Design and Implement monitoring and alerting to address security events

• Key AWS services for monitoring and alerting
• Monitoring metrics and baselines
• Analyzing environments and workloads to determine monitoring

requirements according to business and security requirements

• Setting up tools and scripts to perform regular audits
Troubleshoot security monitoring and alerting
• Configuring of monitoring services and collecting event data
• Application monitoring, alerting, and visibility challenges

Design and implement a logging solution

• Key logging services and attributes
• Log destinations, Ingestion points and lifecycle management
• Logging specific to services and applications

Troubleshoot logging solutions

• AWS services that provide data sources and logging capabilities
• Access permissions that are necessary for logging
• Identifying misconfigurations and remediations specific to logging
• Reasons for missing logs and performing remediation steps

Design a log analysis solution

• Services and tools to analyze captured logs
• Identifying patterns in logs to indicate anomalies and known threats
• Log analysis features for AWS services
• Log format and components
• Normalizing, parsing, and correlating logs

Design and implement security controls for edge services

• Define edge security strategies and security features
• Select proper edge services based on anticipated threats and attacks
and define proper Protection mechanisms based on that
• Define layered Defense (Defense in Depth) mechanisms
• Applying restrictions based on different criteria
• Enable logging and monitoring across edge services to indicate attacks
• VPC security mechanisms including Security Groups, NACLs, and Network
firewall
• Traffic Mirroring and VPC Flow Logs

Design and implement network security controls

• VPC Security mechanisms and implement network segmentation based
on security requirements
• Network traffic management and segmentation
• Inter-VPC connectivity, Traffic isolation, and VPN concepts and deployment
• Peering and Transit Gateway
• AWS Point to Site and Site to Site VPN, Direct Connect
• Continuous optimization by identifying and removing unnecessary network access.

Design and implement security controls for compute workloads

• Provisioning and maintenance of EC2 instances
• Create hardened images and backups
• Applying instance and service roles for defining permissions
• Host-based security mechanisms
Vulnerability assessment using AWS Inspector
• Passing secrets and credentials security to computing workloads
Troubleshoot network security
Identifying, interpreting, and prioritizing network connectivity
and analyzing reachability
Analyse log sources to identify problems
Network traffic sampling using traffic mirroring
• Identity and Access Management
• Establish identity through an authentication system based on requirements.
• Managed Identities, Identity federation
• AWS Identity center, IAM and Cognito
• MFA, Conditional access, STS
• Troubleshoot authentication issues

Design, implement and troubleshoot authentication for AWS resources
IAM policies and types

• Policy structure and troubleshooting
• Troubleshoot authorization issues
• ABAC and RBAC strategies
• Principle of least privilege and Separation of duties
• Investigate unintended permissions, authorization, or privileges

Design and implement controls that provide
confidentiality and integrity for data in transit

Design secure connectivity between AWS and on-premises networks

• Design mechanisms to require encryption when connecting to resources.
• Requiring DIT encryption for AWS API calls.
• Design mechanisms to forward traffic over secure connections.
• Designing cross-region networking

Design and implement controls that provide confidentiality and integrity for data at rest
Encryption and integrity concepts

• Resource policies
• Configure services to activate encryption for data at rest and to protect data
integrity by preventing Modifications.
• Cloud HSM and KMS

Design and implement controls to manage the data lifecycle at rest
Lifecycle policies and configurations

• Automated life cycle management
• Establishing schedules and retention for AWS backup across AWS services.

Design and implement controls to protect credentials, secrets,and cryptographic key materials
Designing management and rotation of secrets for workloads using a
secret manager

• Designing KMS key policies to limit key usage to authorized users.
• Establishing mechanisms to import and remove customer-provider key material

Design a strategy to centrally deploy and manage AWS accounts

• Multi account strategies using AWS organization and Control tower
• SCPs and Policy multi-account policy enforcement
• Centralized management of security services and aggregation of findings
• Securing root account access

Implement a secure and consistent deployment strategy for
cloud resources

• Deployment best practices with Infrastructure as a code
• Tagging and metadata
• Configure and deploy portfolios of approved AWS services.
• Securely sharing resources across AWS accounts
• Visibility and control over AWS infrastructure