[AWS Explained] Security
AWS Security
Time: 2023-09-14 08:59:12
CloudTrail
You can use:
- CloudTrail to stream logs into CloudWatch Logs
- Then, in CloudWatch, you can set up Metric Filters based on a certain condition (e.g. count occurrences)
- Set up a CloudWatch Alarm based on the Metric Filter, which triggers once the count goes over the limit
- Notify via SNS
You can set up an Organization Trail to collect all the CloudTrail events from the child accounts.
- The Organization Trail has to be set up in the management account
How to react faster?
Overall, CloudTrail may take up to 15 minutes to deliver events.
To speed up:
- CloudWatch Events: can be triggered by any API call recorded in CloudTrail; the fastest, most reactive way
- CloudTrail delivery into CloudWatch Logs: events are streamed, and you can apply a metric filter to analyze occurrences and detect anomalies
- CloudTrail delivery into S3: events are delivered every 5 minutes; allows validating log integrity, cross-account delivery, and long-term storage
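The metric-filter-to-alarm chain described above (stream CloudTrail into CloudWatch Logs, count occurrences with a metric filter, alarm once over a threshold), modelled locally in Python as an added example that is not part of the original post. The failed-console-login condition, the 5-minute period, the threshold of 3 and the sample events are all my assumptions; the filter pattern in the comment is what you would configure in CloudWatch Logs for the same condition.

```python
import json
from collections import Counter
from datetime import datetime, timezone

# Constructed CloudTrail records, as they would arrive in a CloudWatch Logs
# stream (one JSON document per log line). Not real events.
SAMPLE_LOG_LINES = [
    '{"eventTime":"2023-09-14T08:01:10Z","eventName":"ConsoleLogin","sourceIPAddress":"203.0.113.5","errorMessage":"Failed authentication"}',
    '{"eventTime":"2023-09-14T08:02:30Z","eventName":"ConsoleLogin","sourceIPAddress":"203.0.113.5","errorMessage":"Failed authentication"}',
    '{"eventTime":"2023-09-14T08:03:05Z","eventName":"DescribeInstances","sourceIPAddress":"198.51.100.9"}',
    '{"eventTime":"2023-09-14T08:04:55Z","eventName":"ConsoleLogin","sourceIPAddress":"203.0.113.5","errorMessage":"Failed authentication"}',
    '{"eventTime":"2023-09-14T08:07:20Z","eventName":"ConsoleLogin","sourceIPAddress":"203.0.113.5","errorMessage":"Failed authentication"}',
    '{"eventTime":"2023-09-14T08:08:00Z","eventName":"ConsoleLogin","sourceIPAddress":"203.0.113.5","responseElements":{"ConsoleLogin":"Success"}}',
]

# The CloudWatch Logs metric filter pattern this predicate mirrors:
#   { ($.eventName = "ConsoleLogin") && ($.errorMessage = "Failed authentication") }
def is_failed_console_login(event: dict) -> bool:
    return (event.get("eventName") == "ConsoleLogin"
            and event.get("errorMessage") == "Failed authentication")

def metric_counts(log_lines, period_seconds=300):
    """Count matching events per fixed period, like the metric a filter
    emits (metric value 1 per match) aggregated by CloudWatch per period."""
    counts = Counter()
    for line in log_lines:
        event = json.loads(line)
        if not is_failed_console_login(event):
            continue
        ts = datetime.fromisoformat(event["eventTime"].replace("Z", "+00:00"))
        period_start = int(ts.timestamp()) // period_seconds * period_seconds
        counts[period_start] += 1
    return dict(counts)

def alarm_periods(counts, threshold=3):
    """Periods whose count is >= threshold: the alarm's ALARM state,
    equivalent to ComparisonOperator GreaterThanOrEqualToThreshold."""
    return sorted(p for p, n in counts.items() if n >= threshold)

if __name__ == "__main__":
    counts = metric_counts(SAMPLE_LOG_LINES)
    for period_start in alarm_periods(counts):
        when = datetime.fromtimestamp(period_start, tz=timezone.utc)
        print(f"ALARM: {counts[period_start]} failed console logins in the "
              f"5-minute period starting {when.isoformat()} -> notify SNS")
```

Only the first 5-minute period reaches the threshold; the lone failure at 08:07 lands in the next period and stays below it, which is the behaviour the real alarm would show.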
S3 Access Points
Previously, you could restrict S3 access by using:
- IAM roles
- S3 bucket policies
The problem with both is that the policy / role rules can grow large and complex very fast.
Access points break the complexity into two parts:
- Access points only do the mapping: which access point accesses which bucket
- One policy per access point
- For each VPC, use a VPC Gateway Endpoint to access S3
- Define endpoint policy rules inside each VPC
- The access point for the bucket only allows access from the VPC
SSL
Normally you handle SSL on the ALB.
It is also possible to handle SSL on the EC2 server.
EC2 can retrieve the SSL private key at boot time.
EC2 then needs to perform the SSL encryption / decryption itself.
But this requires CPU and might slow down the application.
One way to improve it is by using CloudHSM SSL offloading.