Module 6: Security Flashcards
Shared Responsibility Model
AWS is responsible for some parts of the environment (security of the cloud) and the customer is responsible for other parts (security in the cloud).
Customers (Security in the Cloud)
- Customers are responsible for the security of everything that they create and put in the cloud.
- Maintain complete control over the content stored on AWS, which AWS services are used, and who has access.
AWS (Security of the Cloud)
- Operates, manages, and controls the components at all layers of infrastructure.
- Responsible for protecting the global infrastructure that runs all the services offered in the AWS Cloud.
AWS Identity and Access Management (IAM)
Enables you to manage access to AWS services and resources securely.
IAM Users
- Represents the person or application that interacts with AWS services and resources.
- Consists of name and credentials.
- By default, it has no permissions associated with it when created.
IAM Policy
A document that allows or denies permissions to AWS services and resources.
IAM Group
A collection of IAM users.
IAM Role
- An identity that you can assume to gain temporary access to permissions.
- Before an entity can switch roles, it must be granted permission to switch to the role.
- All permissions of the previous role are abandoned and the permissions of the new role are assumed.
AWS Organizations
- Used to consolidate and manage multiple AWS accounts within a central location.
- Accounts can be grouped into organizational units to make it easier to manage accounts with similar business or security requirements.
Service Control Policies (SCPs)
Enable you to place restrictions on the AWS services, resources, and individual API actions that users and roles in each account can access.
AWS Artifact
A service that provides on-demand access to AWS security and compliance reports and select online agreements.
AWS Artifact Agreements
Agreements can be reviewed, accepted, and managed for an individual account or all accounts in AWS Organizations.
AWS Artifact Reports
Provide compliance reports from third-party auditors.
Customer Compliance Center
Contains resources to help you learn more about AWS compliance.
Denial-of-Service (DoS) Attack
A deliberate attempt to make a website or application unavailable to users.
Distributed Denial-of-Service (DDoS) Attack
- Multiple sources are used to start an attack that aims to make a website or application unavailable.
- A single attacker can use multiple infected computers, known as “bots”, to send excessive traffic to a website or application.
AWS Shield
A service that protects applications against DDoS attacks.
AWS Shield Standard
- Automatically protects all AWS customers at no cost.
- Protects AWS resources from the most common, frequently occurring types of DDoS attacks.
AWS Shield Advanced
- A paid service that provides detailed attack diagnostics and the ability to detect and mitigate sophisticated DDoS attacks.
- Can be integrated with AWS WAF, using custom rules to mitigate complex DDoS attacks.
AWS Key Management Service (AWS KMS)
Enables you to perform encryption operations through the use of cryptographic keys.
AWS WAF
- A web application firewall that lets you monitor requests that come into your web applications.
- Does this by using a web access control list (ACL) to protect resources.
Amazon Inspector
- Helps to improve the security and compliance of applications by running automated security assessments.
- Checks applications for security vulnerabilities and deviations from security best practices.
Amazon GuardDuty
- A service that provides intelligent threat detection for your AWS infrastructure and resources.
- Identifies threats by continuously monitoring the network activity and account behavior within your AWS environment.