Security Flashcards
AWS responsibility?
Physical
Network
Hypervisor
Virtualization infrastructure
Customer responsibility?
Data
Application
OS
Permissions
Patching OS software
AWS Identity and Access Management (IAM)
enables you to manage access to AWS services and resources securely
IAM Root user
created by default; should not be shared; has the most power
MFA should be enabled
IAM Users
can be part of 0 to n groups
no permissions by default.
need permissions granted to perform actions such as:
launching an Amazon EC2 instance or creating an Amazon S3 bucket
IAM Identities
Users
Groups
Roles
IAM Group
Contains users only
IAM policy
JSON document that describes which API calls a user can and cannot make.
IAM role
an identity that you can assume to gain temporary access to permissions.
AWS organization
allows you to manage multiple AWS accounts from a central location
centralized management
bulk discounts
consolidated bills
hierarchical groupings of accounts
control over access to AWS services and API actions
you can apply SCP to whom?
Organization root
individual member account
OU (Organizational Unit)
it affects all IAM users, groups, and roles within an account
DDoS
is a deliberate attempt to make a website or application unavailable to users.
AWS Shield
no cost
AWS Shield Advanced
paid service.
provides detailed attack diagnostics
ability to detect and mitigate sophisticated DDoS attack
AWS KMS (Key Management Service)
Data at rest (lying in storage)
Data in transit (Moving from one location to another)
AWS manages the encryption key
Services that have encryption enabled by default:
CloudTrail logs
S3 Glacier
Storage Gateway