AWS WAF
AWS WAF is a web application firewall that lets you monitor the HTTP/HTTPS requests forwarded to your protected resources and control access to the content.
helps protect web applications from common web exploits by letting you configure rules that allow, block, or monitor (count) web requests based on conditions you define. Conditions include source IP addresses, HTTP headers, HTTP body, URI strings, and patterns that indicate SQL injection or cross-site scripting.
uses Web ACLs: a Web ACL is a prioritized set of Rules, and each Rule combines match Conditions with an Action (allow, block, or count). Allow and block are terminating, so the first matching rule with one of those actions decides the request; count is non-terminating, so evaluation continues with the remaining rules. If no rule decides the request, the Web ACL's default action applies.
integrates with CloudFront, Application Load Balancer (ALB), and API Gateway, the services commonly used to deliver content and applications
supports custom origins outside of AWS when integrated with CloudFront
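The rule-ordering semantics above (terminating allow/block, non-terminating count, default action) as an added, runnable model. This is not AWS WAF code and not the wafv2 API JSON shape: the rule and request dictionaries, the statement types (ipSet, byteMatch, rateBased), the sample traffic and all IP addresses are this example's own constructed assumptions, and the rate-based statement is approximated as a per-IP sliding window.

```python
"""Local model of AWS WAF Web ACL evaluation: rules run in priority order,
ALLOW/BLOCK terminate, COUNT only increments a counter, and the default
action decides anything no rule decided.

Added example, not AWS WAF code. Rule/request shapes, the statement types
and the sample traffic below are constructed for this illustration; the
rate-based statement is approximated as a per-IP sliding window.
"""
from collections import defaultdict, deque
from ipaddress import ip_address, ip_network
from typing import Dict, List, Tuple

TERMINATING = {"ALLOW", "BLOCK"}  # COUNT is non-terminating


class WebACL:
    def __init__(self, rules: List[dict], default_action: str = "ALLOW",
                 rate_window: int = 300):
        # WAF evaluates rules from the lowest priority number upwards.
        self.rules = sorted(rules, key=lambda r: r["priority"])
        self.default_action = default_action
        self.rate_window = rate_window                       # seconds (WAF: 5 minutes)
        self.counters: Dict[str, int] = defaultdict(int)     # COUNT hits per rule
        self._window: Dict[Tuple[str, str], deque] = defaultdict(deque)

    def _matches(self, rule: dict, req: dict) -> bool:
        s = rule["statement"]
        if s["type"] == "ipSet":
            return any(ip_address(req["ip"]) in ip_network(c) for c in s["cidrs"])
        if s["type"] == "byteMatch":
            # LOWERCASE text transformation followed by a "contains" match.
            text = req["uri"] if s["field"] == "uri" else req["headers"].get(s["field"], "")
            return s["contains"].lower() in text.lower()
        if s["type"] == "rateBased":
            # Requests per source IP inside the window; the current request
            # counts too, so the limit is exceeded on request number limit+1.
            seen = self._window[(rule["name"], req["ip"])]
            seen.append(req["ts"])
            while seen and seen[0] <= req["ts"] - self.rate_window:
                seen.popleft()
            return len(seen) > s["limit"]
        raise ValueError(f"unsupported statement type: {s['type']}")

    def evaluate(self, req: dict) -> Tuple[str, str]:
        """Return (action, name of the deciding rule) for one request."""
        for rule in self.rules:
            if not self._matches(rule, req):
                continue
            if rule["action"] in TERMINATING:
                return rule["action"], rule["name"]
            self.counters[rule["name"]] += 1      # COUNT: record and keep going
        return self.default_action, "default"


SAMPLE_RULES = [  # constructed Web ACL
    # A terminating ALLOW first: office traffic is never touched by later rules.
    {"name": "allow-office", "priority": 0, "action": "ALLOW",
     "statement": {"type": "ipSet", "cidrs": ["203.0.113.0/24"]}},
    # COUNT lets you measure a rule's impact before switching it to BLOCK.
    {"name": "count-legacy-path", "priority": 1, "action": "COUNT",
     "statement": {"type": "byteMatch", "field": "uri", "contains": "/legacy/"}},
    {"name": "block-scanner-ua", "priority": 2, "action": "BLOCK",
     "statement": {"type": "byteMatch", "field": "user-agent", "contains": "sqlmap"}},
    {"name": "rate-limit", "priority": 3, "action": "BLOCK",
     "statement": {"type": "rateBased", "limit": 3}},    # tiny limit for the demo
]


def request(ip: str, uri: str, user_agent: str, ts: int) -> dict:
    return {"ip": ip, "uri": uri, "headers": {"user-agent": user_agent}, "ts": ts}


SAMPLE_REQUESTS = [  # constructed traffic
    request("198.51.100.9", "/legacy/report", "Mozilla/5.0", 0),
    request("198.51.100.9", "/login", "sqlmap/1.7", 5),
    request("192.0.2.40", "/api/items", "Mozilla/5.0", 10),
    request("192.0.2.40", "/api/items", "Mozilla/5.0", 11),
    request("192.0.2.40", "/api/items", "Mozilla/5.0", 12),
    request("192.0.2.40", "/api/items", "Mozilla/5.0", 13),
    request("203.0.113.5", "/login", "sqlmap/1.7", 20),   # office IP, hostile UA
]


def run_sample() -> Tuple[List[Tuple[str, str]], Dict[str, int]]:
    acl = WebACL(SAMPLE_RULES, default_action="ALLOW")
    decisions = [acl.evaluate(r) for r in SAMPLE_REQUESTS]
    return decisions, dict(acl.counters)


if __name__ == "__main__":
    for req, (action, rule) in zip(SAMPLE_REQUESTS, run_sample()[0]):
        print(f"{req['ip']:>14} {req['uri']:<16} -> {action:<5} ({rule})")
```

Two things the run makes visible: the office request with the hostile User-Agent is allowed because the ALLOW rule at priority 0 terminates evaluation before the block rule is reached (ordering decides, not the rule that "looks" most specific), and the COUNT rule never changes a decision, it only increments its counter. The fourth request from 192.0.2.40 is the one that trips the rate limit, since the limit is exceeded, not merely reached.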
AWS Shield
AWS Shield is a managed service that provides protection against Distributed Denial of Service (DDoS) attacks for applications running on AWS
Shield Standard is enabled automatically for all AWS customers at no additional cost and protects against the most common, frequently occurring infrastructure (layer 3 and 4) attacks, such as SYN/UDP floods and reflection attacks, to support high availability of applications on AWS.
Amazon GuardDuty
Amazon GuardDuty is a threat detection service that continuously monitors and helps protect AWS accounts, workloads, and data.
is a Regional service
analyzes continuous streams of metadata generated from AWS account and network activity found in AWS CloudTrail events (management and S3 data events), EKS audit logs, VPC Flow Logs, and DNS logs.
uses integrated threat intelligence (feeds of known malicious IP addresses and domains) from AWS and third-party providers
combines machine learning, anomaly detection, network monitoring, and malicious file discovery, using both AWS-developed and industry-leading third-party sources, to help protect workloads and data on AWS
supports suppression rules (filters that automatically archive matching findings), trusted IP lists (IP addresses GuardDuty does not generate findings for), and threat lists (known malicious IP addresses that GuardDuty generates findings for when traffic to or from them is seen).
provides Malware Protection to detect malicious files on the EBS volumes attached to EC2 instances; the scan runs against a snapshot of the volume, so the instance itself is not touched.
operates completely independently of the monitored resources, consuming log streams rather than running inside the workloads, so there is no risk of performance or availability impact on them.
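How a suppression rule decides which findings to archive, as an added example that is not GuardDuty's own code. The rule shape mirrors the FindingCriteria argument of the GuardDuty CreateFilter API (dotted attribute paths and Equals / NotEquals / LessThanOrEqual conditions); the findings are constructed samples in the lowercase JSON form GuardDuty emits through EventBridge, trimmed to the fields the rules touch. The matching semantics are a local approximation, and every ID, tag and IP address is assumed.

```python
"""Apply GuardDuty-style suppression rules to findings offline.

Added example, not GuardDuty's code. The rule shape follows the
FindingCriteria argument of the GuardDuty CreateFilter API; the findings
are constructed samples in the lowercase JSON form GuardDuty emits through
EventBridge. Matching semantics are a local approximation of the service.
"""
from typing import Any, Dict, Iterator, List, Tuple

# Older condition names still accepted by the API, mapped to the current ones.
ALIASES = {"Eq": "Equals", "Neq": "NotEquals",
           "Gte": "GreaterThanOrEqual", "Lte": "LessThanOrEqual"}

CONDITION_OPS = {
    "Equals": lambda found, wanted: any(str(v) in wanted for v in found),
    "NotEquals": lambda found, wanted: all(str(v) not in wanted for v in found),
    "GreaterThanOrEqual": lambda found, bound: any(float(v) >= bound for v in found),
    "LessThanOrEqual": lambda found, bound: any(float(v) <= bound for v in found),
}


def resolve(obj: Any, path: str) -> Iterator[Any]:
    """Yield every value reachable through a dotted path; lists fan out, so
    "resource.instanceDetails.tags.value" yields every tag value."""
    if isinstance(obj, list):
        for item in obj:
            yield from resolve(item, path)
        return
    head, _, rest = path.partition(".")
    if not isinstance(obj, dict) or head not in obj:
        return
    value = obj[head]
    if rest:
        yield from resolve(value, rest)
    elif isinstance(value, list):
        yield from value
    else:
        yield value


def matches(finding: Dict[str, Any], criteria: Dict[str, Any]) -> bool:
    """Every criterion in a filter must hold (they are ANDed together)."""
    for path, condition in criteria["Criterion"].items():
        found = list(resolve(finding, path))
        for op, arg in condition.items():
            if not CONDITION_OPS[ALIASES.get(op, op)](found, arg):
                return False
    return True


def apply_suppression(findings: List[dict], rules: List[dict]
                      ) -> Tuple[List[str], List[Tuple[str, str]]]:
    """Split findings into (active ids, [(archived id, rule name)]).
    Rules are tried in rank order; the first matching ARCHIVE rule wins."""
    active, archived = [], []
    ordered = sorted(rules, key=lambda r: r["rank"])
    for f in findings:
        hit = next((r["name"] for r in ordered
                    if r["action"] == "ARCHIVE" and matches(f, r["findingCriteria"])), None)
        if hit:
            archived.append((f["id"], hit))
        else:
            active.append(f["id"])
    return active, archived


def instance_finding(fid: str, ftype: str, severity: float, env: str, remote_ip: str) -> dict:
    """Constructed finding skeleton with only the fields the rules look at."""
    return {
        "id": fid, "type": ftype, "severity": severity,
        "resource": {"resourceType": "Instance", "instanceDetails": {
            "instanceId": "i-0" + fid, "tags": [{"key": "Environment", "value": env}]}},
        "service": {"action": {"actionType": "NETWORK_CONNECTION", "networkConnectionAction": {
            "remoteIpDetails": {"ipAddressV4": remote_ip}}}},
    }


SAMPLE_FINDINGS = [  # constructed
    instance_finding("f1", "Recon:EC2/PortProbeUnprotectedPort", 2, "sandbox", "198.51.100.7"),
    instance_finding("f2", "Recon:EC2/PortProbeUnprotectedPort", 2, "prod", "198.51.100.7"),
    instance_finding("f3", "UnauthorizedAccess:EC2/SSHBruteForce", 5, "sandbox", "198.51.100.7"),
    instance_finding("f4", "Recon:EC2/Portscan", 5, "prod", "203.0.113.10"),
    instance_finding("f5", "Recon:EC2/Portscan", 5, "prod", "198.51.100.7"),
]

SUPPRESSION_RULES = [  # constructed; the severity cap keeps the rule from hiding escalations
    {"name": "sandbox-port-probes", "rank": 1, "action": "ARCHIVE",
     "findingCriteria": {"Criterion": {
         "type": {"Equals": ["Recon:EC2/PortProbeUnprotectedPort"]},
         "resource.instanceDetails.tags.value": {"Equals": ["sandbox"]},
         "severity": {"LessThanOrEqual": 3.9}}}},
    {"name": "authorized-scanner", "rank": 2, "action": "ARCHIVE",   # our own vuln scanner
     "findingCriteria": {"Criterion": {
         "type": {"Eq": ["Recon:EC2/Portscan"]},
         "service.action.networkConnectionAction.remoteIpDetails.ipAddressV4": {"Eq": ["203.0.113.10"]}}}},
]

if __name__ == "__main__":
    active, archived = apply_suppression(SAMPLE_FINDINGS, SUPPRESSION_RULES)
    print("active:", active)
    print("archived:", archived)
```

Note the two guards a practitioner would keep in a real rule: scope by finding type and a resource attribute rather than by type alone, and cap the severity so that the same rule does not silently archive a higher-severity variant later. Matching on the tag value alone (as the first rule does) is looser than matching key and value together; GuardDuty exposes both paths.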
Amazon Inspector
Amazon Inspector is a vulnerability management service that continuously scans AWS workloads for software vulnerabilities and unintended network exposure.
automatically discovers and scans EC2 instances and container images residing in Elastic Container Registry (ECR); there is nothing to schedule, and resources are rescanned when new CVEs are published or the resource changes.
creates a finding when a software vulnerability or network issue is discovered; the finding describes the vulnerability, rates its severity (a score derived from the CVSS base score and adjusted for context such as network reachability), identifies the affected resource, and provides remediation guidance.
is a Regional service.
requires the Systems Manager (SSM) agent to be installed and running on EC2 instances for agent-based scanning (the instance must be managed by SSM); ECR image scanning needs no agent.
Amazon Detective
Amazon Detective helps analyze, investigate, and quickly identify the root cause of potential security issues or suspicious activities.
automatically collects log data from AWS resources and uses machine learning, statistical analysis, and graph theory to build a linked set of data (a behavior graph) that lets you conduct faster and more efficient security investigations.
enables you to view summaries and analytical data associated with CloudTrail logs, EKS audit logs, VPC Flow Logs, and GuardDuty findings.
provides detailed summaries, analysis, and visualizations of the behaviors and interactions among your AWS accounts, EC2 instances, AWS users, roles, and IP addresses.
maintains up to a year of aggregated data
is a Regional service and needs to be enabled on a region-by-region basis.
is a multi-account service that aggregates data from monitored member accounts under a single administrator account within the same Region.
has no impact on the performance or availability of the AWS infrastructure, since it retrieves the log data and findings directly from the AWS services rather than from the workloads.
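The kind of entity linkage described above (IP addresses, principals and instances tied together across CloudTrail and VPC Flow Logs, then pivoted from a suspicious IP), as an added local illustration. This is not Detective's code: Detective builds and queries its behavior graph service-side. The CloudTrail records, flow-log lines, ARNs, IP addresses and the ENI-to-instance map are all constructed for the example, and the choice to treat 10/8 as "the VPC side" of a flow is an assumption of the sample data.

```python
"""Link CloudTrail events and VPC Flow Log records into one entity graph and
pivot outwards from a suspicious IP address.

Added example, not Detective's code. Every record, ARN, IP and the
ENI-to-instance map below is constructed for the illustration.
"""
from collections import defaultdict
from typing import Dict, Set, Tuple

# Constructed CloudTrail records, trimmed to the fields used here.
CLOUDTRAIL = [
    {"eventName": "ConsoleLogin", "sourceIPAddress": "198.51.100.23",
     "userIdentity": {"type": "IAMUser", "arn": "arn:aws:iam::111122223333:user/alice"}},
    {"eventName": "CreateAccessKey", "sourceIPAddress": "198.51.100.23",
     "userIdentity": {"type": "IAMUser", "arn": "arn:aws:iam::111122223333:user/alice"}},
    {"eventName": "AssumeRole", "sourceIPAddress": "198.51.100.23",
     "userIdentity": {"type": "IAMUser", "arn": "arn:aws:iam::111122223333:user/alice"},
     "requestParameters": {"roleArn": "arn:aws:iam::111122223333:role/DataAdmin"}},
    {"eventName": "RunInstances", "sourceIPAddress": "198.51.100.23",
     "userIdentity": {"type": "AssumedRole",
                      "arn": "arn:aws:sts::111122223333:assumed-role/DataAdmin/alice"},
     "responseElements": {"instancesSet": {"items": [{"instanceId": "i-0abc1234"}]}}},
    {"eventName": "ListBuckets", "sourceIPAddress": "203.0.113.5",
     "userIdentity": {"type": "IAMUser", "arn": "arn:aws:iam::111122223333:user/bob"}},
]

# Constructed VPC Flow Log records in the default (version 2) format:
# version account-id interface-id srcaddr dstaddr srcport dstport protocol packets bytes start end action log-status
VPC_FLOW = """\
2 111122223333 eni-0f1e2d3c 198.51.100.23 10.0.1.15 51442 22 6 20 1800 1717000000 1717000060 ACCEPT OK
2 111122223333 eni-0f1e2d3c 10.0.1.15 203.0.113.77 44120 4444 6 900 1200000 1717000100 1717000700 ACCEPT OK
2 111122223333 eni-0a9b8c7d 203.0.113.5 10.0.2.8 40001 443 6 5 400 1717000200 1717000260 ACCEPT OK
"""
ENI_TO_INSTANCE = {"eni-0f1e2d3c": "i-0abc1234", "eni-0a9b8c7d": "i-0def5678"}  # constructed

Graph = Dict[str, Set[Tuple[str, str]]]   # node -> {(relation, neighbour)}


def principal_node(identity: dict) -> str:
    """Collapse an assumed-role session onto its role, so every session of the
    role lands on the same node (the way investigations pivot on the role)."""
    arn = identity["arn"]
    if identity["type"] == "AssumedRole":
        account = arn.split(":")[4]
        role_name = arn.split("/")[1]
        return f"principal:arn:aws:iam::{account}:role/{role_name}"
    return "principal:" + arn


def build_graph(cloudtrail: list, vpc_flow: str, eni_to_instance: Dict[str, str]) -> Graph:
    graph: Graph = defaultdict(set)

    def link(a: str, rel: str, b: str) -> None:   # undirected, so we can pivot from either end
        graph[a].add((rel, b))
        graph[b].add((rel, a))

    for ev in cloudtrail:
        who = principal_node(ev["userIdentity"])
        link("ip:" + ev["sourceIPAddress"], ev["eventName"], who)
        role = ev.get("requestParameters", {}).get("roleArn")
        if role:
            link(who, "AssumeRole", "principal:" + role)
        for item in ev.get("responseElements", {}).get("instancesSet", {}).get("items", []):
            link(who, "RunInstances", "instance:" + item["instanceId"])

    for line in vpc_flow.splitlines():
        f = line.split()
        instance = eni_to_instance.get(f[2])
        if f[12] != "ACCEPT" or instance is None:
            continue
        for addr in (f[3], f[4]):
            if not addr.startswith("10."):    # assumption: 10/8 is the VPC side of the flow
                link("ip:" + addr, "tcp/" + f[6], "instance:" + instance)
    return graph


def pivot(graph: Graph, start: str, max_hops: int = 2) -> Dict[str, int]:
    """Breadth-first walk: every entity within max_hops of start, with its distance."""
    seen = {start: 0}
    frontier = [start]
    for hop in range(1, max_hops + 1):
        nxt = []
        for node in frontier:
            for _, neighbour in graph.get(node, set()):
                if neighbour not in seen:
                    seen[neighbour] = hop
                    nxt.append(neighbour)
        frontier = nxt
    return seen


if __name__ == "__main__":
    g = build_graph(CLOUDTRAIL, VPC_FLOW, ENI_TO_INSTANCE)
    for node, hops in sorted(pivot(g, "ip:198.51.100.23").items(), key=lambda kv: kv[1]):
        print(hops, node)
```

Pivoting two hops from 198.51.100.23 links the console login, the new access key, the DataAdmin role, the instance that role launched, the SSH session into that instance from the same IP, and finally the instance's outbound connection to 203.0.113.77:4444. bob and his traffic stay outside the blast radius, which is the separation an investigator needs when scoping an incident.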
Amazon Macie
Amazon Macie is a data security service that discovers sensitive data using machine learning and pattern matching, provides visibility into data security risks, and enables automated protection against those risks.
provides an inventory of your S3 buckets and automatically evaluates and monitors them for security and access control issues, such as public access, missing default encryption, and sharing with accounts outside your organization.
automates the discovery, classification, and reporting of sensitive data (for example, credentials, financial data, and personally identifiable information).
generates a finding for you to review and remediate if it detects a potential issue with the security or privacy of the data, such as a bucket that becomes publicly accessible.
provides multi-account support through AWS Organizations, so Macie can be enabled across all accounts from a delegated administrator account.
is a Regional service that must be enabled on a region-by-region basis; the administrator account can view findings across all member accounts within each Region.
AWS CloudHSM is a cloud-based hardware security module (HSM) that provides secure cryptographic key storage and enables you to easily generate and use your own encryption keys on the AWS Cloud.
CloudHSM helps manage your own encryption keys using FIPS 140-2 Level 3 validated HSMs.
AWS CloudHSM helps meet corporate, contractual and regulatory compliance requirements for data security by using dedicated HSM appliances within the AWS cloud.
A hardware security module (HSM)
is a hardware appliance that provides secure key storage and performs cryptographic operations inside a tamper-resistant hardware module.
is designed with physical and logical mechanisms to store cryptographic key material securely and to use that material without ever exposing it outside the cryptographic boundary of the appliance.
physical protections include tamper detection and tamper response: when a tampering event is detected, the HSM is designed to zeroize (securely destroy) the keys rather than risk their compromise.
logical protections include role-based access controls that enforce separation of duties, for example separating the officer who administers HSM users from the users who may operate on keys.
CloudHSM allows encryption key protection within HSMs, designed and validated to government standards for secure key management.
CloudHSM helps comply with strict key management requirements within the AWS cloud without sacrificing application performance
CloudHSM Classic used SafeNet Luna SA appliances; the current CloudHSM service uses Cavium (now Marvell) LiquidSecurity HSMs.
HSMs are located in AWS data centres, managed and monitored by AWS, but AWS does not have access to the keys.
CloudHSM makes periodic backups of the users, keys, and policies in the cluster.
CloudHSM is a fully-managed service that automates time-consuming administrative tasks, such as hardware provisioning, software patching, high availability, and backups.
CloudHSM also enables you to scale quickly by adding and removing HSM capacity on-demand, with no up-front costs.
CloudHSM automatically load balances requests and securely duplicates keys stored in any HSM to all of the other HSMs in the cluster.
Only you have access to the keys and operations to generate, store and manage the keys.
AWS cannot recover the key material if the HSM user credentials (crypto officer or crypto user passwords) are lost, because AWS holds neither those credentials nor the keys.
CloudHSM provides single-tenant, dedicated access to each HSM
HSMs are provisioned inside your VPC (each HSM gets an elastic network interface in a subnet you choose) and are isolated from the rest of the network
Placing the HSMs in the same VPC and AZ as the EC2 instances that use them decreases network latency, which can improve application performance
Integrated with Amazon Redshift and Amazon RDS for Oracle (TDE)
Other use cases, such as EBS volume encryption and S3 object encryption and key management, can be handled by writing custom applications that integrate with CloudHSM through its client libraries (PKCS#11, JCE, or CNG/KSP), or by using CloudHSM as the key store behind AWS KMS (a custom key store), which lets KMS-integrated services use keys held in your cluster.
CloudHSM can perform a variety of cryptographic tasks:
Generate, store, import, export, and manage cryptographic keys, including symmetric keys and asymmetric key pairs.
Use symmetric and asymmetric algorithms to encrypt and decrypt data.
Use cryptographic hash functions to compute message digests and hash-based message authentication codes (HMACs).
Cryptographically sign data (including code signing) and verify signatures.
Generate cryptographically secure random data.
CloudHSM Use Cases
Offload SSL/TLS processing (private key operations) from the web servers.
Store the Transparent Data Encryption (TDE) master encryption key for Oracle database servers that support TDE.
Store private keys and sign certificate requests, acting as an issuing CA to issue certificates for your organization.
A CloudHSM Cluster is a collection of individual HSMs that CloudHSM keeps in sync.
HSMs in a cluster can be placed in different AZs; spreading the cluster across AZs provides redundancy and high availability.
More HSMs can be added to a cluster for scalability and performance.
Requests to a cluster with more than one HSM are automatically load balanced.
CloudHSM keeps the cluster synchronized, redundant, and highly available.
CloudHSM vs KMS
KMS is a multi-tenant managed key service: AWS operates the underlying HSMs, keys are used through the KMS API, access is governed by IAM and key policies, and most AWS services integrate with it natively.
CloudHSM gives you single-tenant HSMs in your VPC under your sole control: AWS has no access to your keys, you manage the HSM users yourself, and applications use the HSMs through standard interfaces (PKCS#11, JCE, CNG/KSP) rather than an AWS API.
Choose CloudHSM when you need dedicated hardware under your exclusive control, standard cryptographic interfaces, or a custom key store behind KMS; choose KMS for native service integration with far less operational overhead.
AWS Certification Exam Practice Questions
Questions are collected from the Internet and the answers are marked as per my knowledge and understanding (which might differ from yours).
AWS services are updated every day, and both the answers and questions might be outdated soon, so research accordingly.
AWS exam questions are not updated to keep pace with AWS updates, so even if the underlying feature has changed, the question might not be updated.
Open to further feedback, discussion and correction.
With which AWS services CloudHSM can be used (select 2)
An AWS customer is deploying a web application that is composed of a front-end running on Amazon EC2 and of confidential data that is stored on Amazon S3. The customer security policy requires that all access operations to this sensitive data must be authenticated and authorized by a centralized access management system that is operated by a separate security team. In addition, the web application team that owns and administers the EC2 web front-end instances is prohibited from having any ability to access the data that circumvents this centralized access management system. Which of the following configurations will support these requirements:
Encrypt the data on Amazon S3 using a CloudHSM that is operated by the separate security team. Configure the web application to integrate with the CloudHSM for decrypting approved data access operations for trusted end-users. (S3 doesn’t integrate directly with CloudHSM, also there is no centralized access management system control)
Configure the web application to authenticate end-users against the centralized access management system. Have the web application provision trusted users STS tokens entitling the download of approved data directly from Amazon S3 (Controlled access and admins cannot access the data as it needs authentication)
Have the separate security team create an IAM role that is entitled to access the data on Amazon S3. Have the web application team provision their instances with this role while denying their IAM users access to the data on Amazon S3 (Web team would have access to the data)
Configure the web application to authenticate end-users against the centralized access management system using SAML. Have the end-users authenticate to IAM using their SAML token and download the approved data directly from S3. (not the way SAML auth works and not sure if the centralized access management system is SAML compliant)