Summary: https://www.udemy.com/course/aws-certified-cloud-practitioner-new/learn/lecture/20237316
Refresher: AWS Shared Responsibility Model
AWS Shared Responsibility Model & AWS Acceptable Use Policy
Network Protection Services
- AWS Shield: automatic DDoS-attack protection
  - Shield Advanced offers premium 24/7 support & extra features
- AWS WAF (Web Application Firewall): L7 (application layer) firewall, filters incoming requests based on rules
  - Protects from common web exploits (SQL injections, XSS…)
- AWS Network Firewall: protects a whole VPC against network attacks
  - ❗ Security Groups (SGs) protect at resource level, Network ACLs (NACLs) protect at subnet level, AWS Network Firewall protects at VPC level
- AWS Firewall Manager: manage security rules across many accounts (e.g. all accounts in an AWS Organization)
  - Centralizes security rules across accounts for SGs, WAF rules, Shield rules…
  - Rules are applied immediately to existing & new resources as well as existing & new accounts in the AWS Organization
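A WAF web ACL definition illustrating the L7 rule-based filtering above, added here as an example (not from the course): two AWS managed rule groups cover the common-web-exploit and SQL injection bullets, and a rate-based rule blocks IPs that exceed a request threshold within WAF's 5-minute window. The ACL name, rule names, metric names and the 2000-request limit are assumed values.

```json
{
  "Name": "example-web-acl",
  "Scope": "REGIONAL",
  "DefaultAction": { "Allow": {} },
  "Rules": [
    {
      "Name": "AWS-AWSManagedRulesCommonRuleSet",
      "Priority": 0,
      "Statement": {
        "ManagedRuleGroupStatement": { "VendorName": "AWS", "Name": "AWSManagedRulesCommonRuleSet" }
      },
      "OverrideAction": { "None": {} },
      "VisibilityConfig": { "SampledRequestsEnabled": true, "CloudWatchMetricsEnabled": true, "MetricName": "CommonRuleSet" }
    },
    {
      "Name": "AWS-AWSManagedRulesSQLiRuleSet",
      "Priority": 1,
      "Statement": {
        "ManagedRuleGroupStatement": { "VendorName": "AWS", "Name": "AWSManagedRulesSQLiRuleSet" }
      },
      "OverrideAction": { "None": {} },
      "VisibilityConfig": { "SampledRequestsEnabled": true, "CloudWatchMetricsEnabled": true, "MetricName": "SQLiRuleSet" }
    },
    {
      "Name": "RateLimitPerIP",
      "Priority": 2,
      "Statement": {
        "RateBasedStatement": { "Limit": 2000, "AggregateKeyType": "IP" }
      },
      "Action": { "Block": {} },
      "VisibilityConfig": { "SampledRequestsEnabled": true, "CloudWatchMetricsEnabled": true, "MetricName": "RateLimitPerIP" }
    }
  ],
  "VisibilityConfig": { "SampledRequestsEnabled": true, "CloudWatchMetricsEnabled": true, "MetricName": "example-web-acl" }
}
```

Rules are evaluated in Priority order; the managed rule groups keep their own per-rule actions (OverrideAction None), and anything not matched falls through to the DefaultAction. Such an ACL can then be associated with an ALB, API Gateway stage or CloudFront distribution, or pushed across accounts by Firewall Manager.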
Penetration Testing in AWS
Ref: https://www.udemy.com/course/aws-certified-cloud-practitioner-new/learn/lecture/20056314 and https://aws.amazon.com/security/penetration-testing/
- 🔧 Penetration testing = deliberately attack your own systems/infrastructure to find how deep you can penetrate (i.e. what security vulnerabilities you have)
- ✅ AWS allows penetration testing for certain infrastructure (list can increase over time):
  - EC2 instances, NAT Gateways, Elastic Load Balancers, RDS, CloudFront, Aurora, API Gateway, Lambda functions, Lightsail, Elastic Beanstalk
  - No need to ask AWS for permission to perform simple penetration tests on the above services
- ❌ AWS prohibits certain attacks (they see them as attacks on their infrastructure)!!
  - DNS zone walking via Route 53 hosted zones
  - DoS, DDoS, Simulated DoS, and Simulated DDoS attacks
  - Port flooding, protocol flooding, request flooding…
- 💡 For any other simulated events, contact [email protected]
- AWS KMS (Key Management Service): manage encryption keys for encrypting data at rest
  - Default service for encryption at rest, many services use it behind the scenes
  - Keys can be managed by customers or AWS