Security Flashcards
Well-Architected Framework
Design principles and best practices for running workloads in the cloud, organized into these pillars:
- Operational Excellence
- Security
- Reliability
- Performance Efficiency
- Cost optimization
Operational Excellence
Example service: CodeCommit
Focuses on creating applications that effectively support production workloads.
- Plan for and anticipate failure
- Script operations as code
- Deploy smaller, reversible changes
- Learn from failure and refine
Security
Example service: CloudTrail
Focus on putting mechanisms in place that help protect your systems and data
-Automate security tasks
-encrypt data in transit and at rest
-Assign only the least privileges required
-track who did what and when
-ensure security at all application layers
Reliability
Example service: RDS
Focuses on designing systems that work consistently and recover quickly.
- Recover from failure automatically
- Scale horizontally for resilience
- Reduce idle resources
- Manage change through automation
- Test recovery procedures
Performance Efficiency
Example service: Lambda
Focuses on using computing resources efficiently to meet system and business requirements while removing bottlenecks.
- Use serverless architectures first
- Use multi-region deployments
- Delegate tasks to a cloud vendor
- Experiment with virtual resources
Cost Optimization
Example service: S3 Intelligent-Tiering
Focuses on delivering optimum and resilient solutions at the least cost to the user.
-Utilize consumption-based pricing
-Implement cloud financial management
-Measure overall efficiency
-Pay only for resources your application requires.
CodeCommit
Version control for your code, so every change is tracked; this includes the CloudFormation templates that define your infrastructure.
CloudTrail
Logs the actions (API calls) performed in your account; you can configure central logging of all of them for auditing and investigation.
RDS
You can use Multi-AZ Deployments for enhanced availability and reliability of RDS databases
Lambda
To run code with zero administration
S3 Intelligent-Tiering
automatically move your data between access tiers based on your usage patterns.
IAM
Allows you to control access to your AWS Services and resources.
- Helps secure your cloud resources
- You define who has access.
- You define what they can do
- a free global service
Identities
WHO can access your resources
- root user
- individual user
- groups
- roles
Access
WHAT resources they can access
- policies
- aws managed policies
- customer managed policies
- permissions boundaries
Authentication
Where you present your identity and provide verification
Authorization
Determines which services and resources the authenticated identity has access to.
Users
Users are entities that you create in IAM to represent the person or application needing to access your AWS resources.
Root user
Created when you first open your AWS account. It has unrestricted access, so reserve it for the few tasks that require it, such as:
- close the account
- change the account email address
- modify the support plan
Individual users
Created in IAM and used for everyday tasks, such as:
- Perform Administrative tasks
- Access application code
- Launch EC2 instances
- configure databases
Applications
You create an IAM user so you can generate access keys for an application running on-premises that needs access to your cloud resources.
Principle of least privilege
Giving a user the minimum access required to get the job done
Developers
Responsible for building applications
Project managers
Responsible for managing the budget
CLI
Command line interface.
Allows you to access resources in your AWS account from a terminal or command window. Access keys are needed when using the CLI and can be generated in IAM.
Groups
A collection of IAM users that lets you apply common access controls to all group members.
- used to group users who perform similar tasks
- access permissions apply to all members of the group
- access is assigned by attaching policies to the group; a group itself cannot assume a role
Administrators
Perform admin tasks like creating new users
Developer
Use compute and database services to build applications.
Analysts
Run budget and usage reports
Roles
Define a set of access permissions that an IAM user, application or AWS service assumes temporarily; a role has no long-term credentials of its own.
- You assume a role to perform a task in a single session.
- Assumed by any user or service that needs it.
- Access is assigned using policies
- You can grant users in one AWS account access to resources in another AWS account (cross-account access).
Policies
You manage permissions for IAM users, groups, and roles by creating a policy document in JSON format and attaching it to them. Permissions boundaries are a second policy that caps what the attached policies can grant.
Bucket policy
A resource-based policy attached directly to an Amazon S3 bucket that grants principals (IAM users, roles or other accounts) permissions on the bucket and the objects in it.
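Worked example (added here, not part of the original cards): a small evaluator for the decision logic the IAM cards above describe, covering identity-based policies, a permissions boundary and an S3 bucket policy. It is not AWS code; it models same-account evaluation in the documented order (an explicit Deny in any policy wins, a resource-based policy that names the user ARN grants access on its own, identity-based Allows only count inside the permissions boundary, and everything else is an implicit Deny). The account id, user name, bucket names and policies are constructed for the example.

```python
"""Local IAM policy evaluator (same-account only); example code, not AWS code."""
import re


def _as_list(value):
    """IAM lets Action, Resource and Statement be a single item or a list."""
    if value is None:
        return []
    return [value] if isinstance(value, (str, dict)) else list(value)


def _match(pattern, value, ignore_case):
    # IAM wildcards: '*' matches any run of characters, '?' exactly one.
    regex = "^" + re.escape(pattern).replace(r"\*", ".*").replace(r"\?", ".") + "$"
    return re.match(regex, value, re.IGNORECASE if ignore_case else 0) is not None


def _principal_matches(stmt, principal_arn):
    principal = stmt.get("Principal", "*")  # identity-based policies carry no Principal
    if principal == "*":
        return True
    return principal_arn in _as_list(principal.get("AWS"))


def _decisions(policies, action, resource, principal_arn):
    """Return (allow_matched, deny_matched) over every statement in `policies`."""
    allow = deny = False
    for doc in policies:
        for stmt in _as_list(doc["Statement"]):
            if not _principal_matches(stmt, principal_arn):
                continue
            if not any(_match(p, action, True) for p in _as_list(stmt.get("Action"))):
                continue  # action names are case-insensitive
            if not any(_match(p, resource, False) for p in _as_list(stmt.get("Resource"))):
                continue  # ARNs are case-sensitive
            if stmt["Effect"] == "Deny":
                deny = True
            else:
                allow = True
    return allow, deny


def evaluate(action, resource, principal_arn, identity_policies,
             permissions_boundary=None, resource_policies=()):
    id_allow, id_deny = _decisions(identity_policies, action, resource, principal_arn)
    rb_allow, rb_deny = _decisions(resource_policies, action, resource, principal_arn)
    pb_allow, pb_deny = True, False
    if permissions_boundary is not None:
        pb_allow, pb_deny = _decisions([permissions_boundary], action, resource, principal_arn)
    if id_deny or rb_deny or pb_deny:
        return "DENY", "explicit Deny"
    if rb_allow:  # a bucket policy naming the user ARN is not limited by the boundary
        return "ALLOW", "resource-based policy"
    if not pb_allow:
        return "DENY", "outside permissions boundary"
    if id_allow:
        return "ALLOW", "identity-based policy"
    return "DENY", "implicit Deny"


# Constructed account id, user and policies for the demonstration.
DEV_ARN = "arn:aws:iam::111122223333:user/dev-alice"

DEVELOPER_POLICY = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": ["s3:GetObject", "s3:PutObject"],
     "Resource": "arn:aws:s3:::dev-bucket/*"},
    {"Effect": "Allow", "Action": "ec2:Describe*", "Resource": "*"},
    {"Effect": "Allow", "Action": "iam:CreateUser", "Resource": "*"},  # over-broad; the boundary stops it
    {"Effect": "Deny", "Action": "s3:DeleteObject", "Resource": "arn:aws:s3:::dev-bucket/*"},
]}

# Permissions boundary: the ceiling an administrator puts on anything attached to the user.
DEVELOPER_BOUNDARY = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": ["s3:*", "ec2:*"], "Resource": "*"},
]}

# Bucket policy on another team's bucket, granting this user ARN read-only access.
REPORTS_BUCKET_POLICY = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Principal": {"AWS": DEV_ARN},
     "Action": "s3:GetObject", "Resource": "arn:aws:s3:::shared-reports/*"},
]}


def run_examples():
    cases = {
        "read own bucket": ("s3:GetObject", "arn:aws:s3:::dev-bucket/app.zip"),
        "delete own bucket": ("s3:DeleteObject", "arn:aws:s3:::dev-bucket/app.zip"),
        "create IAM user": ("iam:CreateUser", "*"),
        "read shared report": ("s3:GetObject", "arn:aws:s3:::shared-reports/q1.csv"),
        "write shared report": ("s3:PutObject", "arn:aws:s3:::shared-reports/q1.csv"),
        "describe instances": ("ec2:DescribeInstances", "*"),
    }
    return {name: evaluate(action, res, DEV_ARN, [DEVELOPER_POLICY],
                           DEVELOPER_BOUNDARY, [REPORTS_BUCKET_POLICY])
            for name, (action, res) in cases.items()}


if __name__ == "__main__":
    for name, (decision, reason) in run_examples().items():
        print(f"{name:22} {decision:5} ({reason})")
```

The "create IAM user" case is the one to notice: the attached policy allows it, but the permissions boundary does not, so the request is denied; the "read shared report" case shows the opposite, a bucket policy granting access the user's own policies never mention.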
IAM best practices
- Enable MFA for privileged users.
- Always implement strong password policies.
- Create individual users instead of using the root user; the root user should not be used for daily tasks.
- Use roles (instance profiles) for Amazon EC2 instances instead of storing access keys on the instance.
IAM Credential Report
Lists all users in your account and the status of their various credentials.
- Lists all users and status of passwords, access keys, and MFA devices
- used for auditing and compliance
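Worked example (added here, not part of the original cards): auditing an IAM credential report offline against the best practices listed above. The column names are the ones AWS documents for the report (the root row appears as <root_account>, and N/A, no_information and not_supported are the report's own placeholder values); the rows themselves are constructed sample data, not a real account, and the 90-day thresholds are assumptions you would tune to your own policy.

```python
"""Audit an IAM credential report CSV; example code with constructed data."""
import csv
import io
from datetime import datetime, timezone

# Constructed report: one root row and three IAM users.
REPORT_CSV = """\
user,arn,user_creation_time,password_enabled,password_last_used,password_last_changed,password_next_rotation,mfa_active,access_key_1_active,access_key_1_last_rotated,access_key_1_last_used_date,access_key_1_last_used_region,access_key_1_last_used_service,access_key_2_active,access_key_2_last_rotated,access_key_2_last_used_date,access_key_2_last_used_region,access_key_2_last_used_service,cert_1_active,cert_1_last_rotated,cert_2_active,cert_2_last_rotated
<root_account>,arn:aws:iam::111122223333:root,2022-01-10T09:00:00+00:00,not_supported,2024-05-20T08:00:00+00:00,not_supported,not_supported,false,true,2022-01-10T09:05:00+00:00,2024-05-20T08:00:00+00:00,us-east-1,iam,false,N/A,N/A,N/A,N/A,false,N/A,false,N/A
alice,arn:aws:iam::111122223333:user/alice,2023-03-01T10:00:00+00:00,true,2024-05-31T07:00:00+00:00,2024-05-01T07:00:00+00:00,2024-07-30T07:00:00+00:00,true,true,2024-05-02T07:00:00+00:00,2024-05-30T12:00:00+00:00,eu-west-1,s3,false,N/A,N/A,N/A,N/A,false,N/A,false,N/A
bob,arn:aws:iam::111122223333:user/bob,2023-06-15T10:00:00+00:00,true,2024-05-29T07:00:00+00:00,2024-02-01T07:00:00+00:00,2024-05-01T07:00:00+00:00,false,false,N/A,N/A,N/A,N/A,false,N/A,N/A,N/A,N/A,false,N/A,false,N/A
deploy-bot,arn:aws:iam::111122223333:user/deploy-bot,2023-01-05T10:00:00+00:00,false,N/A,N/A,N/A,false,true,2023-11-14T00:00:00+00:00,2024-01-03T00:00:00+00:00,us-west-2,ecr,false,N/A,N/A,N/A,N/A,false,N/A,false,N/A
"""

MAX_KEY_AGE_DAYS = 90   # assumed rotation policy
MAX_IDLE_DAYS = 90      # assumed "remove unused credentials" threshold


def _parse_time(value):
    """Report timestamps are ISO 8601; the placeholder strings mean 'no value'."""
    if value in ("N/A", "no_information", "not_supported", ""):
        return None
    return datetime.fromisoformat(value)


def _days_since(value, as_of):
    stamp = _parse_time(value)
    return None if stamp is None else (as_of - stamp).days


def audit_credential_report(report_csv, as_of):
    """Return (user, severity, finding) tuples; `as_of` fixes 'now' so results are reproducible."""
    findings = []
    for row in csv.DictReader(io.StringIO(report_csv)):
        user = row["user"]
        if user == "<root_account>":
            if row["mfa_active"] != "true":
                findings.append((user, "CRITICAL", "root user has no MFA device"))
            for n in (1, 2):
                if row[f"access_key_{n}_active"] == "true":
                    findings.append((user, "CRITICAL", f"root user has active access_key_{n}; delete it"))
            continue
        # Console users: a password without MFA is one stolen credential away from the account.
        if row["password_enabled"] == "true" and row["mfa_active"] != "true":
            findings.append((user, "HIGH", "console password enabled without MFA"))
        for n in (1, 2):
            if row[f"access_key_{n}_active"] != "true":
                continue
            age = _days_since(row[f"access_key_{n}_last_rotated"], as_of)
            if age is not None and age > MAX_KEY_AGE_DAYS:
                findings.append((user, "MEDIUM", f"access_key_{n} last rotated {age} days ago"))
            idle = _days_since(row[f"access_key_{n}_last_used_date"], as_of)
            if idle is None:
                findings.append((user, "LOW", f"access_key_{n} has never been used"))
            elif idle > MAX_IDLE_DAYS:
                findings.append((user, "LOW", f"access_key_{n} unused for {idle} days"))
    return findings


AS_OF = datetime(2024, 6, 1, tzinfo=timezone.utc)  # fixed reference date for the sample

if __name__ == "__main__":
    for user, severity, text in audit_credential_report(REPORT_CSV, AS_OF):
        print(f"{severity:8} {user:15} {text}")
```

On the sample, alice (MFA on, key rotated and used recently) produces nothing; the root row produces two critical findings, bob's password-without-MFA one high finding, and the stale deploy-bot key a medium and a low finding.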
Firewall
prevent unauthorized access to your networks by inspecting incoming and outgoing traffic against security rules you’ve defined.
WAF
Web application firewall.
Protects web applications against common attack patterns in HTTP traffic.
-Protects against SQL injection
-Protects against cross-site scripting
IRL: To protect a web application running on EC2, attach WAF to the Application Load Balancer in front of the instances (WAF does not run on the instance itself). You can also attach WAF to a CloudFront distribution as part of your CDN so malicious traffic is blocked at the edge before it reaches your origin.
DDoS
Distributed denial of service.
A DDoS attack floods a website or web application with traffic from many sources in an attempt to exhaust its resources and take it offline.
Shield
A managed DDoS protection service.
- Always-on detection
- Shield Standard is free
- Shield Advanced is a paid service
Shield Standard
Provides free protection against the most common, frequently occurring attacks.
Shield Advanced
Provides enhanced protections and 24/7 access to AWS experts for a fee
DDoS protection via Shield Advanced is supported on several services:
- CloudFront
- Route 53
- Elastic Load Balancing
- AWS Global Accelerator
Macie
Helps discover and protect sensitive data.
- Uses machine learning
- Evaluates your S3 environment
- Uncovers PII (personally identifiable information)
Config
Allows you to assess, audit, and evaluate the configurations of your resources.
- Tracks configuration changes over time
- Delivers a configuration history file to S3
- Notifies you via SNS of every configuration change
- Records configuration changes on your EC2 instances: network, software and OS configuration changes and system-level updates
GuardDuty
An intelligent threat detection service that uncovers unauthorized or malicious behavior.
-Uses machine learning
-Built-in detection for EC2, S3, and IAM
-Analyzes CloudTrail, VPC Flow Logs, and DNS logs
IRL: its anomaly detection evaluates the API requests in your account and identifies events associated with common techniques used by attackers.
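Worked example (added here, not part of the original cards): detection rules run over CloudTrail-style records, the kind of "who did what and when" analysis the CloudTrail card describes and that GuardDuty automates. The records are constructed, using the field names CloudTrail actually emits (eventName, eventSource, userIdentity, additionalEventData.MFAUsed, errorCode); the rules are well-known checks (root activity, console sign-in without MFA, trail tampering, access keys minted for another user, bursts of AccessDenied errors), not GuardDuty's proprietary findings. Account id, principals, IP address and thresholds are assumptions.

```python
"""Detection rules over constructed CloudTrail records; example code, not AWS code."""
from collections import defaultdict
from datetime import datetime


def _rec(time, name, source, identity, **extra):
    """Build a minimal CloudTrail record; `extra` supplies optional top-level fields."""
    rec = {"eventVersion": "1.08", "eventTime": time, "eventName": name,
           "eventSource": source, "awsRegion": "us-east-1",
           "sourceIPAddress": "203.0.113.10", "userIdentity": identity,
           "recipientAccountId": "111122223333"}
    rec.update(extra)
    return rec


# Constructed principals.
ROOT = {"type": "Root", "arn": "arn:aws:iam::111122223333:root", "accountId": "111122223333"}
ALICE = {"type": "IAMUser", "arn": "arn:aws:iam::111122223333:user/alice", "userName": "alice"}
BOB = {"type": "IAMUser", "arn": "arn:aws:iam::111122223333:user/bob", "userName": "bob"}

# Constructed sample trail.
SAMPLE_EVENTS = [
    _rec("2024-06-01T08:00:00Z", "ConsoleLogin", "signin.amazonaws.com", ROOT,
         responseElements={"ConsoleLogin": "Success"}, additionalEventData={"MFAUsed": "No"}),
    _rec("2024-06-01T08:05:00Z", "ConsoleLogin", "signin.amazonaws.com", ALICE,
         responseElements={"ConsoleLogin": "Success"}, additionalEventData={"MFAUsed": "Yes"}),
    _rec("2024-06-01T08:10:00Z", "StopLogging", "cloudtrail.amazonaws.com", BOB,
         requestParameters={"name": "org-trail"}),
    _rec("2024-06-01T08:11:00Z", "CreateAccessKey", "iam.amazonaws.com", BOB,
         requestParameters={"userName": "alice"}),
    _rec("2024-06-01T09:00:00Z", "DescribeInstances", "ec2.amazonaws.com", ALICE),
] + [
    _rec(f"2024-06-01T09:{m:02d}:00Z", "GetObject", "s3.amazonaws.com", BOB,
         errorCode="AccessDenied", errorMessage="Access Denied")
    for m in range(10, 22)  # 12 denied calls inside 12 minutes
]

TAMPERING = {"StopLogging", "DeleteTrail", "UpdateTrail"}
DENIED_CODES = {"AccessDenied", "UnauthorizedOperation", "Client.UnauthorizedOperation"}
DENIED_THRESHOLD = 10   # assumed
DENIED_WINDOW_MIN = 15  # assumed


def detect(events):
    """Return (severity, title, eventName, principal_arn) findings."""
    findings = []
    denied = defaultdict(list)
    for e in events:
        ident = e["userIdentity"]
        who = ident.get("arn", "?")
        if ident.get("type") == "Root" and "invokedBy" not in ident:
            findings.append(("HIGH", "root user activity", e["eventName"], who))
        if (e["eventName"] == "ConsoleLogin"
                and e.get("responseElements", {}).get("ConsoleLogin") == "Success"
                and e.get("additionalEventData", {}).get("MFAUsed") != "Yes"):
            findings.append(("HIGH", "console sign-in without MFA", e["eventName"], who))
        if e["eventSource"] == "cloudtrail.amazonaws.com" and e["eventName"] in TAMPERING:
            findings.append(("CRITICAL", "CloudTrail logging changed", e["eventName"], who))
        if e["eventName"] == "CreateAccessKey":
            # userName in requestParameters is the key's owner; absent means the caller itself.
            target = e.get("requestParameters", {}).get("userName", ident.get("userName"))
            if target != ident.get("userName"):
                findings.append(("HIGH", f"access key created for another user ({target})",
                                 e["eventName"], who))
        if e.get("errorCode") in DENIED_CODES:
            denied[who].append(datetime.strptime(e["eventTime"], "%Y-%m-%dT%H:%M:%SZ"))
    # Sliding window of denied calls per principal: enumeration with stolen or over-used keys.
    for who, times in denied.items():
        times.sort()
        start = 0
        for end, t in enumerate(times):
            while (t - times[start]).total_seconds() > DENIED_WINDOW_MIN * 60:
                start += 1
            if end - start + 1 >= DENIED_THRESHOLD:
                findings.append(("MEDIUM", f"{end - start + 1} AccessDenied errors within "
                                 f"{DENIED_WINDOW_MIN} min", "AccessDenied", who))
                break
    return findings


if __name__ == "__main__":
    for sev, title, event, who in detect(SAMPLE_EVENTS):
        print(f"{sev:8} {title:48} {event:16} {who}")
```

Alice's MFA-backed sign-in and her DescribeInstances call produce nothing; the root sign-in is flagged twice (root use and no MFA), and bob is flagged for stopping the trail, minting a key for alice, and the AccessDenied burst.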
Inspector
Works with EC2 instances to uncover and report vulnerabilities.
-Uses an agent installed on EC2 instances (Inspector Classic works only with EC2 instances)
-Reports the vulnerabilities found
-Checks network reachability from the internet, remote root login, and vulnerable software versions
IRL: has several built-in rules packages to assess your EC2 instances, find vulnerabilities and report them prioritized by severity.
Artifact
Offers on-demand access to AWS security and compliance reports.
-Central repository for compliance reports from third-party auditors.
-Service Organization Controls (SOC) reports
-Payment Card Industry (PCI) reports
IRL: provides a central repository for AWS's security and compliance reports via a self-service portal.
Cognito
Helps you control access to mobile and web applications.
-provides authentication and authorization.
-Helps you manage users
-Assist with user sign up and sign in to mobile or web app.
IRL: provides functionality that allows your users to sign in to your application through social identity providers such as Facebook or Google.
Data in transit (in flight)
Data that is moving from one location to another, for example over a network.
Data at rest
Data that is inactive or stored for later use, for example on a disk or in S3.
KMS
Key Management Service (KMS).
Allows you to generate, store and control the use of encryption keys.
-Key generator
-Stores keys and controls who can use them through key policies
-AWS manages the underlying key infrastructure; you control the key policies
-Integrated with many services, where encryption with a KMS key is a setting you enable
IRL: When you create an encrypted Amazon EBS volume, you can specify the KMS key (formerly called a customer master key, CMK) that protects it.
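Worked example (added here, not part of the original cards): envelope encryption, which is how KMS-integrated services such as encrypted EBS volumes protect data. The master key never leaves the (simulated) key service; each object gets its own data key, which is stored wrapped next to the ciphertext, and disabling the master key strands every object encrypted under it. This is not AWS code. AWS uses AES-256-GCM; the Python standard library has no AES, so an HMAC-SHA256 counter-mode keystream with an encrypt-then-MAC tag stands in for the AEAD here. That construction is for illustration only; use a vetted library in real code.

```python
"""Envelope encryption with a simulated key service; example code, not AWS code."""
import hashlib
import hmac
import secrets


def _subkeys(key):
    """Derive separate encryption and MAC keys from one 32-byte key."""
    return (hmac.new(key, b"enc", hashlib.sha256).digest(),
            hmac.new(key, b"mac", hashlib.sha256).digest())


def _keystream(key, nonce, length):
    out, counter = b"", 0
    while len(out) < length:
        out += hmac.new(key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return out[:length]


def _tag(mac_key, nonce, aad, ct):
    # Length-prefix the associated data so aad/ciphertext boundaries are unambiguous.
    return hmac.new(mac_key, nonce + len(aad).to_bytes(4, "big") + aad + ct, hashlib.sha256).digest()


def aead_encrypt(key, plaintext, aad=b""):
    """Stand-in AEAD (not AES-GCM): nonce || ciphertext || tag."""
    enc_key, mac_key = _subkeys(key)
    nonce = secrets.token_bytes(12)
    ct = bytes(a ^ b for a, b in zip(plaintext, _keystream(enc_key, nonce, len(plaintext))))
    return nonce + ct + _tag(mac_key, nonce, aad, ct)


def aead_decrypt(key, blob, aad=b""):
    enc_key, mac_key = _subkeys(key)
    nonce, ct, tag = blob[:12], blob[12:-32], blob[-32:]
    if not hmac.compare_digest(tag, _tag(mac_key, nonce, aad, ct)):
        raise ValueError("authentication failed: wrong key or tampered ciphertext")
    return bytes(a ^ b for a, b in zip(ct, _keystream(enc_key, nonce, len(ct))))


class KeyService:
    """Simulated KMS: holds master keys, hands out data keys, never the master key itself."""

    def __init__(self):
        self._master, self._enabled = {}, {}

    def create_key(self):
        key_id = secrets.token_hex(8)  # KMS uses a UUID; a hex id stands in
        self._master[key_id] = secrets.token_bytes(32)
        self._enabled[key_id] = True
        return key_id

    def disable_key(self, key_id):
        self._enabled[key_id] = False

    def _check(self, key_id):
        if not self._enabled.get(key_id, False):
            raise PermissionError(f"key {key_id} is disabled or does not exist")

    def generate_data_key(self, key_id):
        """Like GenerateDataKey: returns (plaintext data key, data key wrapped under the master key)."""
        self._check(key_id)
        data_key = secrets.token_bytes(32)
        wrapped = key_id.encode() + b":" + aead_encrypt(self._master[key_id], data_key, aad=key_id.encode())
        return data_key, wrapped

    def decrypt_data_key(self, wrapped):
        """Like Decrypt: the key id travels inside the wrapped blob, so the caller need not know it."""
        key_id, blob = wrapped.split(b":", 1)
        self._check(key_id.decode())
        return aead_decrypt(self._master[key_id.decode()], blob, aad=key_id)


def encrypt_object(kms, key_id, plaintext):
    """Client side (what EBS or S3 does for you): one fresh data key per object."""
    data_key, wrapped = kms.generate_data_key(key_id)
    ciphertext = aead_encrypt(data_key, plaintext)
    return {"wrapped_key": wrapped, "ciphertext": ciphertext}  # only the wrapped copy is stored


def decrypt_object(kms, envelope):
    data_key = kms.decrypt_data_key(envelope["wrapped_key"])  # needs kms:Decrypt on that key
    return aead_decrypt(data_key, envelope["ciphertext"])


def demo():
    kms = KeyService()
    key_id = kms.create_key()
    envelope = encrypt_object(kms, key_id, b"customer record 42")
    recovered = decrypt_object(kms, envelope)
    kms.disable_key(key_id)  # disabling the KMS key strands every envelope under it
    try:
        decrypt_object(kms, envelope)
        stranded = False
    except PermissionError:
        stranded = True
    return recovered, stranded


if __name__ == "__main__":
    print(demo())
```

Two properties worth checking against the code: the application only ever handles data keys, so kms:Decrypt on the master key is the real access control, and flipping a single bit of a stored envelope makes decryption fail closed rather than return garbage.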
CloudHSM
A hardware security module (HSM) service that lets you generate and use encryption keys on dedicated hardware.
-Dedicated, single-tenant hardware for security
-Generate and manage your own encryption keys
-AWS does not have access to your keys
IRL: helps you meet corporate, contractual, and regulatory compliance requirements for data security by using dedicated hardware in the cloud.
Secrets Manager
Allows you to store, manage and retrieve secrets (passwords or keys).
-Rotate, manage and retrieve secrets
-Encrypts secrets at rest
-Integrates with services like RDS, Redshift and DocumentDB for automatic rotation
IRL: your application retrieves database credentials with a call to the Secrets Manager API, removing the need to hardcode sensitive information in plain text in your application code.
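Worked example (added here, not part of the original cards): why rotation through Secrets Manager keeps an application working while a hardcoded password breaks. It is not AWS code; it models the staging labels the real service uses (AWSCURRENT, AWSPENDING, AWSPREVIOUS) and the four steps a rotation Lambda performs (createSecret, setSecret, testSecret, finishSecret) against a fake database. The version ids, the generated password format and the rollback on a failed test are simplifications; the real service retries the rotation function rather than rolling back.

```python
"""Secrets Manager style rotation against a fake database; example code, not AWS code."""
import secrets
import string


class FakeDatabase:
    """Stands in for RDS: exactly one password is valid at a time."""

    def __init__(self, password):
        self._password = password

    def set_password(self, new_password):
        self._password = new_password

    def connect(self, password):
        if password != self._password:
            raise ConnectionRefusedError("authentication failed")
        return "connected"


class SecretsManager:
    """Secret versions plus staging labels that point at a version, like the real service."""

    def __init__(self, current_value):
        self.versions = {"v1": current_value}       # real version ids are UUIDs
        self.labels = {"AWSCURRENT": "v1"}

    def get_secret_value(self, stage="AWSCURRENT"):
        return self.versions[self.labels[stage]]

    def put_secret_value(self, value, stage):
        version_id = f"v{len(self.versions) + 1}"
        self.versions[version_id] = value
        self.labels[stage] = version_id
        return version_id


def rotate(sm, db, test_ok=True):
    """The rotation function's four steps; returns (step reached, value of AWSCURRENT afterwards)."""
    # createSecret: stage a candidate under AWSPENDING; AWSCURRENT is untouched.
    alphabet = string.ascii_letters + string.digits
    new_password = "".join(secrets.choice(alphabet) for _ in range(24))
    pending = sm.put_secret_value(new_password, "AWSPENDING")
    # setSecret: push the pending password into the database.
    db.set_password(new_password)
    # testSecret: prove the pending credential works before promoting it.
    try:
        if not test_ok:
            raise ConnectionRefusedError("simulated test failure")
        db.connect(sm.get_secret_value("AWSPENDING"))
    except ConnectionRefusedError:
        db.set_password(sm.get_secret_value("AWSCURRENT"))  # simplified rollback; AWSCURRENT stays valid
        return "testSecret failed", sm.get_secret_value("AWSCURRENT")
    # finishSecret: promote AWSPENDING to AWSCURRENT; the old value becomes AWSPREVIOUS.
    sm.labels["AWSPREVIOUS"] = sm.labels["AWSCURRENT"]
    sm.labels["AWSCURRENT"] = pending
    del sm.labels["AWSPENDING"]
    return "finishSecret", new_password


def app_fetching_secret(sm, db):
    """The pattern the card recommends: fetch the current value per connection."""
    return db.connect(sm.get_secret_value())


def demo():
    initial = "Initial-Pa55word"
    db = FakeDatabase(initial)
    sm = SecretsManager(initial)
    hardcoded = initial  # what a password baked into source code looks like
    step, _ = rotate(sm, db)
    fetched = app_fetching_secret(sm, db)
    try:
        db.connect(hardcoded)
        hardcoded_ok = True
    except ConnectionRefusedError:
        hardcoded_ok = False
    return step, fetched, hardcoded_ok, sm.get_secret_value("AWSPREVIOUS") == initial


if __name__ == "__main__":
    print(demo())
```

After one rotation the client that asks Secrets Manager still connects, the hardcoded copy is refused, and the old value is retained under AWSPREVIOUS; a rotation whose test step fails never moves AWSCURRENT.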
Fault tolerance
Property that enables a system to continue operating properly in the event of the failure of one or more of its components.
Firewall
Software (or hardware) that allows or blocks certain kinds of network traffic according to rules you define.
Folder
Any “subfolder” created in an S3 bucket; S3 storage is flat, so a folder is really a shared key prefix that the console displays as a folder.
High Availability
Refers to systems designed to keep operating continuously, with minimal downtime, over a long period.
organizations
Lets you centrally manage billing and access for multiple AWS accounts from one place.
Publishers
The human, alarm or event that produces the message SNS sends to a topic.
RDS
Relational Database Service.
Managed SQL database service that offers a range of database engines to choose from.
subnet
A subsection of a network that generally includes all the computers in a specific location or segment.
subscriptions
endpoints to which a topic sends messages
Topic
how you label and group different endpoints to which you send messages
Trusted advisor
Service that “advises” you and helps optimize aspects of your AWS account.
Elastic beanstalk
Service for deploying and scaling web applications and services developed with Java, .NET, PHP, Node.js and other platforms.