New! 2018 AWS Security Specialty BETA Exam Resources

Finally, it’s here!

AWS Certified Security – Specialty Beta Exam

SCS-C01. I registered last night; it is only $150, which is much better than the usual $300 for each of the other two Specialty exams. This beta exam will only be available from January 15th to March 2nd, so I scheduled mine for… Feb 28th. I’ll be compiling a resource list for anyone else who wants to do this exam.

Ok, now the nitty gritty, what resources are needed?

Official Exam Guide

First, here is the PDF of the AWS Exam Guide for the BETA SCS-C01.

Now, here is my resource collection:

I can start by telling you I’ve already purchased the

AWS Certified Security – Specialty Course from acloud.guru

It’s the course from the original BETA exam that came out (early 2017?), but it covers all the fundamentals, and the guys at acloud.guru update their content regularly when it comes to exam courses. I believe the cost on this is $60. Outstanding value!

UPDATE from acloud.guru founder Ryan Kroonenburg: Ryan sat this exam on Jan 15th in London. He made this video giving general exam experience feedback, and he also said that he will be updating the above-mentioned acloud.guru AWS Security course based on his experience.

WhitePapers

Next, I think this exam will hit every corner of the AWS universe, which means diving deep into the AWS Security and Compliance Whitepapers.

Out of those, the Well-Architected Framework – Security Pillar would be the one to know like the back of your hand.

Re:Invent 2017 Security Vids

After that, the AWS re:Invent 2017 IAM Policy Ninja video is an incredible resource and, to be sure, I will watch (and practice) it multiple times over the next several weeks. Other re:Invent 2017 security videos:

AWS Philosophy of Security
Architecting Security and Governance Across Multiple-Accounts
Security Anti-Patterns: Mistakes to Avoid
Best Practices for Managing Security Operations on AWS
AWS Security State of the Union
Compliance and Top Security Threats in the Cloud
Incident Response in the Cloud
Five New Security Automation Improvements You Can Make by Using CloudWatch Events and AWS Config Rules
Using AWS Lambda as a Security Team
 CloudTrail to Enhance Governance and Compliance of Ama

Now the AWS recommended training for the SCS-C01 BETA exam:

AWS Security Fundamentals e-course
Online Resources for AWS Security

Exam Topic Specific Resources SCS-C01

Domain 1: Incident Response

RE:Invent Video: Incident Response in the Cloud

1.1 Given an AWS abuse notice, evaluate the suspected compromised instance or exposed access keys.

I received a notification that my AWS resources or account may be compromised. What should I do?

1.2 Verify that the Incident Response plan includes relevant AWS services

Building a Cloud-Specific Incident Response Plan

1.3 Evaluate configuration of automated alerting and execute possible remediation of security-related incidents and emerging issues

How to Remediate Amazon Inspector Security Findings Automatically
How to Detect and Automatically Remediate Unintended Permissions in Amazon S3 Object ACLs with CloudWatch Events

Domain 2: Logging and Monitoring

2.1 Design and implement security monitoring and alerting.

Designing Centralized Logging
How to Monitor Host-Based Intrusion Detection System Alerts on Amazon EC2 Instances
How to Receive Alerts When Your IAM Configuration Changes
SID341 – Using AWS CloudTrail Logs for Scalable, Automated Anomaly Detection

2.2 Troubleshoot security monitoring and alerting.

Troubleshoot SNS Deliveries
Troubleshoot SES Notifications

2.3 Design and implement a logging solution.

Logging Whitepaper
How to Monitor and Visualize Failed SSH Access Attempts to Amazon EC2 Linux Instances

2.4 Troubleshoot logging solutions

Troubleshooting CloudWatch Events

Domain 3: Infrastructure Security

3.1 Design edge security on AWS.

AWS WAF
AWS Shield
Protect Dynamic Content using Shield and Route53
Serving Private Content Through CloudFront
SID342 – Protect Your Web Applications from Common Attack Vectors Using AWS WAF
SID401 – Let’s Dive Deep Together: Advancing Web Application Security

3.2 Design and implement a secure network infrastructure.

Setting Up an AWS VPN Connection – Amazon Virtual Private Cloud
VPN Connections – Amazon Virtual Private Cloud – AWS Documentation
Well Architected Framework – Security Pillar

3.3 Troubleshoot a secure network infrastructure.

Troubleshooting – Amazon Virtual Private Cloud – AWS Documentation
Troubleshoot Connecting to an Instance in a VPC – AWS – Amazon.com
Troubleshooting AWS Direct Connect – AWS Documentation
VPN Tunnel Troubleshooting – AWS – Amazon.com

3.4 Design and implement host-based security

IDS and IPS for EC2 Instances
How to Monitor Host-Based Intrusion Detection System Alerts on Amazon EC2 Instances
Amazon Inspector – Security Assessment Service

Domain 4: Identity and Access Management

4.1 Design and implement a scalable authorization and authentication system to access AWS resources.

AWS Identity and Access Management (IAM) Documentation
IAM Best Practices – AWS Identity and Access Management
Enabling SAML 2.0 Federated Users to Access the AWS Management …
SID337 – Best Practices for Managing Access to AWS Resources Using IAM Roles
AWS Cognito
SID344 – Soup to Nuts: Identity Federation for AWS

4.2 Troubleshoot an authorization and authentication system to access AWS resources.

Troubleshooting IAM – AWS Identity and Access Management
Troubleshooting IAM Roles – AWS Identity and Access Management
Troubleshoot IAM Policies – AWS Identity and Access Management
Troubleshooting Amazon EC2 and IAM – AWS Identity and Access …
Troubleshooting Amazon S3 and IAM – AWS Identity and Access …

Domain 5: Data Protection

5.1 Design and implement key management and use.

AWS Key Management Service Concepts – AWS Documentation
RE:Invent Video – Best Practices for Implementing KMS
Whitepaper – Best Practices for KMS
SID345 – AWS Encryption SDK: The Busy Engineer’s Guide to Client-Side Encryption
Amazon Macie

5.2 Troubleshoot key management.

Verifying and Troubleshooting KMS Key Permissions – AWS .
Determining Access to an AWS KMS Customer Master Key – AWS Key …
Limits – AWS Key Management Service – AWS Documentation
Troubleshooting Key Signing Errors

5.3 Design and implement a data encryption solution for data at rest and data in transit.

How to Protect Data at Rest with Amazon EC2 … – AWS – Amazon.com
Encrypting Amazon RDS Resources – AWS Documentation
Encrypting Data at Rest ( non AWS BLOG )
How to Encrypt and Decrypt Your Data with the AWS Encryption CLI
How to Address the PCI DSS Requirements for Data Encryption in Transit Using Amazon VPC
Architecture for HIPAA Compliance on AWS

The Full List of the Security, Compliance, and Identity Sessions, Workshops, and Chalk Talks at AWS re:Invent 2017

Based on acloud.guru founder Ryan Kroonenburg’s feedback on the exam, I’ve added some more study links:

Cloud HSM FAQs
Cloud HSM AWS Documentation
Protecting Data Using Server-Side Encryption with Amazon S3-Managed Encryption Keys (SSE-S3)
Protecting Data Using Client-Side Encryption in S3
IAM Policies and Bucket Policies and ACLs! Oh, My!
Posted in AWS, AWS Certified Solutions Architect, Cloud Security, Cyber Security

Spectre and Meltdown: kb4056892 Fix Causing AMD Issues, Seems to Affect Only Older AMD Processors

There were news stories out this morning about kb4056892 (Microsoft’s patch for Spectre and Meltdown) bricking AMD chips.

In reading them, it was hard to get a sense of how real an issue this is, since the media is great at propagating fear, uncertainty and doubt (FUD). None of the major stories on this I have read so far gives any metrics or specifics.

So I got my own. It seems the source of all the FUD in the media on this is this Microsoft Answers forum. I had some time to comb through 13 pages on the forum and collect some samples, and it appears all of the reported issues are on consumer AMD CPUs (samples from the forum below): older Athlon series parts, released by AMD in 2005 to 2006, and Turion, also released in 2005:

AMD Athlon 64 X2 4600+ and windows 10 pro
AMD Athlon 64 X2 6000+, Asus MB
AMD Athlon 64 X2 5200+ and Asus M3N78 Mb
AMD Athlon 64 X2 6400+ BBE, Asus MB
AMD Athlon 64 x2 5000+
ten years old AMD Athlon X2 64
Athlon X2 4200+
AMD processor Athlon 64 X2 6000+ and Win10 Home 32-bit
Athlon X2 5600 (Brisbane) W10 64 bit Home
Athlon 64 X2 6000 (Windsor) W10 64 bit Pro machine
Windows 10 x64 Pro Build (1709 16299.125) with an HP Pavilion Entertainment PC DV2-2116WM with AMD Turion 64 X2.
AMD Turion x2 dual-core mobile rm-72 and Win 10 Pro 64 bits
Athlon X2 4850e, Windows 10 pro
AMD Athlon 64 X2 4400+.
AMD Athlon 3200+
AMD Athlon 64 X2 6000+, Asus M3A78-V3, Win 10 Home (32bit)
HP60 with AMD Turion X2 RM70 32 bit
AMD Athlon 64 X2 5600+
AMD Athlon 4850e dual processor machine
AMD Athlon 64 X2 6000+
DualCore AMD Athlon 64 X2
AMD Athlon 5050e 2.60 GHz on Asrock AOD790GX/128M


Spectre and Meltdown

UPDATE:  AWS has patched 99.9 percent of its infrastructure:

https://aws.amazon.com/de/security/security-bulletins/AWS-2018-013/


Wanted to share so that everyone is aware of new major Security Vulnerabilities:

https://meltdownattack.com/

https://www.theverge.com/2018/1/4/16848976/how-to-protect-windows-pc-meltdown-security-flaw

https://www.theverge.com/2018/1/3/16846784/microsoft-processor-bug-windows-10-fix

CVE-2017-5753 and CVE-2017-5715 are the official references to Spectre

CVE-2017-5754 is the official reference to Meltdown

https://access.redhat.com/security/vulnerabilities/speculativeexecution

https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/ADV180002

https://support.microsoft.com/en-us/help/4073119/windows-client-guidance-for-it-pros-to-protect-against-speculative-exe


ELB XFF Headers

Which headers an AWS ELB passes on to the backend after SSL termination:

X-Forwarded-For: <original client IP>, <first proxy IP>, <second proxy 2 IP>...
X-Forwarded-Proto: <protocol name>
X-Forwarded-Port: <port number>

CloudNode Notes on XFF on ELB
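To make the ordering above concrete, here is an added example (not from the original post) of how a backend behind an ELB should read X-Forwarded-For. The ELB appends the address it saw the connection from, so only the rightmost entries are proxy-added; anything to the left was supplied by the client. It assumes a single ELB appending one entry (trusted_hops=1) and uses constructed sample header values.

```python
"""Trustworthy client-IP extraction from X-Forwarded-For behind an AWS ELB.

Added example, not code from the original post. Assumes the ELB (or a chain of
proxies you control, counted by trusted_hops) appends exactly one entry each.
"""
import ipaddress
from typing import List, Optional


def split_xff(xff: str) -> List[str]:
    """Split the comma-separated header into trimmed, non-empty entries."""
    return [e.strip() for e in xff.split(",") if e.strip()]


def client_ip_from_xff(xff: str, trusted_hops: int = 1) -> Optional[str]:
    """Return the client IP as seen by the outermost trusted proxy.

    The rightmost `trusted_hops` entries were appended by proxies we control,
    so the entry the outermost of them added (index len - trusted_hops) is the
    address it actually observed. Entries further left are unverified client
    input and are never used. Returns None when the header is shorter than
    the trusted chain or the chosen entry is not a valid IP address.
    """
    entries = split_xff(xff)
    idx = len(entries) - trusted_hops
    if trusted_hops < 1 or idx < 0:
        return None
    try:
        return str(ipaddress.ip_address(entries[idx]))  # also normalises IPv6
    except ValueError:
        return None


def client_supplied_entries(xff: str, trusted_hops: int = 1) -> List[str]:
    """Entries the client itself sent; useful for logging spoof attempts."""
    entries = split_xff(xff)
    return entries[: max(len(entries) - trusted_hops, 0)]


def naive_client_ip(xff: str) -> Optional[str]:
    """The common mistake: trusting the leftmost entry, which the client controls."""
    entries = split_xff(xff)
    return entries[0] if entries else None


# Constructed sample: a client that sent its own X-Forwarded-For claiming to be
# 10.0.0.5; the ELB then appended the real source 203.0.113.77.
SAMPLE_SPOOFED = "10.0.0.5, 203.0.113.77"

if __name__ == "__main__":
    print("naive  :", naive_client_ip(SAMPLE_SPOOFED))       # 10.0.0.5 (spoofed)
    print("trusted:", client_ip_from_xff(SAMPLE_SPOOFED))    # 203.0.113.77
```

Use the trusted value for allow-lists, rate limiting and audit logs; the naive value only shows what the client claimed.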


PaloAlto VPN Primer

I am building this to place all the resources in one place that you’ll need to build out PA AnyConnect on your PA firewall.

First, kudos to PaloAlto: you can do GlobalProtect VPN without a license as long as you do not want the host intrusion (HIP) checks.

These links provide the basics; I’ll add in any missing parts and fill in the blanks below.

Guide to Building GlobalProtect

Certificate Configuration on PA

Generate a Self-Signed Cert for Testing

First caveat I am running into with this is attempting to configure GlobalProtect on a VM-Series firewall in AWS. I am thinking that because all the interfaces are DHCP, I may have to do some funkiness like terminating GlobalProtect on a loopback and creating a NAT policy.

An example I am trying is here.


Quick and Dirty OPENSSL

Making a new cert? Here are some things below that should help.

#The openssl command to generate a 2048-bit RSA private key is:

openssl genrsa 2048 > private-key.pem

#The CSR is generated from the private key. The following command creates the CSR (it prompts for the subject fields, e.g. the Common Name):

openssl req -new -key private-key.pem -out csr.pem

Once you’ve completed your certificate with one of the major Certificate Authorities, you can then import your certificate into Amazon’s Certificate Manager to be used on an ELB. Amazon will also create SSL certificates for you.

Once you have your cert created, encrypt your private key:

#symmetric encryption; prompts for a passphrase and writes private-key.pem.gpg
gpg -c ./private-key.pem

#and remove the original plaintext key

rm -f ./private-key.pem

Certificate checkers:

Qualys [ SSLLABs ] Cert Checker

sslshoppers Certificate checker


Joining Machines to AWS provided Microsoft Directory Services

This one is quick and dirty, folks: some quick resources if you are doing AWS Directory Service on AWS.

How to automatically Configure your systems to join an AD Domain on AWS

Terraform Directory Services for AWS Page

AWS System Manager Documents from the ‘IT Hollow Blog’

Quick Windows shortcuts

#Open the Network Connections control panel quickly

%SystemRoot%\system32\control.exe ncpa.cpl

#Open System Properties quickly:

%SystemRoot%\system32\control.exe sysdm.cpl
