Security Flashcards
Security of the cloud:
Amazon’s Responsibility
Protecting and securing infrastructure
Building security
Networking components – generators, uninterruptible power supplies, computer room air conditioning, fire suppression systems
Software – Managed services (RDS, S3, ECS, Lambda)
Security in the cloud:
My responsibility
App data and encryption options
Security config – API calls, account, rotating credentials, restricting internet
Patching – Guest operating system
Identity and Access Management – Security and identity
Network Traffic – Firewall configuration
Installed Software
Shared responsibilities
Patch management
AWS: patching infrastructure
Me: patching guest OS and apps
Config management
AWS: Configuring infrastructure devices
Me: Configuring databases and apps
Awareness and training
AWS: their employees
Me: my employees
5 Pillars
Operational Excellence
Security
Reliability
Performance Efficiency
Cost Optimization
Operational Excellence –
Creating apps that effectively support production workloads
Plan for and anticipate failure
Deploy smaller, reversible changes
Script operations as code
Learn from failure and refine
In the real world:
CodeCommit – Version control to enable tracking of changes in code
Security –
Putting mechanisms in place to protect systems and data
Automate security tasks
Encrypt data in transit and at rest
Assign only the least privileges required
Track who did what when
Ensure security at all app layers
In the real world:
CloudTrail – Logging of all actions
Reliability –
Design systems that work consistently and recover quickly
Recover from failure automatically
Scale horizontally for resilience
Reduce idle resources
Manage change through automation
Test recovery procedures
In the real world:
RDS – Use Multi-AZ deployments for enhanced availability and reliability
Performance Efficiency –
The effective use of computing resources to meet system and business requirements while removing bottlenecks
Use serverless architecture first
Use multi-region deployments
Delegate tasks to a cloud vendor
Experiment with virtual resources
In the real world:
Lambda – Serverless, run with zero administration
Cost Optimization –
Delivering optimum and resilient solutions at the lowest cost to the user
Using consumption-based pricing
Measure overall efficiency
Implement Cloud Financial Management
Pay only for resources your app requires
In the real world:
S3 – Intelligent tiering to automatically move data between tiers
IAM –
Controls access to AWS services and resources
Secure cloud resources
You define who has access
You define what they can do
Free global service
Identities –
Who can access your resources
Root user
Individual user
Groups
Collection of users
Administrators
Creating new users
Developers
Use compute and db services to build apps
Analysts
Run budgets and use reports
Roles
Access –
What resources they can access
Policies
AWS managed policies
Customer managed policies
Permissions boundaries
Authentication –
Who
Present identity through username and password
Authorization –
What
Which services the authenticated identity has access to
Users –
Entities you create in IAM to represent the person or app needing access to AWS resources
Root user – not meant for day to day tasks.
Individual users – used for everyday tasks
Applications can be users – For instance, you’ll generate access keys for an app running on-premises that needs access to the cloud
IAM Roles –
Define access permission and are temporarily assumed by a user or service
Key takeaways when dealing w/ roles:
Assume a role to perform a single task in a session
Assumed by any user or service that needs it
Access assigned using policies
Grant users in one AWS account access to resources in another AWS account using roles
Real world uses:
Attach a role to an EC2 instance for access to S3
IAM Policies –
Managed permissions for IAM users, groups, roles, by creating a policy doc in JSON format and attaching it
Policies in real world:
Limit access to an S3 bucket to specific users
IAM Best Practices:
Enable MFA for privileged users
Implement strong password policies
Create individual users instead of using root user
Use roles for Amazon EC2 instances
IAM Credential Report
Lists all users in the account and the status of their passwords, access keys, and MFA devices
Used for auditing and compliance
WAF –
Helps protect web apps against common attacks
Protects against SQL Injection
Protects against cross-site scripting
Real world:
Protect EC2 against cross-site scripting
Shield –
Managed DDoS protection service
Always-on detection
Shield standard is free
Protects against common and frequently occurring attacks
Shield advanced is a paid service
Enhanced protection and 24/7 access to an expert
Supported on several services:
CloudFront, Route53, Elastic Load Balancing, AWS Global Accelerator
Real world:
Receive real-time notifications of suspected DDoS incidents and assistance from AWS during the attack
Macie –
Discover and protect sensitive data
Uses machine learning
Evaluates S3 environment
Uncovers personally identifiable information
Real world:
Discover passport #s stored on S3
Config
Assess, audit, evaluate config of resources
Track config changes over time
Delivers config history file to S3
Notifies using SNS of every config change
Real world:
Identify system-level config changes made to EC2 instances
GuardDuty
Threat detection that uncovers unauthorized behavior
Uses machine learning
Built in detection for EC2, IAM, S3
Reviews CloudTrail, VPC Flow Logs, and DNS logs
Real world:
Detects unusual API calls in account
Inspector
Works with EC2 instances to uncover and report vulnerabilities
Agent installed directly on EC2 instance
Reports vulnerabilities found
Checks access from the internet, remote root login, vulnerable software versions, etc.
Real world:
Identify unintended network access to an EC2 instance via detailed report of security findings
Artifact
Offers on-demand access to AWS security and compliance reports
Central repository for compliance reports from third party auditors
Service Organization Controls (SOC) reports
Payment Card Industry (PCI) reports
Real world:
Access AWS cert for ISO compliance
KMS
Generate and store encryption keys
Key generator
AWS manages encryption keys
Automatically enabled for certain services
Real world:
Create encrypted EBS volumes
CloudHSM
Hardware security module used to generate encryption keys
Dedicated hardware
Generate and manage your own encryption keys
AWS does not have access to your keys
Real world:
Meet compliance requirements for data security by using dedicated hardware
Secrets Manager
Allows you to manage and retrieve secrets
Rotate, manage, and retrieve secrets
Encrypt secrets at rest
Integration with RDS, Redshift, DocumentDB
Real world:
Retrieve database credentials needed for app