Section 4 Flashcards
Network ACL
tied to a subnet, stateless; numbered rules evaluated lowest number first
Security Group
tied to an instance (its network interface), stateful
Stateful
Return traffic for a connection that was allowed in one direction is automatically allowed in the other direction, whatever the rules for that direction say
Stateless
Each direction is evaluated on its own; return traffic must be explicitly allowed by a rule (for a server this means opening the ephemeral port range, 1024-65535, outbound)
Supports allow rules only, e.g. you cannot deny a specific IP address from establishing a connection; all rules are evaluated, any match allows, anything unmatched is implicitly denied
Security Group
Supports allow and deny rules, e.g. you can block a specific IP address from establishing a connection; rules are evaluated in number order, first match wins, with a final implicit deny
Network ACL
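The cards above describe the two evaluation models in words. The following is an added example written for these notes, not AWS code: it models a Security Group (allow-only, stateful via flow tracking) and a Network ACL (numbered allow/deny, first match wins, stateless) and runs one HTTPS flow through both, including the classic NACL mistake of forgetting the ephemeral outbound range. The rule tuple shapes, the Packet fields and the IP addresses (documentation ranges) are assumptions made for the illustration.

```python
"""Security Group (stateful, allow-only) vs Network ACL (stateless, ordered
allow/deny), modelled in plain Python. Added example, not AWS code; the rule
tuples and Packet fields are a simplification chosen for the illustration."""
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network

EPHEMERAL = (1024, 65535)  # client-side ports that replies are sent back to


@dataclass(frozen=True)
class Packet:
    direction: str    # "in" (towards the instance) or "out" (from the instance)
    remote_ip: str    # the other end of the conversation
    local_port: int   # port on the instance
    remote_port: int  # port on the remote host
    proto: str = "tcp"

    def flow(self):
        # A request and its reply share this key; connection tracking keys on it.
        return (self.remote_ip, self.proto, self.local_port, self.remote_port)


def _matches(pkt, proto, port_range, cidr):
    # A rule constrains the packet's destination port: the instance's port for
    # inbound traffic, the remote host's port for outbound traffic.
    port = pkt.local_port if pkt.direction == "in" else pkt.remote_port
    lo, hi = port_range
    return (proto in ("all", pkt.proto) and lo <= port <= hi
            and ip_address(pkt.remote_ip) in ip_network(cidr))


@dataclass
class SecurityGroup:
    """Allow rules only; any matching rule permits. Stateful via flow tracking.
    Rule = (proto, (port_lo, port_hi), cidr)."""
    inbound: list = field(default_factory=list)
    outbound: list = field(default_factory=list)
    tracked: set = field(default_factory=set)

    def allows(self, pkt):
        if pkt.flow() in self.tracked:
            return True  # reply to an already-allowed flow: no rule is consulted
        rules = self.inbound if pkt.direction == "in" else self.outbound
        for proto, port_range, cidr in rules:
            if _matches(pkt, proto, port_range, cidr):
                self.tracked.add(pkt.flow())
                return True
        return False  # no deny rule exists; unmatched traffic is simply dropped


@dataclass
class NetworkACL:
    """Numbered allow/deny rules, lowest number first, first match wins,
    implicit deny at the end (the '*' rule). Stateless: replies need their
    own rule. Rule = (number, proto, (port_lo, port_hi), cidr, action)."""
    inbound: list = field(default_factory=list)
    outbound: list = field(default_factory=list)

    def allows(self, pkt):
        rules = self.inbound if pkt.direction == "in" else self.outbound
        for _num, proto, port_range, cidr, action in sorted(rules, key=lambda r: r[0]):
            if _matches(pkt, proto, port_range, cidr):
                return action == "allow"
        return False


def demo():
    """Constructed scenario: client 198.51.100.7:50123 -> instance:443 (HTTPS)."""
    request = Packet("in", "198.51.100.7", 443, 50123)
    reply = Packet("out", "198.51.100.7", 443, 50123)
    blocked_client = Packet("in", "203.0.113.9", 443, 50124)

    # Security group: allow 443 in, no outbound rules at all.
    sg = SecurityGroup(inbound=[("tcp", (443, 443), "0.0.0.0/0")])
    results = {
        "sg_unsolicited_reply": SecurityGroup().allows(reply),  # False: nothing tracked
        "sg_request": sg.allows(request),                       # True
        "sg_reply_without_outbound_rule": sg.allows(reply),     # True: stateful
    }
    # NACL, common mistake: outbound allows only 443, so the reply headed for
    # the client's ephemeral port 50123 is dropped.
    nacl_bad = NetworkACL(
        inbound=[(100, "tcp", (443, 443), "0.0.0.0/0", "allow")],
        outbound=[(100, "tcp", (443, 443), "0.0.0.0/0", "allow")],
    )
    # NACL, corrected: deny one CIDR at a lower number than the allow, and
    # open the ephemeral range outbound so replies can leave.
    nacl_good = NetworkACL(
        inbound=[(90, "tcp", (443, 443), "203.0.113.0/24", "deny"),
                 (100, "tcp", (443, 443), "0.0.0.0/0", "allow")],
        outbound=[(100, "tcp", EPHEMERAL, "0.0.0.0/0", "allow")],
    )
    results.update({
        "nacl_bad_request": nacl_bad.allows(request),               # True
        "nacl_bad_reply": nacl_bad.allows(reply),                   # False: stateless
        "nacl_good_reply": nacl_good.allows(reply),                 # True
        "nacl_good_denied_cidr": nacl_good.allows(blocked_client),  # False: rule 90 wins
        "nacl_good_other_client": nacl_good.allows(request),        # True
    })
    return results


if __name__ == "__main__":
    for name, allowed in demo().items():
        print(f"{name:32} {'ALLOW' if allowed else 'DROP'}")
```

The security group passes the reply with an empty outbound rule set because the inbound match recorded the flow; the NACL has no such memory, so the reply is judged only against the outbound rules and needs the ephemeral range opened. The ordering of rules 90 and 100 is what lets a NACL express "deny this CIDR, allow everyone else", which a security group cannot say at all.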
KMS
Key Management Service, create and manage keys and control the use of encryption
AWS Managed Keys
- Generated by AWS on the customer's behalf, one per service (alias aws/<service>)
- Rotated automatically once a year (every three years before May 2022)
- Cannot be deleted or disabled
- Scope of use: limited to the specific AWS service the key was created for
- Key access policy: managed by AWS, cannot be edited by the customer
- User access management: IAM policy
Customer Managed Keys, CMK
- Generated (or imported) by the customer
- Automatic rotation is optional; when enabled it defaults to once a year
- Can be disabled, or scheduled for deletion with a 7 to 30 day waiting period
- Scope of use: controlled via the key policy and IAM policies
- Key access policy: customer managed (written and edited by the customer)
- User access management: IAM policy, effective only if the key policy delegates to the account (the default key policy's root statement)
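The key access policy is the line that differs between the two cards above, and it carries a practical trap: IAM policies only grant access to a customer managed key if the key policy itself allows the account root principal to use it. The check below is an added example written for these notes, not AWS code; it parses constructed key policy documents (111122223333 is the placeholder account ID AWS uses in its documentation) and reports whether the account keeps administrative control of the key.

```python
"""Check whether a KMS key policy keeps the account in control of the key.

Added example, not AWS code. A customer managed key gets whatever policy you
supply; if that policy has no statement granting the account root principal
kms:* on the key, IAM policies in the account have no effect on it and the key
can become unmanageable. The policy documents here are constructed examples."""
import json

ACCOUNT_ID = "111122223333"  # placeholder account ID used in AWS documentation

# Default key policy KMS attaches to a customer managed key when you supply
# none. This single statement is what lets IAM policies in the account grant
# access to the key.
DEFAULT_KEY_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Id": "key-default-1",
    "Statement": [{
        "Sid": "Enable IAM User Permissions",
        "Effect": "Allow",
        "Principal": {"AWS": f"arn:aws:iam::{ACCOUNT_ID}:root"},
        "Action": "kms:*",
        "Resource": "*",
    }],
})

# A "least privilege" policy that dropped the root statement: only app-role
# can use the key, and nobody in the account can change that afterwards.
LOCKED_OUT_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [{
        "Sid": "Allow use of the key",
        "Effect": "Allow",
        "Principal": {"AWS": f"arn:aws:iam::{ACCOUNT_ID}:role/app-role"},
        "Action": ["kms:Encrypt", "kms:Decrypt", "kms:GenerateDataKey"],
        "Resource": "*",
    }],
})

# Same grant as the default, written with the account-ID shorthand that IAM
# accepts for the root principal and with list-valued fields.
SHORTHAND_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Allow",
        "Principal": {"AWS": [ACCOUNT_ID]},
        "Action": ["kms:*"],
        "Resource": ["*"],
    }],
})


def _as_list(value):
    """IAM policy JSON allows a bare string wherever a list is permitted."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def root_retains_admin(policy_json, account_id):
    """True if some Allow statement grants the account root principal kms:*
    on the key without a Condition, i.e. IAM policies can still manage it."""
    root_arn = f"arn:aws:iam::{account_id}:root"
    for stmt in json.loads(policy_json).get("Statement", []):
        if stmt.get("Effect") != "Allow" or "Condition" in stmt:
            continue  # a conditional or deny statement is not an unconditional grant
        principal = stmt.get("Principal")
        if isinstance(principal, dict):
            principals = _as_list(principal.get("AWS"))
        else:
            principals = _as_list(principal)  # bare ARN string or "*"
        if ((root_arn in principals or account_id in principals)
                and "kms:*" in _as_list(stmt.get("Action"))
                and "*" in _as_list(stmt.get("Resource"))):
            return True
    return False


if __name__ == "__main__":
    for name, doc in [("default", DEFAULT_KEY_POLICY),
                      ("locked_out", LOCKED_OUT_POLICY),
                      ("shorthand", SHORTHAND_POLICY)]:
        print(f"{name:12} account keeps control: {root_retains_admin(doc, ACCOUNT_ID)}")
```

Run this against a policy document before passing it to CreateKey or PutKeyPolicy: a result of False means the only principals who can touch the key are the ones named in the policy, which is exactly the situation the AWS managed key card avoids by having AWS own the policy.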
Custom Key Stores
- KMS key store backed by a CloudHSM cluster that the customer owns and manages
- Key material is generated in and never leaves HSMs under the customer's control; the most isolated option, at the cost of running the cluster (availability and HSM pricing) yourself
AWS Shield Standard
Automatically applied, Free
AWS Shield Advanced
- 24x7 access to the Shield Response Team (SRT)
- Cost protection against scaling charges caused by a DDoS attack
- Customizable protection and attack visibility
- $3000/month with a one-year commitment
Web Application Firewall
lets you monitor web requests forwarded to an Amazon API Gateway, a CloudFront distribution, or an Application Load Balancer, and allow, block, or count them based on rules (IP sets, rate limits, SQL injection and XSS match conditions)
AWS Firewall Manager
central management of WAF rules, Shield Advanced protections, and VPC security groups across all accounts and applications in an AWS Organization
IAM
Identity and Access Management, used to control who is authenticated (signed in) and what they are authorized (permitted) to do with resources.