Ch. 4 - Security in the Cloud Flashcards
What is the Shared Responsibility Model?
Outlines the different roles and responsibilities where AWS security stops and the customer responsibility begins.
What is AWS Artifact?
This is a comprehensive list of access-controlled documents/compliance reports that pertain to security in the AWS Cloud.
Basically a repository for security documentation relevant to compliance and security in the AWS cloud.
How is the AWS Shared Responsibility Model divided at a high-level?
AWS - manages the security OF the cloud.
Customer - manages security IN the cloud.
What are some examples of what AWS protects in the Shared Responsibility model? (9 options)
- Regions
- AZs
- Edge Locations
- Hardware + Global Infrastructure
- Compute
- Storage
- DBs
- Networking
- SW that runs on top of the compute/storage
What are some examples of what the CUSTOMER protects in the Shared Responsibility model?
This can be dependent on what services are being run in AWS, but in general, the customer is responsible for:
- data encryption
- traffic protection/encryption
- OS/guest OS on an EC2 (unless RDS)
- IAM roles
Ex - moving data out of the cloud should be encrypted via HTTPS and not HTTP.
What is the “Rule of Thumb” for the Shared Responsibility Model?
Can you yourself do what is being asked in the AWS console or in EC2?
- If YES - you are likely responsible: creating security groups, IAM users, patching an OS, patching a DB instance running on EC2 (not RDS)
- If NO - AWS is likely responsible: management of a VPC/DC, physical security for the DC (like cameras), patching an RDS OS.
What is considered “middle ground” for the Shared Responsibility model?
Encryption.
Ex - AWS might be handling the encryption inside an S3 bucket, but you have to be the one who turns it on in the first place.
What is a WAF?
Web Application Firewall in AWS
Used to protect web apps in the cloud from common exploits that aim to affect their availability/security. Inspects traffic at L7.
Basically used to stop people from trying to hack your website. Protection against hackers.
What is AWS Shield?
A service within AWS to protect from DDoS attacks. It basically safeguards web-apps running in AWS.
This basic functionality is natively turned on in AWS.
What are the 2 options for AWS Shield?
Standard - this comes natively with any AWS account.
Advanced - provides more features. Also, if you have ADV and get DDoS’d you won’t have to pay for the associated costs incurred via Route53, CloudFront, ELB, etc. as a result of the attack.
What is AWS Inspector?
It is a security assessment service that helps improve the security and compliance of an AWS environment.
Auto-assesses vulnerabilities and deviations from best practices.
How is AWS Inspector deployed?
Inspector is an agent that runs on all EC2 instances and checks them for common vulnerabilities.
It will find things like needed updates/patches for known vulnerabilities and can pump out a full report.
What is AWS Trusted Advisor?
Trusted Advisor is a service used to help reduce cost, increase performance, improve overall security, and check fault tolerance.
This scans the entire AWS environment, not just EC2 instances like AWS Inspector.
What is AWS CloudTrail?
CloudTrail is used for auditing purposes - it gives visibility into your resources and user activity by tracking all the API calls being made.
What is AWS Config?
AWS Config provides a detailed view of the configuration of AWS resources in your AWS account.
You can see settings/configs from the past to see how they’ve changed over time.