Per Scholas Notes

Security - Security Best Practices for Creating an AWS Account
################################
## Security Best Practices for Creating an AWS Account

	AWS - security *of* the cloud
	User - security *in* the cloud

	Understanding when to use the root user (tasks that require root credentials)
		- change account settings
		- restore IAM user permissions
		- change AWS Support plan or cancel AWS Support plan
		- activate IAM access
		- view tax invoices
		- close AWS account
		- register as a seller
		- configure S3 bucket
		- edit or delete S3 bucket

	Best practices: Stop using root user
		Create IAM user -> Create IAM group -> Sign in with IAM credentials
			|-> Give group full admin permissions
			|-> Add IAM users to this group

	Require MFA
		Root user-|
				  |--> Require MFA for all account users -> Access AWS console -> use MFA
		Root user-|

	Best practices: AWS CloudTrail (log monitoring tool)
		Cloudtrail tracks API calls, publishes log files to S3 bucket

		Activate CloudTrail -> Grant S3 access to those who require it
			|-> Apply to all Regions
			|-> Specify an S3 bucket where logs will be stored


	Best practices: Billing report
		Activate billing report, such as AWS Cost and Usage Report (S3 bucket)

		Activate billing report in AWS -> Grant S3 access to those who need it
			|-> use AWS Cost and Usage Report
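	An added example, not part of the course notes: a Python script that reads a CloudTrail log file in the JSON shape CloudTrail delivers to S3 and flags the two things the practices above are meant to prevent, root-user API activity and console sign-ins without MFA. The records, the account ID 123456789012 and the user names are constructed for illustration.

```python
"""Scan a CloudTrail log file for root-user activity and console logins without MFA.

Assumes the file layout CloudTrail writes to S3: one JSON object with a
"Records" list. Field names (userIdentity.type, additionalEventData.MFAUsed)
are the ones CloudTrail uses for ConsoleLogin and API events.
"""
import json

# Constructed sample of a CloudTrail log file (not real account data).
SAMPLE_LOG = json.dumps({"Records": [
    {"eventTime": "2024-01-05T10:00:00Z", "eventSource": "signin.amazonaws.com",
     "eventName": "ConsoleLogin", "awsRegion": "us-east-1",
     "userIdentity": {"type": "Root", "arn": "arn:aws:iam::123456789012:root"},
     "additionalEventData": {"MFAUsed": "No"},
     "responseElements": {"ConsoleLogin": "Success"}},
    {"eventTime": "2024-01-05T10:05:00Z", "eventSource": "iam.amazonaws.com",
     "eventName": "CreateUser", "awsRegion": "us-east-1",
     "userIdentity": {"type": "Root", "arn": "arn:aws:iam::123456789012:root"}},
    {"eventTime": "2024-01-05T11:00:00Z", "eventSource": "signin.amazonaws.com",
     "eventName": "ConsoleLogin", "awsRegion": "us-east-1",
     "userIdentity": {"type": "IAMUser", "userName": "alice",
                      "arn": "arn:aws:iam::123456789012:user/alice"},
     "additionalEventData": {"MFAUsed": "Yes"},
     "responseElements": {"ConsoleLogin": "Success"}},
    {"eventTime": "2024-01-05T11:30:00Z", "eventSource": "s3.amazonaws.com",
     "eventName": "PutBucketPolicy", "awsRegion": "eu-west-1",
     "userIdentity": {"type": "IAMUser", "userName": "bob",
                      "arn": "arn:aws:iam::123456789012:user/bob"}},
]})


def find_findings(log_text):
    """Return (finding, eventName, who) tuples for records that break the two practices."""
    findings = []
    for rec in json.loads(log_text)["Records"]:
        ident = rec.get("userIdentity", {})
        who = ident.get("userName") or ident.get("arn", "?")
        # 1. Root user should not be used for day-to-day sign-ins or API calls.
        if ident.get("type") == "Root":
            findings.append(("root-activity", rec["eventName"], who))
        # 2. Console sign-ins must use MFA; CloudTrail records MFAUsed on ConsoleLogin.
        if rec.get("eventName") == "ConsoleLogin" and \
                rec.get("additionalEventData", {}).get("MFAUsed") != "Yes":
            findings.append(("console-login-no-mfa", rec["eventName"], who))
    return findings


if __name__ == "__main__":
    for kind, event, who in find_findings(SAMPLE_LOG):
        print(f"{kind:22} {event:15} {who}")
```

	Because the trail is applied to all Regions, the same scan covers the eu-west-1 record as well as the us-east-1 ones; only the root sign-in, the root CreateUser call, and the MFA-less login are reported.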

Security - AWS Compliance Program
################################
## AWS Compliance Program

	- how laws, standards, and regulations impact security
	- identify various regulatory compliance standards
	- describe AWS compliance program

	## Regulatory compliance and standards
		Goal of security compliance
			- security compliance ensures security controls meet regulatory and contractual requirements
			- Regulations mandate security controls	
				Regulatory
					- Country
					- Industry
				Contractual
					- SLA - service level agreement
					- PLA - project labor agreement

			- vary between localities, jurisdictions, and cultures
			- create policies to support and enforce compliance

		Compliance levels and noncompliance
			- Compliance levels vary by authority type. Noncompliance has consequences
			- External authority
				- Government or laws - mandatory
				- Open standards - recommended
				- Best practices - optional
			- Consequences of noncompliance
				- Government or laws - civil, criminal, or financial
				- Open Standards - financial or participation
				- Best practices - loss of customers, partners, or revenue
			- Proper reporting required to prove compliance

		National and international cybersecurity standards
			- NIST, ENISA, ETSI, ISO, IETF, IEEE, COSO

		PCI DSS
			- Payment Card Industry (PCI) Data Security Standard (DSS), payment card transactions

		HIPAA
		 	- Health Insurance Portability and Accountability Act of 1996
		 	- how personally identifiable information should be protected

		 Compliance standards: European Union
		 	- General Data Protection Regulation (GDPR)
		 	- enhanced control over personal and private data

		 Compliance standards: Canada
		 	- Personal Information Protection and Electronic Documents Act (PIPEDA)
		 	- how private sector collects, uses, and discloses personal information of clients

		 Compliance standards: Russia
		 	- Russian federal law on personal data
		 	- individual must provide consent
		 	- can revoke previously granted consent
		 	- transfer of data outside Russian Federation requires protection in destination country

		 Compliance standards: United States
		 	- many compliance requirements
		 		- Dodd-Frank, Gramm-Leach-Bliley, etc.


	## AWS compliance program

		AWS risk and compliance program
			- provide information about AWS controls
			- assist customers in documenting security compliance framework
		Three components
			- AWS business risk management
			- AWS control environment and automation
			- AWS certifications and attestations

		AWS business risk management
			- perform risk assessments and risk monitoring of key AWS functional areas
			- capture business risk management goals in a business plan that is reevaluated at least biannually
			- goals include
				- identify and remediate risks
				- maintain register of known risks
				- create and maintain security policies
				- provide security training to AWS employees
				- perform application security review
			- also uses independent security firms to perform threat assessments

		AWS control environment and automation
			- integrate security and compliance requirements during design and development of each AWS service
			- establishes control environment that
				- includes people, policies, processes, and control activities
				- secures delivery of AWS service offerings
				- uses automation to eliminate potential process deviations
			- integrate practices identified by industry-leading cloud bodies

		AWS certifications and attestations
			- regular third-party attestation audits to provide assurance that control activities are operating as intended
			- audits performed against
				- global and regional security frameworks
				- customer contract and government regulatory requirements
			- results of audits are documented and available in the AWS Artifact portal

		Customer compliance responsibilities
			- customers responsible for maintaining adequate governance over entire IT control environment
			- customers need to:
				- understand required compliance objectives and requirements
				- establish control environment that meets those objectives and requirements
				- understand validation required based on organization's risk tolerance
				- verify operating effectiveness of control environment

Security - AWS Security Resources
################################
## AWS Security Resources

	- explore different types of security resources

	AWS account teams
		- first point of contact
		- guide deployment
		- point toward resources to resolve security issues

	AWS Support plans
		- basic support plan
			- customer service and communities
			- AWS Trusted Advisor
			- Personal Health Dashboard
		- three tiers of additional support
			- Developer support plan
			- Business Support plan
			- Enterprise Support plan

	AWS Developer Support
		- for users that use AWS services for testing within AWS
		- email cloud support associates
		- response times
			- general guidance: 24 hours or less
			- system impaired: 12 hours or less

	AWS Business Support
		- for users or businesses with production workloads within AWS
		- support available 24/7 by phone, chat, or email
		- response times
			- general: 24 hrs or less
			- system impaired: 12 hours or less
			- production system impaired: 4 hours or less
			- production system down: 1 hour or less

	AWS Enterprise Support
		- business-critical workloads
		- less than 15 minutes for business-critical outages
		- 24/7 phone, chat, email
		- dedicated technical account manager (TAM)
		- response times
			- general: 24 hrs or less
			- system impaired: 12 hours or less
			- production system impaired: 4 hours or less
			- production system down: 1 hour or less
			- business-critical down: 15 minutes or less

	AWS Professional Service and Partner Network
		Partner Network (APN) - group of cloud software and service vendors that has certified APN Partners worldwide
		
		APN Partners
			- help customers implement and manage deployment
			- develop security policies
			- meet compliance requirements
			- include system integrators and managed service providers
		APN Technology Partners
			- provide software tools and services hosted or run on AWS
			- include independent software vendors (ISVs) and providers of SaaS

	AWS advisories and bulletins
		- provide information on current vulnerabilities and threats
		- work with experts to address
			- report abuse
			- report vulnerabilities
			- conduct penetration tests

	AWS Auditor Learning Path
		- help understand how internal operations gain compliance
		- visit compliance website for
			- recommended training
			- self-paced labs
			- auditing resources

	AWS security benefits
		- only commercial cloud service that has its services vetted and approved for top-secret workloads
		- securely scale infrastructure
		- automate security tasks
		- integrated security services
		- large infrastructure env prebuilt for customer
		- AWS security is strategic and focuses on preventing, detecting, responding, and remediating