
Week 7 - Day 3: Security Advanced

1. AWS Security Services Overview

SECURITY SERVICES

DETECTION:
- GuardDuty (Threat detection)
- Security Hub (Aggregated findings)
- Inspector (Vulnerability scanning)
- Macie (Sensitive data discovery)
- Detective (Security investigation)

PROTECTION:
- WAF (Web Application Firewall)
- Shield (DDoS protection)
- Firewall Manager (Centralized rules)
- Network Firewall (VPC-level firewall)

IDENTITY:
- IAM (Users, Roles, Policies)
- IAM Identity Center (SSO)
- Cognito (App authentication)
- Directory Service (AD)

DATA PROTECTION:
- KMS (Key Management)
- CloudHSM (Hardware Security)
- Secrets Manager (Secrets rotation)
- Certificate Manager (SSL/TLS)

2. AWS KMS Deep Dive

AWS KMS

Key Types:
- AWS Managed Keys (aws/service-name): automatic rotation yearly
- Customer Managed Keys (CMK): optional rotation (yearly)
- AWS Owned Keys: used internally by AWS

Key Material Origin:
- AWS_KMS (generated in KMS)
- EXTERNAL (import your own)
- AWS_CLOUDHSM (CloudHSM cluster)

Multi-Region Keys:
- Same key material in multiple regions
- Simplifies cross-region encryption
- Primary + Replica keys

3. Network Security Layers

DEFENSE IN DEPTH

Layer 1 (Edge): CloudFront + WAF, Shield (DDoS)
Layer 2 (VPC Perimeter): Network Firewall, NAT Gateway
Layer 3 (Subnet): NACL (stateless)
Layer 4 (Instance): Security Groups (stateful)
Layer 5 (Application): IAM Roles, Encryption
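The difference between the stateless NACL at Layer 3 and the stateful Security Group at Layer 4 is easiest to see by evaluating one connection against both. The following is an added example, not code from the lesson or from AWS; it models NACL rule ordering and implicit deny, and SG connection tracking, with a constructed client IP (203.0.113.10), a blocklisted host (198.51.100.7) and a simplified CIDR match (only 0.0.0.0/0 or a single /32).

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Rule:
    """One NACL or SG rule. CIDR is simplified to 0.0.0.0/0 or a single /32 (assumption)."""
    number: int       # NACL evaluation order (lowest first); ignored by Security Groups
    proto: str        # "tcp", "udp" or "all"
    port_lo: int
    port_hi: int
    cidr: str
    action: str       # "allow" or "deny" (Security Group rules are always "allow")

    def matches(self, proto, port, ip):
        return (self.proto in ("all", proto)
                and self.port_lo <= port <= self.port_hi
                and self.cidr in ("0.0.0.0/0", f"{ip}/32"))


def nacl_allows(rules, proto, port, ip):
    """Stateless: every packet is judged alone; first matching rule by number wins, else implicit deny."""
    for r in sorted(rules, key=lambda r: r.number):
        if r.matches(proto, port, ip):
            return r.action == "allow"
    return False


class SecurityGroup:
    """Stateful: only inbound allows are listed; replies to a tracked flow pass automatically."""
    def __init__(self, inbound):
        self.inbound, self.flows = inbound, set()

    def inbound_allows(self, proto, port, src_ip, src_port):
        if any(r.matches(proto, port, src_ip) for r in self.inbound):
            self.flows.add((proto, src_ip, src_port))   # remember the connection
            return True
        return False

    def reply_allows(self, proto, dst_ip, dst_port):
        return (proto, dst_ip, dst_port) in self.flows   # no outbound rule needed


# Constructed scenario: client 203.0.113.10:50000 opens HTTPS to a web server on :443
CLIENT, EPHEMERAL = "203.0.113.10", 50000
NACL_IN = [Rule(90, "tcp", 443, 443, "198.51.100.7/32", "deny"),    # blocklisted host first
           Rule(100, "tcp", 443, 443, "0.0.0.0/0", "allow")]
NACL_OUT_BROKEN = [Rule(100, "tcp", 443, 443, "0.0.0.0/0", "allow")]   # ephemeral ports forgotten
NACL_OUT_FIXED = NACL_OUT_BROKEN + [Rule(110, "tcp", 1024, 65535, "0.0.0.0/0", "allow")]


def reply_reaches_client(nacl_out, sg):
    """True only if the stateless NACL AND the stateful SG both let the server's reply out."""
    sg.inbound_allows("tcp", 443, CLIENT, EPHEMERAL)
    return nacl_allows(nacl_out, "tcp", EPHEMERAL, CLIENT) and sg.reply_allows("tcp", CLIENT, EPHEMERAL)
```

With the broken outbound NACL the Security Group accepts the reply but the subnet NACL drops it, which is why NACLs need an explicit ephemeral-port rule in the return direction.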

4. AWS Network Firewall

AWS NETWORK FIREWALL

Features:
- Stateful inspection
- Intrusion Prevention (IPS)
- Web filtering
- Protocol detection

Integration (traffic path): Internet -> Network Firewall (Firewall Subnet) -> NAT Gateway -> Private Subnets

5. Security Best Practices

1. Enable CloudTrail in all regions
2. Enable Config rules
3. Enable GuardDuty
4. Use Security Hub for aggregation
5. Encrypt everything (at rest and in transit)
6. Use IAM roles (not users) for applications
7. Enable MFA everywhere
8. Regular security assessments
9. Implement least privilege
10. Monitor and alert on security events

Official reference documentation


Next day: Encryption and Compliance