Security Flashcards
What is the shared responsibility model?
AWS is responsible for security of the cloud: hypervisor, network, physical building.
Customers are responsible for security in the cloud: data, application, os.
What does the security of the cloud consist of?
AWS controls the foundation services: compute, storage, databases, networking, data centers, infrastructure.
What does the security in the cloud consist of?
Workloads, platform, applications, identity and access management, OS, network, firewall, client-side encryption, server-side encryption, network traffic protection.
What is a root user?
The user that can do anything and control any resource in an account. It is created together with the account or the organization.
What is AWS IAM?
Identity and Access Management: the service for creating users and granting them access.
What is the default access for a new user created in IAM?
No permissions, not even to log in. Each permission needs to be granted explicitly.
What is the principle of least privilege?
A user is granted access only to what they need.
What is an IAM policy?
A JSON document describing the API calls a user can or cannot make.
Fields in an IAM policy JSON statement.
- effect: allow/deny
- action: any AWS API call
- resource: the specific resource the statement applies to
What are IAM groups?
They group users that share the same attached policies.
What are roles?
Roles have associated permissions and can be assumed temporarily.
What can be granted a role?
Users, services, apps.
What are AWS Organizations used for?
This is a central location to manage multiple AWS accounts.
- manage billing
- control access
- control compliance
- control security
- share resources across AWS accounts
Features of AWS Organizations
- centralized management of all AWS accounts
- consolidated billing + bulk discounts
- accounts can be grouped hierarchically into Organizational Units
- control over AWS services and API action access
What is an SCP?
Service Control Policy
- specifies the maximum permissions for member accounts in an organization
- restricts resources, services and API actions for users/roles in each member account
What is an Organizational Unit (OU)?
A group of accounts in an organization. OUs group accounts which need to access the same services and resources. Policies can be attached to OUs.
What are the two parts of AWS Artifact?
AWS Artifact Agreements
AWS Artifact Reports
What are AWS Artifact Agreements used for?
When a customer needs to sign an agreement with AWS regarding the use of certain information across AWS services.
What does AWS Artifact Reports consist of?
Reports on compliance from third-party auditors.
What can be found in the AWS Compliance Center?
- documents and whitepapers, e.g. the AWS risk and security whitepaper
- compliance-enabling services
- customer stories
- answers to compliance questions
- auditing security checklist
- auditor learning path
Examples of DDoS attacks
- UDP flood
- HTTP level attacks
- Slowloris attack
What is a UDP flood? What is the AWS solution for it?
The attacker makes a request to a service that sends a lot of data in response, but gives a fake return address: the address under attack.
SOLUTION:
Security groups that only allow legitimate request traffic. They operate at the AWS network level, not at the instance level, so the flood has no way of blocking an instance; it is shrugged off by the capacity of the AWS region.
What is an HTTP-level DDoS attack? What is the AWS solution for it?
Many bots mimicking typical customer requests.
SOLUTION:
Elastic Load Balancing. It is scaled on a regional level, so it’s not easily overwhelmed.
What is a Slowloris attack? What is the AWS solution for it?
The attacker pretends to have a very slow connection, so the incoming message takes a long time to go through, blocking other users.
SOLUTION:
Elastic Load Balancing. It transfers a message through only after it receives it in full, so the attack doesn’t affect the web service.
What is AWS Shield with AWS WAF?
A tool to protect against more sophisticated attacks. A web application firewall that filters incoming traffic for the signatures of bad actors. It has ML capabilities.
What are the two levels of AWS Shield?
Standard
Advanced
What does AWS Shield Standard do?
It applies analysis techniques to detect malicious traffic in real time.
It is applied automatically, at no cost.
What does AWS Shield Advanced do?
Detailed attack diagnostics. It is a paid service.
What are the two types of encryption offered by AWS?
At rest and in transit.
What is AWS KMS?
AWS Key Management Service - access control for encryption keys, key management (e.g. disabling).
What is Amazon Inspector?
Automated security assessment of a customer’s infrastructure. Helps check for deviations from security best practices, exposure of EC2 instances, vulnerabilities, etc.
Three parts of Amazon Inspector
- Network configuration reliability piece
- Amazon agent (can be installed on EC2 instances)
- Security assessment service
What does Amazon Inspector do?
Lists security findings by level, with details and recommendations.
What is Amazon GuardDuty?
Threat detection service.
How does Amazon GuardDuty detect threats?
By analyzing a continuous stream of metadata generated from an account and network activity. It uses a list of known malicious IP addresses, anomaly detection, and ML.
Features of Amazon GuardDuty
- runs independently of other services, so it doesn’t affect performance
- lists findings and recommended steps
- can be integrated with AWS Lambda to remediate findings automatically