AWS Security Flashcards
What do all AWS customers benefit from?
- A data center and network architecture built to satisfy the requirements of the most security-sensitive customers
- Customers get a resilient infrastructure designed for high security without the capital overlay and operational overhead of a traditional data center
- You also get advanced security services which allow teams to proactively address emerging risks in real-time while paying for only what you use
Cloud-based governance
- Offers a lower cost of entry, easier operations and improved agility by providing greater oversight, security control, and central automation
- You inherit the many security controls AWS operates which reduces the number of controls you need to maintain
- Your own compliance and certification programs are strengthened while lowering your costs to maintain such programs/requirements
AWS network security services and capabilities:
- Built-in firewalls — allow you to create private networks within AWS
- Encryption in transit
- Private/dedicated connections — connectivity options from your office or on-premises environments
- Distributed Denial of Service (DDoS) mitigations — part of your Auto Scaling or content delivery strategies
AWS tools that enable your cloud resources to comply with organizational standards:
- Deployment tools
- Inventory & configuration management tools
- Template definition & management tools
Deployment tools
- A type of AWS tool that enables your cloud resources to comply with organizational standards
- They manage the creation and decommissioning of AWS resources
Inventory & configuration management tools
- An AWS tool that enables your cloud resources to comply with organizational standards
- They identify AWS resources and then track and manage changes to resources over time
Template definition & management tools
- An AWS tool that enables your cloud resources to comply with organizational standards
- They create standard preconfigured VMs for Amazon EC2 instances
Encryption features:
- Data encryption — available in AWS storage and database services such as Amazon EBS, Amazon S3, Amazon Redshift, etc.
- Flexible key management options — ability to choose whether you have AWS manage the encryption keys or you maintain complete control over your keys
AWS Security facts:
- AWS provides APIs to integrate encryption and data protection with the services you develop or deploy in an environment
- AWS offers capabilities to define, enforce and manage user access policies across AWS services
- AWS offers hundreds of products that integrate with existing controls and your on-premises environment, including — anti-malware, web application firewalls, and intrusion protection
AWS services with user access policies:
- Identity and Access Management (IAM)
- Multi-Factor Authentication (MFA)
Identity and Access Management (IAM)
- An AWS service with user access policies
- It enables you to manage access to AWS services and resources securely as it defines individual user accounts with permissions across AWS resources
Multi-Factor Authentication (MFA)
- An AWS service with user access policies
- It’s a security feature for privileged accounts that augments user name and password credentials
- Includes options for hardware-based authenticators, and integration and federation with corporate directories — in order to reduce administrative overhead and improve user experience
AWS tools and features to monitor your environment:
- Deep visibility into API calls — including who, what, when and where calls were made
- Log aggregation — streamlining investigations and compliance reporting
- Alert notifications — when specific events occur or thresholds are exceeded
The Shared Responsibility Model
- A model that looks at your application stack as a whole and divides it into different pieces — some pieces AWS is 100% responsible for, others the customer is 100% responsible for
- Third-party audits of the AWS network stack and physical elements occur regularly to provide you with exact information on how it’s done
- AWS has no visibility into the Guest OS, Application, and User Data of customers — these are protected by the customer’s secret access key combinations and by your encryption methods
- Customers can take advantage of shifting management of certain IT controls to AWS — which results in a new distributed control environment
AWS responsibility in ‘The Shared Responsibility Model’
- Protecting the infrastructure that all AWS services operate on
- Infrastructure is composed of — hardware, software, networking, and facilities
Customer responsibility for EC2 instances in ‘The Shared Responsibility Model’
- Management of the Guest OS — including updates and security patches
- Application software and utilities installed by the customer
- Configuration of security groups
Abstracted services
- Storage, database, or messaging services
- Include services such as Amazon S3 and Amazon DynamoDB
AWS responsibility for abstracted services in ‘The Shared Responsibility Model’
Within these services, AWS operates the infrastructure layer, OS, and platforms
Customer responsibility for abstracted services in ‘The Shared Responsibility Model’
- Managing data — including encryption options
- Classifying assets
- Using IAM tools to apply appropriate permissions
Hypervisor
- Software that creates, runs, and manages VMs
- Protects the physical hardware and virtualizes the CPU, storage, and networking, while providing a rich set of management capabilities
- Many specific changes have been made to this software to make it secure and scalable, so that millions of concurrent customers can run on it without worry of any data leakage - it is 100% managed by AWS within ‘The Shared Responsibility Model’
API usage within IAM
- Everything in AWS is an API, which is critical because to execute an API call you have to AUTHENTICATE and then AUTHORIZE
- If you use policy documents attached to users and you’re not using root-level credentials, you can execute a single API that removes every policy document from all users, groups and roles
- AWS CloudTrail records every API action regardless of whether it is successful or not
How an API goes through a process:
- First, execute the API — also known as the ‘API execution statement’
- Then, the statement is presented to the AWS API engine, where the IAM engine looks at the credentials and validates that they are active authorization credentials
- Then, the policy documents associated with the operator are taken and evaluated as a single view
Operator
- It’s a user, group, or role within IAM
Within the API process, details about taking policy documents and evaluating such documents as a single view:
- Check whether the action you’re performing is authorized by any of the policy documents
- These documents carry either an explicit or an implicit deny
- At least one document must whitelist a function for an action to be allowed