1
00:00:00,600 --> 00:00:02,970
So let's summarize this section on security

2
00:00:02,970 --> 00:00:05,280
and compliance and you have to agree, yes, this was a very,

3
00:00:05,280 --> 00:00:07,650
very long section and I'm sorry about that.

4
00:00:07,650 --> 00:00:09,000
You have to just remember a lot of things.

5
00:00:09,000 --> 00:00:11,250
So the shared responsibility model on AWS,

6
00:00:11,250 --> 00:00:13,260
we've seen it at length in this course.

7
00:00:13,260 --> 00:00:14,460
So then you know about it.

8
00:00:14,460 --> 00:00:17,460
Shield is a way for you to get automatic DDoS protection

9
00:00:17,460 --> 00:00:21,510
and then if you use Shield Advanced, you get 24/7 support.

10
00:00:21,510 --> 00:00:23,430
You get WAF, Web Application Firewall,

11
00:00:23,430 --> 00:00:25,980
which is a firewall to filter incoming requests

12
00:00:25,980 --> 00:00:27,870
based on specific rules.

13
00:00:27,870 --> 00:00:31,290
KMS to manage your encryption keys on AWS.

14
00:00:31,290 --> 00:00:34,170
CloudHSM to have hardware encryption.

15
00:00:34,170 --> 00:00:36,360
And this time it is not AWS that manages the keys,

16
00:00:36,360 --> 00:00:40,650
it is ourselves who manage the encryption keys.

17
00:00:40,650 --> 00:00:43,260
AWS will only manage the hardware behind it.

18
00:00:43,260 --> 00:00:45,840
ACM, so AWS Certificate Manager, is a way for you

19
00:00:45,840 --> 00:00:49,320
to provision, manage, and deploy SSL and TLS certificates

20
00:00:49,320 --> 00:00:51,003
and to get in-flight encryption.

21
00:00:51,840 --> 00:00:55,020
Artifact is going to give you access to compliance reports

22
00:00:55,020 --> 00:00:57,720
such as PCI, ISO, et cetera, et cetera.

23
00:00:57,720 --> 00:00:59,730
GuardDuty is a way for you to find

24
00:00:59,730 --> 00:01:02,040
malicious behavior automatically

25
00:01:02,040 --> 00:01:05,850
by analyzing VPC logs, DNS logs, and CloudTrail logs.

26
00:01:05,850 --> 00:01:08,370
And Inspector, you'll find software vulnerabilities

27
00:01:08,370 --> 00:01:12,243
in EC2, ECR container images, and Lambda functions.

28
00:01:13,290 --> 00:01:15,300
Next, we have Config, which is allowing us

29
00:01:15,300 --> 00:01:18,210
for compliance to track configuration changes

30
00:01:18,210 --> 00:01:20,340
and also create rules to check compliance

31
00:01:20,340 --> 00:01:23,460
of these resources' configuration over time.

32
00:01:23,460 --> 00:01:27,090
Macie is a way for us to find sensitive data, for example,

33
00:01:27,090 --> 00:01:31,890
PII data, so personal information, in Amazon S3 buckets.

34
00:01:31,890 --> 00:01:35,070
CloudTrail is a way for us to track API calls made

35
00:01:35,070 --> 00:01:37,290
by users within the accounts.

36
00:01:37,290 --> 00:01:38,550
Security Hub is a way

37
00:01:38,550 --> 00:01:40,860
for us to gather all the security findings

38
00:01:40,860 --> 00:01:42,510
from so many different services

39
00:01:42,510 --> 00:01:45,720
from multiple AWS accounts into one place

40
00:01:45,720 --> 00:01:48,120
and really act on these security findings directly

41
00:01:48,120 --> 00:01:49,110
from there.

42
00:01:49,110 --> 00:01:52,020
Detective is in case we have a security finding,

43
00:01:52,020 --> 00:01:54,300
how do we get to the root cause very quickly?

44
00:01:54,300 --> 00:01:56,220
And this is with Detective, which is going to link

45
00:01:56,220 --> 00:01:59,040
up all these services together and help you with that.

46
00:01:59,040 --> 00:02:02,130
The Abuse Team is a team that you report

47
00:02:02,130 --> 00:02:04,590
to when you see abusive behavior

48
00:02:04,590 --> 00:02:08,280
by using AWS resources for abusive or illegal purposes.

49
00:02:08,280 --> 00:02:10,680
And you either have a form or you send them an email.

50
00:02:10,680 --> 00:02:13,110
And then you have to remember, I think, the four most

51
00:02:13,110 --> 00:02:16,440
important things that a root user can do in your accounts:

52
00:02:16,440 --> 00:02:17,670
it can change the account settings,

53
00:02:17,670 --> 00:02:20,640
it can close your AWS accounts, it can change

54
00:02:20,640 --> 00:02:23,520
or cancel your support plan, or it can register

55
00:02:23,520 --> 00:02:27,330
as a seller in the Reserved Instances Marketplace.

56
00:02:27,330 --> 00:02:29,430
And we have IAM Access Analyzer to figure

57
00:02:29,430 --> 00:02:31,980
out which resources are shared externally

58
00:02:31,980 --> 00:02:34,620
outside your zone of trust.

59
00:02:34,620 --> 00:02:35,453
So that's it.

60
00:02:35,453 --> 00:02:36,510
I hope you like this lecture

61
00:02:36,510 --> 00:02:38,460
and I will see you in the next section.