AWS Certified Security Specialty All-in-One Exam Guide (Exam SCS-C01) Index

A

  • responding to, 60–69
  • CMKs, 256–261
  • VPCs, 475–482
  • NACLs, 77, 431–435, 487–488
  • IAM, 59–60, 70, 73–74
  • S3, 231–232
  • ARNs, 511
  • PKCS#11 for, 282
  • aggregators in Config, 122–124
  • aliases in CMKs, 242–243, 249–250
  • updating, 502–503
  • IAM, 567–568
  • updating, 502–503
  • throttling, 79, 386
  • vs. NLB, 397–398
  • CMKs, 256–261
  • IAM, 16–17, 520–537
  • CAP theorem, 12
  • CMM, 331–333
  • keyrings, 333, 335–339

B

backing keys in CMKs, 268

backups

CloudHSM, 271, 277

data protection, 23–24

bad bot attacks, firewalls for, 400

base images, updating, 502–503

bastion hosts and public subnets, 475–479

behaviors, CloudFront, 373–375

BFD (Bidirectional Forwarding Detection), 447

BGP (Border Gateway Protocol)

Direct Connect, 447–448

Route 53, 368

Bidirectional Forwarding Detection (BFD), 447

billing

alarms, 104

consolidated, 544–545

as suspicious activity, 46

binary conditions in identity-based policies, 525

BlackDuck tool, 503

blacklists in Geo Restriction, 380–381

Block Public Access feature, 541–543

Boolean conditions in identity-based policies, 525

Border Gateway Protocol (BGP)

Direct Connect, 447–448

Route 53, 368

bot attacks, firewalls for, 400

bottom line, monitoring for, 88

browsers, ACM certificates for, 308

brute-force attacks, SSH, 151

Bucket field in S3 access logs, 232

Bucket Owner field in S3 access logs, 232

bucket-owner-full-control ACLs, 541

bucket-owner-read ACLs, 541

buckets

access control lists, 538–541, 561–562

CloudFront, 380–381, 482

CloudTrail log access, 183

permissions, 166–167, 570

policies, enforcing, 565–572

policies, overview, 562–565

policies, troubleshooting, 559–565

resource owners, 560–561

S3, 153–157

built-in metrics in CloudWatch, 94

bytes field in VPC flow logs, 223

Bytes Sent field in S3 access logs, 232

C

c-ip field in CloudFront access logs, 228

c-port field in CloudFront access logs, 230

C programming language

AWS Encryption SDK, 340–341

keyrings, 333

caches

API Gateway, 79

CloudFront, 378–379

data key, 343–347

canaries, health check, 112–113

canonical IDs, 560

Canonical Name (CNAME) records, 311–312

CAP theorem, 12

capacity in Reliability pillar, 8–9

CAs (Certificate Authorities)

ACM, 292

AWS CloudHSM, 271

private certificates, 318–321

CD/CI (continuous delivery and continuous integration) development cycle, 89

certificate ARNs, 458

Certificate Authorities (CAs)

ACM, 292

AWS CloudHSM, 271

private certificates, 318–321

Certificate Manager for CMKs, 243

certificate revocation lists (CRLs), 320

certificates

ACM, 292

ACM, private, 317–325

ACM, public, 308–317

API Gateway, 391–392

CloudFront, 377

change histories, Config for, 120

change management in Reliability pillar, 9

changes

Operational Excellence pillar, 4

Trusted Advisor, 167

checks in Trusted Advisor, 167–168

chosen_cert_arn field in Elastic Load Balancer log access, 226

CIDR (Classless Inter-Domain Routing)

API Gateway resource policies, 389

site-to-site VPNs, 459

VPCs, 418–420

cipher-block chaining in API Gateway, 390

Cipher Suite field in S3 access logs, 232

Classic Elastic Load Balancer, 392

classification of data

Macie, 157–159

overview, 21–22

Classless Inter-Domain Routing (CIDR)

API Gateway resource policies, 389

site-to-site VPNs, 459

VPCs, 418–420

clean rooms, 24–25

CLI (Command Line Interface)

authentication, 512–513

AWS Encryption SDK, 342–343

client certificates in API Gateway, 391–392

client:port field in Elastic Load Balancer log access, 225

CloudFormation stacks, 72

CloudFront

access control, 377–378

access logs, 224, 227–230

attack surfaces, 379

behaviors, 373–375

bucket access, 482

caches, 378–379

configuring, 481–482

DDoS attacks, 379

domain names, 376

Geo Restriction, 380–381

Lambda@Edge, 381

origins, 374–376

overview, 372–373

S3, 380

web application delivery, 479–482

CloudHSM

authentication and access control, 281

clusters, 272–277

custom key storage, 241

helper tools, 281

key management, 279–280

key material origin, 251

monitoring, 284–286

overview, 239–240, 270–271

software libraries, 281–283

use cases and concepts, 271

user management, 278–279

utilities, 280–281

cloudhsm_mgmt_util utility, 278, 280–281

CloudHub, 461, 463

CloudTrail

access to, 183

authentication, 585, 587–593

building blocks, 179–180

CMKs, 242, 254

configuring, 180–184

encryption context, 252

governance and risk auditing, 177–193

incident response, 35–37

logs, example, 49–50, 178–179

logs, GuardDuty analysis of, 142

logs, integrity, 192–193

logs, monitoring, 193–202

logs, S3 storage, 18

logs, securing, 191–192

logs, sharing, 184–190

non-API service events and console sign-in events, 203

notifications, 203

public certificate monitoring, 316–317

regions, 183–184

storage locations, 182

CloudWatch, 18

alarms, 99–104

application monitoring, 110–113

events, 104–110

goals, 89–90

infrastructure monitoring, 90–92

introduction, 87–89

metrics, 92–99

questions, 114–118

resources, 118

review, 113–114

ServiceLens service, 111–112

Synthetics service, 112–113

CloudWatch Logs

access to, 445

agents, 206–218

CloudTrail logs monitoring, 193–202

CloudWatch Logs Insights, 205–206

components, 205

description, 180

incident response, 37–38

overview, 203–204

working with, 50

CloudWatch Logs Insights, 205–206

clusters in AWS CloudHSM

activating, 276–277

creating, 272–273

CSRs, 275

EC2 instance connections, 273–274

initializing, 275–276

CMKs. See customer master keys (CMKs)

CMM (cryptographic materials manager)

AWS Encryption SDK, 331–334

data key caching, 343–346

keyrings, 335–336

CMPs (Cryptographic Materials Providers), 350–357

CNAME (Canonical Name) records, 311–312

CNG (Cryptography API: Next Generation) API, 283

CO (Crypto Officer) in AWS CloudHSM, 278

code in Operational Excellence pillar, 3

CodeCommit service, 585

Cognito service

applications, 516

components, 543

user pools, 389–390

collections in Amazon DynamoDB, 348–349

Command Line Interface (CLI)

authentication, 512–513

AWS Encryption SDK, 342–343

Command type field in CloudHSM logs, 285

compliance

CloudWatch Logs Insights, 206

Config for, 120

enhanced. See enhanced security monitoring and compliance services

compromised credentials, remediating, 73–77, 151

compromised EC2 instances, remediating, 70–72

Condition field in authorization documents, 521

conditions

IAM, 525–527

Web Application Firewall, 401–403

Config service

aggregators, 122–124

configuration history, 126

configuration items, 124–126

configuration recorder, 128

configuration snapshots, 126–128

configuration streams, 128–129

conformance packs, 140–141

incident response, 33–35

overview, 120–121

rules, 129–140

setting up, 121–122

configuration

CloudFront, 481–482

CloudTrail, 180–184

CloudWatch alarms, 103–104, 151

monitoring for, 89

S3 lifecycle policies, 575–581

Security Hub, 163–164

Session Manager remote access, 503–505

Configure Action window, 217

configure tool for AWS CloudHSM, 281

conformance packs in Config service, 140–141

consistency in CAP theorem, 12

console sign-in events, logging, 203

consolidated billing in Organizations, 544–545

constraints for grants, 260

consumption model in Cost Optimization pillar, 12

Container Insights service, 110

containment stage in incident response plans, 30

continuous delivery and continuous integration (CD/CI) development cycle, 89

Contributor Insights service, 110

cookies in CloudFront, 229, 377–378, 481

cost optimization in Trusted Advisor, 166

Cost Optimization pillar

best practices, 13

design principles, 12–13

Could Not Parse Metadata message, 597

cp command, 571

CPUUtilization metric in CloudWatch, 93

create-bucket command, 154

create-key command, 108

create-saml-provider command, 518

create-trail command, 192

credentials

IAM. See Identity and Access Management (IAM)

secrets, 294–297, 303–306

temporary, 537–543

CRLs (certificate revocation lists), 320

cross-account permissions for buckets, 570

cross-site scripting (XSS), firewalls for, 399–400

Crypto Officer (CO) in AWS CloudHSM, 278

Crypto User (CU) in AWS CloudHSM, 278

cryptographic materials manager (CMM)

AWS Encryption SDK, 331–334

data key caching, 343–346

keyrings, 335–336

Cryptographic Materials Providers (CMPs), 350–357

Cryptographic Module Validation Program, 239

cryptographic-related services

AWS Certificate Manager. See AWS Certificate Manager (ACM)

overview, 291–293

questions, 326–328

resources, 328

review, 325

Secrets Manager. See Secrets Manager

cryptographic services

CloudHSM. See CloudHSM

KMS. See Key Management Service (KMS)

overview, 239–240

questions, 286–289

resources, 289

review, 286

cryptographic tools

AWS Encryption SDK. See AWS Encryption SDK

DynamoDB Encryption Client. See DynamoDB Encryption Client

overview, 329–330

questions, 362–364

resources, 364

review, 361–362

Cryptography API: Next Generation (CNG) API, 283

cs fields in CloudFront access logs, 228–230

CSRs, cluster, 275

CU (Crypto User) in AWS CloudHSM, 278

curl command, 485–488, 514

custom data identifiers in Amazon Macie, 159–161

custom domains in API Gateway, 390–391

custom headers in CloudFront, 376

custom metrics in CloudWatch, 94–98

custom rules in Config, 132–140

custom services, VPC endpoints for, 445–446

customer gateways in Direct Connect, 453–455

customer-managed CMKs, 241–242

customer managed policies, 522

customer master keys (CMKs), 239–240

aliases, 242–243, 249–250

asymmetric, 267

authentication and access control, 256–261

AWS-managed, 242–243

AWS-owned, 243

creating, 255

custom key store, 268–270

customer-managed, 241–242

deleting, 256, 265–266

envelope encryption, 251–252

grants, 259–260

key identifiers, 249–250

key material origin, 250–251

key specs, 251

key usage, 251

keyrings, 337

modifying, 256, 264–265

monitoring, 270

overview, 240–241

policies, 257–260

rotation, 267–268

symmetric, 261–264, 266–267

usage auditing, 254

customer trust, monitoring for, 88

D

DAST (dynamic application security testing) tools, 503

data at rest

protecting, 23

Security pillar, 6

data center operations in Cost Optimization pillar, 12

data events in CloudTrail, 181

data identifiers in Macie, 159–161

data in transit

protecting, 23

Security pillar, 6

data keys

AWS Encryption SDK, 330–332

caching, 343–347

CMKs, 240–242

keyrings, 335–339

overview, 243–245, 332

pairs, 246–248

data protection

backup, replication, and recovery, 23–24

classification, 21–22

data at rest, 23

data in transit, 23

Security pillar, 7

tokenization and encryption, 22

date conditions in identity-based policies, 525

date field in CloudFront access logs, 228

DDoS attacks. See Distributed Denial of Service (DDoS) attacks

DDoS response teams (DRTs), 405–406

debugging CloudWatch Logs Insights, 206

Decrypt API, 247

dedicated connections in Direct Connect, 449–450

deleting

CMKs, 256, 265–266

secrets, 298

delimiters for buckets, 560

deployment of ACM certificates, 308

describe-instances command, 476–478, 485

describe-network-acls command, 477

describe-route-tables command, 477

describe-security-groups command, 479

DescribeTable operation in DynamoDB Encryption Client, 360

design principles

Cost Optimization pillar, 12–13

Operational Excellence pillar, 3–5

Performance Efficiency pillar, 10

Reliability pillar, 8–9

Security pillar, 6–7

detective controls

auditing controls, 18–19

logs, 17–18

overview, 17

Security pillar, 7

Detective service, 43–44

DevOps and DevSecOps, 89, 502–505

DHCP (Dynamic Host Configuration Protocol), 417, 428–430

dimensions in CloudWatch metrics, 94

Direct Connect

connection types, 449–451

customer gateways, 453–455

global infrastructure locations, 414

transit gateway, 464

virtual private interfaces, 451–454

VPC connections, 446–455

VPNs, 459–460

discovering sensitive data in Amazon Macie, 157–162

Distributed Denial of Service (DDoS) attacks

API Gateway for, 382

CloudFront for, 373, 379

CloudWatch for, 93

Route 53 for, 367–368

Shield for, 31, 403–406

Distributed Reflection Denial of Service (DRDoS) attacks, 372

DNS. See Domain Name System (DNS)

Do nothing attribute in Amazon DynamoDB Encryption Client, 353

documentation in Operational Excellence pillar, 3–4

domain_name field in Elastic Load Balancer log access, 226

domain name servers in DNS resolution, 368

Domain Name System (DNS)

attacks on, 371–372

hosted zones, 370–371

interface endpoints, 442

query logs, 142

records for ACM certificates, 311–312

Route 53, 368–370

VPCs, 428–430

website delivery, 479–481

domain names

ACM certificates, 308

CloudFront, 376

domain validation (DV) for ACM certificates, 308

domains in public certificates, 315

DRDoS (Distributed Reflection Denial of Service) attacks, 372

DRTs (DDoS response teams), 405–406

dstaddr field in VPC flow logs, 223

dstport field in VPC flow logs, 223

DV (domain validation) for ACM certificates, 308

dynamic application security testing (DAST) tools, 503

dynamic credentials in IAM, 15

Dynamic Host Configuration Protocol (DHCP), 417, 428–430

DynamoDB Encryption Client, 329–330

attribute actions, 353

client-side vs. server-side, 348

CMPs, 351, 355–357

DynamoDB Encryption Context, 354–355

encrypted and signed fields, 348–350

item encryptors, 352–353

material descriptions, 353–354

operation, 350–351

overview, 347–348

programming languages, 357–361

provider stores, 355

DynamoDB Encryption Context, 354–355

DynamoDBEncryptor, 357

DynamoDBMapper, 357

E

e-mail addresses

accounts, 544

S3 groups, 561–562

e-mail notifications for alerts, 63–65

e-mail validation for ACM certificates, 312

EBS (Elastic Block Store)

CMKs, 241

grants, 259–260

public snapshots, 167

EC2 instances

abuse notice responses, 65

automating commands for, 80–82

CloudWatch alarms, 102–103

cluster connections, 273–274

compromised, 70–72

elastic IPs, 484–486

Elastic Load Balancer, 438

grants, 259–260

IAM credentials, 514–515

Internet Gateway, 483–491

metrics, 208–218

monitoring, 194

NACLs, 432–433, 487–488

NAT gateway, 490–491

public subnets, 475–479

route tables, 488–489

security groups, 72, 437, 486–487

Session Manager, 503–505

SSH key pairs, 71

SSM endpoints, 496–498

VPC endpoints, 501

VPCs, 420–423

workflows against, 82

EC2 service, monitoring, 93

ec2messages endpoint, 496

ECC (elliptic curve cryptography) key pairs

CMKs, 240, 267

data keys, 246

NIST curves, 282

ECDSA (Elliptic Curve Digital Signature Algorithm)

AWS Encryption SDK, 334, 340

PKCS#11 for, 282

ECMP protocol, 464

economics in Organizations, 582

edge consolidation in transit gateway, 464

edge locations in global infrastructure, 413–414

edge security

API Gateway. See API Gateway

CloudFront. See CloudFront

Elastic Load Balancer, 392–398

introduction, 365–367

questions, 407–410

resources, 410

review, 406

Route 53, 367–370

Shield, 403–406

WAF, 398–403

Effect field in authorization documents, 521

efficiency measures in Cost Optimization pillar, 12

egress

questions, 492–494

review, 491

troubleshooting, 483–491

egress-only Internet Gateway, 424–425

Elastic Block Store (EBS)

CMKs, 241

grants, 259–260

public snapshots, 167

Elastic Compute Cloud (EC2). See EC2 instances

Elastic IP addresses

EC2 instances, 484–486

VPCs, 431

Elastic Load Balancer (ELB)

Application, 393–394

Classic, 392

description, 392

EC2 instances, 438

logs, 177, 223–227, 396

Network, 395

requests, 397–398

security policies and forward secrecy, 395–396

Server Name Indicator, 396–397

Elastic Network Interface (ENI), 430

ELB. See Elastic Load Balancer (ELB)

elb field in Elastic Load Balancer log access, 225

elb_status_code field in Elastic Load Balancer log access, 226

elliptic curve cryptography (ECC) key pairs

CMKs, 240, 267

data keys, 246

NIST curves, 282

Elliptic Curve Digital Signature Algorithm (ECDSA)

AWS Encryption SDK, 334, 340

PKCS#11 for, 282

Enable Private DNS Name option, 446

Encrypt and sign attribute for DynamoDB Encryption Client, 353

encrypted-volumes

Config rules, 130–131

Macie, 159–160

EncryptedResource class, 360

EncryptedTable class, 360

encryption. See also AWS Encryption SDK;

cryptographic-related services; cryptographic services; cryptographic tools

data protection, 22

S3, 574

encryption context

AWS Encryption SDK, 334–335

data key caching, 346

DynamoDB Encryption Client fields, 348–350

Encryption SDK, 329–330

EncryptionContextEquals constraint, 260

EncryptionContextSubset constraint, 260

end field in VPC flow logs, 223

endpoints

API Gateway, 384–385

gateways, 443

interface, 441–442

policies, 444–446

VPCs, 440–446

enhanced security monitoring and compliance services, 119

GuardDuty, 141–151

Macie, 152–162

questions, 170–173

resource configuration monitoring. See Config service

resources, 173

review, 169–170

Security Hub, 162–165

Trusted Advisor, 165–168

envelope encryption, 251–252, 330

eradication stage in incident response plans, 30

Error Code field in S3 access logs, 232

error_reason field in Elastic Load Balancer log access, 227

event history, 588

event investigation, 29

event indicators, 45–47

incident response. See incident response

questions, 55–57

resources, 58

review, 54–55

root cause analysis, 47–54

event preparation in Security pillar, 7

event remediation and planning

abuse notices, 60–69

automating. See automation

compromised EC2 instances, 70–72

credentials, 73–77

incident avoidance, 77–82

questions, 83–85

resources, 85

review, 82–83

EventBridge

alerts, 63–69

Macie findings, 161–162

rules and targets, 67–68

events

CloudTrail, 142, 179, 181

CloudWatch, 91, 104–110

CloudWatch Logs, 205

non-API service, 203

Secrets Manager, 306–307

sign-in, 203

evolution in Operational Excellence pillar, 5

excluded items in Trusted Advisor, 167

expenditures in Cost Optimization pillar, 12–13

experimentation in Performance Efficiency pillar, 10

expiration actions in S3 lifecycle, 572–574, 577, 579–581

expired status in public certificates, 316

F

failed authorization, monitoring, 194

failed login attempts, monitoring, 208–218

failed status in public certificates, 316

Failed to Assume Role: Issuer Not Present in Specified Provider message, 597

failure anticipation in Operational Excellence pillar, 4

failure management in Reliability pillar, 9

failure recovery in Reliability pillar, 8

failures, learning from, 4–5

Falcon Endpoint Protection Premium, 502

fault tolerance for Trusted Advisor, 166

faults, monitoring for, 89

federation

IAM, 16, 516–520

troubleshooting, 595–597

Field-level Encryption Config setting in CloudFront, 375

filters

CloudWatch Logs metrics, 205

S3 objects, 560

Web Application Firewall, 401

findings

GuardDuty, 143–144

Macie, 158–162

root cause analysis, 51–54

Security Hub, 165

fine-grained authorization, 16–17

Firewall Manager, 33

firewalls. See Web Application Firewall (WAF)

fle-encrypted-fields field in CloudFront access logs, 230

fle-status field in CloudFront access logs, 230

flood attacks

DNS, 371–372

firewalls for, 400

folders in S3, 559–560

follow-up stage in incident response plans, 30

forward secrecy

benefits, 77–78

Elastic Load Balancer, 395–396

forwarding resolvers in DNS resolution, 368

foundations in Reliability pillar, 9

FULL_CONTROL permissions for access control lists, 539–540

FullAWSAccess policy, 545–546, 584

G

gateways

API Gateway. See API Gateway

Direct Connect, 453–455

endpoints, 443

Internet. See Internet Gateway

NAT, 490–491, 497

transit. See transit gateway

General Data Protection Regulation (GDPR), 152

generate-client-certificate command, 392

generate-credential-report command, 585–586

GenerateDataKey operations, 244, 253

GenerateDataKeyPair call, 246

GenerateDataKeyWithoutPlaintext call, 244, 247

GENERIC_SECRET keys, 282

geo match conditions in WAF, 401

Geo Restriction in CloudFront, 380–381

get-bucket-policy command, 482

get-credential-report command, 586

get-distribution-config command, 482

get-object command, 570

get-query-execution command, 594

get-query-results command, 594–595

get-random-password command, 297

get-role command, 567

GetFederationToken action, 537

getLocalCryptographicMaterialsCache function, 346

GetSessionToken action, 538

GitHub, accidental commits to, 76–77

Glacier, 572–574

Glacier Deep Archive, 572–574

global infrastructure

availability zones, 412–413

description, 411

Direct Connect locations, 414

edge locations, 413–414

Local Zones, 414

Outposts, 414

public vs. VPC attached services, 415

regions, 411–412

service availability, 415–416

Wavelength zones, 414

global operations in Performance Efficiency pillar, 10

governance and risk auditing in CloudTrail, 177–193

grants

CMKs, 259–260

creating, 253

encryption context, 252

tokens, 253–254

groups

CloudWatch Logs, 205

IAM, 510

security. See security groups

GuardDuty

attack simulation, 144–151

configuration, 151

data sources, 142–143

DNS threats, 429

enabling, 143

findings, 143–144

incident response, 40–41

overview, 141–142

root cause analysis, 51–52

H

hardware security modules (HSMs). See CloudHSM

headers in CloudFront, 376

health check canaries, 112–113

HIDS (host IDS), 501–502

hierarchical grouping in Organizations, 546–547

high-resolution metrics in CloudWatch, 99

history

configuration, 126

event, 588

host-based logs, 176

host-based security

DevOps, 502–505

overview, 495–501

questions, 506–508

resources, 508

review, 506

Host Header field in S3 access logs, 232

Host Id field in S3 access logs, 232

host IDS (HIDS), 501–502

host-level boundaries, protecting, 19–20

hosted connections in Direct Connect, 449–450

hosted zones in DNS, 370–371

HTTP flooding, firewalls for, 400

HTTP Only option in CloudFront, 375

HTTP protocol

API Gateway, 382, 385

CloudFront, 481

HTTP status field in S3 access logs, 232

HTTPCode_ELB_4XX_Count metric in CloudWatch, 93

HTTPS protocol in CloudFront, 375

human interaction in Security pillar, 6

Hyperplane technology, 423

I

IAM. See Identity and Access Management (IAM)

Iam-password-policy, 130

identification stage in incident response plans, 30

identifiers in IAM, 511–512

Identity and Access Management (IAM)

Amazon Cognito, 543

applications, 515–516

ARNs, 510–511

authentication, 509–520, 585–587

authorization, 520–537

bucket policies, 562–568

CLI, 513

CloudTrail log access, 183

CMKs, 258–259

compromised EC2 instances, 70

credentials, compromised, 151

credentials, EC2 instances, 514–515

credentials, protecting, 15–16

credentials, remediating, 73–77

credentials, role, 513–515

credentials, temporary, 537–543

endpoint policies, 444

event parsing, 65–67

federation, 516–520

fine-grained authorization, 16–17

identifiers, 511–512

Organizations, 543–547

overview, 14–15

privilege escalation, 194–199

questions, 550–557

resources, 557

review, 550

roles, 513–515

root users, 510

secrets, 301

single sign-on, 548–549

Trusted Advisor, 166

users and groups, 510

identity-based policies

authorization, 522–529

conditions, 525–527

NotAction and NotResource elements, 527–529

operation, 523–524

identity foundation in Security pillar, 6

identity in Security pillar, 7

identity pools in Amazon Cognito, 543

IDS/IPS (intrusion detection system/intrusion prevention system), 501

If exists conditions in identity-based policies, 525

images

SSM agent, 496

updating, 502–503

importing public certificates, 313–314

inactive status in public certificates, 316

inbound rules for security groups, 436–437

inbound traffic restrictions for networks, 433–434

incident response

Amazon Detective, 43–44

Amazon EMR, 39

Amazon Kinesis, 39–40

Athena, 39

clean rooms, 24–25

CloudTrail, 35–37

CloudWatch Logs, 37–38

Config, 33–35

Firewall Manager, 33

GuardDuty, 40–41

Macie, 44–45

Security Hub, 41–42

Security pillar, 7–8

Shield, 31–32

VPC flow logs, 38

WAF, 32–33

incident response plans (IRPs) stages, 29–30

incidents, avoiding, 77–82

infrastructure

global. See global infrastructure

monitoring in CloudWatch, 90–92

network. See network infrastructure

infrastructure protection, 19

network- and host-level boundaries, 19–20

Security pillar, 7

service-level protection, 21

system security configuration and maintenance, 20–21

ingress

questions, 492–494

review, 491

troubleshooting, 475–482

initialization vectors (IVs) in AWS Encryption SDK, 340

injection attacks, firewalls for, 400–401

inline policies for authorization, 522

Insights events in CloudTrail, 181–182

instance compromise, GuardDuty for, 141

INSUFFICIENT_DATA state in CloudWatch alarms, 100

integration types in API Gateway, 385

integrity for CloudTrail logs, 192–193

interface endpoints, 441–442

interface-id field in VPC flow logs, 223

Internet Gateway

EC2 instances, 483–491

egress-only, 424–425

Systems Manager, 497

VPCs, 420–422

intrusion detection system/intrusion prevention system (IDS/IPS), 501

inventory, Config for, 120

investigation stage in incident response plans, 30

IP addresses

CloudFront, 378

DNS resolution. See Domain Name System (DNS)

EC2 instances, 484–486, 514

GuardDuty, 142

identity-based policy conditions, 525

public subnets, 475–479

S3 objects, 160–161

site-to-site VPNs, 458

VPCs. See virtual private clouds (VPCs)

WAF, 401

IRPs (incident response plans) stages, 29–30

isolation in Organizations, 583

issuing private certificates, 322–323

item encryptors in Amazon DynamoDB Encryption Client, 352–353

IVs (initialization vectors) in AWS Encryption SDK, 340

J

Java Cryptographic Extension (JCE) provider framework, 282

Java programming language

Amazon DynamoDB Encryption Client, 357–359

AWS CloudHSM, 282

AWS Encryption SDK, 340–341

master keys, 333

JavaScript programming language

AWS Encryption SDK, 340–342

keyrings, 333

JCE (Java Cryptographic Extension) provider framework, 282

jq tool, 589

JSON documents

authorization, 520–522

CloudTrail logs, 178

snapshots, 127–128

K

Key Encryption Keys (KEKs), 251

Key field in S3 access logs, 232

key identifiers (KeyIds), 249–250

key management infrastructure (KMI), 255

Key Management Service (KMS)

CloudTrail, 180

CloudTrail logs, 191

CMKs. See customer master keys (CMKs)

cryptographic operations, 249

data keys, 243–248

description, 105

DynamoDB Encryption Client, 355–356

encryption context, 252–253

endpoint policies, 444–445

envelope encryption, 251–252

grants, 253–254

key identifiers, 249–250

key management infrastructure, 255

key material origin, 250–251

key policies, 253

overview, 239–240

key_mgmt_util utility, 279–281

key storage providers (KSPs), 283

key wrap templates, 279

KeyIds (key identifiers), 249–250

keyrings

AWS Encryption SDK, 333, 335–339

KMS, 337–338

master key compatibility, 337

multi-keyrings, 339

operation, 335–336

overview, 335

raw, 338–339

keys

CloudHSM, 279–280

conditions, 525–526

Kinesis in incident response, 39–40

KMI (key management infrastructure), 255

KMS. See Key Management Service (KMS)

kms:CallerAccount condition, 259

kms:Decrypt permission, 338

kms:Encrypt permission, 338

kms:GenerateDataKey permission, 338

kms:GrantIsForAWSResource condition, 259

KSPs (key storage providers), 283

L

Lambda authorizer, 386–389

Lambda functions

API Gateway, 385

CloudWatch events, 106

event parsing, 65–67

secrets, 304

Lambda@Edge feature, 381

layers in Security pillar, 6

least privilege concept in IAM, 15

Letter of Authorization and Connecting Facility Assignment (LOA-CFA), 449–451

libraries in AWS CloudHSM, 281–283

Lifecycle Manager, 578

lifecycle policies in S3, 572–581

lifetime of private certificates, 319

list-buckets command, 561

list-distributions command, 480

list-queues command, 198

listeners in Application Load Balancers, 394

LOA-CFA (Letter of Authorization and Connecting Facility Assignment), 449–451

load shedding in API Gateway, 386

Local Zones in global infrastructure, 414

LocalCryptoMaterialsCache constructor, 345–346

Log Delivery Group for access control lists, 539

log-delivery-write ACLs, 541

log-status field in VPC flow logs, 223

Log type field in AWS CloudHSM logs, 285

login attempts, monitoring, 208–218

loginHSM command, 277

logrotate tool, 284

logs

ACM certificates, 310

capabilities, 176–177

capturing and analyzing, 17–18

CloudFront, 224, 227–230

CloudHSM, 284–286

CloudTrail. See CloudTrail

CloudWatch. See CloudWatch

Elastic Load Balancer, 223–227, 396

event indicators, 45–46

introduction, 175

questions, 233–237

resources, 237

review, 233

root cause analysis, 48–50

S3 access, 231–232

sources, 176

VPC flow logs, 38, 50, 219–223

long-term retention of CloudWatch Logs, 204

lookup-events command, 589–590

M

Macie

custom data identifiers, 159–161

findings, 161–162

incident response, 44–45

overview, 152–153

root cause analysis, 51, 54

S3 object discovery, 160–161

sensitive data, 153–159

malicious IP addresses, GuardDuty for, 142

malicious network requests, blocking, 435

managed policies for authorization, 522

managed rules in Config, 130–131

managed services in Cost Optimization pillar, 12

management events in CloudTrail, 181

management security groups, 438–440

Mapping service, 416

master keys

CMKs. See customer master keys (CMKs)

description, 332

keyrings, 337

providers, 333

master Security Hub accounts, 163

Match Viewer option in CloudFront, 375

matched_rule_priority field in Elastic Load Balancer log access, 226

material descriptions in DynamoDB Encryption Client, 353–354

mechanical sympathy in Performance Efficiency pillar, 10

member Security Hub accounts, 163

memory metrics in EC2 instances, 208–218

metadata in configuration items, 124–126

metrics

CloudHSM, 285–286

CloudWatch, 92–99

CloudWatch Logs, 205

CloudWatch Logs agent, 207

EC2 instances, 208–218

MFA (multifactor authentication)

description, 510

IAM, 15–16, 585

root accounts, 166

Mock option in API Gateway, 385

modifying secrets, 296

MofN access control, 279

monitoring

CloudHSM, 284–286

CloudTrail logs, 193–202

CloudWatch. See CloudWatch

CMKs, 270

event indicators, 45–46

Performance Efficiency pillar, 11

public certificates, 316–317

resource configuration. See Config service

Secrets Manager, 306–307

Trusted Advisor checks, 167–168

most recent providers in DynamoDB Encryption Client, 356

multi-keyrings, 335, 339

multiaccount strategy in Organizations, 582–583

multifactor authentication (MFA)

description, 510

IAM, 15–16, 585

root accounts, 166

multiple accounts

GuardDuty, 151

Macie, 152

Security Hub, 163–164

multiple regions in CloudTrail logs, 183–184

N

NACLs (Network Access Control Lists)

EC2 instances, 487–488

incident avoidance, 77

VPCs, 431–435

name servers for DNS resolution, 368

names

accounts, 544

ACM certificates, 308–309

CloudWatch metrics, 93

IAM, 511–512

users, 510

namespaces for CloudWatch metrics, 93

NAT (Network Address Translation) gateways

overview, 422–424

Systems Manager, 497

VPCs, 490–491

Network Access Control Lists (NACLs)

EC2 instances, 487–488

incident avoidance, 77

VPCs, 431–435

Network Address Translation (NAT) gateways

overview, 422–424

Systems Manager, 497

VPCs, 490–491

network connections, on-premises, 446–459

network infrastructure, 411

access control, 431–440

global, 411–416

questions, 471–474

review, 469–471

transit gateway, 464–469

VPCs. See virtual private clouds (VPCs)

network-level boundaries, protecting, 19–20

Network Load Balancers (NLBs)

vs. ALB, 397–398

description, 395

interface endpoints, 441

NetworkIn metric in CloudWatch, 93

NewConnectionCount metric in CloudWatch, 93

NLBs (Network Load Balancers)

vs. ALB, 397–398

description, 395

interface endpoints, 441

non-API service events, logging, 203

noncompliant security groups, remediating, 136–140

Not Authorized to Perform sts:AssumeRoleWithSAML message, 596

NotAction elements in identity-based policies, 527–529

notifications

alerts, 63–65

auditing controls, 18–19

CloudTrail, 203

Trusted Advisor, 167

NotResource elements in identity-based policies, 527–529

nslookup command, 479

numeric operations in identity-based

policies, 525

O

OAIs (Origin Access Identities), 482

Object Size field in S3 access logs, 232

objects in S3. See also buckets

ACLs, 561

lifecycle policies, 572–578

overview, 559–560

permissions, 562–565

security controls, 565–572

OCSP (Online Certificate Status Protocol), 292–293

OK state in CloudWatch alarms, 100

on-premises network connections in VPCs, 446–459

one-time contacts in event indicators, 47

Online Certificate Status Protocol (OCSP), 292–293

Opcode field in AWS CloudHSM logs, 285

OpenSSL, 283

Operation field in S3 access logs, 232

Operational Excellence pillar

best practices, 5

design principles, 3–4

operational failures in Operational Excellence pillar, 4–5

operational troubleshooting in CloudWatch Logs Insights, 206

operations

Operational Excellence pillar, 4–5

Organizations, 582

OR operator for identity-based policies, 526

Organizations service

accounts, 544–545

consolidated billing, 544–545

hierarchical grouping, 546–547

overview, 543–544

SCPs, 533–534, 545–546, 582–584

services integration, 547

tag policies, 546

trails, 182

Origin Access Identities (OAIs), 482

origins in CloudFront, 374–376, 481

OSSEC Server Intrusion Detection System, 502

outbound rules in security groups, 436–437

outcomes, monitoring for, 89

Outposts in global infrastructure, 414

Outreach in event indicators, 46–47

OWASP Top 10 list of vulnerabilities, 401

P

packets field in VPC flow logs, 223

partition tolerance in CAP theorem, 12

partitions in ARNs, 511

partner tools, 46

pass-through JCE key stores, 282

passwords

IAM. See Identity and Access Management (IAM)

secrets, 294–297

patches

description, 496

Systems Manager, 498–500

peering in VPCs, 425–427

PEM (Privacy Enhanced Mail) coding, 314

pending automatic renewal status for public certificates, 316

pending validation status for public certificates, 316

perfect forward secrecy, 77–78

performance

monitoring for, 89

Trusted Advisor, 166

Performance Efficiency pillar

best practices, 10–12

design principles, 10

periods in CloudWatch metrics, 94

permissions

access control lists, 539–540

boundaries, in resource-based policies, 531–533

buckets, 166–167, 570

CMKs, 257–258

compromised credentials, 75

IAM. See Identity and Access Management (IAM)

KMS keys, 253

secrets, 296, 301

Personal Health Dashboard, 61–69

PKCS#11 library, 282–283

pkpspeed tool, 281

plaintext

data keys, 244–248

encryption context, 252

envelope encryption, 251

policies

API Gateway resources, 389

authorization, 520–522

authorization, identity-based, 522–529

authorization, resource-based, 529–537

buckets, enforcing, 565–572

buckets, overview, 562–565

buckets, troubleshooting, 559–565

CMKs, 257–260

Elastic Load Balancer, 395–396

endpoints, 444–446

interface endpoints, 443

KMS keys, 253

member accounts tags, 546

S3 lifecycle, 572–581

SCP. See service control policies (SCPs)

secrets, 301–303

session, 534–537

tag, 546

policy findings in Macie, 159

pre-shared keys in site-to-site VPNs, 459

PRECO (Precrypto Officer) in AWS CloudHSM, 278

prefixes

buckets, 560

IAM IDs, 512

premortem exercises in Operational Excellence pillar, 4–5

preparation in Operational Excellence pillar, 5

preparation stage in incident response plans, 30

pricing in Macie, 152

Principal field in authorization documents, 521

principals in IAM, 14–15

Privacy Enhanced Mail (PEM) coding, 314

private ACLs, 541

private CAs, 292

private certificates

ACM, 317–325

CAs, 318–321

creating, 323–325

issuing and revoking, 322–324

monitoring, 325

overview, 317–319

private data keys, 246–248

private endpoints in API Gateway, 385

private hosted zones in DNS, 370

private VIFs, 451

PrivateLink technology

endpoints, 441, 443

VPC links, 390

privilege escalation, monitoring, 194–202

ProcessedBytes metric in CloudWatch, 93

profits, monitoring for, 88

programming languages

AWS Encryption SDK, 340–343

DynamoDB Encryption Client, 357–361

protecting sensitive data in Macie, 152–162

protocol field in VPC flow logs, 223

provider stores in DynamoDB Encryption Client, 355

public certificates

ACM, 308–317

characteristics, 308–310

importing, 313–314

managing, 310–313

monitoring, 316–317

renewing, 315–316

requesting, 313

public data keys, 246–248

public hosted DNS zones, 370

public IP addresses for EC2 instances, 484–486

public-read ACLs, 541

public-read-write ACLs, 541

public services in global infrastructure, 415

public snapshots

Elastic Block Store, 167

RDS database, 167

public subnets for bastion hosts, 475–479

public VIFs, 451–452

publishing CloudWatch metrics, 95–98

put-bucket-lifecycle command, 581

put-metric-data command, 98–99

put-object command, 571

PutObject method, 444

Python programming language

AWS Encryption SDK, 340, 342

DynamoDB Encryption Client, 359–361

master keys, 333

Q

queries for CloudWatch Logs, 204

query strings in CloudFront, 481

R

rate-based rules for WAF, 402–403

raw keyrings, 338–339

RCA. See root cause analysis (RCA)

RDK (Rule Development Kit), 132–135

rds-instance-public-access-check rule, 130

RDS (Relational Database Service) database

logs, 177

public snapshots, 167

READ_ACP permissions for access control lists, 539

read-only JCE key stores, 282

READ permissions for access control lists, 539

real-time application, CloudWatch Logs monitoring for, 204

Reboot counter field in AWS CloudHSM logs, 285

received_bytes field in Elastic Load Balancer log access, 226

recent changes in Trusted Advisor, 167

reconnaissance, GuardDuty for, 141

recorder, configuration, 128

recovery

data protection, 23–24

incident response plans, 30

Reliability pillar, 8

recursive resolvers in DNS, 368–369

redirect_url field in Elastic Load Balancer log access, 227

Referer field in S3 access logs, 232

refreshing Trusted Advisor, 167

regional endpoints in API Gateway, 384

regions

ARNs, 511

CloudTrail logs, 183–184

CloudTrail trails, 180

global infrastructure, 411–412

regular rules for WAF, 402

RejectedConnectionCount metric in CloudWatch, 93

related events in configuration items, 125

Relational Database Service (RDS) database

logs, 177

public snapshots, 167

relationships, resource, 125

Reliability pillar

best practices, 9

design principles, 8–9

remediation

automating. See automation

Config, 131–132, 136–140

event. See event remediation and planning

remote access with Session Manager, 503–505

Remote IP field in S3 access logs, 232

renewing

ACM certificates, 308

public certificates, 315–316

ReplicateObject method, 444

replication

data protection, 23–24

secrets, 303–304

Representational State Transfer (REST) APIs, 382–383

request field in Elastic Load Balancer log access, 226

request_creation_time field in Elastic Load Balancer log access, 226

Request ID field in S3 access logs, 232

request_processing_time field in Elastic Load Balancer log access, 225

Request-URI field in S3 access logs, 232

request validation for API Gateway, 385

Requested DurationSeconds Exceeds MaxSessionDuration Set for This Role message, 597

requested material descriptions in DynamoDB Encryption Client, 354

Requester field in S3 access logs, 232

Require Acceptance For Endpoint option, 446

resource attributes in configuration items, 125

resource-based policies

authorization, 529–537

Organizations SCPs, 533–534

permission boundaries, 531–533

session, 534–537

resource configuration monitoring. See Config service

Resource field in authorization documents, 521

resource owners in S3, 560–561

resource policies

API Gateway, 389

secrets, 301–303

resources

ARNs, 511

Cost Optimization pillar, 13

Response field in CloudHSM logs, 285

response_processing_time field in Elastic Load Balancer log access, 225

Response Signature Invalid message, 597

REST (Representational State Transfer) APIs, 382–383

Restrict Viewer Access setting in CloudFront, 375

retention of CloudWatch Logs, 204

reversible changes in Operational Excellence pillar, 4

reviews in Performance Efficiency pillar, 11

revoke-certificate command, 324

revoked status for public certificates, 316

revoking private certificates, 322–324

risk auditing in CloudTrail, 177–193

roles

accounts, 544

endpoint policies, 444

IAM, 15, 513–515

RoleSessionName in AuthnResponse Must Match message, 596

RoleSessionName is Required in AuthnResponse message, 596

root CAs, 319

root cause analysis (RCA)

Abuse notices, 47–48

event investigation, 47–54

findings review, 51–54

log review, 48–50

root OUs, 546

root users and accounts authentication, 15, 166, 510

root-account-mfa-enabled rule, 130

rotation

CMKs, 267–268

secrets, 294–295, 303–306

Route 53

DNS attacks, 371–372

DNS hosted zones, 370–371

overview, 367–370

route propagation in transit gateway, 468

route tables

EC2 instances, 488–489

public subnets, 477

transit gateway, 466–467

VPCs, 418–420

routing

site-to-site VPNs, 458

transit gateway, 464

RSA key pairs

CMKs, 240

KMS support, 246

RSA keyrings, 338–339

RSA keys

JCE for, 282

OpenSSL, 283

PKCS#11 for, 282

public certificates, 309

Rule Development Kit (RDK), 132–135

rules

ACLs, 477–478

Application Load Balancers, 394

CloudWatch events, 105–109

Config, 129–140

EventBridge, 67–68

NACLs, 487–488, 491

Secrets Manager, 307

security groups, 436–437, 479

WAF, 401–403

Run Command

CloudWatch Logs agent, 211–213

Systems Manager, 79–82

S

S3. See Simple Storage Service (S3)

S3 Glacier, 572–574

S3 Glacier Deep Archive, 572–574

SaaS (Software as a Service), 548

SAML (Security Assertion Markup Language)

authentication troubleshooting, 595–597

federation, 516–519

single sign-on, 548–549

SAST (static application security testing) tools, 503

sc fields in CloudFront access logs, 228, 230

scaling in Reliability pillar, 8

schedule-key-deletion command, 108

schedules for CMK deletions, 265–266

SCPs (service control policies), 16–17

Organizations, 533–534, 545–546

overview, 584–585

secret keys in authentication, 513

Secrets Manager

authentication and access control, 301–303

description, 292

monitoring, 306–307

overview, 293–294

rotation, 294–295

rules, 307

secrets management, 296–300

secrets overview, 294

secrets rotating and replicating, 303–306

secured services, 294

staging labels, 295–296

secretsmanager-rotation-enabled-check rule, 307

secretsmanager-scheduled-rotation-success-check rule, 307

Secure Shell (SSH)

brute-force attacks, 151

CloudFront, 481

failed login attempts, monitoring, 208–218

key pairs in EC2, 71

Secure Sockets Layer (SSL) protocol

certificates, 377

CloudFront, 374–375

pinning, 309–310

secured services in Secrets Manager, 294

security analysis, Config for, 120

Security Assertion Markup Language (SAML)

authentication troubleshooting, 595–597

federation, 516–519

single sign-on, 548–549

security groups

EC2 instances, 72, 486–487

interface endpoints, 442

network access, 436–440

public subnets, 479

remediating, 136–140

Trusted Advisor, 166

Security Hub

configuring, 163–164

enabling, 164

findings, 165

incident response, 41–42

overview, 162–163

root cause analysis, 51, 53

security information and event management (SIEM) tools, 162

security overview, 1–2

Cost Optimization pillar, 12–13

Operational Excellence pillar, 3–5

Performance Efficiency pillar, 10–12

questions, 26–27

Reliability pillar, 8–9

resources, 28

review, 25

Security pillar, 5–8

shared responsibility model. See shared responsibility model

Security pillar, 5, 13–14

best practices, 7–8

data protection, 21–24

design principles, 6–7

detective controls, 17–19

IAM, 14–17

incident response, 24–25

infrastructure protection, 19–21

Security Token Service (STS)

IAM, 16

role credentials, 513

temporary credentials, 537–543

SecurityAdminAccess role, 535

selection in Performance Efficiency pillar, 11

sensitive data in Macie, 152–162

sensitive information in accidental commits, 76–77

sent_bytes field in Elastic Load Balancer log access, 226

Sequence No field in AWS CloudHSM logs, 285

Server Message Block (SMB) protocol, 435

Server Name Indicator (SNI), 396–397

serverless architectures in Performance Efficiency pillar, 10

service control policies (SCPs), 16–17

Organizations, 533–534, 545–546

overview, 584–585

service-level protection, 21

service limits in Trusted Advisor, 166–167

service logs, 176

service names for interface endpoints, 442

ServiceLens service, 110–112

Session handle field in AWS CloudHSM logs, 285

Session Manager, remote access with, 503–505

session policies, resource-based, 534–537

shared responsibility model, 2, 13–14

data protection, 21–24

detective controls, 17–19

IAM, 14–17

incident response, 24–25

infrastructure protection, 19–21

shared VPCs, 427–428

sharing

AWS CloudHSM keys, 279

CloudTrail logs, 184–190

Shield service

DDoS response team, 405–406

features, 403–404

incident response, 31

Shield Advanced service

features, 405

incident response, 31

shuffle-sharding, 367, 372

SId field in authorization documents, 521

SIEM (security information and event management) tools, 162

sign-in events, logging, 203

Sign only attribute in DynamoDB Encryption Client, 353

Signature Version field in S3 access logs, 232

signed cookies in CloudFront, 377–378

signed fields in DynamoDB Encryption Client, 348–350

signed URLs in CloudFront, 377–378

Simple Notification Service (SNS) topics

alerts, 63–65

CloudTrail, 180

CloudWatch alarms, 102

configuration streams, 128–129

Simple Storage Service (S3)

access control lists, 538–541

access logs, 231–232

buckets. See buckets

CloudFront, 380–381, 482

data keys, 244

endpoint policies, 444–445

groups, 561

lifecycle policies, 572–581

logs, 177

Macie, 152–162

objects. See objects in S3

resource owners, 560–561

sensitive data, 153–155

Single Sign-On (SSO), 16, 516–517, 548–549

site-to-site VPNs, 455–459

SMB (Server Message Block) protocol, 435

snapshots

configuration, 126–128

Elastic Block Store, 167

SNI (Server Name Indicator), 396–397

SNS topics. See Simple Notification Service (SNS) topics

Software as a Service (SaaS), 548

software libraries in CloudHSM, 281–283

software VPNs, 460–461

software vulnerabilities in DNS, 372

Specified Provider Doesn’t Exist message, 597

SQL injection, firewalls for, 400–401

srcaddr field in VPC flow logs, 223

srcport field in VPC flow logs, 223

SSH. See Secure Shell (SSH)

ssl-cipher field in CloudFront access logs, 230

ssl_cipher field in Elastic Load Balancer log access, 226

ssl-protocol field in CloudFront access logs, 230

ssl_protocol field in Elastic Load Balancer log access, 226

SSL (Secure Sockets Layer) protocol

certificates, 377

CloudFront, 374–375

pinning, 309–310

SSL/TLS offloading in AWS CloudHSM, 271

SSM agent, 496

ssmmessages endpoint, 496

SSO (Single Sign-On), 16, 516–517, 548–549

stacks in CloudFormation, 72

staging labels for secrets, 295–296

stand-alone policies for authorization, 522

start field in VPC flow logs, 223

start-query-execution command, 593

stateful network access control, 431

stateless network access control, 431

Statement field in authorization documents, 520

static access keys with compromised credentials, 74

static application security testing (SAST) tools, 503

static credentials in IAM, 15

static materials providers in DynamoDB Encryption Client, 356–357

static thresholds for CloudWatch alarms, 102

statistics in CloudWatch metrics, 94

StatisticSet, 98

status for public certificates, 316

storage

CloudTrail, 182

S3. See Simple Storage Service (S3)

streams

CloudWatch Logs, 205

configuration, 128–129

string operations in identity-based policies, 525

STS (Security Token Service)

IAM, 16

role credentials, 513

temporary credentials, 537–543

subdomains for public certificates, 315

subnets

bastion hosts, 475–479

interface endpoints, 442

NAT gateway, 490–491

VPCs, 418

subordinate CAs, 319

success status for public certificates, 316

supply and demand in Cost Optimization pillar, 13

Support API in Trusted Advisor, 167

symmetric CMKs, 240

creating, 261–264

overview, 266–267

symmetric keys, 330–331

Synthetics service, 110, 112–113

system logs, monitoring, 206–218

system security configuration and maintenance, 20–21

systems, monitoring, 204

Systems Manager

CloudWatch Logs agent, 213

gateways, 497

incident avoidance, 79–82

Managed Instances dashboard, 210

patching baselines, 498–500

SSM agent, 496

T

TableInfo class, 359–360

tag policies for member accounts, 546

target_group_arn field in Elastic Load Balancer log access, 226

target groups in Application Load Balancers, 394

target_processing_time field in Elastic Load Balancer log access, 225

target_status_code field in Elastic Load Balancer log access, 226

target_status_code_list field in Elastic Load Balancer log access, 227

target:port field in Elastic Load Balancer log access, 225

target:port_list field in Elastic Load Balancer log access, 227

targets

CloudWatch events, 105

EventBridge, 67–68

TDE (Transparent Data Encryption), 271

technologies in Performance Efficiency pillar, 10

temporary access keys for compromised credentials, 74

temporary credentials

access control lists, 538–543

STS, 537–543

Tenable Flawcheck tool, 503

testing CloudWatch rules, 108–110

threats

firewalls for, 399–401

GuardDuty detection of, 141–151

throttling in API Gateway, 79, 386

Time field

AWS CloudHSM logs, 285

CloudFront access logs, 228

S3 access logs, 232

time stamps in CloudWatch metrics, 93

time-taken field in CloudFront access logs, 229

time-to-first-byte field in CloudFront access logs, 230

time-to-live (TTL) periods in API Gateway, 79

time to market improvements, monitoring for, 88

timed out status for public certificates, 316

timestamp field in Elastic Load Balancer log access, 225

TLDs (top-level domains) in Route 53, 367

TLS/SSL protocol for Elastic Load Balancer, 395

TLS (Transport Layer Security) version in API Gateway, 390–391

TLS version field in S3 access logs, 232

tokens

data protection, 22

grants, 253–254

top-level domains (TLDs) in Route 53, 367

topics

alerts, 63–65

CloudTrail, 180

CloudWatch alarms, 102

configuration streams, 128–129

Total Time field in S3 access logs, 232

trace_id field in Elastic Load Balancer log access, 226

traceability in Security pillar, 6

trade-offs in Performance Efficiency pillar, 12

trails. See CloudTrail

transit gateway

associations, 467–468

attachments, 466

components, 464–465

overview, 464

route propagation, 468

route tables, 466–467

routing example, 468–469

transit VIFs, 452–453

transit VPNs, 461–462

transition actions in S3 lifecycle, 572–581

transparency logs for ACM certificates, 310

Transparent Data Encryption (TDE), 271

Transport Layer Security (TLS) version in API Gateway, 390–391

Trend Micro Deep Security ISP, 502

Triple DES keys, PKCS#11 for, 282

troubleshooting

authentication, 585–595

bucket policies, 559–565

CloudFront bucket access, 482

CloudWatch Logs agent, 218–219

egress, 483–491

federation, 595–597

ingress, 475–482

operational, 206

Organizations, 582–585

questions, 598–602

resources, 602

review, 598

SCPs, 584–585

Trusted Advisor

checks, 167–168

introduction, 165–166

trusted IP lists in GuardDuty, 142

trusted keys in CloudHSM, 279

TTL (time-to-live) periods in API Gateway, 79

Turn-Around Time field in S3 access logs, 232

two-factor authentication (2FA), 510

type field in Elastic Load Balancer log access, 225

U

Unauthenticated User in CloudHSM, 278

units in CloudWatch metrics, 94

updating base images, 502–503

URIs for S3 groups, 561–562

URLs in CloudFront, 377–378

usage plans in API Gateway, 386

user_agent field in Elastic Load Balancer log access, 226

User-Agent field in S3 access logs, 232

user behavior, monitoring for, 90

user management in AWS CloudHSM, 278–279

user pools

Amazon Cognito, 543

API Gateway, 389–390

users in IAM, 15, 510

V

validate-logs command, 193

validity period for ACM certificates, 308

values for CloudWatch metrics, 93

verification for data keys, 248

Version field

authorization documents, 520

VPC flow logs, 223

Version Id field in S3 access logs, 232

Viewer Protocol Policy setting in CloudFront, 375

VIFs (virtual interfaces), 451–454

virtual private clouds (VPCs)

access and access control, 475–482

attached services, 415

CloudHub, 461, 463

DNS resolution, 428–430

Elastic IP addresses, 431

Elastic Network Interface, 430

endpoints, 440–446, 501

flow logs. See VPC flow logs

Internet Gateway, 420–422, 424–425, 483–484

logs, 177

NACLs, 431–435

NAT gateway, 422–424, 490–491

on-premises network connections, 446–459

Organizations, 583

overview, 416–417

peering, 425–427

route tables, 418–420

secrets, 304

security groups, 436–440

shared, 427–428

subnets, 418

Systems Manager, 497–498

virtual private gateways (VPGs), 457

virtual private interfaces, 451–454

virtual private networks (VPNs)

Direct Connect, 459–460

site-to-site, 455–459

software, 460–461

transit, 461–462

visibility, monitoring for, 88

VPC flow logs

basics, 220–221

data, 221–222

fields, 222–223

GuardDuty data source, 142

incident response, 38

overview, 219–220

root cause analysis, 50

traffic logged, 222

VPC links in API Gateway, 385, 390

VPCs. See virtual private clouds (VPCs)

W

WAF. See Web Application Firewall (WAF)

Wavelength zones in global infrastructure, 414

Web ACL Capacity Units (WCUs), 402

Web API attacks, 382

Web Application Firewall (WAF)

Classic, 401–402

incident response, 32–33

overview, 398

threats, 399–401

versions, 398–399

WAFv2, 402–403

web applications with CloudFront, 479–482

web servers, launching, 145–147

WebACLs container, 401

WebSocket APIs, 382

Well-Architected Framework, 1

WHOIS contacts for ACM certificates, 312

wildcard certificates in ACM, 292

wildcard domains in public certificates, 315

wildcard names in ACM certificates, 309

workflows

auditing controls, 18–19

EC2 instances, 82

workload behavior, monitoring for, 90

Wrapped Materials Provider (Wrapped CMP), 356

wrapping AWS CloudHSM keys, 279–280

WRITE permissions for access control lists, 539

WRITE_ACP permissions for access control lists, 539

X

X.509 certificates

ACM, 292

private certificates, 318

x-edge-detailed-result-type field in CloudFront access logs, 230

x-edge-location field in CloudFront access logs, 228

x-edge-request-id field in CloudFront access logs, 229

x-edge-response-result-type field in CloudFront access logs, 230

x-edge-result-type field in CloudFront access logs, 229

x-forwarded-for field in CloudFront access logs, 229

x-host-header field in CloudFront access logs, 229

XSS (cross-site scripting), firewalls for, 399–400

Y

YAML templates conformance packs, 140–141

Your Request Included an Invalid SAML Response To Logout message, 596

Z

zones, DNS, 370–371

© 1994 - 2024 Cloud Monk Losang Jinpa or Fair Use. Disclaimers

aws_certified_security_specialty_all-in-one_exam_guide_exam_scs-c01_index.txt · Last modified: 2024/04/28 03:36 (external edit)