Module 9: Securing application, user and data access Flashcards
Why is it difficult to manage users when assigning individual rights ?
Each change, team growth, new access, policy… needs to be manually updated by an admin.
What mechanism makes it easier to manage users?
Create groups based on job function.The policy is attached to the group not the user
Can a user belong to multiple groups ?
Yes
Can a group belong to another group ?
No
How can group be granted permissions ?
By using access control policies
Groups do not have security credentials and cannot access web services directly. They exist solely to make it easier to manage user permissions.
TRUE or FALSE ?
TRUE
What take precedence if two rules conflict ?
The most restrictive rule takes precedence
What does it mean if i see the term RBAC in the context of managing permissions ?
Role-Based Access Control
What is the role based access control?
Create a policy and attach it to an entity (user group or role). Traditionally permissions are defined based on job function.
What does it mean if I see ABAC in the context of managing permissions
Attribute Based permissions
What are attribute based permissions ?
Permissions based on attributes (key-value paris called tags).
More flexible than policies, allows to manage granular permissions, highly scalable and fully auditable.
What is the pre-requisite of a clean ABAC ?
Correct Tagging
What is an identity federation ?
An agreement between a Service provider and an identity provider. (Like connect with facebook, or connect with apple)
IdP is identity provider, SP is the service provider.
What are AWS service supporting identity federation
AWS IAM
Aws IAM Identity center
AWS Security Token Services
Amazon Cognito
What is IAM Identity center ?
A service to create or connect identities and manage access centrally
What is AWS Security Token Service?
It’s a web service to request temporary limited priviledge credentials. Can be used by users or applications
What is AWS Organizations?
A service that helps you centrally manage and govern multiple AWS accounts.
What is a Service Control Policy (SCP)?
SCPs allow administrators to control permissions for accounts in an AWS Organization, applying restrictions across accounts.
How can AWS SSO simplify access management across multiple accounts?
WS SSO (Single Sign-On) enables users to log in once and gain access to all assigned accounts and applications without needing multiple credentials.
What is a primary advantage of using AWS Control Tower?
It automates the setup of a multi-account environment following AWS best practices.
How does IAM role switching work in a multi-account setup?
Users in one AWS account assume a role in another account to gain temporary, limited access without creating additional IAM users.
What is the purpose of tagging AWS resources across accounts?
ags help track resource usage, apply policies, and simplify management across accounts
Why is it important to use separate accounts for different environments (e.g., dev, test, prod)?
To enforce isolation and reduce the risk of unintended impacts across environments
What feature of AWS Organizations ensures billing is centralized?
Consolidated billing aggregates costs across accounts, simplifying billing and enabling volume discounts.
Can SCPs grant permissions?
No, SCPs only restrict permissions; they cannot grant permissions beyond what IAM allows.
What is the benefit of enabling AWS CloudTrail across all accounts?
Ensures centralized logging of API activities for security and compliance monitoring.
What service can be used to manage encryption keys in AWS?
AWS Key Management Service (KMS).
What is server-side encryption (SSE)?
Encryption that AWS performs on your behalf when storing data in services like S3, RDS, or EBS.
What is the difference between SSE-S3, SSE-KMS, and SSE-C?
SSE-S3: Managed by AWS with default keys.
SSE-KMS: Uses customer-managed keys via AWS KMS.
SSE-C: Customer provides and manages encryption keys.
How does client-side encryption differ from server-side encryption?
Data is encrypted by the client before being sent to AWS, ensuring AWS only stores encrypted data.
What is an AWS CMK?
Customer Master Key used in KMS to encrypt and decrypt data securely.
How can you ensure encryption at rest for S3 objects?
By enabling default encryption at the bucket level or applying encryption settings to individual objects.
What AWS service automatically encrypts data stored in a database?
Amazon RDS can automatically encrypt databases using KMS keys.
How is EBS volume encryption enabled?
By enabling encryption when creating a volume or enforcing it using an account-level default.
What is envelope encryption?
Encrypting data keys with a master key (like KMS CMK), which in turn encrypts the actual data.
Can you encrypt data in transit and at rest simultaneously?
Yes, by using TLS for in-transit encryption and KMS or server-side encryption for data at rest.
What is the purpose of AWS Identity and Access Management (IAM)?
To control access to AWS resources securely by defining policies and roles.
What does Amazon Cognito provide for application developers?
User authentication, authorization, and user pool management for web and mobile apps.
What is AWS WAF and its use case?
AWS Web Application Firewall protects web applications from common exploits like SQL injection and cross-site scripting.
How does AWS Shield enhance security?
AWS Shield provides DDoS protection for applications running on AWS.
What does AWS Secrets Manager manage?
Storage, retrieval, and rotation of sensitive information like database credentials and API keys.
What is the use of AWS Certificate Manager (ACM)?
Simplifies provisioning, managing, and deploying SSL/TLS certificates for secure communications.
How does Amazon Macie protect sensitive data?
By using machine learning to discover, classify, and protect sensitive data like PII stored in S3.
What is AWS Config used for in security?
Ensures resource configurations comply with governance and compliance rules
How does AWS CloudTrail improve application security?
By logging all API requests, enabling audit trails for activity analysis.
What AWS service can manage permissions boundaries?
IAM allows setting permissions boundaries to restrict the maximum permissions a role or user can have.
