Aws

Uploaded by Mukesh

Securing AWS Account:

1. Best Practices for Securing an AWS Account:

o Enable Multi-Factor Authentication (MFA) for all users.

o Use strong, unique passwords for each user.

o Regularly review IAM policies and remove unnecessary permissions.

o Monitor account activity using AWS CloudTrail and other tools.

2. AWS IAM Access Analyzer:

o IAM Access Analyzer helps by analyzing resource policies to determine who
has access to your AWS resources.

o It provides visibility into potential unintended access to resources, enabling
you to make informed decisions about access control.
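
As an added illustration of what a resource-policy analysis looks like (example code written for these notes, not AWS's own Access Analyzer), the following Python function scans a constructed S3 bucket policy and reports the Allow statements reachable by the public or by accounts outside a trusted set; the policy, bucket name and account ids are assumed sample values.

```python
import json

# Constructed sample S3 bucket policy (not from the notes); 111122223333 and
# 444455556666 are the placeholder account ids used in AWS documentation.
SAMPLE_POLICY = json.loads("""{"Version": "2012-10-17", "Statement": [
  {"Sid": "OwnAccount", "Effect": "Allow", "Action": "s3:GetObject",
   "Principal": {"AWS": "arn:aws:iam::111122223333:role/app"},
   "Resource": "arn:aws:s3:::example-bucket/*"},
  {"Sid": "PublicRead", "Effect": "Allow", "Action": "s3:GetObject",
   "Principal": "*", "Resource": "arn:aws:s3:::example-bucket/*"},
  {"Sid": "Partner", "Effect": "Allow", "Action": ["s3:PutObject"],
   "Principal": {"AWS": ["arn:aws:iam::444455556666:root"]},
   "Resource": "arn:aws:s3:::example-bucket/*"},
  {"Sid": "RequireTLS", "Effect": "Deny", "Action": "s3:*", "Principal": "*",
   "Resource": "arn:aws:s3:::example-bucket/*",
   "Condition": {"Bool": {"aws:SecureTransport": "false"}}}]}""")

def as_list(value):
    """Policy elements may be a single string or a list; normalise to a list."""
    return value if isinstance(value, list) else [value]

def principals_of(principal):
    """Flatten Principal ("*" or a map of AWS/Service/Federated entries)."""
    if principal == "*":
        return ["*"]
    return [p for value in principal.values() for p in as_list(value)]

def account_of(principal):
    """Account id of an IAM ARN or bare account id; None for service principals."""
    if principal.isdigit():
        return principal
    parts = principal.split(":")
    return parts[4] if len(parts) >= 6 and parts[4].isdigit() else None

def find_external_access(policy, trusted_accounts):
    """(Sid, principal, actions) for each Allow statement reachable by the public
    ("*") or by an account outside trusted_accounts. Deny statements are skipped:
    they can only narrow access, never grant it."""
    findings = []
    for stmt in policy.get("Statement", []):
        if stmt.get("Effect") != "Allow":
            continue
        for p in principals_of(stmt.get("Principal", {})):
            acct = account_of(p)
            if p == "*" or (acct and acct not in trusted_accounts):
                findings.append((stmt.get("Sid"), p, as_list(stmt.get("Action", []))))
    return findings
```

Running it with only 111122223333 trusted flags the public-read statement and the partner account's write access; the Deny statement that forces TLS is correctly ignored.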

Securing Load Balancers:

3. Security Considerations for AWS Elastic Load Balancers (ELBs):

o Configure security groups to control inbound and outbound traffic.

o Use SSL/TLS to encrypt data in transit for secure communication.

o Enable access logs for monitoring and auditing traffic and requests.

4. Restricting Access to an AWS Application Load Balancer (ALB) Based on IP
Address:

o Use security groups or Network ACLs to filter traffic based on IP addresses.

o You can also configure AWS WAF to set rules for allowing or blocking specific
IP addresses.

5. Purpose of SSL Termination on a Load Balancer:

o SSL termination offloads SSL decryption from backend servers to the load
balancer.

o This improves performance and reduces CPU usage on backend servers.

6. Best Practices for Securing Applications Hosted on AWS:

o Regularly patch applications to fix vulnerabilities.

o Implement AWS WAF rules to filter malicious traffic.

o Use security groups and Network ACLs to control access.

o Monitor application logs for suspicious activity.

AWS WAF and Web ACL:

7. AWS WAF (Web Application Firewall):

o AWS WAF protects web applications from common exploits such as SQL
injection, XSS, and CSRF attacks.

o It filters and monitors incoming web traffic, ensuring that only legitimate
traffic reaches your application.

8. Web ACL in AWS WAF:

o A Web ACL is a set of rules that define conditions to allow or block requests
based on predefined criteria.

9. Benefit of Using AWS Managed Rules with AWS WAF:

o AWS Managed Rules are pre-configured sets of rules that protect
applications from common threats, reducing the need for manual rule
creation.

AWS Shield:

10. AWS Shield and Protection Against DDoS Attacks:

• AWS Shield is a managed service that provides protection against DDoS attacks
targeting AWS applications.

• It safeguards applications running on AWS from network and transport layer DDoS
attacks.

11. How AWS Shield Protects Against Network and Transport Layer DDoS Attacks:

• AWS Shield offers always-on monitoring, near real-time attack visibility, and
automatic traffic anomaly detection and mitigation.

12. Difference Between AWS Shield Standard and AWS Shield Advanced:

• Shield Standard provides protection against common, smaller DDoS attacks.

• Shield Advanced offers enhanced protection with additional mitigation capacity,
24x7 access to the AWS DDoS Response Team (DRT), and protection against larger,
more sophisticated attacks.

Amazon CloudFront:

13. Enhancing Security with Amazon CloudFront:

• CloudFront can distribute content securely through HTTPS.

• You can use geo-restriction to block content delivery to specific regions.

• Integrate AWS WAF with CloudFront to protect against web application attacks.

14. Origin Access Identity (OAI) in Amazon CloudFront:

• OAI is a virtual identity that grants CloudFront permission to fetch private content
from an S3 bucket.

15. Preventing Hotlinking of Content in CloudFront:

• Configure CloudFront to check the Referer header, ensuring that content is only
served to requests originating from specified domains.

16. Purpose of CloudFront Signed URLs and Cookies:

• CloudFront Signed URLs and Cookies allow you to control access to your content
by requiring viewers to use special URLs or include specific information in their
requests.

AWS Key Management Service (KMS) and Data Encryption:

17. AWS Key Management Service (KMS):

• AWS KMS is a managed service that simplifies the creation and control of
encryption keys, helping to secure sensitive data.

18. Securing Data at Rest Using AWS KMS in S3 and EBS:

• AWS KMS enables you to create and manage encryption keys for encrypting data
at rest in services like S3 and EBS, adding an extra layer of security.

19. AWS KMS Customer Master Key (CMK):

• A CMK is a logical encryption key that is used to encrypt and decrypt data. It is
managed by AWS KMS.

20. Envelope Encryption and AWS KMS:

• Envelope encryption involves using a data encryption key to encrypt data and
then encrypting the data encryption key itself using a CMK. AWS KMS uses this
method to secure data.
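
The key hierarchy described above, as an added Python example (not code from the notes or from AWS): a data key is generated per object and wrapped under a master key, and decryption unwraps the data key before the data. The master key stands in for the CMK, and an HMAC-SHA256 counter keystream with an HMAC tag stands in for the AES-GCM a real KMS data key would be used with; the names generate_data_key, envelope_encrypt and envelope_decrypt are the example's own.

```python
import hashlib
import hmac
import secrets

def _keystream_xor(key, nonce, data):
    """XOR data with an HMAC-SHA256 counter keystream (one call both encrypts
    and decrypts). Stand-in for the AES-GCM a real KMS data key would drive."""
    out = bytearray()
    for i in range((len(data) + 31) // 32):
        block = hmac.new(key, b"enc" + nonce + i.to_bytes(4, "big"),
                         hashlib.sha256).digest()
        out.extend(a ^ b for a, b in zip(data[i * 32:(i + 1) * 32], block))
    return bytes(out)

def _seal(key, plaintext):
    """Encrypt-then-MAC under one key: returns nonce || ciphertext || tag."""
    nonce = secrets.token_bytes(16)
    ct = _keystream_xor(key, nonce, plaintext)
    tag = hmac.new(key, b"tag" + nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag

def _open(key, blob):
    """Verify the tag before touching the ciphertext; reject wrong key or tampering."""
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    expected = hmac.new(key, b"tag" + nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("integrity check failed: wrong key or tampered data")
    return _keystream_xor(key, nonce, ct)

def generate_data_key(master_key):
    """Mimics KMS GenerateDataKey: a fresh 256-bit DEK returned both in
    plaintext (use it, then discard it) and wrapped under the master key."""
    dek = secrets.token_bytes(32)
    return dek, _seal(master_key, dek)

def envelope_encrypt(master_key, plaintext):
    """Encrypt with a per-object DEK and store the wrapped DEK beside the data;
    the master key (the CMK) only ever processes the 32-byte DEK."""
    dek, wrapped_dek = generate_data_key(master_key)
    return {"wrapped_dek": wrapped_dek, "ciphertext": _seal(dek, plaintext)}

def envelope_decrypt(master_key, envelope):
    """Unwrap the DEK first (in AWS, the KMS Decrypt call), then the data."""
    dek = _open(master_key, envelope["wrapped_dek"])
    return _open(dek, envelope["ciphertext"])
```

Because the wrapped DEK travels with the ciphertext, rotating or revoking the master key is all that is needed to control access to every object encrypted under it.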

21. AWS Managed Keys vs Customer Managed Keys (CMKs):

• AWS Managed Keys are created, managed, and used by AWS services
automatically.

• Customer Managed Keys (CMKs) are created, managed, and used by the customer
within AWS KMS.

22. Rotating Customer Master Keys (CMKs) in AWS KMS:

• Automatic key rotation can be enabled for a CMK, allowing AWS KMS to
automatically rotate the key material.

• Alternatively, manual key rotation can be performed by the user.

23. AWS KMS Grants:

• Grants in AWS KMS allow you to delegate permissions to use a CMK in specific ways
to other AWS identities or services.

24. AWS KMS Integration with S3 and EBS for Encryption:

• AWS S3 and EBS can use AWS KMS to request encryption keys to encrypt data at
rest. AWS KMS returns the appropriate encryption key for the service.

25. AWS CloudHSM:

• AWS CloudHSM is a hardware security module (HSM) that provides secure
cryptographic key storage.

• It helps protect sensitive data and meet compliance requirements by ensuring that
cryptographic keys remain within a dedicated hardware device.

26. Encrypting Data in Amazon RDS:

• You can enable encryption at rest when creating a new RDS instance or modify an
existing instance to enable encryption.

• AWS RDS uses AWS KMS for managing encryption keys.

27. AWS SSM Parameter Store for Secret Management:

• AWS Systems Manager (SSM) Parameter Store provides secure, hierarchical
storage for configuration data and secrets management. It can store sensitive
information securely.

Handling Security Incidents and Sensitive Information:

28. Handling Security Incidents and Breaches in an AWS Environment:

• Establish an incident response plan.

• Monitor for unusual activity and establish procedures to investigate and mitigate
security incidents.

29. Securing Sensitive Information Like API Keys and Passwords:

• Use AWS Secrets Manager or AWS Systems Manager Parameter Store to
securely store and retrieve sensitive information like API keys and passwords.
