AWS - Security Flashcards
Shared Responsibility Model
The shared responsibility model defines which security and compliance duties are yours and which are AWS's: AWS is responsible for security of the cloud (the physical facilities, hardware and the software behind managed services), and you are responsible for security in the cloud (your data, identities, network and service configuration, and the operating systems and applications you run on EC2).
Well-architected framework
The Well-Architected Framework describes design principles and best practices for building and running workloads in the cloud; its Security pillar covers identity, detection, infrastructure and data protection, and incident response.
Identity and Access Management (IAM)
IAM lets you control who (identities) can do what (actions) on which AWS services and resources.
Web Application Firewall (WAF)
WAF filters HTTP(S) requests to protect your web applications against common web attacks such as SQL injection and cross-site scripting.
Shield
Shield is a managed Distributed Denial of Service (DDoS) protection service for applications running on AWS.
Macie
Macie helps you discover, classify and protect sensitive data stored in S3.
Config
Config lets you assess, audit and evaluate the configurations of your AWS resources and track how they change over time.
GuardDuty
GuardDuty is an intelligent threat detection service that continuously analyzes account and network activity to uncover malicious or unauthorized behavior.
Inspector
Inspector scans EC2 instances for software vulnerabilities and unintended network exposure and reports what it finds.
Artifact
Artifact offers on-demand access to AWS security and compliance reports (for example SOC and PCI reports) and to select online agreements.
Cognito
Cognito provides sign-up, sign-in and access control for the users of your web and mobile applications.
Key Management Service (KMS)
KMS lets you create, store and control the encryption keys used to protect your data; AWS manages the underlying key material and hardware.
CloudHSM
CloudHSM gives you a dedicated hardware security module (HSM) in which you generate and manage your own encryption keys; AWS has no access to them.
Secrets Manager
Secrets Manager stores, rotates and lets your applications retrieve secrets such as database passwords and API keys.
4 points about IAM
-Helps secure your cloud resources
-Defines who has access (authentication)
-Defines what they are allowed to do (authorization)
-Free, global service (not tied to a single region)
4 IAM identity types
-Root user (the account owner; avoid using it for day-to-day work)
-Individual IAM users
-Groups (collections of users)
-Roles (assumed temporarily; no long-term credentials)
what are 4 kinds of policy that determine what an identity can access?
-Inline policies (embedded directly in one user, group or role)
-AWS managed policies (written and maintained by AWS)
-Customer managed policies (written and maintained by you)
-Permissions boundaries (cap the maximum permissions an identity-based policy can grant; they grant nothing by themselves)
what is authentication
Presenting an identity and proving it is yours, for example with a password, an access key or an MFA code.
what is authorization
Determines which actions, services and resources the authenticated identity is permitted to use.
principle of least privilege
Grant each user, role or service only the minimum permissions required to do its job, and remove permissions that are no longer needed.
what are groups
A collection of IAM users; policies attached to the group apply to every member, so common access controls are managed in one place.
are ec2 security groups the same as IAM user groups?
No. EC2 security groups are stateful virtual firewalls that filter network traffic to and from instances, while IAM groups are collections of IAM users used to attach permissions.
Roles
Roles define a set of permissions and are assumed temporarily by an IAM user, an AWS service (such as EC2) or an external identity; assuming a role yields short-lived credentials instead of long-term access keys.
Policies
Policies manage permissions for IAM users, groups and roles: you create a policy document in JSON format and attach it to the identity. Anything not explicitly allowed is denied, and an explicit deny overrides any allow.
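To make the policy rules on these cards (least privilege, permissions boundaries, JSON policy documents, default deny and explicit deny) concrete, here is an added example; it is not AWS's evaluation engine and not part of the flashcards. It is a toy evaluator for an identity-based policy combined with a permissions boundary: everything is denied by default, an explicit Deny wins over any Allow, and the boundary caps what the identity policy allows but never grants anything itself. It ignores condition keys, resource-based policies, SCPs and session policies. The policy documents, bucket names, actions and the account ID are constructed sample data.

```python
"""Toy IAM policy evaluator with a permissions boundary (added example).

Models three rules of IAM evaluation logic: default deny, explicit Deny
beats Allow, and a permissions boundary only caps the identity policy.
Conditions, resource-based policies, SCPs and session policies are not
modelled. All policy documents and ARNs below are constructed samples.
"""
import fnmatch
import json


def _matches(pattern, value):
    # IAM Action and Resource elements may be a string or a list and use
    # "*" / "?" wildcards; fnmatchcase handles those (ARNs never contain
    # the "[...]" syntax that fnmatch also understands).
    patterns = pattern if isinstance(pattern, list) else [pattern]
    return any(fnmatch.fnmatchcase(value, p) for p in patterns)


def evaluate(policy, action, resource):
    """Decision of ONE policy document: 'Allow', 'Deny' or 'ImplicitDeny'."""
    decision = "ImplicitDeny"
    for stmt in policy["Statement"]:
        if _matches(stmt["Action"], action) and _matches(stmt["Resource"], resource):
            if stmt["Effect"] == "Deny":
                return "Deny"  # explicit deny always wins, stop looking
            decision = "Allow"
    return decision


def is_allowed(identity_policy, action, resource, boundary=None):
    """Effective decision: the identity policy must allow the request and,
    if a permissions boundary is attached, the boundary must allow it too."""
    if evaluate(identity_policy, action, resource) != "Allow":
        return False
    if boundary is None:
        return True
    return evaluate(boundary, action, resource) == "Allow"


# Constructed developer policy: scoped S3 access, an over-broad iam:* grant,
# and an explicit deny that protects the prod/ prefix.
DEVELOPER_POLICY = json.loads("""
{
  "Version": "2012-10-17",
  "Statement": [
    {"Effect": "Allow",
     "Action": ["s3:GetObject", "s3:PutObject"],
     "Resource": "arn:aws:s3:::example-app-bucket/*"},
    {"Effect": "Allow",
     "Action": "iam:*",
     "Resource": "*"},
    {"Effect": "Deny",
     "Action": "s3:PutObject",
     "Resource": "arn:aws:s3:::example-app-bucket/prod/*"}
  ]
}
""")

# Constructed permissions boundary set by the platform team: the developer
# can never exceed S3, so the iam:* grant above becomes ineffective.
BOUNDARY = json.loads("""
{
  "Version": "2012-10-17",
  "Statement": [
    {"Effect": "Allow", "Action": "s3:*", "Resource": "*"}
  ]
}
""")


def demo():
    """Evaluate a few sample requests; account ID 123456789012 is constructed."""
    checks = {
        "read dev object": ("s3:GetObject", "arn:aws:s3:::example-app-bucket/dev/config.json"),
        "write prod object": ("s3:PutObject", "arn:aws:s3:::example-app-bucket/prod/config.json"),
        "create user": ("iam:CreateUser", "arn:aws:iam::123456789012:user/backdoor"),
        "read other bucket": ("s3:GetObject", "arn:aws:s3:::other-bucket/secret.txt"),
    }
    return {name: is_allowed(DEVELOPER_POLICY, a, r, BOUNDARY) for name, (a, r) in checks.items()}


if __name__ == "__main__":
    for name, ok in demo().items():
        print(f"{name:18s} -> {'ALLOW' if ok else 'DENY'}")
```

Only "read dev object" is allowed: the prod write is blocked by the explicit Deny even though an Allow matches it, the IAM call is cut off by the boundary, and the other bucket falls through to the implicit deny because no statement matches it.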
4 IAM best practices
1) Enable MFA for privileged users (especially the root user)
2) Implement strong password policies
3) Create individual IAM users instead of sharing the root user
4) Use IAM roles for applications on Amazon EC2 instances instead of storing access keys on them
IAM credential report
A downloadable CSV that lists every user in your account and the status of their credentials: whether a console password is enabled and when it was last used, whether MFA is active, and which access keys are active and when they were last rotated and used.
what is a firewall
A firewall prevents unauthorized access to your networks by inspecting incoming and outgoing traffic against security rules you've defined and blocking whatever the rules do not permit.
what are 3 things WAF protects against
-Common attack patterns (via your own rules and AWS managed rule groups)
-SQL injection
-Cross-site scripting (XSS)
what is DDoS
A DDoS attack floods a website or web application with traffic from many sources so that it slows down or crashes and legitimate users can no longer reach it.
3 things to remember about Shield
-Always-on detection and mitigation
-Shield Standard is free and enabled automatically for every AWS account
-Shield Advanced is a paid service with additional protection and response support
4 services Shield Advanced protects
-CloudFront
-Route 53
-Elastic Load Balancing
-AWS Global Accelerator
3 points about Macie
-Uses machine learning and pattern matching
-Evaluates your S3 environment (buckets and objects)
-Uncovers personally identifiable information (PII) and other sensitive data
3 points about Config
-Tracks configuration changes over time
-Delivers a configuration history file to S3
-Notifies you via Simple Notification Service (SNS) of configuration changes
3 points about GuardDuty
-Uses machine learning and threat intelligence feeds
-Built-in detection for EC2, S3 and IAM
-Analyzes CloudTrail events, VPC Flow Logs and DNS logs (you do not need to enable or store these logs yourself)
3 points about Inspector
-Uses an agent installed on EC2 instances
-Reports the vulnerabilities found, each with a severity rating
-Checks for exposure to the internet, remote root login, vulnerable software versions, etc.
3 points about Artifact
-Central repository for compliance reports from third-party auditors
-Service Organization Control (SOC) reports
-Payment Card Industry (PCI) reports
3 points about Cognito
-Provides authentication and authorization
-Helps you manage users
-Assists with user sign-up and sign-in (including social and enterprise identity providers)
4 points about KMS
(Key Management Service)
-Generates keys
-Stores and controls keys
-AWS manages the encryption keys and the underlying hardware (multi-tenant service)
-Integrated with many AWS services, so encryption can be turned on with a setting
3 points about CloudHSM
(hardware security module)
-Dedicated, single-tenant hardware for your keys
-You generate and manage your own encryption keys
-AWS does not have access to your keys
3 points about Secrets Manager
-Rotates, manages and retrieves secrets
-Encrypts secrets at rest (using KMS)
-Integrates with services such as RDS, Redshift and DocumentDB for automatic credential rotation