AWS Cloud Security & Identity

Question 1

Shared Responsibility Model

Answer 1

AWS shared responsibility model defines what you (as an AWS account holder/user) and AWS are responsible for when it comes to security and compliance
Security and Compliance is a shared responsibility between AWS and the customer

Question 2

Shared Responsibility Model:

AWS Responsibilities

Answer 2

responsible for “security of the cloud”
AWS is responsible for protecting the infrastructure that runs all the services offered in the AWS Cloud

infrastructure - hardware, software, networking, and facilities that run AWS Cloud services

Software - compute, storage, database, networking
Hardware/AWS Global Infrastructure - regions, AZ’s, edge locations

Question 3

Shared Responsibility Model:

Customer Responsibilities

Answer 3

responsible for “security in the cloud”
For EC2 this includes network level security (NACLs, security groups), operating system patches and updates, IAM user access management, and client and server-side data encryption
platform, applications, identity & access management
operating system, network and firewall configuration
client-side data encryption & data integrity authentication
server-side encryption (file system and/or data)
networking traffic protection (encryption, protection, identity)

Question 4

Inherited Controls

Answer 4

controls which a customer full inherits from AWS (Physical and Environmental)

Question 5

Shared Controls

Answer 5

Controls which apply to both the infrastructure layer and customer layers, but in completely separate contexts or perspectives

Question 6

Patch Management

Answer 6

AWS - responsible for patching and fixing flaws within the infrastructure

Customers - responsible for patching their guest OS and applications

Question 7

Configuration Management

Answer 7

AWS maintains the configuration of its infrastructure devices

customer is responsible for configuring their own guest operating systems, databases, and applications

Question 8

Awareness & Training

Answer 8

AWS trains AWS employees, but a customer must train their own employees

Question 9

Customer Specific

Answer 9

Controls which are solely the responsibility of the customer based on the application they are deploying within AWS services

Ex. - Service and Communications Protection or Zone Security which may require a customer to route or zone data within specific security environments

Question 10

AWS Cloud Compliance

Answer 10

enables you to understand the robust controls in place at AWS to maintain security and data protection in the cloud
as systems are built on top of AWS Cloud infrastructure, compliance responsibilities will be shared
Compliance programs include: Certifications/attestations; laws, regulations, and privacy; alignments/frameworks

Question 11

AWS Artifact

Answer 11

your go-to, central resource for compliance-related information that matters to you
it provides on-demand access to AWS’ security and compliance reports and select online agreements

reports available:

• Service Organization Control (SOC) reports
• Payment Card Industry (PCI) reports
• certifications from accreditation bodies across geographies
• compliance verticals that validate the implementation and operating effectiveness of AWS security controls

Agreements available:

• Business Associate Addendum (BAA)
• Nondisclosure agreement (NDA)

Question 12

AWS Organizations Service Control Policies (SCP) & Tag Policies

Answer 12

SCPs define the AWS service actions that are available for use (for various accounts)
can restrict actions for a specific account
Tag Policies enforce rules around tagging across accounts and OUs

Question 13

Amazon Inspector

Answer 13

automated security assessment service that helps improve the security and compliance of applications deployed on AWS
automatically assesses applications for exposures, vulnerabilities, and deviations from best practices
uses an agent installed on EC2 instances
instances must be tagged

After performing an assessment, Amazon Inspector produces a detailed list of security findings prioritized by level of severity. These findings can be reviewed directly or as part of detailed assessment reports which are available via the Amazon Inspector console or API.

Question 14

AWS Web Application Firewall (WAF)

Answer 14

WAF is a web application firewall
protects against common exploits that could comprise application availability, comprise security or consume excessive resources

Question 15

AWS Shield

Answer 15

managed Distributed Denial of Service (DDoS) protection service
safeguards web application running on AWS with always-on detection and automatic inline mitigations
helps to minimize application downtime and latency
integrated with Amazon CloudFront

two tiers - standard and advanced

• standard is for everyone, automatic tier once set up;
• advanced has additional features but not free

Question 16

Amazon Macie

Answer 16

new service that has come up on exam
fully managed data security and data privacy service
uses machine learning and pattern matching to discover, monitor, and help you protect your sensitive data on Amazon S3

Macie enables security compliance and preventive security as follows:

• identify a variety of data types, including PII, Protected Health Information (PHI), regulatory documents, API keys, and secret keys
• identify changes to policy and access control lists
• continuously monitor the security posture of Amazon S3
• Generate security findings that you can view using the Macie console, AWS Security Hub, or Amazon EventBridge
• manage multiple AWS accounts using AWS Organizations

Question 17

Amazon GuardDuty

Answer 17

a threat detection service that continuously monitors for malicious activity and unauthorized behavior to protect your AWS accounts and workloads

• Enable GuardDuty - monitors all your AWS accounts w/o additional security software or infrastructure to deploy or manage
• Continuously analyze - automatically analyze network and account activity at scale, providing broad, continuous monitoring of your AWS accounts
  CloudTrail Logs, VPC Flow Logs, DNS Logs
• Intelligently detects threats - combines managed rule-sets, threat intelligence from AWS SEcurity and 3rd party intelligence partners, anomaly detection, and ML to intelligently detect malicious or unauthorized behavior
• Take action - review detailed findings in the console, integrate into event management or workflow systems, or trigger AWS Lambda for automated remediation or prevention

Question 18

Encryption in Transit vs. Encryption at Rest

Answer 18

Transit:
Data is protected by SSL/TLS in transit or “in-flight”
entire connection is encrypted
importing data (data in transit)

Rest:
Amazon S3 encrypts the object as it is written to the bucket
Stored data (not moving)

Question 19

AWS Key Management Service (KMS)

Answer 19

best tool for encryption @ rest
gives you centralized control over the encryption keys used to protect your data

you can create, import, rotate, disable, delete, define usage policies for, and audit the use of encryption keys used to encrypt your data
integrated with most other AWS services making it easy to encrypt the data you store in these services with encryption keys you control
used for most use-cases

Question 20

AWS CloudHSM

Answer 20

tool for encryption @ rest
a cloud-based hardware security module (HSM) that enables you to easily generate and use your own encryption keys on the AWS Cloud

With CloudHSM, you can manage your own encryption keys using FIPS 140-2 Level 3 validated HSMs
offers the flexibility to integrate with your applications using industry-standard APIs, such as PKCS#11, Java Cryptography Extensions (JCE), and Microsoft CryptoNG (CNG) libraries
hardware device that is single tenant

Question 21

Key Difference:

KMS vs CloudHSM

Answer 21

KMS - multi-tenant service (sharing amongst many customers)
CloudHSM - single tenant device; only dedicated to you
Most cases, you would probably use KMS

Question 22

AWS Certificate Manager (ACM)

Answer 22

tool for encryption in transit
used for creating and managing public SSL/TLS certificates

you can use public certificates provided by ACM (ACM certificates) or certificates that you import into ACM
can also request private certificates from a private certificate authority (CA) created using AWS Certificate Manager Private Certificate Authority
ACM certificates can secure multiple domain names and multiple names within a domain
you can also use ACM to create wildcard SSL certificates that can protect an unlimited number of subdomains

Question 23

AWS Secrets Manager

Answer 23

helps you meet your security and compliance requirements by enabling you to rotate secrets safely without the need for code deployments
Secrets Manager offers built-in integration for Amazon RD, Amazon Redshift, and Amazon DocumentDB and rotates these database credentials on your behalf automatically
you can customize Lambda functions to extend Secrets Manager rotation to other secret types, such as API keys and OAuth tokens

Question 24

Penetration Testing

Answer 24

practice of testing one’s own application’s security for vulnerabilities by simulating an attack
you act as an “attacker”
AWS allows penetration testing. There is a limited set of resources on which penetration testing can be performed

Question 25

Identity Providers & Federation

Answer 25

Activity Directory (AD) (self-managed) 
SAML 2.0 compatible LDAP source - AD in this case 
Web Identity Federation for mobile apps uses OpenID Connect (OIDC) - AWS recommend to use Cognito for this use case 
Authenticated and authorized users can access AWS services

Question 26

Single Sign-on (SSO)

Answer 26

you log in, and you’re able to access multiple accounts

Identity sources can be AWS SSO, Active Directory and standard providers using SAML 2.0

Question 27

AWS Directory Service - AWS Managed Microsoft Active Directory (AD)

Answer 27

BLUF: AWS-managed full Microsoft AD running on Windows Server 2012 R2

Use Case: Enterprises that want hosted Microsoft AD or you need LDAP for Linux apps

fully managed AWS services on AWS infrastructure
best choice if you have >5,000 users and/or need a trust relationship set up
runs on Windows server
you can set up trust relationships to extend authentication from on-premises Active Directories into the AWS cloud
On-premise users and groups can access resources in either domain using SSO
requires a VPN or Direct Connect connection
can be used as a standalone AD in the AWS Cloud

Question 28

AWS Directory Service - Simple AD

Answer 28

BLUF: low scale, low cost, AD implementation based on Samba. Can also join EC2 instances to the domain

Use Case: simple user directory, or you need LDAP capability

an inexpensive Active Directory - compatible service w/ common directory features
standalone, fully managed, directory on the AWS cloud
Simple AD is generally the least expensive option
best choice for <5,000 users and don’t need advanced AD features
cheaper than Microsoft AD

Question 29

AWS Directory Service - AD Connector

Answer 29

BLUF: Allows on-premise users to log into AWS services with their existing AD credentials. Also allows EC2 instances to join AD domain

Use Case: single sign-on for on-premises employees and for adding EC2 instances to the domain

Sign in to AWS application such as Amazon WorkSpaces, Amazon WorkDocs, and Amazon WorkMail by using your Active Directory credentials
Seamlessly join Windows EC2 instances to on-premise AD domain
Provides federated sign-in to the AWS Management Console by mapping Active Directory identities to AWS Identity and Access Management (IAM) roles
AD Connector is a directory gateway for redirecting directory requests to your on-premise Active Directory
Connects your existing on-premise AD to AWS
Best choice when you want to use an existing Active Directory with AWS services
you can also join EC2 instances to your on-premise AD through AD Connector
you can login to the AWS Management Console using your on-premise AD DCs for authentication

Question 30

AWS Security Bulletins

Answer 30

resources you can utilize, and you can find online

Vulnerabilities in their services, and things you should know about
go to AWS Security Bulletins, and filter at when the notification was released, if it was important or just informational

Question 31

AWS Abuse Team

Answer 31

resources you can utilize, and you can find online

team that can assist you if you believe AWS are used for abuse behaviour
if you suspect that AWS resources are being used for those behaviors, contact this team

Question 32

Penetration Testing:

in case an account is or may be comprised, AWS recommend that the following steps are taken….(5)

Answer 32

• change your AWS root account password
• change all IAM user’s passwords
• Delete or rotate all programmatic (API) access keys
• delete any resources in your account that you did not create
• respond to any notifications you received from AWS through the AWS Support Center and/or contact AWS Support to open a support case

Question 33

Penetration Testing:

you do not need permission (or prior approval) to perform penetration testing against the following services…(7)

Answer 33

1. Amazon EC2 Instances, NAT Gateways, and Elastic Load Balancers
2. Amazon RDS and Amazon Aurora
3. Amazon CloudFront
4. Amazon API Gateways
5. AWS Lambda and Lambda Edge functions
6. Amazon Lightsail resources
7. Amazon Elastic Beanstalk environments