Security Flashcards
What model do we use for security in AWS?
The shared responsibility model
What is specified in the shared responsibility model in AWS ?
The responsibilities of both AWS and the customer.
Shared Responsibility Model - Customer
Customer data
Platform, applications, Identity and Access Management (IAM)
Operating systems, and network and firewall configuration
Client-side data encryption, server-side data encryption, and networking traffic protection
Shared Responsibility Model - Amazon Web Services (AWS)
Software: Compute, storage, database, networking
Hardware: Regions, Availability Zones, Edge Locations
Software: Compute, storage, database, networking
Hardware: Regions, Availability Zones, Edge Locations
Is the responsibility of whom?
Amazon Web Services (AWS)
Customer data
Platform, applications, Identity and Access Management (IAM)
Operating systems, and network and firewall configuration
Client-side data encryption, server-side data encryption, and networking traffic protection
Is the responsibility of whom?
Customer
Which tasks are the responsibilities of customers? (Select TWO.)
Maintaining network infrastructure
Patching software on Amazon EC2 instances
Implementing physical security controls at data centers
Setting permissions for Amazon S3 objects
Maintaining servers that run Amazon EC2 instances
Patching software on Amazon EC2 instances
Setting permissions for Amazon S3 objects
When you create an AWS account, you are given ___?
AWS account root user
When are you given the AWS account root user?
When you create an AWS account
What can control any resource in the account?
The AWS account root user
What can the AWS account root user control and access?
Any resource in the account
What does MFA stand for?
Multi-factor authentication
What is the best practice when you create an AWS account?
To turn MFA on and not use the root user for everything.
What can you create in Amazon IAM?
IAM users, and later you can set up permissions for those users.
Describe the principle of least privilege:
A user is granted access only to what they need
How do you give permissions to IAM users?
With an IAM policy (a JSON document)
Describe IAM groups
You can add IAM users to a group and then attach an IAM policy to that group; by doing so, the policy applies to every user in the group.
Describe AWS IAM roles
Associated permissions (allow or deny); assumed for temporary amounts of time; no username or password (but it is similar); access to temporary permissions; can be assumed by AWS resources, users, external identities, applications, or other AWS resources
AWS Identity and Access Management (IAM) abbreviation
AWS IAM
What is AWS Organizations?
A central location to manage multiple AWS accounts
Characteristics of AWS Organizations
Centralized management
Consolidated billing
Hierarchical groupings of accounts
AWS service and API actions access control
In AWS Organizations, you can centrally control permissions for the accounts in your organization by using what service? It also enables you to place restrictions on the AWS services, resources, and individual API actions that users and roles in each account can access.
service control policies (SCPs)
What are service control policies (SCPs) used for?
In AWS Organizations, you can centrally control permissions for the accounts in your organization by using service control policies (SCPs). SCPs also enable you to place restrictions on the AWS services, resources, and individual API actions that users and roles in each account can access.
In AWS Organizations, you can group accounts into what to make it easier to manage accounts with similar business or security requirements?
organizational units (OUs)
What does AWS Artifact provide?
AWS Artifact is a service that provides on-demand access to AWS security and compliance reports and select online agreements. AWS Artifact consists of two main sections: AWS Artifact Agreements and AWS Artifact Reports.
A service that provides on-demand access to AWS security and compliance reports and select online agreements?
AWS Artifact
Which tasks can you complete in AWS Artifact? (Select TWO.)
Access AWS compliance reports on-demand.
Consolidate and manage multiple AWS accounts within a central location.
Create users to enable people and applications to interact with AWS services and resources.
Set permissions for accounts by configuring service control policies (SCPs).
Review, accept, and manage agreements with AWS.
Access AWS compliance reports on-demand.
Review, accept, and manage agreements with AWS.
What is DDoS?
Distributed denial-of-service
What service protects applications against DDoS attacks and provides two levels of protection: Standard and Advanced?
AWS Shield
Describe AWS Shield
AWS Shield is a service that protects applications against DDoS attacks. AWS Shield provides two levels of protection: Standard and Advanced.
Describe Encryption
Securing a message or data in a way that only authorized parties can access it
AWS Key Management Service abbreviation?
AWS KMS
What does AWS KMS stand for?
AWS Key Management Service
Describe Amazon Inspector
Improves the security and compliance of your AWS-deployed apps by running an automated security assessment against your infrastructure. It checks for security best practices.
It checks applications for security vulnerabilities and deviations from security best practices, such as open access to Amazon EC2 instances and installations of vulnerable software versions.
After Amazon Inspector has performed an assessment, it provides you with a list of security findings. The list prioritizes by severity level, including a detailed description of each security issue and a recommendation for how to fix it.
What service consists of the following three parts:
Network configuration reachability piece
Amazon agent
Security assessment service
Amazon Inspector
Amazon Inspector is composed of three parts; which are they?
Network configuration reachability piece
Amazon agent
Security assessment service
Describe Amazon GuardDuty
It analyzes continuous streams of metadata generated from your account and network activity (found in AWS CloudTrail events, Amazon VPC Flow Logs, and DNS logs).
It identifies threats by continuously monitoring the network activity and account behavior within your AWS environment.
If GuardDuty detects any threats, you can review detailed findings about them from the AWS Management Console. Findings include recommended steps for remediation. You can also configure AWS Lambda functions to take remediation steps automatically in response to GuardDuty’s security findings.
What is AWS KMS used for?
You can use AWS KMS to create, manage, and use cryptographic keys. You can also control the use of keys across a wide range of services and in your applications.
What is AWS WAF (web application firewall)?
A web application firewall that lets you monitor network requests that come into your web applications. (It uses a web access control list (ACL) to protect AWS resources.)
Which statement best describes an IAM policy?
An authentication process that provides an extra layer of protection for your AWS account
A document that grants or denies permissions to AWS services and resources
An identity that you can assume to gain temporary access to permissions
The identity that is established when you first create an AWS account
A document that grants or denies permissions to AWS services and resources
An employee requires temporary access to create several Amazon S3 buckets. Which option would be the best choice for this task?
AWS account root user
IAM group
IAM role
Service control policy (SCP)
IAM role
Which statement best describes the principle of least privilege?
Adding an IAM user into at least one IAM group
Checking a packet’s permissions against an access control list
Granting only the permissions that are needed to perform specific tasks
Performing a denial of service attack that originates from at least one device
Granting only the permissions that are needed to perform specific tasks
Which service helps protect your applications against distributed denial-of-service (DDoS) attacks?
Amazon GuardDuty
Amazon Inspector
AWS Artifact
AWS Shield
AWS Shield
Which task can AWS Key Management Service (AWS KMS) perform?
Configure multi-factor authentication (MFA).
Update the AWS account root user password.
Create cryptographic keys.
Assign permissions to users and groups.
Create cryptographic keys.