Security Flashcards
Shared responsibility model
Customer responsibility: Security in the cloud
AWS responsibility: Security of the cloud
AWS Identity and Access Management (IAM)
Manages access to AWS services and resources
Configure access based on your needs
AWS account root user
Accessed by signing in with the email address and password used to create the AWS account
Has complete access to all services and resources in the account, so protect it with MFA and do not use it for day-to-day work
Use the root user only to create your first IAM user (with permissions to create other users), then lock the root credentials away
IAM user
an identity you create in AWS, consists of a name and credentials
By default it has no permissions, you must grant the user permissions
Recommended to create individual IAM users for each person who needs to access AWS
This provides security by allowing each user to have a unique set of security credentials
IAM policies
A document that allows or denies permissions to AWS services and resources
Enables you to customize a user's level of access to resources
Follow the security principle of least privilege when granting permissions
IAM groups
Collection of IAM users
When you assign a policy to a group, all users in that group are granted permissions specified by the policy
IAM roles
Identity you can assume to gain temporary access to permissions
When someone assumes an IAM role they receive temporary credentials that carry only the role's permissions; the permissions of their own user or previous role do not carry over
AWS Organizations
Consolidates and manages multiple AWS accounts within a central location
Service control policies
Centrally control permissions for the accounts in your org
An SCP defines a guardrail, or sets limits, on the actions the account's administrator can delegate to IAM users and roles; an SCP never grants permissions on its own, it only restricts what identity policies can grant
You can apply SCPs to the organization root, an individual member account, or an organizational unit
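As an added example (not AWS code, and not the flashcards' own material), the toy evaluator below models the rules from the IAM policy, group, role and SCP cards above: a user's effective permissions are the union of the policies attached directly and through groups; an explicit Deny wins over any Allow; no matching Allow means an implicit deny; and an SCP on the account is a guardrail that can only take permissions away. The policy documents, the "Developers" group, the bucket names and the threshold values are constructed for illustration.

```python
"""Toy IAM policy evaluator (added example, not AWS code).

Models the three outcomes of AWS policy evaluation:
  1. any matching statement with Effect Deny  -> Deny (explicit deny wins)
  2. otherwise any matching Effect Allow      -> Allow
  3. otherwise                                 -> Deny (implicit deny)
plus the SCP guardrail: a request must ALSO be allowed by the account's
SCPs before identity policies are even consulted.
"""
from fnmatch import fnmatchcase


def _as_list(value):
    return value if isinstance(value, list) else [value]


def _statement_matches(stmt, action, resource):
    # IAM wildcards "*" and "?" are the same as shell-style globs, case-sensitively.
    return (any(fnmatchcase(action, a) for a in _as_list(stmt["Action"]))
            and any(fnmatchcase(resource, r) for r in _as_list(stmt.get("Resource", "*"))))


def evaluate(policies, action, resource):
    """Return 'Allow' or 'Deny' for one set of policy documents."""
    allowed = False
    for policy in policies:
        for stmt in policy["Statement"]:
            if not _statement_matches(stmt, action, resource):
                continue
            if stmt["Effect"] == "Deny":
                return "Deny"          # explicit deny overrides every Allow
            allowed = True
    return "Allow" if allowed else "Deny"  # implicit deny when nothing matched


def is_allowed(identity_policies, scps, action, resource):
    """Identity policies are the union of user and group policies.
    SCPs act as a ceiling: if they do not allow the action, nothing else matters."""
    if scps and evaluate(scps, action, resource) != "Allow":
        return False
    return evaluate(identity_policies, action, resource) == "Allow"


# --- constructed sample policies (hypothetical names and ARNs) -------------
DEVELOPERS_GROUP_POLICY = {"Statement": [
    {"Effect": "Allow", "Action": ["s3:GetObject", "s3:PutObject"],
     "Resource": "arn:aws:s3:::app-bucket/*"},
]}
# Least privilege: alice inherits the group grant but is explicitly kept out of prod/.
ALICE_USER_POLICY = {"Statement": [
    {"Effect": "Deny", "Action": "s3:PutObject",
     "Resource": "arn:aws:s3:::app-bucket/prod/*"},
]}
# Org SCP: keeps AWS's default FullAWSAccess but forbids bucket deletion account-wide.
ORG_SCPS = [{"Statement": [
    {"Effect": "Allow", "Action": "*", "Resource": "*"},
    {"Effect": "Deny", "Action": "s3:DeleteBucket", "Resource": "*"},
]}]
ACCOUNT_ADMIN_POLICY = {"Statement": [
    {"Effect": "Allow", "Action": "*", "Resource": "*"},
]}


def alice_can(action, resource):
    """Alice = her own policy + the Developers group, bounded by the org SCP."""
    return is_allowed([ALICE_USER_POLICY, DEVELOPERS_GROUP_POLICY], ORG_SCPS, action, resource)


def admin_can(action, resource):
    """Even the account administrator cannot exceed the SCP guardrail."""
    return is_allowed([ACCOUNT_ADMIN_POLICY], ORG_SCPS, action, resource)


if __name__ == "__main__":
    for who, fn, act, res in [
        ("alice", alice_can, "s3:GetObject", "arn:aws:s3:::app-bucket/dev/a.txt"),
        ("alice", alice_can, "s3:PutObject", "arn:aws:s3:::app-bucket/prod/a.txt"),
        ("alice", alice_can, "ec2:StartInstances", "*"),
        ("admin", admin_can, "s3:DeleteBucket", "arn:aws:s3:::app-bucket"),
    ]:
        print(f"{who:5} {act:20} {res:40} -> {fn(act, res)}")
```

Assuming a role would be modelled here by calling `is_allowed` with only the role's policies: the caller's own user or group policies are not passed in, which is exactly the "you take on the role's permissions, not your own" behaviour on the IAM roles card.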
AWS Artifact
provides on-demand access to AWS security and compliance reports
AWS Artifact Agreements
You can review, accept, and manage agreements for an individual account and for all your accounts in AWS organizations
Different types of agreements are offered to address the needs of customers who are subject to specific regulations
e.g. the Business Associate Addendum (BAA) for customers subject to HIPAA
AWS Artifact Reports
Provides compliance reports from third party auditors
Auditors have tested and verified that AWS is compliant with a variety of global, regional, and industry-specific standards and regulations
You can provide these audit artifacts to your auditor as evidence of AWS security controls
Customer Compliance Center
Contains resources to help you learn more about AWS compliance
Access compliance whitepapers and documentation
Distributed denial of service attack
Attack on your enterprise infrastructure
Shuts down your app's ability to function so that legitimate users cannot reach it
Bad actor overwhelms your capacity (bandwidth, connections, or server threads) to deny anyone your services
"Distributed" because the attack traffic comes from many machines around the internet, typically a botnet, rather than one source
UDP Flood
Bad actor sends requests to a UDP service (for example a public weather-data API) with a fake return address: the source IP is spoofed to be the victim's, so every response is sent to the victim, whose system gets bogged down sorting through traffic it never asked for
Solution: security groups, which only allow in the protocol and port traffic your app actually expects, so unsolicited UDP responses are dropped
HTTP Level Attacks
Requests look like real users asking for data, but it is a large number of bots sending them at a rate the app cannot serve
Slowloris Attack
Attacker opens many connections and sends each HTTP request a few bytes at a time, pretending to have a slow connection
The server keeps a thread waiting for each request to finish and can't move on to serve the next customer, so the thread pool is exhausted by a small amount of traffic
Solution: elastic load balancer, which handles the HTTP request first and waits until the entire message is complete before sending it over to the front end web server, so half-finished requests never tie up an application thread
AWS Shield
Specialized defense tools
Has machine learning capabilities that can recognize new attack patterns as they evolve
Standard:
Automatically protects all aws customers at no cost
Protects from the most common, frequently occurring types of DDoS attacks
Advanced:
Paid service provides detailed attack diagnostics, ability to detect and mitigate sophisticated ddos attacks
Integrates with other services, notably AWS WAF, to write custom rules against more sophisticated attacks
Encryption at rest
When data is idle/stored
Enabled by default on all DynamoDB table data
Integrates with AWS Key Management Service (KMS)
Encryption in transit
When data is traveling between service and client
Transport Layer Security (TLS) connections, the successor of Secure Sockets Layer (SSL), encrypt data on the wire
The service presents a certificate so the client can validate that it is talking to the genuine service and not an impostor; a client that skips this check is still encrypted but can be intercepted
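Added example (not from the flashcards, not AWS code): the two client configurations below show the difference the certificate check on the encryption-in-transit card makes. Both encrypt, but only the hardened one verifies the server's certificate chain and hostname and refuses pre-1.2 TLS. The host name and CA file parameter are placeholders.

```python
"""Weak vs hardened TLS client settings (added example).

Uses only the Python standard library.  ssl.create_default_context() loads
the system CA store and turns on certificate and hostname verification.
"""
import socket
import ssl


def insecure_context():
    """Encrypts, but trusts ANY certificate: an on-path attacker can present
    their own certificate and read the traffic.  Do not ship this."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False          # must be cleared before verify_mode
    ctx.verify_mode = ssl.CERT_NONE
    return ctx


def hardened_context(cafile=None):
    """Verifies the server's certificate chain against the system store
    (or the given CA file), checks the hostname, and refuses TLS < 1.2."""
    ctx = ssl.create_default_context(cafile=cafile)
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    return ctx


def validates_server(ctx):
    """True only if this context will actually authenticate the service."""
    return (ctx.verify_mode == ssl.CERT_REQUIRED
            and ctx.check_hostname
            and ctx.minimum_version >= ssl.TLSVersion.TLSv1_2)


def fetch_head(host, ctx, port=443, timeout=5.0):
    """Open a TLS connection and return the negotiated protocol and peer cert.
    Needs network access; with hardened_context() a bad certificate raises
    ssl.SSLCertVerificationError instead of silently connecting."""
    with socket.create_connection((host, port), timeout=timeout) as raw:
        with ctx.wrap_socket(raw, server_hostname=host) as tls:  # SNI + hostname check
            tls.sendall(f"HEAD / HTTP/1.0\r\nHost: {host}\r\n\r\n".encode())
            return tls.version(), tls.getpeercert()


if __name__ == "__main__":
    for name, ctx in [("insecure", insecure_context()), ("hardened", hardened_context())]:
        print(f"{name}: validates server = {validates_server(ctx)}")
    # fetch_head("example.com", hardened_context())  # placeholder host; needs network
```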
AWS Key Management Service (KMS)
Enables you to perform encryption operations through the use of cryptographic keys
Cryptographic key: a random string of bits used for encrypting and decrypting data
Create, manage and use cryptographic keys through KMS
You choose the specific levels of access control you need for your keys
You can temporarily disable keys so that they’re no longer in use
AWS WAF
Web application firewall that lets you monitor the HTTP(S) requests that come into your web applications
Works with Amazon CloudFront and an application load balancer
Blocks or allows traffic by using a web access control list (web ACL) whose rules match signatures of bad actors (known-bad IP ranges, injection patterns, excessive request rates) to protect your resources
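Added example (not from the flashcards, not AWS code) tying the HTTP-level attack card to the AWS WAF card: a rate check of the kind a WAF rate-based rule performs, run over constructed access-log lines. It counts requests per source IP in a 5-minute sliding window and flags sources that exceed a threshold; the log line format, the IP addresses and the threshold of 10 are illustrative, not the real ALB log format or WAF's configured limits.

```python
"""HTTP-flood detection over access logs (added example).

A WAF rate-based rule blocks a source that sends more than N requests in a
5-minute window.  This reproduces that logic offline so the behaviour is
visible: a burst from one IP is flagged, steady low-rate traffic is not.
"""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Simplified, constructed line format: "<iso-timestamp> <ip>:<port> "<METHOD> <path>" <status>"
LOG_RE = re.compile(r'^(?P<ts>\S+) (?P<ip>[\d.]+):\d+ "(?P<method>[A-Z]+) (?P<path>\S+)" (?P<status>\d{3})$')


def parse(line):
    m = LOG_RE.match(line)
    if not m:
        raise ValueError(f"unparseable log line: {line!r}")
    return {"ts": datetime.fromisoformat(m["ts"]), "ip": m["ip"],
            "method": m["method"], "path": m["path"], "status": int(m["status"])}


def flood_sources(lines, limit=10, window=timedelta(minutes=5)):
    """Return {ip: peak requests seen inside one window} for every IP whose
    request count in any sliding window exceeded `limit`."""
    records = sorted((parse(l) for l in lines), key=lambda r: r["ts"])
    recent = defaultdict(deque)     # ip -> timestamps still inside the window
    flagged = {}
    for rec in records:
        q = recent[rec["ip"]]
        q.append(rec["ts"])
        while q and rec["ts"] - q[0] > window:   # evict timestamps older than the window
            q.popleft()
        if len(q) > limit:
            flagged[rec["ip"]] = max(flagged.get(rec["ip"], 0), len(q))
    return flagged


# --- constructed sample traffic (documentation IP ranges, hypothetical paths) ---
BASE = datetime(2024, 1, 1, 12, 0, 0)


def _line(ts, ip, path, status=200):
    return f'{ts.isoformat()} {ip}:51234 "GET {path}" {status}'


SAMPLE_LOG = (
    # bot: 30 requests in 30 seconds
    [_line(BASE + timedelta(seconds=i), "203.0.113.7", "/search?q=x") for i in range(30)]
    # regular user: 12 requests spread over 22 minutes (never more than 3 per 5 minutes)
    + [_line(BASE + timedelta(minutes=2 * i), "198.51.100.20", "/") for i in range(12)]
    # shopper: 5 requests in just over three minutes
    + [_line(BASE + timedelta(seconds=40 * i), "192.0.2.5", "/cart") for i in range(5)]
)


if __name__ == "__main__":
    for ip, peak in flood_sources(SAMPLE_LOG).items():
        print(f"block candidate {ip}: {peak} requests within 5 minutes")
```

The sliding window matters: the 198.51.100.20 source sends 12 requests in total, more than the threshold, but never more than three inside any 5-minute span, so a naive total count would block a legitimate user while this check does not.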
Amazon Inspector
Runs an automated security assessment against your infrastructure
Checks for deviations from security best practices, network exposure of EC2 instances, known software vulnerabilities, etc.
Run the service or retrieve findings through an API
Amazon GuardDuty
Analyzes continuous streams of metadata generated from your account and network activity, found in event and log sources such as AWS CloudTrail events, VPC Flow Logs, and DNS logs
Uses integrated threat intelligence such as known malicious IPs, anomaly detection, and machine learning to produce findings
Runs independently from your other AWS resources, so it won't affect their performance