Basic Security and Compliance Aspects of The AWS Platform and The Shared Security Model Flashcards

1
Q

What is an easy way to remember the AWS Shared Responsibility Model?

A

AWS is responsible for the Security OF the Cloud and the customer is responsible for Security IN the Cloud.

2
Q

What is the customer responsible for in the Shared Security Model?

A

Customer Data

Platform, Applications, Identity & Access Management

Operating System, Network & Firewall Configuration.

Client-Side Data Encryption & Data Integrity Authentication

Server-Side Encryption (File system and/or data)

Networking Traffic Protection (Encryption, Integrity, Identity)

3
Q

What is AWS responsible for in the Shared Security Model?

A

Software

Compute, Storage, Database, Networking

Hardware/AWS Global Infrastructure

Regions, Availability Zones, Edge Locations

4
Q

What does the acronym Scam Sidi stand for?

A

Secure Support
Compliance Assurance Programs
Access Control and Identity
Monitoring and Logging

Standard and Best Practices
Infrastructure Resilience
Data Encryption
Infrastructure Security

5
Q

How does Amazon provide Secure Support?

A
  • Real-time insight through AWS Trusted Advisor
  • Proactive support and advocacy with a Technical Account Manager (TAM)

6
Q

How does Amazon provide Compliance Assurance Programs?

A

From certifications and regulations to frameworks, AWS has you covered.

7
Q

Name three of the certifications AWS has for security.

A

https://aws.amazon.com/compliance/programs/

Cyber Essentials Plus (UK)
DoD SRG (US)
FIPS (US)
ISO 9001
CISPE
GLBA
UK Data Protection Act
EU Data Protection Directive
FFIEC
G-Cloud (UK)
NIST
UK Cloud Security Principles
8
Q

How does AWS secure its infrastructure?

A
  • Network firewalls built into Amazon VPC.
  • In transit encryption using TLS across all services.
  • Private or dedicated connections into your data center
9
Q

How does AWS ensure Infrastructure Resilience?

A
  • Technologies built from the ground up for resilience in the face of DDoS attacks.
  • Services can be used in combination to automatically scale for traffic load.
  • Autoscaling, CloudFront, Route 53 can be used to prevent DDoS.
10
Q

How does AWS encrypt Data?

A
  • At rest encryption available in EBS, S3, Glacier, RDS (Oracle and SQL Server) and Redshift.
  • Key management through AWS KMS - you can choose whether to control the keys or let AWS do so.
  • Server-side encryption of message queues in SQS.
  • Dedicated hardware-based cryptographic key storage using AWS CloudHSM, allowing you to satisfy compliance requirements.
  • APIs to integrate AWS security into any applications you create.
11
Q

What are some of AWS’s security Standards and Best Practices?

A
  • A security assessment service, Amazon Inspector, that automatically assesses applications for vulnerabilities or deviations from best practices, including impacted networks, OS, and attached storage
  • Deployment tools to manage the creation and decommissioning of AWS resources according to organizational standards
  • Inventory and configuration management tools, like AWS Config, that identify AWS resources, then track and manage changes to those resources over time
  • Template definition and management tools, including AWS CloudFormation to create standard, preconfigured environments
12
Q

How does AWS manage and log user activity?

A
  • Deep visibility into API calls through AWS CloudTrail, including who, what, when, and from where calls were made
  • Log aggregation options, streamlining investigations and compliance reporting
  • Alert notifications through Amazon CloudWatch when specific events occur or thresholds are exceeded
13
Q

How does AWS provide Identity and Access Control?

A
  • AWS Identity and Access Management (IAM) lets you define individual user accounts with permissions across AWS resources
  • AWS Multi-Factor Authentication for privileged accounts, including options for hardware-based authenticators
  • AWS Directory Service allows you to integrate and federate with corporate directories to reduce administrative overhead and improve end-user experience
14
Q

What are the main features and functions of Amazon IAM?

A
  • Manage IAM users and their access
  • Manage IAM roles and their permissions
  • Manage federated users and their permissions
  • Grant other people permission to administer and use resources in your AWS account without having to share your password or access key.
  • Grant different, granular permissions to different people for different resources
  • Add specific conditions to control how a user can use AWS, such as time of day, their originating IP address, whether they are using SSL, or whether they have authenticated with a multi-factor authentication device.
  • Use IAM features to securely give applications that run on EC2 instances the credentials that they need in order to access other AWS resources
  • Add two-factor authentication to your account and to individual users for extra security.
15
Q

What is AWS Support and how does it help the end user?

A
  • AWS Support provides tools and resources to help you make sure your AWS environment is built and operated to be secure, highly available, efficient, and cost effective
  • Real-time insight through AWS Trusted Advisor
  • Proactive support and advocacy through Technical Account Manager (TAM)