Cloud Security

Question 1

Identity and Access Management(IAM)

Answer 1

Used to manage access to AWS Resources.

Fine-grained access rights:
WHO can access;
WHICH resources;
HOW they can be accessed;

No Cost account feature.

Question 2

IAM User

Answer 2

Person/Application that can authenticate with an AWS account.

Programmatic Access:
Authenticate using Access key ID and Secret Access Key;
Provides AWS CLI and AWS SDK Access;

AWS Management Console Access:
Authenticate using 12-digit Account ID or alias;
IAM Username;
IAM Password;
MFA;

Question 3

IAM Group

Answer 3

Collection of IAM Users that are granted identical authorization.

A User can belong to multiple;
There is no default;
Cannot be nested;

Question 4

IAM Policy

Answer 4

Document that defines which resources can be accessed and the level of access to each resource.

Identity-based:
Attach a policy to any IAM entity;
A single policy can be attached to multiple entities;
A single entity can have multiple policies attached to it;

Resource-based:
Attached to a resource(such as S3 Bucket);

Question 5

IAM Role

Answer 5

Used to grant a set of permissions for making AWS service requests.

IAM Identity with specific permissions;
Attach Permissions policies to it;
Intended to be assumable by a person, application, or service;

Role provides temporary security credentials.

Question 6

IAM MFA

Answer 6

Increased Security, in addition to username and password.

Question 7

IAM Authorization

Answer 7

Assign permissions by creating an IAM policy.

Permissions are implicitly denied by default;
If something is explicitly denied, it is never allowed;

Question 8

IAM Permission Flow

Answer 8

Explicitly Denied = Deny
Explicitly Allowed = Allow
Implicit Deny

Question 9

AWS Root User

Answer 9

Accessed by signing in with the email and password;

Best practice to not use when necessary and use principle of least privilege;

Remove access keys;

Question 10

CloudTrail

Answer 10

Tracks user activity on your account.

Question 11

Billing Reports

Answer 11

Provide information about your use of AWS resources and estimated costs for that use.

Delivers reports to an S3 Bucket that you specify.

Question 12

AWS Organizations

Answer 12

Enables you to consolidate multiple AWS accounts so that you centrally manage them.

Can attach different access policies to each Organizational Unit(OUs);

Use service control policies to establish control over the AWS services and API actions that each AWS account can access;

Question 13

AWS Key Management Service(KMS)

Answer 13

Enables you to create and manage encryption keys;
Enables you to control the use of encryption across AWS services and in your applications;

Integrates with AWS CloudTrail to log all key usage;
Uses hardware security modules (HSMs) that are validated by Federal Information Processing Strandards(FIPS) 140-2 to protect keys;

Question 14

Cognito

Answer 14

Adds user sign-up, sign-in, and access control to your web and mobile applications.​

Question 15

AWS Shield

Answer 15

DDoS protection service;
Safeguards applications running on AWS;

Use it to minimize application downtime and latency;

Question 16

Encryption of data at rest​

Answer 16

Encryption encodes data with a secret key.

AWS KMS can manage your secret keys​;

Can encrypt data in:
S3, EBS, EFS, RDS;

​

Question 17

Encryption of data in transit​

Answer 17

Transport Layer Security (TLS)—formerly SSL—is an open standard protocol.

AWS Certificate Manager provides a way to manage, deploy, and renew TLS or SSL certificates .

HTTPS uses TLS or SSL for the bidirectional exchange of data.

Question 18

AWS Config

Answer 18

Assess, audit, and evaluate the configurations of AWS resources. ​

Simplify compliance auditing and security analysis.​

Question 19

AWS Artifact​

Answer 19

A resource for compliance-related information​ such as reports.