AWS Security and Compliance

Question 1

AWS Security and Compliance shared responsibility

Answer 1

• AWS: Security of the Cloud
• Customer: Security in the Cloud
• Shared: Patch management, Configuration management, Awareness and Training

Question 2

What is AWS DDOS protection?

Answer 2

• AWS Shield Standard (no cost)
• AWS Shield Premium
• AWS WAF
• Cloudfront and Route 53
• with Shield, provides attack mitigation at the edge

Question 3

What are the Shield levels ?

Answer 3

• Standard: Free, provides basic level for command attacks
• Shield Advanced: $3000/mo, access to DDOS team, protects against higher level attachs
• Ec2, Elastic Load Balancing (ELB), CloudFront, Route 53, AWS Global Accelerator.

Question 4

AWS WAF protection?

Answer 4

• Protects at http layer 7 for web apps
• WAF cannot be deployed on EC2 instances. Application Load Balancer should be configured in front of EC2 instances to deploy WAF
• Uses Web ACL:
• rules for IP addresses, SQL injection and XSS, geo match
• Deploy on CloudFront, Application Load Balancer, API Gateway, AppSync

Question 5

AWS Pen testing ?

Answer 5

• Customers can pen test 8 services without approval

- Prohibited to stage test DDOS attack, DNS attach, others

Question 6

What is KMS? Which products are auto encrypted?

Answer 6

• Key Management Service for encryption
• Amazon managed encryption keys
• Encryption automatically enabled for: S3 Glacier, Storage Gateway (on-premise bridge to S3), CloudTrail Logs
• Other services (RDS, S3, …) are opt in

Question 7

What is CloudHSM?

Answer 7

• Cloud Hardware Security Module

- Device at AWS for customer to manage their keys

Question 8

Types of KMS Keys?

Answer 8

• Customer managed / Customer created
• AWS managed / AWS created. Customer can use
• CloudHSM Keys

Question 9

What is AWS Secrets Manager ?

Answer 9

• Encrypted ‘secrets’ integrated with RDS (MySQL, Postgresql, Aurora)

Question 10

What is Artifact?

Answer 10

• Access to AWS compliance documentation for audit and compliance purposes

Question 11

What is GuardDuty?

Answer 11

• Service that examines logs using machine learning to detect ‘anomalies’
• AWS CloudTrail event logs, VPC Flow Logs, and DNS logs
• Can be notified of findings by CloudWatch events

Question 12

What is Inspector?

Answer 12

• Inspects running EC2 instances for vulnerabilities and reports findings (vulnerabilities, network access, security assessment)

Question 13

What is Config?

Answer 13

• feature that helps with auditing and reporting of your AWS resource compliance
• records configurations and changes over time
• can determine if there are certain security issues with configurations

Question 14

What is Macie?

Answer 14

• Finds and Protects
  Uses machine learning to determine of sensitive data (ex. PII) exists in your S3 buckets
• Also protects data

Question 15

What is AWS Security Hub?

Answer 15

• Manage security across several AWS accounts.
• Dashboard based on AWS security products
• Automate security checks

Question 16

What is Detective ?

Answer 16

• use to find root cause of security issues / activities

- AWS CloudTrail logs, Amazon VPC Flow Logs and Amazon GuardDuty findings

Question 17

What is AWS Abuse?

Answer 17

• AWS used for abusive or illegal purposes

Question 18

What is Root user priviliges?

Answer 18

• has compute access to all AWS services
• Change Account Settings
• Close AWS account
• Change/Cancel Support plan
• Register as seller in Marketplace