Lecture 14: Security and Compliance Flashcards
The security of the cloud and protecting the infrastructure that runs all the AWS services; you are responsible for everything you do in the cloud
What is AWS's responsibility?
It's when your server is overloaded by a lot of bots sending requests to it in order to shut down your service
What is a DDoS attack (distributed denial of service)?
____________ protects against DDoS attacks for your websites and applications, for all customers at no additional cost
AWS Shield Standard
____________ is 24/7 premium DDoS protection
AWS Shield Advanced
_________ filters specific requests based on rules
AWS WAF
__________ provide protection using the global edge network and, combined with AWS Shield, provide attack mitigation at the edge
CloudFront and Route 53
AWS Auto Scaling
If you're scaling and under a DDoS attack, then you can use __________
_________ is a free service that is activated for every AWS customer and provides protection from attacks such as SYN/UDP floods, reflection attacks and other layer 3 / layer 4 attacks
AWS Shield Standard (activated by default for every customer)
_________ is an optional DDoS mitigation service (3k per month per organization); it protects against more sophisticated attacks on other AWS services and has 24/7 access to the AWS DDoS response team
AWS Shield Advanced
____________ protects your web applications from common web exploits (layer 7); layer 7 is HTTP
AWS WAF (Web Application Firewall)
Application Load Balancer, API Gateway, and CloudFront
With AWS WAF you can deploy on ___________________
Web ACL (web access control list), such as:
1. Rules can include IP addresses, HTTP headers, HTTP body, or URI strings
- Protects from common attacks such as SQL injection and cross-site scripting (XSS)
- Size constraints, geo-match (block countries)
- Rate-based rules (to count occurrences of events) for DDoS protection
With WAF you can define what?
How would you protect your VPC entirely?
Using AWS Network Firewall
_________ manages security rules in all accounts of an AWS Organization
AWS Firewall Manager
What are the common set of security rules made with AWS Firewall Manager?
- VPC security groups for EC2, Application Load Balancers, etc.
- WAF rules
- AWS Shield Advanced
new resources
With AWS Firewall Manager, rules are applied to __________ as they are created across all current and future accounts in your organization
With __________, AWS customers are welcome to carry out security assessments or ____________ against their AWS infrastructure without prior approval for 8 services
Penetration testing
Prohibited activities (anything that looks like an attack)
With penetration testing, what can't you do? _______________
What does data at rest mean?
At rest, data is stored or archived on a device (like on a hard disk, etc.)
What does data in transit mean?
Data being moved from one location to another (transferred from on-premises to AWS, EC2, DynamoDB, etc.); the data is transferred over the network
Encryption keys
By using _____________ you can encrypt both data at rest and data in transit
Anytime you hear encryption for an AWS service, it's most likely _______
KMS
What is KMS?
AWS manages the encryption keys for you
With ________, AWS provisions the hardware security module but you manage the encryption keys yourself
CloudHSM (Hardware Security Module)
- Customer managed keys
- AWS managed keys (AWS/ prefix, if you see that)
- AWS owned keys
- CloudHSM keys
What are the types of KMS keys?
__________ lets you easily provision, manage, and deploy SSL/TLS certificates and is used to provide in-flight encryption for websites (HTTPS)
AWS Certificate Manager (ACM)
__________ is meant to store secrets, has the capability to force rotation of secrets every X days, and has an integration with Amazon RDS
AWS Secrets Manager
________ is a portal that provides customers with on-demand access to AWS compliance documentation and AWS agreements and can be used to support internal audit or compliance
AWS Artifact
___________ helps you do intelligent threat discovery to protect your AWS account, and it does it by using machine learning algorithms, anomaly detection and 3rd-party data
Amazon GuardDuty
- CloudTrail event logs
- VPC flow logs
- DNS Logs
- Optional features
What are the different input data that Amazon GuardDuty looks at?
You can also set up _______ with Amazon GuardDuty to be notified in case of findings
EventBridge rules (can target AWS Lambda or SNS)
Amazon GuardDuty can protect against _______________ attacks (has a dedicated "finding" for it)
Cryptocurrency attacks
__________ is a service that allows you to run automated vulnerability assessments
Amazon Inspector
- Leverages the AWS Systems Manager (SSM) agent
- Analyze against unintended network accessibility
- Analyze the running OS against known vulnerabilities
With EC2 instances, what does Amazon Inspector do?
Lambda functions and container images pushed to Amazon ECR
Amazon Inspector is also used for what?
Only EC2 instances, container images & Lambda functions
What does Amazon Inspector evaluate?
________ helps with auditing and recording compliance of your AWS resources and helps record configurations and changes over time
AWS Config
_________ is a fully managed data security and data privacy service that uses machine learning and pattern matching to discover and protect your sensitive data in AWS
Amazon Macie
Macie helps identify and alert you to sensitive data, such as ______________
Personally identifiable information (PII)
__________ is a central security tool to manage security across several AWS accounts and automate security checks
AWS Security Hub
_________ analyzes, investigates, and quickly identifies the root cause of security issues or suspicious activities (using ML and graphs)
Amazon Detective
automatically collects and processes events
Amazon Detective also _____________ from VPC Flow Logs, CloudTrail, and GuardDuty, and creates a unified view
_________ is when you report suspected AWS resources that are being used for abusive or illegal purposes
AWS Abuse
- Spam
- Port scanning
- DDoS attacks
- Intrusion attempts
- Hosting objectionable or copyrighted content
- Distributing malware
What are some abusive & prohibited behaviors?
What is a root user?
The account owner (created when the account is created); has complete access to all AWS services
What must you do with your root user account?
Lock away your root user access keys
- Change account settings
- Close your AWS account
- Change or cancel your AWS support plan
- Register as a seller in the reserved instance marketplace
What actions can be performed only by the root user?
____________ is used to find out which resources are shared externally (like S3 buckets, IAM roles, KMS keys, etc.)
IAM Access Analyzer
With IAM Access Analyzer, you have to define a ____________, which corresponds to your AWS account or organization; anything outside of it is considered a finding
Zone of trust
____________ is a security service that uses machine learning to automatically discover, classify, and protect sensitive data in AWS, such as personally identifiable information (PII) or intellectual property.
Amazon Macie
___________ is your go-to, central resource for compliance-related information that matters to you.
AWS Artifact
Penetration Testing is allowed without prior approval on ___________. DDoS, port flooding and protocol flooding are examples of prohibited activities.
8 services
___________ is a service that lets you easily provision, manage, and deploy public and private Secure Sockets Layer/Transport Layer Security (SSL/ TLS) certificates for use with AWS services and your internal connected resources.
AWS Certificate Manager
infrastructure, OS and applications
AWS is responsible for patching and fixing flaws within the __________, but customers are responsible for patching their guest ____________. Shared Controls also includes Configuration Management, and Awareness and Training.
___________ is an automated security assessment service that helps improve the security and compliance of applications deployed on AWS. It helps you test the network accessibility of your Amazon EC2 instances and the security state of your applications running on the instances.
Amazon Inspector
hardware
AWS is responsible for protecting __________. AWS is responsible for “Security OF the Cloud”. AWS is also responsible for the infrastructure that runs all services in the AWS Cloud, etc.
continuously monitors
Amazon GuardDuty is a threat detection service that _____________ for malicious activity and unauthorized behavior to protect your AWS accounts and workloads.