AWS Cloud Security & Identity Flashcards

1
Q

Shared Responsibility Model

A

The AWS shared responsibility model defines what you (as an AWS account holder/user) and AWS are each responsible for when it comes to security and compliance
Security and compliance is a shared responsibility between AWS and the customer

2
Q

Shared Responsibility Model:

AWS Responsibilities

A

responsible for “security of the cloud”
AWS is responsible for protecting the infrastructure that runs all the services offered in the AWS Cloud

infrastructure - hardware, software, networking, and facilities that run AWS Cloud services

Software - compute, storage, database, networking
Hardware/AWS Global Infrastructure - regions, AZs, edge locations

3
Q

Shared Responsibility Model:

Customer Responsibilities

A

responsible for “security in the cloud”
For EC2 this includes network level security (NACLs, security groups), operating system patches and updates, IAM user access management, and client and server-side data encryption
platform, applications, identity & access management
operating system, network and firewall configuration
client-side data encryption & data integrity authentication
server-side encryption (file system and/or data)
networking traffic protection (encryption, protection, identity)

4
Q

Inherited Controls

A

controls which a customer fully inherits from AWS (Physical and Environmental)

5
Q

Shared Controls

A

Controls which apply to both the infrastructure layer and customer layers, but in completely separate contexts or perspectives

6
Q

Patch Management

A

AWS - responsible for patching and fixing flaws within the infrastructure

Customers - responsible for patching their guest OS and applications

7
Q

Configuration Management

A

AWS maintains the configuration of its infrastructure devices

customer is responsible for configuring their own guest operating systems, databases, and applications

8
Q

Awareness & Training

A

AWS trains AWS employees, but a customer must train their own employees

9
Q

Customer Specific

A

Controls which are solely the responsibility of the customer based on the application they are deploying within AWS services

Ex. - Service and Communications Protection or Zone Security which may require a customer to route or zone data within specific security environments

10
Q

AWS Cloud Compliance

A

enables you to understand the robust controls in place at AWS to maintain security and data protection in the cloud
as systems are built on top of AWS Cloud infrastructure, compliance responsibilities will be shared
Compliance programs include: Certifications/attestations; laws, regulations, and privacy; alignments/frameworks

11
Q

AWS Artifact

A

your go-to, central resource for compliance-related information that matters to you
it provides on-demand access to AWS’ security and compliance reports and select online agreements

reports available:

  • Service Organization Control (SOC) reports
  • Payment Card Industry (PCI) reports
  • certifications from accreditation bodies across geographies
  • compliance verticals that validate the implementation and operating effectiveness of AWS security controls

Agreements available:

  • Business Associate Addendum (BAA)
  • Nondisclosure agreement (NDA)
12
Q

AWS Organizations Service Control Policies (SCP) & Tag Policies

A

SCPs define the AWS service actions that are available for use (for various accounts)
can restrict actions for a specific account
Tag Policies enforce rules around tagging across accounts and OUs

13
Q

Amazon Inspector

A

automated security assessment service that helps improve the security and compliance of applications deployed on AWS
automatically assesses applications for exposures, vulnerabilities, and deviations from best practices
uses an agent installed on EC2 instances
instances must be tagged

After performing an assessment, Amazon Inspector produces a detailed list of security findings prioritized by level of severity. These findings can be reviewed directly or as part of detailed assessment reports which are available via the Amazon Inspector console or API.

14
Q

AWS Web Application Firewall (WAF)

A

WAF is a web application firewall
protects against common exploits that could compromise application availability, compromise security, or consume excessive resources

15
Q

AWS Shield

A

managed Distributed Denial of Service (DDoS) protection service
safeguards web applications running on AWS with always-on detection and automatic inline mitigations
helps to minimize application downtime and latency
integrated with Amazon CloudFront

two tiers - standard and advanced

  • standard is for everyone, automatic tier once set up;
  • advanced has additional features but not free
16
Q

Amazon Macie

A

new service that has come up on the exam
fully managed data security and data privacy service
uses machine learning and pattern matching to discover, monitor, and help you protect your sensitive data on Amazon S3

Macie enables security compliance and preventive security as follows:

  • identify a variety of data types, including PII, Protected Health Information (PHI), regulatory documents, API keys, and secret keys
  • identify changes to policy and access control lists
  • continuously monitor the security posture of Amazon S3
  • Generate security findings that you can view using the Macie console, AWS Security Hub, or Amazon EventBridge
  • manage multiple AWS accounts using AWS Organizations
17
Q

Amazon GuardDuty

A

a threat detection service that continuously monitors for malicious activity and unauthorized behavior to protect your AWS accounts and workloads

  • Enable GuardDuty - monitors all your AWS accounts w/o additional security software or infrastructure to deploy or manage
  • Continuously analyze - automatically analyze network and account activity at scale, providing broad, continuous monitoring of your AWS accounts
    CloudTrail Logs, VPC Flow Logs, DNS Logs
  • Intelligently detects threats - combines managed rule-sets, threat intelligence from AWS Security and 3rd party intelligence partners, anomaly detection, and ML to intelligently detect malicious or unauthorized behavior
  • Take action - review detailed findings in the console, integrate into event management or workflow systems, or trigger AWS Lambda for automated remediation or prevention
18
Q

Encryption in Transit vs. Encryption at Rest

A

Transit:
Data is protected by SSL/TLS in transit or “in-flight”
entire connection is encrypted
importing data (data in transit)

Rest:
Amazon S3 encrypts the object as it is written to the bucket
Stored data (not moving)

19
Q

AWS Key Management Service (KMS)

A

best tool for encryption @ rest
gives you centralized control over the encryption keys used to protect your data

you can create, import, rotate, disable, delete, define usage policies for, and audit the use of encryption keys used to encrypt your data
integrated with most other AWS services making it easy to encrypt the data you store in these services with encryption keys you control
used for most use-cases

20
Q

AWS CloudHSM

A

tool for encryption @ rest
a cloud-based hardware security module (HSM) that enables you to easily generate and use your own encryption keys on the AWS Cloud

With CloudHSM, you can manage your own encryption keys using FIPS 140-2 Level 3 validated HSMs
offers the flexibility to integrate with your applications using industry-standard APIs, such as PKCS#11, Java Cryptography Extensions (JCE), and Microsoft CryptoNG (CNG) libraries
hardware device that is single tenant

21
Q

Key Difference:

KMS vs CloudHSM

A

KMS - multi-tenant service (sharing amongst many customers)
CloudHSM - single tenant device; only dedicated to you
Most cases, you would probably use KMS

22
Q

AWS Certificate Manager (ACM)

A

tool for encryption in transit
used for creating and managing public SSL/TLS certificates

you can use public certificates provided by ACM (ACM certificates) or certificates that you import into ACM
can also request private certificates from a private certificate authority (CA) created using AWS Certificate Manager Private Certificate Authority
ACM certificates can secure multiple domain names and multiple names within a domain
you can also use ACM to create wildcard SSL certificates that can protect an unlimited number of subdomains

23
Q

AWS Secrets Manager

A

helps you meet your security and compliance requirements by enabling you to rotate secrets safely without the need for code deployments
Secrets Manager offers built-in integration for Amazon RDS, Amazon Redshift, and Amazon DocumentDB and rotates these database credentials on your behalf automatically
you can customize Lambda functions to extend Secrets Manager rotation to other secret types, such as API keys and OAuth tokens

24
Q

Penetration Testing

A

practice of testing one’s own application’s security for vulnerabilities by simulating an attack
you act as an “attacker”
AWS allows penetration testing. There is a limited set of resources on which penetration testing can be performed

25
Q

Identity Providers & Federation

A

Active Directory (AD) (self-managed)
SAML 2.0 compatible LDAP source - AD in this case
Web Identity Federation for mobile apps uses OpenID Connect (OIDC) - AWS recommends Cognito for this use case
Authenticated and authorized users can access AWS services
26
Q

Single Sign-on (SSO)

A

you log in, and you’re able to access multiple accounts

Identity sources can be AWS SSO, Active Directory and standard providers using SAML 2.0

27
Q

AWS Directory Service - AWS Managed Microsoft Active Directory (AD)

A

BLUF: AWS-managed full Microsoft AD running on Windows Server 2012 R2

Use Case: Enterprises that want hosted Microsoft AD or you need LDAP for Linux apps

fully managed AWS services on AWS infrastructure
best choice if you have >5,000 users and/or need a trust relationship set up
runs on Windows server
you can set up trust relationships to extend authentication from on-premises Active Directories into the AWS cloud
On-premises users and groups can access resources in either domain using SSO
requires a VPN or Direct Connect connection
can be used as a standalone AD in the AWS Cloud

28
Q

AWS Directory Service - Simple AD

A

BLUF: low scale, low cost, AD implementation based on Samba. Can also join EC2 instances to the domain

Use Case: simple user directory, or you need LDAP capability

an inexpensive Active Directory - compatible service w/ common directory features
standalone, fully managed, directory on the AWS cloud
Simple AD is generally the least expensive option
best choice for <5,000 users when you don't need advanced AD features
cheaper than Microsoft AD

29
Q

AWS Directory Service - AD Connector

A

BLUF: Allows on-premises users to log into AWS services with their existing AD credentials. Also allows EC2 instances to join the AD domain

Use Case: single sign-on for on-premises employees and for adding EC2 instances to the domain

Sign in to AWS applications such as Amazon WorkSpaces, Amazon WorkDocs, and Amazon WorkMail by using your Active Directory credentials
Seamlessly join Windows EC2 instances to your on-premises AD domain
Provides federated sign-in to the AWS Management Console by mapping Active Directory identities to AWS Identity and Access Management (IAM) roles
AD Connector is a directory gateway for redirecting directory requests to your on-premises Active Directory
Connects your existing on-premises AD to AWS
Best choice when you want to use an existing Active Directory with AWS services
you can also join EC2 instances to your on-premises AD through AD Connector
you can log in to the AWS Management Console using your on-premises AD DCs for authentication

30
Q

AWS Security Bulletins

A

resources you can utilize, available online

Vulnerabilities in AWS services, and things you should know about
go to AWS Security Bulletins and filter by when the notification was released and whether it was important or just informational

31
Q

AWS Abuse Team

A

resources you can utilize, available online

team that can assist you if you believe AWS resources are being used for abusive behaviour
if you suspect that AWS resources are being used for such behaviour, contact this team

32
Q

Penetration Testing:

in case an account is or may be compromised, AWS recommends that the following steps are taken...(5)

A
  • change your AWS root account password
  • change all IAM user’s passwords
  • Delete or rotate all programmatic (API) access keys
  • delete any resources in your account that you did not create
  • respond to any notifications you received from AWS through the AWS Support Center and/or contact AWS Support to open a support case
33
Q

Penetration Testing:

you do not need permission (or prior approval) to perform penetration testing against the following services…(7)

A
  1. Amazon EC2 Instances, NAT Gateways, and Elastic Load Balancers
  2. Amazon RDS and Amazon Aurora
  3. Amazon CloudFront
  4. Amazon API Gateways
  5. AWS Lambda and Lambda Edge functions
  6. Amazon Lightsail resources
  7. Amazon Elastic Beanstalk environments