M4: AWS Cloud Security

Question 1

Shared responsibility model

Answer 1

AWS responsibility for security of the cloud, customer in the cloud.

Question 2

Security of the cloud

Answer 2

Physical security of data centres, hardware, software which hosts OS, network infrastructure

Question 3

IaaS

Answer 3

Provides building blocks for cloud IT (eg EC2)

Question 4

PaaS

Answer 4

Remove the need to manage underlying infrastructure - hardware, OS… (Eg lambda, RDS) But customer responsible for security group configurations, firewalls…

Question 5

IAM policies

Answer 5

In JSON and define permissions

Question 6

IAM entities are…

Answer 6

IAM users, IAM groups and IAM roles

Question 7

IAM user

Answer 7

Provides a way for a person, application or service to authenticate to AWS.

Question 8

IAM group

Answer 8

Arches the same policies to multiple users.

Question 9

IAM role

Answer 9

Can have permission policies arched to it and can be used to delegate temporary access to users or applications.

Question 10

Types of access possible for users

Answer 10

1. Programmatic

2. Management console

Question 11

What does MFA stand for?

Answer 11

Multi factor authentication

Question 12

How can you generate MFA token?

Answer 12

1. Virtual MFA-compliant applications
2. U2F security key devices
3. Hardware MFA devices

Question 13

Default for IAM users

Answer 13

No permissions to access any resources

Question 14

Principle of least privilege

Answer 14

All permissions need to be granted explicitly

Question 15

How widely do IAM policies apply

Answer 15

The scope is global: apply across all AWS regions

Question 16

Identity - based policies

Answer 16

Permission policies attached to a principal identity - managed or inline.

Question 17

Managed policies

Answer 17

Standalone identity - based policies that can be attached to multiple users, groups and roles in your AWS account.

Question 18

Managed policies

Answer 18

Standalone identity - based policies that can be attached to multiple users, groups and roles in your AWS account.

Question 19

Inline policies

Answer 19

Policies that you create and name, and that are embedded directly into a single user group or role.

Question 20

Resource based policies

Answer 20

JSON policy documents that are attached to a resource. Inline only. E.g. ACL.

Question 21

ACL

Answer 21

Access control list

Question 22

IAM explicit deny statement

Answer 22

Takes precedence over explicit allow statement.

Question 23

IAM policy simulator

Answer 23

Test and troubleshoot IAM policies

Question 24

IAM role

Answer 24

Can attach permission policies to. Does not have any log in credentials, usually temporary change in permissions. Eg to grant access to your account to third parties so they can perform an audit on your resources.

Question 25

Best practises for securing an AWS account

Answer 25

1. Securing login with MFA 2. Delete root user access keys 3. Create individual IAM users and use principle of least privilege for permissions 4. Use groups to assign permissions to IAM users 5. Configure a strong password policy 6. Delegate using rules instead of sharing credentials 7. Monitor account activity using CloudTrail

Question 26

CloudTrail

Answer 26

Logs all API requests in your account Enabled by default Stores 90 days

Question 27

AWS Organizations security features

Answer 27

1. Organizational units with their policies 2. Integrates with IAM 3. Service control policies: maximum permissions that member accounts in the organization can have

Question 28

AWS Key Management Service

Answer 28

Create and manage encryption keys Handles encryption automatically Secure and resilient service that uses hardware security modules validated under Federal Information Processing Standards

Question 29

Amazon Cognito

Answer 29

Control access to AWS resources from application, sign on. Can be used with HIPPA, workloads compliant with Payment card industry data security standard

Question 30

AWS Shield

Answer 30

Managed distributed denial of service protection service

Question 31

Data at rest

Answer 31

Data physically stored on disk or tape

Question 32

Data at rest encryption

Answer 32

Can encrypt file systems, eg EFS. Then all data transferred between EC2 and mounted EFS is encrypted. Alternatively, AWS Storage Gateway.

Question 33

Data in transit

Answer 33

Data that is moving across a network | Transport layer security used

Question 34

AWS certificate manager

Answer 34

Provision, manage and deploy SSL and TLS certificate

Question 35

S3 bucket access

Answer 35

Private by default 1. Block public access 2. IAM policies 3. Bucket policies 4. Setting ACLs on buckets and objects 5. AWS Trusted Advisor can check permissions on buckets

Question 36

AWS Config

Answer 36

Used to access, audit, evaluate the config of AWS resources. Regional service.