AWS Cloud Security Flashcards
What is AWS Artifact
A self-service portal giving on-demand access to AWS's access-controlled compliance reports (e.g. SOC, PCI DSS, ISO) and agreements relevant to compliance and security on AWS
Compliance on AWS and AWS Artifact
Global Compliance Programs at AWS
- ISO 27001
- SOC 1
- SOC 2
- SOC 3
- PCI DSS Level 1
- CSA (Cloud Security Alliance STAR)
Shared Responsibility Model
- AWS manages security OF the cloud, while the customer manages security IN the cloud
• Customers control which security measures they choose to implement for their own content, platform, applications, and networks
- AWS is responsible for protecting the infrastructure that runs all AWS Cloud services, which lets customers reduce their own infrastructure-security cost and focus on what matters to them (e.g. their client data)
- Customer is responsible for: customer data, platform, IAM, applications, guest operating system, firewall, network configuration, and encryption configuration
- AWS is responsible for: the hardware, software, networking, and facilities that run AWS services (compute, storage, database, networking) and the global infrastructure (regions, availability zones, edge locations)
Customer is responsible for
security groups (the stateful firewall for inbound/outbound traffic), IAM users and their permissions, patching EC2 guest operating systems, patching self-managed databases running on EC2
AWS is responsible for
management of data centers, security cameras, cabling, patching RDS operating systems
If you think you’re responsible
then chances are you probably are
- Encryption is a shared responsibility: AWS provides the mechanisms (e.g. KMS, server-side encryption options), while the customer decides what to encrypt, which options to enable, and how keys are managed
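Security groups and their inbound rules sit squarely on the customer side of the model above, so this is where "security in the cloud" is won or lost. The following is an added example, not from the original flashcards or from AWS: an offline audit that walks security-group rules in the same shape that boto3's `ec2.describe_security_groups()` returns and flags management or database ports reachable from the whole internet. The sample groups, IDs and the list of "management ports" are constructed for the example; no AWS call is made.

```python
"""Offline audit of EC2 security group ingress rules (added example).

The input shape mirrors boto3 ec2.describe_security_groups()["SecurityGroups"],
but SAMPLE_GROUPS below is constructed for this example; nothing is fetched from AWS.
"""
from ipaddress import ip_network

# Ports a practitioner normally never exposes to the whole internet (assumed list).
MANAGEMENT_PORTS = {22: "ssh", 3389: "rdp", 3306: "mysql", 5432: "postgres", 1433: "mssql"}

# Constructed sample: "web" has HTTPS (fine) plus SSH open to the world (bad);
# "db" restricts Postgres to a private range but has an all-traffic IPv6 rule open to ::/0.
SAMPLE_GROUPS = [
    {
        "GroupId": "sg-0000000000000001",
        "GroupName": "web",
        "IpPermissions": [
            {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443,
             "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": [], "UserIdGroupPairs": []},
            {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
             "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": [], "UserIdGroupPairs": []},
        ],
    },
    {
        "GroupId": "sg-0000000000000002",
        "GroupName": "db",
        "IpPermissions": [
            {"IpProtocol": "tcp", "FromPort": 5432, "ToPort": 5432,
             "IpRanges": [{"CidrIp": "10.0.0.0/8"}], "Ipv6Ranges": [], "UserIdGroupPairs": []},
            # IpProtocol "-1" = all protocols/ports; FromPort/ToPort are omitted in that case.
            {"IpProtocol": "-1",
             "IpRanges": [], "Ipv6Ranges": [{"CidrIpv6": "::/0"}], "UserIdGroupPairs": []},
        ],
    },
]


def _is_world(cidr: str) -> bool:
    """True for 0.0.0.0/0 and ::/0: a prefix length of 0 means 'the whole internet'."""
    return ip_network(cidr, strict=False).prefixlen == 0


def _management_ports(perm: dict):
    """Yield (port, label) for every management port this permission covers."""
    if perm.get("IpProtocol") == "-1":
        lo, hi = 0, 65535                      # all traffic
    else:
        lo, hi = perm.get("FromPort", 0), perm.get("ToPort", 65535)
        if lo == -1 or hi == -1:               # ICMP type/code, not a TCP/UDP port
            return
    for port, label in MANAGEMENT_PORTS.items():
        if lo <= port <= hi:
            yield port, label


def find_world_open_management_ports(groups):
    """Return a sorted list of (group_id, port, label, cidr) findings.

    Only CIDR-based sources are checked; rules whose source is another security
    group (UserIdGroupPairs) are not world-reachable by themselves and are skipped.
    """
    findings = []
    for sg in groups:
        for perm in sg.get("IpPermissions", []):
            cidrs = [r["CidrIp"] for r in perm.get("IpRanges", [])]
            cidrs += [r["CidrIpv6"] for r in perm.get("Ipv6Ranges", [])]
            for cidr in cidrs:
                if not _is_world(cidr):
                    continue
                for port, label in _management_ports(perm):
                    findings.append((sg["GroupId"], port, label, cidr))
    return sorted(findings)


if __name__ == "__main__":
    for group_id, port, label, cidr in find_world_open_management_ports(SAMPLE_GROUPS):
        print(f"{group_id}: {label}/{port} open to {cidr}")
```

To run this against a real account, replace `SAMPLE_GROUPS` with `boto3.client("ec2").describe_security_groups()["SecurityGroups"]`; the all-protocol (`"-1"`) and IPv6 (`::/0`) cases are the ones that simpler "port 22 from 0.0.0.0/0" checks tend to miss.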
Data Classification
A process of organizing data into categories for a specific purpose. Each category has its own security policy
Tenets ensure you make the right decision at the right time for both customer and company data
o Strike the right balance between delivering value to customers and protecting customer and company data
o A business need must be established for every decision to access or share data
o The AWS Clear Desk and Clear Screen policy contains guidelines for all employees handling data that may be seen or heard by unintended audiences
o Amazon Legal provides instructions for the storage, retention, and dissemination of data (confidential information and NDA guidelines, document record retention and destruction, communication policy)
Customer Account Info
Customer Account Information – name, username, email, phone #, billing info
Handling policy – you may access customer account information only to support customers, and may not disclose it; customers who need it can reach out to AWS billing and account support
Customer Content
Customer Content – data that customers or their end users upload to, store in, or process with AWS services (as defined in the AWS Customer Agreement)
Service Attributes
any service usage data related to a customer's account
ex: security controls and access settings
Handling policy – may be used only to support the customer, to improve AWS services, or to grow the business relationship; may not be used to compete with the customer
Business Contracts
Handling policy – may be used only to support the customer, to improve AWS services, or to grow the business relationship; may not be used to compete with the customer
Business Data
any data that is created, stored, or shared with or by an AWS employee, such as ticketing information or roadmap details
Handling policy – may be shared only under the confidential information policy, which requires AWS Legal and director-level approval as well as the customer's permission
AWS Data
AWS content for AWS services (website, API, documentation, templates) that can be used to assist customers
Handling policy – may be shared to support a valid business need; review the AWS Customer Agreement for details
Employee Data
employee data such as a personal email address or home address
Handling policy – may not be shared internally or externally without consulting HR first