Standards and Best Practices

  • Amazon Inspector, a security assessment service that automatically assesses applications for vulnerabilities or deviations from best practices, covering the affected networks, operating systems, and attached storage
  • Deployment tools to manage the creation and decommissioning of AWS resources according to organization standards
  • Inventory and configuration management tools, including AWS Config, that identify AWS resources and then track and manage changes to those resources over time
  • Template definition and management tools, including AWS CloudFormation to create standard, preconfigured environments

Amazon Inspector

  • It is an automated security assessment service
  • It helps improve the security and compliance of applications deployed on AWS.
  • It automatically assesses applications for exposure, vulnerabilities, and deviations from best practices. After an assessment, it produces a detailed list of security findings prioritized by severity.

AWS Config

  • It provides a detailed view of the resources associated with your AWS account, including
    • how resources are configured
    • how they are related to one another
    • how the configurations and their relationships have changed over time
  • It continuously monitors and records your AWS resource configurations
  • You can automate the evaluation of recorded configurations against desired configurations.
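
An added example of that last point, not AWS's own code: a custom AWS Config rule, written as a Lambda function, that marks a security group NON_COMPLIANT when any ingress rule exposes TCP/22 to the whole internet. The field names (ipPermissions, ipRanges, cidrIp, ipv6Ranges, cidrIpv6) follow the configuration item schema Config records for AWS::EC2::SecurityGroup, the three sample items are constructed, and the boto3 call is the real Config PutEvaluations API. The evaluator is kept pure so it can be tested without AWS credentials.

```python
"""Custom AWS Config rule: a security group is NON_COMPLIANT if any ingress rule
exposes TCP/22 to 0.0.0.0/0 or ::/0. evaluate_compliance() is a pure function;
lambda_handler() is the entry point AWS Config invokes."""
import json
from typing import Dict, Tuple

ANY_IPV4 = "0.0.0.0/0"
ANY_IPV6 = "::/0"


def _covers_port(rule: Dict, port: int) -> bool:
    """An ingress rule covers `port` if it is 'all traffic' (-1) or a TCP range containing it."""
    if rule.get("ipProtocol") == "-1":
        return True
    if rule.get("ipProtocol") != "tcp":
        return False
    low, high = rule.get("fromPort"), rule.get("toPort")
    return low is not None and high is not None and low <= port <= high


def _open_to_world(rule: Dict) -> bool:
    """True if the rule's source includes every IPv4 or every IPv6 address."""
    v4 = any(r.get("cidrIp") == ANY_IPV4 for r in rule.get("ipRanges", []))
    v6 = any(r.get("cidrIpv6") == ANY_IPV6 for r in rule.get("ipv6Ranges", []))
    return v4 or v6


def evaluate_compliance(item: Dict, port: int = 22) -> Tuple[str, str]:
    """Return (ComplianceType, Annotation) for one recorded configuration item."""
    if item.get("resourceType") != "AWS::EC2::SecurityGroup":
        return "NOT_APPLICABLE", "rule only evaluates security groups"
    if item.get("configurationItemStatus") == "ResourceDeleted":
        return "NOT_APPLICABLE", "resource was deleted"
    for rule in item.get("configuration", {}).get("ipPermissions", []):
        if _covers_port(rule, port) and _open_to_world(rule):
            return "NON_COMPLIANT", f"ingress allows TCP/{port} from anywhere"
    return "COMPLIANT", f"no ingress rule exposes TCP/{port} to the internet"


def lambda_handler(event, context):
    """AWS Config passes the changed item in invokingEvent; report the verdict via PutEvaluations."""
    item = json.loads(event["invokingEvent"])["configurationItem"]
    compliance, annotation = evaluate_compliance(item)
    import boto3  # imported here so the evaluator above runs without the AWS SDK installed
    boto3.client("config").put_evaluations(
        Evaluations=[{
            "ComplianceResourceType": item["resourceType"],
            "ComplianceResourceId": item["resourceId"],
            "ComplianceType": compliance,
            "Annotation": annotation,
            "OrderingTimestamp": item["configurationItemCaptureTime"],
        }],
        ResultToken=event["resultToken"],
    )
    return compliance


def _sg_item(sg_id: str, permissions) -> Dict:
    """Build a constructed configuration item (sample data, not recorded from a real account)."""
    return {
        "resourceType": "AWS::EC2::SecurityGroup",
        "resourceId": sg_id,
        "configurationItemStatus": "OK",
        "configurationItemCaptureTime": "2024-03-01T09:00:00.000Z",
        "configuration": {"groupId": sg_id, "ipPermissions": permissions},
    }


OPEN_SSH_SG = _sg_item("sg-0a1b2c3d4e5f60001", [
    {"ipProtocol": "tcp", "fromPort": 22, "toPort": 22,
     "ipRanges": [{"cidrIp": "0.0.0.0/0"}], "ipv6Ranges": []},
])
ALL_TRAFFIC_V6_SG = _sg_item("sg-0a1b2c3d4e5f60002", [
    {"ipProtocol": "-1", "ipRanges": [], "ipv6Ranges": [{"cidrIpv6": "::/0"}]},
])
RESTRICTED_SG = _sg_item("sg-0a1b2c3d4e5f60003", [
    {"ipProtocol": "tcp", "fromPort": 22, "toPort": 22,
     "ipRanges": [{"cidrIp": "10.0.0.0/8"}], "ipv6Ranges": []},
    {"ipProtocol": "tcp", "fromPort": 443, "toPort": 443,
     "ipRanges": [{"cidrIp": "0.0.0.0/0"}], "ipv6Ranges": []},
])

if __name__ == "__main__":
    for sg in (OPEN_SSH_SG, ALL_TRAFFIC_V6_SG, RESTRICTED_SG):
        print(sg["resourceId"], *evaluate_compliance(sg))
```

Deployed, the function would be attached to a Config rule scoped to AWS::EC2::SecurityGroup with a change-triggered evaluation; the NOT_APPLICABLE branch matters because Config still invokes the rule when a resource is deleted.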

Monitoring and Logging

  • Deep visibility into API calls through AWS CloudTrail, including who made each call, what was called, when, and from where
  • Log aggregation options, streamlining investigations and compliance reporting
  • Alert notifications through Amazon CloudWatch when specific events occur or thresholds are exceeded

AWS CloudTrail

  • It helps you enable governance, compliance, and operational and risk auditing.
  • Actions taken by a user, role, or an AWS service are recorded as events in CloudTrail.
  • Events include actions taken in the AWS Management Console, AWS Command Line Interface, and AWS SDKs and APIs.
  • CloudTrail is enabled on your AWS account when you create it. By default this gives you the 90-day event history; create a trail to deliver events to S3 for longer retention and analysis.
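
An added example of the "who, what, when, and from where" triage a detection engineer runs over delivered trail files; it is not AWS's code. CloudTrail delivers log files as gzip-compressed JSON with a top-level "Records" array, which is the shape used here. The four records are constructed samples (fictional account ID and documentation-range IP addresses); the field names (userIdentity.type, additionalEventData.MFAUsed, responseElements.ConsoleLogin) are real CloudTrail fields. The rules flag root-user activity, successful console logins without MFA, and calls that switch off or alter the trail itself.

```python
"""Triage CloudTrail records: summarise who/what/when/where and flag high-risk events."""
import json
from typing import Dict, List

# Constructed sample log file in CloudTrail's delivery format (fictional data).
SAMPLE_LOG = json.dumps({"Records": [
    {"eventVersion": "1.08", "eventTime": "2024-03-01T09:12:44Z",
     "eventSource": "signin.amazonaws.com", "eventName": "ConsoleLogin",
     "awsRegion": "us-east-1", "sourceIPAddress": "203.0.113.7",
     "userIdentity": {"type": "IAMUser", "arn": "arn:aws:iam::123456789012:user/alice",
                      "userName": "alice"},
     "additionalEventData": {"MFAUsed": "Yes"},
     "responseElements": {"ConsoleLogin": "Success"}},
    {"eventVersion": "1.08", "eventTime": "2024-03-01T09:15:02Z",
     "eventSource": "signin.amazonaws.com", "eventName": "ConsoleLogin",
     "awsRegion": "us-east-1", "sourceIPAddress": "198.51.100.23",
     "userIdentity": {"type": "Root", "arn": "arn:aws:iam::123456789012:root"},
     "additionalEventData": {"MFAUsed": "No"},
     "responseElements": {"ConsoleLogin": "Success"}},
    {"eventVersion": "1.08", "eventTime": "2024-03-01T09:16:30Z",
     "eventSource": "cloudtrail.amazonaws.com", "eventName": "StopLogging",
     "awsRegion": "us-east-1", "sourceIPAddress": "198.51.100.23",
     "userIdentity": {"type": "Root", "arn": "arn:aws:iam::123456789012:root"},
     "requestParameters": {"name": "org-trail"}},
    {"eventVersion": "1.08", "eventTime": "2024-03-01T10:01:11Z",
     "eventSource": "s3.amazonaws.com", "eventName": "ListBuckets",
     "awsRegion": "us-east-1", "sourceIPAddress": "10.0.4.12",
     "userIdentity": {"type": "AssumedRole",
                      "arn": "arn:aws:sts::123456789012:assumed-role/Deploy/ci"}},
]})

# API calls that disable or weaken the trail itself; always worth a human look.
TRAIL_TAMPERING = {"StopLogging", "DeleteTrail", "UpdateTrail", "PutEventSelectors"}


def summarize(record: Dict) -> Dict:
    """Pull the who / what / when / where out of one CloudTrail record."""
    ident = record.get("userIdentity", {})
    return {
        "who": ident.get("arn") or ident.get("type"),
        "what": f"{record.get('eventSource')}:{record.get('eventName')}",
        "when": record.get("eventTime"),
        "where": record.get("sourceIPAddress"),
        "region": record.get("awsRegion"),
    }


def flag(record: Dict) -> List[str]:
    """Return the reasons a record deserves attention (empty list means nothing notable)."""
    reasons = []
    if record.get("userIdentity", {}).get("type") == "Root":
        reasons.append("root-account-activity")
    if (record.get("eventName") == "ConsoleLogin"
            and record.get("responseElements", {}).get("ConsoleLogin") == "Success"
            and record.get("additionalEventData", {}).get("MFAUsed") == "No"):
        reasons.append("console-login-without-mfa")
    if (record.get("eventSource") == "cloudtrail.amazonaws.com"
            and record.get("eventName") in TRAIL_TAMPERING):
        reasons.append("cloudtrail-tampering")
    return reasons


def triage(log_text: str) -> List[Dict]:
    """Parse a delivered log file's JSON and return summaries of every flagged record."""
    findings = []
    for rec in json.loads(log_text)["Records"]:
        reasons = flag(rec)
        if reasons:
            entry = summarize(rec)
            entry["reasons"] = reasons
            findings.append(entry)
    return findings


if __name__ == "__main__":
    for finding in triage(SAMPLE_LOG):
        print(json.dumps(finding))
```

In production the same flag() logic would sit behind a CloudWatch Logs metric filter or an EventBridge rule so that the alert fires within minutes rather than at the next batch run; the point of keeping it as a pure function is that the detection can be unit-tested against captured records.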

Identity and Access Control

  • AWS Identity and Access Management (IAM) lets you define individual user accounts with permissions across AWS resources
  • AWS Multi-Factor Authentication for privileged accounts, including options for hardware-based authenticators
  • AWS Directory Service allows you to integrate and federate with corporate directories to reduce administrative overhead and improve end-user experience

AWS Multi-Factor Authentication

  • With MFA, when a user signs in to the AWS Management Console, they are prompted for
    • their user name and password (the first factor: what they know)
    • an authentication response from their AWS MFA device (the second factor: what they have)
  • Requiring both factors increases the security of AWS account settings and resources.
  • Enable MFA for the AWS account root user and for the individual IAM users created under the account.
  • MFA can also be used to control access to AWS service APIs, by writing IAM policies that check the aws:MultiFactorAuthPresent condition key.

Supported MFA mechanisms, used in addition to the regular sign-in credentials, are

  • Virtual MFA devices. A software app that runs on a phone or other mobile device and emulates a physical device. The device generates a six-digit numeric code based on a time-synchronized one-time password algorithm. The user must type a valid code from the device on a second webpage during sign-in. Each virtual MFA device assigned to a user must be unique. A user cannot type a code from another user's virtual MFA device to authenticate.
  • U2F security key. A device that you plug into a USB port on your computer. U2F is an open authentication standard hosted by the FIDO Alliance. When you enable a U2F security key, you sign in by entering your credentials and then tapping the device instead of manually entering a code. AWS now lists these as FIDO security keys, which also covers FIDO2/WebAuthn authenticators.
  • Hardware MFA device. A hardware device that generates a six-digit numeric code based on a time-synchronized one-time password algorithm. The user must type a valid code from the device on a second webpage during sign-in. Each MFA device assigned to a user must be unique. A user cannot type a code from another user's device to be authenticated.
  • SMS text message-based MFA. A type of MFA in which the IAM user settings include the phone number of the user's SMS-compatible mobile device. When the user signs in, AWS sends a six-digit numeric code by SMS text message to the user's mobile device. The user is required to type that code on a second webpage during sign-in. Note that SMS-based MFA is available only for IAM users. You cannot use this type of MFA with the AWS account root user. AWS ended the SMS MFA preview in 2019, so new SMS MFA devices can no longer be registered.

Security Support

  • Real-time insight through AWS Trusted Advisor
  • Proactive support and advocacy with a Technical Account Manager (TAM)