Your instructor:

Michael J Shannon
CISSP #42221 / #524169,
Certified Cloud Security Class will begin at
Professional (CCSP), 11:00 A.M. Eastern
AWS Security – Specialty, Standard Time (EST)
ITIL 4 Managing Professional
 AWS Cloud Practitioner Exam

AWS Certified Cloud Practitioner (CLF-C01)

For candidates who have the skills and knowledge required to
successfully validate a general understanding of the AWS Cloud
There are two types of questions:
• Multiple-choice: Has one correct response and three
incorrect responses (distractors)
• Multiple-response: Has two correct responses out of five
options
 AWS Cloud Practitioner Exam

Uses a scaled score from 100 through 1000, with a

minimum passing score of 700
The examination uses a compensatory scoring model,
which means that you do not need to “pass” the
individual sections, only the overall examination
The exam is $100 USD and candidates have 90 minutes
to complete the exam
 Exam Domains

Domain % of Exam
Domain 1: Cloud Concepts 28%

Domain 2: Security 24%

Domain 3: Technology 36%

Domain 4: Billing and Pricing 12%

Total 100%
Cloud Computing Defined

According to Amazon Web Services (AWS):

“Cloud computing is the on-demand delivery
of compute power, database, storage,
applications, and other IT resources via the
internet with pay-as-you-go pricing.”
 Cloud Computing Defined

Cloud Computing has many advantages

• No need for large upfront investments
• No need to spend time managing hardware
• Provision the exact computing resource
 5 Characteristics of Cloud Services

• The traditional cloud model promotes

availability and is composed of five
essential characteristics:
• On-demand self-service
• Broad network access
• Resource pooling
• Rapid elasticity
• Measured Service
Cloud Computing and Emerging Technology

Machine Blockchain
learning & AI

Robotics AR & VR
Emerging
Analytics Technology IoT
Cloud Computing Types

Infrastructure-as-a-Service (IaaS)

Platform-as-a-Service (PaaS)

Software-as-a-Service (SaaS)
 Infrastructure-as-a-Service (IaaS)

Networking and Compute Storage & Database

Content Delivery
 IaaS at Amazon Web Services
Customer data

Customer IAM
Platform & application management

Operating system, network, & firewall configuration

Client-side data Server-side encryption Network traffic

encryption & data File system and/or data protection
integrity authentication Encryption/integrity/identity

Foundation Networking
Compute Storage Databases
Endpoints

AWS IAM
Services & CDN
AWS

AWS Global Availability Edge

Regions
Infrastructure zones locations
Example: AWS Virtual Private Cloud (VPC)

•Provision a logically isolated portion of the AWS

Cloud
•Have complete control over your environment
• Choosing your own IPv4 or IPv6 address ranges, subnet
design
• Configure route tables and network gateways
 Platform-as-a-Service (PaaS)

Customers still do not manage/control the AWS infrastructure

Consumers control applications and services

</> Programming languages, libraries, services, and tools

Some services are more “managed” by AWS than others

 Platform-as-a-Service (PaaS)
</> JAVA

.NET Java

JSON/YAML Python
Platform Support
Go Ruby

</>
 PaaS at Amazon Web Services
Customer data

Customer IAM
Client-side data Network traffic
encryption & data Server-side encryption protection
File system and/or data
integrity authentication Encryption/integrity/identity

Platform and Application Management

Operating System and Network Configuration

Foundation
Compute Storage Databases Networking
Endpoints

AWS IAM
Services
AWS

AWS Global Availability Edge

Regions
Infrastructure zones locations
 Example: Amazon Lightsail

Offers everything needed to build an application

or website using a cost-effective
Provides virtual servers, storage, databases, and
networking
Excellent for simple web applications and sites,
business software, and development/testing
Software-as-a-Service

The consumer uses the service provider’s

applications running on a cloud
infrastructure
The consumer often does not even
manage or control the individual
application capabilities
Cloud-based Cloud Deployment
• A fully deployed solution in the AWS Cloud
• Every component of the application operates in the cloud
infrastructure
• Cloud-based applications have either been generated in
the cloud or have been transferred from an existing
enterprise
• Can be built on low-level virtualized infrastructure
components
• Can also leverage higher level services that abstract from
the management, architectural, and scaling needs of the
core infrastructure
Hybrid Cloud Deployment
• A method for connecting infrastructure and applications
between AWS Cloud-based resources and other
resources that are not placed in the cloud
• The most common type of hybrid deployment is between
the provider's cloud and a standing on-premises
enterprise
• Can be used to migrate, expand, or grow an
organization's infrastructure into a cloud solution while
linking internal systems to AWS Cloud resources
• Often used by organizations to "burst up" to the cloud
during peak demand times or special situations
On-Premises Cloud Deployment
• Entails using virtualization and resource management
tools on-site only
• Sometimes called a "private cloud" deployment although
resources can be hosted privately at AWS
• Does not offer benefits of cloud computing but is often
needed for regulations and governance
• This deployment model is very similar to a traditional IT
infrastructure
• The difference is that the entity is using hypervisors,
application management, and other virtualization
technologies to attempt to enhance resource utilization
and lower costs
The AWS Virginia
Region has 6 Availability
Zones – each with at
least 2 datacenters -
and there are 3 Edge
Locations in Ashburn VA
AWS as the producer, we as the consumer to co-
create value and deliver data, applications, services,
and solutions to the world

• Agility
• Elasticity
• Cost
• Flexibility
• Security
• Leveraging for rapid deployment, testing, experimentation, & innovation
• Overcoming geographical limitations
• Getting content as close to the consumer as possible
• Reducing time and cost for testing and experimentation
• Allows consumers better innovation
• Elasticity is the ability to almost instantly provision and
de-provision resources
• Challenges with predicting demand leads to higher costs
• Leveraging dynamic auto-scaling technologies
• “Elasticity of the cloud allows us to add thousands of
virtual servers and petabytes of storage within minutes,
making such an expansion possible. Leveraging multiple
AWS cloud regions, spread all over the world, enables us
to dynamically shift around and expand our global
infrastructure capacity, creating a better and more
enjoyable streaming experience for Netflix members
wherever they are."
• - Yury Izrailevsky, VP Cloud and Platform Engineering, Netflix (from
Netflix Media Center)
For many organizations, using the cloud
to reduce costs is the dominant factor in
the value proposition

• Cabling • Racks
• Cooling • Servers
• Power • Storage
• Networking • Training and
• Racks Certifications

• Ongoing • Labor
maintenance and
upgrades
• AWS delivers a continuously increasing set of
infrastructure and software services
• These can be leveraged by all types of public
and private organizations of all sizes and
sectors
• These services empower organizations to:
• Better engage with their customers
• Manage their internal processes
• Analyze data from internal and external sources
to gain competitive advantage
AWS offers an enormous variety of services, products
and solutions that empower organizations to be
successful and profitable in meaningful and
measurable ways

• Reports from various entities like Gartner and

International Data Corporation (IDC) point out that
AWS customers get important financial benefits
that help increase growth, drive productiveness,
and realize important long-term cost reductions
Source: “Cloud Economics Center". August 15, 2017. https://aws.amazon.com/economics/
Cloud Economics
• 62% realize a more efficient IT infrastructure staff
• 51% achieve lower 5-year cost of operations
• 90% use less staff time to deploy new storage
• 25% attain more productive development teams
• 6 months to payback outlays
Source: “Cloud Economics Center". August 15, 2017. https://aws.amazon.com/economics/
• Gartner rates AWS the best cloud provider
• In the 2019 Magic Quadrant for Cloud
Infrastructure as a Service, Worldwide,
Gartner placed Amazon Web Services in the
"Leaders" quadrant and rated AWS as
having both the furthest completeness of
vision and the highest ability to execute
Source: “Cloud Economics Center". August 15, 2019. https://aws.amazon.com/economics/
 Source: "Magic Quadrant for Cloud Infrastructure as a Service, Worldwide".
https://www.gartner.com/en/documents/3738058/magic-quadrant-for-cloud-infrastructure-as-a-service-wor.
• Enterprises make larger annual
financial commitments to AWS
• Organizations deploy more mission-
critical workloads on AWS
• AWS has a broader range of customer
profiles, ranging from startups and
small and midsize businesses (SMBs)
to large enterprises
• AWS is the most mature, enterprise-
ready provider, with the strongest
track record of customer success and
the most useful partner ecosystem
Source: “Cloud Economics Center". August 15, 2017. https://aws.amazon.com/economics
• The AWS Free Tier provides customers the ability to explore and
try out AWS services free of charge up to specified limits for each
service
• Services with a 12-month Free Tier allow customers to use the
product for free up to itemized limits for one year from the date
the of account creation
• If your usage exceeds the free tier limits, you simply pay
standard, pay-as-you-go service rates
• AWS offers a "pay-as-you-go” approach to
pricing for their large array of cloud products
and services
• You will only pay for the specific services that
you need and only for the time that you are
utilizing them
• You will only incur fees for the actual resources
and services that your enterprise uses
Easily adapt to changing business
needs
• No more necessity to overcommit on
budgets
• Improve reaction and response to
changes
• Adapt business to real needs and not
forecasts
• Reduce risks of over-positioning or
missing capacity
• Organizations stay agile and reactive
• Always able to meet scaling demands
• Redirect focus to innovation and
modernization
• Reduce the difficulty and complexity of
procurement
• Empower the business to be fully
elastic
• AWS offers a Reserved Instance option for certain services like
EC2 and RDS
• If your enterprise pays a higher upfront fee, you will enjoy a
better discount
• According to AWS, you can save up to 75% over similar demand
by reserving capacity
• With Reserved Instances, you can save up to 75% over
equivalent on-demand capacity
• Reserved Instances are available in 3 options:
• All up-front (AURI)
• Partial up-front (PURI)
• No upfront payments (NURI)
• Use managed services to help address needs
• Get volume-based discounts
• Gain substantial savings as usage increases
• Take advantage of S3 tier-based pricing
• The AWS Well-Architected Framework helps customers
understand how to design and drive dependable, secure,
proficient, and cost-effective systems in the AWS Cloud
• It offers a method to consistently measure an
architecture against best practices and proven design
principles as well as detect areas for improvement
• The Well-Architected Framework is based on five pillars:
• Operational excellence
• Security
• Reliability
• Performance efficiency
• Cost optimization
• Perform operations as code
• Make frequent, small, reversible changes
• Refine operations procedures frequently
• Anticipate failure
• Learn from all operational failures
• Implement a strong identity foundation
• Enable traceability
• Apply security at all layers
• Automate security best practices
• Protect data in transit and at rest
• Keep people away from data
• Prepare for security events
• Automatically recover from failure
• Test recovery procedures
• Scale horizontally to increase aggregate workload
availability
• Stop guessing capacity
• Manage change in automation
• Democratize advanced technologies
• Go global in minutes
• Use serverless architectures
• Experiment more often
• Consider mechanical sympathy
• Implement cloud financial management
• Adopt a consumption model
• Measure overall efficiency
• Stop spending money on undifferentiated heavy lifting
• Analyze and attribute expenditure
• A hypervisor is the software that
produces and manages a virtual
infrastructure, allowing multiple
operating systems to run and
share resources on a single
physical machine
Containers

• In AWS, you can also build and run containerized applications

• A container is a discrete environment within an operating
system where one or more applications can run, typically
assigned all the resources and dependencies needed to function
• You can also use containers for processes and workflows in
which there are important requirements for security, reliability,
and scalability
• Amazon Elastic Container Service (Amazon ECS) is a fully
managed container orchestration service
 Root Account Distinctives

• IAM password policy does not apply to the root account

• Change the support plan, payments options, and billing
• Close an AWS account or sign up for GovCloud
• Transfer a Route 53 domain to another account
• Create an AWS-created X.509 signing certificate
The AWS virtual network service

• Amazon Virtual Private Cloud (Amazon

VPC) lets you launch (spin-up) AWS
resources into a virtual network that
you've defined
• This virtual network closely emulates a
traditional network in your own data
center
• A VPC is a virtual network dedicated to your AWS account
• It is logically isolated from other virtual networks in the AWS
Cloud
• You typically launch resources like EC2 Linux and Windows
instances in the VPC
• Activities include creating subnets, specifying IP address
ranges, and configuring route tables, NACLs, and security
groups
• You can also leverage the AWS Marketplace
• AMIs provide the necessary information
to launch an instance of an operating
system
• When launching an instance in AWS you
must determine the preferred AMI
• When you desire more than one instance
with a similar configuration, you can also
spin up multiple instances derived from a
single AMI
An AMI includes:

• An instance root volume template or one

or more Elastic Block Storage (EBS)
snapshots
• Permissions that allow you to manage the
AWS accounts that launch instances using
the AMI
• Specifications of the attachable volumes to
use when launching an AMI based on a
block device mapping
 Subnets
• A subnet is a range of IP addresses in your VPC
• A subnet is distinguished based on the entries in the Route
Table assigned to it
• There are 3 Types of Subnets:
• Private – there is no entry in the route table out of the
subnet itself
• Public – there is an entry in the table to an IGW
• VPN-only – there is an entry to a VPG
 Route Tables
• Route tables contain a set of rules, called routes, that are
used to determine where network traffic is directed
• The entries in your route tables determine the type of subnet
you have deployed
• Default limit is 50 routes with 1000 route hard limit (new in
2019)
• Check out: https://docs.aws.amazon.com/vpc/latest/
userguide/route-table-options.html
 Internet Gateways (IGW)
• An internet gateway (IGW) is a horizontally scaled,
redundant, and highly available VPC component
• It facilitates communication between VPC instances and the
internet
• It imposes no availability risks or bandwidth constraints on
your network traffic
• An IGW serves two purposes:
• To provide a target in your VPC route tables for traffic
routable on the Internet
• To perform network address translation (NAT) for
instances that have been assigned public IPv4 addresses
 NAT Gateways
• NAT Gateways enable instances in a private subnet to
connect to the internet or other AWS services, while
preventing the internet from initiating a connection with
those instances
• For example – Windows Update Services, upgrades, security
fixes, etc.
• You are charged for creating and using a NAT gateway in your
account with hourly usage and data processing rates applying
Egress-Only Internet Gateways (EOIG)
• An egress-only Internet gateway allows outbound
communication over IPv6 from instances in your VPC to the
Internet
• It prevents the Internet from initiating an IPv6 connection
with your instances
• An egress-only Internet gateway is for use with IPv6 traffic
only
• An internet gateway supports IPv4 and IPv6 traffic
 Elastic IP Addresses
• An Elastic IP addresses (EIP) address is a static, public IPv4
address used for dynamic cloud computing
• You can associate an EIP with any instance or network
interface for any VPC in your account then mask an instance
failure by quickly remapping the address to another instance
in the VPC
• Associate the EIP with the network interface instead of
directly with the instance so that you can move all the
attributes of the vNIC from one instance to another in a
single step
 DHCP Options Sets
• EC2 instances launched into a nondefault VPC are private by
default and they receive an unresolvable host name that
AWS assigns
• You can assign your own domain name to your instances and
use up to 4 of your own DNS servers by designating a special
set of DHCP options to use with the VPC
• Available options: domain-name-servers, domain-name,
ntp-servers, netbios-name-servers, netbios-node-type
 Endpoints
• VPC endpoints allow you to privately connect your VPC to
supported AWS services and VPC endpoint services powered
by AWS PrivateLink without needing an internet gateway,
NAT device, VPN connection, or AWS Direct Connect
connection
• Instances in your VPC do not need public IP addresses to
communicate with resources in the service since traffic
between your VPC and the other service does not leave the
Amazon network
• Endpoints are virtual VPC devices
 Endpoints (cont.)
• When you generate a gateway endpoint, you simply
designate the subnet route tables in your VPC that are used
by the gateway endpoint
• A route is automatically added to each of the route tables
with a destination that specifies the prefix list ID of the
service (pl-xxxxxxxx), and a target with the endpoint ID (vpce-
xxxxxxxxxxxxxxxxx)
• You cannot explicitly delete or modify the endpoint route,
but you can change the route tables that are used by the
endpoint
 Endpoints (cont.)
• The following are the key concepts for VPC endpoints:
• Gateway endpoints - a gateway that you designate as a
target for a route in your route table for traffic destined
to a supported AWS service
• Interface endpoints - An interface endpoint is an elastic
network interface with a private IP address from the IP
address range of your subnet that serves as an entry
point for traffic destined to a supported service
• Endpoint services - Your own application in your VPC
using PrivateLink. Other AWS principals can create a
connection from their VPC to your endpoint service
 VPC Peering
• A VPC peering connection is a networking connection
between two VPCs that lets you route traffic between them
using private IPv4 or IPv6 addresses
• Instances in either VPC can communicate with each other as
if they are within the same network
• You can create a VPC peering connection between your own
VPCs, or with a VPC in another AWS account
• Intra-region or inter-region peering connections
Connecting to your VPC

• AWS Site-to-Site (managed) VPN

• AWS Direct Connect
• AWS Direct Connect Plus VPN
• AWS VPN CloudHub
• Software VPN
• Transit Gateway (and/or transit VPC)
• Client VPN Endpoints
Connecting between VPCs

• VPC Peering
• Software-to-AWS Site-to-Site (Managed) VPN
• AWS Site-to-Site (Managed) VPN
• AWS Direct Connect
• AWS PrivateLink
• AWS Transit Gateway
AWS has the most secure datacenters in
the world

• Leverage the secure infrastructure and best

practices of AWS
• Inherit all the guidelines, policies,
architecture, and operational processes of
Amazon Web Services
• Allows you to grow and innovate, while
preserving a compliant and secure
environment
• The AWS infrastructure uses strong safeguards
to help protect the privacy of all data is stored
in highly secure AWS data centers
• Maintain the highest standard of security
without having to manage your own facility
• Security scales with your AWS Cloud usage so
that no matter the size of the business, the
AWS infrastructure will keep your data safe
• AWS manages dozens of compliance programs
in its infrastructure so that segments of your
compliance have already been completed
The Shared Responsibility Model
• Cloud resource security is quite a bit different than
protecting your own data center on-premise
• When you migrate resources to a cloud service provider
(CSP), the service level-agreement (SLA) becomes a joint
shared responsibility between the provider and the
consumer
• With IaaS and SaaS cloud models this relationship has a
more distinct demarcation point
• With PaaS, however, the lines are often less clear and
depend on how "managed" the service is by the CSP
• What content customers choose to store or migrate to
AWS
• Which AWS services are used with that content
• In what country that content is stored
• The format and structure of that content
• Whether it is masked, anonymized or encrypted
• Who has access to that content
• How those access rights are granted, managed and
revoked
• Compliance services help you realize AWS
controls
• Compliance responsibilities are part of shared
responsibility
• Utilize "governance-focused" and "audit-
friendly" services
• Enablers are constructed on traditional
compliance programs
• AWS offers an extensive array of control
information
• You may need to uphold specific
standards as proven through an
audit
• An audit or inspection will ensure
that the company has met those
standards
• Artifact is a console-based, on-
demand self-service auditing object
retrieval service that offers quick
and easy access to AWS compliance
documentation and agreements
• AWS Artifact Agreements lets you review, accept, and
manage agreements for an individual account and for all
your accounts in AWS Organizations
• Different types of agreements are offered to address the needs of
customers who are subject to specific regulations, such as HIPAA

• AWS Artifact Reports provides compliance reports from

third-party auditors who have tested and verified that AWS
is compliant with a variety of global, regional, and industry-
specific security standards and regulations
• AWS Artifact Reports remains up to date with the latest reports
released
• You can provide the AWS audit artifacts to your auditors or
regulators as evidence of AWS security controls
• Contains resources to assist customers in learning more about AWS compliance
• Contains customer compliance stories and case studies to ascertain how organizations in
regulated industries have solved various compliance, governance, and audit tasks
• The Customer Compliance Center includes an auditor learning path designed for
individuals in auditing, compliance, and legal roles who need to learn more about how
their internal operations can validate compliance using the AWS Cloud
• Customers can access compliance whitepapers and documentation on topics such as:
• AWS answers to key compliance questions
• An overview of AWS risk and compliance
• An auditing security checklist
Consensus Assessment Initiative
Questionnaire
Cloud Security Alliance (CSA) is a not-for-
profit enterprise with a mission to
"promote the use of best practices for
providing security assurance within Cloud
Computing, and to provide education on
the uses of Cloud Computing to help
secure all other forms of computing."
Cloud Adoption Framework (AWS CAF)
• The AWS CAF organizes guidance into six areas of focus,
called Perspectives
• Each Perspective speaks to discrete responsibilities
• The planning process assists the right stakeholders across
the organization prepare for the coming changes
• In general, the Business, People, and Governance
Perspectives focus on business capabilities
• The Platform, Security, and Operations Perspectives focus
on technical capabilities