AWS Security Fundamentals Flashcards

1
Q

Components of a strong identity foundation

A
  • implement principles of least privilege, start with denying access, then grant access as needed
  • enforce separation of duties
2
Q

Components of traceability

A
  • enable the following
    • monitoring
    • alerting
    • audit actions and changes
    • integrate logs and metrics with automated systems to respond and take action
3
Q

Defense in depth

A
  • apply security at all layers, not just at the perimeter
4
Q

Automate security best practices

A
  • define and implement controls as managed code, which allows your security mechanisms to scale with your applications
5
Q

Protect data in transit and at rest

A
  • classify your data into sensitivity levels and apply the appropriate encryption and access control
6
Q

Prepare for security events

A
  • create incident management processes
  • run incident response simulations
  • use tools to automate detection, investigation and recovery
7
Q

Shared security model

A
  • AWS is responsible for securing: hardware, software, networking and facilities running AWS services
  • Customer is responsible for securing: your data, OSes, networks, platforms, and other resources you create in AWS
8
Q

AWS Availability Zones

A
  • logical groupings of physical data centers that are interconnected with low latency, redundant circuits
9
Q

AWS Regions

A
  • regions usually contain two or more availability zones, which are physically isolated from each other
10
Q

Considerations when choosing an AWS Region

A
  • distance from your users
  • compliance requirements for data locality
  • service availability, not all AWS services are available in all regions
  • cost, some regions have cost savings over others
11
Q

AWS physical data center security

A
  • follows principles of least privilege, only pre-approved access is granted to employees and contractors
  • only AWS employees who require routine access are granted permissions to the relevant areas. Other AWS employees must go through the visitors process and be escorted during their visit
  • professional security staff use video surveillance, intrusion detection and access log monitoring
  • AWS data centers are housed in nondescript, undisclosed facilities
12
Q

AWS physical data center environment considerations

A
  • AWS data center locations are chosen to mitigate risks like flooding, extreme weather and seismic activity
  • AWS performs regular business continuity plan simulations
13
Q

AWS physical data center infrastructure

A
  • fully redundant electrical systems, UPS units provide backup power for critical loads, generators provide backup power for the entire facility
  • climate control maintains a constant operating temperature
  • automatic fire detection and suppression reduces the risk of fire
14
Q

AWS data layer

A
  • storage devices are decommissioned using NIST 800-88 techniques to destroy customer data
  • AWS is audited by external auditors who inspect the data centers
  • AWS servers notify employees of any attempts to remove data and automatically disable the server
15
Q

AWS IAM

A
  • Identity and access management
  • every interaction you make with AWS is authenticated, IAM is the centralized mechanism for creating and managing individual users and their permissions
16
Q

Types of credentials supported by AWS

A
  • username and password - password policies define the requirements for the passwords set by IAM users
  • MFA - more than one authentication factor is checked before access is granted
  • user access keys - used when making programmatic calls to AWS using the CLI, SDKs or HTTPS API. Each access key credential has an access key ID and a secret key. Each user can have two active access keys, which is useful when rotating keys or revoking permissions.
  • EC2 key pairs - used for SSH or RDP connections to EC2 instances. You can provide your own or let AWS generate them for you
17
Q

Authentication vs Authorization

A
  • Authentication is who you are (username & password, access keys, etc)
  • Authorization is what you can do (RBAC, Service Control Policy (SCP), etc)
18
Q

AWS Secrets Manager

A
  • designed to centrally manage secrets used to access resources on AWS, on-premises and 3rd party services
  • can be database credentials, passwords, 3rd party API keys, even arbitrary text
  • allows code to make API calls to retrieve the secret
  • can automatically rotate the secret on a schedule
19
Q

AWS Single Sign-On (SSO)

A
  • enables users to sign in to a user portal with their existing corporate credentials and access all of their assigned accounts and applications
  • includes built-in SAML integrations to many business applications
  • may be integrated with Microsoft Active Directory, so users can authenticate with their AD credentials
20
Q

AWS Security Token Service (STS)

A
  • a web service that enables you to request temporary, limited-privilege credentials for IAM users who are taking on a different role or for users who are being federated
21
Q

AWS Directory Service

A
  • enables your domain workloads and AWS resources to use managed Active Directory in the AWS Cloud. AWS Managed Microsoft AD is built on actual Microsoft Active Directory and does not require you to synchronize or replicate data from your existing Active Directory to the cloud.
22
Q

AWS Organizations

A
  • lets you centrally manage and enforce policies for multiple AWS accounts
  • allows grouping accounts into organizational units and using service control policies to centrally control AWS services across multiple AWS accounts
23
Q

Amazon Cognito

A
  • lets you add user sign-up, sign-in, and access controls to your web and mobile apps
  • Cognito user pool is a user directory that manages the overhead of handling the tokens that are returned from social sign-in providers, such as Facebook, Google, and Amazon, and enterprise identity providers via SAML 2.0
  • the user pool tokens are then used to retrieve AWS credentials via Amazon Cognito identity pools, eliminating the need to embed long-term AWS credentials in your app
24
Q

What are detective controls

A
  • part of a governance framework that can be used to identify a potential security threat or incident.
  • detective controls help track changes, troubleshoot issues and ensure compliance
25
Q

AWS CloudTrail

A
  • records API calls made on AWS accounts
  • the CloudTrail API call history can be used to track changes to AWS resources, including creation, modification and deletion.
  • CloudTrail logs show who made the request, when and from where the request was made, and what happened
  • to prevent any log tampering, you can copy all CloudTrail logs from one AWS account to another, where no user from the first account has access to the second, that way any event forensics can prove that no person has the ability to cover their own tracks
26
Q

Amazon CloudWatch

A
  • monitors resources and logs, sends notifications, routes events, and triggers automated actions
  • CloudWatch Events delivers a near real-time stream of system events from AWS resources; using simple rules you can match events and route them to one or more targets for processing, for example Lambda
  • CloudWatch Alarms can be triggered through changes in metrics to send notifications (via Amazon SNS) or automatically take action (via Lambda). For example you could set a CloudWatch Alarm to trigger a notification and action if an EC2 instance goes offline.
27
Q

Amazon SNS

A
  • managed messaging service that sends messages to subscribing endpoints, which may be Amazon SQS queues, web servers, email addresses, SMS text messages, mobile devices or Lambda functions
28
Q

Key services to audit on AWS

A
  • S3 buckets, Elastic Load Balancers, CloudWatch, CloudTrail and VPCs
29
Q

Auditing S3 buckets

A
  • access logs are used to audit S3 buckets; they contain details such as the request type, the resource requested and the date and time the request was made
30
Q

Auditing Elastic Load Balancer

A
  • access logs capture information about each request sent to your load balancer, including the client’s IP, latencies and server responses.
  • access logs allow you to analyze traffic patterns and troubleshoot issues
31
Q

Auditing CloudWatch

A
  • CloudWatch logs allow monitoring and troubleshooting of all the OSes and applications running in your AWS environment
  • allows monitoring for specific phrases, patterns, and values
32
Q

Auditing VPCs

A
  • VPC Flow logs capture information about the IP traffic going into and out of your network interfaces and subnets
  • Can be used to troubleshoot why traffic is not reaching a certain instance
33
Q

Auditing CloudTrail

A
  • auditing your CloudTrail logs allows you to obtain a history of API calls to your account made via the console, CLI, SDKs or other AWS services
34
Q

Amazon GuardDuty

A
  • a threat detection service that monitors AWS accounts and workloads
  • uses machine learning to identify suspected attackers and detect anomalies in account and workload activity
35
Q

AWS Trusted Advisor

A
  • service that draws upon best practices and inspects your AWS environment and makes recommendations for saving money, improving performance and closing security gaps
36
Q

AWS Security Hub

A
  • provides a single pane of glass to view your high-priority security alerts and compliance status across AWS accounts
  • aggregates alerts from multiple services such as GuardDuty, Inspector, & Macie
37
Q

AWS Config

A
  • runs continuous assessment checks on your resources to verify they comply with your own security policies, industry best practices and compliance standards
38
Q

VPC Security Groups

A
  • act as a virtual firewall for your EC2 instances
  • when you launch an EC2 instance, you must specify a security group
  • in each security group you add one set of rules for inbound connections and one set of rules for outbound connections
  • security groups are stateful
  • traffic can be restricted by IP protocol, service port and source/destination IP address
39
Q

VPC Network ACLs

A
  • optional layer of security that controls traffic at the subnet level
  • VPCs come with a default ACL that allows all traffic, to control traffic you need to add allow and deny rules for specific IP addresses, protocols and ports
40
Q

VPC Subnet Routing

A
  • enable you to group instances and AWS resources based on your security needs
  • allows you to configure routing for your network, which allows you to specify targets for your resources and whether they can be reached via the internet
41
Q

AWS Systems Manager features

A
  • automation - automate common tasks across AWS resources
  • inventory - collect information about your instances and the software installed on them, collected data includes applications, files, network configs, updates and other system properties
  • patch manager - deploy software patches across large groups of EC2 or on-premises instances
  • parameter store - centralized store to manage your config data, such as plain text strings or secrets such as passwords
  • run command - provides a simple way to automate common tasks across groups of instances, such as registry edits, user management and software installation
  • session manager - manage Windows and Linux EC2 instances via a browser or interactive shell without the need to open inbound ports or use a bastion host
42
Q

AWS Firewall Manager

A
  • centrally manages and configures AWS WAF rules across your accounts and applications
43
Q

AWS Direct Connect

A
  • used to establish a dedicated network connection from your data center, office or colocation to AWS
44
Q

AWS CloudFormation

A
  • automates the task of repeatedly creating and deploying AWS resources in a consistent manner
  • assures that security and compliance controls are deployed along with new environments
45
Q

Amazon Inspector

A
  • assesses applications for vulnerabilities or deviations from best practices
46
Q

Amazon Inspector example work flow

A
    1. Inspector runs an assessment on a group of EC2 instances
    2. security findings are sent to an Amazon SNS topic to notify the admin
    3. a Lambda function is invoked by the notification
    4. the Lambda function uses AWS Systems Manager to patch the EC2 instance
47
Q

AWS recommendations for protecting data in transit

A
  • AWS uses HTTPS for all API calls
  • use AWS to generate, deploy and manage certs on your workloads
  • use IPSec with VPN connectivity into AWS
48
Q

AWS CloudHSM

A
  • provides hardware security modules in the AWS cloud
  • allows you to generate, store, import, export and manage symmetric and asymmetric key pairs
49
Q

Amazon S3 Glacier

A
  • extremely low cost storage service for cold data with security features for data archiving and backup
  • can enforce compliance controls with a vault lock policy
50
Q

AWS Certificate Manager

A
  • manages TLS certs for AWS based websites and applications
  • can also be used to issue private certs that identify users, computers, applications, services and other devices internally
51
Q

Amazon Macie

A
  • uses machine learning to automatically discover, classify and protect sensitive data in AWS
  • provides dashboards and alerts to give visibility into how the data is being used
52
Q

AWS Key Management Service (KMS)

A
  • allows you to create and control the keys used in data encryption
53
Q

Three factors that make incident response easier on AWS

A
  • use APIs to automate routine tasks that need to be performed during an incident
  • create snapshots of EBS or EC2 instances for forensics
  • use CloudFormation to spin up a new, trusted environment in which to conduct deeper investigation
54
Q

AWS Step Functions

A
  • provides serverless workflows, comprised of steps, to build and update apps quickly
  • can be used to design and run workflows that stitch together services such as Lambda and CloudFormation to respond to an incident
55
Q

Amazon services that mitigate DDoS attacks

A
  • AWS Edge locations - physical data centers, separate from availability zones, that cache your most accessed data in locations closest to your customers. Threats are handled at the edge location
  • Amazon Route 53 - DNS service that includes advanced features like traffic flow, latency-based routing, weighted round-robin, Geo DNS, health checks and monitoring
  • CloudFront - content delivery network (CDN) that delivers your website to your customers. Only accepts well-formed HTTPS and HTTP requests, which helps prevent many common DDoS attacks
  • AWS Shield - managed DDoS protection service. provides always-on detection and automatic mitigations
56
Q

AWS Web Application Firewall (WAF)

A
  • protects your web applications from common web exploits that could affect availability, compromise security or consume excessive resources
57
Q

AWS Well-Architected Tool

A
  • tool that assesses a workload that you define to see if it meets the five pillars of the Well-Architected framework, which are: operational excellence, security, reliability, performance efficiency, cost optimization