Domain 2.0 Security and Compliance Flashcards
Associated with the access keys that are used in managing your cloud resources via the AWS Command Line Interface (AWS CLI)?
IAM User
1. Not associated with the access keys used for the AWS CLI
2. Associated with an identity or resource; defines their permissions
IAM Policy
How can you apply and easily manage the common access permissions to a large number of IAM users in AWS?
Attach the necessary policies or permissions to a new IAM group, then add the IAM users to that IAM group
Is a collection of IAM users. It lets you specify permissions for multiple users, which can make it easier to manage the permissions for those users
IAM Group
An automated security assessment service that helps improve the security and compliance of applications deployed on AWS. Automatically assesses applications for exposure, vulnerabilities, and deviations from best practices
AWS Inspector
What are the things that you can implement to improve the security of your Identity and Access Management (IAM) users?
Configure a strong password policy for your users and enable Multi-Factor Authentication (MFA)
In the VPC dashboard of your AWS Management Console, which of the following services or features can you manage?
Network ACLs and Security Groups
These services have their own respective dashboards
Amazon CloudFront, AWS Lambda, and Amazon Route 53
Lets you provision a logically isolated section of the AWS Cloud where you can launch AWS resources in a virtual network that you define
Amazon Virtual Private Cloud (Amazon VPC)
Shared control between AWS and the customer
- Patch Management
- Configuration Management
- Awareness and Training
Inherited controls (which a customer fully inherits from AWS)
- Physical and Environmental controls
Customer specific controls (which are solely the responsibility of the customer based on the application they are deploying within AWS services)
- Service and Communications Protection or Zone Security, which may require a customer to route or zone data within specific security environments
Customer Responsibility for security ‘in’ the cloud
- Customer Data
- Platform, applications, identity & access management
- OS, Network & Firewall Configuration
- Client-side data encryption & data integrity authentication
- Server-side encryption
- Networking traffic protection
AWS Responsibility for security ‘of’ the Cloud
1. Software (compute, storage, database, networking)
2. Hardware/AWS Global Infrastructure (regions, availability zones, edge locations)
There is an incident with your team where an S3 object was deleted using an account without the owner’s knowledge. What can be done to prevent unauthorized deletion of your S3 objects?
Configure MFA delete on the S3 bucket
You are permitted to conduct security assessments and penetration testing without prior approval against which AWS resources?
Amazon RDS and Amazon Aurora
Permitted Services to conduct security assessments
- Amazon EC2 instances, NAT Gateways, and ELBs
- Amazon RDS, CloudFront, Aurora, API Gateways, Lightsail resources
- AWS Lambda and Lambda Edge functions
- Amazon Elastic Beanstalk environments
Prohibited Activities to conduct security assessments
- DNS zone walking via Amazon Route 53 Hosted Zones
- DoS, DDoS, simulated DoS, simulated DDoS
- Port flooding
- Protocol flooding
- Request flooding (login request flooding, API request flooding)
An optional layer of security for your VPC that acts as a firewall for controlling traffic in and out of one or more subnets
Network Access Control List (ACL)
Used to secure your EC2 instances and RDS databases in a similar way to how network ACLs work. However, they are not used for subnet security
Security Group
It is a service used for account and user management
AWS IAM
It is a tool that checks for resource compliance in your account
AWS Config