Security Flashcards

1
Q

Security of the cloud:

A

Amazon’s Responsibility

Protecting and securing infrastructure

Building security

Hardware, networking and facilities – servers and network devices, generators, uninterruptible power supplies, computer room air conditioning, fire suppression systems

Software – Managed services (RDS, S3, ECS, Lambda)

2
Q

Security In the cloud:

A

My responsibility

App data and encryption options

Security configuration – securing API calls and the account, rotating credentials, restricting internet access

Patching – Guest operating system

Identity and Access Management – Security and identity

Network Traffic – Firewall configuration

Installed Software

3
Q

Shared responsibilities

A

Patch management

AWS: patching infrastructure

Me: patching guest OS and apps

Config management

AWS: Configuring infrastructure devices

Me: Configuring databases and apps

Awareness and training

AWS: their employees

Me: my employees

4
Q

5 Pillars

A

Operational Excellence

Security

Reliability

Performance Efficiency

Cost Optimization

5
Q

Operational Excellence -

A

Creating apps that effectively support production workloads

Plan for and anticipate failure

Deploy smaller, reversible changes

Script operations as code

Learn from failure and refine

In the real world:

CodeCommit – Version control to enable tracking of changes in code

6
Q

Security –

A

Putting mechanisms in place to protect systems and data

Automate security tasks

Encrypt data in transit and at rest

Assign only the least privileges required

Track who did what when

Ensure security at all app layers

In the real world:

CloudTrail – Records API calls made in the account: who did what, when, and from where

7
Q

Reliability –

A

Design systems that work consistently and recover quickly

Recover from failure automatically

Scale horizontally for resilience

Reduce idle resources

Manage change through automation

Test recovery procedures

In the real world:

RDS – Use Multi-AZ deployments for enhanced availability and reliability

8
Q

Performance Efficiency –

A

The effective use of computing resources to meet system and business requirements while removing bottlenecks

Use serverless architecture first

Use multi-region deployments

Delegate tasks to a cloud vendor

Experiment with virtual resources

In the real world:

Lambda – Serverless; run code with zero server administration

9
Q

Cost Optimization –

A

Delivering optimum and resilient solutions at the lowest cost to the user

Using consumption-based pricing

Measure overall efficiency

Implement Cloud Financial Management

Pay only for resources your app requires

In the real world:

S3 – Intelligent tiering to automatically move data between tiers

10
Q

IAM –

A

Controls access to AWS services and resources

Secure cloud resources

You define who has access

You define what they can do

Free global service

11
Q

Identities –

A

Who can access your resources

Root user

Individual user

Groups – collection of users, e.g.:

Administrators – create new users

Developers – use compute and db services to build apps

Analysts – run budgets and use reports

Roles

12
Q

Access –

A

What resources they can access

Policies

AWS managed policies

Customer managed policies

Permissions boundaries

13
Q

Authentication –

A

Who

Prove the identity you claim: username and password (plus MFA) for console sign-in, access keys for API calls, or temporary credentials from an assumed role

14
Q

Authorization –

A

What

Which services the authenticated identity has access to

15
Q

Users –

A

Entities you create in IAM to represent the person or app needing access to AWS resources

Root user – not meant for day to day tasks.

Individual users – used for every day tasks

Applications can be users – For instance, you'll generate long-term access keys for an app running on-premises that needs access to the cloud (prefer a role with temporary credentials wherever possible, since long-term keys must be stored and rotated)

16
Q

IAM Roles –

A

Define access permission and are temporarily assumed by a user or service

Key takeaways when dealing w/ roles:

Assume a role to perform a single task in a session

Assumed by any user or service that needs it

Access assigned using policies

Grant users in one AWS account access to resources in another AWS account (cross-account access) using roles

Real world uses:

Attach a role to an EC2 instance for access to S3

17
Q

IAM Policies –

A

Manage permissions for IAM users, groups and roles by writing a policy document in JSON and attaching it to them

Policies in real world:

Limit access to an S3 bucket to specific users
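The decision logic behind cards 12 and 17 (policies and permissions boundaries) is easier to remember when you see it run. The following is an added example, not code from the original deck or from AWS: a simplified model of IAM policy evaluation (explicit Deny beats Allow, everything else is implicitly denied, and a permissions boundary must independently allow the request). The bucket name "acme-reports" and the two policy documents are constructed for illustration.

```python
import fnmatch

# Constructed example policies. The bucket name "acme-reports" is an assumption.
IDENTITY_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "ReadReportsBucket",
            "Effect": "Allow",
            "Action": ["s3:GetObject", "s3:ListBucket"],
            "Resource": ["arn:aws:s3:::acme-reports", "arn:aws:s3:::acme-reports/*"],
        },
        {
            "Sid": "NeverDeleteReports",
            "Effect": "Deny",
            "Action": "s3:DeleteObject",
            "Resource": "arn:aws:s3:::acme-reports/*",
        },
    ],
}

# A permissions boundary caps what any attached identity policy may grant:
# here, S3 reads only, whatever the identity policy says.
PERMISSIONS_BOUNDARY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow", "Action": ["s3:Get*", "s3:List*"], "Resource": "*"},
    ],
}


def _as_list(value):
    return value if isinstance(value, list) else [value]


def _matches(pattern, value):
    # IAM wildcards: "*" matches any run of characters, "?" exactly one.
    return fnmatch.fnmatchcase(value, pattern)


def evaluate(policy, action, resource):
    """Decision of one policy document: 'Deny', 'Allow' or 'Implicit' (no match)."""
    decision = "Implicit"
    for stmt in policy["Statement"]:
        if not any(_matches(a, action) for a in _as_list(stmt.get("Action", []))):
            continue
        if not any(_matches(r, resource) for r in _as_list(stmt.get("Resource", []))):
            continue
        if stmt["Effect"] == "Deny":
            return "Deny"          # an explicit deny in any matching statement wins
        decision = "Allow"
    return decision


def is_allowed(action, resource, identity_policy=IDENTITY_POLICY, boundary=None):
    """Simplified IAM decision for a principal acting in its own account.

    Precedence: explicit Deny > Allow > implicit deny.  When a permissions
    boundary is attached, the request must be allowed by BOTH the identity
    policy and the boundary; the boundary never grants anything on its own.
    """
    if evaluate(identity_policy, action, resource) != "Allow":
        return False
    if boundary is not None and evaluate(boundary, action, resource) != "Allow":
        return False
    return True
```

The model leaves out Condition blocks, resource-based policies, session policies and SCPs, all of which the real evaluator also consults; it is enough to show why a broad "s3:*" identity policy still cannot write when a read-only boundary is attached.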

18
Q

IAM Best Practices:

A

Enable MFA for privileged users

Implement strong password policies

Create individual users instead of using root user

Use roles for Amazon EC2 instances

19
Q

IAM Credential Report

A

Lists all users in the account and the status of their passwords, access keys, and MFA devices (downloadable as CSV)

Used for auditing and compliance

20
Q

WAF –

A

Helps protect web apps against common attacks

Protects against SQL Injection

Protects against cross-site scripting

Real world:

Protect a web app served through CloudFront or an Application Load Balancer against cross-site scripting (WAF attaches to those entry points, not to EC2 instances directly)

21
Q

Shield –

A

Managed DDoS protection service

Always-on detection

Shield standard is free

Protects against common and frequently occurring attacks

Shield advanced is a paid service

Enhanced protection, cost protection against DDoS-driven scaling charges, and 24/7 access to the AWS Shield Response Team (SRT)

Supported on several services:

CloudFront, Route53, Elastic Load Balancing, AWS Global Accelerator

Real world:

Receive real-time notifications of suspected DDoS incidents and assistance from AWS during the attack

22
Q

Macie –

A

Discover and protect sensitive data

Uses machine learning

Evaluates S3 environment

Uncovers personally identifiable information

Real world:

Discover passport #s stored on S3

23
Q

Config

A

Assess, audit, evaluate config of resources

Track config changes over time

Delivers config history file to S3

Notifies using SNS of every config change

Real World:

Identify system-level config changes made to EC2 instances
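Config evaluates resources against rules; a custom rule is a Lambda function handed a configuration item and returning a compliance verdict. The following is an added example (not from the original deck or from AWS) of the evaluation logic for one such rule: a security group is NON_COMPLIANT if SSH or RDP is reachable from 0.0.0.0/0 or ::/0. The two configuration items are constructed samples that follow the camelCase field names Config records for AWS::EC2::SecurityGroup; the handler shape is simplified (a real rule would read `event["invokingEvent"]` and call PutEvaluations through boto3).

```python
import json

RESTRICTED_PORTS = {22, 3389}        # SSH and RDP should never be world-reachable
WORLD = {"0.0.0.0/0", "::/0"}


def _port_in_rule(rule, port):
    if rule.get("ipProtocol") == "-1":   # "-1" means all protocols and ports
        return True
    lo, hi = rule.get("fromPort"), rule.get("toPort")
    if lo is None or hi is None:
        return False
    return lo <= port <= hi


def _open_to_world(rule):
    cidrs = [r.get("cidrIp") for r in rule.get("ipRanges", [])]
    cidrs += [r.get("cidrIpv6") for r in rule.get("ipv6Ranges", [])]
    return any(c in WORLD for c in cidrs)


def evaluate_security_group(configuration, restricted_ports=RESTRICTED_PORTS):
    """Return (compliance_type, annotation) for one security group's configuration."""
    violations = set()
    for rule in configuration.get("ipPermissions", []):
        if not _open_to_world(rule):
            continue
        violations.update(p for p in restricted_ports if _port_in_rule(rule, p))
    if violations:
        return "NON_COMPLIANT", f"ports {sorted(violations)} open to the world"
    return "COMPLIANT", "no restricted port open to 0.0.0.0/0 or ::/0"


def build_evaluation(invoking_event_json):
    """Shape the result the way a custom-rule Lambda passes it to PutEvaluations."""
    item = json.loads(invoking_event_json)["configurationItem"]
    if item["resourceType"] != "AWS::EC2::SecurityGroup":
        return {"ComplianceType": "NOT_APPLICABLE"}
    compliance, note = evaluate_security_group(item["configuration"])
    return {
        "ComplianceResourceType": item["resourceType"],
        "ComplianceResourceId": item["resourceId"],
        "ComplianceType": compliance,
        "Annotation": note,
        "OrderingTimestamp": item["configurationItemCaptureTime"],
    }


def _item(sg_id, permissions):
    # Constructed configuration item; IDs and timestamps are fictitious.
    return json.dumps({"configurationItem": {
        "resourceType": "AWS::EC2::SecurityGroup",
        "resourceId": sg_id,
        "configurationItemCaptureTime": "2024-05-03T10:00:00.000Z",
        "configuration": {"groupId": sg_id, "ipPermissions": permissions},
    }})


OPEN_SSH = _item("sg-0a1b2c3d4e5f60001", [
    {"ipProtocol": "tcp", "fromPort": 22, "toPort": 22, "ipRanges": [{"cidrIp": "0.0.0.0/0"}]},
    {"ipProtocol": "tcp", "fromPort": 443, "toPort": 443, "ipRanges": [{"cidrIp": "0.0.0.0/0"}]},
])
LOCKED_DOWN = _item("sg-0a1b2c3d4e5f60002", [
    {"ipProtocol": "tcp", "fromPort": 22, "toPort": 22, "ipRanges": [{"cidrIp": "203.0.113.0/24"}]},
    {"ipProtocol": "tcp", "fromPort": 443, "toPort": 443, "ipRanges": [{"cidrIp": "0.0.0.0/0"}]},
])
ALL_TRAFFIC_V6 = _item("sg-0a1b2c3d4e5f60003", [
    {"ipProtocol": "-1", "ipv6Ranges": [{"cidrIpv6": "::/0"}]},
])
```

Port 443 open to the world is deliberately treated as fine here; the rule is about management ports, and an "all traffic" rule (protocol -1) is flagged for every restricted port because it covers them all.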

24
Q

GuardDuty

A

Threat detection that uncovers unauthorized behavior

Uses machine learning

Built in detection for EC2, IAM, S3

Reviews CloudTrail, VPC Flow Logs, and DNS logs

Real world:

Detects unusual API calls in account
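Card 6 says CloudTrail tracks who did what when, and this card says GuardDuty reviews those trails for unusual API calls. The following is an added example (not code from the original deck, and not how GuardDuty itself works internally) of the simplest detections a security team writes over raw CloudTrail records before or alongside GuardDuty: root account activity, calls that disable logging or keys, console-login brute force, and IAM user calls from outside a trusted network. The records are constructed samples using a subset of the real CloudTrail field names; the IP ranges, user names and threshold are assumptions.

```python
import ipaddress
import json
from collections import Counter

# Constructed CloudTrail-style records (subset of the real fields; all values fictitious).
SAMPLE_EVENTS = [
    {"eventTime": "2024-05-03T10:00:01Z", "eventSource": "s3.amazonaws.com", "eventName": "ListBuckets",
     "userIdentity": {"type": "IAMUser", "userName": "alice"}, "sourceIPAddress": "203.0.113.10"},
    {"eventTime": "2024-05-03T10:02:14Z", "eventSource": "cloudtrail.amazonaws.com", "eventName": "StopLogging",
     "userIdentity": {"type": "IAMUser", "userName": "bob"}, "sourceIPAddress": "198.51.100.77"},
    {"eventTime": "2024-05-03T10:05:30Z", "eventSource": "ec2.amazonaws.com", "eventName": "RunInstances",
     "userIdentity": {"type": "Root"}, "sourceIPAddress": "198.51.100.77"},
] + [
    {"eventTime": f"2024-05-03T10:10:{s:02d}Z", "eventSource": "signin.amazonaws.com", "eventName": "ConsoleLogin",
     "userIdentity": {"type": "IAMUser", "userName": "alice"}, "sourceIPAddress": "198.51.100.77",
     "responseElements": {"ConsoleLogin": "Failure"}, "errorMessage": "Failed authentication"}
    for s in range(6)
]

TRUSTED_NETWORKS = [ipaddress.ip_network("203.0.113.0/24")]   # assumed corporate egress range
TAMPER_EVENTS = {"StopLogging", "DeleteTrail", "UpdateTrail", "DisableKey",
                 "ScheduleKeyDeletion", "DeleteFlowLogs", "DeleteDetector"}
FAILED_LOGIN_THRESHOLD = 5


def load_records(raw_log_text):
    """CloudTrail log files are JSON objects with a top-level "Records" array."""
    return json.loads(raw_log_text)["Records"]


def _from_trusted_network(ip):
    try:
        addr = ipaddress.ip_address(ip)
    except ValueError:
        return False   # AWS service principals appear as e.g. "ec2.amazonaws.com"
    return any(addr in net for net in TRUSTED_NETWORKS)


def detect(events, threshold=FAILED_LOGIN_THRESHOLD):
    """Return (kind, detail, subject) alerts for a batch of CloudTrail records."""
    alerts = []
    failed_logins = Counter()
    for ev in events:
        identity = ev["userIdentity"]
        who = identity.get("userName", identity["type"])
        ip = ev.get("sourceIPAddress", "")
        if identity["type"] == "Root":
            alerts.append(("root-activity", ev["eventName"], ip))
        if ev["eventName"] in TAMPER_EVENTS:
            alerts.append(("logging-or-key-tamper", ev["eventName"], who))
        if ev["eventName"] == "ConsoleLogin" and ev.get("responseElements", {}).get("ConsoleLogin") == "Failure":
            failed_logins[ip] += 1          # aggregated below rather than alerted one by one
        elif identity["type"] == "IAMUser" and not _from_trusted_network(ip):
            alerts.append(("untrusted-source-ip", ev["eventName"], ip))
    for ip, n in failed_logins.items():
        if n >= threshold:
            alerts.append(("console-login-bruteforce", f"{n} failures", ip))
    return alerts
```

The tamper list is the part worth keeping even once GuardDuty is enabled: an attacker who can call StopLogging or DisableKey is also removing the evidence every later detection depends on, so those events deserve a page no matter which tool sees them first.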

25
Q

Inspector

A

Works with EC2 instances to uncover and report vulnerabilities

Relies on the SSM Agent running on the instance (Inspector Classic used its own dedicated agent)

Reports vulnerabilities found

Checks access from the internet, remote root login, vulnerable software versions, etc.

Real world:

Identify unintended network access to an EC2 instance via detailed report of security findings

26
Q

Artifact

A

Offers on-demand access to AWS security and compliance reports

Central repository for compliance reports from third party auditors

Service Organization Controls (SOC) reports

Payment Card Industry (PCI) reports

Real world:

Access AWS cert for ISO compliance

27
Q

KMS

A

Create and control encryption keys (KMS keys) that never leave the service unencrypted

Generates data keys for envelope encryption of your data

AWS-managed or customer-managed keys; every key use is logged in CloudTrail

Integrated with many services (EBS, S3, RDS) so encryption is a setting rather than code you write

Real world:

Create encrypted EBS volumes

28
Q

CloudHSM

A

Hardware security module used to generate encryption keys

Dedicated hardware

Generate and manage your own encryption keys

AWS does not have access to your keys

Real world:

Meet compliance req for data security by using dedicated hardware

29
Q

Secrets Manager

A

Allows you to manage and retrieve secrets

Rotate, manage, and retrieve secrets

Encrypt secrets at rest

Integration with RDS, Redshift, and DocumentDB (built-in rotation via Lambda functions)

Real-world:

Retrieve database credentials needed for app