DEV Community: miyuki_samitani

What is Security Hub?

miyuki_samitani — Fri, 21 Oct 2022 13:55:19 +0000

Image before study

I don't know much about it except that it's an AWS service.

Research

What is Security Hub?

It is a service that checks and centrally manages AWS services.
There are various AWS services, but it is difficult to check each service one by one.
Therefore, the Security Hub aggregates security alerts for AWS services and allows you to view them on a single management screen.
Security Hub is a service that aggregates security alerts for AWS services and allows you to view them on a single management screen.

Currently, the target services are as follows

Amazon GardDuty
Amazon Inspector
AWS System Manager
AWS Health
AWS config
AWS Firewall Manager
AWS IAM Access Analyzer
Amazon Macie

Benefits of the Security Hub

Data Aggregation

The security checks of the services listed above can be viewed in a single Security Hub.
This saves you the time and effort of visiting each service.

Automated security checks

The Security Hub can also perform compliance checks.
You can automatically check for compliance with certain standards, such as PCI DSS.

Security Hub Precautions

There are a few things to keep in mind when using the Security Hub.

AWS Config must be enabled for security checks.

AWS Config must be enabled as it will be used as data.

It must be enabled on a region-by-region basis.

Security Hub only processes data for the region of interest.
If you want to see several regions, you need to enable it for each region.

Image after study

I was looking at it for a while and thought it was similar to TRUSTED ADVISER.
I wonder if this one is more specialized in compliance and security?
Well, I guess there are some parts that are covered.

What is Design for Failure?

miyuki_samitani — Thu, 20 Oct 2022 12:09:42 +0000

Pre-study image

Is it a design for failure kind of story?

Study

What is Design for Failure?

Design for Failure refers to the concept of designing a system based on the assumption that failures will occur.
Servers can fail, AZ/region things can fail.
The idea is to improve the availability of the service by taking countermeasures in case of failures.

How to realize Design for Failure

Elimination of SPOFs

To improve availability, it is important not to create single-point-of-failure (SPOF).
By configuring the system in an HA configuration or, in the case of AWS, in a multi-AZ, multi-region configuration, it is possible to avoid SPOFs at a single point of failure.
This is because services can continue to operate even if an entire AZ or region fails.

Monitoring

Service monitoring for early detection of service failures, resource monitoring to detect performance degradation, etc.
It is necessary to set up constant monitoring of logs and metrics in the service for early detection and early recovery.

Recovery Methods

When a failure occurs and the client is affected, how to recover?
It is possible to recover early by deciding in advance how to move within the organization and what recovery methods to use when a failure occurs and clients are affected.

Image after study

SPOF is indeed ・・・・.
Basically, it means you have to think of the server as something that dies.

What is Amazon Detective?

miyuki_samitani — Tue, 18 Oct 2022 12:49:12 +0000

What is Amazon Detective?

Pre-study image

I feel like I've never heard of it.

Research

What is Amazon Detective?

It will be a service to help analyze and investigate the cause of security issues or suspicious activity in applications on AWS.
Since Detective means detective, this service monitors, investigates and analyzes the cause of the problem like a detective.

Detective collects the following logs and analyzes the information.

cloudtrail logs
vpc flow log
GuardDuty

Recommended Conditions

aws cli must be 1.16.303 or higher
Amazon GuardDuty must be enabled
- Must be enabled on master account
- Must wait 48 hours after activation
Amazon GuardDuty's cloudwatch notifications are every 6 hours, so we'll set them to 15 minutes.

Use Cases

Investigate the impact of a security issue

Check credentials in case of compromise, API calls from malicious IP addresses, etc.

File Identification

Scan for files that behave suspiciously like malware on EC2.

Image after study

Basically, I think of it as information gathering and analysis.
It seems like we can see where the suspicious IPs are accessing from.

What is Landing Zone?

miyuki_samitani — Mon, 17 Oct 2022 13:19:26 +0000

Pre-study image

You may have never heard of it.

Research

What is a Landing Zone?

Landing Zone is a mechanism to deploy accounts created based on AWS best practices.
Landing Zone is not a service but a mechanism.
Landing Zone is not a service, but a mechanism to maintain a certain level of security for a large number of accounts.

Landing Zone Features

Create an account with all necessary initial settings completed
Issue administrative privileges, creating permissions to manage accounts
Manage account access via SSO
Ensure network baselines are in place
Centrally store AWS logs
Install guardrails

How to use the Landing Zone

Using Control Tower

Control Tower is an easy to set up Landing Zone implementation.

Implement on your own

Use Organizations, config, etc. to build your own.
It can be customized freely, but it is difficult to set up.

Image after study

It feels more like a Control Tower feature...
Is that right?

What is IPAM?

miyuki_samitani — Mon, 17 Oct 2022 13:17:13 +0000

Pre-study image

I've seen the word on the AWS website, but I don't know what it is.
Is it related to IP address?

Research

What is IPAM?

IPAM stands for IP Address Management.
In Japanese, it is called IP address management.

IPAM refers to the centralized management of IP addresses in a network and software for such management.
It collects IP addresses in cooperation with DHCP servers, DNS servers, etc. that exist in the network, and
The DHCP server systematically allocates IP addresses.

In the past, when IP addresses were planned, planning was done using Excel.
When changes were made, modifications were often made.
However, this was sometimes unusable due to omissions or loss of tracking of work.
IPAM will do that automatically.

Image after study

It's definitely going to be in an Excel table or something... it's not going to be usable. 。。。。

Examined cross-account connectivity for AWS.

miyuki_samitani — Mon, 17 Oct 2022 13:15:56 +0000

Pre-study image

What was it? I don't have a quick answer.
I think it was something about doing something with users of different accounts.

Research

What is AWS Cross Account Connectivity?

It is to allow one account to handle the resources of two or more accounts.
If you have two, it is also called a multi-account connection.

You may think that all you have to do is to re-login to your account.
However, depending on the environment, it may be necessary to separate the accounts for production and development, or to connect to another company's AWS account.
In such cases, a cross-account connection allows you to connect simply by granting permission to your existing account without having to create a new one.

What kind of configuration will be used?

The use case is as follows.
User A exists in one account.
Another user A needs to be able to connect to the production environment, the development environment, and another company's environment.
In each environment, configure IAM roles as follows

Production environment
- Assign user A read access to the production log bucket
Development environment
- Assign read permission of the development log bucket to user A
Other company environment
- Assign all EC2 operation privileges to user A

Then, user A remains user A and only needs to perform the switch role
read permission for the production log bucket in the production environment, read permission for the development log bucket in the development environment, and all operating privileges for EC2 in other companies' environments
User A can obtain read access to production log buckets in the production environment, read access to development log buckets in the development environment, and all EC2 operations in other environments.

Difference between switch roles and cross account connections

Cross Account.
- Allowing two or more accounts to handle resources
Switch Roles
- To change to another authority (role).
- Commonly used to switch to a role of a different account when handling resources of a different account.
- It is not about logging in to a different account, but about switching to a role of a different account.

Image after study

Switching roles is not just a login.

What is Hyper-V?

miyuki_samitani — Fri, 14 Oct 2022 03:40:45 +0000

Pre-study image

Virtualization application-like?

Investigation

What is Hyper-V?

Read as Hyper-V, it refers to Microsoft's hypervisor virtualization software.
It refers to a method of running virtualization software by installing it directly on a server.
On a virtual machine, there are Windows Server systems, Windows for clients, some linux, etc.

Are there other hypervisor virtualization software besides Hyper-V?

The following are the most commonly used

VMware ESXi
Hyper-V
Xen

Image after study

Xen's friends?
I'm starting to understand what kind of grouping it is.

What is E2E?

miyuki_samitani — Thu, 13 Oct 2022 13:56:00 +0000

Image before study

I don't know

Study

What is E2E?

It stands for end to end.
In IT, it often refers to the entire pathway connecting two parties in communication.

End-to-end principle

One of the network design concepts is the `end-to-end principle.
This means that advanced processing such as communication control and error detection is done in the end system, while simple processing and relaying is done on the network path.
The end-to-end principle is that advanced processes such as communication control and error detection are performed by the end systems, and only simple processing and relaying are performed on the network paths.

Another related term is `E2EE (end to end encryption)
messages, etc., are all encrypted from one end to the other.
This encryption method is highly anonymous because only the sender and receiver can view the message.

Image after study

I figured this one out when I thought about it!
But the thought of advanced processing at the end wasn't so much as a recognition, so I'll keep it in mind.