Domain 3: Design Secure Applications and Architectures Flashcards
IAM- User Access Types
- Programmatic Access
- Management Console Access
IAM- Users
An entity you create in AWS that can log in to the AWS Management Console or call AWS APIs through the AWS CLI using access keys
IAM- Roles
- Used by resources to interact with other resources
- The policy attached to the role decides which users or services are permitted to perform the actions you describe
NACL
Network Access Control List
- Tied to subnet
- Stateless
- Supports allow and deny rules
Security Groups
- Tied to an instance
- Stateful
- Supports allow rules only
Stateless
Changes applied to an inbound rule are not applied to the outbound rule. e.g., if you allow inbound port 80, you also need to add a rule for the outgoing traffic.
Stateful
Any change applied to an inbound rule is automatically applied to the outbound side. e.g., if you allow inbound port 80, outbound port 80 is automatically opened for the return traffic.
AWS WAF
- Web Application Firewall
- Lets you monitor web requests that are forwarded to an Amazon API Gateway, an Amazon CloudFront distribution, or an Application Load Balancer
- You can protect those resources based on conditions that you specify, such as the IP addresses that the requests originate from
AWS Shield
Distributed Denial of Service Protection
- Standard
- Advanced
AWS Shield- Standard
- Automatically applied
- Free
AWS Shield- Advanced
- Access to DDoS Response Team
- Cost protection
- Visibility
- Customizable protection
- $3,000/month
AWS Firewall Manager
Central management of firewall rules across accounts and applications
- $100/month
AWS KMS
- Key Management Service
- Makes it easy to create and manage keys and to control the use of encryption across a wide range of AWS services
AWS KMS- Types
- AWS Managed
- Customer Managed (CMK)
- Customer Managed, imported key material
AWS KMS- AWS Managed
- Rotates automatically every 3 years
- You cannot manage rotation yourself
- Managed keys cannot be deleted
AWS KMS- CMK
Customer Managed Keys
- Rotates once a year automatically
- On demand (manual rotation): create a new CMK and update the key alias so your applications use the new CMK
- You control the rotation frequency
- Keys can be deleted
AWS KMS- Imported Key Material
- No automatic rotation
- Manual rotation
- Create a new CMK and update your applications to use the new CMK or its key alias
AWS Cloud HSM
- Hardware Security Module
- Uses dedicated HSM instances within the AWS cloud to encrypt and protect data
AWS VPC
- Virtual Private Cloud
- Provides multiple network connectivity options, depending on your current network design and requirements
- These options include using either the internet or an AWS Direct Connect connection as the network backbone, terminating the connection at AWS-managed or user-managed network endpoints
AWS CloudTrail
Lets you log, continuously monitor, and retain account activity related to actions across your AWS infrastructure.
AWS CloudTrail Benefits
- Simplifies compliance by automatically recording and storing event logs for actions taken within your AWS account
- Increases visibility into user and resource activity by recording AWS Management Console actions and API calls
- Lets you track and automatically respond to account activity that threatens the security of your AWS resources