Summary and Quiz
Get a refresher of what you’ve learned about the security and compliance services provided by AWS in this chapter and take a quiz to validate your knowledge.
In this lesson, we’ll summarize what we’ve learned so far in this chapter and test our knowledge with a short quiz.
Summary
In this chapter, we learned about security services offered by AWS. Here’s a brief summary of the services we covered:
AWS KMS
AWS KMS creates and manages the keys that AWS services and our own applications use for encryption. A KMS key itself never leaves the service in plaintext; we call KMS to encrypt, decrypt, or generate data keys under it, and every such call is recorded in CloudTrail. Two kinds of KMS keys matter most to us:
AWS-managed keys: Created, managed, and rotated by AWS on behalf of an AWS service integrated with KMS, such as S3 or EBS. Their aliases start with aws/ (for example aws/s3). We can see them and track their use in CloudTrail, but we cannot change their key policy, disable them, or delete them.
Customer-managed keys: Created and managed by us. We control the key policy (who may administer the key and who may use it), enabling and disabling, automatic rotation, and scheduled deletion. These are the keys to use when we must demonstrate control over access to encrypted data, because a key policy that is too broad effectively makes the encryption meaningless.
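The practical difference between the two key types shows up when auditing an account: AWS-managed keys can be skipped, customer-managed keys need their rotation status and key policy checked. The following script is an added example, not code from the course. Its inputs are constructed to mimic what boto3 returns from kms.describe_key() (KeyMetadata), kms.get_key_rotation_status() (KeyRotationEnabled), and kms.get_key_policy(), so it runs offline; the key IDs, aliases, and the account ID 123456789012 are placeholders.

```python
"""Audit KMS key metadata for configuration issues.

Added example, not code from the course. The dicts below are constructed to
mimic what boto3 returns from kms.describe_key() (KeyMetadata),
kms.get_key_rotation_status() (KeyRotationEnabled) and
kms.get_key_policy() (the policy JSON), so the script runs offline. The key
IDs, aliases and the account ID 123456789012 are placeholders.
"""
import json

ACCOUNT = "123456789012"  # placeholder account ID

# Constructed inputs shaped like the real API responses.
KEYS = [
    {   # AWS-managed key behind the aws/s3 alias: AWS owns its policy and rotation.
        "KeyMetadata": {"KeyId": "11111111-aaaa-4aaa-8aaa-111111111111",
                        "KeyManager": "AWS", "KeyState": "Enabled",
                        "KeySpec": "SYMMETRIC_DEFAULT"},
        "Aliases": ["alias/aws/s3"],
        "KeyRotationEnabled": True,
        "Policy": None,
    },
    {   # Customer-managed key: rotation off and an over-broad policy statement.
        "KeyMetadata": {"KeyId": "22222222-bbbb-4bbb-8bbb-222222222222",
                        "KeyManager": "CUSTOMER", "KeyState": "Enabled",
                        "KeySpec": "SYMMETRIC_DEFAULT"},
        "Aliases": ["alias/app/orders-db"],
        "KeyRotationEnabled": False,
        "Policy": {
            "Version": "2012-10-17",
            "Statement": [
                {"Sid": "Enable IAM User Permissions", "Effect": "Allow",
                 "Principal": {"AWS": f"arn:aws:iam::{ACCOUNT}:root"},
                 "Action": "kms:*", "Resource": "*"},
                {"Sid": "AllowDecryptFromAnywhere", "Effect": "Allow",
                 "Principal": "*",
                 "Action": ["kms:Decrypt"], "Resource": "*"},
            ],
        },
    },
    {   # Customer-managed key that is well configured but scheduled for deletion.
        "KeyMetadata": {"KeyId": "33333333-cccc-4ccc-8ccc-333333333333",
                        "KeyManager": "CUSTOMER", "KeyState": "PendingDeletion",
                        "KeySpec": "SYMMETRIC_DEFAULT"},
        "Aliases": ["alias/app/backups"],
        "KeyRotationEnabled": True,
        "Policy": {
            "Version": "2012-10-17",
            "Statement": [
                {"Sid": "Enable IAM User Permissions", "Effect": "Allow",
                 "Principal": {"AWS": f"arn:aws:iam::{ACCOUNT}:root"},
                 "Action": "kms:*", "Resource": "*"},
                {"Sid": "AllowS3ViaService", "Effect": "Allow",
                 "Principal": "*",
                 "Action": ["kms:Decrypt", "kms:GenerateDataKey"], "Resource": "*",
                 "Condition": {"StringEquals": {
                     "kms:ViaService": "s3.us-east-1.amazonaws.com",
                     "aws:PrincipalAccount": ACCOUNT}}},
            ],
        },
    },
]


def is_wildcard_principal(principal):
    """True for Principal "*" or {"AWS": "*"} (also when "*" sits inside a list)."""
    if principal == "*":
        return True
    if isinstance(principal, dict):
        aws = principal.get("AWS", [])
        aws = aws if isinstance(aws, list) else [aws]
        return "*" in aws
    return False


def audit_key(entry):
    """Return a list of human-readable problems found for one customer-managed key."""
    md = entry["KeyMetadata"]
    problems = []
    if md["KeyManager"] != "CUSTOMER":
        # AWS-managed keys: AWS controls the policy and rotation; nothing for us to fix.
        return problems
    if md["KeyState"] == "PendingDeletion":
        problems.append("pending deletion: data encrypted under this key becomes unrecoverable")
    if md["KeySpec"] == "SYMMETRIC_DEFAULT" and not entry["KeyRotationEnabled"]:
        problems.append("automatic rotation disabled")
    for stmt in entry["Policy"]["Statement"]:
        if stmt.get("Effect") != "Allow":
            continue
        # "*" as principal in a key policy means any AWS principal in any account.
        # With a Condition (kms:ViaService, aws:PrincipalAccount, ...) that is a
        # common, acceptable pattern; without one it is a cross-account open door.
        if is_wildcard_principal(stmt.get("Principal")) and "Condition" not in stmt:
            problems.append(f"statement {stmt.get('Sid', '<no Sid>')!r} grants "
                            f"{json.dumps(stmt['Action'])} to any principal without a Condition")
    return problems


def audit_all(keys):
    """Map each customer-managed key's first alias (or KeyId) to its problems."""
    report = {}
    for entry in keys:
        if entry["KeyMetadata"]["KeyManager"] == "CUSTOMER":
            name = (entry.get("Aliases") or [entry["KeyMetadata"]["KeyId"]])[0]
            report[name] = audit_key(entry)
    return report


if __name__ == "__main__":
    for name, problems in audit_all(KEYS).items():
        print(name, "->", problems or ["ok"])
```

Note the third key: a wildcard principal is not automatically a problem. The kms:ViaService plus aws:PrincipalAccount condition is the standard way to let an AWS service use a key on behalf of principals in our own account, which is why the check only flags unconditioned wildcard statements.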
AWS WAF
AWS WAF is a web application firewall that inspects HTTP(S) requests reaching resources such as CloudFront distributions, Application Load Balancers, and API Gateway APIs. We attach a web ACL to the resource and fill it with rules that match attack patterns such as cross-site scripting (XSS) and SQL injection, or other request properties such as source IP address, country of origin, and request rate. Rules are evaluated in priority order: the first rule that matches with a terminating action (allow or block) decides the request, count-only rules just record the match, and the web ACL's default action applies to any request no rule matched. Cross-site request forgery is not something a WAF can reliably detect, because a forged request looks like a legitimate one; that defense (anti-CSRF tokens) belongs in the application.
Amazon Detective
Amazon Detective helps us investigate security findings rather than generate them. It continuously ingests AWS CloudTrail management events, Amazon VPC Flow Logs, and Amazon GuardDuty findings, correlates them into a behavior graph of the resources, IP addresses, and identities involved, and lets us step through a finding to see what an entity did before and after the suspicious activity. Detective does not remediate anything: it supplies the context we need to decide whether a finding is a true positive and what to contain.
AWS Directory Service
AWS Directory Service provides managed Microsoft Active Directory in AWS (AWS Managed Microsoft AD), AD Connector, which proxies authentication to an existing on-premises directory, and Simple AD. With it, organizations can centralize user identities and group membership and use them for authentication and authorization across AWS resources (for example, EC2 domain join and IAM Identity Center) and directory-aware applications.
AWS Secrets Manager
AWS Secrets Manager stores and retrieves credentials such as database passwords and API keys so that they need not live in code or configuration files. Every secret is encrypted with a KMS key (the AWS-managed key aws/secretsmanager by default, or a customer-managed key we choose), access is governed by IAM and resource policies, every retrieval is logged in CloudTrail, and secrets can be rotated automatically on a schedule using a Lambda function.
Amazon Macie
Amazon Macie is a fully managed data security and privacy service that uses machine learning and pattern matching to discover and classify sensitive data, such as personally identifiable information, financial data, and credentials, stored in Amazon S3. It also evaluates bucket-level settings such as public access, encryption, and sharing, and reports findings that we can route to Security Hub or EventBridge. Acting on a finding, for example by restricting the bucket or removing the object, is up to us.
AWS Security Hub
AWS Security Hub gives us a single view of the security state of our AWS accounts. It aggregates findings from AWS services such as GuardDuty, Inspector, and Macie and from integrated third-party products into one normalized format, the AWS Security Finding Format (ASFF), runs its own automated checks against standards such as the AWS Foundational Security Best Practices and the CIS AWS Foundations Benchmark, and, when used with AWS Organizations, consolidates the findings of all member accounts in one administrator account.
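Because every product's findings arrive in the same ASFF shape, triage logic can be written once. The script below is an added example, not code from the course: it groups findings by affected resource so that an instance reported by both GuardDuty and Inspector rises to the top, and it drops records that are archived, resolved, or suppressed. The findings are constructed inline with only the ASFF fields the triage reads; against a real account the same functions would run over the Findings list returned by boto3's securityhub.get_findings(). Account, region, and resource IDs are placeholders.

```python
"""Triage Security Hub findings by affected resource.

Added example, not code from the course. The findings below are constructed
in the AWS Security Finding Format (ASFF), the normalized shape Security Hub
uses for every product's findings, so the script runs offline. Account,
region and resource IDs are placeholders.
"""
from collections import defaultdict

REGION = "us-east-1"
ACCOUNT = "123456789012"  # placeholder account ID
INSTANCE_A = f"arn:aws:ec2:{REGION}:{ACCOUNT}:instance/i-0aaaa1111bbbb2222c"
INSTANCE_B = f"arn:aws:ec2:{REGION}:{ACCOUNT}:instance/i-0dddd3333eeee4444f"
BUCKET = "arn:aws:s3:::example-public-reports"


def product_arn(product):
    """ProductArn as Security Hub reports it for an AWS-native integration."""
    return f"arn:aws:securityhub:{REGION}::product/aws/{product}"


def finding(fid, product, title, label, normalized, resource_type, resource_id,
            workflow="NEW", record_state="ACTIVE"):
    """Build a minimal ASFF finding containing only the fields the triage reads."""
    return {
        "SchemaVersion": "2018-10-08",
        "Id": fid,
        "ProductArn": product_arn(product),
        "AwsAccountId": ACCOUNT,
        "Title": title,
        "Severity": {"Label": label, "Normalized": normalized},
        "Resources": [{"Type": resource_type, "Id": resource_id}],
        "Workflow": {"Status": workflow},
        "RecordState": record_state,
    }


# Constructed sample: three products reporting on two instances and one bucket.
FINDINGS = [
    finding("f-1", "guardduty", "SSH brute force attempts against instance", "HIGH", 70,
            "AwsEc2Instance", INSTANCE_A),
    finding("f-2", "inspector", "Vulnerable package installed on instance", "CRITICAL", 90,
            "AwsEc2Instance", INSTANCE_A),
    finding("f-3", "securityhub", "S3 Block Public Access should be enabled", "MEDIUM", 40,
            "AwsS3Bucket", BUCKET),
    finding("f-4", "guardduty", "Port probe from known scanner", "LOW", 20,
            "AwsEc2Instance", INSTANCE_B, workflow="SUPPRESSED"),
    finding("f-5", "inspector", "Vulnerable package installed on instance", "HIGH", 70,
            "AwsEc2Instance", INSTANCE_B, record_state="ARCHIVED"),
]


def actionable(findings):
    """Keep findings that still need a human: active records not resolved or suppressed."""
    return [f for f in findings
            if f["RecordState"] == "ACTIVE"
            and f["Workflow"]["Status"] in ("NEW", "NOTIFIED")]


def by_resource(findings):
    """Group actionable findings per resource, worst severity first.

    Returns a list of dicts with keys resource, type, max_label, max_normalized,
    count and products. A resource hit by several products (GuardDuty and
    Inspector on the same instance) sorts above a resource with a single
    finding of the same severity.
    """
    groups = defaultdict(list)
    for f in actionable(findings):
        for r in f["Resources"]:
            groups[(r["Type"], r["Id"])].append(f)
    rows = []
    for (rtype, rid), fs in groups.items():
        worst = max(fs, key=lambda f: f["Severity"]["Normalized"])
        rows.append({
            "resource": rid,
            "type": rtype,
            "max_label": worst["Severity"]["Label"],
            "max_normalized": worst["Severity"]["Normalized"],
            "count": len(fs),
            # The product name is the last path element of the ProductArn.
            "products": sorted({f["ProductArn"].rsplit("/", 1)[1] for f in fs}),
        })
    rows.sort(key=lambda r: (r["max_normalized"], r["count"]), reverse=True)
    return rows


if __name__ == "__main__":
    for row in by_resource(FINDINGS):
        print(f'{row["max_label"]:8} x{row["count"]} {row["resource"]} '
              f'({", ".join(row["products"])})')
```

The Workflow.Status and RecordState filters are what keep a triage queue honest: Security Hub marks a finding ARCHIVED when the product stops reporting it, and analysts set RESOLVED or SUPPRESSED on ones they have handled, so counting those again only inflates the numbers.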
AWS Firewall Manager
AWS Firewall Manager lets us define protection policies centrally and enforce them across accounts: AWS WAF web ACLs, AWS Shield Advanced protections, VPC security groups, AWS Network Firewall, and Route 53 Resolver DNS Firewall rules. It requires AWS Organizations. Policies created in the administrator account are applied to existing and newly created resources in member accounts automatically, so a new load balancer gets the organization's web ACL without anyone remembering to attach it, and drift from the policy is reported as non-compliance.
Amazon GuardDuty
Amazon GuardDuty is a regional threat detection service fully managed by AWS. It continuously analyzes AWS CloudTrail events, VPC Flow Logs, and DNS query logs (plus optional sources such as S3 data events and EKS audit logs) and applies threat intelligence feeds and anomaly detection to raise findings such as unusual API calls, EC2 instances talking to known malicious IP addresses, credentials used from unexpected locations, and other signs of a compromised instance or account. The core log-based detections need no agents in our workloads; enabling the service in each region is enough.
Amazon Inspector
Amazon Inspector is an automated vulnerability management service. It continuously scans EC2 instances, container images in Amazon Elastic Container Registry (Amazon ECR), and Lambda functions for known software vulnerabilities and unintended network exposure, assigns each finding a risk score, and publishes findings to Security Hub and EventBridge. ECR images are scanned on push and rescanned as new vulnerabilities are published, so a finding can appear on an image that was clean when it was built.
AWS Network Firewall
AWS Network Firewall is a fully managed, stateful network firewall for Amazon VPC. We deploy firewall endpoints in dedicated subnets and route traffic through them, which lets us inspect and filter traffic between our VPC and the internet (via an internet gateway or NAT gateway), on-premises networks (via AWS Direct Connect or VPN), or other VPCs. Rules can be stateless 5-tuple filters, stateful domain or IP lists, or Suricata-compatible intrusion prevention rules.
AWS Shield
AWS Shield protects applications hosted on AWS against Distributed Denial of Service (DDoS) attacks. Shield Standard is enabled automatically at no extra cost and mitigates common network and transport layer attacks (OSI layers 3 and 4). Shield Advanced is a paid subscription that adds application layer (layer 7) protection for resources such as CloudFront distributions, Route 53 hosted zones, load balancers, and Elastic IP addresses, access to the AWS Shield Response Team during an attack, and cost protection against scaling charges an attack causes.
AWS Resource Access Manager
AWS Resource Access Manager (RAM) lets us share AWS resources such as subnets, transit gateways, and Route 53 Resolver rules with other AWS accounts, with organizational units, or with an entire organization. Within an organization, sharing can be accepted automatically; sharing with an account outside the organization requires that account to accept an invitation. The owning account keeps control of the shared resource and can stop sharing it at any time.
AWS CloudHSM
AWS CloudHSM provides dedicated, single-tenant hardware security modules in the AWS Cloud that store keys and perform cryptographic operations for us; the modules are FIPS 140 Level 3 validated, which is what many compliance regimes require. Unlike KMS, AWS has no access to the keys inside: after initializing a cluster we create HSM users (a crypto officer who administers users, and crypto users who own and use keys), and our applications authenticate to the HSM with those users' credentials through the CloudHSM client libraries (PKCS#11, JCE, or OpenSSL). A CloudHSM cluster can also back a KMS custom key store when we want KMS integration with keys held in our own HSMs.
AWS Audit Manager
AWS Audit Manager continuously collects evidence about our AWS usage and maps it to the controls of prebuilt frameworks such as PCI DSS, SOC 2, HIPAA, and CIS, or to custom frameworks we define. This automates the evidence-gathering part of an audit and lets us verify that the policies, activities, and procedures we have put in place are actually working as intended before an auditor asks.
AWS Artifact
AWS Artifact is an AWS-managed repository of security and compliance reports (such as SOC reports and ISO certifications) and select online agreements. We can download these reports to demonstrate to auditors that the AWS infrastructure underneath our workloads meets compliance requirements; under the shared responsibility model, our own configuration on top of that infrastructure is still ours to prove.
Test your knowledge
Let’s take a quiz to make sure we’ve not missed out on anything:
What is the fundamental purpose of AWS Key Management Service (KMS) within the AWS ecosystem?
Managing user access permissions within AWS services.
Encrypting data at rest and in transit within the AWS environment.
Providing secure storage for sensitive information such as passwords.
Optimizing performance and scalability of AWS resources.
Congratulations! We’ve successfully gone through the essential concepts of the AWS security and compliance services and refreshed our knowledge of them.