Secure Your Data Flashcards
EBS volumes
Customer's responsibility to ensure availability and backup by creating EBS snapshots
Cannot be copied directly; only replicated using snapshots
When you create an EBS volume from a snapshot, the new volume begins as an exact replica of the original volume that was used to create the snapshot. The replicated volume loads in the background so that you can begin using it immediately
Snapshots
Incremental backups: only the blocks on the device that have changed since your most recent snapshot are saved
AWS Config
Used to audit and evaluate configurations of AWS resources. If there are any operational issues, AWS Config can be used to retrieve the configuration changes made to AWS resources that may have caused them
Security Groups
Controls inbound traffic. By default, all outbound traffic is allowed
INSTANCE LEVEL
After you launch an instance into a VPC, you can change the security group associated with the instance while it is in the running or stopped state.
Stateful
In VPCs, traffic exits on the same port it came in on
Stateless
VPC access
Does not need to come in on the same port (inbound) as the port it exits on (outbound)
Network access control list (NACL)
Optional security layer tied to a subnet within a VPC to control inbound and outbound traffic.
SUBNET LEVEL
Amazon Inspector
Vulnerability assessment
Two packages:
- Network reachability rules package: checks network accessibility of Amazon EC2 instances
- Host assessment rules package: checks for vulnerabilities on Amazon EC2 instances
Amazon Macie
Managed service which can be used to detect personally identifiable information (PII), such as names and passwords, in large amounts of data stored in S3 buckets
AWS Shield
Managed DDoS (distributed denial of service) protection service that safeguards applications running on AWS
Standard tier is free
AWS Firewall Manager
Security management service that allows you to centrally configure and manage firewall rules across your accounts and applications in AWS Organizations
Amazon GuardDuty
Threat detection service that continuously monitors for malicious activity and unauthorised behaviour to protect your AWS accounts, workloads, and data stored in S3
AWS Certificate Manager
Not a solution for encryption at rest; it is for encryption in transit
Lets you easily provision, manage, and deploy public and private Secure Sockets Layer (SSL)/Transport Layer Security (TLS) certificates
Server-side encryption managed by S3 (SSE-S3)
Encryption/decryption at rest, but does not offer monitoring capabilities (who used the key, and when)
Server-side encryption managed by the customer (SSE-C)
Encryption/decryption at rest, but without monitoring capabilities
Server-side encryption managed by KMS (SSE-KMS)
Encryption/decryption at rest with monitoring capabilities
Integrated with AWS CloudTrail to provide logs of all key usage, to help meet your regulatory and compliance needs
VPC Flow Logs
Capture information about the IP traffic going to and from network interfaces within the VPC
AWS Detective
Security service that uses machine learning on the automatically collected log data to help customers perform fast and efficient security investigations