
• Fully integrated with IAM for authorization
• Seamlessly integrated into:
  • Amazon EBS: encrypt volumes
  • Amazon S3: Server-side encryption of objects
  • Amazon Redshift: encryption of data
  • Amazon RDS: encryption of data
  • Amazon SSM: Parameter store
  • Etc…
• But you can also use the CLI / SDK

2.2) KMS – KMS Key Types

• Symmetric (AES-256 keys)
  • First offering of KMS, single encryption key that is used to Encrypt and Decrypt
  • AWS services that are integrated with KMS use Symmetric KMS keys
  • Necessary for envelope encryption
  • You never get access to the KMS key unencrypted (must call KMS API to use)
• Asymmetric (RSA & ECC key pairs)
  • Public (Encrypt) and Private Key (Decrypt) pair
  • Used for Encrypt/Decrypt, or Sign/Verify operations
  • The public key is downloadable, but you can’t access the Private Key unencrypted
  • Use case: encryption outside of AWS by users who can’t call the KMS API

2.3) Types of KMS Keys

• Customer Managed Keys
  • Create, manage and use, can enable or disable
  • Possibility of rotation policy (new key generated every year, old key preserved)
  • Can add a Key Policy (resource policy) & audit in CloudTrail
  • Leverage for envelope encryption
• AWS Managed Keys
  • Used by AWS services (aws/s3, aws/ebs, aws/redshift)
  • Managed by AWS (automatically rotated every 1 year)
  • View Key Policy & audit in CloudTrail
• AWS Owned Keys
  • Created and managed by AWS, used by some AWS services to protect your resources
  • Used in multiple AWS accounts, but they are not in your AWS account
  • You can’t view, use, track, or audit them

2.4) KMS Key Material Origin

• Identifies the source of the key material in the KMS key
• Can’t be changed after creation

• KMS (AWS_KMS) – default
  • AWS KMS creates and manages the key material in its own key store
• External (EXTERNAL)
  • You import the key material into the KMS key
  • You’re responsible for securing and managing this key material outside of AWS
• Custom Key Store (AWS_CLOUDHSM)
  • AWS KMS creates the key material in a custom key store (CloudHSM Cluster)

2.5) KMS Key Source

2.5.1) Custom Key Store (CloudHSM)

• Integrate KMS with a CloudHSM cluster as a Custom Key Store
• Key materials are stored in a CloudHSM cluster that you own and manage
• The cryptographic operations are performed in the HSMs
• Use cases:
  • You need direct control over the HSMs
  • KMS keys need to be stored in dedicated HSMs
  • HSMs must be validated at FIPS 140-2 Level 3 (KMS is validated at FIPS 140-2 Level 2)

2.5.2) External

• Import your own key material into a KMS key: Bring Your Own Key (BYOK)
• You’re responsible for the key material’s security, availability, and durability outside of AWS
• Must be a 256-bit Symmetric key (Asymmetric is NOT supported)
• Can’t be used with a Custom Key Store (CloudHSM)
• Manually rotate your KMS key (Automatic Key Rotation is NOT supported)

2.6) KMS Multi-Region Keys

• A set of identical KMS keys in different AWS Regions that can be used interchangeably (~ same KMS key in multiple Regions)
• Encrypt in one Region and decrypt in other Regions (no need to re-encrypt or make cross-Region API calls)
• Multi-Region keys have the same key ID, key material, automatic rotation, …
• KMS Multi-Region keys are NOT global (Primary + Replicas)
• Each Multi-Region key is managed independently
• Only one primary key at a time, can promote replicas into their own primary
• Use cases: Disaster Recovery, Global Data Management (e.g., DynamoDB Global Tables), Active-Active Applications that span multiple Regions, Distributed Signing applications, …
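Envelope encryption from 2.2 and 2.3 (the KMS key never leaves the service, a per-object data key does the bulk work) and the multi-Region behaviour from 2.6 (a replica shares key ID and key material, an unrelated key in another Region does not), worked as one added example that is not part of the original post or the slide deck. `kmsSim`, `newKMS`, `Replicate` and the key IDs are assumptions of this example: a local stand-in for the KMS API built on AES-256-GCM from Go's standard library, not the AWS SDK.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
)

// kmsSim is a local stand-in for the KMS service (an assumption of this example, not the
// AWS API). rootKey is the KMS key's material: it never leaves the struct, so callers can
// only use it through GenerateDataKey and Decrypt, the constraint section 2.2 describes.
type kmsSim struct {
	keyID   string // shared by a multi-Region primary and its replicas
	region  string
	rootKey []byte // 256-bit symmetric key (AES-256, as in KMS)
}

func newKMS(keyID, region string) (*kmsSim, error) {
	k := make([]byte, 32)
	if _, err := rand.Read(k); err != nil {
		return nil, err
	}
	return &kmsSim{keyID: keyID, region: region, rootKey: k}, nil
}

// Replicate models creating a multi-Region replica (section 2.6): same key ID, same key
// material, different Region. A key created independently elsewhere shares neither.
func (k *kmsSim) Replicate(region string) *kmsSim {
	return &kmsSim{keyID: k.keyID, region: region, rootKey: append([]byte(nil), k.rootKey...)}
}

func gcmFor(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// aeadSeal returns nonce || ciphertext || tag; aad is authenticated but not encrypted.
func aeadSeal(key, plaintext, aad []byte) ([]byte, error) {
	gcm, err := gcmFor(key)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	return gcm.Seal(nonce, nonce, plaintext, aad), nil
}

func aeadOpen(key, sealed, aad []byte) ([]byte, error) {
	gcm, err := gcmFor(key)
	if err != nil {
		return nil, err
	}
	n := gcm.NonceSize()
	if len(sealed) < n {
		return nil, errors.New("ciphertext too short")
	}
	return gcm.Open(nil, sealed[:n], sealed[n:], aad) // fails on wrong key or tampering
}

// DataKey mirrors the GenerateDataKey response: a plaintext data key for local use plus the
// same key encrypted under the KMS key (the ciphertext blob) to store next to the data.
type DataKey struct{ Plaintext, CiphertextBlob []byte }

func (k *kmsSim) GenerateDataKey() (DataKey, error) {
	dk := make([]byte, 32)
	if _, err := rand.Read(dk); err != nil {
		return DataKey{}, err
	}
	blob, err := aeadSeal(k.rootKey, dk, []byte(k.keyID)) // key ID bound as AAD
	if err != nil {
		return DataKey{}, err
	}
	return DataKey{Plaintext: dk, CiphertextBlob: blob}, nil
}

// Decrypt unwraps a data key; in real KMS this is where IAM and the key policy are enforced.
func (k *kmsSim) Decrypt(blob []byte) ([]byte, error) {
	return aeadOpen(k.rootKey, blob, []byte(k.keyID))
}

// Envelope is what gets persisted: the encrypted data key and the data encrypted with it.
type Envelope struct{ EncryptedDataKey, Ciphertext []byte }

func zero(b []byte) {
	for i := range b {
		b[i] = 0
	}
}

func EnvelopeEncrypt(kms *kmsSim, plaintext []byte) (Envelope, error) {
	dk, err := kms.GenerateDataKey()
	if err != nil {
		return Envelope{}, err
	}
	defer zero(dk.Plaintext) // the plaintext data key lives only for this call
	ct, err := aeadSeal(dk.Plaintext, plaintext, nil)
	if err != nil {
		return Envelope{}, err
	}
	return Envelope{EncryptedDataKey: dk.CiphertextBlob, Ciphertext: ct}, nil
}

func EnvelopeDecrypt(kms *kmsSim, env Envelope) ([]byte, error) {
	dk, err := kms.Decrypt(env.EncryptedDataKey) // one KMS call per object, not per byte
	if err != nil {
		return nil, err
	}
	defer zero(dk)
	return aeadOpen(dk, env.Ciphertext, nil)
}

func main() {
	primary, err := newKMS("mrk-example-key-id", "us-east-1")
	if err != nil {
		panic(err)
	}
	replica := primary.Replicate("eu-west-1")
	unrelated, _ := newKMS("other-key-id", "eu-west-1")
	env, _ := EnvelopeEncrypt(primary, []byte("customer record"))
	pt, err := EnvelopeDecrypt(replica, env)
	fmt.Printf("replica decrypts: %q (err=%v)\n", pt, err)
	_, err = EnvelopeDecrypt(unrelated, env)
	fmt.Println("unrelated key decrypts:", err == nil)
}
```

The replica decrypts the envelope without any re-encryption, which is the 2.6 property, while the unrelated key fails at the `Decrypt` step because the data key is wrapped under different material; GCM's tag check also rejects any modified ciphertext. Binding the key ID as AAD is a local design choice to make a blob unusable under a key with a different ID even if material were ever shared.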
