Security Engineering on AWS

Intended audience

This course is intended for:

• Security Engineers
• Security Architects
• Information Security professionals

Prerequisites

We recommend that attendees of this course have:

• Working knowledge of IT security practices and infrastructure concepts
• Familiarity with cloud computing concepts
• Completed AWS Cloud Practitioner Essentials (Second Edition) free digital course or classroom course, AWS Security Fundamentals digital training, and Architecting on AWS classroom training

Day One

Module 0: Course introduction

• Security in the AWS Cloud
• AWS Shared Responsibility Model
• Incident response overview
• DevOps with security engineering

Module 1: Identifying entry points on AWS

• Identify the different ways to access the AWS platform
• Understanding IAM policies
• IAM permissions boundary
• Multi-factor authentication
• AWS CloudTrail
• Hands-on lab 1: Cross-account access

Module 2: Security considerations: web application environments

• Threats in a three-tier architecture
• Common threats: User access
• Common threats: Data access
• AWS Trusted Advisor

Module 3: Application security

• Dedicated Amazon EC2 instances and hosts
• Amazon machine images (AMIs)
• Amazon Inspector
• AWS Systems Manager
• Hands-on lab 2: Using AWS Systems Manager and Amazon Inspector

Module 4: Securing network communications – part 1

• Amazon VPC security considerations
• Responding to compromised instances
• Elastic Load Balancing
• AWS Certificate Manager (ACM)

Day Two

Module 5: Data security

• Data protection strategies
• Encryption on AWS
• Protecting data at rest with Amazon S3, Amazon RDS, and Amazon DynamoDB
• Protecting archived data with Amazon S3 Glacier

Module 6: Security considerations: hybrid environments

• AWS site-to-site and client VPN connections
• AWS Direct Connect (DX)
• AWS Transit Gateway
• AWS Storage Gateway

Module 7: Monitoring and collecting logs on AWS

• Amazon CloudWatch and CloudWatch Logs
• AWS Config
• Amazon CloudWatch logs
• Amazon VPC Flow logs
• Amazon S3 server access logs
• ELB access logs
• Hands-on lab 3 part 1: Server log analysis – log collection

Module 8: Processing Logs on AWS

• Amazon Kinesis for log processing
• Amazon Athena for log processing
• Hands-on lab 3 part 2: Server log analysis – log analysis

Module 9: Securing network communications – part 2

• Amazon VPC peering
• Amazon VPC endpoints

Module 10: Out-of-region protection

• Denial of service threats overview
• Amazon Route 53
• AWS WAF
• Amazon CloudFront
• AWS Shield
• AWS Firewall Manager
• DDoS mitigation on AWS Day Three

Module 11: Account management on AWS

• AWS Organizations
• AWS Control Tower
• AWS Single Sign-On (AWS SSO)
• AWS Directory Service
• Hands-on lab 4: Federated access with ADFS

Module 12: Security considerations: serverless environments

• Amazon Cognito
• Amazon API Gateway
• Secure messaging with Amazon SQS and Amazon SNS
• AWS Lambda
• Hands-on lab 5: Monitor and respond with AWS Lambda and AWS Config

Module 13: Secrets Management on AWS

• AWS Key Management Service (AWS KMS)
• AWS CloudHSM
• AWS Secrets Manager
• Hands-on lab 6: Using AWS KMS

Module 14: Automating security on AWS

• AWS CloudFormation
• AWS Service Catalog
• Hands-on lab 7: Security automation on AWS with AWS Service Catalog

Module 15: Threat detection and sensitive data monitoring

• Amazon GuardDuty
• Amazon Macie