Friday, July 31, 2020

Macie, Inspector, Rekognition, GuardDuty

Macie 
-         fully managed data security and data privacy service that uses machine learning and pattern matching to discover and protect your sensitive data in AWS
-         automatically provides an inventory of Amazon S3 buckets including a list of unencrypted buckets, publicly accessible buckets, and buckets shared with AWS accounts outside those you have defined in AWS Organizations
-         applies machine learning and pattern matching techniques to the buckets you select to identify and alert you to sensitive data, such as personally identifiable information (PII). Macie’s alerts, or findings, can be searched and filtered in the AWS Management Console and sent to Amazon CloudWatch Events for easy integration with existing workflow or event management systems, or to be used in combination with AWS services, such as AWS Step Functions to take automated remediation actions

Inspector 
-         automatically assesses applications for exposure, vulnerabilities, and deviations from best practices. After performing an assessment, Amazon Inspector produces a detailed list of security findings prioritized by level of severity. These findings can be reviewed directly or as part of detailed assessment reports which are available via the Amazon Inspector console or API
-         helps you check for unintended network accessibility of your Amazon EC2 instances and for vulnerabilities on those EC2 instances

Rekognition
-         makes it easy to add image and video analysis to your applications. You just provide an image or video to the Amazon Rekognition API, and the service can identify objects, people, text, scenes, and activities. It can detect any inappropriate content as well. Amazon Rekognition also provides highly accurate facial analysis, face comparison, and face search capabilities

GuardDuty
-         a threat detection service that continuously monitors for malicious activity and unauthorized behavior to protect your AWS accounts, workloads, and data stored in Amazon S3 
-         analyzes tens of billions of events across multiple AWS data sources, such as AWS CloudTrail event logs, Amazon VPC Flow Logs, and DNS logs

Thursday, July 30, 2020

WAF and Shield

AWS WAF
-       AWS WAF is a web application firewall that helps protect your web applications or APIs against common web exploits that may affect availability, compromise security, or consume excessive resources
AWS Shield
-       https://aws.amazon.com/shield/
-       A managed Distributed Denial of Service (DDoS) protection service that safeguards applications running on AWS.



Monday, July 20, 2020

Step Functions

Step Functions
-         https://docs.aws.amazon.com/step-functions/latest/dg/welcome.html
-         SWF successor
-         enables you to coordinate the components of distributed applications and microservices using visual workflows
-         offers a graphical console to visualize the components of your application as a series of steps.
-         The service tracks each step and retries in case of failure
-         It is possible to change / add steps without writing code
-         Defines workflows in Amazon States Language
-         defines state machines (workflows) that contain series of steps, their relationships and in/outputs
-         Visual console uses colors highlighting the state of each step
-         Activity task (activity worker) – can be an application on EC2, on-premises, or on a mobile device
-         Service Task – how a step in a state machine (workflow) can connect to another supported AWS Service – it pushes requests to a service, awaits response, continues to next step
-         Step Functions Service can combine both Service and Activity tasks, running on-premises or in the cloud
-         Integrates with:
          §  Lambda
          §  DynamoDB
          §  Batch
          §  SNS
          §  SQS
          §  Glue
          §  SageMaker
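The points above describe a state machine as a series of steps with retries and relationships between them. As an added example (not code from the original notes or from AWS), the block below builds a small Amazon States Language definition and then checks it the way the visual console would when rendering it: every Next, Catch and Choice transition must point at a defined state, every non-terminal state must go somewhere, and every state must be reachable from StartAt. The workflow, its state names and the Lambda ARN are constructed placeholders; nested Parallel and Map branches are an assumption not handled here.

```python
"""Minimal Amazon States Language (ASL) definition plus a structural checker.

Added example, not from the original notes. The state machine below is a
constructed one (names such as "ValidateInput" and the Lambda ARN are
placeholders); the checker walks the definition and reports dangling
transitions and unreachable states. Nested Parallel/Map branches are not
walked (assumption: top-level states only).
"""
import json

# Constructed ASL definition: a Task state with Retry/Catch, a Choice, and
# terminal Succeed/Fail states. The Lambda ARN is a placeholder.
DEFINITION = {
    "Comment": "Constructed example workflow",
    "StartAt": "ValidateInput",
    "States": {
        "ValidateInput": {
            "Type": "Task",
            "Resource": "arn:aws:lambda:us-east-1:123456789012:function:PLACEHOLDER-validate",
            "Retry": [{"ErrorEquals": ["States.TaskFailed"], "IntervalSeconds": 2,
                       "MaxAttempts": 3, "BackoffRate": 2.0}],
            "Catch": [{"ErrorEquals": ["States.ALL"], "Next": "HandleFailure"}],
            "Next": "IsValid",
        },
        "IsValid": {
            "Type": "Choice",
            "Choices": [{"Variable": "$.valid", "BooleanEquals": True, "Next": "Done"}],
            "Default": "HandleFailure",
        },
        "HandleFailure": {"Type": "Fail", "Error": "ValidationError", "Cause": "input rejected"},
        "Done": {"Type": "Succeed"},
    },
}

TERMINAL_TYPES = {"Succeed", "Fail"}


def transitions(state):
    """Every state name this state can move to (Next, Catch targets, Choice branches, Default)."""
    targets = []
    if "Next" in state:
        targets.append(state["Next"])
    for catcher in state.get("Catch", []):
        targets.append(catcher["Next"])
    for choice in state.get("Choices", []):
        targets.append(choice["Next"])
    if "Default" in state:
        targets.append(state["Default"])
    return targets


def check_definition(definition):
    """Return a list of structural problems; an empty list means the definition is well-formed."""
    problems = []
    states = definition.get("States", {})
    start = definition.get("StartAt")
    if start not in states:
        problems.append(f"StartAt '{start}' is not a defined state")
    for name, state in states.items():
        is_terminal = state.get("Type") in TERMINAL_TYPES or state.get("End") is True
        targets = transitions(state)
        if not is_terminal and not targets:
            problems.append(f"state '{name}' neither ends nor transitions anywhere")
        for target in targets:
            if target not in states:
                problems.append(f"state '{name}' transitions to undefined state '{target}'")
    # Reachability: walk from StartAt and report states nothing can reach.
    seen, stack = set(), [start] if start in states else []
    while stack:
        current = stack.pop()
        if current in seen:
            continue
        seen.add(current)
        stack.extend(t for t in transitions(states[current]) if t in states)
    for name in states:
        if name not in seen:
            problems.append(f"state '{name}' is unreachable from StartAt")
    return problems


if __name__ == "__main__":
    print(json.dumps(DEFINITION, indent=2))
    print("problems:", check_definition(DEFINITION))
```

The Retry block is what gives the "retries in case of failure" behaviour from the notes: three attempts with exponential backoff before the Catch hands control to HandleFailure. Running the checker on a definition before creating the state machine catches the typo-in-a-Next-field class of error before it is deployed.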

SWF - Simple Workflow Service

SWF - Simple Workflow Service
-         https://docs.aws.amazon.com/amazonswf/latest/developerguide/swf-welcome.html
-         fully managed state tracker and task coordinator
-         helps development of asynchronous and distributed applications by providing a programming model and infra for coordinating distributed components
-         uses IAM for access control
-         acts similarly to a bus or a mediator – allowing components to communicate
-         access via: SDK, AWS Flow Framework (enhanced SDK for writing distributed workflows), HTTP API, development environment for a specific language
-         REGIONAL service

Components (coded by user, not AWS)
-         Workflow – set of activities. A workflow runs in a domain, which controls the workflow scope
-         Worker – receives an activity task, processes and feeds the status back
-         A worker can run on AWS (EC2, Lambda, etc.) or on-premises
-         Task – activity performed by a worker, can be distributed across multiple servers or even Regions.
-         SWF assigns tasks to workers and maintains a state of each task
-         Decider – controls the flow of activities in workflow execution; schedules tasks; processes task responses; ends workflows – all through SWF
-         Workers and Deciders poll SWF for tasks
-         SWF – central hub for data exchange among deciders, workers and the user
-         Execution History – SWF maintains the state of each workflow execution. SWF includes the current workflow state in Decision task definition (below) – thus keeping the Decider up to date
-         Task Types:
          §  Activity task – action for worker to perform
          §  Lambda task – execution of a lambda function
          §  Decision task – informs the Decider on the current workflow state
-         Endpoints – exist per region. SWF in one region has no access to workflows in another region

RAM – Resource Access Manager


RAM – Resource Access Manager
-         https://docs.aws.amazon.com/ram/latest/userguide/what-is.html
-         RAM lets you share your resources with any AWS account or through AWS Organizations. If you have multiple AWS accounts, you can create resources centrally and use AWS RAM to share those resources with other accounts.
-         Access via: Console, SDK, API, command line, AWS Tools for Windows PowerShell
-         Can share across: accounts, OU, AWS Organization
-         When sharing a resource with another account – all policies in the receiving account apply
-         Reduces overhead – removes need for duplicate resources
-         Integrates with CloudWatch and CloudTrail
-         Sharing resources in VPC – the owner creates a VPC and shares specific subnets with others in same AWS Organization. Participants cannot view / delete / modify other participants’ resources in a VPC
-         The following sections list the services that integrate with AWS RAM, and the resources that support sharing.
          §  AWS App Mesh
          §  Amazon Aurora
          §  AWS CodeBuild
          §  Amazon EC2 (incl. Transit Gateway)
          §  Amazon EC2 Image Builder
          §  AWS License Manager
          §  AWS Resource Groups
          §  Amazon Route 53
-         AZ ID – a unique ID. To ensure that resources are distributed across the Availability Zones for a Region, AWS independently maps Availability Zones to names for each account. For example, the Availability Zone us-east-1a for your AWS account might not have the same location as us-east-1a for another AWS account. The AZ ID should be used as the unique reference.

X-Ray


AWS X-Ray
-         https://docs.aws.amazon.com/xray/latest/devguide/aws-xray.html
-         a service that collects data about requests that your application serves, and provides tools you can use to view, filter, and gain insights into that data to identify issues and opportunities for optimization.
-         Traces requests as they travel through application components/microservices; builds a component map. This helps with:
          §  Building a dependency tree
          §  Detecting latency issues across regions / AZs
          §  Identifying services not operating as expected
          §  Identifying errors / bugs
-         You can use AWS X-Ray to trace and analyze user requests as they travel through your Amazon API Gateway APIs to the underlying services. API Gateway supports AWS X-Ray tracing for all API Gateway endpoint types: regional, edge-optimized, and private. You can use AWS X-Ray with Amazon API Gateway in all regions where X-Ray is available
-         X-Ray gives you an end-to-end view of an entire request, so you can analyze latencies in your APIs and their backend services. You can use an X-Ray service map to view the latency of an entire request and that of the downstream services that are integrated with X-Ray. And you can configure sampling rules to tell X-Ray which requests to record, at what sampling rates, according to criteria that you specify. If you call an API Gateway API from a service that's already being traced, API Gateway passes the trace through, even if X-Ray tracing is not enabled on the API
-         You can enable X-Ray for an API stage by using the API Gateway management console, or by using the API Gateway API or CLI.
Components:
-         Trace – collection of data point sharing a TraceID
-         Segment – all data points in a single component
-         Sampling – data is NOT collected for EVERY request to a component – X-Ray can NOT be used as a compliance tool that requires data completeness
-         Annotation – system or user-defined data associated with a segment
-         Errors – annotations for a segment that responded with an error to an X-Ray call


Batch


AWS Batch
-         https://docs.aws.amazon.com/batch/latest/userguide/what-is-batch.html
-         enables you to run batch computing workloads on the AWS Cloud
-         removes the undifferentiated heavy lifting of configuring and managing the required infrastructure, similar to traditional batch computing software
-         regional service, simplifies running batch jobs across multiple Availability Zones
-         supports any job that can be run as a Docker container
-         can take on workloads of any scale
-         user can specify the memory and CPUs to be used
-         Jobs - A unit of work (such as a shell script, a Linux executable, or a Docker container image). It runs as a containerized application on an Amazon EC2 instance in your compute environment, using parameters that you specify in a job definition.
-         Job definitions – specify how jobs are to be run; can attach an IAM Role with specific permissions, specify which Docker image to use, how many resources to allocate, what parameters are to be passed in
-         Job queue – a job is submitted into a queue; one or more compute environments can be associated with a queue
-         Scheduler – evaluates the queue contents
-         Compute Environment – EC2 instances
-         CloudWatch is available for Batch. Can do:
          §  Build custom dashboards
          §  Monitor progress of jobs
          §  Build complex workflows with dependencies
          §  Trigger a CloudWatch target – Lambda, SQS, SNS, Kinesis Data Stream OR another Batch job
-         CloudTrail – all activity is logged

Config

AWS Config
-         https://aws.amazon.com/config/features/ – REGIONAL service
-         Service that enables you to assess, audit, and evaluate the configurations of your AWS resources: EC2, EBS, Security Groups, VPCs, etc. Config continuously monitors and records your AWS resource configurations and allows you to automate the evaluation of recorded configurations against desired configurations:
          §  See how the resources are related to one another
          §  See how the resources were configured in the past
          §  Extract existing resource settings and detect deviations from the standard
          §  Receive notifications when resources are added / modified / deleted
-         Connection from a resource to the Config service – over the AWS infra
-         Config is used for governance and compliance.
-         Example: can see what gets affected by a change in a Security Group rule
-         Configuration item – a point-in-time view of a configuration of a supported resource
-         Configuration history – collection of items for a resource over a period of time. Retention of min 30 days and max 7 years.
-         Configuration recorder – stores items in an account
-         Snapshot – a collection of configuration items for a resource. Can be delivered to S3
-         Configuration stream – near real time, automatically updated list for the resources that are being recorded. Works via an SNS topic
-         Resource Relationship – map of relationships between resources in an account
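The notes say Config evaluates recorded configuration items against a desired configuration and can show what is affected by a Security Group rule change. As an added example (not code from the original notes or from AWS), the block below is the evaluation logic of a custom Config rule of the kind that runs in Lambda: it takes a security group configuration item and reports NON_COMPLIANT when SSH or RDP is reachable from 0.0.0.0/0 or ::/0. The item shape (resourceType, resourceId, configuration.ipPermissions, invokingEvent as a JSON string) follows what Config delivers to a custom rule, but the group IDs, CIDRs and timestamps are constructed, and a real rule would report the result through the Config PutEvaluations API instead of returning it.

```python
"""AWS Config custom rule evaluation logic, shown on constructed configuration items.

Added example, not from the original notes. A Config custom rule is a Lambda
function that receives a configuration item and returns COMPLIANT or
NON_COMPLIANT; the item shape below mirrors what Config sends for a security
group, but every value is constructed. In a deployed rule the evaluation is
reported back with the Config PutEvaluations API rather than returned.
"""
import ipaddress
import json

SENSITIVE_PORTS = {22, 3389}  # SSH and RDP: the rule flags these when open to the whole internet


def rule_covers_port(perm, port):
    """True if an ipPermissions entry includes the given TCP port."""
    if perm.get("ipProtocol") == "-1":          # "-1" means all protocols and all ports
        return True
    if perm.get("ipProtocol") != "tcp":
        return False
    low = perm.get("fromPort", 0)
    high = perm.get("toPort", 65535)
    return low <= port <= high


def rule_is_world_open(perm):
    """True if any CIDR on the entry admits every IPv4 or IPv6 address (prefix length 0)."""
    for r in perm.get("ipRanges", []):
        if ipaddress.ip_network(r["cidrIp"]).prefixlen == 0:
            return True
    for r in perm.get("ipv6Ranges", []):
        if ipaddress.ip_network(r["cidrIpv6"]).prefixlen == 0:
            return True
    return False


def evaluate_security_group(config_item):
    """Return (compliance_type, annotation) for one configuration item."""
    if config_item.get("resourceType") != "AWS::EC2::SecurityGroup":
        return "NOT_APPLICABLE", "rule only evaluates security groups"
    offending = sorted({
        port for perm in config_item["configuration"].get("ipPermissions", [])
        for port in SENSITIVE_PORTS
        if rule_covers_port(perm, port) and rule_is_world_open(perm)
    })
    if offending:
        return "NON_COMPLIANT", f"ports {offending} open to 0.0.0.0/0 or ::/0"
    return "COMPLIANT", "no sensitive port is world-reachable"


def handler(event, context=None):
    """Lambda-style entry point: Config passes the item as a JSON string in invokingEvent."""
    invoking = json.loads(event["invokingEvent"])
    item = invoking["configurationItem"]
    compliance, annotation = evaluate_security_group(item)
    return {
        "ComplianceResourceType": item["resourceType"],
        "ComplianceResourceId": item["resourceId"],
        "ComplianceType": compliance,
        "Annotation": annotation,
        "OrderingTimestamp": item["configurationItemCaptureTime"],
    }


# Constructed sample configuration items (IDs, CIDRs and timestamps are made up).
OPEN_SSH_GROUP = {
    "resourceType": "AWS::EC2::SecurityGroup",
    "resourceId": "sg-0example00000001",
    "configurationItemCaptureTime": "2020-07-20T10:00:00.000Z",
    "configuration": {"ipPermissions": [
        {"ipProtocol": "tcp", "fromPort": 22, "toPort": 22,
         "ipRanges": [{"cidrIp": "0.0.0.0/0"}], "ipv6Ranges": []},
    ]},
}
OFFICE_ONLY_GROUP = {
    "resourceType": "AWS::EC2::SecurityGroup",
    "resourceId": "sg-0example00000002",
    "configurationItemCaptureTime": "2020-07-20T10:00:00.000Z",
    "configuration": {"ipPermissions": [
        {"ipProtocol": "tcp", "fromPort": 22, "toPort": 22,
         "ipRanges": [{"cidrIp": "203.0.113.0/24"}], "ipv6Ranges": []},
        {"ipProtocol": "tcp", "fromPort": 443, "toPort": 443,
         "ipRanges": [{"cidrIp": "0.0.0.0/0"}], "ipv6Ranges": []},
    ]},
}

if __name__ == "__main__":
    for item in (OPEN_SSH_GROUP, OFFICE_ONLY_GROUP):
        print(handler({"invokingEvent": json.dumps({"configurationItem": item})}))
```

Because Config re-evaluates the rule whenever a configuration item for the group changes, the same function turns "what gets affected by a change in a Security Group rule" into a compliance status that can drive the SNS notification described under Configuration stream.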

Athena

Athena
-        https://docs.aws.amazon.com/athena/latest/ug/what-is.html
-         interactive query service that makes it easy to analyze data directly in Amazon Simple Storage Service (Amazon S3) using standard SQL.
-         Athena is an overlay on top of S3. The data is loaded into and queried by Athena
-         Data - unstructured, semi-structured, and structured data stored in Amazon S3. Examples include CSV, JSON, or columnar data formats such as Apache Parquet and Apache ORC. You can use Athena to run ad-hoc queries using ANSI SQL, without the need to aggregate or load the data into Athena.
          §  Columnar data – fast to query. Data can be converted into columns by creating an EMR cluster and converting using Hive
-         Integrates with Amazon QuickSight for easy data visualization. You can use Athena to generate reports or to explore data with business intelligence tools or SQL clients connected with a JDBC or an ODBC driver.
-         You can access Athena using the AWS Management Console, through a JDBC or ODBC connection, using the Athena API, or using the Athena CLI
-         Encryption – query results are stored in S3, can be encrypted
-         Query results - .csv and .csv.metadata
-         Query history – kept for 45 days; to extend this - can write code to read the data and write into S3
-         Can use Athena to query log databases:
          §  CloudTrail logs
          §  CloudFront logs
          §  LoadBalancer logs
          §  VPC Flow logs
 
Service Catalog
-         https://docs.aws.amazon.com/servicecatalog/latest/adminguide/introduction.html
-         AWS Service Catalog enables organizations to create and manage catalogs of IT services that are approved for use on AWS. These IT services can include everything from virtual machine images, servers, software, and databases to complete multi-tier application architectures.
-         Catalog administrators (administrators) – Manage a catalog of products (applications and services), organizing them into portfolios and granting access to end users. Catalog administrators prepare (import) AWS CloudFormation templates, configure constraints, and manage IAM roles that are assigned to products to provide for advanced resource management.
-         End users – Receive AWS credentials from their IT department or manager and use the AWS Management Console to launch products to which they have been granted access
-         Portfolio - A portfolio is a collection of products, together with configuration information. 
-         Provisioned stack – a CloudFormation template (YAML/JSON) with a collection of resources
-         Provisioned product – a stack with resources
-         Versions - Service Catalog allows you to manage multiple versions of the products in your catalog. This allows you to add new versions of templates and associated resources based on software updates or configuration changes
-         When a new version of a product becomes available – it gets distributed to all users with access to the product, allowing the user to select the version they prefer running
-         Service Catalog does not automatically update products

Systems Manager

Systems Manager
-         https://docs.aws.amazon.com/systems-manager/latest/userguide/what-is-systems-manager.html
-         service that you can use to view and control your infrastructure on AWS. Using the Systems Manager console, you can view operational data from multiple AWS services and automate operational tasks across your AWS resources.
-         Systems Manager helps you maintain security and compliance by scanning your managed instances and reporting on (or taking corrective action on) any policy violations it detects (ex: patch needed, etc.)
-         Supported operating system types include Windows Server, multiple distributions of Linux, and Raspbian – in-cloud, on-premises and other cloud environments (Azure, etc.)
-         Benefits:
          §  Centralizing workflows using a unified set of tools and scripts
          §  Access to CloudTrail, CloudWatch, SNS
-         Systems Manager Console / SDK / CLI / AWS Tools for PowerShell can be used to schedule Systems Manager actions
-         SSM Agent
          §  gets installed on managed instances / servers in hybrid environments;
          §  performs specified tasks
          §  reports to Systems Manager
          §  comes as part of newer Windows Server AMI / manual install for Linux
          §  has public endpoints – accessible via the internet; can also be accessed via AWS infra; need to set up Security Groups etc.
          §  IAM user permissions, IAM Instance Profiles (EC2) / IAM Service Role (for on-premise instances) are required

Parameter Store
-         https://docs.aws.amazon.com/systems-manager/latest/userguide/systems-manager-parameter-store.html
-         provides secure, hierarchical storage for configuration data management and secrets management. You can store data such as passwords, database strings, Amazon Machine Image (AMI) IDs, and license codes as parameter values. You can store values as plain text or encrypted data. You can reference Systems Manager parameters in your scripts, commands, SSM documents, and configuration and automation workflows by using the unique name that you specified when you created the parameter
-         secure, scalable, hosted secrets management service with no servers to manage.
-         can also reference parameters in a number of other AWS services, including the following:
          §  Amazon Elastic Compute Cloud (Amazon EC2)
          §  Amazon Elastic Container Service (Amazon ECS)
          §  AWS Secrets Manager
                §  Can have the Parameter Store pull in secrets stored in Secrets Manager, i.e. act as a proxy between an application referencing a parameter and the secret that the parameter needs
          §  AWS Lambda
          §  AWS CloudFormation
          §  AWS CodeBuild
          §  AWS CodePipeline
          §  AWS CodeDeploy
-         Configure integration with the following AWS services for encryption, notification, monitoring, and auditing:
          §  AWS Key Management Service (AWS KMS)
          §  Amazon Simple Notification Service (Amazon SNS)
          §  Amazon CloudWatch
          §  AWS CloudTrail
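The Parameter Store section above describes hierarchical storage of plain-text and KMS-encrypted values that scripts reference by name. As an added example (not code from the original notes or from AWS), the block below reads every parameter under one path the way a script or Lambda would: one call to the real boto3 SSM operation get_parameters_by_path with Recursive=True and WithDecryption=True, following NextToken pages, so SecureString values arrive already decrypted through the KMS integration. The parameter names and values are constructed, and the FakeSSM class stands in for boto3.client("ssm") so the example runs with no AWS credentials; swap in the real client to use it.

```python
"""Resolving a hierarchical Parameter Store path into a config dict.

Added example, not from the original notes. load_config() uses the real
boto3 SSM call get_parameters_by_path (Recursive, WithDecryption, NextToken
paging) so SecureString values come back decrypted via KMS; the parameter
names and values below are constructed, and FakeSSM stands in for a boto3
client so the example runs without AWS credentials.
"""


def load_config(ssm, path):
    """Return {relative_name: value} for every parameter under `path`, following pagination.

    WithDecryption=True asks SSM to decrypt SecureString values with the KMS
    key they were stored under; the caller's IAM identity needs kms:Decrypt
    on that key as well as ssm:GetParametersByPath on the path.
    """
    prefix = path.rstrip("/") + "/"
    config = {}
    kwargs = {"Path": prefix, "Recursive": True, "WithDecryption": True}
    while True:
        page = ssm.get_parameters_by_path(**kwargs)
        for param in page["Parameters"]:
            config[param["Name"][len(prefix):]] = param["Value"]
        token = page.get("NextToken")
        if not token:
            return config
        kwargs["NextToken"] = token


class FakeSSM:
    """Stand-in for boto3.client("ssm"): serves constructed parameters, two per page."""

    # Constructed names and values; the SecureString entry plays the role of a KMS-backed secret.
    PARAMETERS = [
        {"Name": "/app/prod/db/host", "Type": "String", "Value": "db.example.internal"},
        {"Name": "/app/prod/db/password", "Type": "SecureString", "Value": "constructed-secret"},
        {"Name": "/app/prod/ami", "Type": "String", "Value": "ami-0PLACEHOLDER"},
        {"Name": "/app/staging/db/host", "Type": "String", "Value": "db-staging.example.internal"},
    ]
    PAGE_SIZE = 2

    def get_parameters_by_path(self, Path, Recursive=False, WithDecryption=False, NextToken=None):
        matching = [p for p in self.PARAMETERS if p["Name"].startswith(Path)]
        if not Recursive:  # a non-recursive call returns only direct children of Path
            matching = [p for p in matching if "/" not in p["Name"][len(Path):]]
        start = int(NextToken or 0)
        page = matching[start:start + self.PAGE_SIZE]
        out = []
        for p in page:
            value = p["Value"]
            if p["Type"] == "SecureString" and not WithDecryption:
                value = "CIPHERTEXT-PLACEHOLDER"  # real SSM returns the KMS ciphertext blob here
            out.append({"Name": p["Name"], "Type": p["Type"], "Value": value})
        result = {"Parameters": out}
        if start + self.PAGE_SIZE < len(matching):
            result["NextToken"] = str(start + self.PAGE_SIZE)
        return result


if __name__ == "__main__":
    # Replace FakeSSM() with boto3.client("ssm") to read real parameters.
    print(load_config(FakeSSM(), "/app/prod"))
```

Keeping the environment as the first path component (/app/prod, /app/staging) lets an IAM policy grant ssm:GetParametersByPath on one subtree only, so a staging role cannot read production secrets even though both live in the same Parameter Store.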