@anthonykasza
Created December 8, 2022 16:10
The Fundamentals of AWS Cloud Security
======================================
AWS re:Inforce 2019, Becky Weiss
https://www.youtube.com/watch?v=-ObImxw1PmI
AWS IAM
-------
- identity and access
- grant entities (services or humans) permission to make API calls on behalf of you or your account
- every AWS service uses IAM to authenticate and authorize API calls
- IAM is also used for humans to log into the AWS web portal
- IAM supports federated identities using roles/principals - AWS IAM can use other credential providers (Active Directory, Google, Facebook, Twitter, etc.)
- IAM roles operate using tokens (short-term, auto-expiring credentials)
- IAM roles can also be used across AWS accounts; permissions need to be adjusted within both accounts (resource-based policies, attached to the resource instead of the principal, allow this)
- API calls are signed using the secret portion of IAM credentials
- AWS-managed policies are permissions applied to roles which permit the role to do some thing/task
- IAM policies include 1 or more Statements which can include: Effect (allow or deny), Actions (can be wildcarded), Resources (what you can take an action against, can also be wildcarded), Conditions (finer-grained conditional policies)
- AWS Organizations helps to create OU trees and groups
AWS KMS
-------
- data encryption/decryption at rest
- integrates with a ton of AWS services (including S3) to handle data encryption/decryption
AWS VPC
-------
- network/subnet/traffic based security
- your virtual network for your infrastructure in the cloud
- AWS regions are physically isolated regions with multiple zones (fault domains). VPCs can span AZs in a region
- VPCs can be subnetted into public and private subnets
- security groups are stateful firewalls (ingress/egress rules) that can be applied to subnets within VPCs
- routing: public subnets can route to the public Internet, private subnets cannot route to the public Internet. Just because a public subnet has a route to the public Internet doesn't mean it can reach the Internet (such as in the case where the subnet has a security group applied to it which restricts traffic)
- A VPC endpoint is the binding of a local IP address in a subnet to an AWS service (which is typically only accessible via a publicly routable IP address). It allows private subnets to use AWS services which are otherwise only reachable via the Internet. A VPC endpoint for CloudWatch, for example, will allow a private subnet in a VPC to send logs to CloudWatch (even overriding the DNS name in the subnet so CloudWatch's names resolve to the VPC endpoint's local IP address)
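Added example (not from the talk or the gist) for the routing point above: a small model of why a route to the Internet is necessary but not sufficient. A destination is reachable only if the longest-prefix route for it points at an Internet gateway AND the egress rules of the security group in effect permit the flow. Security groups have no deny rules, so any flow not matched by an allow rule is dropped. The subnets, route tables, gateway IDs and rules below are all constructed for illustration.

```python
import ipaddress

# Constructed subnets (not from the talk). Route entries are (cidr, target);
# gateway ids are placeholders. Security group egress rules are allow-only.
PUBLIC_SUBNET = {
    "routes": [("10.0.0.0/16", "local"), ("0.0.0.0/0", "igw-0EXAMPLE")],
    "sg_egress": [  # only HTTPS out to anywhere
        {"proto": "tcp", "ports": (443, 443), "cidr": "0.0.0.0/0"},
    ],
}
PRIVATE_SUBNET = {
    "routes": [("10.0.0.0/16", "local")],  # no default route at all
    "sg_egress": [  # permissive SG, but irrelevant without a route
        {"proto": "-1", "ports": (0, 65535), "cidr": "0.0.0.0/0"},
    ],
}


def longest_prefix_route(routes, dst_ip):
    """Return the target of the most specific route covering dst_ip, or None."""
    ip = ipaddress.ip_address(dst_ip)
    best_net, best_target = None, None
    for cidr, target in routes:
        net = ipaddress.ip_network(cidr)
        if ip in net and (best_net is None or net.prefixlen > best_net.prefixlen):
            best_net, best_target = net, target
    return best_target


def egress_allowed(rules, dst_ip, dst_port, proto="tcp"):
    """Security groups are allow-lists: the first matching rule permits, none means drop."""
    ip = ipaddress.ip_address(dst_ip)
    for rule in rules:
        if rule["proto"] not in (proto, "-1"):  # "-1" is AWS's 'all protocols'
            continue
        lo, hi = rule["ports"]
        if not (lo <= dst_port <= hi):
            continue
        if ip in ipaddress.ip_network(rule["cidr"]):
            return True
    return False


def can_reach_internet(subnet, dst_ip, dst_port, proto="tcp"):
    """Return (reachable, reason) for a flow from this subnet to a public host."""
    target = longest_prefix_route(subnet["routes"], dst_ip)
    if target is None or not target.startswith("igw-"):
        return False, f"no Internet route (route target={target})"
    if not egress_allowed(subnet["sg_egress"], dst_ip, dst_port, proto):
        return False, "route exists but security group egress blocks the flow"
    return True, f"routed via {target}, egress permitted"


if __name__ == "__main__":
    host = "198.51.100.10"  # constructed public address (TEST-NET-2)
    for name, subnet in (("public", PUBLIC_SUBNET), ("private", PRIVATE_SUBNET)):
        for port in (443, 80):
            print(name, port, can_reach_internet(subnet, host, port))
```

Running it shows the asymmetry the notes describe: the public subnet reaches the host on 443 but not on 80 (route present, egress blocked), while the private subnet reaches neither despite a fully open security group, because there is no route.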