Security Flashcards

1
Q

What is the shared responsibility model?

A

AWS is responsible for security of the cloud: hypervisor, network, physical buildings.
Customers are responsible for security in the cloud: data, applications, OS.

2
Q

What does the security of the cloud consist of?

A

AWS controls the foundation services: compute, storage, databases, networking, data centers, infrastructure.

3
Q

What does the security in the cloud consist of?

A

Workloads, platform, applications, identity and access management, OS, network, firewall, client-side encryption, server-side encryption, network traffic connection.

4
Q

What is the root user?

A

A user who can do anything and control any resource in an account. Created together with the account or organization.

5
Q

What is AWS IAM?

A

Identity and Access Management: creating users and granting them access.

6
Q

What is the default access for a new user created in IAM?

A

No permissions, not even to log in. Each permission needs to be granted explicitly.

7
Q

What is the principle of least privilege?

A

A user is granted access only to what they need.

8
Q

What is an IAM policy?

A

A JSON document describing which API calls a user can and cannot make.

9
Q

Fields in an IAM policy JSON statement

A

Effect: Allow/Deny
Action: any AWS API call
Resource: the specific resource(s) the statement applies to

10
Q

What are IAM groups?

A

They group users who should have the same policy attached, so the policy is attached to the group instead of to each user.

11
Q

What are IAM roles?

A

Roles have associated permissions and can be assumed temporarily.

12
Q

What can assume a role?

A

Users, services, apps.

13
Q

What are AWS Organizations used for?

A

This is a central location to manage multiple AWS accounts.
- manage billing
- control access
- control compliance
- control security
- share resources across AWS accounts

14
Q

Features of AWS Organizations

A

  • centralized management of all AWS accounts
  • consolidated billing + bulk discounts
  • accounts can be grouped hierarchically into Organizational Units
  • control over AWS services and API action access

15
Q

What is an SCP?

A

Service Control Policy
- specifies the maximum permissions for member accounts in an organization
- restricts the resources, services and API actions available to users/roles in each member account

16
Q

What is an Organizational Unit (OU)?

A

Groups of accounts within an organization. They group accounts which need to access the same services and resources. Policies can be attached to OUs.

17
Q

What are the two parts of AWS Artifact?

A

AWS Artifact Agreements
AWS Artifact Reports

18
Q

What is AWS Artifact Agreements used for?

A

When a customer needs to sign an agreement with AWS regarding the use of certain information throughout AWS services.

19
Q

What does AWS Artifact Reports consist of?

A

Compliance reports from third-party auditors.

20
Q

What can be found in the AWS Compliance Center?

A

  • documents and whitepapers, e.g. the AWS risk and security whitepaper
  • compliance-enabling services
  • customer stories
  • answers to compliance questions
  • auditing security checklist
  • auditor learning path

21
Q

Examples of DDoS attacks

A

  • UDP flood
  • HTTP-level attacks
  • Slowloris attack

22
Q

What is a UDP flood? What is the AWS solution for it?

A

The attacker makes a request to a service which sends a lot of data in response, but gives a fake return address: the address under attack.
SOLUTION:
Security Groups, which only allow legitimate request traffic. They work at the network level, not at the instance level, so the flood has no way of blocking an instance; it is shrugged off by AWS regional capacity.

23
Q

What is an HTTP-level DDoS attack? What is the AWS solution for it?

A

Many bots mimicking typical customer requests.
SOLUTION:
Elastic Load Balancing. It scales at the regional level, so it is not easily overwhelmed.

24
Q

What is a Slowloris attack? What is the AWS solution for it?

A

The attacker pretends to have a very slow connection, so the incoming message takes a long time to go through, blocking other users.
SOLUTION:
Elastic Load Balancing. It passes a message on only after it has received it in full, so the attack doesn't affect the web service.

25
Q

What is AWS Shield with AWS WAF?

A

A tool to protect against more sophisticated attacks: a web application firewall that filters incoming traffic for the signatures of bad actors. It has ML capabilities.

26
Q

What are the two levels of AWS Shield?

A

Standard
Advanced

27
Q

What does AWS Shield Standard do?

A

It applies analysis techniques to detect malicious traffic in real time.
It is applied automatically, at no cost.

28
Q

What does AWS Shield Advanced do?

A

Detailed attack diagnostics. It is a paid service.

29
Q

What are the two types of encryption offered by AWS?

A

At rest and in transit.

30
Q

What is AWS KMS?

A

AWS Key Management Service: access control for encryption keys and key management (e.g. disabling keys).

31
Q

What is Amazon Inspector?

A

Automated security assessment of the customer's infrastructure. Helps to check for deviations from security best practices, exposure of EC2 instances, vulnerabilities, etc.

32
Q

Three parts of Amazon Inspector

A

  1. Network configuration reachability piece
  2. Amazon Inspector agent (can be installed on EC2 instances)
  3. Security assessment service

33
Q

What does Amazon Inspector do?

A

Lists security findings by level, with details and recommendations.

34
Q

What is Amazon GuardDuty?

A

Threat detection service.

35
Q

How does Amazon GuardDuty detect threats?

A

By analyzing a continuous stream of metadata generated from account and network activity. It uses lists of known malicious IP addresses, anomaly detection, and ML.

36
Q

Features of Amazon GuardDuty

A

  • runs independently of other services, so it doesn't affect their performance
  • lists findings and recommended steps
  • can be integrated with AWS Lambda to remediate findings automatically