AWS Certified Security Specialty All-in-One Exam Guide (Exam SCS-C01) Index
(AWSSecPrce 2021)
A
- reading, 47–48
- responding to, 60–69
- access and access control
- CloudFront, 377–378
- CloudHSM, 281
- CloudTrail, 183
- CloudWatch logs, 445
- CMKs, 256–261
- public certificates, 310–313
- Secrets Manager, 301–303
- security groups, 436–440
- VPCs, 475–482
- buckets, 561–562
- NACLs, 77, 431–435, 487–488
- S3, 531
- temporary credentials, 538–543
- authentication, 513
- compromised credentials, 73–74
- description, 15–16
- IAM, 59–60, 70, 73–74
- CloudFront, 224, 227–230
- Elastic Load Balancer, 223–224
- S3, 231–232
- information, 76–77
- accounting, monitoring for, 89
- ARNs, 511
- GuardDuty, 151
- hierarchical grouping, 546–547
- Macie, 152
- Organizations, 544–545, 582–583
- ACM (AWS Certificate Manager), 292
- overview, 307–308
- private certificates, 317–325
- public certificates, 308–317
- authorization documents, 521
- Active Directory (AD), 516–517, 585
- AD (Active Directory), 516–517, 585
- Java for, 282
- PKCS#11 for, 282
- Efficiency pillar, 10
- aggregators in Config, 122–124
- creating, 102–104
- monitoring, 91
- operations, 99–102
- ALBs. See Application Load Balancers (ALBs)
- automating, 59–60, 63–65
- CloudWatch, 91
- ACM certificates, 309
- aliases in CMKs, 242–243, 249–250
- All Users group for access control lists, 539
- alternate domain names in CloudFront, 376
- CloudTrail tables, 591–593
- data analysis, 221
- applications, 516
- components, 543
- Amazon Machine Images (AMIs)
- SSM agent, 496
- updating, 502–503
- policies, 525
- IAM, 567–568
- key identifiers, 250
- users, 510–511
- AMIs (Amazon Machine Images)
- SSM agent, 496
- updating, 502–503
- annotated documentation in Operational Excellence pillar, 3–4
- authorization, 386–390
- caching, 79
- client certificates, 391–392
- endpoints, 384–385
- integration types, 385
- overview, 381–382
- request validation, 385
- throttling, 79, 386
- Optimization pillar, 12–13
- Application Load Balancers (ALBs)
- listeners, 394
- logging, 396
- monitoring, 93
- vs. NLB, 397–398
- overview, 393
- ACM certificates, 308
- authentication, 515–516
- monitoring, 110–113
- Aqua tool, 503
- authentication, 590
- temporary credentials, 537
- authentication, 590
- temporary credentials, 537
- authentication, 590
- temporary credentials, 537
- asymmetric CMKs, 240, 267
- CloudTrail tables, 591–593
- data analysis, 221
- resource, 125
- auditing
- CloudTrail service, 177–193
- CMK usage, 254
- Config for, 120
- controls, 18–19
- AWS CloudHSM, 281
- CMKs, 256–261
- public certificates, 310–313
- Secrets Manager, 294–295, 301–303
- troubleshooting, 585–595
- API Gateway, 386–390
- failures, monitoring, 194
- IAM, 16–17, 520–537
- resource-based policies, 529–537
- CAP theorem, 12
- availability zones (AZs), 412–413, 417
- AWS Certificate Manager (ACM), 292
- overview, 307–308
- private certificates, 317–325
- public certificates, 308–317
- AWS CloudHSM. See CloudHSM
- AWS CloudTrail. See CloudTrail
- CMM, 331–333
- command-line interface, 342–343
- data keys, 330–332
- encryption context, 334
- keyrings, 333, 335–339
- overview, 330–332
- programming languages, 340–343
- AZs (availability zones), 412–413, 417
B
CloudHSM, 271, 277
data protection, 23–24
bad bot attacks, firewalls for, 400
base images, updating, 502–503
bastion hosts and public subnets, 475–479
behaviors, CloudFront, 373–375
BFD (Bidirectional Forwarding Detection), 447
BGP (Border Gateway Protocol)
Route 53, 368
Bidirectional Forwarding Detection (BFD), 447
alarms, 104
consolidated, 544–545
as suspicious activity, 46
binary conditions in identity-based policies, 525
blacklists in Geo Restriction, 380–381
Block Public Access feature, 541–543
Boolean conditions in identity-based policies, 525
Border Gateway Protocol (BGP)
Route 53, 368
bot attacks, firewalls for, 400
bottom line, monitoring for, 88
browsers, ACM certificates for, 308
Bucket field in S3 access logs, 232
Bucket Owner field in S3 access logs, 232
bucket-owner-full-control ACLs, 541
access control lists, 538–541, 561–562
CloudFront, 380–381, 482
CloudTrail log access, 183
permissions, 166–167, 570
policies, troubleshooting, 559–565
S3, 153–157
built-in metrics in CloudWatch, 94
bytes field in VPC flow logs, 223
Bytes Sent field in S3 access logs, 232
C
c-ip field in CloudFront access logs, 228
c-port field in CloudFront access logs, 230
AWS Encryption SDK, 340–341
keyrings, 333
API Gateway, 79
CloudFront, 378–379
data key, 343–347
canaries, health check, 112–113
Canonical Name (CNAME) records, 311–312
CAP theorem, 12
capacity in Reliability pillar, 8–9
CAs (Certificate Authorities)
ACM, 292
AWS CloudHSM, 271
private certificates, 318–321
CD/CI (continuous delivery and continuous integration) development cycle, 89
certificate ARNs, 458
Certificate Authorities (CAs)
ACM, 292
AWS CloudHSM, 271
private certificates, 318–321
Certificate Manager for CMKs, 243
certificate revocation lists (CRLs), 320
ACM, 292
API Gateway, 391–392
CloudFront, 377
change histories, Config for, 120
change management in Reliability pillar, 9
Operational Excellence pillar, 4
Trusted Advisor, 167
checks in Trusted Advisor, 167–168
chosen_cert_arn field in Elastic Load Balancer log access, 226
CIDR (Classless Inter-Domain Routing)
API Gateway resource policies, 389
VPCs, 418–420
cipher-block chaining in API Gateway, 390
Cipher Suite field in S3 access logs, 232
Classic Elastic Load Balancer, 392
Macie, 157–159
overview, 21–22
Classless Inter-Domain Routing (CIDR)
API Gateway resource policies, 389
VPCs, 418–420
clean rooms, 24–25
authentication, 512–513
AWS Encryption SDK, 342–343
client certificates in API Gateway, 391–392
client:port field in Elastic Load Balancer log access, 225
access control, 377–378
behaviors, 373–375
caches, 378–379
configuring, 481–482
domain names, 376
Geo Restriction, 380–381
origins, 374–376
overview, 372–373
S3, 380
web application delivery, 479–482
CloudHSM authentication and access control, 281
clusters, 272–277
key management, 279–280
monitoring, 284–286
overview, 239–240, 270–271
software libraries, 281–283
user management, 278–279
utilities, 280–281
cloudhsm_mgmt_util utility, 278, 280–281
CloudTrail access to, 183
authentication, 585, 587–593
building blocks, 179–180
CMKs, 242, 254
configuring, 180–184
encryption context, 252
governance and risk auditing, 177–193
logs, GuardDuty analysis of, 142
logs, monitoring, 193–202
non-API service events and console sign-in events, 203
notifications, 203
public certificate monitoring, 316–317
regions, 183–184
CloudWatch, 18
alarms, 99–104
application monitoring, 110–113
events, 104–110
goals, 89–90
infrastructure monitoring, 90–92
introduction, 87–89
metrics, 92–99
questions, 114–118
resources, 118
review, 113–114
CloudWatch Logs access to, 445
agents, 206–218
CloudTrail logs monitoring, 193–202
CloudWatch Logs Insights, 205–206
components, 205
description, 180
overview, 203–204
working with, 50
CloudWatch Logs Insights, 205–206
clusters in AWS CloudHSM activating, 276–277
creating, 272–273
CSRs, 275
EC2 instance connections, 273–274
initializing, 275–276
CMKs. See customer master keys (CMKs)
CMM (cryptographic materials manager)
AWS Encryption SDK, 331–334
keyrings, 335–336
CMPs (Cryptographic Materials Providers), 350–357
CNAME (Canonical Name) records, 311–312
CNG (Cryptography API: Next Generation) API, 283
CO (Crypto Officer) in AWS CloudHSM, 278
code in Operational Excellence pillar, 3
Cognito service applications, 516
components, 543
collections in Amazon DynamoDB, 348–349
authentication, 512–513
AWS Encryption SDK, 342–343
Command type field in CloudHSM logs, 285
CloudWatch Logs Insights, 206
Config for, 120
enhanced. See enhanced security monitoring and compliance services
compromised credentials, remediating, 73–77, 151
compromised EC2 instances, remediating, 70–72
Condition field in authorization documents, 521
IAM, 525–527
Web Application Firewall, 401–403
Config service aggregators, 122–124
configuration history, 126
configuration items, 124–126
configuration recorder, 128
configuration snapshots, 126–128
configuration streams, 128–129
conformance packs, 140–141
overview, 120–121
rules, 129–140
setting up, 121–122
CloudFront, 481–482
CloudTrail, 180–184
CloudWatch alarms, 103–104, 151
monitoring for, 89
S3 lifecycle policies, 575–581
Session Manager remote access, 503–505
configure tool for AWS CloudHSM, 281
conformance packs in Config service, 140–141
consistency in CAP theorem, 12
console sign-in events, logging, 203
consolidated billing in Organizations, 544–545
constraints for grants, 260
consumption model in Cost Optimization pillar, 12
Container Insights service, 110
containment stage in incident response plans, 30
continuous delivery and continuous integration (CD/CI) development cycle, 89
Contributor Insights service, 110
cookies in CloudFront, 229, 377–378, 481
cost optimization in Trusted Advisor, 166
best practices, 13
Could Not Parse Metadata message, 597
CPUUtilization metric in CloudWatch, 93
create-saml-provider command, 518
IAM. See Identity and Access Management (IAM)
secrets, 294–297, 303–306
temporary, 537–543
CRLs (certificate revocation lists), 320
cross-account permissions for buckets, 570
cross-site scripting (XSS), firewalls for, 399–400
Crypto Officer (CO) in AWS CloudHSM, 278
Crypto User (CU) in AWS CloudHSM, 278
cryptographic materials manager (CMM)
AWS Encryption SDK, 331–334
keyrings, 335–336
Cryptographic Materials Providers (CMPs), 350–357
Cryptographic Module Validation Program, 239
cryptographic-related services
AWS Certificate Manager. See AWS Certificate Manager (ACM)
overview, 291–293
questions, 326–328
resources, 328
review, 325
Secrets Manager. See Secrets Manager
KMS. See Key Management Service (KMS)
overview, 239–240
questions, 286–289
resources, 289
review, 286
AWS Encryption SDK. See AWS Encryption SDK
DynamoDB Encryption Client. See DynamoDB Encryption Client
overview, 329–330
questions, 362–364
resources, 364
review, 361–362
Cryptography API: Next Generation (CNG) API, 283
cs fields in CloudFront access logs, 228–230
CSRs, cluster, 275
CU (Crypto User) in AWS CloudHSM, 278
custom data identifiers in Amazon Macie, 159–161
custom domains in API Gateway, 390–391
custom headers in CloudFront, 376
custom metrics in CloudWatch, 94–98
custom rules in Config, 132–140
custom services, VPC endpoints for, 445–446
customer gateways in Direct Connect, 453–455
customer-managed CMKs, 241–242
customer managed policies, 522
customer master keys (CMKs), 239–240
aliases, 242–243, 249–250
asymmetric, 267
authentication and access control, 256–261
creating, 255
deleting, 256, 265–266
envelope encryption, 251–252
grants, 259–260
key identifiers, 249–250
keyrings, 337
modifying, 256, 264–265
monitoring, 270
overview, 240–241
policies, 257–260
rotation, 267–268
symmetric, 261–264, 266–267
customer trust, monitoring for, 88
D
DAST (dynamic application security testing) tools, 503
protecting, 23
data center operations in Cost Optimization pillar, 12
data events in CloudTrail, 181
data identifiers in Macie, 159–161
protecting, 23
AWS Encryption SDK, 330–332
caching, 343–347
CMKs, 240–242
keyrings, 335–339
overview, 243–245, 332
pairs, 246–248
backup, replication, and recovery, 23–24
classification, 21–22
data at rest, 23
data in transit, 23
tokenization and encryption, 22
date conditions in identity-based policies, 525
date field in CloudFront access logs, 228
DDoS attacks. See Distributed Denial of Service (DDoS) attacks
DDoS response teams (DRTs), 405–406
debugging CloudWatch Logs Insights, 206
dedicated connections in Direct Connect, 449–450
CMKs, 256, 265–266
secrets, 298
delimiters for buckets, 560
deployment of ACM certificates, 308
describe-instances command, 476–478, 485
describe-network-acls command, 477
describe-route-tables command, 477
describe-security-groups command, 479
DescribeTable operation in DynamoDB
Cost Optimization pillar, 12–13
Operational Excellence pillar, 3–5
Performance Efficiency pillar, 10
Reliability pillar, 8–9
detective controls
auditing controls, 18–19
logs, 17–18
overview, 17
DevOps and DevSecOps, 89, 502–505
DHCP (Dynamic Host Configuration Protocol), 417, 428–430
dimensions in CloudWatch metrics, 94
connection types, 449–451
global infrastructure locations, 414
virtual private interfaces, 451–454
VPC connections, 446–455
VPNs, 459–460
discovering sensitive data in Amazon Macie, 157–162
Distributed Denial of Service (DDoS) attacks
API Gateway for, 382
CloudFront for, 373, 379
CloudWatch for, 93
for, 367–368
Shield for, 31, 403–406
Distributed Reflection Denial of Service (DRDoS) attacks, 372
DNS. See Domain Name System (DNS)
Do nothing attribute in Amazon DynamoDB Encryption Client, 353
documentation in Operational Excellence pillar, 3–4
domain_name field in Elastic Load Balancer log access, 226
domain name servers in DNS resolution, 368
attacks on, 371–372
records for ACM certificates, 311–312
VPCs, 428–430
ACM certificates, 308
CloudFront, 376
domain validation (DV) for ACM certificates, 308
domains in public certificates, 315
DRDoS (Distributed Reflection Denial of Service) attacks, 372
DRTs (DDoS response teams), 405–406
dstaddr field in VPC flow logs, 223
dstport field in VPC flow logs, 223
DV (domain validation) for ACM certificates, 308
dynamic application security testing (DAST) tools, 503
dynamic credentials in IAM, 15
Dynamic Host Configuration Protocol (DHCP), 417, 428–430
DynamoDB Encryption Client, 329–330
client-side vs. server-side, 348
CMPs, 351, 355–357
DynamoDB Encryption Context, 354–355
encrypted and signed fields, 348–350
material descriptions, 353–354
operation, 350–351
overview, 347–348
programming languages, 357–361
DynamoDB Encryption Context, 354–355
E
accounts, 544
e-mail notifications for alerts, 63–65
e-mail validation for ACM certificates, 312
CMKs, 241
grants, 259–260
automating commands for, 80–82
CloudWatch alarms, 102–103
cluster connections, 273–274
compromised, 70–72
grants, 259–260
IAM credentials, 514–515
Internet Gateway, 483–491
metrics, 208–218
monitoring, 194
NACLs, 432–433, 487–488
route tables, 488–489
security groups, 72, 437, 486–487
Session Manager, 503–505
SSM endpoints, 496–498
VPCs, 420–423
EC2 service, monitoring, 93
ECC (elliptic curve cryptography) key pairs
CMKs, 240, 267
data keys, 246
NIST curves, 282
ECDSA (Elliptic Curve Digital Signature Algorithm)
AWS Encryption SDK, 334, 340
PKCS#11 for, 282
ECMP protocol, 464
economics in Organizations, 582
edge consolidation in transit gateway, 464
edge locations in global infrastructure, 413–414
API Gateway. See API Gateway
CloudFront. See CloudFront
Elastic Load Balancer, 392–398
introduction, 365–367
questions, 407–410
resources, 410
review, 406
Shield, 403–406
WAF, 398–403
Effect field in authorization documents, 521
efficiency measures in Cost Optimization pillar, 12
questions, 492–494
review, 491
troubleshooting, 483–491
egress-only Internet Gateway, 424–425
CMKs, 241
grants, 259–260
Elastic Compute Cloud (EC2). See EC2 instances
EC2 instances, 484–486
VPCs, 431
Elastic Load Balancer (ELB)
Application, 393–394
Classic, 392
description, 392
EC2 instances, 438
logs, 177, 223–227, 396
Network, 395
requests, 397–398
security policies and forward secrecy, 395–396
Server Name Indicator, 396–397
Elastic Network Interface (ENI), 430
ELB. See Elastic Load Balancer (ELB)
elb field in Elastic Load Balancer log access, 225
elb_status_code field in Elastic Load Balancer log access, 226
elliptic curve cryptography (ECC) key pairs
CMKs, 240, 267
data keys, 246
NIST curves, 282
Elliptic Curve Digital Signature Algorithm (ECDSA)
AWS Encryption SDK, 334, 340
PKCS#11 for, 282
Enable Private DNS Name option, 446
Encrypt and sign attribute for DynamoDB Encryption Client, 353
encrypted-volumes
Macie, 159–160
encryption. See also AWS Encryption SDK; cryptographic-related services; cryptographic services; cryptographic tools
data protection, 22
S3, 574
AWS Encryption SDK, 334–335
DynamoDB Encryption Client fields, 348–350
Encryption SDK, 329–330
EncryptionContextEquals constraint, 260
EncryptionContextSubset constraint, 260
end field in VPC flow logs, 223
API Gateway, 384–385
gateways, 443
interface, 441–442
policies, 444–446
VPCs, 440–446
enhanced security monitoring and compliance services, 119
GuardDuty, 141–151
Macie, 152–162
questions, 170–173
resource configuration monitoring. See Config service
resources, 173
review, 169–170
Trusted Advisor, 165–168
envelope encryption, 251–252, 330
eradication stage in incident response plans, 30
Error Code field in S3 access logs, 232
error_reason field in Elastic Load Balancer log access, 227
event investigation, 29
incident response. See incident response
questions, 55–57
resources, 58
review, 54–55
root cause analysis, 47–54
event preparation in Security pillar, 7
event remediation and planning
automating. See automation
compromised EC2 instances, 70–72
credentials, 73–77
questions, 83–85
resources, 85
review, 82–83
alerts, 63–69
CloudTrail, 142, 179, 181
CloudWatch, 91, 104–110
CloudWatch Logs, 205
Secrets Manager, 306–307
sign-in, 203
evolution in Operational Excellence pillar, 5
excluded items in Trusted Advisor, 167
expenditures in Cost Optimization pillar, 12–13
experimentation in Performance Efficiency pillar, 10
expiration actions in S3 lifecycle, 572–574, 577, 579–581
expired status in public certificates, 316
F
failed authorization, monitoring, 194
failed login attempts, monitoring, 208–218
failed status in public certificates, 316
Failed to Assume Role: Issuer Not Present in Specified Provider message, 597
failure anticipation in Operational Excellence pillar, 4
failure management in Reliability pillar, 9
failure recovery in Reliability pillar, 8
Falcon Endpoint Protection Premium, 502
fault tolerance for Trusted Advisor, 166
faults, monitoring for, 89
IAM, 16, 516–520
troubleshooting, 595–597
Field-level Encryption Config setting in CloudFront, 375
CloudWatch Logs metrics, 205
GuardDuty, 143–144
Macie, 158–162
root cause analysis, 51–54
fine-grained authorization, 16–17
firewalls. See Web Application Firewall (WAF)
fle-encrypted-fields field in CloudFront access logs, 230
fle-status field in CloudFront access logs, 230
DNS, 371–372
firewalls for, 400
folders in S3, 559–560
follow-up stage in incident response plans, 30
benefits, 77–78
Elastic Load Balancer, 395–396
forwarding resolvers in DNS resolution, 368
foundations in Reliability pillar, 9
FULL_CONTROL permissions for access control lists, 539–540
FullAWSAccess policy, 545–546, 584
G
API Gateway. See API Gateway
Direct Connect, 453–455
endpoints, 443
Internet. See Internet Gateway
NAT, 490–491, 497
General Data Protection Regulation (GDPR), 152
generate-client-certificate command, 392
generate-credential-report command, 585–586
GenerateDataKey operations, 244, 253
GenerateDataKeyWithoutPlaintext call, 244, 247
geo match conditions in WAF, 401
Geo Restriction in CloudFront, 380–381
get-bucket-policy command, 482
get-credential-report command, 586
get-distribution-config command, 482
get-query-execution command, 594
get-query-results command, 594–595
get-random-password command, 297
GetFederationToken action, 537
getLocalCryptographicMaterialsCache function, 346
GitHub, accidental commits to, 76–77
Glacier, 572–574
availability zones, 412–413
description, 411
Outposts, 414
public vs. VPC attached services, 415
regions, 411–412
service availability, 415–416
global operations in Performance Efficiency pillar, 10
governance and risk auditing in CloudTrail, 177–193
CMKs, 259–260
creating, 253
encryption context, 252
tokens, 253–254
CloudWatch Logs, 205
IAM, 510
security. See security groups
attack simulation, 144–151
configuration, 151
data sources, 142–143
enabling, 143
findings, 143–144
overview, 141–142
root cause analysis, 51–52
H
hardware security modules (HSMs). See CloudHSM
headers in CloudFront, 376
health check canaries, 112–113
HIDS (host IDS), 501–502
hierarchical grouping in Organizations, 546–547
high-resolution metrics in CloudWatch, 99
configuration, 126
event, 588
DevOps, 502–505
overview, 495–501
questions, 506–508
resources, 508
review, 506
Host Header field in S3 access logs, 232
Host Id field in S3 access logs, 232
host IDS (HIDS), 501–502
host-level boundaries, protecting, 19–20
hosted connections in Direct Connect, 449–450
HTTP flooding, firewalls for, 400
HTTP Only option in CloudFront, 375
API Gateway, 382, 385
CloudFront, 481
HTTP status field in S3 access logs, 232
HTTPCode_ELB_4XX_Count metric in CloudWatch, 93
HTTPS protocol in CloudFront, 375
human interaction in Security pillar, 6
Hyperplane technology, 423
I
IAM. See Identity and Access Management (IAM)
identification stage in incident response plans, 30
identifiers in IAM, 511–512
Identity and Access Management (IAM)
Amazon Cognito, 543
applications, 515–516
ARNs, 510–511
authentication, 509–520, 585–587
authorization, 520–537
CLI, 513
CloudTrail log access, 183
CMKs, 258–259
compromised EC2 instances, 70
credentials, compromised, 151
credentials, EC2 instances, 514–515
credentials, protecting, 15–16
credentials, remediating, 73–77
credentials, role, 513–515
credentials, temporary, 537–543
federation, 516–520
fine-grained authorization, 16–17
identifiers, 511–512
Organizations, 543–547
overview, 14–15
privilege escalation, 194–199
questions, 550–557
resources, 557
review, 550
roles, 513–515
root users, 510
secrets, 301
single sign-on, 548–549
Trusted Advisor, 166
authorization, 522–529
conditions, 525–527
NotAction and NotResource elements, 527–529
operation, 523–524
identity foundation in Security pillar, 6
identity in Security pillar, 7
identity pools in Amazon Cognito, 543
IDS/IPS (intrusion detection system/intrusion prevention system), 501
If exists conditions in identity-based policies, 525
updating, 502–503
importing public certificates, 313–314
inactive status in public certificates, 316
inbound rules for security groups, 436–437
inbound traffic restrictions for networks, 433–434
Amazon EMR, 39
Amazon Kinesis, 39–40
Athena, 39
clean rooms, 24–25
CloudTrail, 35–37
CloudWatch Logs, 37–38
Config, 33–35
GuardDuty, 40–41
Macie, 44–45
Shield, 31–32
WAF, 32–33
incident response plans (IRPs) stages, 29–30
global. See global infrastructure
monitoring in CloudWatch, 90–92
network. See network infrastructure
network- and host-level boundaries, 19–20
system security configuration and maintenance, 20–21
questions, 492–494
review, 491
troubleshooting, 475–482
initialization vectors (IVs) in AWS Encryption SDK, 340
injection attacks, firewalls for, 400–401
inline policies for authorization, 522
Insights events in CloudTrail, 181–182
instance compromise, GuardDuty for, 141
INSUFFICIENT_DATA state in CloudWatch alarms, 100
integration types in API Gateway, 385
integrity for CloudTrail logs, 192–193
interface-id field in VPC flow logs, 223
EC2 instances, 483–491
egress-only, 424–425
Systems Manager, 497
VPCs, 420–422
intrusion detection system/intrusion prevention system (IDS/IPS), 501
investigation stage in incident response plans, 30
CloudFront, 378
DNS resolution. See Domain Name System (DNS)
EC2 instances, 484–486, 514
GuardDuty, 142
identity-based policy conditions, 525
VPCs. See virtual private clouds (VPCs)
WAF, 401
IRPs (incident response plans) stages, 29–30
isolation in Organizations, 583
issuing private certificates, 322–323
item encryptors in Amazon DynamoDB Encryption Client, 352–353
IVs (initialization vectors) in AWS Encryption SDK, 340
J
Java Cryptographic Extension (JCE) provider framework, 282
Amazon DynamoDB Encryption Client, 357–359
AWS CloudHSM, 282
AWS Encryption SDK, 340–341
JavaScript programming language
AWS Encryption SDK, 340–342
keyrings, 333
JCE (Java Cryptographic Extension) provider framework, 282
authorization, 520–522
CloudTrail logs, 178
snapshots, 127–128
K
Key Encryption Keys (KEKs), 251
Key field in S3 access logs, 232
key identifiers (KeyIds), 249–250
key management infrastructure (KMI), 255
CloudTrail, 180
CloudTrail logs, 191
CMKs. See customer master keys (CMKs)
cryptographic operations, 249
data keys, 243–248
description, 105
DynamoDB Encryption Client, 355–356
encryption context, 252–253
envelope encryption, 251–252
grants, 253–254
key identifiers, 249–250
key management infrastructure, 255
overview, 239–240
key_mgmt_util utility, 279–281
key storage providers (KSPs), 283
KeyIds (key identifiers), 249–250
keyrings
AWS Encryption SDK, 333, 335–339
KMS, 337–338
master key compatibility, 337
operation, 335–336
overview, 335
raw, 338–339
keys
CloudHSM, 279–280
conditions, 525–526
Kinesis in incident response, 39–40
KMI (key management infrastructure), 255
KMS. See Key Management Service (KMS)
kms:CallerAccount condition, 259
kms:Decrypt permission, 338
kms:Encrypt permission, 338
kms:GenerateDataKey permission, 338
kms:GrantIsForAWSResource condition, 259
KSPs (key storage providers), 283
L
Lambda authorizer, 386–389
Lambda functions
API Gateway, 385
CloudWatch events, 106
secrets, 304
least privilege concept in IAM, 15
Letter of Authorization and Connecting Facility Assignment (LOA-CFA), 449–451
libraries in AWS CloudHSM, 281–283
Lifecycle Manager, 578
lifecycle policies in S3, 572–581
lifetime of private certificates, 319
list-distributions command, 480
listeners in Application Load Balancers, 394
LOA-CFA (Letter of Authorization and Connecting Facility Assignment), 449–451
load shedding in API Gateway, 386
Local Zones in global infrastructure, 414
LocalCryptoMaterialsCache constructor, 345–346
Log Delivery Group for access control lists, 539
log-status field in VPC flow logs, 223
Log type field in AWS CloudHSM logs, 285
login attempts, monitoring, 208–218
loginHSM command, 277
logs
ACM certificates, 310
capabilities, 176–177
capturing and analyzing, 17–18
CloudFront, 224, 227–230
CloudHSM, 284–286
CloudTrail. See CloudTrail
CloudWatch. See CloudWatch
Elastic Load Balancer, 223–227, 396
introduction, 175
questions, 233–237
resources, 237
review, 233
root cause analysis, 48–50
sources, 176
VPC flow logs, 38, 50, 219–223
long-term retention of CloudWatch Logs, 204
lookup-events command, 589–590
M
Macie
custom data identifiers, 159–161
findings, 161–162
overview, 152–153
root cause analysis, 51, 54
malicious IP addresses, GuardDuty for, 142
malicious network requests, blocking, 435
managed policies for authorization, 522
managed rules in Config, 130–131
managed services in Cost Optimization pillar, 12
management events in CloudTrail, 181
management security groups, 438–440
CMKs. See customer master keys (CMKs)
description, 332
keyrings, 337
providers, 333
master Security Hub accounts, 163
Match Viewer option in CloudFront, 375
matched_rule_priority field in Elastic Load Balancer log access, 226
material descriptions in DynamoDB Encryption Client, 353–354
mechanical sympathy in Performance Efficiency pillar, 10
member Security Hub accounts, 163
memory metrics in EC2 instances, 208–218
metadata in configuration items, 124–126
CloudHSM, 285–286
CloudWatch, 92–99
CloudWatch Logs, 205
CloudWatch Logs agent, 207
EC2 instances, 208–218
MFA (multifactor authentication)
description, 510
IAM, 15–16, 585
Mock option in API Gateway, 385
MofN access control, 279
CloudHSM, 284–286
CloudTrail logs, 193–202
CloudWatch. See CloudWatch
CMKs, 270
Performance Efficiency pillar, 11
public certificates, 316–317
resource configuration. See Config service
Secrets Manager, 306–307
Trusted Advisor checks, 167–168
most recent providers in DynamoDB Encryption Client, 356
multiaccount strategy in Organizations, 582–583
multifactor authentication (MFA)
description, 510
IAM, 15–16, 585
GuardDuty, 151
Macie, 152
multiple regions in CloudTrail logs, 183–184
N
NACLs (Network Access Control Lists)
EC2 instances, 487–488
VPCs, 431–435
name servers for DNS resolution, 368
names
accounts, 544
ACM certificates, 308–309
CloudWatch metrics, 93
IAM, 511–512
users, 510
namespaces for CloudWatch metrics, 93
NAT (Network Address Translation) gateways
overview, 422–424
Systems Manager, 497
VPCs, 490–491
Network Access Control Lists (NACLs)
EC2 instances, 487–488
VPCs, 431–435
Network Address Translation (NAT) gateways
overview, 422–424
Systems Manager, 497
VPCs, 490–491
network connections, on-premises, 446–459
network infrastructure, 411
access control, 431–440
global, 411–416
questions, 471–474
review, 469–471
VPCs. See virtual private clouds (VPCs)
network-level boundaries, protecting, 19–20
Network Load Balancers (NLBs)
vs. ALB, 397–398
description, 395
NetworkIn metric in CloudWatch, 93
NewConnectionCount metric in CloudWatch, 93
NLBs (Network Load Balancers)
vs. ALB, 397–398
description, 395
non-API service events, logging, 203
noncompliant security groups, remediating, 136–140
Not Authorized to Perform sts:AssumeRoleWithSAML message, 596
NotAction elements in identity-based policies, 527–529
alerts, 63–65
CloudTrail, 203
Trusted Advisor, 167
NotResource elements in identity-based policies, 527–529
numeric operations in identity-based policies, 525
O
OAIs (Origin Access Identities), 482
Object Size field in S3 access logs, 232
objects in S3. See also buckets
ACLs, 561
overview, 559–560
permissions, 562–565
OCSP (Online Certificate Status Protocol), 292–293
OK state in CloudWatch alarms, 100
on-premises network connections in VPCs, 446–459
one-time contacts in event indicators, 47
Online Certificate Status Protocol (OCSP), 292–293
Opcode field in AWS CloudHSM logs, 285
OpenSSL, 283
Operation field in S3 access logs, 232
best practices, 5
operational failures in Operational Excellence pillar, 4–5
operational troubleshooting in CloudWatch Logs Insights, 206
Operational Excellence pillar, 4–5
Organizations, 582
OR operator for identity-based policies, 526
accounts, 544–545
hierarchical grouping, 546–547
overview, 543–544
SCPs, 533–534, 545–546, 582–584
services integration, 547
trails, 182
Origin Access Identities (OAIs), 482
origins in CloudFront, 374–376, 481
OSSEC Server Intrusion Detection System, 502
outbound rules in security groups, 436–437
outcomes, monitoring for, 89
Outposts in global infrastructure, 414
outreach in event indicators, 46–47
OWASP Top 10 list of vulnerabilities, 401
P
packets field in VPC flow logs, 223
partition tolerance in CAP theorem, 12
partitions in ARNs, 511
partner tools, 46
pass-through JCE key stores, 282
IAM. See Identity and Access Management (IAM)
secrets, 294–297
patches
description, 496
Systems Manager, 498–500
PEM (Privacy Enhanced Mail) encoding, 314
pending automatic renewal status for public certificates, 316
pending validation status for public certificates, 316
perfect forward secrecy, 77–78
monitoring for, 89
Trusted Advisor, 166
best practices, 10–12
periods in CloudWatch metrics, 94
access control lists, 539–540
boundaries, in resource-based policies, 531–533
buckets, 166–167, 570
CMKs, 257–258
compromised credentials, 75
IAM. See Identity and Access Management (IAM)
secrets, 296, 301
Personal Health Dashboard, 61–69
PKCS#11 library, 282–283
data keys, 244–248
encryption context, 252
envelope encryption, 251
API Gateway resources, 389
authorization, 520–522
authorization, identity-based, 522–529
authorization, resource-based, 529–537
buckets, troubleshooting, 559–565
CMKs, 257–260
Elastic Load Balancer, 395–396
endpoints, 444–446
SCP. See service control policies (SCPs)
secrets, 301–303
session, 534–537
tag, 546
pre-shared keys in site-to-site VPNs, 459
PRECO (Precrypto Officer) in AWS CloudHSM, 278
prefixes
buckets, 560
premortem exercises in Operational Excellence pillar, 4–5
preparation in Operational Excellence pillar, 5
preparation stage in incident response plans, 30
Principal field in authorization documents, 521
principals in IAM, 14–15
Privacy Enhanced Mail (PEM) encoding, 314
private CAs, 292
ACM, 317–325
CAs, 318–321
creating, 323–325
issuing and revoking, 322–324
monitoring, 325
overview, 317–319
private endpoints in API Gateway, 385
private hosted zones in DNS, 370
private VIFs, 451
endpoints, 441, 443
privilege escalation, monitoring, 194–202
ProcessedBytes metric in CloudWatch, 93
profits, monitoring for, 88
AWS Encryption SDK, 340–343
DynamoDB Encryption Client, 357–361
protecting sensitive data in Macie, 152–162
protocol field in VPC flow logs, 223
provider stores in DynamoDB Encryption Client, 355
ACM, 308–317
characteristics, 308–310
importing, 313–314
managing, 310–313
monitoring, 316–317
renewing, 315–316
requesting, 313
public IP addresses for EC2 instances, 484–486
public-read-write ACLs, 541
public services in global infrastructure, 415
public subnets for bastion hosts, 475–479
public VIFs, 451–452
publishing CloudWatch metrics, 95–98
put-bucket-lifecycle command, 581
put-metric-data command, 98–99
AWS Encryption SDK, 340, 342
DynamoDB Encryption Client, 359–361
Q
queries for CloudWatch Logs, 204
query strings in CloudFront, 481
R
rate-based rules for WAF, 402–403
RCA. See root cause analysis (RCA)
RDK (Rule Development Kit), 132–135
rds-instance-public-access-check rule, 130
RDS (Relational Database Service) database logs, 177
READ_ACP permissions for access control lists, 539
READ permissions for access control lists, 539
real-time application, CloudWatch Logs monitoring for, 204
Reboot counter field in AWS CloudHSM logs, 285
received_bytes field in Elastic Load Balancer log access, 226
recent changes in Trusted Advisor, 167
reconnaissance, GuardDuty for, 141
recorder, configuration, 128
data protection, 23–24
recursive resolvers in DNS, 368–369
redirect_url field in Elastic Load Balancer log access, 227
Referer field in S3 access logs, 232
refreshing Trusted Advisor, 167
regional endpoints in API Gateway, 384
ARNs, 511
CloudTrail logs, 183–184
CloudTrail trails, 180
global infrastructure, 411–412
RejectedConnectionCount metric in CloudWatch, 93
related events in configuration items, 125
Relational Database Service (RDS) database logs, 177
relationships, resource, 125
best practices, 9
automating. See automation
Config, 131–132, 136–140
event. See event remediation and planning
remote access with Session Manager, 503–505
Remote IP field in S3 access logs, 232
renewing
ACM certificates, 308
public certificates, 315–316
data protection, 23–24
secrets, 303–304
Representational State Transfer (REST) APIs, 382–383
request field in Elastic Load Balancer log access, 226
request_creation_time field in Elastic Load Balancer log access, 226
Request ID field in S3 access logs, 232
request_processing_time field in Elastic Load Balancer log access, 225
Request-URI field in S3 access logs, 232
request validation for API Gateway, 385
Requested DurationSeconds Exceeds MaxSessionDuration Set for This Role message, 597
requested material descriptions in DynamoDB Encryption Client, 354
Requester field in S3 access logs, 232
Require Acceptance For Endpoint option, 446
resource attributes in configuration items, 125
authorization, 529–537
Organizations SCPs, 533–534
permission boundaries, 531–533
session, 534–537
resource configuration monitoring. See Config service
Resource field in authorization documents, 521
resource owners in S3, 560–561
API Gateway, 389
secrets, 301–303
ARNs, 511
Cost Optimization pillar, 13
Response field in CloudHSM logs, 285
response_processing_time field in Elastic Load Balancer log access, 225
Response Signature Invalid message, 597
REST (Representational State Transfer) APIs, 382–383
Restrict Viewer Access setting in CloudFront, 375
retention of CloudWatch Logs, 204
reversible changes in Operational Excellence pillar, 4
reviews in Performance Efficiency pillar, 11
revoke-certificate command, 324
revoked status for public certificates, 316
revoking private certificates, 322–324
risk auditing in CloudTrail, 177–193
roles
accounts, 544
IAM, 15, 513–515
RoleSessionName in AuthnResponse Must Match message, 596
RoleSessionName is Required in AuthnResponse message, 596
root CAs, 319
event investigation, 47–54
root OUs, 546
root users and accounts authentication, 15, 166, 510
root-account-mfa-enabled rule, 130
CMKs, 267–268
secrets, 294–295, 303–306
route propagation in transit gateway, 468
EC2 instances, 488–489
VPCs, 418–420
CMKs, 240
RSA keyrings, 338–339
RSA keys
JCE for, 282
OpenSSL, 283
PKCS#11 for, 282
public certificates, 309
Rule Development Kit (RDK), 132–135
rules
ACLs, 477–478
Application Load Balancers, 394
CloudWatch events, 105–109
Config, 129–140
NACLs, 487–488, 491
Secrets Manager, 307
security groups, 436–437, 479
WAF, 401–403
CloudWatch Logs agent, 211–213
Systems Manager, 79–82
S
S3. See Simple Storage Service (S3)
S3 Glacier Deep Archive, 572–574
SaaS (Software as a Service), 548
SAML (Security Assertion Markup Language)
authentication troubleshooting, 595–597
federation, 516–519
single sign-on, 548–549
SAST (static application security testing) tools, 503
sc fields in CloudFront access logs, 228, 230
scaling in Reliability pillar, 8
schedule-key-deletion command, 108
schedules for CMK deletions, 265–266
SCPs (service control policies), 16–17
Organizations, 533–534, 545–546
overview, 584–585
secret keys in authentication, 513
authentication and access control, 301–303
description, 292
monitoring, 306–307
overview, 293–294
rotation, 294–295
rules, 307
secrets management, 296–300
secrets rotating and replicating, 303–306
secretsmanager-rotation-enabled-check rule, 307
secretsmanager-scheduled-rotation-success-check rule, 307
CloudFront, 481
failed login attempts, monitoring, 208–218
Secure Sockets Layer (SSL) protocol
certificates, 377
CloudFront, 374–375
pinning, 309–310
secured services in Secrets Manager, 294
security analysis, Config for, 120
Security Assertion Markup Language (SAML)
authentication troubleshooting, 595–597
federation, 516–519
single sign-on, 548–549
EC2 instances, 72, 486–487
Trusted Advisor, 166
configuring, 163–164
enabling, 164
findings, 165
overview, 162–163
root cause analysis, 51, 53
security information and event management (SIEM) tools, 162
Cost Optimization pillar, 12–13
Operational Excellence pillar, 3–5
Performance Efficiency pillar, 10–12
questions, 26–27
Reliability pillar, 8–9
resources, 28
review, 25
shared responsibility model. See shared responsibility model
best practices, 7–8
data protection, 21–24
IAM, 14–17
infrastructure protection, 19–21
IAM, 16
role credentials, 513
temporary credentials, 537–543
selection in Performance Efficiency pillar, 11
sensitive data in Macie, 152–162
sensitive information in accidental commits, 76–77
sent_bytes field in Elastic Load Balancer log access, 226
Sequence No field in AWS CloudHSM logs, 285
Server Message Block (SMB) protocol, 435
Server Name Indicator (SNI), 396–397
serverless architectures in Performance Efficiency pillar, 10
service control policies (SCPs), 16–17
Organizations, 533–534, 545–546
overview, 584–585
service limits in Trusted Advisor, 166–167
service names for interface endpoints, 442
Session handle field in AWS CloudHSM logs, 285
Session Manager, remote access with, 503–505
session policies, resource-based, 534–537
shared responsibility model, 2, 13–14
data protection, 21–24
IAM, 14–17
infrastructure protection, 19–21
AWS CloudHSM keys, 279
CloudTrail logs, 184–190
Shield service
features, 403–404
features, 405
shuffle-sharding, 367, 372
SId field in authorization documents, 521
SIEM (security information and event management) tools, 162
Sign only attribute in DynamoDB Encryption Client, 353
Signature Version field in S3 access logs, 232
signed cookies in CloudFront, 377–378
signed fields in DynamoDB Encryption Client, 348–350
signed URLs in CloudFront, 377–378
Simple Notification Service (SNS) topics
alerts, 63–65
CloudTrail, 180
CloudWatch alarms, 102
configuration streams, 128–129
access control lists, 538–541
CloudFront, 380–381, 482
data keys, 244
groups, 561
logs, 177
Macie, 152–162
Single Sign-On (SSO), 16, 516–517, 548–549
SMB (Server Message Block) protocol, 435
configuration, 126–128
SNI (Server Name Indicator), 396–397
SNS topics. See Simple Notification Service (SNS) topics
Software as a Service (SaaS), 548
software libraries in CloudHSM, 281–283
software vulnerabilities in DNS, 372
Specified Provider Doesn’t Exist message, 597
SQL injection, firewalls for, 400–401
srcaddr field in VPC flow logs, 223
srcport field in VPC flow logs, 223
SSH. See Secure Shell (SSH)
ssl-cipher field in CloudFront access logs, 230
ssl_cipher field in Elastic Load Balancer log access, 226
ssl-protocol field in CloudFront access logs, 230
ssl_protocol field in Elastic Load Balancer log access, 226
SSL (Secure Sockets Layer) protocol
certificates, 377
CloudFront, 374–375
pinning, 309–310
SSL/TLS offloading in AWS CloudHSM, 271
SSM agent, 496
SSO (Single Sign-On), 16, 516–517, 548–549
staging labels for secrets, 295–296
stand-alone policies for authorization, 522
start field in VPC flow logs, 223
start-query-execution command, 593
stateful access network control, 431
stateless access network control, 431
Statement field in authorization documents, 520
static access keys with compromised credentials, 74
static application security testing (SAST) tools, 503
static credentials in IAM, 15
static materials providers in DynamoDB Encryption Client, 356–357
static thresholds for CloudWatch alarms, 102
statistics in CloudWatch metrics, 94
StatisticSet, 98
status for public certificates, 316
CloudTrail, 182
S3. See Simple Storage Service (S3)
CloudWatch Logs, 205
configuration, 128–129
string operations in identity-based policies, 525
IAM, 16
role credentials, 513
temporary credentials, 537–543
subdomains for public certificates, 315
bastion hosts, 475–479
VPCs, 418
subordinate CAs, 319
success status for public certificates, 316
supply and demand in Cost Optimization pillar, 13
Support API in Trusted Advisor, 167
symmetric CMKs, 240
creating, 261–264
overview, 266–267
Synthetics service, 110, 112–113
system logs, monitoring, 206–218
system security configuration and maintenance, 20–21
systems, monitoring, 204
CloudWatch Logs agent, 213
gateways, 497
Managed Instances dashboard, 210
SSM agent, 496
T
tag policies for member accounts, 546
target_group_arn field in Elastic Load Balancer log access, 226
target groups in Application Load Balancers, 394
target_processing_time field in Elastic Load Balancer log access, 225
target_status_code field in Elastic Load Balancer log access, 226
target_status_code_list field in Elastic Load Balancer log access, 227
target:port field in Elastic Load Balancer log access, 225
target:port_list field in Elastic Load Balancer log access, 227
CloudWatch events, 105
TDE (Transparent Data Encryption), 271
technologies in Performance Efficiency pillar, 10
temporary access keys for compromised credentials, 74
access control lists, 538–543
STS, 537–543
testing CloudWatch rules, 108–110
firewalls for, 399–401
GuardDuty detection of, 141–151
throttling in API Gateway, 79, 386
AWS CloudHSM logs, 285
CloudFront access logs, 228
time stamps in CloudWatch metrics, 93
time-taken field in CloudFront access logs, 229
time-to-first-byte field in CloudFront access logs, 230
time-to-live (TTL) periods in API Gateway, 79
time to market improvements, monitoring for, 88
timed out status for public certificates, 316
timestamp field in Elastic Load Balancer log access, 225
TLDs (top-level domains) in Route 53, 367
TLS/SSL protocol for Elastic Load Balancer, 395
TLS (Transport Layer Security) version in API Gateway, 390–391
TLS version field in S3 access logs, 232
data protection, 22
grants, 253–254
top-level domains (TLDs) in Route 53, 367
alerts, 63–65
CloudTrail, 180
CloudWatch alarms, 102
configuration streams, 128–129
Total Time field in S3 access logs, 232
trace_id field in Elastic Load Balancer log access, 226
traceability in Security pillar, 6
trade-offs in Performance Efficiency pillar, 12
trails. See CloudTrail
associations, 467–468
attachments, 466
components, 464–465
overview, 464
route propagation, 468
route tables, 466–467
transit VIFs, 452–453
transition actions in S3 lifecycle, 572–581
transparency logs for ACM certificates, 310
Transparent Data Encryption (TDE), 271
Transport Layer Security (TLS) version in API Gateway, 390–391
Trend Micro Deep Security ISP, 502
Triple DES keys, PKCS#11 for, 282
authentication, 585–595
CloudFront bucket access, 482
CloudWatch Logs agent, 218–219
egress, 483–491
federation, 595–597
ingress, 475–482
operational, 206
Organizations, 582–585
questions, 598–602
resources, 602
review, 598
SCPs, 584–585
checks, 167–168
introduction, 165–166
trusted IP lists in GuardDuty, 142
TTL (time-to-live) periods in API Gateway, 79
Turn-Around Time field in S3 access logs, 232
two-factor authentication (2FA), 510
type field in Elastic Load Balancer log access, 225
U
Unauthenticated User in CloudHSM, 278
units in CloudWatch metrics, 94
URLs in CloudFront, 377–378
usage plans in API Gateway, 386
user_agent field in Elastic Load Balancer log access, 226
User-Agent field in S3 access logs, 232
user behavior, monitoring for, 90
user management in AWS CloudHSM, 278–279
Amazon Cognito, 543
API Gateway, 389–390
V
validity period for ACM certificates, 308
values for CloudWatch metrics, 93
verification for data keys, 248
authorization documents, 520
Version Id field in S3 access logs, 232
Viewer Protocol Policy setting in CloudFront, 375
VIFs (virtual interfaces), 451–454
access and access control, 475–482
DNS resolution, 428–430
Elastic IP addresses, 431
Elastic Network Interface, 430
endpoints, 440–446, 501
Internet Gateway, 420–422, 424–425, 483–484
logs, 177
NACLs, 431–435
on-premises network connections, 446–459
Organizations, 583
overview, 416–417
peering, 425–427
route tables, 418–420
secrets, 304
security groups, 436–440
shared, 427–428
subnets, 418
Systems Manager, 497–498
virtual private gateways (VPGs), 457
virtual private interfaces, 451–454
virtual private networks (VPNs)
software, 460–461
transit, 461–462
visibility, monitoring for, 88
basics, 220–221
data, 221–222
fields, 222–223
GuardDuty data source, 142
overview, 219–220
VPC links in API Gateway, 385, 390
VPCs. See virtual private clouds (VPCs)
W
WAF. See Web Application Firewall (WAF)
Wavelength zones in global infrastructure, 414
Web ACL Capacity Units (WCUs), 402
Web Application Firewall (WAF)
Classic, 401–402
overview, 398
threats, 399–401
versions, 398–399
WAFv2, 402–403
web applications with CloudFront, 479–482
web servers, launching, 145–147
WebSocket APIs, 382
WHOIS contacts for ACM certificates, 312
wildcard certificates in ACM, 292
wildcard domains in public certificates, 315
wildcard names in ACM certificates, 309
EC2 instances, 82
workload behavior, monitoring for, 90
Wrapped Materials Provider (Wrapped CMP), 356
wrapping AWS CloudHSM keys, 279–280
WRITE permissions for access control lists, 539
WRITE_ACP permissions for access control lists, 539
X
ACM, 292
private certificates, 318
x-edge-detailed-result-type field in CloudFront access logs, 230
x-edge-location field in CloudFront access logs, 228
x-edge-request-id field in CloudFront access logs, 229
x-edge-response-result-type field in CloudFront access logs, 230
x-edge-result-type field in CloudFront access logs, 229
x-forwarded-for field in CloudFront access logs, 229
x-host-header field in CloudFront access logs, 229
XSS (cross-site scripting), firewalls for, 399–400
Y
YAML templates conformance packs, 140–141
Your Request Included an Invalid SAML Response To Logout message, 596