This quest is designed to teach you how to apply AWS Identity and Access Management, in concert with several other AWS Services, to address real-world application and service security management scenarios.
Enforcing the principle of least privilege in Security Groups is an important component in the overall security of an application. This task can become more complicated as an application grows in scope and complexity. In this lab we will walk through using VPC Flow Logs and the Amazon Elasticsearch Service to visualize the usage of Security Groups in order to help identify which rules might be too permissive.
This lab demonstrates the steps to audit your AWS resources with Trusted Advisor to ensure your configuration complies with basic security best practices. The topics covered will also include working with security groups, multifactor authentication (MFA), and AWS Identity and Access Management (IAM).
Security is a top priority for Amazon Web Services (AWS). AWS provides many tools and services to meet your unique security needs. This lab will present a solution, among many, to enhance your security. This lab walks through a method to automatically update your Virtual Private Cloud (VPC) Security Groups to only allow access from Amazon CloudFront and AWS Web Application Firewall (WAF). Defining Security Groups rules this way prevents malicious requests from by-passing AWS WAF security rules and accessing your EC2 instances directly.
In this lab you will learn how to use AWS Config with a Lambda function to detect changes to the ingress permissions of an EC2 security group and automatically reverse changes that are made. In an different lab, Monitoring Security Groups with Amazon CloudWatch Events, you will do something similar but with different services. Both of these labs illustrate techniques that could be used to provide additional layers of protection to infrastructure controls. Prerequisites: To successfully complete this lab, you should be familiar with EC2 security groups. Python programming skills are helpful, although full solution code is provided. It would be helpful to have taken the Introduction to AWS Lambda lab at qwiklabs.com.
This lab continues to build Windows application development skills, this time leveraging the Security Token Service (STS) to provide secure access to cloud storage in S3. After demonstrating the basic steps of installing Visual Studio Community Edition and the AWS Toolkit for .NET, the student builds a simple console application in C# using the AWS SDK for .NET. The lab will then demonstrate how to use STS to obtain temporary credentials to access protected S3 resources.
In this lab you will learn how to use AWS CloudWatch events with a Lambda function to detect changes to the ingress permissions of an EC2 security group. In an different lab, Monitoring Security Groups with AWS Config, you will do something similar but with different services. Both of these labs illustrate techniques that could be used to provide additional layers of protection to infrastructure controls. Prerequisites: To successfully complete this lab, you should be familiar with EC2 security groups. Python programming skills are helpful, although full solution code is provided. It would be helpful to have taken the Introduction to AWS Lambda lab.
This lab leads you through the steps to perform basic audits of core AWS resources. You will use the AWS Management Console to understand how to audit the use of multiple AWS services, Amazon EC2, Amazon VPC, Amazon IAM, Amazon Security Groups, AWS CloudTrail and AWS CloudWatch. This lab will help you understand how you can extend your existing auditing objectives related to organizational Governance, Asset Configuration, Logical Access Controls, Operating Systems, Databases and Applications security configurations within AWS. The skills learned will help provide visibility; testability and automated audit evidence gather capabilities.
In this lab you will use the AWS Management Console to bundle custom Amazon Elastic Block Store (EBS)–backed Amazon Machine Images (AMIs). You will learn how to map additional Amazon EBS and/or ephemeral volumes in your AMI. Lastly you will look at some security best practices to create AMIs that are suitable for public sharing.
In this lab you will enable client-side at-rest encryption using AWS KMS-managed key for data stored in Amazon S3 with the EMR File System (EMRFS). Within Amazon EMR you will create security configuration to encrypt the object written to S3 with client-side encryption using the AWS KMS-managed key specified by you, and decrypt objects with the same key that was used to encrypt them. This will allow you to more easily leverage frameworks like Apache Spark, Apache Tez, and Apache Hadoop MapReduce on Amazon EMR to run big data analytics, stream processing, machine learning, and ETL workloads on confidential data.