Security Flashcards
Permitted to conduct security assessments and penetration testing
– Amazon EC2 instances, NAT Gateways, and Elastic Load Balancers
– Amazon RDS
– Amazon CloudFront
– Amazon Aurora
– Amazon API Gateways
– AWS Lambda and Lambda Edge functions
– Amazon Lightsail resources
– Amazon Elastic Beanstalk environments
Not Permitted to conduct security assessments and penetration testing
– DNS zone walking via Amazon Route 53 Hosted Zones
– Denial of Service (DoS), Distributed Denial of Service (DDoS), Simulated DoS, Simulated DDoS
– Port flooding
– Protocol flooding
– Request flooding (login request flooding, API request flooding)
AWS Shield
AWS Shield is a managed Distributed Denial of Service (DDoS) protection service that safeguards applications running on AWS. AWS Shield provides always-on detection and automatic inline mitigations that minimize application downtime and latency, so there is no need to engage AWS Support to benefit from DDoS protection. There are two tiers of AWS Shield – Standard and Advanced.
GuardDuty
Amazon GuardDuty is a threat detection service that continuously monitors for malicious activity and unauthorized behavior to protect your AWS accounts and workloads. With the cloud, the collection and aggregation of account and network activities is simplified, but it can be time-consuming for security teams to continuously analyze event log data for potential threats. With GuardDuty, you now have an intelligent and cost-effective option for continuous threat detection in the AWS Cloud.
Cognito Identity Pool
Amazon Cognito Identity Pool provides temporary AWS credentials for users who are guests (unauthenticated) and for users who have been authenticated and received a token. An identity pool is a store of user identity data specific to your account.
CloudTrail
AWS CloudTrail is a service that enables governance, compliance, operational auditing, and risk auditing of your AWS account. With CloudTrail, you can log, continuously monitor, and retain account activity related to actions across your AWS infrastructure. CloudTrail provides event history of your AWS account activity, including actions taken through the AWS Management Console, AWS SDKs, command-line tools, and other AWS services. Creating a multi-region trail lets you keep your activity records in an S3 bucket so they are not automatically overwritten.
S3 Access Policy
Bucket policy and user policy are two of the access policy options available for you to grant permission to your Amazon S3 resources.
IAM Role
An IAM role is an IAM identity that you can create in your account that has specific permissions. An IAM role is similar to an IAM user, in that it is an AWS identity with permission policies that determine what the identity can and cannot do in AWS. However, instead of being uniquely associated with one person, a role is intended to be assumable by anyone who needs it. Also, a role does not have standard long-term credentials such as a password or access keys associated with it. Instead, when you assume a role, it provides you with temporary security credentials for your role session.
CloudTrail
AWS CloudTrail is a service that enables governance, compliance, operational auditing, and risk auditing of your AWS account. With CloudTrail, you can log, continuously monitor, and retain account activity related to actions across your AWS infrastructure. CloudTrail provides event history of your AWS account activity, including actions taken through the AWS Management Console, AWS SDKs, command-line tools, and other AWS services. This event history simplifies security analysis, resource change tracking, and troubleshooting.
KMS
AWS KMS or Key Management Service is a central repository for encryption keys in your account. It is not used to protect your network from potential security threats. KMS is useful if you have data that you need to encrypt, and you want a central location where you can manage your keys.
IAM Security Tools (Credentials, Access Advisor)
The IAM credentials report lists all of your account's users and the status of their various credentials.
The other IAM Security Tool is IAM Access Advisor. It shows the service permissions granted to a user and when those services were last accessed.
Detective
Amazon Detective makes it easy to analyze, investigate, and quickly identify the root cause of potential security issues or suspicious activities.
Security Hub
AWS Security Hub provides you with a comprehensive view of your security state within AWS and your compliance with security standards and best practices.
Inspector
Amazon Inspector is an automated security assessment service that helps improve the security and compliance of applications deployed on AWS. It helps you test the network accessibility of your Amazon EC2 instances and the security state of your applications running on the instances.
Security Token Service
AWS Security Token Service (AWS STS) is a web service that enables you to request temporary, limited-privilege credentials for AWS Identity and Access Management (IAM) users or for users that you authenticate (federated users).