AWS Certified Security – Specialty Certification

Course


Training Architect: Adrian Cantrill

Length: 31:32:36

Difficulty: Advanced

Course Details

The AWS Certified Security Specialty is a certification based around securing applications in AWS. It is one of three specialty certifications offered by AWS. The certification focuses on five components, or domains, of designing and operating security in the cloud. These are:

Identity and Access Management
Detective Controls
Infrastructure Protection
Data Protection
Incident Response

This course has been developed to provide you with the requisite knowledge to not only pass the AWS Certified Security Specialty certification exam but also gain the hands-on experience required to become a qualified AWS security specialist working in a real-world environment.

Please connect with us at slack.linuxacademy.com in the #security channel if you have questions or feedback.

Syllabus

Course Introduction

Getting Started

Course Introduction

00:02:49

Lesson Description:

Introduction

This lesson introduces the AWS Certified Security Specialty course. To access the Security Specialty Runbook: https://interactive.linuxacademy.com/diagrams/SecuritySpecialtyRunbook.html

As of October 11, 2018, AWS no longer requires you to hold an Associate or Foundational certification to sit for any Professional or Specialty certification exam. However, to ensure your success, we highly recommend you follow Linux Academy's suggested prerequisites (for both our coursework and AWS exams). These prerequisite suggestions can be found in the "Details" section of the course syllabus.

About the Training Architect

00:02:15

Lesson Description:

Course Author

This video introduces Adrian, the course instructor.

Social Media Contacts
https://twitter.com/@adriancantrill
https://www.linkedin.com/in/adriancantrill/

Introduction to the Security Runbook Interactive Diagram

00:04:39

Lesson Description:

In this lesson I step through the Security Specialty Runbook, the interactive learning aid created for this course. The document is available here: https://interactive.linuxacademy.com/diagrams/SecuritySpecialtyRunbook.html. I'd encourage you to download it and watch this lesson as a primer for the course.

Course Features and Tools

00:11:02

Lesson Description:

This lesson introduces all of the tools available to the student as they go through the AWS Certified Security Specialty preparation course.

Lesson Links
https://bit.ly/2xD4jsQ
https://www.linkedin.com/in/mrichman/

Domain 1 : Incident Response

Domain 1 - Introduction

Domain 1 - Introduction

00:06:12

Lesson Description:

A quick introduction into the topics covered in domain 1 of the course, and perhaps more importantly, why these topics are essential for any security professional.

1.1 - Given an AWS Abuse Notice, Evaluate a Suspected Compromised Instance or Exposed Access Keys

AWS Abuse Notification

00:17:04

Lesson Description:

AWS externally monitors traffic traveling in and out of the AWS infrastructure. They will take action and notify account holders if patterns are found, such as port scanning, penetration testing, IP spoofing, and interception. These detections can sometimes be false positives, as legitimate business functions can look like attacks. As a security specialist, it is vital that you follow the AWS Acceptable Use Policy and that any security testing of your environments has prior authorization from AWS.

Important Links
AWS Acceptable Use Policy: https://aws.amazon.com/aup/
Note: some tests no longer require prior approval. For details, see https://aws.amazon.com/security/penetration-testing/

Responding to AWS Abuse Notifications

00:15:18

Lesson Description:

Once we have received an AWS Abuse notification, it is vital that we take action to remedy the situation and respond to AWS. The response depends on what resources have been compromised or exposed. This video offers some response options as well as discusses some best practices to avoid compromise and exposure altogether.

Hands-on Labs are real live environments that put you in a real scenario to practice what you have learned without any other extra charge or account to manage.

00:30:00

1.2 Verify that the Incident Response plan includes relevant AWS services.

What is Incident Response?

00:08:20

Lesson Description:

Before diving into what services we can use for each phase of incident response, we need to discuss the overall framework and where it came from. This video discusses incident response at a very high level and introduces the phases of the IR framework.

Lesson Links
https://nvd.nist.gov/800-53/Rev4/family/Incident%20Response
https://csrc.nist.gov/publications/detail/sp/800-61/rev-2/final

Incident Response Framework: Part 1

00:21:50

Lesson Description:

A high-level discussion of the Incident Response framework is necessary so that we have an understanding of how the different services and details fit into the framework later on. We will be referring back to the phases of this framework throughout the course. This video discusses the first three phases: preparation, identification, and containment.

Incident Response Framework: Part 2

00:13:35

Lesson Description:

A high-level discussion of the Incident Response framework is necessary so that we have an understanding of how the different services and details fit into the framework later on. We will be referring back to the phases of this framework throughout the course. This video discusses the remaining four phases: investigation, eradication, recovery, and follow-up.

1.3 Evaluate the Configuration of Automated Alerting and Execute Possible Remediation of Security-Related Incidents and Emerging Issues

Automated Alerting

00:30:08

Lesson Description:

One of the benefits of cloud computing is the automatic scalability and reliability. Security in the cloud should be no different. We can use automation to help make our jobs easier and to fill in the gaps that human error can sometimes create. This video discusses automated alerting and a way we can categorize actions in the process and provides two examples of how we can get automated email notifications whenever we create an IAM user.

Automated Incident Response

00:12:02

Lesson Description:

Continuing our discussion of security automation in AWS, we can use many different triggers and responders in our automation chains. The possibilities for automating exposure remediation are almost endless. This video discusses three stages of automation as well as some examples of how to use automated response in AWS.

CloudTrail Automation Example

00:11:10

Lesson Description:

CloudTrail is very important in the security realm because it records every API call executed on our resources. Making sure that you enable CloudTrail logging is a security best practice. This video is a walkthrough of how to set up automation that restarts logging if CloudTrail is stopped.

Lambda function code:

    import json
    import boto3
    import sys

    print('Loading function')


    def lambda_handler(event, context):
        """Re-enable the trail named in a CloudTrail StopLogging event."""
        try:
            client = boto3.client('cloudtrail')
            if event['detail']['eventName'] == 'StopLogging':
                # The trail name is carried in the original API call's parameters
                response = client.start_logging(
                    Name=event['detail']['requestParameters']['name'])
        except Exception as e:
            print(e)
            sys.exit()

Hands-on Lab

00:30:00

Domain 2 : Logging and Monitoring

Domain 2 - Introduction

Logging and Monitoring Introduction

00:02:02

Lesson Description:

In this video, I'll introduce the topics covered in domain 2 of the course, including why objectives 2.3 and 2.4 are covered before 2.1 and 2.2.

2.3 Design and Implement a Logging Solution

CloudTrail Logging

00:22:51

Lesson Description:

CloudTrail is very important in the security realm because it records every API call executed on our resources. We can also create trails that allow us to store logs for longer than 90 days and use them to trigger automation events. It is a security best practice to make sure CloudTrail logging is always enabled. This video gives information about what CloudTrail does and how to configure it.

CloudWatch Logs: CloudTrail

00:14:14

Lesson Description:

CloudWatch Logs is a service that helps us aggregate logs from several different resources into one location. These resources include CloudTrail, VPC Flow Logs, the CloudWatch Agent for EC2, and DNS Query Logs. In this video, we will discuss CloudWatch Logs and walk through how to send CloudTrail into a Log Group.

CloudWatch Logs: VPC Flow Logs

00:16:59

Lesson Description:

Flow logs from our VPCs give us IP traffic information we can use to determine which hosts are communicating with our resources and which conversations and ports are accepted or rejected. Flow logs are also a great tool to see just how often hosts on the internet are probing our resources for vulnerabilities. This video is a walkthrough of the configuration of VPC flow logs and a brief look at what information these logs contain.
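As an added example that is not part of the course or its lab materials, the following Python script parses a handful of constructed version 2 flow log records (the default field order: version, account-id, interface-id, srcaddr, dstaddr, srcport, dstport, protocol, packets, bytes, start, end, action, log-status) and counts rejected inbound flows per external source, flagging sources whose rejected traffic touched several distinct ports. The account id, interface id and addresses are constructed sample values, and the local prefix 10.0. is an assumption about the VPC's address range.

```python
# Added example (not course code): summarise REJECTed inbound flows from
# VPC Flow Log records so that repeated probing of our resources stands out.
from collections import Counter, defaultdict

# Constructed sample records in the default (version 2) flow log format.
# The last record is a NODATA record, which carries no flow fields.
SAMPLE_FLOW_LOGS = """\
2 123456789012 eni-0a1b2c3d 203.0.113.5 10.0.1.10 51234 22 6 1 44 1550000000 1550000060 REJECT OK
2 123456789012 eni-0a1b2c3d 203.0.113.5 10.0.1.10 51235 23 6 1 44 1550000001 1550000061 REJECT OK
2 123456789012 eni-0a1b2c3d 203.0.113.5 10.0.1.10 51236 3389 6 1 44 1550000002 1550000062 REJECT OK
2 123456789012 eni-0a1b2c3d 198.51.100.7 10.0.1.10 40000 443 6 20 9000 1550000003 1550000063 ACCEPT OK
2 123456789012 eni-0a1b2c3d 10.0.1.10 198.51.100.7 443 40000 6 18 12000 1550000003 1550000063 ACCEPT OK
2 123456789012 eni-0a1b2c3d - - - - - - - 1550000004 1550000064 - NODATA
"""

FIELDS = ["version", "account_id", "interface_id", "srcaddr", "dstaddr",
          "srcport", "dstport", "protocol", "packets", "bytes", "start",
          "end", "action", "log_status"]


def parse_flow_log(text):
    """Parse flow log lines into dicts, skipping NODATA/SKIPDATA records."""
    records = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != len(FIELDS):
            continue
        rec = dict(zip(FIELDS, parts))
        if rec["log_status"] != "OK":
            continue  # no flow fields to interpret
        for key in ("srcport", "dstport", "protocol", "packets", "bytes"):
            rec[key] = int(rec[key])
        records.append(rec)
    return records


def rejected_by_source(records, local_prefix="10.0."):
    """Count REJECTed flows per external source and the distinct ports probed.

    local_prefix (assumed VPC range) filters out outbound rejects, which are
    our own hosts being blocked rather than the internet probing us.
    """
    counts = Counter()
    ports = defaultdict(set)
    for rec in records:
        if rec["action"] != "REJECT" or rec["srcaddr"].startswith(local_prefix):
            continue
        counts[rec["srcaddr"]] += 1
        ports[rec["srcaddr"]].add(rec["dstport"])
    return {src: {"rejects": n, "ports": sorted(ports[src])}
            for src, n in counts.items()}


def probing_sources(records, min_ports=3):
    """Sources whose rejected flows touched at least min_ports distinct ports."""
    summary = rejected_by_source(records)
    return sorted(src for src, s in summary.items()
                  if len(s["ports"]) >= min_ports)


if __name__ == "__main__":
    recs = parse_flow_log(SAMPLE_FLOW_LOGS)
    print(rejected_by_source(recs))
    print("sources probing multiple ports:", probing_sources(recs))
```

The same parser works on lines exported from a CloudWatch Logs log group or read from S3; the threshold in probing_sources is the knob to tune against your own baseline of rejected traffic.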

CloudWatch Logs: Agent for EC2

00:22:47

Lesson Description:

OS-level metrics and logs are not sent to CloudWatch from EC2 by default. These metrics include memory, disk-use percentages, and swap file usage. For you to be able to incorporate these in your logging, the CloudWatch Agent must be installed. This video walks through a CloudWatch Agent install and configuration and shows examples of the logs.

Commands to install the CloudWatch Agent:

    wget https://s3.amazonaws.com/amazoncloudwatch-agent/linux/amd64/latest/AmazonCloudWatchAgent.zip
    unzip AmazonCloudWatchAgent.zip
    sudo ./install.sh
    sudo /opt/aws/amazon-cloudwatch-agent/bin/amazon-cloudwatch-agent-config-wizard
    sudo /opt/aws/amazon-cloudwatch-agent/bin/amazon-cloudwatch-agent-ctl -a fetch-config -m ec2 -c file:/opt/aws/amazon-cloudwatch-agent/bin/config.json -s

Fetching the config from SSM Parameter Store:

    sudo /opt/aws/amazon-cloudwatch-agent/bin/amazon-cloudwatch-agent-ctl -a fetch-config -m ec2 -c ssm:AmazonCloudWatch-linux -s

SSM commands: run AWS-ConfigureAWSPackage and AmazonCloudWatch-ManageAgent.

CloudWatch Logs: DNS Query Logs

00:09:46

Lesson Description:

DNS query logging records the responses returned by Route 53 edge locations around the world. The domain can be registered using R53 or another registrar, but it must use R53 as its nameserver provider for this to work. This video shows how to enable DNS query logging and shows some examples. The edge locations in the logs are identified by airport codes.

S3 Access Logs

00:10:18

Lesson Description:

S3 access logs are a collection of access requests for whatever buckets we have them enabled on. It is important to know these are not near-real-time logs and take a while to report. There is some good information in these logs, but this same information is available in easier forms with other services, for the most part. This video walks through the process of configuring S3 access logs and what permissions are necessary.

Multi-Account: Centralized Logging

00:22:04

Lesson Description:

The security best practice of dividing our business into multiple accounts presents a challenge when it comes to obtaining logs. We must become very familiar with resource policies and cross-account roles for us to be able to collect the logs effectively. This lesson shows how to set up CloudTrail API logging with three accounts logging to a single, secured bucket in a security account.

Hands-on Lab

01:00:00

2.4 Troubleshoot Logging Solutions

Troubleshoot Logging

00:25:39

Lesson Description:

Troubleshooting logging solutions in AWS is a straightforward process. To determine where the problem is, start at the beginning and work through step by step, checking configurations along the way. This video presents some of the common issues that can cause problems with logging in AWS.

Lesson Links
https://docs.aws.amazon.com/AmazonVPC/latest/UserGuide/flow-logs.html#flow-logs-records-examples

Multi-Account: Troubleshoot Logging

00:11:24

Lesson Description:

Many things can go wrong with multi-account logging. The most common of these involve permissions. Resource policies such as bucket and key policies must be correct for us to collect logs from other accounts. This lesson discusses some of the potential issues we face and some of the problems I experienced in building environments for this course. It is also a reminder to use a methodical, end-to-end approach when troubleshooting these issues.

Hands-on Lab

00:30:00

2.1 Design and implement security monitoring and alerting.

S3 Events

00:18:59

Lesson Description:

S3 events can be used to create notifications based on object actions. When an object event occurs, we can then use SNS, SQS, or Lambda to notify and possibly take actions on that object. This video discusses the basics and walks through a sample configuration using SNS as the notification service.

Statement added to the SNS topic policy (replace ACCOUNTID and TOPIC with your own values):

    {
      "Sid": "s3eventsD",
      "Effect": "Allow",
      "Principal": { "Service": "s3.amazonaws.com" },
      "Action": [ "SNS:Publish" ],
      "Resource": "arn:aws:sns:us-east-1:ACCOUNTID:TOPIC"
    }

Files for the second demo: https://github.com/linuxacademy/la-aws-security_specialty/tree/master/S3Events

CloudWatch Logs: Metric Filters and Custom Metrics

00:14:11

Lesson Description:

Once CloudWatch Logs collects the logs, we can then use filters to create custom metrics. We can also alert SNS using those same filters, creating a monitoring workflow from the collection of logs. This video discusses and shows how to accomplish this.

CloudWatch Events

00:20:40

Lesson Description:

CloudWatch Events allow us to create rules that are triggered by services and API calls or through scheduling. These rules can then interact with many different services in our environment. CloudWatch Events are also the central block in many of the automation workflows we can build. This lesson dives into the specifics and shows some examples of how we can use this service.

Links
https://docs.aws.amazon.com/AmazonCloudWatch/latest/events/ScheduledEvents.html
https://docs.aws.amazon.com/AmazonCloudWatch/latest/events/iam-access-control-identity-based-cwe.html

Lambda Function

    import boto3


    def lambda_handler(event, context):
        # Use the region the event occurred in, so the client targets the right instance
        region = event['region']
        instances = [event['detail']['instance-id']]
        print('detected stopped instance: ' + str(instances))
        ec2 = boto3.client('ec2', region_name=region)
        ec2.start_instances(InstanceIds=instances)
        print('started your instances: ' + str(instances))

Multi-Account: CloudWatch Event Buses

00:14:45

Lesson Description:

CloudWatch Event Buses are a convenient way for us to share CloudWatch Events across accounts. In a multi-account environment, we can configure CloudWatch Events in all of the secondary accounts to send to the primary account's event bus. We can set up automation based on these events and interact with all the resources in our organization regardless of which account the event was sent from. This lesson looks at an example of centralizing event triggers and rules to manage the organization.

AWS Config

00:23:20

Lesson Description:

AWS Config can inventory our resources and track configurations of those resources over time. We can also set up rules that will evaluate our resources and alert us to those that are not compliant with our rules. This lesson looks at how we enable AWS Config and will show both the historical configurations as well as using Config as a configuration compliance tool.

AWS Inspector

00:21:33

Lesson Description:

AWS Inspector allows us to run vulnerability scans on our EC2 instances. The instances can be evaluated using security best practices, runtime behaviors, common vulnerabilities, and CIS security configuration benchmarks. This lesson shows how Inspector is used to evaluate EC2 instances and discusses some of its findings.

Links
https://docs.aws.amazon.com/inspector/latest/userguide/inspector_rule-packages.html
https://docs.aws.amazon.com/inspector/latest/userguide/inspector_rule-packages_across_os.html
https://docs.aws.amazon.com/inspector/latest/userguide/inspector_cves.html
https://docs.aws.amazon.com/inspector/latest/userguide/inspector_cis.html
https://docs.aws.amazon.com/inspector/latest/userguide/inspector_security-best-practices.html
https://docs.aws.amazon.com/inspector/latest/userguide/inspector_runtime-behavior-analysis.html

Hands-on Lab

01:00:00

Hands-on Lab

01:00:00

2.2 Troubleshoot security monitoring and alerting.

Hands-on Lab

01:00:00

Domain 3: Infrastructure Security

3.1 Design Edge Security on AWS

CloudFront

00:31:30

Lesson Description:

CloudFront

CloudFront is a Content Delivery Network (CDN) provided via AWS Edge Locations. It's often the entry point for customers, and potentially attackers. In this lesson, we walk through and demo some of the important security-related aspects of the product.

Lesson Links
https://docs.aws.amazon.com/lambda/latest/dg/lambda-edge.html
https://docs.aws.amazon.com/AmazonCloudFront/latest/DeveloperGuide/field-level-encryption.html
https://docs.aws.amazon.com/AmazonCloudFront/latest/DeveloperGuide/AccessLogs.html

Restricting S3 to CloudFront

00:11:11

Lesson Description:

Restricting S3 to CloudFront

In this lesson we build on the CloudFront foundations introduced in the previous lesson. We'll walk through the concept of Origin Access Identities (OAI) and how they can be used to secure S3 against direct access.

Signed URLs and Cookies

00:26:44

Lesson Description:

Signed URLs and Cookies

Signed URLs and Cookies provide a very granular level of control over content distribution, and support advanced content restriction. In this lesson I talk through and demo the usage of signed URLs and discuss when Cookies are and aren't appropriate.

Lesson Links
https://docs.aws.amazon.com/AmazonCloudFront/latest/DeveloperGuide/private-content-signed-urls.html
https://docs.aws.amazon.com/AmazonCloudFront/latest/DeveloperGuide/private-content-signed-cookies.html

CloudFront Geo Restriction

00:09:27

Lesson Description:

CloudFront Geo Restriction

Security of content is often more about controlling where your content is viewed than who it's viewed by. In this lesson we'll explore the two main ways that content distribution can be controlled: the in-built CloudFront method, and extending the functionality using 3rd-party solutions.

Forcing S3 Encryption

00:14:18

Lesson Description:

Forcing S3 Encryption

S3 provides a host of methods for encrypting objects. In this lesson we'll explore a few ways to enforce encryption on objects under our control, using bucket policies and default encryption settings.

S3 Cross Region Replication (CRR) - Security

00:17:10

Lesson Description:

S3 Cross Region Replication (CRR) - Security

S3 is capable of replicating objects between regions using CRR. As Security Engineers, we need to be aware of the security implications. In this lesson we'll examine those implications using four scenarios:

Single Account
Cross Account
Cross Account (Owner Change)
KMS Secured Objects

Lesson Links
https://docs.aws.amazon.com/AmazonS3/latest/dev/crr-how-setup.html
https://docs.aws.amazon.com/AmazonS3/latest/dev/crr-walkthrough-3.html
https://docs.aws.amazon.com/AmazonS3/latest/dev/crr-walkthrough-4.html

Web Application Firewall (WAF) and AWS Shield

00:23:07

Lesson Description:

Web Application Firewall (WAF) and AWS Shield

In this lesson, we'll explore the architecture and implementation of AWS WAF, and see how Shield fits into the AWS security portfolio. The focus is specifically on the differences between Shield Standard, which is included by default with all AWS services, and Shield Advanced, which includes additional features and capabilities.

Lesson Links
https://docs.aws.amazon.com/waf/latest/developerguide/ddos-overview.html

Hands-on Lab

00:30:00

3.2 Design and implement a secure network infrastructure.

VPC Design and Security

00:20:51

Lesson Description:

VPC Design and Security

The VPC is the core security entity for AWS private networking. In this lesson I'll talk you through VPCs, how I visualise them, and some of my thoughts around VPC design. We'll focus specifically on multi-tier vs flat architecture.

Security Groups

00:22:12

Lesson Description:

Security Groups are a core security control within AWS. They provide a stateful method of controlling ingress and egress traffic moving around a VPC. In this lesson we'll look at Security Groups in detail, including their architecture. We'll also examine some of their advanced features, like the ability to reference themselves, other security groups, and logical resources inside a VPC.

Network Access Control Lists (NACLs)

00:18:42

Lesson Description:

Network Access Control Lists (NACLs) offer a traditional stateless filtering feature set within AWS. They are attached to subnets, and control the traffic entering and leaving those subnets. In this lesson we'll walk through their functionality from a security engineer's perspective, focusing on their appropriate use and limitations.

VPC Peering

00:35:23

Lesson Description:

VPC Peering provides a scalable, private, secure, and high-bandwidth connection between VPCs. VPC Peers work within the same account, or in a cross-account architecture. They also function, with some limitations, between AWS regions. This lesson focuses on their features and limitations across these scenarios.

VPC Endpoints

00:30:22

Lesson Description:

This lesson looks at the architecture of VPC Endpoints. They are a feature of AWS VPCs which provide access to AWS public endpoints without using an Internet Gateway. We'll compare and contrast Gateway Endpoints and Interface Endpoints and watch how their functionality can be extended via resource and endpoint policies.

Lesson Links
https://docs.aws.amazon.com/vpc/latest/userguide/vpce-gateway.html
https://docs.aws.amazon.com/vpc/latest/userguide/vpce-interface.html
https://docs.aws.amazon.com/vpc/latest/userguide/vpc-endpoints-s3.html#vpc-endpoints-policies-s3
https://docs.aws.amazon.com/vpc/latest/userguide/vpce-interface.html#vpce-interface-limitations
https://docs.aws.amazon.com/vpc/latest/userguide/endpoint-service.html

Serverless Security

00:10:23

Lesson Description:

Serverless is a systems architecture which introduces a new set of security concerns and considerations. In this lesson, we'll examine AWS Lambda specifically and how to approach its security within a wider serverless ecosystem.

Lesson Links
https://docs.aws.amazon.com/lambda/latest/dg/intro-permission-model.html#intro-permission-model-access-policy
https://docs.aws.amazon.com/lambda/latest/dg/access-control-overview.html
https://docs.aws.amazon.com/lambda/latest/dg/access-control-resource-based.html

NAT Gateways

00:13:30

Lesson Description:

NAT Gateways are an AWS-managed implementation of NAT Instances (NAT software running on EC2). In this lesson we'll walk through the security changes, limitations, and benefits of NAT Gateways, then we'll compare them to NAT Instances from a security perspective.

Lesson Links
https://docs.aws.amazon.com/vpc/latest/userguide/vpc-nat-comparison.html

Egress-Only Internet Gateways

00:13:44

Lesson Description:

Egress-Only Internet Gateways are IPv6-specific versions of regular Internet Gateways. They are stateful, and only allow outgoing traffic that originates in the VPC. In this lesson we look together at why they exist, and when and how to use them in a secure way.

Bastion Hosts / Jump Boxes

00:09:06

Lesson Description:

A Bastion Host, or Jump Box, fills a critical role in the security of most Internet connected environments. In this lesson we discuss why jump boxes exist, how to implement them securely, and what advanced functionality they can provide.

Hands-on Lab

00:30:00

3.3 Troubleshoot a secure network infrastructure.

Troubleshoot a VPC

00:15:27

Lesson Description:

Troubleshoot a VPC

Troubleshooting is a key skill for any AWS security engineer. The ability to identify and correct issues within a VPC, in a safe and secure manner, is a great skill to have. In this lesson we'll step through some common issues relating to VPC fault-finding, from a security perspective.

3.4 Design and implement host-based security.

AWS Host/Hypervisor Security (disk/memory)

00:10:53

Lesson Description:

As a shared environment, the isolation and security of AWS is critical. This lesson looks at how the hypervisor isolates resources, with a specific focus on memory and disk.

Lesson Links
https://d1.awsstatic.com/whitepapers/Security/Security_Compute_Services_Whitepaper.pdf

Host Proxy Servers

00:05:42

Lesson Description:

In this lesson, we'll explore why running a proxy server on an EC2 instance can, in some cases, be worthwhile. Proxy servers can allow for security filtering and traffic control beyond traditional AWS services.

Host-Based IDS/IPS

00:09:13

Lesson Description:

This lesson looks at IDS and IPS running on EC2 instances. Why bother? And where does it fit into the AWS security services?

Lesson Links
https://aws.amazon.com/mp/scenarios/security/ids/

Systems Manager

00:18:02

Lesson Description:

AWS Systems Manager is an operational management service. In this lesson we'll delve into the aspects of Systems Manager that are important from a security perspective.

Lesson Links
https://docs.aws.amazon.com/systems-manager/latest/userguide/ssm-agent.html

Packet Capture on EC2

00:09:28

Lesson Description:

In this lesson we build upon the features provided by AWS Flow Logs, and install a simple packet capture application in EC2, then review the results.

Hands-on Lab

00:30:00

Domain 4: Identity and Access Management

4.1 Design and Implement a Scalable Authorization and Authentication System to Access AWS Resources.

IAM Policies

00:25:18

Lesson Description:

IAM policies are used extensively throughout AWS products and services. Being able to understand and create secure IAM policies that are flexible and provide the minimum rights required for a task is essential. As a security engineer you will be solely responsible for creating and evaluating policies, so in this lesson I discuss their architecture in addition to some advanced functionality.

Lesson Links
https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_elements_condition.html
https://docs.aws.amazon.com/amazondynamodb/latest/developerguide/specifying-conditions.html
https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_examples_dynamodb_columns.html
https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_variables.html

Example Policy (each user may list and access only their own prefix in the bucket):

    {
      "Version": "2012-10-17",
      "Statement": [
        {
          "Action": ["s3:ListBucket"],
          "Effect": "Allow",
          "Resource": ["arn:aws:s3:::la-homefolders"],
          "Condition": {"StringLike": {"s3:prefix": ["${aws:username}/*"]}}
        },
        {
          "Action": ["s3:GetObject", "s3:PutObject"],
          "Effect": "Allow",
          "Resource": ["arn:aws:s3:::la-homefolders/${aws:username}/*"]
        }
      ]
    }

Users, Groups, and Roles

00:29:14

Lesson Description:

IAM Users, Groups, and Roles are the three identities provided by IAM to which identity policies can be applied. Understanding the features, limitations, and appropriate usage of all three is an essential security skill. This lesson steps through each one, and provides some key guidance on when and how each should be used within an AWS environment.

Lesson Links
https://docs.aws.amazon.com/IAM/latest/UserGuide/best-practices.html
https://docs.aws.amazon.com/IAM/latest/UserGuide/id.html
https://docs.aws.amazon.com/general/latest/gr/aws_service_limits.html
https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_iam-limits.html#reference_iam-limits-entities

Permission Boundaries and Policy Evaluation

00:17:21

Lesson Description:

Permissions boundaries are a method to limit the effective permissions of IAM users, groups, and roles within AWS. They are a challenging concept to fully understand, but provide a substantial amount of security control for entities under your management. This lesson looks at permissions boundaries, together with how they impact permission evaluation. We'll also step through the global permissions evaluation process within AWS.

Lesson Links
https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies_boundaries.html
https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_evaluation-logic.html

Organizations and Service Control Policies

00:18:57

Lesson Description:

AWS Organizations is an extension of consolidated billing. It provides billing management for organizations using multiple AWS accounts. In this lesson we'll start by exploring the features of AWS organizations as they relate to a security professional. We'll be looking specifically at cross-account security. In the second part of the lesson, we'll look in detail at Service Control Policies, a feature which allows account level restrictions to be placed on managed accounts.

Resource Policies: S3 Bucket Policies

00:15:38

Lesson Description:

In this lesson we delve into S3 bucket policies, focusing mainly on when you would use bucket policies, and how they differ from IAM policies. We'll step through a number of examples designed to demonstrate the features of resource policies applied to S3 buckets.

Lesson Links
https://docs.aws.amazon.com/AmazonS3/latest/dev/WebsiteAccessPermissionsReqd.html
https://docs.aws.amazon.com/AmazonS3/latest/dev/example-bucket-policies.html
https://docs.aws.amazon.com/AmazonS3/latest/dev/example-bucket-policies-vpc-endpoint.html

Resource Policies: KMS Key Policies

00:13:39

Lesson Description:

Following up on the last lesson about S3 resource policies, in this lesson I take a look at KMS key policies. We discuss the multiple roles available within KMS, Key Admins and Key Usage, and how this separation enhances the security of the platform. Some advanced key policy concepts enter the picture here. We will get acquainted and discuss features and limitations, with a specific focus on the security certification.

Lesson Links
https://docs.aws.amazon.com/kms/latest/developerguide/key-policies.html

Cross-Account Access to S3 Buckets and Objects

00:17:53

Lesson Description:

Securing S3 buckets for access via a single account can often be challenging enough. In this lesson we'll step through how to provide access to buckets and objects using cross-account policies and roles. We review the pros and cons of each, and discuss appropriate usage.

Lesson Links
https://docs.aws.amazon.com/AmazonS3/latest/dev/example-bucket-policies.html#example-bucket-policies-use-case-8
https://aws.amazon.com/premiumsupport/knowledge-center/s3-bucket-owner-access/
https://aws.amazon.com/blogs/security/iam-policies-and-bucket-policies-and-acls-oh-my-controlling-access-to-s3-resources/

Bucket policy used in the lesson (the other account may upload only if it grants the bucket owner full control of the object):

    {
      "Statement": [
        {
          "Effect": "Allow",
          "Principal": {"AWS": "311407276115"},
          "Action": "s3:PutObject",
          "Resource": ["arn:aws:s3:::la-permissionsdemo/*"]
        },
        {
          "Effect": "Deny",
          "Principal": {"AWS": "311407276115"},
          "Action": "s3:PutObject",
          "Resource": "arn:aws:s3:::la-permissionsdemo/*",
          "Condition": {
            "StringNotEquals": {"s3:x-amz-acl": "bucket-owner-full-control"}
          }
        }
      ]
    }

Identity Federation

00:22:40

Lesson Description:

Identity federation is the process of allowing external identity providers (IdPs) to authenticate and identify users, and then providing those identified users with access to AWS resources. In this lesson, we'll go over the two main identity federation architectures, Web Identity Federation and SAML 2.0 Identity Federation. Lesson Links https://web-identity-federation-playground.s3.amazonaws.com/index.html

AWS Systems Manager Parameter Store

00:18:24

Lesson Description:

In this lesson, we return to Systems Manager to look at the Systems Manager Parameter Store. This is a feature allowing the secure management of configuration and secrets within AWS. The Parameter Store is an essential tool for caching and distributing secrets securely to AWS resources. Here in this lesson, we'll get to see it in action. Lesson Links https://aws.amazon.com/blogs/compute/query-for-the-latest-amazon-linux-ami-ids-using-aws-systems-manager-parameter-store/ https://aws.amazon.com/blogs/compute/sharing-secrets-with-aws-lambda-using-aws-systems-manager-parameter-store/

4.2 Troubleshoot an Authorization and Authentication System to Access AWS Resources.

Troubleshooting Permissions Union (IAM//RESOURCE//ACL)

00:09:44

Lesson Description:

Permissions within AWS are controlled with identity policies, ACLs, and resource policies. Understanding how to design and interpret these when used in combination is the key to implementing systems securely within AWS. In this lesson we'll step through how the permissions union works. This is a key requirement for any security professional, and for the security specialty exam.

Troubleshooting Cross-Account Roles

00:12:57

Lesson Description:

In this lesson we'll see some common issues facing a security engineer when implementing cross-account roles. There will be a brief review of role architecture, but with a focus on using it between accounts. Lesson Links https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_create_for-user_externalid.html

Troubleshooting Identity Federation

00:05:52

Lesson Description:

Web and SAML 2.0 federation are both complex architectures. They allow external identities to be used in accessing AWS resources. In this lesson we look at some common troubleshooting steps to identify and fix federation issues.

Troubleshooting KMS CMKs

00:07:20

Lesson Description:

KMS Key Policies are resource policies applied to KMS keys. They have unique characteristics which separate them from other resource policies. In this lesson we look at Key Policies from a troubleshooting perspective. Lesson Links https://docs.aws.amazon.com/kms/latest/developerguide/limits.html#requests-per-second-table

Data Protection

5.1 Design and implement key management and use.

Key Management System (KMS)

00:28:11

Lesson Description:

AWS Key Management Service (KMS) is a managed service that makes it easy for you to create and control the encryption keys used to encrypt your data. It's a FIPS 140-2 Level 2 compliant service, and in this lesson I step through its architecture and key points as they relate to real-world usage and the exam. Lesson Links https://docs.aws.amazon.com/kms/latest/developerguide/crypto-intro.html https://docs.aws.amazon.com/kms/latest/developerguide/importing-keys.html https://en.wikipedia.org/wiki/FIPS_140-2 https://aws.amazon.com/blogs/security/how-to-protect-the-integrity-of-your-encrypted-data-by-using-aws-key-management-service-and-encryptioncontext/ https://docs.aws.amazon.com/kms/latest/developerguide/grants.html

KMS in a Multi-Account Configuration

00:08:24

Lesson Description:

This lesson takes a closer look at how KMS can be utilized in a multi-account or cross-account configuration to achieve a reduction in risk, improvements to logging and auditing, and performance improvements.

CloudHSM

00:17:05

Lesson Description:

CloudHSM is a dedicated hardware appliance allowing for the secure creation, management and usage of CMKs. The hardware is FIPS 140-2 Level 3 compliant, and supports industry-standard API access. In this lesson I discuss CloudHSM architecture, when to use CloudHSM, and the key differences between it and AWS KMS. Lesson Links https://en.wikipedia.org/wiki/FIPS_140-2 https://docs.aws.amazon.com/cloudhsm/latest/userguide/initialize-cluster.html

5.2 Troubleshoot key management.

Troubleshooting KMS Permissions

00:08:29

Lesson Description:

KMS key permissions are a crucial part of securing an AWS account. Being an effective security engineer means understanding the end-to-end chain of permissions relating to KMS. In this lesson we take a look at just that, with a troubleshooting focus.

KMS Limits

00:10:44

Lesson Description:

KMS, like any other AWS service, has limits which require awareness. KMS can be impacted to a greater degree than other services, because KMS is used by other AWS services to handle encryption. In this lesson I step through the limits which can cause throttling and how this can impact KMS and the services that depend on it. Lesson Links https://docs.aws.amazon.com/kms/latest/developerguide/limits.html

Hands-on Labs are real live environments that put you in a real scenario to practice what you have learned without any other extra charge or account to manage.

00:30:00

5.3 Design and implement a data encryption solution for data at rest and data in transit.

Data At Rest: KMS

00:16:11

Lesson Description:

KMS integrates with many other AWS services to provide key creation, management and cryptographic functionality. All services are responsible for their own component of this process and in this lesson I run through how EBS, DynamoDB, RDS and S3 integrate with KMS. Lesson Links https://docs.aws.amazon.com/kms/latest/developerguide/service-integration.html https://docs.aws.amazon.com/kms/latest/developerguide/services-ebs.html https://docs.aws.amazon.com/kms/latest/developerguide/services-dynamodb.html https://docs.aws.amazon.com/kms/latest/developerguide/services-rds.html https://docs.aws.amazon.com/kms/latest/developerguide/services-s3.html

Data At Rest: S3 Client-side Encryption Options

00:06:25

Lesson Description:

SSE-C is an important but fairly narrow use case for encryption within S3. It's used when you, as the customer, need to control and manage the encryption keys used for object-level encryption. In this lesson I step through how SSE-C differs from the other S3 encryption methods. Lesson Links https://docs.aws.amazon.com/AmazonS3/latest/dev/ServerSideEncryptionCustomerKeys.html

Data In Transit: Certificate Manager (ACM)

00:07:23

Lesson Description:

ACM is an essential service which can generate, manage and import X.509 SSL/TLS certificates to be used on other AWS services. This lesson is a brief introduction to the service from a security perspective.

Encryption SDKs

00:05:55

Lesson Description:

The AWS Encryption SDK provides a well-engineered and secure set of interfaces to KMS and other encryption stacks. This lesson introduces the SDK at a high level. Lesson Links https://docs.aws.amazon.com/encryption-sdk/latest/developer-guide/introduction.html https://docs.aws.amazon.com/encryption-sdk/latest/developer-guide/sample-cache-example.html

Compliance Examples

00:08:59

Lesson Description:

AWS provides a wealth of compliance-related resources via its compliance portal and the AWS Artifact service. In this lesson I give a brief overview of these resources. Lesson Links https://www.atlas.aws/ https://aws.amazon.com/compliance/ https://aws.amazon.com/compliance/programs/


Conclusion

Practice Exam

AWS Certified Security Specialty

04:00:00

Final Steps

How to Prepare for the Exam

00:10:50

Lesson Description:

This lesson goes over the steps you can take to ensure your success on the exam. We’ll outline a full strategy for preparing for the exam, including study tips, key terms you should know and helpful test-taking strategies. Lesson Links https://aws.amazon.com/certification/certified-security-specialty/ https://d1.awsstatic.com/training-and-certification/docs-security-spec/AWS_Certified_Security_Specialty_Exam_Guide_v1.5.pdf https://d1.awsstatic.com/training-and-certification/docs-security-spec/AWS_Certified_SC-S_Sample%20Questions_v1.0_FINAL.pdf

What's Next After Certification?

00:04:53

Lesson Description:

This lesson discusses your options for continued learning after you've completed the AWS Certified Security Specialty course. Lesson Links Please connect with me using Twitter or LinkedIn if I can help in any way https://twitter.com/@adriancantrill https://www.linkedin.com/in/adriancantrill/ http://slack.linuxacademy.com

Get Recognized!

00:01:01

Lesson Description:

In this video, Linux Academy Founder and CEO Anthony James explains the steps you can take to get recognized after successfully passing your certification exam. Anthony will explain how to connect with him on LinkedIn and Twitter so that he can endorse you for the skills you have mastered by getting your certification.