AWS Cloud Security Flashcards
Federation w/ IAM
Federation w/ IAM
Federation can use something other than an ‘individual’ identity source for AWS IAM access
Example:
Active Directory (like we do at State Farm) --->Connects to AWS IAM via SAML 2.0
Social Providers (Gmail, Facebook, etc.) --->Connects to AWS IAM via OpenID Connect (OIDC)
AWS Single Sign-On (SSO)
AWS Single Sign-On (SSO)
Centralized permissions management
—>Provides access to MULTIPLE AWS Accounts and Organizations w/out having to re-authenticate for each one
Identity Sources
- –>Active Directory (self-managed) or cloud directory (Azure AD)
- –>Business applications
Active Directory (self-managed) identity source connects to SSO via AWS Directory Service
Used for Mobile and Web Apps to obtain temporary, limited-privilege credentials for AWS services via AWS STS (Security Token Service):
AD Connector
AWS Single Sign-On (SSO)
AWS Cognito
AWS Directory Services
AWS Cognito
Used for Mobile and Web Apps
Cognito Identity pools are used to obtain temporary, limited-privilege credentials for AWS services
Identities can come from:
- –>Cognito User Pool - where the actual identities are stored
- –>Identity Provider - external source - social IdPs
Cognito Identity pool uses AWS STS (Security Token Service) to obtain the ‘temporary’ credentials to AWS
—>STS provides access via an IAM role
AWS managed Microsoft Active Directory providing fully managed AWS services on AWS infrastructure. Good option for enterprises that want a hosted Microsoft Active Directory:
AD Connector
AWS Single Sign-On (SSO)
AWS Cognito
AWS Directory Services
AWS Directory Services:
AWS Managed Microsoft Active Directory
Fully managed AWS services on AWS infrastructure
Best choice if you have more than 5,000 users and/or need a trust relationship set up
You can setup trust relationships to extend authentication from on-premises Active Directories into the AWS cloud
On-premises users and groups can access resources in either domain using SSO
Can be used as a standalone AD in the AWS cloud
Use Case: Enterprises that want hosted Microsoft Active Directory
Self-managed Microsoft Active Directory in your own datacenter that connects your existing on-premises Active Directory to AWS:
AD Connector
AWS Single Sign-On (SSO)
AWS Cognito
AWS Directory Services
AD Connector
Self-managed Microsoft AD in your own datacenter
All Identities are in one place - on premises
A gateway for redirecting directory requests to your on-premises Active Directory
Eliminates the need for directory synchronization and the cost and complexity of hosting a federation infrastructure
Connects your existing on-premises AD to AWS
Use Case: Single sign-on for on-premises employees
Compatible w/ Active Directory but very simple, low scale, low cost, Active Directory (AD) implementation based on Samba:
AD Connector
AWS Single Sign-On (SSO)
Simple AD
AWS Directory Services
Simple AD
Compatible w/ Active Directory but very simple
Low scale, low cost, AD implementation based on Samba
Use Case: Simple user directory, or you need LDAP compatibility
AWS Systems Manager Parameter Store
AWS Systems Manager Parameter Store
Stores information in one place so it is NOT stored in your code
Provides secure, hierarchical storage for configuration data management and secrets management
Highly scalable, available and durable
You can store data such as passwords, database strings, and license codes as parameter values
You can store values as plaintext (unencrypted data) or ciphertext (encrypted data)
You can then reference values by using the unique name that you specified when you created the parameter
AWS Secrets Manager
AWS Secrets Manager
Similar to Parameter Store
Store info (database strings, passwords, etc.) in a secure, encrypted place
Can be pulled out using API call
Allows native and automatic rotation of keys
Fine grained permissions
Central auditing for secret rotation
Encryption in Transit VS Encryption at Rest
Encryption in Transit
—When a user sends data via HTTPS it is protected by SSL/TLS (certificate attached to the load balancer) in transit.
—Data may not have been encrypted on the user's machine and may not be encrypted once it gets to AWS, HOWEVER, it IS encrypted while it is in transit thanks to the SSL/TLS certificate.
Encryption at Rest
—Data is encrypted when it is stored
—Amazon S3 encrypts the object as it is written to the bucket using a data encryption key
What is SSL/TLS?
SSL/TLS = Secure Sockets Layer/Transport Layer Security
Public and private CERTIFICATES used to connect your internal resources with AWS
Encrypts data while it is IN TRANSIT
Asymmetric Encryption
Asymmetric Encryption
Also known as public key cryptography
Data is passed through the encryption process and becomes encrypted via a Public Key; THEN you pass that encrypted data through the decryption process via a Private Key and the data becomes decrypted
Messages encrypted with the public key can only be decrypted with the Private Key
Messages encrypted with the private key can be decrypted with the public key
Examples include SSL/TLS certificates used to secure websites and SSH (secure shell)
Which AWS service creates, stores and renews SSL/TLS X.509 certificates?
AWS Key Management Service (KMS)
AWS Secrets Manager
AWS CloudHSM
AWS Certificate Manager (ACM)
AWS Certificate Manager (ACM)
Create, store and renew SSL/TLS X.509 certificates
Single domains, multiple domain names and wildcards
Integrates w/ several AWS services:
- -Elastic Load Balancing
- -Amazon CloudFront
- -AWS Elastic Beanstalk
- -AWS Nitro Enclaves
- -AWS CloudFormation
Symmetric Encryption
Symmetric Encryption
Data is passed through the encryption process and becomes encrypted via a Data encryption key
To decrypt the data you need the SAME Data encryption key for encryption and decryption
What Multi-tenant AWS service is used to create and manage encryption keys, has AWS managed root of trust and provides broad AWS service support?
AWS Key Management Service (KMS)
AWS Secrets Manager
AWS CloudHSM
AWS Certificate Manager (ACM)
AWS Key Management Service (KMS)
Used for creating and managing encryption keys
Gives you centralized control over the encryption keys used to protect your data
KMS is integrated with most other AWS services
Easy to encrypt the data you store in these services with encryption keys you control
KMS is:
- -MULTI-TENANT AWS Service
- —>Multi-tenant = a single instance of the software and its supporting infrastructure serves multiple customers
- -Highly available and durable key storage and management
- -AWS managed root of trust
- -Broad AWS service support
What Single-tenant AWS service is used to create and manage encryption keys in your VPC, has customer managed root of trust and broad 3rd Party support?
AWS Key Management Service (KMS)
AWS Secrets Manager
AWS CloudHSM
AWS Certificate Manager (ACM)
AWS CloudHSM
Similar to KMS but has a higher level of security due to its physical separation and single tenancy
Can be used to create and manage symmetric and asymmetric encryption keys
Cloud-based hardware security module (HSM)
Generate and use your own encryption keys on the AWS Cloud
Manage your own encryption keys using FIPS 140-2 Level 3 validated HSMs
CloudHSM runs in your VPC
CloudHSM is:
- -SINGLE-TENANT Hardware Security Module (HSM)
- —>Single-tenant = a single instance of the software and supporting infrastructure serves a single customer on the customer's own independent database
- -Customer-managed durability and availability
- -Customer-managed root of trust
- -Broad 3rd Party Support
What is the difference between Multi-tenant and Single Tenant?
Multi-tenant = a single instance of the software and its supporting infrastructure serves multiple customers
Single-tenant = a single instance of the software and supporting infrastructure serves a single customer on the customer's own independent database
Used for performance monitoring and captures metrics about account activity:
Amazon CloudWatch
Amazon Elasticsearch Service
AWS CloudTrail
VPC Flow Logs
Amazon CloudWatch
Gather application and system logs in CloudWatch
Unified CloudWatch Agent - must be installed on EC2 and on-premises servers to be able to send information to CloudWatch
Lambda can send info to CloudWatch via permissions
Amazon Elasticsearch Service - used to perform real-time log processing with subscription filters
Defined expiration policies and KMS encryption
Used to perform real-time log processing with subscription filters:
Amazon CloudWatch
Amazon Elasticsearch Service
AWS CloudTrail
VPC Flow Logs
Amazon Elasticsearch Service
Used to perform real-time log processing with subscription filters
What is used to log API activity for Auditing:
Amazon CloudWatch
Amazon Elasticsearch Service
AWS CloudTrail
VPC Flow Logs
AWS CloudTrail
CloudTrail logs API activity for Auditing
Auditing provides who did what and when in your account
Good for governance, compliance and auditing needs for AWS accounts
By default, management events are logged and retained for 90 days (data events and insight events are not logged by default)
A CloudTrail TRAIL is a configuration that enables delivery of CloudTrail events to an Amazon S3 bucket, CloudWatch Logs, and CloudWatch Events
Can use a trail to filter the CloudTrail events you want delivered, encrypt your CloudTrail event log files with an AWS KMS key, and set up Amazon SNS notifications for log file delivery.
Logs any events in S3 for indefinite retention (for compliance purposes)
Trail can be within Region or all Regions
CloudWatch Events can be triggered based on API calls in CloudTrail
Events can be streamed to CloudWatch Logs
Logs info about what is actually happening in your account at the network level:
Amazon CloudWatch
Amazon Elasticsearch Service
AWS CloudTrail
VPC Flow Logs
VPC Flow Logs
Logging info about what is actually happening in your account at the network level
Flow Logs capture information about the IP traffic going to and from network interfaces in a VPC
Flow log data is stored using Amazon CloudWatch Logs
Flow logs can be created at the following levels:
- -VPC
- -Subnet
- -Network Interface
Which service is the correct logging service for the following:
- Capture detailed information about requests sent to the load balancer
- Use to analyze traffic patterns and troubleshoot issues
- Can identify requester, IP, request type etc.
Elastic Load Balancing Access Logs
S3 Access Logs
Elastic Load Balancing Access Logs
Capture detailed information about requests sent to the load balancer
Use to analyze traffic patterns and troubleshoot issues
Can identify requester, IP, request type etc.
Can be optionally stored and retained in S3
Which service is the correct logging service for the following:
- You enable logging and choose a target bucket
- Provides detailed records for the requests that are made to a bucket
Elastic Load Balancing Access Logs
S3 Access Logs
S3 Access Logs
You enable logging and choose a target bucket
Provides detailed records for the requests that are made to a bucket
Details include the requester, bucket name, request time, request action, response status, and error code (if applicable)
Disabled by default
Which service is used to analyze, investigate and quickly identify the root cause of potential security issues or suspicious activities:
Amazon Macie
Amazon Detective
AWS CloudTrail
AWS GuardDuty
Amazon Detective
Analyze, investigate and quickly identify the root cause of potential security issues or suspicious activities
Automatically collects data from AWS resources
Uses machine learning, statistical analysis, and graph theory
Data sources include VPC Flow Logs, CloudTrail, and GuardDuty
Which service is an intelligent threat detection service that detects account compromise, and bucket compromise?
Amazon Macie
Amazon Detective
AWS CloudTrail
AWS GuardDuty
AWS GuardDuty
Intelligent threat detection service
Detects account compromise, and bucket compromise
Continuous monitoring for events across:
- -AWS CloudTrail Management Events
- -AWS CloudTrail S3 Data Events
- -Amazon VPC Flow Logs
- -DNS Logs
Which service enables security compliance and preventive security for your sensitive data in Amazon S3 buckets?
Amazon Macie
Amazon Detective
AWS CloudTrail
AWS GuardDuty
Amazon Macie
Macie is a fully managed data security and data privacy service
Looks at data in Amazon S3 and uses machine learning and pattern matching to discover, monitor, and help you protect your sensitive data
Macie enables security compliance and preventive security
Findings can be recorded in CloudWatch Events to trigger an action to remediate or notify someone
Can identify a variety of data types:
- -PII (Personally Identifiable Information)
- -PHI (Protected Health Information)
- -Regulatory documents
- -API Keys
- -Secret Keys
Firewall that creates rules to filter web traffic based on conditions:
AWS Shield
AWS WAF
AWS Security Hub
AWS Artifact
AWS WAF
AWS WAF is a web application firewall
Create rules to filter web traffic based on conditions that include:
- -IP addresses
- -HTTP headers and body
- -Custom URIs
Can block common web exploits
- -SQL injection
- -Cross-site scripting
The rules are known as Web Access Control Lists (ACLs)
Which service helps you mitigate and protect your resources from Distributed Denial of Service (DDoS) attacks with always-on detection and automatic inline mitigations?
AWS Shield
AWS WAF
AWS Security Hub
AWS Artifact
AWS Shield
AWS Shield helps you mitigate and protect your resources from Distributed Denial of Service (DDoS) attacks
Always-on detection and automatic inline mitigations
Helps to minimize application downtime and latency
Two tiers:
- -Standard - no cost
- -Advanced - $3k per month w/ 1 year commitment
- —>Much better support from AWS
- —>More protections included
Automatically get some DDoS protection if your application sits behind Amazon CloudFront
Standard included w/ CloudFront
DDoS - Distributed Denial of Service
DDoS - Distributed Denial of Service
Someone is trying to take down your systems by:
–Sending a huge amount of traffic
–Generating traffic using bots
–Sending a type of payload that they know will cause a negative effect on your application
Provides on-demand access to AWS security and compliance reports and select online agreements including Service Organization Control (SOC) reports and Payment Card Industry (PCI) reports:
AWS Shield
AWS WAF
AWS Security Hub
AWS Artifact
AWS Artifact
Provides on-demand access to AWS’ security and compliance reports and select online agreements
Reports available in AWS Artifact include:
- -Service Organization Control (SOC) reports
- -Payment Card Industry (PCI) reports
Provides certifications from accreditation bodies that validate the implementation and operating effectiveness of AWS security controls
Useful if building something requiring high compliance/standards
Agreements available in AWS Artifact:
- -Business Associate Addendum (BAA)
- -Nondisclosure Agreement (NDA)
- Provides a comprehensive view of security alerts and security posture across AWS accounts
- Aggregates, organizes, and prioritizes security alerts, or findings, from multiple AWS services
- Continuously monitors your environment using automated security checks
AWS Shield
AWS WAF
AWS Security Hub
AWS Artifact
AWS Security Hub
Provides a comprehensive view of security alerts and security posture across AWS accounts
Aggregates, organizes, and prioritizes security alerts, or findings, from multiple AWS services
Continuously monitors your environment using automated security checks
Configure security standards to validate against:
- -AWS Foundational Security Best Practices V1.0.0
- -CIS AWS Foundations Benchmark v1.2.0
- -PCI DSS v3.2.1
Security and privacy events affecting AWS services are published (also has an RSS feed):
AWS Shield
AWS Security Bulletins
AWS Security Hub
AWS Artifact
AWS Security Bulletins
Security and privacy events affecting AWS services are published (also has an RSS feed)
Kind of like an ESS
Who should you contact if you suspect AWS resources are being abused (spam, distributing malware, DDoS, etc):
AWS Shield
AWS Trust & Safety Team
AWS Security Hub
AWS Penetration
AWS Trust & Safety Team
Contact the AWS Trust & Safety team if AWS resources are being used for:
- -Spam
- -Port Scanning
- -Denial-of-service attacks (DDoS)
- -Intrusion attempts
- -Hosting of objectionable or copyrighted content
- -Distributing malware
abuse@amazonaws.com
The practice of testing one’s own application’s security for vulnerabilities by simulating an attack:
Security Test
Threat Assessment
Breach Test
Penetration Test
Penetration Testing
Penetration testing is the practice of testing one’s own application’s security for vulnerabilities by simulating an attack
AWS allows penetration testing without prior approval for 8 AWS services and ONLY on your own services
*Should not have to know the 'exact' permitted and prohibited events, but here they are:
Permitted Services:
- -Amazon EC2 instances, NAT Gateways, and Elastic Load Balancers
- -Amazon RDS
- -Amazon CloudFront
- -Amazon Aurora
- -Amazon API Gateways
- -AWS Lambda and Lambda@Edge functions
- -Amazon Lightsail resources
- -Amazon Elastic Beanstalk environments
Prohibited Activities:
- -DNS zone walking via Amazon Route 53
- -Denial of Service (DoS), Distributed Denial of Service (DDoS), Simulated DoS, Simulated DDoS
- -Port flooding
- -Protocol flooding
- -Request flooding (login request flooding, API request flooding)
Shared Responsibility Model in Relation to Security:
Customer
- -Bucket w/ objects
- -Staff training
- -Role
- -Data Encryption
- -IAM User
- -Multi-Factor Authentication
- -Network ACL
- -Security Group
- -Firewall configurations
- -SSL encryption
- —->Using your own certificates or certificates from AWS
- -Patch management
- —–>Systems should be compliant w/ latest patches and less likely to be easily attacked
- -Auto scaling
- —–>Keeps systems available
- -EC2 instance
- -Elastic Load Balancer
AWS
- -Data Center security
- -Global infrastructure security
- -Anything that relates to underlying platform and physical hardware