SECURITY Flashcards
Identity and Access Management (IAM)
IAM allows you to control access to your AWS services and resources
Web Application Firewall (WAF)
WAF helps protect your web applications against common web attacks.
Shield
Shield is a managed distributed denial of service (DDoS) protection service.
Macie
Macie helps you discover and protect sensitive data. Example: discover passport numbers stored on S3. Macie can be used to find sensitive data like passport numbers, social security numbers, and credit card numbers on S3.
Config
Config allows you to assess, audit, and evaluate the configurations of your resources. Example: identify system-level configuration changes made to your EC2 instances. Config allows you to record configuration changes within your EC2 instances. You can view network, software, and operating system (OS) configuration changes, system-level updates, and more.
GuardDuty
GuardDuty is an intelligent threat detection system that uncovers unauthorized behavior. Example: detect unusual API calls in your account. GuardDuty’s anomaly detection feature evaluates all API requests in your account and identifies events that are associated with common techniques used by attackers.
Inspector
Inspector works with EC2 instances to uncover and report vulnerabilities. Example: identify unintended network access to an EC2 instance via a detailed report of security findings. Inspector has several built-in rules that it runs against your EC2 instances to find vulnerabilities and report them, prioritized by level of severity.
Artifact
Artifact offers on-demand access to AWS Security and Compliance reports.
Key Management Service (KMS)
KMS allows you to generate and store encryption keys.
CloudHSM
CloudHSM is a hardware security module (HSM) used to generate encryption keys.
AWS Responsibility (Security of the Cloud)
- AWS Global Infrastructure: AWS is responsible for its global infrastructure elements: Regions, Edge locations, and Availability Zones.
- Building Security: AWS controls access to its data centers where your data resides.
- Networking Components: AWS maintains networking components: generators, uninterruptible power supply (UPS) systems, computer room air conditioning (CRAC) units, fire suppression systems, and more.
- Software: AWS is responsible for any managed service like RDS, S3, ECS, or Lambda, patching of host operating systems, and data access endpoints.
Customer Responsibility (Security in the Cloud)
Security in the Cloud:
- Application Data: You are responsible for managing your application data, which includes encryption options.
- Security Configuration: You are responsible for securing your account and API calls, rotating credentials, restricting internet access from your VPCs, and more.
- Patching: You are responsible for the guest operating system (OS), which includes updates and security patches.
- IAM: You are responsible for application security and access management.
- Network Traffic: You are responsible for network traffic protection, which includes security group firewall configuration.
- Installed Software: You are responsible for your application code, installed software, and more. You should frequently scan for and patch vulnerabilities in your code.
Customer Responsibility
- Firewall
- Encryption of EBS volumes
- Taking DB backups in RDS
- Ensuring data is encrypted at rest
- Patching the guest operating system for EC2
AWS
- Data center security for the physical building
- Language versions of Lambda
- Updating the firmware on the underlying EC2 hosts
- Managing the network infrastructure
- Physically destroying storage media at end of life
5 Pillars of the Well Architected Framework
- Operational Excellence
- Security
- Reliability
- Performance Efficiency
- Cost Optimization
Operational Excellence
This pillar focuses on creating applications that effectively support production workloads.
o Plan for and anticipate failure
o Script operations as code
o Deploy smaller, reversible changes
o Learn from failure and refine
Security
This pillar focuses on putting mechanisms in place that help protect your systems and data.
o Automate security tasks
o Assign only the least privileges required
o Encrypt data in transit and at rest
o Track who did what and when
o Ensure security at all application layers
Reliability
o Recover from failure automatically
o Scale horizontally for resilience
o Reduce idle resources
o Manage change through automation
o Test recovery procedures
Performance Efficiency
This pillar focuses on the effective use of computing resources to meet system and business requirements while removing bottlenecks.
o Use serverless architectures
o Use multi-region deployments
o Delegate tasks to a cloud vendor
o Experiment with virtual resources
Cost Optimization
This pillar focuses on delivering optimal and resilient solutions at the least cost to the user.
o Utilize consumption-based pricing
o Measure overall efficiency
o Implement Cloud Financial Management
o Pay only for resources your application requires.
AWS Global Accelerator
Receive real-time notifications of suspected DDoS incidents and assistance from AWS during the attack. Shield Advanced gives you notifications of DDoS attacks via CloudWatch metrics. Additionally, with Shield Advanced, you have 24/7 access to AWS experts to assist during an attack.