AWS Security Flashcards
For the AWS Certified Solutions Architect—Associate exam prep. Increase understanding about AWS security services and functions, such as encryption, account management, permissions, gateways, and more.
Identity & Access Management (IAM)
Global service (not tied to any region) that controls who can be authenticated (signed in) to your AWS account and what they are authorized (permitted) to do with its resources. Users, groups, roles, and policies are IAM resources.
AWS Organizations
Centrally manage multiple AWS accounts. Includes ability to:
* Consolidate billing & manage costs
* Control access and permissions
* Share resources
* Audit for compliance
* Integrate with AWS IAM
Virtual Private Cloud (VPC)
What security is available for a VPC? (8 answers)
A logically isolated virtual network dedicated to your AWS account. You specify its IP address range (CIDR block), then add subnets, gateways, route tables, security groups, and network ACLs.
Security Available:
* Create subnets in multiple AZs
* Security groups (control traffic to and from an instance)
* Network Access Control Lists (ACLs—control network traffic to and from a subnet)
* Amazon GuardDuty (detects threats to your accounts, data, workloads, etc.)
* Use IAM to manage access to your AWS resources
* Use VPC Flow Logs to monitor the IP traffic
* Use AWS Network Firewall to filter inbound and outbound VPC traffic
* Use Network Access Analyzer to identify unintended network access
Note: A subnet is a range of IP addresses in your VPC; each subnet lives in exactly one Availability Zone.
AWS WAF (Web Application Firewall)
What does it do and which services can you use it with?
Protects web apps and APIs at layer 7 by:
1. Monitoring, allowing, blocking, counting, or challenging (CAPTCHA) web requests
2. Applying custom rules (in a web ACL) that match on IP addresses, headers, URI, body, or request rate to block common attack patterns such as SQL injection and cross-site scripting
3. Using AWS Managed Rules and vendor rule groups that are updated automatically
You can use WAF with:
* Amazon CloudFront
* API Gateway (REST APIs)
* Application Load Balancers
* AWS AppSync GraphQL APIs and Amazon Cognito user pools
Site-to-Site VPN
A hybrid service for connecting on-premises networks to AWS. It uses IPsec to create encrypted tunnels over the public internet between a customer gateway device and a virtual private gateway or transit gateway. Each VPN connection provides two tunnels for redundancy.
Each tunnel has a maximum throughput of 1.25 Gbps (gigabits, not gigabytes, per second). Latency and availability depend on the internet path. Some Site-to-Site VPN quotas cannot be increased.
AWS PrivateLink
Lets a consumer VPC reach a specific service hosted in another VPC (an AWS service, your own service behind a Network Load Balancer, or a partner service) through an interface endpoint with a private IP address in the consumer VPC.
Traffic stays on the AWS network and never touches the internet; the consumer only reaches the exposed service, not the whole provider VPC.
Better than VPC peering for scaling: the connection is one-directional, one service can be exposed to many consumer VPCs, and overlapping CIDR blocks are not a problem.
Use VPC peering instead when two VPCs need full, bidirectional network access to each other's resources, as though on the same network.
What are the best practices for securing AWS accounts?
7 Answers
- Multi-factor authentication
- Limit root user account usage
- Use IAM groups, users, roles, and policies with least-privilege access
- Regularly rotate access keys
- Use strong password policies
- Use CloudTrail for logging
- Encrypt data in transit and at rest
AWS Security Token Service
A web service that issues temporary security credentials (for example via AssumeRole or identity federation) for accessing AWS resources. Used in tandem with IAM.
The credentials consist of an access key ID, a secret access key, and a session token, and they expire after a configurable duration, which is why they are preferred over long-lived IAM user access keys.
When should you hard-code credentials into your application?
Never
What’s the difference between resource, identity, permission, and service control policies?
How are they evaluated when there are overlapping allow and deny rules?
Permission policies are split into two categories:
1. Identity policies that are attached to a user, group, or role.
John Doe can read and write Resource A
2. Resource policies that are attached to a resource like S3, SQS, DynamoDB, etc.
Resource A:
John Doe: Read, Write &
Jane Doe: Deny Access
Service control policies (SCPs) are applied through AWS Organizations to accounts or organizational units. They define the maximum permissions available in those accounts; they don't actually grant permissions, they serve as a filter on what identity and resource policies can grant (they do not affect the management account).
When there are conflicting policies:
1. AWS starts from DENY: a request that no policy allows is implicitly denied. This is true for all types of policies
2. If there's an explicit DENY in any applicable policy (identity, resource, SCP, permissions boundary, or session policy), AWS denies the request; an explicit Deny always overrides an Allow
3. If there are no explicit DENYs and the account belongs to an organization, AWS checks the SCPs: if no SCP allows the action, the request is denied
4. Next, AWS looks at the resource-based policies. For a principal in the same account, an Allow in the resource policy is enough; a cross-account principal needs an Allow in both the resource policy and its own identity policies
5. Lastly, if the resource policy did not decide the request, an identity-based policy must contain an Allow
(Note that for complete evaluations there are two additional filters: permissions boundaries and session policies. Each, when present, must also allow the action, and neither grants anything by itself.)
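As an added example, not AWS code and not part of the original flashcards, the Python below models the evaluation order above for a same-account request. It ignores Condition blocks, NotAction/NotResource, session policies and cross-account rules, matches wildcards with fnmatch, and runs against constructed policies whose account ID, user names and bucket name are made up.

```python
"""Simplified model of the IAM policy-evaluation order (added example, not AWS code).

Simplifications: same-account requests by IAM users only; no Condition blocks,
NotAction/NotResource or session policies; wildcards are matched with fnmatch.
"""
from fnmatch import fnmatchcase


def _as_list(value):
    return [value] if isinstance(value, str) else list(value or [])


def _statement_matches(stmt, action, resource, principal):
    """True if the statement's Action, Resource and (resource policies only) Principal cover the request."""
    action_ok = any(fnmatchcase(action, p) for p in _as_list(stmt.get("Action")))
    resource_ok = any(fnmatchcase(resource, p) for p in _as_list(stmt.get("Resource", "*")))
    principal_ok = True
    if "Principal" in stmt:            # only resource-based policies carry a Principal element
        who = stmt["Principal"]
        if who != "*":
            principal_ok = principal in _as_list(who.get("AWS"))
    return action_ok and resource_ok and principal_ok


def _effects(policy, action, resource, principal):
    """Effects ('Allow'/'Deny') of every statement in one policy that matches the request."""
    return [s["Effect"] for s in policy.get("Statement", [])
            if _statement_matches(s, action, resource, principal)]


def evaluate(principal, action, resource, identity_policies,
             resource_policy=None, scps=None, boundary=None):
    """Return (decision, reason). scps=None means the account is not in an Organization;
    a list (even an empty one) means exactly these SCPs apply to the account."""
    layers = [("identity-based", p) for p in identity_policies]
    if resource_policy is not None:
        layers.append(("resource-based", resource_policy))
    layers += [("SCP", p) for p in (scps or [])]
    if boundary is not None:
        layers.append(("permissions boundary", boundary))

    # Step 2: an explicit Deny anywhere wins over every Allow.
    for name, policy in layers:
        if "Deny" in _effects(policy, action, resource, principal):
            return "DENY", f"explicit deny in {name} policy"

    # Step 3: inside an Organization at least one SCP must allow the action
    # (the default FullAWSAccess SCP is what normally does this).
    if scps is not None and not any("Allow" in _effects(p, action, resource, principal) for p in scps):
        return "DENY", "no SCP allows the action (implicit deny)"

    # Step 4: a resource-based policy that allows this same-account principal is sufficient.
    if resource_policy is not None and "Allow" in _effects(resource_policy, action, resource, principal):
        return "ALLOW", "resource-based policy allows the principal"

    # Step 5: otherwise an identity-based policy must allow it ...
    if not any("Allow" in _effects(p, action, resource, principal) for p in identity_policies):
        return "DENY", "no policy allows the action (implicit deny)"

    # ... and a permissions boundary, when attached, must allow it too.
    if boundary is not None and "Allow" not in _effects(boundary, action, resource, principal):
        return "DENY", "permissions boundary does not allow the action"
    return "ALLOW", "identity-based policy allows the action"


# Constructed sample policies (account ID, user names and bucket are made up).
JOHN = "arn:aws:iam::123456789012:user/john"
JANE = "arn:aws:iam::123456789012:user/jane"
BOB = "arn:aws:iam::123456789012:user/bob"
OBJECTS = "arn:aws:s3:::app-bucket/*"

READ_WRITE = {"Statement": [{"Effect": "Allow", "Action": ["s3:GetObject", "s3:PutObject"], "Resource": OBJECTS}]}
BUCKET_POLICY = {"Statement": [
    {"Effect": "Allow", "Principal": {"AWS": [JOHN, BOB]}, "Action": "s3:GetObject", "Resource": OBJECTS},
    {"Effect": "Deny", "Principal": {"AWS": JANE}, "Action": "s3:*", "Resource": OBJECTS},
]}
SCPS = [{"Statement": [
    {"Effect": "Allow", "Action": "*", "Resource": "*"},                 # FullAWSAccess
    {"Effect": "Deny", "Action": "s3:DeleteBucket", "Resource": "*"},   # org-wide guardrail
]}]
GET_ONLY_BOUNDARY = {"Statement": [{"Effect": "Allow", "Action": "s3:GetObject", "Resource": "*"}]}

if __name__ == "__main__":
    key = "arn:aws:s3:::app-bucket/report.csv"
    print("john get   ", evaluate(JOHN, "s3:GetObject", key, [READ_WRITE], BUCKET_POLICY, SCPS))
    print("jane get   ", evaluate(JANE, "s3:GetObject", key, [READ_WRITE], BUCKET_POLICY, SCPS))
    print("bob get    ", evaluate(BOB, "s3:GetObject", key, [], BUCKET_POLICY, SCPS))
    print("john delete", evaluate(JOHN, "s3:DeleteBucket", "arn:aws:s3:::app-bucket", [READ_WRITE], None, SCPS))
    print("john put+pb", evaluate(JOHN, "s3:PutObject", key, [READ_WRITE], None, SCPS, GET_ONLY_BOUNDARY))
```

Bob has no identity policy at all yet can read objects because the bucket policy names him (same account); Jane has the same identity policy as John but is stopped by the explicit Deny in the bucket policy; and the SCP guardrail denies s3:DeleteBucket to everyone in the account regardless of their identity policies.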
Which resources and services provide traceability?
Three answers
- AWS CloudTrail
- Amazon CloudWatch (metrics, logs, and alarms)
- AWS Organizations (an organization trail in CloudTrail collects API events from every member account)
What is the difference between a default and custom VPC, and how is their security configured?
A default VPC is created automatically in each region of an AWS account. It comes with a default public subnet in each AZ, an internet gateway, a main route table that sends 0.0.0.0/0 to that gateway, a default security group, and a default network ACL; instances launched in it receive a public IPv4 address.
The default VPC is used whenever you launch an instance without specifying a subnet.
Custom VPCs require manual creation and configuration: you must create and configure each component (CIDR block, subnets, gateways, route tables, security groups, network ACLs) yourself, so nothing is reachable from the internet until you make it so.
What is the resiliency type for a VPC?
(Global, zonal, or regional)
Regional
What is the resiliency type for a subnet?
(Global, zonal, or regional)
Zonal
What is a NAT gateway?
How do you set one up?
NAT gateways allow instances in a private subnet to initiate IPv4 connections to the internet (for example, to fetch package updates) while preventing the internet from initiating connections to the instances. (For IPv6, use an egress-only internet gateway instead.)
You set one up through the VPC console. You must create it in a public subnet (one whose route table sends 0.0.0.0/0 to an internet gateway) and assign it an Elastic IP address. Then add a 0.0.0.0/0 route pointing to the NAT gateway in the private subnet's route table.
What is a security group?
How do you set one up? When would you need one?
Stateful: if a connection is allowed in one direction, its return traffic is allowed automatically, whatever the rules in the other direction say. Security groups contain only allow rules; anything not explicitly allowed is denied.
A virtual firewall that controls the incoming and outgoing traffic of your EC2 instances (more precisely, of their network interfaces). It decides what traffic is allowed based on rules such as protocol, port range, and source or destination (a CIDR block or another security group).
It's recommended to create a security group whenever you create an EC2 instance. Security groups can also isolate the tiers of an application, for example by allowing database traffic only from the application tier's security group.
An instance can have multiple security groups. This is in contrast with Network ACLs, where a subnet can have only ONE.
Note: when you create a VPC, it comes with a default security group that allows all outbound traffic and inbound traffic only from instances in that same security group.
Default for a new security group you create: all inbound traffic denied (no inbound rules), all outbound traffic allowed.
What is a Network Access Control List?
Stateless: inbound and outbound rules are evaluated independently, so return traffic must be allowed explicitly in the opposite direction (typically an outbound rule for the ephemeral ports 1024-65535).
A subnet-level firewall that allows and blocks traffic for every network interface in the subnet. Rules are numbered and evaluated from the lowest number upward; the first matching rule decides, and a final implicit rule denies anything unmatched. Unlike security groups, NACLs support explicit deny rules.
A subnet can be associated with only ONE NACL (one NACL can serve many subnets). This is in contrast with a security group, of which an instance can have several.
Default: the default NACL of a VPC allows all inbound and outbound traffic; a custom NACL you create denies all traffic until you add rules.
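As an added example (not AWS code, not from the original cards), the Python below models a stateful security group and a stateless NACL just far enough to show the difference: the same HTTPS request is accepted by both, but only the security group lets the reply out without an explicit rule, and for the NACL the rule number decides which rule wins. The client address, ports and rules are constructed for the demonstration.

```python
"""Stateful security group vs. stateless network ACL (added example, not AWS code)."""
import ipaddress


def _rule_matches(rule, proto, port, ip):
    """rule = (protocol, port_range, cidr); protocol 'all' or port_range None means any."""
    r_proto, r_ports, r_cidr = rule
    proto_ok = r_proto in ("all", proto)
    port_ok = r_ports is None or r_ports[0] <= port <= r_ports[1]
    return proto_ok and port_ok and ipaddress.ip_address(ip) in ipaddress.ip_network(r_cidr)


class SecurityGroup:
    """Allow-only rules, all rules evaluated; connection tracking makes it stateful."""

    def __init__(self, inbound=(), outbound=()):
        self.inbound, self.outbound = list(inbound), list(outbound)
        self.tracked = set()    # (remote_ip, remote_port, local_port, proto) of allowed connections

    def inbound_ok(self, proto, src_ip, src_port, dst_port):
        if (src_ip, src_port, dst_port, proto) in self.tracked:     # reply to an allowed outbound connection
            return True
        if any(_rule_matches(r, proto, dst_port, src_ip) for r in self.inbound):
            self.tracked.add((src_ip, src_port, dst_port, proto))
            return True
        return False

    def outbound_ok(self, proto, dst_ip, dst_port, src_port):
        if (dst_ip, dst_port, src_port, proto) in self.tracked:     # reply to an allowed inbound connection
            return True
        if any(_rule_matches(r, proto, dst_port, dst_ip) for r in self.outbound):
            self.tracked.add((dst_ip, dst_port, src_port, proto))
            return True
        return False


class NetworkAcl:
    """Numbered allow/deny rules per direction; lowest matching number wins; implicit deny; no state."""

    def __init__(self, inbound=(), outbound=()):
        # rule = (number, 'allow' | 'deny', protocol, port_range, cidr)
        self.inbound = sorted(inbound, key=lambda r: r[0])
        self.outbound = sorted(outbound, key=lambda r: r[0])

    @staticmethod
    def _decide(rules, proto, port, ip):
        for _number, action, *rule in rules:
            if _rule_matches(rule, proto, port, ip):
                return action == "allow"
        return False                                   # the final '*' rule: deny

    def inbound_ok(self, proto, src_ip, dst_port):
        return self._decide(self.inbound, proto, dst_port, src_ip)

    def outbound_ok(self, proto, dst_ip, dst_port):
        return self._decide(self.outbound, proto, dst_port, dst_ip)


EPHEMERAL_TCP = ("tcp", (1024, 65535), "0.0.0.0/0")


def https_scenario():
    """Constructed scenario: client 203.0.113.10:51234 opens HTTPS to an instance in the subnet."""
    client, client_port = "203.0.113.10", 51234
    sg = SecurityGroup(inbound=[("tcp", (443, 443), "0.0.0.0/0")])        # deliberately no outbound rule
    nacl_broken = NetworkAcl(inbound=[(100, "allow", "tcp", (443, 443), "0.0.0.0/0")])
    nacl_fixed = NetworkAcl(inbound=[(100, "allow", "tcp", (443, 443), "0.0.0.0/0")],
                            outbound=[(100, "allow", *EPHEMERAL_TCP)])
    return {
        "sg_request_in": sg.inbound_ok("tcp", client, client_port, 443),
        "sg_reply_out": sg.outbound_ok("tcp", client, client_port, 443),            # stateful: allowed
        "nacl_request_in": nacl_broken.inbound_ok("tcp", client, 443),
        "nacl_reply_out_broken": nacl_broken.outbound_ok("tcp", client, client_port),  # stateless: dropped
        "nacl_reply_out_fixed": nacl_fixed.outbound_ok("tcp", client, client_port),
        "new_sg_default_inbound": SecurityGroup().inbound_ok("tcp", client, client_port, 22),
    }


def nacl_rule_order():
    """Rule numbers decide: a deny at 100 beats an allow at 200, and the reverse lets the client in."""
    deny_first = NetworkAcl(inbound=[(100, "deny", "all", None, "203.0.113.0/24"),
                                     (200, "allow", "all", None, "0.0.0.0/0")])
    allow_first = NetworkAcl(inbound=[(200, "deny", "all", None, "203.0.113.0/24"),
                                      (100, "allow", "all", None, "0.0.0.0/0")])
    return deny_first.inbound_ok("tcp", "203.0.113.10", 443), allow_first.inbound_ok("tcp", "203.0.113.10", 443)


if __name__ == "__main__":
    for name, result in https_scenario().items():
        print(f"{name:24} {result}")
    print("nacl rule order (deny@100, allow@100):", nacl_rule_order())
```

The broken NACL is the classic mistake: the inbound 443 rule looks sufficient, but the server's SYN-ACK leaves on the client's ephemeral port and is dropped until an outbound ephemeral-port rule exists.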
What is a route table?
Rules (routes) that direct network traffic leaving a subnet in a VPC. Each route maps a destination CIDR block to a target such as local, an internet gateway, a NAT gateway, a peering connection, a transit gateway, or a VPC endpoint. Every route table has a local route for the VPC's own CIDR block.
A subnet can be associated with only one route table (the VPC's main route table if none is chosen explicitly). However, multiple subnets can be associated with the same route table.
Traffic is sent to the most specific route that matches its destination address (known as longest prefix match); if no route matches, the traffic is dropped.
What is VPC peering?
Allows separate VPCs to communicate with each other using private IP addresses, as though on the same network.
Traffic stays on the AWS network and never touches the internet. It doesn't require a VPN or gateway, and it works across different AWS accounts and/or regions.
You can't create a VPC peering connection between VPCs that have matching or overlapping IPv4 or IPv6 CIDR blocks. Peering is also not transitive: if A peers with B and B peers with C, A cannot reach C through B.
Note: each VPC can have 50 active peering connections by default; the quota can be raised to at most 125.
Use PrivateLink for exposing specific services in one VPC to others. PrivateLink is more scalable and less complex than a mesh of peering connections.
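As an added example covering the NAT gateway, route table and VPC peering cards above (not AWS code, not from the original page), the Python below implements longest-prefix-match lookup over a VPC route table with its implicit local route, checks the two conditions a NAT gateway needs (a public subnet for itself and a default route from the private subnet), and applies the overlapping-CIDR rule that blocks peering. The VPC CIDR and the igw/nat/pcx resource IDs are made up.

```python
"""VPC route-table lookup with longest-prefix match, NAT gateway placement check and the
peering CIDR rule (added example, not AWS code; resource IDs are made up)."""
import ipaddress

DEFAULT_ROUTE = ipaddress.ip_network("0.0.0.0/0")


class RouteTable:
    def __init__(self, vpc_cidr, routes=()):
        # Every VPC route table carries an implicit 'local' route for the VPC CIDR.
        self.routes = {ipaddress.ip_network(vpc_cidr): "local"}
        for cidr, target in routes:
            self.add(cidr, target)

    def add(self, cidr, target):
        self.routes[ipaddress.ip_network(cidr)] = target   # one target per destination prefix

    def lookup(self, dst_ip):
        """Target for a destination address, or None when no route matches (packet is dropped)."""
        addr = ipaddress.ip_address(dst_ip)
        matches = [net for net in self.routes if addr in net]
        if not matches:
            return None
        return self.routes[max(matches, key=lambda net: net.prefixlen)]   # longest prefix wins

    def has_internet_route(self):
        """A subnet is 'public' when its default route points at an internet gateway."""
        return str(self.routes.get(DEFAULT_ROUTE, "")).startswith("igw-")


def nat_gateway_placement_ok(nat_subnet_rt, private_subnet_rt, nat_id):
    """A NAT gateway works only if its own subnet is public and the private subnet's
    default route points at it. 198.51.100.1 (TEST-NET-2) stands in for 'any internet host'."""
    return nat_subnet_rt.has_internet_route() and private_subnet_rt.lookup("198.51.100.1") == nat_id


def peering_allowed(cidr_a, cidr_b):
    """VPC peering is refused for overlapping CIDRs: the local route would be ambiguous."""
    return not ipaddress.ip_network(cidr_a).overlaps(ipaddress.ip_network(cidr_b))


# Constructed topology: one VPC, a public subnet, a private subnet and a peered VPC 10.1.0.0/16.
VPC_CIDR = "10.0.0.0/16"
IGW, NAT, PCX = "igw-0a1b2c3d4e5f6a7b8", "nat-0123456789abcdef0", "pcx-0fedcba9876543210"
PUBLIC_RT = RouteTable(VPC_CIDR, [("0.0.0.0/0", IGW)])
PRIVATE_RT = RouteTable(VPC_CIDR, [("0.0.0.0/0", NAT), ("10.1.0.0/16", PCX)])
ISOLATED_RT = RouteTable(VPC_CIDR)          # no default route: internet traffic is dropped

if __name__ == "__main__":
    for dst in ("8.8.8.8", "10.1.4.20", "10.0.2.15"):
        print(f"private subnet -> {dst:10} via {PRIVATE_RT.lookup(dst)}")
    print("isolated subnet -> 8.8.8.8 via", ISOLATED_RT.lookup("8.8.8.8"))
    print("NAT in public subnet ok:", nat_gateway_placement_ok(PUBLIC_RT, PRIVATE_RT, NAT))
    print("NAT in private subnet ok:", nat_gateway_placement_ok(PRIVATE_RT, PRIVATE_RT, NAT))
    print("peer 10.0.0.0/16 with 10.0.128.0/17:", peering_allowed(VPC_CIDR, "10.0.128.0/17"))
```

The peering route 10.1.0.0/16 wins over the 0.0.0.0/0 default route for 10.1.4.20 because it is the more specific prefix, which is exactly the longest-prefix rule the card describes; a NAT gateway created in the private subnet itself fails the placement check because that subnet has no path to an internet gateway.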
What are transit gateways?
A regional network hub (hub and spoke) that connects many VPCs, Site-to-Site VPNs, and Direct Connect gateways through a single gateway, with route tables on the gateway controlling which attachments can talk to each other. Unlike VPC peering, routing through a transit gateway is transitive, so it replaces a mesh of peering connections. Traffic stays on the AWS network; only the VPN attachments are encrypted (with IPsec).
Each VPN tunnel attached to a transit gateway is limited to 1.25 Gbps (ECMP across several tunnels scales this), while a VPC attachment supports up to 50 Gbps. It also tends to be more expensive than VPC peering, since attachments and data processing are billed.
What are VPN connections?
What are the VPN types?
A secure, encrypted tunnel managed by Amazon Web Services (AWS) that connects your on-premises network or remote devices to your AWS cloud.
Two types:
1. Site-to-Site VPN: for connecting an on-premises network to the AWS cloud over IPsec.
2. Client VPN: a managed, OpenVPN-based service that lets individual users access both on-premises and AWS resources from a remote location.
AWS Direct Connect
Creates a dedicated private network connection between an on-premises network and AWS, bypassing the internet.
Higher reliability and consistent throughput, not dependent on internet bandwidth. Note that Direct Connect traffic is not encrypted by default: run a Site-to-Site VPN over it, or use MACsec (available on dedicated connections), if encryption is required.
What is an endpoint service?
VPC endpoints let resources in a VPC reach supported AWS services (and PrivateLink services) privately, without an internet gateway, NAT gateway, or VPN. Two types: gateway endpoints (S3 and DynamoDB, added as a route-table entry) and interface endpoints (an elastic network interface with a private IP address, powered by PrivateLink).
An alternative to NAT and internet gateways for reaching AWS services. An endpoint policy can restrict which principals and resources are reachable through the endpoint.
AWS Client VPN
A managed, OpenVPN-based client VPN service that allows users to access both on-premises and AWS resources from a remote location.