Time
36 minutes
Difficulty
Intermediate
CEU/CPE
1

Video Transcription

00:00
Welcome back to this lecture and this lecture. We're gonna be talking about security by design. And what I mean is
00:07
one of the main things that we use eight of us for as building out our network whether we're expanding our network from our office into the cloud or building something in the cloud, that's for applications and application development. Things like that.
00:22
Uh, you know, you're gonna be using tools like VP sees, which builds your virtual private cloud. That's one of the P C stands for,
00:29
and you're gonna be spinning up easy. Two instances you're gonna be deploying EBS volumes. You know, storage volumes. You're gonna be integrating other tools like s three. You're gonna have databases. Ah, you may have. You know, dynamodb, which another database, Um, you're gonna have all kinds of different service is. And
00:47
when you're designing your ear infrastructure, you want to be designing that with security in mind. That way, after everything has been designed that everything has been developed, you're not going back, you know, smacking your head thing. Oh gosh. Why did I do it this way? I should have done it differently. I should have
01:06
implemented security into my design. And that way I don't have to do the work twice. And I don't get in trouble with my boss and my application In my private data, my super secret information does not get stolen.
01:18
So
01:19
we're going thio touch up a little bit on that on some of the tools that are available to you and some of the best practices that you can use to go about when you were implementing security into your design in this lecture. So
01:36
how can you stay secure? An eight of Yes, Well, there's a couple different ways that you can do it. And I recommend all of thes
01:44
visibility, audit ability, controllability and agility, and we're gonna talk a little bit about each one of them here. So when I talk about visibility, what I'm talking about is getting that really high level overview, the ability to audit the configurations off your assets, and eight of us
02:01
being able to compare the current configurations with
02:07
the desired configurations and being able to assess the compliance nature of your assets. Eight of us provides you with a tool called config, which allows you to do just that and this icon here is the icon that represents a Tapia's config.
02:25
It allows you to review and out of the configuration of the assets in your eight of us environments.
02:31
Um, and it was a very good job at doing so. Ah, you know everything that you have spun up. You can review an audit within config and do so within minutes of having the information being process. You can compare the comfort
02:51
the current configurations with the desire configurations.
02:54
And like I said, you can also compare that to whatever compliance requirements are necessary for your environment. That's PC. I, um hipaa uh, gpr you name it.
03:09
Audit ability is another thing that we mentioned in our list of security by design and AWS cloudtrail is one of one of the great tools that allows you to do that. It's built into eight of us and ah, it enables you to maintain that governance that compliance, that operation auditing and
03:29
the risk auditing of your interview s environment,
03:32
your AWS accounts, you can log continuously, monitor routine account activity related actions across your infrastructure, and cloudtrail provides the events history so that you can see what kind of things were going on within your previous accounts.
03:51
And you know, those actions can include
03:53
Ah, the interview. This management council, which you know, is the graphic user interface you log into when you go on, Uh, you know, eight of us dot amazon dot com slash consul Or, you know, if you're using sdk. So for those development projects that you're integrating eight of us into
04:12
if using yes, a kid SD case you can audit the action's done using cloudtrail
04:16
coming online tools. Obviously, if you're using command line and interacting with your resource is that way and other eight of us service is so
04:27
I know that seems kind of general. If you want to learn more about klatch l I recommend you go over to the documentation that we can find, you know, the answers to your specific questions. But just as a high level overview, if you're looking to influence security into the design of your infrastructure, I have a recommend Quattro. I use it all the time,
04:46
and, you know, I think that it will be helpful for you as well. They've done a very good job developing this tool
04:53
needs Lee within eight of us they have. You know, the interviews Key Management Service, which there came a CE service that makes it really easy for you to create and manage the keys and control the use of your encryption across a wide range of interviews. Service is, um and they also cloudhsm,
05:11
which is basically a cloud based hardware security module. You probably have experienced harbor security modules on Prem if you if you work for any large organization that requires, you know, encryption keys to be created and managed, it systems are key for that.
05:30
Ah,
05:30
and AWS allows you to use their clout, ageism, and that way you can easily generate and create an encryption keys within the AWS cloud itself. Those are the icons for the two. And last but not least, agility is the last thing that we want to include in our security by design. So,
05:51
uh, I love confirmation because it allows you to write your code in order to spend up your infrastructure, your environment, and to do so very easily. One of the really cool things I found. This being a cloud security engineer is that you can actually do testing on the confirmation code and compare that
06:11
with some bass lines.
06:12
Um, you know, are, you know, just general insecure practices that you're gonna be testing against, And that way you can You can help remove some of those impurities before you're actually deploying your environment. So first of all this backtrack If you're not familiar with infrastructure as code you need to be,
06:31
I highly recommend that you go ahead and read up on it.
06:35
Basically, you right, Oppa, Jason file That allows you to spin up servers that allows you to spend a hard drives in the clouds, spin up firewalls. You got to create sub nets. You get to create all this stuff and confirmation has a really vast documentation
06:56
that covers all these different things that you could do with it.
06:59
And, you know, that's that's awesome in itself. But what I'm saying is that you know, if you have ever done any any secure code review, you can actually do that secure code review on confirmation as well. I know. You know, if my company we use check marks and other companies, these other tools like it
07:16
and that allows you to scan the code for, you know, things that you should probably changing before you deploy that into
07:24
eight of us. So really cool stuff. I think you know, as faras Agility goes and makes your job so much easier. And if you're not the one doing it, the people who are doing it, you know, if they're dead officers, server engineers or whoever they're gonna love you for knowing about this
07:39
and really helping out. So it's a really good way to score some extra brownie points at work.
07:44
Um, so, yeah, security by design, Definitely important. Police keep all these things in mind. And, you know, make sure you review these different tools that I talk about here and the course you know, we're not gonna go super super in depth because sometimes it's just not possible to create a case environment for each and every one,
08:01
especially when you don't have a lot of data
08:05
testing data, the Inca process or whatever, but it is good to know them on. And if you ever decide to pursue a certification Ah, you know, especially like the associate level asserts, You don't really have to know a whole whole lot about every single one of these Service is But you should know a general idea of what they dio
08:22
in order. Thio pass the certification and really just, you know, carry that knowledge into your workplace. So
08:30
that about wraps of this lecture guys, I This was helpful. If you have any questions, feel free to reach out to me.

Up Next

AWS Infrastructure Security

Looking to learn more about the security infrastructure offerings with AWS? You’re in luck! AWS offers a multitude of tools that secure your network and systems and in this course, we will introduce you to them.

Instructed By

Instructor Profile Image
Nicolas Moy
Senior Cloud Security Engineer
Instructor