AWS Security - Pluralsight Flashcards
Part 3 to pass the AWS Cloud Practitioner Exam
Name 3 core concepts of Security
- Acceptable Use
- Shared Responsibility Model
- Identity Management
Shared Responsibility Model
AWS is responsible for the security of the cloud
Customer is responsible for security in the cloud
AWS Responsibility Details
- Physical access control to facilities and security training for AWS employees
- Global AWS infrastructure: the regions, the availability zones and the network connectivity between them
- Hardware for the global infrastructure: replacing servers, switches and the other networking gear
- Configuration management of the infrastructure, including how data is routed from one location to another
- Patching the cloud infrastructure and services: the bare-metal hosts that run your virtual servers and the servers behind the managed services you use
Customer Responsibility
- Individual access to cloud resources and training
- Data security and encryption (in transit and at rest)
- Operating system, network, and firewall configuration
- All the code deployed onto the cloud infrastructure
- Guest OS and custom applications
AWS Well-Architected Framework - what is it and what are the 5 pillars?
Collection of best practices across 5 pillars (a sixth pillar, Sustainability, was added in 2021 and may not appear in older course material)
- Operational Excellence
- Security
- Reliability
- Performance Efficiency
- Cost Optimization
Where to learn more about the Well-Architected Framework?
microsite - aws.amazon.com/architecture/well-architected (note: in AWS the abbreviation WAF normally means the Web Application Firewall service)
Reliability features - what are the two sides of this? Best attitude?
- High availability
- Fault tolerance
Attitude - Assume everything fails all the time
Explain Fault Tolerance
Able to support the failure of components within your architecture
Explain High Availability
Keeping the entire system up and running in the expected manner despite issues that may occur, e.g. the loss of a single availability zone
Building systems - S3 and EC2
- S3 - highly available out of the box: objects are stored redundantly across multiple availability zones in the region
- EC2 - fault tolerance must be architected by the customer
- Run instances in multiple availability zones (e.g. behind a load balancer with Auto Scaling)
Fault Tolerance - 2 examples of managed services that are fault tolerant out of the box
- Simple Queue Service (SQS)
- Route 53
Compliance Standards
- PCI DSS - credit card processing
- HIPAA - healthcare data
- SOC 1, SOC 2, SOC 3 - third-party audit reports on data center and service controls
- FedRAMP - US government standard for cloud services
- ISO/IEC 27018 - standard for handling PII in public clouds
Compliance Services
AWS Config - conformance packs for standards
AWS Artifact - Self service access to reports
Amazon GuardDuty - intelligent threat detection
Explain Least Privilege Access
Grant each identity only the minimum permissions needed to complete its task, and nothing more; start narrow and widen only when a real need appears
What is AWS IAM?
AWS IAM - Identity and Access Management - the service that controls who can access AWS resources and what they are allowed to do with them
Details about IAM - name 3 capabilities
Authentication
Authorization
Identity federation through SAML 2.0 (and OpenID Connect) - using an external identity provider such as a corporate directory instead of creating IAM users
Main AWS Identities - name the 3 main types
User - a person or application with long-term credentials
Group - cluster users into a group and attach permissions to the group
Role - an identity with temporary credentials that a user, application or AWS service assumes to perform a task
What is a policy in AWS IAM? Who manages it?
- A JSON document that defines permissions for an AWS IAM identity/principal
- Each statement says which actions (API calls) are allowed or denied on which resources, optionally under which conditions
- Managed by AWS (AWS managed policies) or by the customer (customer managed policies, or inline policies attached to a single identity)
AWS IAM Best Practices - examples
Multifactor Authentication
Least Privilege Access
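To tie the three IAM cards together (least privilege, the JSON policy document, and MFA as a best practice), here is an added example that is not from the Pluralsight course or from AWS: a small linter that reads an IAM policy document and flags statements that break least privilege. The two policy documents, the bucket name and the statement IDs are constructed for illustration, and the checks are a small subset of what a real tool such as IAM Access Analyzer performs.

```python
"""Minimal IAM policy linter: flags Allow statements that break least privilege.

Added example for these flashcards; not from the Pluralsight course or from AWS.
The policy documents below are constructed for illustration (hypothetical
bucket name and statement IDs).
"""
import json

# Constructed over-broad policy: every action on every resource, no MFA.
OVERBROAD_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [
        {"Sid": "AdminEverything", "Effect": "Allow", "Action": "*", "Resource": "*"}
    ],
})

# Constructed least-privilege policy: one bucket, read-only actions, MFA required.
SCOPED_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "ListReportsBucket",
            "Effect": "Allow",
            "Action": "s3:ListBucket",
            "Resource": "arn:aws:s3:::example-reports-bucket",
            "Condition": {"Bool": {"aws:MultiFactorAuthPresent": "true"}},
        },
        {
            "Sid": "ReadReports",
            "Effect": "Allow",
            "Action": ["s3:GetObject", "s3:GetObjectVersion"],
            "Resource": "arn:aws:s3:::example-reports-bucket/reports/*",
            "Condition": {"Bool": {"aws:MultiFactorAuthPresent": "true"}},
        },
    ],
})


def _as_list(value):
    """IAM accepts a string or a list in Statement/Action/Resource; normalize to a list."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def _has_mfa_condition(statement):
    """True if any condition operator tests the aws:MultiFactorAuthPresent key."""
    for operator_values in statement.get("Condition", {}).values():
        if "aws:MultiFactorAuthPresent" in operator_values:
            return True
    return False


def lint_policy(policy_json):
    """Return a list of (Sid, finding) tuples for least-privilege violations.

    Only Allow statements are inspected: Deny statements with wildcards are a
    common and legitimate guardrail pattern.
    """
    policy = json.loads(policy_json)
    findings = []
    for index, stmt in enumerate(_as_list(policy.get("Statement"))):
        sid = stmt.get("Sid", f"Statement[{index}]")
        if stmt.get("Effect") != "Allow":
            continue
        if "NotAction" in stmt:
            # Allow + NotAction grants everything except the listed actions.
            findings.append((sid, "Allow with NotAction grants an open-ended action set"))
        for action in _as_list(stmt.get("Action")):
            if action == "*":
                findings.append((sid, "Action '*' grants every API call in every service"))
            elif action.endswith(":*"):
                findings.append((sid, f"Action '{action}' grants an entire service"))
        for resource in _as_list(stmt.get("Resource")):
            if resource == "*":
                findings.append((sid, "Resource '*' applies to every resource in the account"))
        if not _has_mfa_condition(stmt):
            findings.append((sid, "no aws:MultiFactorAuthPresent condition"))
    return findings


if __name__ == "__main__":
    for name, doc in (("over-broad", OVERBROAD_POLICY), ("scoped", SCOPED_POLICY)):
        results = lint_policy(doc)
        print(f"{name}: {len(results)} finding(s)")
        for sid, message in results:
            print(f"  [{sid}] {message}")
```

The MFA check is written for policies attached to human users or groups; a role assumed by an AWS service never has an MFA context key, so that finding should be switched off when linting service roles. Running the script reports three findings for the over-broad document and none for the scoped one.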
What is Amazon Cognito? What are four capabilities?
User directory and sign-in service for your custom applications (user pools handle sign-up/sign-in; identity pools hand out temporary AWS credentials)
- Out of the box UI controls for various devices
- Security capabilities to control access
- Controlled access to AWS resources
- Works with social and enterprise identity providers
On-premises data integration - 2 solutions
- AWS Storage Gateway - hybrid storage bridging your on-premises environment and AWS
- AWS DataSync - online transfer of data between on-premises storage and AWS (unlike Snowball, which ships physical devices)
AWS Storage Gateway - 3 gateways
- Tape gateway
- Volume gateway
- File gateway
AWS Storage Gateway - 2 aspects
- Deployed as a VM or as a specific hardware appliance
- Integrates with EBS and S3