DVA-C02 Unit 2: Comprehensive Security Study Guide
Unit 2: Security
This guide covers the critical security concepts for the AWS Certified Developer Associate (DVA-C02) exam, focusing on identity management, encryption, and the protection of sensitive data.
Learning Objectives
By the end of this module, you will be able to:
- Implement authentication and authorization using AWS IAM and Amazon Cognito.
- Configure federated access and manage bearer tokens for secure application entry.
- Distinguish between and implement encryption at rest and encryption in transit.
- Apply client-side versus server-side encryption strategies using AWS KMS.
- Securely manage sensitive data, environment variables, and secrets in application code.
Key Terms & Glossary
| Term | Definition |
|---|---|
| Principle of Least Privilege (POLP) | The practice of granting only the minimum permissions necessary to perform a task. |
| Authentication (AuthN) | The process of verifying who a user is (e.g., login credentials). |
| Authorization (AuthZ) | The process of verifying what a user is allowed to do (e.g., IAM policies). |
| Identity Federation | Linking a user's identity across multiple identity providers (e.g., login with Google/SAML). |
| STS (Security Token Service) | A web service that enables you to request temporary, limited-privilege credentials. |
| KMS (Key Management Service) | A managed service that makes it easy to create and control cryptographic keys. |
The "Big Idea"
> [!IMPORTANT]
> The core philosophy of AWS Security is "Safe by Design." This means security should not be an afterthought but an integrated part of the development lifecycle. Every identity must be verified, and every API call must be explicitly authorized following the Principle of Least Privilege.
Formula / Concept Box
Authentication vs. Authorization
| Feature | Authentication (AuthN) | Authorization (AuthZ) |
|---|---|---|
| Focus | Identity | Permissions |
| Question | "Who are you?" | "What can you do?" |
| AWS Tool | Cognito User Pools, IAM Users | IAM Policies, Cognito Identity Pools |
Encryption Types
- At Rest: Data encrypted while stored on disk (S3, RDS, EBS).
- In Transit: Data encrypted while moving between client and server (HTTPS/TLS).
Hierarchical Outline
- Identity and Access Management
  - IAM Principals: Users, Groups, and Roles.
  - IAM Roles: Used for temporary access; highly recommended for EC2 instances and Lambda functions to avoid hardcoding credentials.
  - Federation: Using SAML 2.0 or OpenID Connect (OIDC) to allow external users to access AWS resources.
- Amazon Cognito
  - User Pools: Managed user directory (Sign-up/Sign-in).
  - Identity Pools: Provide temporary AWS credentials to users for accessing other AWS services.
- Data Security & Encryption
  - AWS KMS: Customer Master Keys (CMKs, now called KMS keys), data keys, and key rotation.
  - Server-Side Encryption (SSE): AWS manages the encryption process on your behalf (e.g., SSE-S3, SSE-KMS).
  - Client-Side Encryption: You encrypt the data before sending it to AWS.
- Managing Sensitive Data
  - Secrets Manager: Securely stores database credentials and API keys; supports automatic rotation.
  - Parameter Store: Part of AWS Systems Manager; provides hierarchical storage for configuration data.
Visual Anchors
- [Figure: Identity Flowchart]
- [Figure: Server-Side vs. Client-Side Encryption]
Definition-Example Pairs
- Bearer Token: A security token that grants access to whoever presents it (the "bearer"), so it must be protected like a password.
  - Example: An OAuth 2.0 Access Token sent in an `Authorization: Bearer <token>` header to call a protected API.
- Data Masking: Hiding original data with modified content for security.
  - Example: Displaying only the last four digits of a credit card number in a UI: `**** **** **** 1234`.
- Identity Federation: Allowing users to log in via a third-party provider.
  - Example: Allowing employees to log in to the AWS Console using their existing corporate Microsoft Active Directory credentials via SAML.
Worked Examples
Example 1: Assuming an IAM Role (CLI)
If an application running locally needs to access an S3 bucket in a production account, it can use STS to assume a role.
- Call STS:
```bash
aws sts assume-role --role-arn "arn:aws:iam::123456789012:role/S3AccessRole" --role-session-name "ExampleSession"
```
- Result: You receive an `AccessKeyId`, `SecretAccessKey`, and `SessionToken`.
- Apply: Export these as the `AWS_ACCESS_KEY_ID`, `AWS_SECRET_ACCESS_KEY`, and `AWS_SESSION_TOKEN` environment variables to authenticate subsequent requests.
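The "Result" and "Apply" steps above in code, as an added example that is not part of the guide: it parses a constructed sample of the assume-role JSON (all credential values are fake placeholders), maps the three credential fields to the environment variables the AWS CLI and SDKs read, and checks how much lifetime the temporary credentials have left.

```python
import json
from datetime import datetime, timezone

# Constructed sample of what `aws sts assume-role` prints; every value is a fake placeholder.
SAMPLE_STS_OUTPUT = json.dumps({
    "Credentials": {
        "AccessKeyId": "ASIAEXAMPLEKEYID0000",
        "SecretAccessKey": "exampleSecretAccessKeyDoNotUse000000000",
        "SessionToken": "FwoGZXIvYXdzEXAMPLESESSIONTOKEN",
        "Expiration": "2024-01-01T13:00:00+00:00",
    },
})

# STS credential fields mapped to the environment variables the AWS CLI and SDKs read.
ENV_VAR_FOR_FIELD = {
    "AccessKeyId": "AWS_ACCESS_KEY_ID",
    "SecretAccessKey": "AWS_SECRET_ACCESS_KEY",
    "SessionToken": "AWS_SESSION_TOKEN",
}


def credentials_to_env(sts_json):
    """Parse assume-role output and return {ENV_VAR: value} for the three credential parts."""
    creds = json.loads(sts_json)["Credentials"]
    missing = [f for f in ENV_VAR_FOR_FIELD if f not in creds]
    if missing:
        # Without all three parts the credentials are unusable; fail rather than export half a set.
        raise ValueError(f"STS response missing fields: {missing}")
    return {env: creds[field] for field, env in ENV_VAR_FOR_FIELD.items()}


def parse_timestamp(iso_ts):
    """Parse an ISO 8601 timestamp (accepting a trailing 'Z') into a UTC-aware datetime."""
    return datetime.fromisoformat(iso_ts.replace("Z", "+00:00")).astimezone(timezone.utc)


def seconds_remaining(sts_json, now_iso):
    """Lifetime left on the temporary credentials at `now_iso`; negative means already expired."""
    expiration = parse_timestamp(json.loads(sts_json)["Credentials"]["Expiration"])
    return (expiration - parse_timestamp(now_iso)).total_seconds()


def export_lines(env):
    """Render the `export NAME='value'` lines to paste into (or eval in) a shell."""
    return [f"export {name}='{value}'" for name, value in env.items()]


if __name__ == "__main__":
    print("\n".join(export_lines(credentials_to_env(SAMPLE_STS_OUTPUT))))
```

Because the session token is a bearer credential, treat the exported lines like a password: do not write them to shell history or logs, and re-run assume-role once `seconds_remaining` approaches zero.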
Example 2: Using AWS Secrets Manager in Code
Instead of hardcoding a database password, the developer fetches it at runtime.
```python
import boto3
from botocore.exceptions import ClientError


def get_secret():
    # Region is fixed here for the example; in real code take it from configuration.
    client = boto3.client('secretsmanager', region_name="us-east-1")
    try:
        response = client.get_secret_value(SecretId='my-db-secret')
        # SecretString is the plaintext secret: use it, but never log or print it.
        return response['SecretString']
    except ClientError as e:
        # Surface the AWS error (e.g. ResourceNotFoundException, AccessDeniedException) to the caller.
        raise e
```
Checkpoint Questions
- What is the difference between an IAM User and an IAM Role?
  - Answer: A user has permanent credentials, while a role is intended to be assumed by anyone who needs it for a short time and provides temporary credentials.
- When would you choose AWS Secrets Manager over Systems Manager Parameter Store?
  - Answer: Choose Secrets Manager when you need automatic password rotation or cross-account access for sensitive credentials.
- If an application requires "fine-grained access control" for millions of mobile users, which service should you use?
  - Answer: Amazon Cognito (User Pools for identity, Identity Pools for resource access).
- True or False: In Server-Side Encryption (SSE), the client is responsible for encrypting data before it reaches the AWS endpoint.
  - Answer: False. That is Client-Side Encryption. In SSE, the AWS service encrypts the data as it is written to the disk.