Security Flashcards
What is the Shared Responsibility Model?
Customers – Security in the cloud
Controls the content, security of content and access to it
AWS – Security of the cloud
Controls all the physical and global infrastructure, including:
- Physical security of data centres
- Hardware and software infrastructure
- Network infrastructure
- Virtualisation infrastructure
- AWS Regions, AZs and Edge Locations
What is AWS Identity and Access Management (IAM)?
Manage access to AWS services and resources securely
Helps configure access based on your company’s specific operational and security needs
What is AWS Account Root User?
Owner of the account (e.g. owner of the coffee shop)
Should use MFA when logging in as root user
Root user shouldn’t be used for everyday tasks; instead, create an IAM user and assign permissions
What are IAM Users?
Create individual IAM users for each person who needs to access AWS
Assign the necessary permissions as users have no permissions by default
What is an IAM Policy?
A document that allows or denies permissions to AWS services
Follows the security principle of least privilege when granting permissions
What is an IAM Group?
Assign permissions to a group and add multiple users to the group for convenience
What is an IAM Role?
An identity that you can assume to gain temporary access to permissions
What is MFA?
Multi-factor authentication provides an extra layer of security for your AWS account by requiring multiple pieces of information to log in
What can AWS Organisations do?
Can centrally control permissions for the accounts in your org by using service control policies (SCPs), which restrict the AWS services that users and roles in each account can access
What is AWS Artifact?
Provides on-demand access to AWS security and compliance reports
Artifact Agreements – review, accept & manage agreements in AWS
Artifact Reports – access compliance reports on demand
What is the Customer Compliance Centre?
Contains resources to help you learn more about AWS compliance
Here you can read customer compliance stories on how they solved compliance challenges
What is a Denial of Service (DoS) Attack?
A deliberate attempt to make a website or application unavailable to users
Attackers will often overload the capacity of a website/app, denying service to legitimate users
Distributed DoS (DDoS) is when the attack comes from multiple sources
What is AWS Shield?
Protects applications against DDoS attacks.
Provides standard or advanced protection:
Shield Standard – Protects AWS customers at no cost from the most common DDoS attacks. Detects malicious traffic in real time and automatically mitigates it
Shield Advanced – Provides detailed attack diagnostics and the ability to detect and mitigate sophisticated DDoS attacks. Integrates with CloudFront, Route 53, ELB and AWS WAF
What are the additional Security Services?
AWS Key Management Service (AWS KMS)
You must ensure app data is secure in storage (encryption at rest) & when transmitted (encryption in transit)
KMS enables you to perform encryption operations by using cryptographic keys
Can specify which IAM users and roles are able to manage keys
AWS WAF
Web app firewall that lets you monitor requests that come into your web apps
Works with CloudFront and an Application Load Balancer
AWS WAF controls traffic by using a web access control list (ACL)
If you have blocked certain IP addresses in the ACL, AWS WAF denies entry
Amazon Inspector
Performs automated security assessment against your apps (basically a vulnerability scanner)
Checks deviations of security best practices, vulnerabilities, and weaknesses in EC2 instances
Amazon GuardDuty
Provides intelligent threat detection for your AWS infrastructure and resources
Continuously monitors network activity and account behaviour within your AWS environment