Deck 3 Flashcards
How many policies per role?
2
What to do to avoid storing credentials in EC2 instances?
Assign a role (or roles) to the instance
Where do STS users come from?
• Federation (AD):
- Uses Security Assertion Markup Language (SAML)
- Grants temporary access based on the user's AD credentials (the user does not need to exist in AWS)
• Federation with mobile apps:
- Use Facebook / Amazon / Google or other OpenID providers to log in
• Cross Account Access:
- Lets users from one AWS account access resources in another.
Define federation
Combining or joining lists of users from one domain to another (Ex: IAM and AD or IAM and Google)
Define Identity broker
Service that allows you to take an identity from point A and federate it to point B.
Define identity store
Services that create identities, like AD, Google, Facebook, etc.
Define identity
User of a service like Facebook, etc.
Responsibilities in shared security model
- AWS is responsible for securing the underlying infrastructure that supports the cloud (the hardware, software, networking and facilities that run AWS services)
- You're responsible for anything you put in the cloud or connect to the cloud.
User responsibility in managed services
Account management and user access.
What does CloudTrail log?
API calls
What does AWS do when a storage device has reached the end of its useful life?
AWS procedures include a decommissioning process designed to prevent data from being exposed (devices are degaussed and physically destroyed).
What can customers who require additional layers of network security do?
- Use a private subnet in a VPC within the AWS cloud
- Use an IPSec VPN device to provide an encrypted tunnel between the AWS VPN and your data centre.
What does AWS protect networks from?
- DDoS
- MITM
- Packet sniffing
- Port scanning
Is it possible to perform a vulnerability scan in your AWS resources?
Yes, but you have to ask AWS for permission
AWS credential types
• Passwords: AWS root account and IAM user account to the AWS management console.
• MFA: AWS root account and IAM user account to the AWS management console.
• Access keys: Digitally signed requests to AWS APIs.
• Key Pairs: SSH login to EC2 instances. CloudFront signed URLs.
• X.509 certificates: Digitally signed SOAP requests to AWS APIs. SSL server certificates for HTTPS.
What can you do to make sure S3 is secure?
Create a temporary URL and send it to the user
To which service is Trusted Advisor related?
IAM
What is Direct Connect?
Dedicated network connection from your premises to AWS
From where is Route 53 served?
Edge locations
What should you do to increase network performance?
Increase instance size
Can EBS throughput vary depending on the size of the instance?
Yes
Main difference between NACLs and SGs?
- SGs are stateful
- NACLs are stateless
How to restore default VPC?
Contact AWS to get it back