Other

Macie

General Info

• Security service which uses machine learning and NLP (natural language processing) to discover, classify and protect sensitive data stored in S3
• Works directly with data stored in S3, but can also analyze CloudTrail logs

Characteristics

• Monitors
  • Personally Identifiable Information (PII), Personal Health Information (PHI), regulatory documents (legal, financial), API keys and secret key material
  • Watches policy and ACL changes
  • Watches access patterns via CloudTrail
• Data classifications
  • by Content Type (JSON, PDF, Excel, TAR/ZIP, source code, XML)
  • by Theme (AMEX/Visa/Mastercard card keywords, banking/financial keywords, hacker and web exploitation keywords)
  • by file extension (.bin, .c, .bat, .exe, .html, .sql)
  • by regular expression (aws_secret_key, RSA private key, SWIFT code, Cisco Router Config)

---

Audit Manager

• Provides prebuilt frameworks for common industry standards and regulations, and automates the continual collection of evidence to help you in preparing for an audit

---

Control Tower

• It helps you create new accounts and establish a security baseline for AWS accounts
• This cannot be used if you already use AWS Organizations or if you previously used Landing Zone

---

Secrets Manager

Service which securely stores, encrypt and rotates DB credentials and other secrets

• Encryption in transit and at rest using KMS
• Automatically rotates credentials
• Apps can make API calls to Secrets Manager to retrieve secrets programmatically

• Apply fine grained access control using IAM policies:

  Policy Type	Effect
  Identity-based	You can grant access to many secrets for the same identity Useful when setting up an IAM role that requires access to more than one secret
  Resource-based	Grant access to multiple principals to a secret

• Automatic secrets rotation:

  • The rotation process takes advantage of AWS Lambda functions to orchestrate the secret rotation process
  • The following database services support automatic secrets rotation:
    • RDS (Aurora, MySQL, PostgreSQL, Oracle, MariaDB, Microsoft SQL Server)
    • DocumentDB
    • Redshift

Comparison with Parameter Store:

Secrets Manager	Parameter Store
Database credentials, API/SSH keys	Password, DB strings, license codes, parameter values, config data
Built-in integration with RDS (MySQL, PostgreSQL, Aurora)	User defined parameters
Built-in rotation of RDS secrets, support for non-RDS using Lambda	Values may be clear text or encrypted
Charged: $0.40 secret/pcm + $0.05 per 10,000 API calls	No additional charge
	Integrated with Secrets Manager

• The Old Faithful: Why SSM Parameter Store still reigns over Secrets Manager: Post exploring why the tried-and-true SSM Parameter Store is still the preferred choice for many developers and dive into the advantages it has over Secrets Manager

---

Systems Manager (SSM)

Capabilities

Category	Description
Operations Management	Understanding the current state of your environment and how its components are performing Covers features such as Explorer, OpsCenter, CloudWatch Dashboard, and Personal Health Dashboard (PHD)
Application Management	Administration of applications that are distributed along several components and AWS accounts Group resources of different types together based on a query (e.g. an application) Inventory: applications, files, network configurations, Windows services, registries, etc. Many features require the Agent installed (EC2 instances need an instance profile for a role that has the necessary permissions to allow the agent to interact with SSM)
Actions & Change	Allows to specify a sequence of actions to be executed on your managed instances and how to control its execution
Instances & Nodes	Manage instances and nodes at scale

Features

Run Command	Manages a fleet of EC2 at scale, without having to login to each instance Commands can be applied to a group of systems based on AWS instance tags or by selecting manually SSM agent needs to be installed on all your managed instances Integrations Logs via CloudTrail Can be triggered by CloudWatch Events
Session Manager	Browser based shell w/ IAM & CloudTrail Can log session data to S3 and/or CloudWatch Logs
Parameter Store	Pass confidential information to EC2 as a bootstrap script Types String (plain text) String List (plain text) Secure String: encrypts data using KMS Can be tagged + organized in a hierarchy KMS for encryption (users need KMS permissions to use the corresponding CMK)
State Manager	Establishes the instance's desired state (via an association) and the actions to bring the instance to that desired state (OS configuration, rollout schedule, compliance reporting) An association also defines which instances are covered by this desired state and a schedule to periodically execute the checks Example: ensure that the antimalware is running → if it's not installed, State Manager will install it automatically, and if it's not running, State Manager will start the service
Patch Manager	Keeps instances and nodes in the desired state regarding OS and application patches Patching configuration: desired state for patching (a patch baseline with rules and definitions on which patches an instance should have) target list of instances schedule for patching whether a specific maintenance window applies To execute the patching actions RunCommand (for a single execution) MaintenanceWindows (when periodically scheduled)
Compliance	Shows the current adherence status both for State Manager and Patch Manager
OpsCenter	Aggregates operational issues, provides tools for diagnosis, and helps accelerate the resolution of those issues by allowing the automation of tasks through SSM automations It's not recommended that you send security issues to OpsCenter to be centralized (you should use Security Hub instead)

---

1. Revisiting Macie ↩