WEBVTT
1
00:00:05.680 --> 00:00:10.420
Pete Durst: I have a Start Webinar button on my screen. Should I push that? I just did.
2
00:00:10.720 --> 00:00:14.420
Pete Durst: Okay, and it disappeared. Okay.
3
00:00:15.340 --> 00:00:26.599
Myles Brown :: Moderator: Well, welcome. Good afternoon, or good morning, or good evening, wherever you're coming from. It's going to take a while for everybody to come in, so we'll give them a couple of seconds to get in there.
4
00:00:30.650 --> 00:00:35.179
Myles Brown :: Moderator: And we'll get started when the number of attendees starts to level off.
5
00:00:40.820 --> 00:00:42.690
Myles Brown :: Moderator: They're still coming in.
6
00:00:54.070 --> 00:00:58.870
Myles Brown :: Moderator: All right, while we're waiting for a few more people to come in. My name is Myles. I
7
00:00:59.590 --> 00:01:18.089
Myles Brown :: Moderator: I'm the senior Cloud and DevOps advisor at ExitCertified. ExitCertified is partnered with AWS for training, and training is kind of our only business. We've been doing AWS training, authorized training, since 2014. So, you know, 9 years, coming up on 10 soon.
8
00:01:18.350 --> 00:01:39.399
Myles Brown :: Moderator: And yeah, it looks like people are still coming in. So, you know, it takes a little while on the Zoom webinars. By the way, this is sort of one of these kind of free webinars that we put on. So it's a little bit different than our regular classes. We want to open it up to as many people as possible. We had well over a hundred people register. We never get
9
00:01:39.400 --> 00:01:53.690
Myles Brown :: Moderator: quite that many people show up, but so we run it more webinar style, so you can't turn on your cameras or your microphones. But you should be able to ask questions in the chat and see the questions asked.
10
00:01:53.790 --> 00:01:58.890
Myles Brown :: Moderator: So let me just throw something in the chat here. Hello from Toronto!
11
00:01:59.880 --> 00:02:12.710
Myles Brown :: Moderator: That's where I'm from. Maybe you can throw in the chat where you're coming from. Pete is going to be your instructor. He's a fellow Canadian. You're somewhere near Ottawa, right? Oh, Prescott, yeah, that's, well, somewhere near Ottawa.
12
00:02:12.950 --> 00:02:19.780
Myles Brown :: Moderator: So we'll see. Oh, here we go. We got New Jersey. All right. So
13
00:02:20.830 --> 00:02:23.039
Myles Brown :: Moderator: they're still coming in. But
14
00:02:23.280 --> 00:02:40.719
Myles Brown :: Moderator: so we do these a little more webinar style. Just to answer some things up front: the slides that Pete is using, he's not allowed to share with you. But we are allowed to record this, and so everybody who registered will get an email with the link to the recording.
15
00:02:41.090 --> 00:03:03.050
Myles Brown :: Moderator: In fact, you know, this is just one of a series of Discovery Days that AWS allows authorized training partners like ExitCertified to produce. So we have 2 more live ones. So next Tuesday, I'll be doing one on data and analytics. And then the following Tuesday, our colleague, Chris Littlefield, will be doing one on machine learning.
16
00:03:03.050 --> 00:03:11.859
Myles Brown :: Moderator: But there were a couple that already went by. So when we come back at the end... I, you know, I'm going to leave and sort of just deal with the chat. Pete's going to present,
17
00:03:11.860 --> 00:03:23.380
Myles Brown :: Moderator: and then I'll talk a little bit at the end. We've got, like, a summer promotion going on. If you want to take any technical training, you can get a pretty good deal on that. We also have,
18
00:03:23.400 --> 00:03:32.259
Myles Brown :: Moderator: you know, some other... Well, we'll probably talk about some of the courses, and I'll also point you towards some of the other free webinars and where you can find those.
19
00:03:32.810 --> 00:03:52.750
Myles Brown :: Moderator: But for now, I think, without further ado, I'll introduce Pete Durst to you. Pete's been in IT for a very long time. I met him in the late 90s, I believe. We both worked at the same company, where he was a Solaris administration kind of guy, and I was more of a Java developer. And so, you know, we've
20
00:03:52.750 --> 00:04:04.290
Myles Brown :: Moderator: sort of mirrored our jobs along the way, he more on the administration side and security, and me more on the development and data and analytics side.
21
00:04:04.290 --> 00:04:15.540
Myles Brown :: Moderator: And so we've worked together at several different companies, and there's nobody I would rather be in a class with when it comes to all things security, especially in the cloud, because, like myself, Pete's been, too,
22
00:04:15.540 --> 00:04:24.300
Myles Brown :: Moderator: you know, teaching AWS classes since 2014, or somewhere around there. So you're in very good hands. So Pete, take it away.
23
00:04:24.400 --> 00:04:43.110
Pete Durst: Alright. Thank you, Myles, and welcome to the Discovery Days class. I'm Pete Durst. I'm going to be the person dragging you through some slides. I'm a Solutions Architect, Specialist and DevOps Engineer, Security Specialist and a Network Specialist with AWS. So that's a number of certifications.
24
00:04:43.190 --> 00:05:11.270
Pete Durst: Certainly, I play a lot in the security world. And, you know, as we all know, security is an evolving, ever-changing environment. There is no, you know, consistency to any of it, because, as we know, those evildoers on the planet are out there looking for ways to, you know, make your life a little bit rougher than it should be. So what we want to do is talk a little bit about security in AWS and looking after your resources in the cloud. And of course
25
00:05:11.270 --> 00:05:22.929
Pete Durst: introduce you to some of the things that we do to help you out, as well as introducing some things that you may not have been aware of, and hopefully they can help you when you're trying to protect your resources and your data, of course.
26
00:05:22.990 --> 00:05:28.019
Pete Durst: So let's go ahead and get started and look at
27
00:05:29.050 --> 00:05:53.669
Pete Durst: the benefits of using the cloud. So first thing off, you know, cloud environments allow you to step away from the management of a data center, where you have physical limits: you only have so many slots in the racks, you only have so many racks, only so much power, cooling, and so on and so forth. They become the problem. They become a fixed, you know, problem. You can't really, you know, defeat that.
28
00:05:53.670 --> 00:06:18.560
Pete Durst: And of course, the long procurement times and everything else also worked against the data centers, and certainly many of the reasons for folks to move to a cloud-based solution are those ones there. With the cloud, the benefit of elasticity, to be able to change things quickly. In other words, you know, being able to move from one type of system to another one, or experiment with new technologies, or look at, you know, different approaches
29
00:06:18.720 --> 00:06:33.880
Pete Durst: is relatively easy. We've got, you know, lots and lots of choices, and the opportunities are there for you to take advantage of that, and of course be able to increase or decrease your fleet sizes to accommodate load, testing, whatever it is. It's always a big piece to that.
30
00:06:33.880 --> 00:06:57.030
Pete Durst: Speed and agility is part and parcel to that. Being able to change quickly. Your customers are, you know, speed freaks. They want things quickly. They don't want to wait for months or years to get new features. They want them yesterday, and of course we know that this is all part of being, you know, in a fast-moving, fast-evolving world, to be able to keep up with that.
31
00:06:57.060 --> 00:07:24.379
Pete Durst: To be able to go anywhere in the world is also another big feature. I have clients in a European area; to be able to deploy my services in that area and, you know, reduce their latency, to reduce their time to, you know, wait for things to happen, of course increase the performance for downloads and things like that. That's super important. We trade off the purchase world for the pay-as-you-go, or the rental, world.
32
00:07:24.380 --> 00:07:40.910
Pete Durst: So instead of buying your car, you rent it, and just like renting a car, when you're done with it, you turn it back in. You stop paying for it when you give the keys back. So this is exactly what we do: you rent your compute resources, when you're finished with them you return them, and of course you stop paying for them at that point.
33
00:07:40.910 --> 00:08:06.030
Pete Durst: We want to also have a very secure environment. So not only AWS helping you to protect your resources, but you being able to do all those things that you already know how to do, and do that in a way to, you know, again help protect your resources, prevent those evildoers from winning. And that's always something we want to be very, very much on top of. It's just not a one-time thing. You've got to do this continuously.
34
00:08:06.740 --> 00:08:30.190
Pete Durst: So your account, you know, in AWS, an account is the owner of the resources, if you will. When you create an AWS account, of course, you use an email address to do this. The email address, of course, identifies the account ownership, if you will. The account is given a unique number, and of course we use that as a reference to, you know, who owns which resources where.
35
00:08:30.270 --> 00:08:49.379
Pete Durst: Inside the account, of course, you can create users, regular standard users, and again, provide permissions to them to be able to manage those resources in the account, which could be things like the virtual machines, Elastic Compute Cloud, or EC2; our storage solution, called S3, or Simple Storage Service.
36
00:08:49.380 --> 00:09:08.510
Pete Durst: And again, you know, being able to manage those resources, plus many, many, many others that we have in our world. From the security perspective, we need to really identify, you know, what the customers are responsible for and what, of course, AWS is responsible for. And that's really what, you know, is super important to start off with.
37
00:09:08.510 --> 00:09:29.519
Pete Durst: So when we look at this particular diagram, we see, you know, AWS is responsible for everything below that dashed line. And if we look at this, this is all the hardware. So every data center that AWS owns, wherever they are, those are, you know, managed, and AWS is 100% responsible for those.
38
00:09:29.520 --> 00:09:43.860
Pete Durst: The services they run above those, you know, providing us access to those compute resources or storage resources, or whatever they might be, that's also AWS's responsibility. So this is always, always, always a hundred percent AWS.
39
00:09:43.860 --> 00:09:59.200
Pete Durst: We look above the line. This is where we get into, you know, potentially what type of service, as to how much of this is yours. Ultimately, the customer data is always a hundred percent yours. AWS is never, ever responsible for this. This is yours.
40
00:09:59.200 --> 00:10:17.919
Pete Durst: However, the intervening layers here really kind of depend on what service you're talking about, as to whether that's going to be your responsibility, or a combination of you and AWS, or even just AWS. So our Simple Storage Service, pretty much none of this belongs to the customer. Almost all of this belongs to AWS.
41
00:10:17.920 --> 00:10:36.559
Pete Durst: On the other hand, Elastic Compute Cloud's virtual machine, all of this belongs to you. So it really kind of depends on the service as to how much of this is really going to be, you know, your responsibility. And again, we look at things like, you know, application updates and patches, operating system updates and patches,
42
00:10:36.560 --> 00:10:56.660
Pete Durst: using encryption or not in storage, server-side encryption, client-side encryption, VPNs, network protections, all of these things fit into this area. And of course these are super important, you know, to keep in view. And again, it is above that line. So it's kind of one of those things to make sure that if you're responsible for that, you're taking care of that.
43
00:10:58.680 --> 00:11:11.330
Pete Durst: The security design principles are the next thing we want to look at. Again, we want to, you know, kind of look at all the different things that we can talk about as far as security goes, and we will start off with the principle of least privilege.
44
00:11:11.330 --> 00:11:30.819
Pete Durst: So the least privilege principle really is all about making sure that the users in your account only have enough privilege to do their job. And this may sound kind of, you know, like we're handcuffing them and we're restricting them severely and stuff like that. But the other side of this, and you kind of look at it from the business perspective, is:
45
00:11:30.850 --> 00:11:55.080
Pete Durst: if I allow that person to have privileges to do everything, mistakes can happen. They maybe don't understand the billing mechanism. They don't understand the cost mechanisms. They go out there and they launch something like Redshift, which is a very expensive data warehousing solution, and they're just playing around. They don't even realize that they're costing their company a lot of money with, you know, a resource that really isn't needed.
46
00:11:55.150 --> 00:12:17.509
Pete Durst: And then the other side of that is, accidents do happen. So, hey, I was over here looking at this resource. I didn't realize that if I said delete it actually would delete it. I'm sorry, I didn't mean to make that go away. You mean that was the production database that disappeared? So these are the kinds of things where you really want to make sure that they just have enough to do their job. From my perspective as a security guy,
47
00:12:17.510 --> 00:12:28.319
Pete Durst: I love calls that say, Pete, I can't do my job because I don't have the permissions to do what I need to do, and then I have to resolve that and figure out what I need to give them to let them do their job.
48
00:12:28.320 --> 00:12:50.710
Pete Durst: I'd rather get that kind of call than the call from their manager, which says, How come our production database disappeared? And why didn't you stop that? Which is always a call that nobody ever wants to have. So these are really the kinds of things that we want this to apply to. Least privilege principle: only enough to do what you need to do. Don't go any further than that.
49
00:12:50.820 --> 00:12:58.750
Pete Durst: Then, for separation of duties, you know, hey, as a database admin you need these privileges; as a developer, you need these privileges.
50
00:12:58.750 --> 00:13:22.010
Pete Durst: They're not going to be the same. So, you know, when you're working as a database admin, here's the privileges you need for that. And when you're working as the developer, here's your privileges for that, and we really don't want them to be mixed together. Say, well, you need to do both, so we'll just give you everything in one shot. We really want to separate them out. So roles come into play, and we use those as a way to say, hey, when you're doing the database admin, use this role; when you're doing developing, use this role.
51
00:13:23.020 --> 00:13:32.280
Pete Durst: Long-term credentials are where we have passwords and keys that don't expire, and this is something that, you know, is convenient,
52
00:13:32.280 --> 00:13:57.059
Pete Durst: but it's also what hackers love. And when we look at it from that perspective, you need to, you know, make sure that you're using policies that force password changes regularly, you're using policies that force key changes regularly. If you're using roles, kind of what I was just talking about in the previous bullet, these always use temporary credentials. There, the credentials' max time is 36 hours,
53
00:13:57.060 --> 00:14:12.550
Pete Durst: so they can't last longer than that. So that's really a great idea. Short-term credentials, really: if they're compromised, somebody's gotten them that shouldn't have gotten them, they're not going to last long. They're not going to be much value to them for a very long period of time.
54
00:14:12.560 --> 00:14:14.150
Pete Durst: Change it as quick as you can.
55
00:14:15.870 --> 00:14:34.039
Pete Durst: Enable traceability. So whenever I'm doing a Security Engineering class or Security Essentials class, one of the very first things I tell people, and even in the architecting classes, is, you know what, check your compliance requirements. You need to go and look up your compliance requirements. We have a service called AWS Artifact.
56
00:14:34.040 --> 00:14:53.829
Pete Durst: It's a great place to go look for this information. Find out what you have to work with. What do you need to do in order to stay compliant for the services that you're running? And almost always, again, I'm going to say all of the time, it's going to say you need to capture activity logs. You need to capture what's going on in your account.
57
00:14:54.730 --> 00:14:58.079
Pete Durst: So enabling traceability is a big part of that. What's that?
58
00:15:01.220 --> 00:15:25.129
Pete Durst: Sorry about that. I thought I was going to say it's just going to come back with... I apologize. So enabling traceability is all about capturing those activities and what's going on, with the activity logs and stuff like that. So with that, CloudTrail is our API tracing tool, if you will. It tracks all the API requests made in your account. So that's one piece to that.
59
00:15:25.130 --> 00:15:50.120
Pete Durst: Application access and activity and stuff is something that you need to do, and that, of course, is capture the information from the host, from the virtual machine, for example, and then, of course, store that in some location where you can retain those for as long as you need to retain them. Take advantage of the services that can help you manage that information, be able to search for patterns, to be able to look
60
00:15:50.120 --> 00:16:09.320
Pete Durst: for things, and then, of course, the CloudWatch Logs service can help out, and of course there are lots of third-party services out there as well to keep an eye on what's going on with your resources. So another service is called Config, AWS Config. Keep track of all your resources: when they were created, when they were last changed,
61
00:16:09.320 --> 00:16:22.629
Pete Durst: when they were deleted. All that's recorded in there. So you can, you know, track resource, you know, existence, you know, when it kind of went away. When did it go, who made it go, through CloudTrail, etc., etc. So lots of things there.
62
00:16:24.510 --> 00:16:36.470
Pete Durst: Secure at all layers. So we like to think of that onion, the layered approach with an onion. You know, you peel off a layer, you get to the next, and peel off a layer, get to the next, and peel off a layer, get to the next one.
63
00:16:36.600 --> 00:16:59.530
Pete Durst: With security, having a layered defense just means there are many things that have to happen before that information becomes exposed to whoever is trying to get to it. Obviously, we need those that need to be able to get to it to get to it. So that's where CIA comes in: confidentiality, integrity, and availability. So the A piece of that is, you know, being able to make it available.
64
00:16:59.530 --> 00:17:24.530
Pete Durst: So how do I make sure that that data is available, doesn't get compromised, it's integral? I need to do all of that. So putting many layers of defense in play is a fantastic idea. 3 firewalls is better than 1. 5 firewalls is better than 3. It's always in your best interest to put as many barriers between those that could do bad, nasty things to you and your sensitive information,
65
00:17:24.530 --> 00:17:46.210
Pete Durst: the information you want to protect, and the more you put in, the better. It makes it much more difficult for them to be successful, to break their way in. It can be a little bit more challenging, just because there are more steps to be done to allow actual access to that data. But in reality it's not that difficult to, you know, give something that's authorized access to that data,
66
00:17:46.210 --> 00:17:58.379
Pete Durst: but also deny those that aren't authorized. It isn't that hard. So this is really the kinds of things that you want to put as many layers in as you can. Take that defense-in-depth approach,
67
00:17:58.470 --> 00:18:16.500
Pete Durst: more is better than less, and take advantage of multiple services. Anytime we could use a managed service instead of me managing the service as a customer, and letting AWS manage the service, as an example, a Relational Database Service versus me running, you know, a database engine on EC2 myself,
68
00:18:16.530 --> 00:18:33.519
Pete Durst: I'm always going to be in favor of the RDS solution, just because I give AWS more responsibility to look after securing that resource and taking care of patches and making sure that it's updated and stuff like that. So anytime I can push it off to a managed service, I'm a fan of that. I'm good with that.
69
00:18:35.530 --> 00:18:48.700
Pete Durst: Automate, automate, automate. So when we look at, you know, the things we do in the cloud environment, everything can be done through API requests. So AWS itself is an API-driven, you know, resource,
70
00:18:48.710 --> 00:19:04.440
Pete Durst: and the API calls can be made from the web browser, that's what we call the Management Console, using our command line tools, which are free downloads and install really anywhere. Of course you could use the SDKs and incorporate those API requests right in your own application.
71
00:19:04.440 --> 00:19:19.590
Pete Durst: All of these API requests can be, you know, used to automate things. So, hey, if I, you know, tell you to create a VPC, or set up a subnet, or create your route table and launch a virtual machine, create that S3 bucket, whatever I need to do, I can do that through those API requests.
72
00:19:19.670 --> 00:19:31.549
Pete Durst: Well, that means that I can then automate that. I can write a script. I can use something like CloudFormation, which allows for us to build environments. It gives us what we call infrastructure as code.
73
00:19:31.550 --> 00:19:52.080
Pete Durst: We can use playbooks from Systems Manager. We have, you know, Chef recipes and Puppet manifests from OpsWorks and stuff like that. So there's lots of things we can use as a way to automate things. So when we automate things, that gives us repeatability. We can recreate this very quickly, very easily,
74
00:19:52.080 --> 00:20:21.019
Pete Durst: and it gives us the ability to, you know, provide self-documentation. How did this become available? Here's the playbook we used, and we can look through that playbook and see how it was built, and be able to use that as a reference point, say, okay, we missed this part here, we need to adjust that, this is too much, this is not enough, and we can adjust, if you know what it is. This is certainly, you know, much, much, much preferred over the manual approach, where somebody, you know, goes in and manually changes and does things.
75
00:20:21.090 --> 00:20:38.070
Pete Durst: Manual is great for learning how to do things in the environment, but at the end of the day you want automation. You want to automate everything as much as you can. That gives you, you know, the ability to, you know, do things repeatedly and accurately, so it doesn't get changed every time you do it,
76
00:20:38.290 --> 00:20:41.230
Pete Durst: and that's exactly what we want.
77
00:20:43.560 --> 00:21:09.900
Pete Durst: Protect your data at all times. It really is kind of all these things. It's your data, you know, to keep it yours. Again, this is mostly dealing with encryption. And again, you know, different levels and different places to do it are always there. Again, layered defense is also really good here. So client-side encryption is where you have your application encrypt the data before you send it anywhere, so encrypt the data before it leaves the application.
78
00:21:09.900 --> 00:21:18.079
Pete Durst: Then take advantage of using an encrypting protocol like HTTPS, or use a VPN using IPsec, or whatever, OpenVPN,
79
00:21:18.080 --> 00:21:40.089
Pete Durst: as a way to tunnel the data from the application server to whoever's getting that data at the other end, and then server-side encryption, data-at-rest encryption, is also something you should do. So I encrypted that at the application side, client-side encryption. I send it to S3 using HTTPS. So I've actually double encrypted to transmit it.
80
00:21:40.090 --> 00:22:02.110
Pete Durst: I unencrypt it from HTTPS, but it's still client-side encrypted. Then I store it on S3, and I do server-side encryption on S3. So S3 now has encryption turned on by default. So you really don't have an option anymore. It's on. You could choose which one you like. So this is something that changed recently. So that gives us the ability to
81
00:22:02.980 --> 00:22:37.699
Pete Durst: take, you know, advantage of, hey, it's just going to be encrypted at rest. So again, it's double encrypted: the server-side encryption plus the client-side encryption. Well, it's there. That can get us to other things as well, as, you know, who has access to the keys to do the client-side encryption, which would again allow you to limit access to that resource. And kind of think of it this way: I've got sensitive HR information that's being stored in that S3 bucket. My administrators of the S3 bucket need to be able to manage the bucket. Of course they can see everything in the bucket and, you know, change properties of the bucket, things like that,
82
00:22:37.760 --> 00:23:01.129
Pete Durst: but I don't want them to be able to see the information in the actual object itself. So client-side encryption, and, you know, prevent that key from being visible to the admins. So I can manage the bucket, but I can't see the data. So that gives us that level of separation. So using client-side and server-side together, perfect. It's a great way to do that. Classify your data using tags.
83
00:23:01.130 --> 00:23:14.349
Pete Durst: We talk about tags in pretty much every class that AWS does. And it really is, it's a tool that is underutilized, really. You have the ability to apply up to 50 tags per resource,
84
00:23:14.370 --> 00:23:41.830
Pete Durst: and, to be honest, you really should put as many tags into play as you can. It can be useful for management of the resource, can be useful from the financial side of things, keeping track of, you know, what things are used for, which projects, and lifecycle and stuff like that, but also can be useful on the security side of things. And, you know, hey, this is secret, top secret, you know, confidential, restricted, you know, public information. You know, the tags are yours. Use them whatever way makes the most sense.
85
00:23:41.850 --> 00:23:56.909
Pete Durst: Again, as we said, don't do unencrypted communications. Do everything through, you know, a TLS-based protocol, or, you know, a VPN of some sort. And that way, again, the prying eyes can't see anything, and that's ultimately what we want.
86
00:23:59.380 --> 00:24:22.840
Pete Durst: Things go bad. We know this. This happens. It's not a fun thing. It's kind of one of those realities of our world, you know. The evildoers of our planet have way more time to, you know, come up with ways to try and wreak havoc in our world than we do to have, you know, to resolve them. So as soon as we figure something out, as soon as we fix something, they're off trying to figure another way to, you know, come in and wreak havoc in our world.
87
00:24:22.980 --> 00:24:44.660
Pete Durst: So that means that at some point something will go wrong. Something will not, you know, be happy. It will be a day when something didn't go the way it should have gone. So this is something that you need to be prepared for, and you've got, you know, there's a lot of monitoring services to help us out with this: Amazon Detective,
88
00:24:44.730 --> 00:24:56.690
Pete Durst: GuardDuty, Macie, and a few other ones are out there as ways to monitor for things that have, you know, gone sideways, that aren't working the way they're supposed to.
89
00:24:56.690 --> 00:25:21.249
Pete Durst: Take advantage of using those, and then use these as ways to trigger: hey, something went wrong. Somebody compromised the system, they installed, you know, software that shouldn't be there, malware, Bitcoin mining software, whatever, and you need to, you know, take those actions. Again, we talk about this in the Security Engineering classes, you know, things that you need to, you know, prepare for. How do you isolate it? How do you, you know, capture the information without compromising it?
90
00:25:21.320 --> 00:25:34.840
Pete Durst: And so on and so forth. These are all things that need to be done. So we need to plan for that. You can't just, you know, hey, by the way, we think this thing's broken, and then, you know, kind of guess what we need to do. This is something that you need to game out, that you need to plan for.
91
00:25:35.000 --> 00:25:58.159
Pete Durst: And that's really what that's all about: come up with your plans, your strategies, test them, make sure they work. And then, when something does go wrong, you can take those steps and say, okay, I know how to do this. I isolate my resource. I need to, you know, put this into play, trigger this, trigger that, and get those things happening that allow us to capture that information, and of course, you know, get that system offline as soon as possible,
92
00:25:58.160 --> 00:26:21.809
Pete Durst: and of course, you know, mitigate those risks. Mitigation really means, you know, how did that happen? You know, what were the steps that the evildoer took to compromise that system? What can we do to prevent that from happening again? And again, that can kind of go back to, you know, GuardDuty, Config rules and things like that, which can be very helpful. And it's, hey, we've seen these, you know, patterns
93
00:26:21.860 --> 00:26:41.889
Pete Durst: in the VPC Flow Logs that tell us that they're trying to do something like this, and then put, you know, ACLs into play, or security group rules into play, or employ the new firewall appliance and have it do, you know, the blocks on those types of packets and stuff like that, and be able to stop those things from happening.
94
00:26:41.890 --> 00:26:55.429
Pete Durst: I guess that process to isolate the incidents, and the incident response operations, is ultimately very critical. You need to really, you know, focus on that and get it ready to go before it happens. You don't want to do this, you know, when you've got a system that's compromised already.
95
00:26:57.300 --> 00:27:09.949
Pete Durst: Minimize the attack surface. So if I deploy, you know, 100 web servers on the Internet, I've got a hundred targets that need to be protected. I need to keep my eyes on 100 moving targets,
96
00:27:09.950 --> 00:27:34.479
Pete Durst: and of course, you know, any one of them could be compromised at any point. And of course, you know, depending on what the compromise is, that might end up meaning my whole fleet is then compromised. And that really is the problem. So what can I do to maybe minimize that attack surface? And one of the steps might be to put those behind a load balancer, where the load balancer would be the front end. So instead of, you know, 100 web servers available to the
97
00:27:34.480 --> 00:27:39.039
Pete Durst: clients, I've got a load balancer service that stands in front of them, which may be only
98
00:27:39.040 --> 00:28:04.009
Pete Durst: 2 or 3 or 4 systems that are facing the evildoers, and they actually act as a barrier between those evildoers and my back end services. So that can be a really good way to do that. Take advantage of any services; CloudFront is another great example of this. Using CloudFront, which is our content delivery network or CDN, it again acts as a barrier. The clients talk
99
00:28:04.010 --> 00:28:27.630
Pete Durst: to the CDN, to CloudFront, and then CloudFront talks to the back end services. The clients actually can't talk to the back end. They can only talk to CloudFront. So that really means AWS has to, you know, deal with the attacks and everything else at their level, and it should be fairly clear sailing from there back to your resources. Again, there are extra things you can do with that. Take advantage of API Gateway.
100
00:28:27.630 --> 00:28:47.340
Pete Durst: Again, you could still have a load balancer between, you know, CloudFront and your back end services. And again, more layers is better. So use them all: CloudFront, load balancers, and, you know, firewall appliances. Put as many things in there as you can to prevent those evildoers from making their way through.
101
00:28:47.410 --> 00:29:06.629
Pete Durst: If you have to expose it to the Internet, if it has to be there, make sure that you lock it down as much as you can. Don't leave ports open that don't need to be open. Hey, I might need to be able to do this at some point, versus I have to be able to do it. It's not the same thing.
102
00:29:06.630 --> 00:29:25.220
Pete Durst: So, you know, if it's an EC2 instance, maybe take advantage of, you know, Systems Manager, and use that as a way to access that resource instead of using SSH and leaving the SSH ports open and stuff like that. So there are ways to lock the resources down and minimize that exposure as much as possible.
103
00:29:26.210 --> 00:29:34.429
Pete Durst: So that gets us really to a good question, which is, What is your security posture? And that really is going to get us some more talking points to look at.
104
00:29:35.300 --> 00:29:57.719
Pete Durst: So we've got a number of things we're going to look at. We've got our 6 targets that we want to talk about. So we're going to start off with the one at the very, very top: authentication. So when we look at identifying who you are, and again, this can be done in a couple of different ways, there's authentication for access to the account, managing the account resources,
105
00:29:57.720 --> 00:30:06.129
Pete Durst: but also authentication to log into your application itself. So again, authentication is going to be in those 2 places. We're kind of focusing on the AWS side,
106
00:30:06.130 --> 00:30:30.440
Pete Durst: but it can be for both. So what is authentication? It's identifying who you are. So this could be a name and a password, or preferably, maybe, name, password and a two-factor authentication approach to it, and use that as a way to again prove you are who you say you are. So here's my name, here's my password, here's my MFA, you know, 6 digit code, and that, you know, is enough
107
00:30:30.440 --> 00:30:35.890
Pete Durst: information for us to say yes, you are who you say you are, and we now know who you are.
108
00:30:35.940 --> 00:31:00.130
Pete Durst: That's the first part. So whenever we look at an API request, yes, that's the very first thing we have to do: identify you. If I don't know you, you're not getting anything. Our default permission is deny. So if I don't know you, you're not going to get anything. If you don't authenticate, you get nothing. If you authenticate, the next piece we need to do is, of course, identify, you know, what permissions you have. So
109
00:31:00.280 --> 00:31:28.919
Pete Durst: IAM, Identity and Access Management. Again, managing access to the AWS account resources is what this is all about. The service is free; there's no charge for using it. It allows you to manage, you know, up to 5,000 users per account. You can organize them in groups if you wish, and as I've alluded to already, take advantage of roles as a way to provide, you know, a description of job duties, etc., etc.
110
00:31:28.920 --> 00:31:43.940
Pete Durst: When we look at logging in from the management console, like I said, it's username and password, or username, password and MFA. And again, MFA is optional. I kind of wish it was mandatory, but it is optional. You should make it mandatory for your account. Really should.
111
00:31:43.940 --> 00:32:10.539
Pete Durst: If you're using the command line tools or using the SDKs, we use keys, and the keys work almost the same way as a username and a password. We have an ID key, and then a matching secret key that kind of goes with that ID key. They're generated together as a set. You present those keys as your identification information. That will link you to exactly one user in one account. And that really is the same as the username and password
112
00:32:10.540 --> 00:32:14.659
from the Management Console; it's just a set of keys instead of names and passwords.
113
00:32:14.690 --> 00:32:19.480
Pete Durst: That's, of course, what's going to be used to identify you. That's the authentication piece.
114
00:32:20.340 --> 00:32:48.699
Pete Durst: The next piece is the authorization piece, which is, do you have permission to do this? Of course, once I know who you are, the next piece is, well, what is it you're trying to do? So I look at your API request. What API requests are you trying to make? And then assess whether you're going to be allowed to do that or not. So when we look at it, we're going to look at a number of things. So the first step, obviously, is the authentication. Like I said, that's the "who are you." You need that first.
115
00:32:48.720 --> 00:33:07.139
Pete Durst: Then I'm going to say, well, what is it that you're trying to do? And, you know, the access request, that's the API request that you're trying to make. If I want to create an EC2 instance, for example, I'm going to launch an EC2 instance. So I'm going to look at, you know, policies. And these are all JSON based policies. There can be
116
00:33:07.140 --> 00:33:31.489
Pete Durst: any number of these in many, many different locations, from 0 to, you know, tens, hundreds maybe. There could be any number of policies that we could look at around, you know, what it is you're trying to work with. So I can have policies associated with you, the user. I can have policies associated with any groups that you belong to. I can have policies on the resource itself. So say I'm trying to, you know, do something with S3.
117
00:33:31.490 --> 00:33:45.410
Pete Durst: I can have a policy on the S3 bucket that, you know, determines yes or whatever. So in this case, I'm going to gather all of the policies. It's like, you know, put them all in a big pot, kind of stir it all up, and then I've got to look at all the policies simultaneously.
118
00:33:45.450 --> 00:34:03.760
Pete Durst: And the first thing I'm going to do is, you know, kind of decide if this, whatever it is you're trying to do, is going to be denied or not. So the first thing I'm going to do is actually say, okay, we're trying to do something with an S3 bucket. They're going to create a bucket. So the resource is that S3 bucket. Then I'm going to look through all the policies.
119
00:34:03.760 --> 00:34:16.329
Pete Durst: And the first thing I'm looking for is a deny. So if any one of the policies has an explicit deny that says no, you can't do that, you're done. You cannot beat the explicit deny. You've already failed. You can't have this.
120
00:34:16.440 --> 00:34:40.760
Pete Durst: So when I look at all the policies, if I see one deny, you're out, you can't have it. If I don't see a deny, I must see an allow. So I'm going to look through all those policies. It doesn't matter how many allows there are. As long as at least one policy has an allow statement in it, you're going to get the resource. You're going to get it. So no deny, and there's an allow, you'll get the, you know, the API request, you know, satisfied.
121
00:34:40.820 --> 00:35:02.120
Pete Durst: If there is no deny, but there's also no allow, you're going to get what we call the implicit deny, which really means you don't get anything. The implicit deny is the default. Yeah, you can't have that. And of course it's the same as the explicit one: we don't tell you why, we just make it really difficult for you to, you know, do things, because you get "permission denied," and that's all you're really going to get.
122
00:35:02.210 --> 00:35:11.550
Pete Durst: So that allows us to again protect those resources. We identify who you are, then we identify whether you're going to be allowed to do that or not.
123
00:35:12.680 --> 00:35:41.990
Pete Durst: Monitoring is the next piece that we want to talk about. So monitoring is keeping an eye on the environment. We want to make sure that things are working the way they're supposed to, and these can be indicators of when things become compromised. So the normal CPU utilization of these particular services is 20%. All of a sudden they're running at 95. So why are they working so hard? Well, that could be because maybe there's some, you know, malware, some kind of illegal software installed on the systems.
124
00:35:41.990 --> 00:36:05.370
Pete Durst: We can see an increase in network traffic, which might be an indication something's been compromised and is doing something it basically shouldn't be doing. It can give me, you know, the status of the service or the resources that I'm concerned about: these are working, these are not working. It is the ability to keep an eye on the environment. Our service is called CloudWatch, and CloudWatch allows us to
125
00:36:05.370 --> 00:36:29.590
Pete Durst: really monitor a lot of things. We have a huge number of built-in, you know, metrics, is what we call them, and of course you can just look at these at any time. You can create a dashboard, which gives you a nice visual on all the things you want to see, and that can make it easier to just, you know, kind of get that 10,000 foot view of how things are. And then, you know, as you're working through that, hey, I want to drill into this. This doesn't look right.
126
00:36:29.590 --> 00:36:42.089
Pete Durst: You can go into it and look at more things. CloudWatch does support custom metrics, which really is anything you want. Those can come from, you know, in-cloud resources, but also from on-prem resources. So we can install an agent
127
00:36:42.090 --> 00:37:06.219
Pete Durst: on an on-prem resource and have that send stats, or whatever information you need, up to CloudWatch, and again be able to collect all that information and put it in one place. The benefit of this, of course, leads us to something called alarms. So we could look at things and say, you know what, whenever these things get over a certain percentage of CPU utilization, for example, that should be a trigger for us. That should be something we need to go look at. So I can set an alarm and say, hey,
128
00:37:06.220 --> 00:37:14.100
Pete Durst: watch the average CPU utilization on these, you know, web servers, if it ever goes above 70, I need to know that.
129
00:37:14.160 --> 00:37:39.449
Pete Durst: And basically we set an alarm on that. And basically, you know, whenever that happens, there's a time parameter that goes with this, it needs to be over that line for like 10 min or whatever. When that happens, the alarm triggers, and of course you can make them do whatever you want. So send me an email, send me an SMS message, trigger something like auto scaling, which is a way to automatically increase or decrease fleet sizes and things like that. So these are all great things.
130
00:37:39.450 --> 00:37:50.899
Pete Durst: We talk about CloudWatch Events here. This has actually changed since this slide was built. CloudWatch Events has moved to EventBridge. So it's another service called AWS EventBridge.
131
00:37:50.990 --> 00:38:19.819
Pete Durst: It basically allows us to do event driven coding, if you will. Basically, we can watch, again, as things happen in your account. And it's certainly things like hardware events and things like that which are really hard for you to get to, because, like I said back in the earlier slide, you don't have access to the hardware, but we will know if something went wrong, maybe with the hypervisor your EC2 is running on, stuff like that. That's where events come into play. You can create custom events in here. You can tie to the
132
00:38:19.820 --> 00:38:42.560
Pete Durst: huge list of events that are available to look at. You create an EventBridge rule, and basically that lets you, you know, come up again with an action. So it's a triggered or event-driven approach to things: this event occurs, do this afterwards. So run this Lambda function, you know, send a message, whatever you need to do. So again, CloudWatch Events has moved to EventBridge.
133
00:38:44.430 --> 00:39:08.309
Pete Durst: So auditing, again, back to the compliance stuff I talked about earlier. Yeah, it's our world, we live with this, you know. Audits happen. I need to be ready for that. So what can I do to set up my audits and stuff like that? And of course the primary one from the account perspective is CloudTrail. So every API, you know, request is tracked and logged in CloudTrail. It is always on. You can't turn it off.
134
00:39:08.400 --> 00:39:31.990
Pete Durst: By default, it only keeps the data for 90 days. However, like I said, when you do that audit, that compliance check, yeah, you're probably going to need to keep that longer than 90 days. So in that case you need to create a trail, which will store that information in an S3 bucket for the long term, and again you control how long that is with lifecycle policies and such on the S3 side.
135
00:39:32.010 --> 00:39:52.680
Pete Durst: It will track all the API requests: successful, failed, whatever. If it happens, it's tracked. It also tracks login failures and successes as well. So the management console, the support side and stuff like that. So it's good to track those as well. So it's all the API requests, plus a few, you know, login failures and
136
00:39:52.680 --> 00:40:12.359
Pete Durst: successes that will be recorded. These are well understood logs. There's a CloudTrail processing library that's available for those who want to write their own application to interpret it. You could go look at the logs directly; they're in S3, so you can see them there. Splunk, Sumo Logic, things like that are also well tuned to work with these logs.
137
00:40:12.360 --> 00:40:21.549
It'll give you exactly what you want. One event can give you 50 or 60 lines of information in a log file. So there's lots of information. There's lots and lots there.
138
00:40:23.520 --> 00:40:31.329
Pete Durst: Encryption is the next thing we want to talk about. So with encryption, we're looking at, you know, potentially
139
00:40:31.640 --> 00:40:37.160
Pete Durst: protecting our data at rest and in transit. We're looking at,
140
00:40:37.510 --> 00:40:41.779
Pete Durst: certainly working, all right. Hey? My video's also freezing up on
141
00:40:42.910 --> 00:40:45.359
Pete Durst: video seems to be. But
142
00:40:46.390 --> 00:40:55.440
Pete Durst: Yeah, my display video says I'm frozen. Is the audio on the slides coming through? Okay, yeah, the audio and the slides are fine, I think. All right, I'll just keep on.
143
00:40:55.610 --> 00:40:56.970
Pete Durst: Maybe I'll catch up.
144
00:40:57.190 --> 00:41:03.500
Pete Durst: I'm not really frozen, really, I'm not. All right. Encrypting data at rest and in transit, again, we talked about this
145
00:41:03.530 --> 00:41:13.869
Pete Durst: when we look at, you know, managing the encryption and looking after the encryption and stuff like that. These are things that... I'm just going to turn my video off and back on again and see how it is.
146
00:41:17.870 --> 00:41:22.670
Pete Durst: Maybe my camera doesn't like me. All right, we'll see.
147
00:41:23.700 --> 00:41:46.110
Pete Durst: So things to think about again: when you encrypt data, you need, you know, a couple of things to make that work. You need to select an algorithm or an application or, you know, program that you want to use to encrypt it. What kind of keys are going to be used to, you know, manage the encryption? Where do you put them? How do you store them? How do you get back to them? Who has access to those keys?
148
00:41:46.110 --> 00:42:02.830
Pete Durst: And these are, you know, all things you need to plan, and plan well ahead of time. Otherwise you're not going to, you know, necessarily be able to recover your data. If the data gets encrypted and you lose the key that was used to encrypt it, you're not going to get it back. It's not going to be decrypted.
149
00:42:02.870 --> 00:42:18.590
Pete Durst: Client-side encryption, as I said, is where you encrypt the data before it leaves the application. If it's, you know, your application, you can use whatever algorithms and keys you like, and of course you're managing your keys however you want. Use a hardware device, you could use
150
00:42:18.860 --> 00:42:30.210
Pete Durst: storage devices, KMS. The Key Management Service can store a limited amount of data through a custom key store and stuff like that.
151
00:42:30.220 --> 00:42:52.910
Pete Durst: Server-side encryption is where the servers are going to encrypt the data before they store it. This is a case where we need to, you know, kind of again manage who has access to the keys, and who's, you know, generating the keys. That's something that, of course, is there. Sorry about the video, folks. I'm not sure what's going on. Maybe my camera's decided that it doesn't want to play anymore.
152
00:42:53.090 --> 00:42:59.589
Pete Durst: I'll stop it for just a second here and start it again, just to see what's going on.
153
00:43:01.600 --> 00:43:02.870
That's good.
154
00:43:04.600 --> 00:43:09.709
Pete Durst: Yeah. So there we are. I've got to leave it like this. We'll figure it out later.
155
00:43:10.210 --> 00:43:11.220
Pete Durst: All right.
156
00:43:11.720 --> 00:43:38.730
Pete Durst: So there's our encryption. So let's go on from there. KMS, or Key Management Service, is our service that we use to help us with keys. Out of the box, Key Management Service really can't store data keys. If you set up what we call the custom key store, then you can store a limited number of keys with it and be able to manage those keys from there. However, out of the box it does not have that.
157
00:43:38.730 --> 00:44:05.780
Pete Durst: What it does is allow you to choose what kind of keys you want, symmetric or asymmetric keys. And of course we deliver those keys to you using a TLS based protocol and then make sure that you're able to, you know, encrypt or decrypt the data. Please understand, we're giving you 2 versions of the key: one that's encrypted and one that is not. The encrypted version of the key is encrypted with whatever primary key you've asked us to use, a service primary key or, you know, your own provided key.
158
00:44:05.780 --> 00:44:30.199
Pete Durst: And that way, you know, you have 2 variants of it. Then store the encrypted key with your data, and then, when you need to recover that data, send us that encrypted key. We'll decrypt it with the key that we used to encrypt it and send that back to you. And then, of course, you can use that key to decrypt the data. Again, because it is an AWS service, it's all done through API calls. So guess what, we get to track all of this with CloudTrail.
159
00:44:30.200 --> 00:44:38.660
Pete Durst: And of course, that gives you the auditing aspect. So who did what, where and how, how often they did it, and stuff like that is all going to be there.
160
00:44:39.950 --> 00:45:09.650
Pete Durst: In transit. So again, a number of different approaches for this. Using an encrypting protocol is one way. So HTTPS, for example, SSH, and so on and so forth. These are, you know, encrypting the data as it leaves your system. And then, you know, when it gets to the server, the server decrypts that data. So it doesn't really matter what's between you and the server. The data is protected between those 2 systems. Oh, look at that! My video finally came back.
161
00:45:09.760 --> 00:45:13.970
Pete Durst: Hopefully everybody can see me again. Hi, I'm back.
162
00:45:13.990 --> 00:45:41.809
Pete Durst: Okay, that's good. Again, with that, you know, that's one way. IPsec or OpenVPN tunnels are another way to do that. These usually work at the network level instead of the host level. So I attach the VPN endpoint to one network and then attach another VPN endpoint to another network. And then any data going between those 2 networks would be encrypted with IPsec or OpenVPN, whatever protocol you're using.
163
00:45:41.880 --> 00:46:04.820
Pete Durst: And of course, as it enters the tunnel it gets encrypted. Generally it's going across the untrusted Internet, and then when it gets to the other end, it gets decrypted on the other side and put back into the network in plain text. So it doesn't really protect the network you're attached to. It protects between the 2 networks. So SSL/TLS would go from host to server; VPN is network to network.
164
00:46:04.890 --> 00:46:27.479
Pete Durst: We also, you know, have the ability to manage SSL/TLS certificates through a service called Certificate Manager. Certificate Manager allows us to really do quite a lot. As Myles indicated a little bit earlier, you know, we started way back in 2014. Managing certificates back then was a pain. Trying to put a certificate on a load balancer and stuff like that was like a 30 step process.
165
00:46:27.480 --> 00:46:56.590
Pete Durst: And if you made a mistake in step 3, you wouldn't notice it until step 26. Of course, you'd have to do it all over again, because it didn't work. So when Certificate Manager came out, a lot of us went, well, about time, we needed that. And of course it's been improved on since it came out. So it looks after certificates for, you know, the load balancers, CloudFront and a number of other AWS services, so AppSync and things like that that require certificates. It'll manage those certificates for you.
166
00:46:56.590 --> 00:47:25.490
Pete Durst: Public certificates for these services are free. Private certificates are available as well. They're about 75 cents apiece, but the private ones you can really use anywhere you want. The public ones are restricted to AWS services; the private ones you can actually use anywhere you want. So it's a great way to again manage your certificates today. It takes that pain off the plate of, you know, managing thousands of different servers with thousands of different certificates, and, you know, simplifies it. Again, it can be automated, and that's the big plus.
167
00:47:25.710 --> 00:47:41.110
Pete Durst: Enforce encryption only on whatever endpoints you're setting up. So don't allow non-encrypted traffic. So CloudFront, you can turn off HTTP. RDS, you can disable unencrypted communications with the servers.
168
00:47:41.110 --> 00:47:56.389
Pete Durst: You could do this on your own systems again. You just need to set that up. You have your load balancers only listen on the encrypted ports, and then put in a policy that only allows secure traffic and stuff like that. So there are ways to enforce that, and that's certainly in your best interests.
169
00:47:58.180 --> 00:48:06.780
Pete Durst: Data path. What network controls do you have over where the data is and who has access to it? And again,
170
00:48:06.990 --> 00:48:15.130
Pete Durst: isolation of the resources, you know. Don't put your, you know, super sensitive information on a public web server on the Internet. It doesn't make sense.
171
00:48:15.130 --> 00:48:39.419
Pete Durst: Make sure that, you know, the access is limited to those systems that need it, and only those systems. So take advantage of things like our VPCs, or virtual private clouds, where we can, you know, set up public and private subnets, and, you know, provide isolation through that: route tables, network access control lists, security groups. Lots and lots and lots of things can come into there. We do have our firewall appliance now.
172
00:48:39.420 --> 00:49:05.629
Pete Durst: We can do intrusion detection, prevention work, lots and lots of things there. Again, it gives you a layered defense approach. The more pieces between those that are trying to see that data and the actual data, the better. Again, if you're authorized to get there, you want that to work, you know, kind of seamlessly. But if you're not authorized to be there, we want as many blocks between them and that data as we could possibly put in there, so the more the better.
173
00:49:06.640 --> 00:49:34.710
Pete Durst: So VPC security features. So the routing is, you know, one of them. Out of the box, the virtual private cloud is not accessible from the Internet. It's just not on the Internet. You can't get to the Internet. The Internet can't get to you. So it really is private, just, you know, out of the box. I need to establish, you know, external connectivity to that VPC, and that's an Internet gateway, VPN gateway, and so on and so forth, that we could attach, VPC peering, and so on and so forth.
174
00:49:34.710 --> 00:49:37.900
Pete Durst: When we add something to the VPC,
175
00:49:37.900 --> 00:50:05.129
Pete Durst: I need to identify which subnets can use that resource from the VPC. So that's where that routing comes into play. I use that as a way to identify which of the subnets are allowed to use that external connection. So if a subnet is not configured to use the Internet gateway, then, of course, the resources couldn't be exposed to the Internet, but they could be if you wanted them to be.
176
00:50:05.420 --> 00:50:28.560
Pete Durst: Network ACLs also work at the subnet level. They are firewalls that work at the boundary of the subnet. Basically, they can be used to, you know, determine what's allowed or what's not allowed. It is a stateless firewall. So we do have inbound and outbound rules that need to be set up as corresponding rules, just to make sure that, you know, what's allowed in is allowed out, or vice versa, what's allowed out is allowed back in.
177
00:50:28.630 --> 00:50:34.940
Pete Durst: So they are very good as a boundary firewall for the subnets in the VPC.
178
00:50:34.960 --> 00:50:48.909
Pete Durst: Looking after the single host, the host within a VPC, is the security group. Security groups technically work at the interface level. But, you know, in many cases there's only one interface on a host, so it's protecting the host.
179
00:50:48.910 --> 00:51:07.440
Pete Durst: With security groups, these are stateful firewalls. Again, the default is to deny with security groups. So unless I have an allow rule that lets the traffic in, it's not getting in. So I can use the routing, the ACLs and the security groups, those 3 different layers, to protect my resources in that particular subnet.
180
00:51:09.110 --> 00:51:29.739
Pete Durst: So there you go. That's all the pieces that, you know, belong to that protection mechanism: who can make the API requests, and, you know, tracking those API requests, tracking the resource usage, and of course who has access to your resources themselves, and then moving on to somebody being able to access your web service, for example, the data path side of things.
181
00:51:30.490 --> 00:51:51.999
Pete Durst: So what's next? Well, next up, learning at your own pace. We've got, you know, the fundamentals, there's a security essentials class, a security engineering class, learning from the experts and stuff like that. Come in, you know, and have some training, and of course the ramp-up guide. So I'm going to hand this off to Myles at this point. Myles, I'm ready to send it back to you if you want.
182
00:51:52.000 --> 00:52:10.039
Myles Brown :: Moderator: Sure. Okay, well, maybe I'll share my screen and you can talk a little bit about some of those AWS classes, because that's what ExitCertified does. That's what we really excel at. So this is sort of our learning path document, where we have sort of different paths for different roles.
183
00:52:10.190 --> 00:52:33.530
Myles Brown :: Moderator: And the one class you mentioned is the one day security essentials class. We kind of put that up here with the not deeply technical ones, you know. It's sort of, if you just took the one day Cloud Practitioner, and you were just learning about the cloud to begin with, and you wanted a high-level overview, sort of what you just did in an hour, but stretched out over a day. Right? You kind of see what are the major security controls.
184
00:52:33.610 --> 00:52:56.640
Myles Brown :: Moderator: But it wouldn't be enough to, like, walk out and say, I'm confident I can secure, you know, large workloads in the cloud. Like, it's not a heavy duty class. The heavy duty class we have for security experts, that's on the second page somewhere here, down here, the Security Engineering on AWS. Now, that's a 3 day class.
185
00:52:56.790 --> 00:53:07.739
Myles Brown :: Moderator: It helps really prepare for the specialty certification. Right? But the way they looked at that, and tell me if you agree, Pete, I think that
186
00:53:07.820 --> 00:53:25.250
Myles Brown :: Moderator: AWS's stance is, to secure something, you have to know what it is that you're securing, right? So they expect you to have associate level knowledge of AWS. So maybe you take the 3 day Architecting class, or maybe the 3 day, you know, now it's called Cloud Operations on AWS class,
187
00:53:25.250 --> 00:53:48.230
Myles Brown :: Moderator: so you can get that sort of level where you could go and get an associate certification. You don't have to get the cert, but you've got that knowledge before you go into that 3 day engineering class. Is that...? Absolutely. I mean, I'm saying what they expect: a fundamental level of knowledge coming into it. They expect you already kind of know what the cloud is, so that when we talk about the cloud resources it makes sense. Yeah.
188
00:53:48.240 --> 00:53:59.099
Myles Brown :: Moderator: And so when you look at one of those classes, so here's the security engineering class. If I go look at the schedule, you know, there's quite a few dates, because that class we run fairly often, I think,
189
00:53:59.120 --> 00:54:03.999
Myles Brown :: Moderator: and some of them are guaranteed to run. So if I look
190
00:54:04.010 --> 00:54:31.669
Myles Brown :: Moderator: If on our schedule you see that GTR, that means that date is guaranteed to run. So usually it's the virtual part of the class. They sometimes will have a virtual class, and, you know, if we get enough people, the instructor will be in a training center. But, you know, the virtual part we always guarantee to run, usually. So, you know, August second, September thirteenth, you know, the 27th. Sounds like maybe every 3 or 4 weeks, usually,
191
00:54:31.820 --> 00:54:49.979
Myles Brown :: Moderator: we're running that security engineering class, and that will help you towards the certification. So there's sort of that first level foundational Cloud Practitioner, and then there's the 6, or sorry, the 3 associate level certs, and then the 6 specialty and 2 professional.
192
00:54:50.250 --> 00:55:06.619
Myles Brown :: Moderator: And so for security, the Security Specialty, it's not for the faint of heart, right? You don't just go in off the street and write that exam. You'll have to prepare for it. And certainly, if you come and take, say, the Architect class, and then the security engineering class,
193
00:55:06.640 --> 00:55:14.859
Myles Brown :: Moderator: you know, you still have to study a little bit, but, you know, that'll get you a long way towards being ready for one of those heavy-duty certifications.
194
00:55:15.010 --> 00:55:35.800
Myles Brown :: Moderator: So that's what ExitCertified does. exitcertified.com is our website. Let me throw that in the chat for you, just so you have it. I imagine you probably needed that to register here. One of the things you'll see down at the bottom is, you know, every once in a while it pops by. I actually have a slide on it right now. Right now we have a summer promo,
195
00:55:37.030 --> 00:55:53.350
Myles Brown :: Moderator: and so you can get, basically, it's a hundred dollars per day off. So if it's a 3-day class, it's $300 off, upwards of $500 for a 5-day class. Or if you're doing learning subscriptions, on-demand self-paced courses, it's 10% off.
196
00:55:53.400 --> 00:56:04.569
Myles Brown :: Moderator: We also have sort of deals if you're doing, like, if you've got a group of people and you want to do a training just for your company. You can certainly do that. And let me put that upskill 500,
197
00:56:05.120 --> 00:56:05.970
Myles Brown :: Moderator: actually,
198
00:56:08.240 --> 00:56:11.380
Myles Brown :: Moderator: let me guess, I could probably just go there.
199
00:56:12.200 --> 00:56:14.769
Myles Brown :: Moderator: Still 500. Is that what it is?
200
00:56:15.060 --> 00:56:19.640
Myles Brown :: Moderator: I found it. Okay, here it is. So you have to register by August 31st
201
00:56:19.860 --> 00:56:33.280
Myles Brown :: Moderator: for a class that you take by, I think it's by the end of September. There's some small print. Oh, no, here it is: November 30th. You have to take the class by then, but you have to register, you know, it's the summer promo, so you've got to register by the end of August.
202
00:56:33.500 --> 00:56:58.770
Myles Brown :: Moderator: So let me just throw that whole link into the chat. If you're interested in any classes, any AWS classes. AWS isn't the only thing we do. We definitely do a lot of AWS, and it's probably our biggest vendor, but we do a lot of cloud training in general. And so one of the things we've been using to kind of explain to people, you know, what ExitCertified does, you know, mostly it's
203
00:56:58.880 --> 00:57:18.999
Myles Brown :: Moderator: cloud training, right? So we're partnered with the big 4 cloud vendors. So we have their official courses. You know, we're not building the content. You know, Pete and I are authorized AWS instructors. So we've gone through their certification process for instructors. They provide the material, we deliver it, right?
204
00:57:19.000 --> 00:57:30.400
Myles Brown :: Moderator: And with our AWS classes you get access to labs for 3 months, so you can come back and do the labs after class. You know, different vendors have different lengths of how long you can do the labs for.
205
00:57:30.530 --> 00:57:52.889
Myles Brown :: Moderator: But what we really found was that, you know, when an organization moves to the cloud, it's rarely just, okay, I want to get out of the data center business, and I want Amazon to take care of it. You know, a lot of times we see sort of 3 things go hand in hand. They're moving to the cloud, they're embracing the concept of microservices, and maybe embracing things like
206
00:57:52.890 --> 00:58:06.969
Myles Brown :: Moderator: DevOps, you know. And so we see a lot of these things go hand in hand. And so, you know, you see a lot of logos here. But some of these are commercial vendors that we're partnering with, like Databricks, or
207
00:58:06.970 --> 00:58:09.540
Myles Brown :: Moderator: or you know,
208
00:58:09.640 --> 00:58:16.760
Myles Brown :: Moderator: who else, Cloudera? Or, you know, some of those companies. We have their official training. And then some things like Kubernetes, it's just an open source
209
00:58:16.810 --> 00:58:31.300
Myles Brown :: Moderator: product, you know. Anybody can, say, hang a sign and say we do Kubernetes training. So our job is to kind of, you know, go in and make sure that we can find who's got the best-of-breed training in Kubernetes and provide that to you.
210
00:58:31.440 --> 00:58:45.670
Myles Brown :: Moderator: And so we've got lots of options all around cloud. So if you're interested in any of that, you can either talk to whoever your sales rep is, or, you know what, I'll put my email address in here. If you have questions,
211
00:58:46.530 --> 00:58:59.989
Myles Brown :: Moderator: you can always hit me up and I'll put you in touch with the right salesperson. I assume you ask how many tries for each lab are available. Well, AWS switched things. So now you can try the labs as many times as you want in that 3 months.
212
00:59:00.910 --> 00:59:10.470
Myles Brown :: Moderator: But, like I said, different vendors have different things, but that's AWS. You've got 3 months, as many tries as you want. It used to be you only had 3 kicks at the can; now they've opened it up.
213
00:59:11.190 --> 00:59:18.050
Myles Brown :: Moderator: So we call this our cloud-centric portfolio of training. It's just trying to show the breadth of what we can do.
214
00:59:18.080 --> 00:59:22.919
Myles Brown :: Moderator: And usually, you know, even beyond this, these are the ones we had room to fit on here.
215
00:59:22.990 --> 00:59:27.700
Myles Brown :: Moderator: But anything cloud-related is really what we're doing these days.
216
00:59:28.120 --> 00:59:39.920
Myles Brown :: Moderator: So I put the promo in. CCSP? Yeah, I guess, talking about the security, and specifically, there are a couple of, like,
217
00:59:40.760 --> 00:59:51.979
Myles Brown :: Moderator: cross-vendor, you know, sort of general agnostic certifications like this CISSP and the CCSP, and, say, Security+ from CompTIA.
218
00:59:52.780 --> 01:00:11.150
Myles Brown :: Moderator: Are any of these trainings available in person? You know, these days, I would say that most of our classes are still virtual, right? And the best way to say, yes, I'm going to be in a classroom with an instructor, is if you have enough people to say, let's put on our own private one, because I don't think those ones,
219
01:00:11.640 --> 01:00:25.810
Myles Brown :: Moderator: you know, we used to have a few more people in, say, San Francisco or in DC. But even there, you know, the market has changed, and people don't want to go into a classroom for training. So it's almost all virtual training at this point,
220
01:00:26.030 --> 01:00:45.109
Myles Brown :: Moderator: unless you have a group. And that is kind of a trend we're seeing now, is that, you know, a lot of our customers, their employees are all over the place, and so they're starting to do on-site training as a reason to get people together, you know, at their site. So we'll send an instructor to you if you've got a group of people.
221
01:00:45.240 --> 01:00:55.690
Myles Brown :: Moderator: But to make the economics work out you've got to have at least 5 or 6 people, usually, you know. Otherwise you're better off to just send them individually to a public class.
222
01:00:56.970 --> 01:01:01.839
Myles Brown :: Moderator: I think it does save time for the learners, and, you know, like, commuting and everything else.
223
01:01:01.990 --> 01:01:10.740
Myles Brown :: Moderator: Let's see, was there anything else I wanted to mention? Yeah, I guess I'll just throw up this slide about, you know, this one,
224
01:01:10.760 --> 01:01:35.420
Myles Brown :: Moderator: the webinars. So there are some webinars that you may have missed in the past couple of months. We have a bunch of AWS Discovery Days. I'll show you those; there are still a couple coming up. There was an exam prep one on Azure Administrator, so the AZ-104. It was like a 2-hour thing that our colleague Tariq did, which talked about, you know, tips on how to prepare for that exam.
225
01:01:35.470 --> 01:01:50.670
Myles Brown :: Moderator: And then I did this one, which was sort of a public cloud comparison, comparing AWS, Azure, Google Cloud and Oracle Cloud. So those webinars, let me go to exitcertified.com/webinars
226
01:01:51.500 --> 01:01:54.050
Myles Brown :: Moderator: and show you what's available.
227
01:01:56.050 --> 01:01:58.959
Myles Brown :: Moderator: If I just type in "webinars" here, we're going to get there,
228
01:02:01.920 --> 01:02:04.240
Myles Brown :: Moderator: I think so. Here we go.
229
01:02:04.440 --> 01:02:14.980
Myles Brown :: Moderator: And so the upcoming Discovery Days are the machine learning one, that's, like, I think, August 2nd, and then mine. This is mine, coming up next Tuesday.
230
01:02:15.100 --> 01:02:17.490
Myles Brown :: Moderator: Noon until 2. So mine is about 2 hours.
231
01:02:18.690 --> 01:02:20.780
Myles Brown :: Moderator: They're all like slightly different lengths.
232
01:02:20.840 --> 01:02:32.370
Myles Brown :: Moderator: This one is the one for today, which, I think, when you come back, you know, a day or 2 from now, this will actually be the recording. So here's one our colleague Craig did on migration.
233
01:02:32.440 --> 01:02:53.419
Myles Brown :: Moderator: And so if you click on it, it's right there. It's not even gated or anything. So you can just go and, you know, watch that video. So it's a little bit like what you just saw. You know, he's doing the slides. I guess we don't have a picture of him here too much. But I think they even have a transcript that you could go through, I mean, as good as those transcripts are. And
234
01:02:53.540 --> 01:03:04.310
Myles Brown :: Moderator: they're getting better and better. So I think that was the main stuff I wanted to talk about. Now, we talked about certification.
235
01:03:04.460 --> 01:03:13.469
Myles Brown :: Moderator: There are some other webinars in here. There's that public cloud comparison, the Azure Administrator certification exam prep one,
236
01:03:13.580 --> 01:03:16.590
Myles Brown :: Moderator: and then you can go back and look at our older ones as well.
237
01:03:17.120 --> 01:03:31.750
Myles Brown :: Moderator: So there are a lot of resources there. If you come and look for a training and go to AWS, that'll take you to our main AWS page, where you can find, you know, all the courses, sort of categorized. Like I said, if you're
238
01:03:31.830 --> 01:03:43.549
Myles Brown :: Moderator: looking for ones that are guaranteed to run, you click on that, and it just, you know, gets you down to just the ones that are definitely going to run. Even if one person signs up, you know it's happening,
239
01:03:43.690 --> 01:03:49.589
Myles Brown :: Moderator: which is a rarity in training these days. It's hard to find classes that actually run.
240
01:03:50.410 --> 01:04:02.560
Myles Brown :: Moderator: All right. Well, I think we are a little over time. But, you know, Pete's still here. If you have any questions you can throw them in the chat. Can I share the link? Oh, yeah, that's right, I wanted to show the webinars link.
241
01:04:02.700 --> 01:04:06.230
Myles Brown :: Moderator: Okay, that one in there as well.
242
01:04:07.020 --> 01:04:31.009
Myles Brown :: Moderator: When you go to leave this session, there'll be a little survey that should pop up when you go to, like, leave the Zoom session. It's only a few questions. It'll ask you what you think of Pete, what you think of the webinar, and mostly it's asking, like, what other things are you interested in, because we do like to put on these free webinars. We open them up to as many people as possible. So it's not like, you know,
243
01:04:31.070 --> 01:04:41.830
Myles Brown :: Moderator: you know, 8 to 10 people normally in class, where it's two-way communication, and we want it to feel as much like a classroom as possible. But we do want to, you know, sort of
244
01:04:42.770 --> 01:04:53.150
Myles Brown :: Moderator: take the temperature of the room and see what people are interested in. So we ask a couple of questions in that survey on the way out. So please take, you know, a minute or 2 and just answer those questions.
245
01:04:53.330 --> 01:04:56.490
Myles Brown :: Moderator: It should pop up automatically as you leave.
246
01:04:57.270 --> 01:05:02.630
Myles Brown :: Moderator: Anything else, Pete? I don't see any questions.
247
01:05:02.820 --> 01:05:04.929
Pete Durst: I heard everything, I think we needed to cover
248
01:05:05.020 --> 01:05:18.530
Myles Brown :: Moderator: Well, good luck with AWS, and hopefully we'll see you, maybe next week in my webinar, or in a classroom down the road.
249
01:05:19.280 --> 01:05:20.940
Pete Durst: Today, folks, have a good one.
250
01:05:23.170 --> 01:05:26.699
Myles Brown :: Moderator: I'm going to leave it just for a second, so people are copying the
251
01:05:26.810 --> 01:05:29.570
Myles Brown :: Moderator: links from the
252
01:05:29.950 --> 01:05:35.040
Myles Brown :: Moderator: chat. There may be a way to save the chat; I don't know if that works or not.
253
01:05:39.610 --> 01:05:52.460
Myles Brown :: Moderator: I have the save chat option, but I'm not sure if that's because I'm the panelist, or maybe it's just us. Yeah, I don't think they can save the chat. So you should be able to click on those links and at least open them up and then bookmark them after.
254
01:05:59.340 --> 01:06:04.009
Myles Brown :: Moderator: Yeah, I think you're better off to just click on those links, if that works.
255
01:06:06.020 --> 01:06:08.679
Myles Brown :: Moderator: Oh, I can throw a couple of those diagrams
256
01:06:09.100 --> 01:06:10.930
Myles Brown :: Moderator: into the chat, I think,
257
01:06:12.580 --> 01:06:14.859
Myles Brown :: Moderator: if you can download from there, maybe.
258
01:06:15.940 --> 01:06:19.050
Myles Brown :: Moderator: And then the AWS
259
01:06:19.170 --> 01:06:22.660
Myles Brown :: Moderator: Learning Path document was the other one I showed, right?
260
01:06:35.150 --> 01:06:44.190
Myles Brown :: Moderator: Yeah, I'm not sure if everybody is going to be able to get those. It really depends how your Zoom is set up. Some companies, you know, they put real locks on the
261
01:06:44.430 --> 01:06:46.380
Myles Brown :: Moderator: Zoom chat, so you can't
262
01:06:46.720 --> 01:06:50.200
Myles Brown :: Moderator: save documents or even click on links from them.
263
01:06:50.490 --> 01:06:53.149
Myles Brown :: Moderator: But hopefully you can copy those links.
264
01:06:53.440 --> 01:06:55.080
Myles Brown :: Moderator: I only put 2 or 3.
265
01:06:58.070 --> 01:06:59.110
Myles Brown :: Moderator: All right.
266
01:07:05.860 --> 01:07:07.480
Myles Brown :: Moderator: No, have a good afternoon.
267
01:07:08.810 --> 01:07:10.300
Pete Durst: I'd be my.