Security Flashcards
Coupling
Coupling defines the interdependencies or connections between components of systems
Loose coupling
Loose coupling helps reduce the risk of cascading failures between components
Loosely coupled components are connected but not dependent on one another
Tight Coupling
Components are highly dependent on each other
If one fails they all fail
Queues
Queues are used to implement loosely coupled systems
Simple Queue Service (SQS)
A message queueing service that allows you to build loosely coupled systems
Allows component-to-component communication using messages
Multiple components (or producers) can add messages to the queue
Messages are processed in an asynchronous manner
Simple Notification Service (SNS)
Send email and text messages
Publish messages to a topic
Subscribers receive messages
Allows sending of email and text from your apps
Simple Email Service
An email service that allows you to send richly formatted HTML emails from your app
Ideal choice for marketing campaigns or professional emails
Unlike SNS, SES sends HTML formatted emails
CloudWatch
A collection of services that help you monitor & observe your cloud resources
Collect metrics, logs, & events
Detect anomalies in your environment
Set alarms
Visualize logs
Can set high-resolution alarms, monitor app logs, visualize time series data, and trigger an event based on a condition
CloudTrail
Tracks user activity & API calls within your account
Log and retain account activity
Track activity through the console, SDKs, and CLI
Identify which user made changes
Detect unusual activity in your account
Shared Responsibility Model
Outlines your responsibility vs. AWS’s when it comes to security and compliance
Well Architected Framework
Describes design principles & best practices for running workloads in the cloud
Identity & Access Management (IAM)
Control access to AWS services and resources
Shield
Managed distributed denial of service (DDoS) protection service
Always on detection
Shield standard is free - provides free protection against common & frequently occurring attacks
Shield advanced is paid - provides enhanced protections & 24/7 access to AWS experts
Shield DDoS Protection Supported by:
CloudFront, Route 53, Elastic Load Balancing, & AWS Global Accelerator
Web Application Firewall
WAF helps protect your web apps against common web attacks
Protects against SQL injection
Protects against cross-site scripting
Macie
Helps discover and protect sensitive data
Uses machine learning
Evaluates S3 environment
Discovers PII
Config
Allows assessment, auditing, & evaluation of config of resources
Track configuration changes over time
Delivers config history file to S3
Notifications via Simple Notification Service (SNS) of every configuration change
GuardDuty
Intelligent threat detection system that uncovers unauthorized behavior
Uses machine learning
Built in detection for EC2, S3, & IAM
Reviews CloudTrail, VPC Flow Logs & DNS logs
Great for detecting things like unusual API calls, which are a common attacker technique
Inspector
Works with EC2 instances to uncover and report vulnerabilities
Agent installed on EC2 instance
Reports vulnerabilities found
Checks access from the internet, remote root login, vulnerable software versions, etc.
Helps identify unintended network access to an EC2 instance via reporting
Artifact
Offers on demand access to AWS security & compliance reports
Central repository for compliance reports from 3rd party auditors
Service Organization Control (SOC) reports
PCI Reports
Repository for security and compliance reports via self service portal
Key Management Service (KMS)
Allows generation and storing of encryption keys
Key generator
Store and control keys
AWS manages encryption keys
Automatically enabled for certain services
Great for encrypting things like EBS storage volumes; can also specify a customer master key
CloudHSM
Hardware Security Module (HSM) used to generate encryption keys
Dedicated hardware for security
Generate & manage your own encryption keys
AWS does not have access to your keys
Great for meeting security and compliance requirements
Secrets Manager
Allows management & retrieval of secrets (passwords and keys)
Like LastPass
AWS’s Responsibility in Shared Responsibility Model
Securing their Infrastructure
Your Responsibility in the Shared Responsibility Model
Security in the Cloud
How to Report Abuse of AWS Resources
Contact the AWS Trust & Safety Team using the Report Amazon AWS Abuse form or by contacting abuse@amazonaws.com
5 Pillars: Operational Excellence
Focused on creating apps that support production workloads
Plan for & anticipate failure
Deploy smaller reversible changes
Script operations as code
Learn from failure and refine
5 Pillars: Security
Focused on putting mechanisms in place to help protect your systems & data
Automate security tasks
Assign only the least privileges
Encrypt data in transit & at rest
Track who did what & when
Ensure security at all application layers
5 Pillars: Reliability
Focused on designing systems that work consistently & recover quickly
Recover from failure automatically
Scale horizontally for resilience
Reduce idle resources
Manage change through automations
Test recovery procedures
5 Pillars: Performance Efficiency
Focused on effective use of computing resources to meet system and business requirements while removing bottlenecks
Use serverless architecture first
Use multi-region deployments
Delegate tasks to a cloud vendor
Experiment with virtual resources
5 Pillars: Cost Optimization
Focused on optimum and resilient solutions at the least cost to the user
Utilize consumption based pricing
Implement cloud financial management
Measure overall efficiency
Pay only for the resources your app requires
IAM Identities
Who can access your resources
Root user
Individual users
Groups
Roles
IAM Access
What resources they can access
Policies
AWS Managed Policies
Customer Managed Policies
Permissions Boundaries
IAM Authentication
Authentication is where you present your identity (username) and provide verification (password): Who!
IAM Authorization
Determines which services and resources the authenticated identity has access to. What!
Users
Users are entities you create in IAM that represent the person or app needing to access your resources
Applications can be users (you generate access keys for apps running on-prem that need access to your cloud resources)
You can generate access keys in IAM to access things like the AWS CLI
Principle of Least Privilege
Involves giving a user the minimum access required to get their job done
Groups
A group is a collection of IAM users that helps you apply common access controls to all group members
Policies
Manage permissions for IAM users, groups, & roles by creating a policy document in JSON format and attaching it
IAM Best Practices
1. Enable MFA for privileged users
2. Implement strong password policies
3. Create individual users instead of using root
4. Use roles for Amazon EC2 instances and apps that run on them
IAM Credential Report
Lists all users in your account & the status of their various credentials
Lists all users and status of passwords, MFA Devices & access keys
Used for auditing and compliance
Cognito
Helps control access to mobile & web apps
Provides authentication and authorization
Helps you manage users
Assists user sign up and sign in
Great for taking advantage of sign-in with Google, Facebook, etc.
Data in Flight
Data moving from one location to another
Data at Rest
Data that is inactive or stored for later use