DOMAIN 6 - MANAGEMENT PLANE SECURITY Flashcards
APIs and _______ are the way the management plane is delivered.
web consoles
_______ allow for programmatic management of the cloud. They are the glue that holds the cloud’s components together and enables their orchestration.
Application Programming Interfaces
Cloud providers and platforms will also often offer _______ and Command Line Interfaces (CLIs) to make integrating with their APIs easier.
Software Development Kits (SDKs)
_______ are managed by the provider. They can be organization-specific [typically using Domain Name Server (DNS) redirection tied to federated identity].
Web consoles
APIs are typically _______ for cloud services, since REST is easy to implement across the Internet. ________ APIs have become the standard for web-based services since they run over HTTP/S and thus work well across diverse environments.
REST
There is no single standard for authentication in REST. HTTP request signing and _______ are the most common; both of these leverage cryptographic techniques to validate authentication requests.
OAuth
No matter the platform or provider, there is always an account owner with _______ privileges to manage the entire configuration.
super-admin
Separate from the ______ you can usually create super-admin accounts for individual admin use.
account-owner
Your platform or provider may support lower-level administrative accounts that can only manage parts of the service. We sometimes call these ________ or “day to day administrators”.
“service administrators”
All privileged user accounts should use _______.
multi-factor authentication (MFA)
Protecting against attacks on the management plane’s components themselves, such as the web and API servers. It includes both lower-level network defenses and higher-level defenses against application attacks.
Perimeter security
Providing secure mechanisms for customers to authenticate to the management plane. This should use existing standards (like OAuth or HTTP request signing) that are cryptographically valid and well documented.
Customer authentication
The mechanisms your own employees use to connect with the non-customer-facing portions of the management plane. It also includes any translation between the customer’s authentication and any internal API requests.
Internal authentication and credential passing
Granular _______ better enable customers to securely manage their own users and administrators
entitlements
Robust _________ of administrative activities is essential for effective security and compliance. This applies both to what the customer does in their account, and to what employees do in their day-to-day management of the service. Alerting of unusual events is an important security control to ensure that monitoring is actionable, and not merely something you look at after the fact. Cloud
logging and monitoring