Notes from Security Whitepaper

Question 1

Overview of Security Processes Part 1

Answer 1

About 20% of exam. Read this whitepaper

Question 2

Shared security model

Answer 2

AWS secures underlying infrastructure

You’re responsible for what you put on it and connect to it

Question 3

AWS responsibilities

Answer 3

protecting infrastructure that runs their services (hardware, software, networking, facilities)

security configuration of managed services (dynamoDB, RDS, Redshift, MapReduce)

Question 4

IAAS responsibilities

Answer 4

EC2, S3, VPC, are your responsibility

Question 5

Storage decommissioning

Answer 5

AWS decommissions storage devices using DoD or NIST standards

All decommissioned magnetic storage devices are degaussed, physically destroyed

Question 6

Transmission Protection

Answer 6

You can use HTTPS, VPC, VPNs

Question 7

Amazon Corporate Segregation

Answer 7

AWS production network is segregated from their corporate network

Question 8

Network monitoring and protection

Answer 8

AWS protects from

DDOS, MITM
IP Spoofing, Port scanning, Packet sniffing

Question 9

How does AWS prevent IP spoofing?

Answer 9

AWS host based firewall infrastructure prevents instances from sending traffic with source iP or MAC different from its own

Question 10

Port scanning

Answer 10

Unauthorized port scans are violation of TOS

Have to request permission in advance to scan your own services

Question 11

AWS Credentials

Answer 11

Passwords
MFA
Access Keys (for services, API requests)
Key Pairs (for SSH)
Certificates (can secure cloud front with it)

Question 12

AWS Trusted Advisor

Answer 12

inspects your AWS environment and recommends ways to save money, improve performance, alters common security misconfigurations

Question 13

Describe Instance Isolation

Answer 13

Xen hypervisor isolated instances

AWS firewall resides in hypervisor layer, between physical and virtual NIC’s.

All packets must pass through hypervisor (firewall) layer

Physical RAM separated similarly

Question 14

Describe zeroing of disks and RAM

Answer 14

Instances don’t have access to raw disks

Disk virtualization automatically resets every block of storage used

Memory allocated to guests is set to zero when it’s unallocated.

Question 15

Describe Guest OS permissions for AWS

Answer 15

instances are completely controlled by the customer.

AWS has no access to them or the guest OS

Question 16

Describe AWS EC2 Firewall

Answer 16

EC2 provides complete firewall solution, mandatory inbound firewall has default deny-all mode

Requires customers to explicitly open ports

Question 17

Describe AWS Guest OS Encryption

Answer 17

AWS can encrypt EBS volumes and snapshots with AES-256 But only with bigger instance types (M3, C3, R3, G2)to prevent performance hit

Encryption occurs on servers that host the instances, encrypting data as it moves between instances and EBS storage

Question 18

What can ELB do for security?

Answer 18

Terminate SSL on the load balancer

Lets you ID originating IP address of clients connecting to servers, whether using HTTPS or TCP load balancing

Question 19

Direct Connect

Answer 19

Lets you bypass ISP’s

Use rack space in the facility with AWS direct connect

Uses 802.1q VLANs so your direct connection can be partitioned, letting you access public and private AWS resources