Domain 3: Design Secure Applications and Architectures Flashcards
Encrypt EBS volumes restored from the unencrypted EBS snapshots.
Copy the snapshot and enable encryption with a new symmetric CMK while creating an EBS volume using the snapshot.
Limit the maximum number of requests from a single IP address.
Create a rate-based rule in AWS WAF and set the rate limit.
Grant the bucket owner full access to all uploaded objects in the S3 bucket.
Create a bucket policy that requires users to set the object’s ACL to bucket-owner-full-control.
Protect objects in the S3 bucket from accidental deletion or overwrite.
Enable versioning and MFA delete.
Access resources on both on-premises and AWS using on-premises credentials that are stored in Active Directory.
Set up SAML 2.0-based federation using Microsoft Active Directory Federation Services (AD FS).
Secure the sensitive data stored in EBS volumes.
Enable EBS encryption.
Ensure that the data in transit and data at rest of the Amazon S3 bucket are always encrypted.
Enable Amazon S3 Server-Side Encryption or use Client-Side Encryption.
Secure the web application by allowing multiple domains to serve SSL traffic over the same IP address.
Use AWS Certificate Manager to generate an SSL certificate. Associate the certificate to the CloudFront distribution and enable Server Name Indication (SNI).
Control the access for several S3 buckets by using a gateway endpoint to allow access to trusted buckets.
Create an endpoint policy for trusted S3 buckets.
Enforce strict compliance by tracking all the configuration changes made to any AWS services.
Set up a rule in AWS Config to identify compliant and non-compliant services.
Provide short-lived access tokens that act as temporary security credentials to allow access to AWS resources.
Use AWS Security Token Service (STS).
Encrypt and rotate all the database credentials, API keys, and other secrets on a regular basis.
Use AWS Secrets Manager and enable automatic rotation of credentials.