AWS Security Flashcards
Shared Responsibility Model
AWS manages security OF the cloud;
Customer is responsible for security IN the cloud.
Benefits of AWS Security
Keep Your Data Safe – the AWS infrastructure puts strong safeguards in place to help.
Protect your privacy – All data is stored in highly secure AWS data centers.
Meet Compliance Requirements – AWS manages dozens of compliance programs in its infrastructure. This means that segments of your compliance have already been completed.
Save Money – cut costs by using AWS data centers. Maintain the highest standard of s security without having to manage your own facility.
Scale Quickly – security scales with your AWS Cloud usage. No matter the size of your business, the AWS infrastructure is designed to keep your data safe.
Compliance
AWS Cloud Compliance enables you to understand the robust controls in place at AWS to maintain security and data protection in the cloud.
As systems are built on top of AWS Cloud infrastructure, compliance responsibilities will be shared.
Compliance programs include:
Certifications / attestations.
Laws, regulations, and privacy.
Alignments / frameworks.
Go-to, central resource for compliance-related information that matters to you.
AWS Artifact
AWS Artifact Features and Benefits
Provides on-demand access to AWS’ security and compliance reports and select online agreements.
Reports available in AWS Artifact include our Service Organization Control (SOC) reports, Payment Card Industry (PCI) reports, and certifications from accreditation bodies across geographies and compliance verticals that validate the implementation and operating effectiveness of AWS security controls.
Agreements available in AWS Artifact include the Business Associate Addendum (BAA) and the Nondisclosure Agreement (NDA).
Offers threat detection and continuous security monitoring for malicious or unauthorized behavior to help you protect your AWS accounts and workloads.
Intelligent threat detection service.
Detects account compromise, instance compromise, malicious reconnaissance, and bucket compromise.
Amazon GuardDuty
Amazon GuardDuty provides continuous monitoring for:
AWS CloudTrail Management Events.
AWS CloudTrail S3 Data Events.
Amazon VPC Flow Logs.
DNS Logs.
AWS WAF
AWS WAF is a web application firewall.
Protects against common exploits that could compromise application availability, compromise security, or consume excessive resources.
WAF lets you create rules to filter web traffic based on conditions that include IP addresses, HTTP headers and body, or custom URIs.
WAF makes it easy to create rules that block common web exploits like SQL injection and cross site scripting.
The rules are known as Web ACLs.
AWS Shield
AWS Shield is a managed Distributed Denial of Service (DDoS) protection service.
Safeguards web application running on AWS with always-on detection and automatic inline mitigations.
Helps to minimize application downtime and latency.
Two tiers – Standard and Advanced.
Gives you centralized control over the encryption keys used to protect your data.
AWS Key Management Service (AWS KMS)
AWS Key Management Service (AWS KMS) Features and Benefits
You can create, import, rotate, disable, delete, define usage policies for, and audit the use of encryption keys used to encrypt your data.
AWS Key Management Service is integrated with most other AWS services making it easy to encrypt the data you store in these services with encryption keys you control.
AWS KMS is integrated with AWS CloudTrail which provides you the ability to audit who used which keys, on which resources, and when.
AWS KMS enables developers to easily encrypt data, whether through 1-click encryption in the AWS Management Console or using the AWS SDK to easily add encryption in their application code.
A cloud-based hardware security module (HSM) that enables you to easily generate and use your own encryption keys on the AWS Cloud.
AWS CloudHSM
A service that lets you easily provision, manage, and deploy public and private Secure Sockets Layer/Transport Layer Security (SSL/TLS) certificates for use with AWS services and your internal connected resources.
SSL/TLS certificates are used to secure network communications and establish the identity of websites over the Internet as well as resources on private networks.
This service removes the time-consuming manual process of purchasing, uploading, and renewing SSL/TLS certificates.
AWS Certificate Manager
AWS Inspector:
Inspector is an automated security assessment service that helps improve the security and compliance of applications deployed on AWS.
Inspector automatically assesses applications for vulnerabilities or deviations from best practices.
Uses an agent installed on EC2 instances.
Instances must be tagged.