AWS Cloud Security & Identity Flashcards
Shared Responsibility Model
AWS shared responsibility model defines what you (as an AWS account holder/user) and AWS are responsible for when it comes to security and compliance
Security and Compliance is a shared responsibility between AWS and the customer
Shared Responsibility Model:
AWS Responsibilities
responsible for “security of the cloud”
AWS is responsible for protecting the infrastructure that runs all the services offered in the AWS Cloud
infrastructure - hardware, software, networking, and facilities that run AWS Cloud services
Software - compute, storage, database, networking
Hardware/AWS Global Infrastructure - regions, AZs, edge locations
Shared Responsibility Model:
Customer Responsibilities
responsible for “security in the cloud”
For EC2 this includes network level security (NACLs, security groups), operating system patches and updates, IAM user access management, and client and server-side data encryption
platform, applications, identity & access management
operating system, network and firewall configuration
client-side data encryption & data integrity authentication
server-side encryption (file system and/or data)
networking traffic protection (encryption, protection, identity)
Inherited Controls
controls which a customer fully inherits from AWS (Physical and Environmental)
Shared Controls
Controls which apply to both the infrastructure layer and customer layers, but in completely separate contexts or perspectives
Patch Management
AWS - responsible for patching and fixing flaws within the infrastructure
Customers - responsible for patching their guest OS and applications
Configuration Management
AWS maintains the configuration of its infrastructure devices
customer is responsible for configuring their own guest operating systems, databases, and applications
Awareness & Training
AWS trains AWS employees, but a customer must train their own employees
Customer Specific
Controls which are solely the responsibility of the customer based on the application they are deploying within AWS services
Ex. - Service and Communications Protection or Zone Security, which may require a customer to route or zone data within specific security environments
AWS Cloud Compliance
enables you to understand the robust controls in place at AWS to maintain security and data protection in the cloud
as systems are built on top of AWS Cloud infrastructure, compliance responsibilities will be shared
Compliance programs include: Certifications/attestations; laws, regulations, and privacy; alignments/frameworks
AWS Artifact
your go-to, central resource for compliance-related information that matters to you
it provides on-demand access to AWS’ security and compliance reports and select online agreements
reports available:
- Service Organization Control (SOC) reports
- Payment Card Industry (PCI) reports
- certifications from accreditation bodies across geographies
- compliance verticals that validate the implementation and operating effectiveness of AWS security controls
Agreements available:
- Business Associate Addendum (BAA)
- Nondisclosure agreement (NDA)
AWS Organizations Service Control Policies (SCP) & Tag Policies
SCPs define the AWS service actions that are available for use (for various accounts)
can restrict actions for a specific account
Tag Policies enforce rules around tagging across accounts and OUs
Amazon Inspector
automated security assessment service that helps improve the security and compliance of applications deployed on AWS
automatically assesses applications for exposures, vulnerabilities, and deviations from best practices
uses an agent installed on EC2 instances
instances must be tagged
After performing an assessment, Amazon Inspector produces a detailed list of security findings prioritized by level of severity. These findings can be reviewed directly or as part of detailed assessment reports which are available via the Amazon Inspector console or API.
AWS Web Application Firewall (WAF)
WAF is a web application firewall
protects against common exploits that could compromise application availability, compromise security, or consume excessive resources
AWS Shield
managed Distributed Denial of Service (DDoS) protection service
safeguards web applications running on AWS with always-on detection and automatic inline mitigations
helps to minimize application downtime and latency
integrated with Amazon CloudFront
two tiers - standard and advanced
- standard is available to everyone and is applied automatically once set up
- advanced has additional features but is not free