Module 6 - Security Flashcards
Shared Responsibility Model
AWS is responsible for some parts of your environment and the customer is responsible for other parts.
Customer responsibilities
“security in the cloud”.
Customers responsible for security of everything they create and put in AWS Cloud.
Customer maintains complete control over their content when using AWS services.
Responsible for managing security requirements for your content.
- Which content you choose to store on AWS.
- Which AWS services you use.
- Who has access to that content.
- How access rights are granted, managed and revoked.
Factors that determine the customer's security steps
- Services that you use.
- Complexity of your systems.
- Company’s specific operational and security needs.
Customer security steps include:
- Selecting, configuring and patching operating systems that will run on Amazon EC2 instances.
- Configuring security groups.
- Managing user accounts.
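Security groups are the customer-side control most often misconfigured, so as an added example (not part of the original module) here is their allow-only, deny-by-default semantics modelled in Python, with a constructed permissive group beside a hardened one. The group contents, ports and CIDR ranges (203.0.113.0/24 standing in for an admin VPN range) are assumptions for illustration.

```python
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Rule:
    """One inbound security-group rule. protocol is "tcp", "udp", "icmp" or "-1" (all)."""
    protocol: str
    from_port: int
    to_port: int
    cidr: str


# Constructed sample groups (not real AWS resources).
# Weak: SSH reachable from the whole internet.
OPEN_SSH_GROUP = [
    Rule("tcp", 22, 22, "0.0.0.0/0"),
    Rule("tcp", 443, 443, "0.0.0.0/0"),
]
# Hardened: SSH only from an assumed admin range (TEST-NET-3), HTTPS stays public.
HARDENED_GROUP = [
    Rule("tcp", 22, 22, "203.0.113.0/24"),
    Rule("tcp", 443, 443, "0.0.0.0/0"),
]


def is_inbound_allowed(rules, protocol, port, source_ip):
    """Security groups are allow-lists: any matching rule permits the packet and no
    matching rule means it is dropped. There are no deny rules and no ordering, and
    because groups are stateful the reply traffic needs no rule of its own.
    Note 0.0.0.0/0 covers IPv4 only; IPv6 sources need a separate ::/0 rule."""
    src = ipaddress.ip_address(source_ip)
    for r in rules:
        if r.protocol not in ("-1", protocol):
            continue
        if r.protocol != "-1" and not (r.from_port <= port <= r.to_port):
            continue
        if src in ipaddress.ip_network(r.cidr, strict=False):
            return True
    return False


def world_open_admin_ports(rules, admin_ports=(22, 3389)):
    """Lint check: admin ports that any 0.0.0.0/0 or ::/0 rule exposes."""
    found = set()
    for r in rules:
        if ipaddress.ip_network(r.cidr, strict=False).prefixlen != 0:
            continue
        for p in admin_ports:
            if r.protocol == "-1" or (r.protocol == "tcp" and r.from_port <= p <= r.to_port):
                found.add(p)
    return sorted(found)


if __name__ == "__main__":
    for name, group in (("open", OPEN_SSH_GROUP), ("hardened", HARDENED_GROUP)):
        print(name, "ssh from 198.51.100.7:", is_inbound_allowed(group, "tcp", 22, "198.51.100.7"),
              "world-open admin ports:", world_open_admin_ports(group))
```

The lint function is the check worth automating across an account: any rule whose prefix length is 0 and whose port range touches 22 or 3389 should be flagged before it reaches production.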
AWS responsibilities
“security of the cloud”.
AWS responsible for security of the cloud.
AWS operates, manages, and controls components at all layers of infrastructure.
• Host operating system.
• Virtualisation layer.
• Physical security of data centres from which services operate.
AWS responsible for protecting global infrastructure that runs all of services offered in AWS Cloud.
• AWS Regions.
• Availability Zones.
• Edge locations.
AWS manages security of the cloud, specifically the physical infrastructure that hosts your resources.
• Physical security of data centres.
• Hardware and software infrastructure.
• Network infrastructure.
• Virtualisation infrastructure.
AWS provides several reports from third-party auditors.
• Auditors verified compliance with variety of computer security standards and regulations.
AWS Identity and Access Management (IAM)
- Enables you to manage access to AWS services and resources securely.
- Gives you flexibility to configure access based on your company’s specific operational and security needs.
IAM features
IAM users, groups, roles.
IAM policies.
Multi-factor authentication.
AWS Account Root User
• Root user – the identity created when you first create an AWS account.
o Accessed by signing in with email address and password that you used to create your AWS account.
o Complete access to all AWS services and resources in account.
AWS Account Root User Best Practice
o Do not use root user for everyday tasks.
o Use root user only to create the first IAM user and assign it permissions to create other users.
o Continue to create IAM users and access those identities for performing regular tasks throughout AWS.
o Use root user only for the small number of tasks that only the root user can perform.
o E.g. changing root user email address, changing AWS support plan.
IAM Users
- Identity you create in AWS.
- Represents person or application that interacts with AWS services and resources.
- Consists of name and credentials.
- Default – when you create new IAM user in AWS, has no permissions associated with it.
- Allow IAM user to perform specific actions in AWS – must grant IAM user necessary permissions.
IAM Users Best Practice
o Create individual IAM users for each person who needs access to AWS.
o Provides additional security by allowing each IAM user to have unique set of security credentials.
IAM Policies
- Document that allows/denies permissions to AWS services and resources.
- Enable you to customise users’ levels of access to resources
IAM Policies Best Practice
o Follow security principle of least privilege when granting permissions.
o Help prevent users/roles from having more permissions than needed to perform tasks.
IAM Groups
- Collection of IAM users.
- Assign IAM policy to group – all users in group granted permissions specified by policy.
• Assigning IAM policies at group level makes it easier to adjust permissions when employee transfers to different job.
o Ensures employees have only permissions that are required for their current role.
IAM Roles
- Identity that you can assume to gain temporary access to permissions.
- Before IAM user, application, or service can assume IAM role – must be granted permissions to switch to role.
- Someone assumes IAM role – abandon all previous permissions they had under previous role and assume permissions of new role.
IAM Roles Best Practice
o IAM roles ideal for situations in which access to services or resources needs to be granted temporarily, instead of long-term.
Multi-Factor Authentication
Provides extra layer of security for AWS account.
AWS Organisations
- Use to consolidate and manage multiple AWS accounts within central location.
- Create organisation – AWS Organisations automatically creates root which is parent container for all accounts in your organisation.
- Consolidated billing another feature of AWS Organisations.
Service Control Policies (SCPs)
Enable you to place restrictions on the AWS services, resources, and individual API actions that users and roles in each account can access.
o Centrally control permissions for accounts in organisation.
Organisational Units (OUs)
• Can group accounts into organisational units (OUs).
o Make easier to manage accounts with similar business/security requirements.
o More easily isolate workloads/applications that have specific security requirements.
• Apply policy to OU.
o All accounts in the OU (and in any nested OUs) inherit the policy. SCPs set the maximum permissions available in an account; they never grant permissions themselves, so a user or role still needs an IAM policy that allows the action.
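How identity policies and SCPs combine (the IAM Policies and Service Control Policies cards above) is clearest in code. As an added example that is not from the original module, a simplified Python evaluator for the core decision logic: explicit deny wins, every SCP level on the path must allow, and without an identity policy nothing is allowed. It ignores Principal, Condition, NotAction, resource policies and permissions boundaries. The policy documents are constructed (JSON policy language written as Python dicts); the bucket name and the "Workloads" OU layout are assumptions.

```python
import fnmatch


def _matches(pattern, value):
    """IAM wildcards: '*' matches any run of characters, '?' exactly one.
    fnmatch's '[...]' set syntax is escaped because policies have none."""
    return fnmatch.fnmatchcase(value, pattern.replace("[", "[[]"))


def _as_list(x):
    return x if isinstance(x, list) else [x]


def evaluate_policy(policy, action, resource):
    """Return "Allow", "Deny" or None (no statement matched) for one policy document."""
    decision = None
    for stmt in _as_list(policy["Statement"]):
        if not any(_matches(a, action) for a in _as_list(stmt.get("Action", []))):
            continue
        if not any(_matches(r, resource) for r in _as_list(stmt.get("Resource", "*"))):
            continue
        if stmt["Effect"] == "Deny":
            return "Deny"          # an explicit deny is final
        decision = "Allow"
    return decision


def is_allowed(action, resource, identity_policies, scp_levels=()):
    """Decision order for a request by a user or role in a member account:
      1. every SCP level on the path (root, each OU, the account) must contain an Allow
         and no Deny for the action, otherwise the action is outside the account's ceiling;
      2. the identity's own policies must then Allow it with no Deny;
      3. no matching statement anywhere is an implicit deny.
    SCPs only set the ceiling: with no identity policy nothing is allowed."""
    for level in scp_levels:
        results = [evaluate_policy(p, action, resource) for p in level]
        if "Deny" in results or "Allow" not in results:
            return False
    results = [evaluate_policy(p, action, resource) for p in identity_policies]
    return "Deny" not in results and "Allow" in results


# Constructed policy documents (JSON policy language, as Python dicts).
ADMIN = {"Version": "2012-10-17",
         "Statement": [{"Effect": "Allow", "Action": "*", "Resource": "*"}]}

# Least privilege: read a single reporting bucket and nothing else.
READ_REPORTS = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": ["s3:GetObject", "s3:ListBucket"],
     "Resource": ["arn:aws:s3:::example-reports", "arn:aws:s3:::example-reports/*"]}]}

# SCPs: AWS attaches FullAWSAccess by default; the assumed "Workloads" OU adds a guardrail.
FULL_AWS_ACCESS = {"Version": "2012-10-17",
                   "Statement": [{"Effect": "Allow", "Action": "*", "Resource": "*"}]}
DENY_LEAVE_ORG = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Deny", "Action": "organizations:LeaveOrganization", "Resource": "*"}]}

# Path from the organisation root, through the Workloads OU, to the account.
ORG_PATH = [[FULL_AWS_ACCESS], [FULL_AWS_ACCESS, DENY_LEAVE_ORG], [FULL_AWS_ACCESS]]


if __name__ == "__main__":
    obj = "arn:aws:s3:::example-reports/q1.csv"
    print(is_allowed("s3:GetObject", obj, [READ_REPORTS], ORG_PATH))              # True
    print(is_allowed("s3:DeleteObject", obj, [READ_REPORTS], ORG_PATH))           # False
    print(is_allowed("organizations:LeaveOrganization", "*", [ADMIN], ORG_PATH))  # False
    print(is_allowed("s3:GetObject", obj, [], ORG_PATH))                          # False
```

The last call is the point the SCP card is easy to misread on: a permissive SCP on its own grants nothing, and an administrator in a member account is still held inside the OU's deny.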
Compliance
AWS Artifact
Customer Compliance Centre
AWS Artifact
• Service that provides on-demand access to AWS security and compliance reports and select online agreements.
Two sections: AWS Artifact Agreements + AWS Artifact Reports
AWS Artifact Agreements
Review, accept and manage agreements for an individual account and for all your accounts in AWS Organisations.
Different types of agreements are offered to address the needs of customers subject to specific regulations.
AWS Artifact Reports
Provide compliance reports from third-party auditors.
Auditors tested and verified AWS is compliant with variety of global, regional and industry-specific security standards and regulations.
Kept up to date as new reports are released.
Can provide AWS audit artifacts to your auditors/regulators as evidence of AWS security controls.
Customer Compliance Centre
- Contains resources to help you learn more about AWS compliance.
- Can read customer compliance stories to discover how companies in regulated industries solved various compliance, governance, and audit challenges.
Customer Compliance Centre Whitepapers and Documentation
o AWS answers to key compliance questions.
o An overview of AWS risk and compliance.
o An auditing security checklist.
Customer Compliance Centre Auditor Learning Path
o Designed for individuals in auditing, compliance, legal roles who want to learn more about how their internal operations demonstrate compliance using AWS Cloud.
Denial-of-service (DoS) Attacks
Deliberate attempt to make a website or application unavailable to users.
Distributed Denial-of-service Attacks (DDoS)
- Multiple sources used to start an attack that aims to make website/application unavailable.
- Group of attackers or single attacker.
- Single attacker can use multiple infected computers (“bots”) to send excessive traffic to website or application.
AWS Shield
Service that protects applications against DDoS attacks.
AWS Shield Standard
AWS Shield Advanced
AWS Shield Standard
Automatically protects all AWS customers at no cost.
Protects your AWS resources from most common types of DDoS attacks.
Uses variety of analysis techniques to detect malicious traffic in real time and automatically mitigates it.
AWS Shield Advanced
Paid service that provides detailed attack diagnostics and ability to detect and mitigate sophisticated DDoS attacks.
Integrates with other services:
• Amazon CloudFront.
• Amazon Route 53.
• Elastic Load Balancing.
Can integrate AWS Shield Advanced with AWS WAF by writing custom rules to mitigate complex DDoS attacks.
Additional Security Services
AWS Key Management Service (AWS KMS)
AWS WAF
Amazon Inspector
Amazon GuardDuty
AWS Key Management Service (AWS KMS)
• Enables you to perform encryption operations through use of cryptographic keys.
o Random string of bits (a secret value) used for locking (encrypting) and unlocking (decrypting) data.
o Can use AWS KMS to create, manage, and use cryptographic keys.
o Control use of keys across wide range of services and in your applications.
• Can choose specific levels of access control you need for your keys.
o Can temporarily disable keys so that they are no longer in use by anyone.
- KMS keys never leave AWS KMS unencrypted, and you remain in control of who may use them.
- You must ensure your applications' data is secure while in storage (encryption at rest) and while it is transmitted (encryption in transit).
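The two properties the KMS card lists, key material that never leaves the service and keys that can be disabled so nobody can use them, only make sense once you see how applications use KMS: envelope encryption for data at rest. As an added example that is not AWS code, a Python model with a toy in-memory "KMS" and an application that encrypts a record under a data key and stores only the wrapped data key beside the ciphertext. The ToyKms class, its key-id format and the cipher are assumptions: the cipher is an HMAC-SHA256 keystream with an encrypt-then-MAC tag standing in for AES-GCM so the example needs only the standard library.

```python
import hashlib
import hmac
import secrets


def _derive(key: bytes, label: bytes) -> bytes:
    """Separate encryption and MAC keys from one 32-byte key."""
    return hmac.new(key, label, hashlib.sha256).digest()


def _keystream(enc_key: bytes, nonce: bytes, length: int) -> bytes:
    """PRF in counter mode: block i = HMAC-SHA256(enc_key, nonce || i).
    A standard-library stand-in for AES-GCM, used only so the example runs anywhere."""
    blocks = [hmac.new(enc_key, nonce + i.to_bytes(4, "big"), hashlib.sha256).digest()
              for i in range((length + 31) // 32)]
    return b"".join(blocks)[:length]


def seal(key: bytes, plaintext: bytes) -> bytes:
    """Encrypt-then-MAC; output is nonce || ciphertext || tag."""
    nonce = secrets.token_bytes(16)
    ks = _keystream(_derive(key, b"enc"), nonce, len(plaintext))
    ct = bytes(p ^ k for p, k in zip(plaintext, ks))
    tag = hmac.new(_derive(key, b"mac"), nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag


def open_(key: bytes, blob: bytes) -> bytes:
    """Verify the tag in constant time before decrypting; raise on any tampering."""
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    expected = hmac.new(_derive(key, b"mac"), nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, tag):
        raise ValueError("ciphertext or tag has been tampered with")
    ks = _keystream(_derive(key, b"enc"), nonce, len(ct))
    return bytes(c ^ k for c, k in zip(ct, ks))


class ToyKms:
    """Assumed stand-in for KMS modelling the two properties the notes describe: the KMS
    key's material never leaves the service (callers only handle data keys), and a
    disabled key stops everyone from unwrapping the data keys protected by it."""

    def __init__(self):
        self._keys = {}  # key_id -> {"material": bytes, "enabled": bool}

    def create_key(self) -> str:
        key_id = "toy-key-" + secrets.token_hex(8)
        self._keys[key_id] = {"material": secrets.token_bytes(32), "enabled": True}
        return key_id

    def disable_key(self, key_id: str) -> None:
        self._keys[key_id]["enabled"] = False

    def enable_key(self, key_id: str) -> None:
        self._keys[key_id]["enabled"] = True

    def generate_data_key(self, key_id: str):
        """Like GenerateDataKey: a fresh data key, returned in plaintext and wrapped under the KMS key."""
        k = self._keys[key_id]
        if not k["enabled"]:
            raise PermissionError(f"{key_id} is disabled")
        data_key = secrets.token_bytes(32)
        return data_key, key_id.encode() + b"|" + seal(k["material"], data_key)

    def decrypt_data_key(self, wrapped: bytes) -> bytes:
        """Like Decrypt on a wrapped data key: refused while the KMS key is disabled."""
        key_id, blob = wrapped.split(b"|", 1)
        k = self._keys[key_id.decode()]
        if not k["enabled"]:
            raise PermissionError(f"{key_id.decode()} is disabled")
        return open_(k["material"], blob)


def encrypt_record(kms: ToyKms, key_id: str, plaintext: bytes) -> dict:
    """Envelope encryption: encrypt the data locally with the data key, store only the
    wrapped data key beside the ciphertext, and drop the plaintext data key."""
    data_key, wrapped = kms.generate_data_key(key_id)
    return {"wrapped_key": wrapped, "ciphertext": seal(data_key, plaintext)}


def decrypt_record(kms: ToyKms, record: dict) -> bytes:
    data_key = kms.decrypt_data_key(record["wrapped_key"])
    return open_(data_key, record["ciphertext"])
```

Disabling the KMS key does not touch the stored ciphertext; it simply makes every wrapped data key unusable until the key is re-enabled, which is why disabling (rather than deleting) is the safe first response when a key may have been misused.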
Amazon Inspector
• Helps to improve security and compliance of applications by running automated security assessments.
• Checks applications for security vulnerabilities and deviations from security best practices.
o E.g. open access to Amazon EC2 instances and installations of vulnerable software versions.
• After performed assessment – provides you with list of security findings.
o List prioritises by severity level – including detailed description of each security issue and recommendation for how to fix it.
• AWS does not guarantee that the recommendations provided resolve every potential security issue.
• Shared responsibility model.
o Customers responsible for security of their applications, processes, tools run on AWS services.
Amazon GuardDuty
• Service that provides intelligent threat detection for your AWS infrastructure and resources.
• Identifies threats by continuously monitoring network activity and account behaviour within your AWS environment.
o Once enabled, GuardDuty begins monitoring your network and account activity.
o Do not have to deploy/manage additional security software.
o GuardDuty continuously analyses data from multiple AWS sources including VPC Flow Logs, DNS logs and AWS CloudTrail event logs.
o GuardDuty detects threats – can review detailed findings about them from AWS Management Console.
Findings include recommended steps for remediation.
Can configure AWS Lambda functions to take remediation steps automatically in response to GuardDuty’s security findings.
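As an added example of the Lambda remediation path the last card describes (not code from AWS or the original module): a handler that receives a GuardDuty finding via EventBridge, applies a severity and resource-type gate, and isolates the affected EC2 instance by swapping its security groups for an empty quarantine group. The sample event is constructed (its field layout follows the GuardDuty finding format, the values are made up); the quarantine group id, the severity threshold and the FakeEc2 stand-in for the boto3 client are assumptions so the example runs offline.

```python
# Constructed EventBridge event for a GuardDuty finding. The field layout follows the
# GuardDuty finding format; every value is made up for this example.
SAMPLE_EVENT = {
    "source": "aws.guardduty",
    "detail-type": "GuardDuty Finding",
    "detail": {
        "id": "example-finding-id",
        "type": "UnauthorizedAccess:EC2/SSHBruteForce",
        "severity": 5.0,
        "region": "eu-west-2",
        "resource": {
            "resourceType": "Instance",
            "instanceDetails": {"instanceId": "i-0123456789abcdef0"},
        },
    },
}

# Assumed deployment settings: a pre-created security group with no inbound or outbound
# rules, and a severity floor (GuardDuty: Low 1-3.9, Medium 4-6.9, High 7-8.9).
QUARANTINE_SG = "sg-quarantine-example"
SEVERITY_THRESHOLD = 4.0


def plan_remediation(event):
    """Turn a finding into an action, or None when the function should not act.
    Only EC2 instance findings at or above the threshold are isolated automatically."""
    if event.get("source") != "aws.guardduty":
        return None
    detail = event.get("detail", {})
    if float(detail.get("severity", 0)) < SEVERITY_THRESHOLD:
        return None
    resource = detail.get("resource", {})
    if resource.get("resourceType") != "Instance":
        return None
    return {
        "action": "isolate_instance",
        "instance_id": resource["instanceDetails"]["instanceId"],
        "finding_type": detail.get("type"),
    }


class FakeEc2:
    """Offline stand-in for boto3.client("ec2") that records the calls it receives."""

    def __init__(self):
        self.calls = []

    def modify_instance_attribute(self, **kwargs):
        self.calls.append(("modify_instance_attribute", kwargs))
        return {}


def lambda_handler(event, context, ec2=None):
    """Lambda entry point. Replacing the instance's security groups with the quarantine
    group cuts it off from the network while leaving it intact for forensics."""
    if ec2 is None:
        import boto3  # only needed when deployed; tests inject a client instead
        ec2 = boto3.client("ec2")
    plan = plan_remediation(event)
    if plan is None:
        return {"status": "ignored"}
    ec2.modify_instance_attribute(InstanceId=plan["instance_id"], Groups=[QUARANTINE_SG])
    return {"status": "isolated", **plan}


if __name__ == "__main__":
    print(lambda_handler(SAMPLE_EVENT, None, ec2=FakeEc2()))
```

Keeping the decision (`plan_remediation`) separate from the side effect makes the gating logic testable without AWS credentials, and the function's execution role should be limited to `ec2:ModifyInstanceAttribute` on the instances it is meant to isolate, in line with the least-privilege card above.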