Security

Question 1

What is a shared responsibilty model?

Answer 1

AWS is responsible for security of the cloud: hypervisor, network, physical building.
Customers are responsible for security in the cloud: data, application, os.

Question 2

What does the security of the cloud consist of?

Answer 2

AWS controls the foundation servies - compute, storage, db, networking, data centers, infrastructure.

Question 3

What does the security in the cloud consist of?

Answer 3

workloads, platform, applications, identity, access management, os, network, firewall, client encryption, server side encryption, network traffic connection.

Question 4

What is a root user?

Answer 4

User which can do anything and control any resource in an account. Created with an account or an organization.

Question 5

What is AWS IAM?

Answer 5

Identity Access Management - creating and granting access to users.

Question 6

What is the default access for a new user created in IAM?

Answer 6

No permissions, not even to log in. Each permission needs to be granted explicitly.

Question 7

What is the principle of least privilege?

Answer 7

User is granted access only to what they need.

Question 8

What is an IAM policy?

Answer 8

A json document describing API calls user can/cannot make.

Question 9

Fields in the IAM policy json item.

Answer 9

effect: allow/deny
action: any AWS API call
resource: specific resource

Question 10

What are IAM groups?

Answer 10

They organize users that have the same policy attached to.

Question 11

What are roles?

Answer 11

roles have associated permissions and can be assumed temporarily

Question 12

What can be granted a role?

Answer 12

users, servuces, apps

Question 13

What are AWS Organizations used for?

Answer 13

This is a central location to manage multiple AWS accounts.
- manage billing
- control access
- control compliance
- control security
- share resources across AWS accounts

Question 14

Features of AWS Organizations

Answer 14

• centralized management of all AWS accounts
• consolidated billing + bulk discounts
• accounts can be grouped hierarchically - into Organizational Units
• control over AWS services and API action access

Question 15

What is SCP

Answer 15

Service Control Policy
- specify maximum permissions for member account in an organization
- restrict resources, services, API actions for users/roles in each member account

Question 16

What is an Organizational Unit (OU)

Answer 16

Groups of accounts in an organization. They group accounts which ned to access the same services and resources. Policies can be attached to OUs.

Question 17

What are two parts of AWS Artifact?

Answer 17

AWS Artifact Agreements
AWS Artifact Reports

Question 18

What is AWS Artifact Agreements used for?

Answer 18

when a customer needs to sign an agreement with AWS regarding the use of certain information throughout AWS services

Question 19

What does AWS Artifact Reports consist of?

Answer 19

Reports on compliance from third party auditors.

Question 20

What can be found in AWS compliance center?

Answer 20

• documents, whitepapers, e.g. AWS risk and security whitepaper
• compliance enabling services
• customer stories
• answers to compliance questions
• auditing security checklist
• auditor learning path

Question 21

Examples of DDoS attacks

Answer 21

• UDP flood
• HTTP level attacks
• Slow Loris attack

Question 22

What is an UDP flood? What is AWS solution for it?

Answer 22

Attacker makes a request to a service which sends a lot of data in response, but attacker gives a fake return address - address under attack.
SOLUTION:
Security Groups which only allow proper request traffic. They work on the network level, not on an instance level, so they have no way of blocking an instance, they’re shrug off by AWS region capacity.

Question 23

What is a HTTP level DDoS attack? What is AWS solution for it?

Answer 23

Many bots mimicking typical customer requests.
SOLUTION:
Elastic Load Balancing. It is scaled on a regional level, so it’s not easily overwhelmed.

Question 24

What is a Slow Loris attack? What is AWS solution for it?

Answer 24

Attacker pretends th have a very slow connection, incoming message takes long to go through, blocking other users.
SOLUTION:
Elastic Load Balancing. It transfers a message through only after it receives it in full, so the attack doesn’t affect the web service.

Question 25

What is AWS Shield with AWS WAF?

Answer 25

A tool to protect against more sophisticated attacks. A web application firewall to filter incoming traffic for the signatures of bad actors. It has ML capabilities.

Question 26

What are two levels of AWS Shield?

Answer 26

Standad
Advanced

Question 27

What does AWS Shield Standard do?

Answer 27

It applies analysis techniques to detect malicious traffic in real time.
It is applied automatically, at no cost.

Question 28

What does AWS Shield Advanced do?

Answer 28

Detailed attack diagnostics. It is a paid service.

Question 29

What are two types of encryption offered by AWS?

Answer 29

At rest and in transit.

Question 30

What is AWS KMS?

Answer 30

AWS Key Management Service - access control for encryption keys, key management (e.g. disabling).

Question 31

What is Amazon Inspector?

Answer 31

Automated security assessment against customer’s infrastructure. Helps to check on deviations from security best practices, exposure of EC2 instances, vulnerabilities, etc.

Question 32

Three parts of the Amazon Inspector

Answer 32

1. Network configuration reliability piece
2. Amazon agent (can be installed on EC2 instances)
3. Security assessment service

Question 33

What does Amazon Inspector do?

Answer 33

Lists security findings by level, with details and recommendations.

Question 34

What is Amazon Guard Duty?

Answer 34

Threat detection service.

Question 35

How does Amazon Guard Duty detect threats?

Answer 35

By analyzing a continuous stream of metadata generated from an account and network activity. It uses a list of known malicious IP addresses, anomaly detection, and ML.

Question 36

Features of Amazon Guard Duty

Answer 36

• runs independently of other services, so it doesn’t affect performance
• lists findings and recommended steps
• can be integrated with AWS lambda to remedy findings automatically