Domain 2 - Security and Compliance Flashcards

1
Q

2.1 What is the AWS Shared Responsibility Model?

A

The Shared Responsibility Model defines how customer operational burdens can be relieved by sharing Security & Compliance duties with AWS.

It defines which components of the customer’s infrastructure AWS is responsible for, which components the Customer is responsible for, and where responsibility overlaps.

Basically, AWS is responsible for “Security of the Cloud” and the Customer is responsible for “Security in the Cloud.”

2
Q

2.1.1 What are the 6 main areas of Customer responsibility in the AWS Shared Responsibility Model?

A
  1. Customer Data
  2. Platform, Apps, Identity, & Access Management
  3. OS, Network & Firewall Config
  4. Client-side data encryption & data integrity authentication
  5. Server-side encryption
  6. Networking traffic protection
3
Q

2.1.1 What are the 7 main areas of AWS responsibility in the AWS Shared Responsibility Model?

A

Software:
1. Cloud Compute
2. Cloud Storage
3. Cloud Managed DBs
4. Cloud Networking
Hardware/AWS Global Infrastructure:
5. Regions
6. Availability Zones
7. Edge Locations

4
Q

2.1.2 How does the customer’s responsibility shift depending on the AWS service they use?

A

Different AWS products offer different levels of service, requiring more or less customer configuration work.

e.g. Infrastructure as a Service (IaaS) offerings like EC2 are simply infrastructure, so the customer is responsible for all security configuration and management of whatever they put on that infrastructure. However, with abstracted services like Amazon S3 & DynamoDB, Amazon takes responsibility for the infrastructure management and customers only need to be responsible for their data, permissions, etc. on those services.

5
Q

2.2.1 Where can you find AWS Compliance Information with lists of recognized available compliance controls?

A

aws.amazon.com/compliance
or

AWS Audit Manager

6
Q

2.2.2.1 - How can customers achieve compliance on AWS?

A

Compliance and its evidence can be set up in AWS Audit Manager, where an admin can set up Assessment Frameworks.

7
Q

2.2.2.2 - What are the different encryption options on AWS?

A

In Transit
At Rest

7
Q

2.2.4.2.1 - What is Amazon CloudWatch?

A

Collects & visualizes real-time logs, metrics, & event data to monitor your cloud resources & applications.

8
Q

2.2.4.2.2 - What is AWS Config?

A

Continually assesses, audits, & evaluates the configurations and relationships of your resources. When config changes happen on your AWS resources, it records & normalizes those changes to evaluate them against your configured compliance policies.

9
Q

2.2.4.2.3 - What is AWS CloudTrail?

A

Monitors & records account/user activity in your AWS account, giving you monitoring & auditing capabilities to improve your security and allow you to prove compliance with regulations such as SOC/HIPAA/etc.

10
Q

2.2.5 - What is the concept of least privileged access?

A

When you set permissions with IAM policies, you should grant only the minimum permissions required to perform a task. Do this by defining the actions that can be taken on specific resources under specific conditions.

11
Q

2.3.1 - User & Identity Management - What is the purpose of access keys and password policies (rotation, complexity)?

A

Access keys should be rotated often, to keep credentials temporary and avoid long-term credentials, which are more likely to be compromised or misused. Password policies are of course important to ensure that credentials to critical infrastructure are not easily compromised.

12
Q

2.3.1 - User & Identity Management - What is the purpose of Multi-Factor Authentication (MFA)?

A

MFA is critical, especially for root users in your account whose credentials are not temporary. This provides an additional layer of confirmation via an authenticated challenge on another device owned by a user to better ensure that credentials are only used by their authorized users.

13
Q

2.3.1 - User & Identity Management - What is the purpose of AWS IAM groups/users?

A

IAM users are entities you create in AWS that allow specific people/services to interact with your AWS account.

When you create an IAM user, you grant them permissions which will allow them specific access to your AWS resources.

These permissions can be assigned directly to the user, but this is not recommended.

The recommended approach is to create a user group, which can have permissions assigned to it relevant to that group’s required functions, and then an admin can simply assign a user to various groups to grant them the permissions they need as part of those groups.

14
Q

2.3.1 - User & Identity Management - What is the purpose of IAM Roles?

A

IAM Roles are granted specific permissions to access your AWS resources. These roles can then be given to machine identities so that they can access AWS within a role session. Essentially, an IAM Role is like an IAM user, except that it is not assigned to a specific person, and its access is not permanent and is limited to a “role session.”

15
Q

2.3.1 - User & Identity Management - What’s the difference between IAM Managed Policies vs IAM Custom Policies?

A

IAM Policies are the feature which can be assigned to users/groups/roles to allow specific access to an AWS resource. Managed Policies are created by AWS whereas Custom Policies are created and managed by customers. Inline Policies are policies which are embedded within an IAM identity itself. The recommended approach is to use Managed Policies, as these are reusable, have versioning, can be rolled back, etc.

16
Q

2.3.1 - User & Identity Management - What 9 types of tasks require the use of your root account?

A
  1. Change account settings (account name, email, root user password, root user access keys)
  2. Restore an IAM user’s permissions
  3. Activate IAM access to Billing & Cost Management
  4. View certain tax invoices
  5. Close your AWS Account
  6. Register as a seller in Reserved Instance Marketplace
  7. Configure an S3 bucket to enable MFA
  8. Edit/delete an S3 bucket policy including a virtual private cloud (VPC) ID or VPC endpoint ID
  9. Sign up for GovCloud
17
Q

2.3.1 - User & Identity Management - What steps should you take to protect your root account?

A
  1. Enable MFA
  2. Never share root account password
  3. Use a strong password
  4. Create an admin user in IAM for daily tasks
  5. Only use the root user for tasks that can only be performed by the root user
  6. Don’t create access keys for the root user
18
Q

2.4.1 - What native AWS services are available for security support & capabilities?

A
  1. Security Groups - a virtual firewall that controls inbound and outbound traffic from your AWS infrastructure instances
  2. Network ACLs (Access Control Lists) - allow or deny traffic to AWS resources at the subnet level.
  3. AWS WAF (Web App Firewall) - monitors requests forwarded to protected web app resources to protect against common web exploits & bots that can affect availability or security, or consume excessive resources
  4. 3rd party security products from AWS Marketplace
19
Q

2.4.2 - Where can security support documentation be found?

A
  1. AWS Knowledge Center
  2. AWS best practices articles
  3. AWS Security Center
  4. security blogs & forums
  5. Partner Systems Integrators
20
Q

2.4.3 - What is AWS Trusted Advisor and how does it relate to security checks?

A

AWS Trusted Advisor provides advice on the cost optimization, performance, fault tolerance, service limits, and security in your AWS environment. Its security checks can help ensure you’re following best practices in the realm of security.