Section 15: Security in the Cloud Flashcards
What is AWS Directory Service?
Also known as AWS Managed Microsoft Active Directory, AWS Directory Service is a managed implementation of Microsoft Active Directory running on Windows Server.
What is Active Directory?
Active Directory (AD) is a database and set of services that connect users with the network resources they need to get their work done.
The database (or directory) contains critical information about your environment, including what users and computers there are and who’s allowed to do what. For example, the database might list 100 user accounts with details like each person’s job title, phone number and password. It will also record their permissions.
AWS Simple Active Directory
Simple AD is a standalone managed directory that is powered by a Samba 4 Active Directory Compatible Server. It is available in two sizes.
- Small - Supports up to 500 users (approximately 2,000 objects including users, groups, and computers).
- Large - Supports up to 5,000 users (approximately 20,000 objects including users, groups, and computers).
Simple AD provides a subset of the features offered by AWS Managed Microsoft AD, including the ability to manage user accounts and group memberships, create and apply group policies, securely connect to Amazon EC2 instances, and provide Kerberos-based single sign-on (SSO). However, note that Simple AD does not support features such as multi-factor authentication (MFA), trust relationships with other domains, Active Directory Administrative Center, PowerShell support, Active Directory recycle bin, group managed service accounts, and schema extensions for POSIX and Microsoft applications.
What is a Federated user?
A federated identity is a user who can sign in using a well-known external identity provider (IdP), such as Login with Amazon, Facebook, Google, or any other OpenID Connect (OIDC) -compatible IdP.
What is IAM Identity Center?
AWS IAM (Identity and Access Management) Identity Center helps you securely create or connect your workforce identities and manage their access centrally across AWS accounts and applications. IAM Identity Center is the recommended approach for workforce authentication and authorization on AWS for organizations of any size and type.
What is AWS Cognito?
The primary purpose of AWS Cognito is to provide sign-in and sign-up functionality for web and mobile apps.
It has two types of pools:
* User Pools - a directory for managing sign-in and sign-up for mobile apps (creating users). Identities can come from a Cognito user pool.
* Identity Pools - used to obtain temporary, limited-privilege credentials for AWS services.
Encryption in Transit vs at Rest
Encryption in transit - data is protected by SSL/TLS while in transit (as it is being transferred over the network), e.g. an HTTPS connection.
Encryption at rest - data is encrypted where it is stored (at the source/destination).
Asymmetric vs symmetric encryption
Asymmetric encryption - uses two keys: a public key for encryption and a private key for decryption.
Symmetric encryption - uses one key to both encrypt and decrypt data.
Asymmetric encryption is the stronger of the two types of encryption.
AWS Key Management Services (KMS)
- create and manage symmetric and asymmetric encryption keys
- keys are protected by HSMs (hardware security modules)
- automatic key rotation (usually every 365 days)
- use a key alias so that application code does not have to change when the key changes
Key rotation - https://docs.aws.amazon.com/kms/latest/developerguide/rotate-keys.html
AWS Cloud HSM
- AWS CloudHSM provides managed hardware security modules (HSMs)
- generate and use your own encryption keys in the AWS Cloud
- CloudHSM runs in your own Amazon VPC
AWS CloudHSM is a cryptographic service for creating and maintaining hardware security modules (HSMs) in your AWS environment. HSMs are computing devices that process cryptographic operations and provide secure storage for cryptographic keys.
AWS Certificate Manager (ACM)
- create, store and renew SSL/TLS X.509 certificates
- integrates with several AWS services (load balancing, CloudFront, Elastic Beanstalk, CloudFormation)
- import certificates from 3rd-party providers
- public and private certificates can be generated
ACM vs KMS
Encryption in Transit = AWS Certificate Manager (ACM)
Encryption at Rest = AWS Key Management Service (KMS)
AWS WAF (Web Application Firewall)
- web application firewall
- lets you create rules to filter web traffic based on conditions such as IP address, HTTP headers and body, custom URIs, geolocation, and rate limiting
- protects against common web exploits such as SQL injection and XSS attacks
Amazon Inspector
Amazon Inspector is an automated vulnerability management service that continually scans AWS workloads for software vulnerabilities and unintended network exposure.
Amazon Macie
Amazon Macie is a data security service that discovers sensitive data by using machine learning and pattern matching, provides visibility into data security risks, and enables automated protection against those risks.
This applies to data stored in Amazon S3.
AWS GuardDuty
Amazon GuardDuty is a threat detection service that continuously monitors your AWS accounts and workloads for malicious activity and delivers detailed security findings for visibility and remediation.
Continuous monitoring for events across:
* CloudTrail management events
* CloudTrail S3 data events
* VPC Flow Logs
* DNS Logs