Security Flashcards
What is the AWS shared responsibility model
AWS controls security of the cloud and customers control security in the cloud
What is AWS Identity and Access Management (IAM)
enables you to manage access to AWS services and resources securely.
What is the AWS account root user
It has complete access to all the AWS services and resources in the account
What are the best practices for using the Root User account
-Do not use the root user for everyday tasks
-Use the root user to create your first IAM user and assign it permissions to create other users
-Continue to create other IAM users, and access those identities for performing regular tasks throughout AWS
-Only use the root user when you need to perform a limited number of tasks that are only available to the root user
What is an IAM user
an identity that you create in AWS
What are the permissions associated by default when you create a new IAM user in AWS
no permissions associated with it.
What is the best practice when creating IAM users in AWS
create individual IAM users for each person who needs to access AWS
What is an IAM policy
a document that allows or denies permissions to AWS services and resources
What do IAM policies enable you to do
customize users’ levels of access to resources
What is the best practice when creating IAM policies
Follow the security principle of least privilege when granting permissions
What is an IAM group
a collection of IAM users
What occurs when you assign an IAM Policy to an IAM Group
all users in the group are granted permissions specified by the policy
What are IAM roles
an identity that you can assume to gain temporary access to permissions
What occurs when a user assumes an IAM role
they abandon all previous permissions that they had under a previous role and assume the permissions of the new role
What is the best practice when creating IAM Roles
ideal for situations in which access to services or resources needs to be granted temporarily, instead of long-term
What does multi-factor authentication (MFA) in IAM provide
an extra layer of security for your AWS account
What is the best practice for using MFA
enable MFA for the root user and all IAM users in your account
What is AWS Organizations
consolidate and manage multiple AWS accounts within a central location
What are service control policies (SCPs)
enable you to place restrictions on the AWS services, resources, and individual API actions that users and roles in each account can access.
What are Organizational units in AWS
a grouping of accounts that have similar business or security requirements
What happens when you apply a policy to an OU
all the accounts in the OU automatically inherit the permissions specified in the policy
Which identities and resources can SCPs be applied to
-An individual member account
-An Organizational Unit (OU)
What is AWS Artifact
a service that provides on-demand access to AWS security and compliance reports and select online agreements
AWS Artifact consists of 2 main sections
-AWS Artifact Agreement
-AWS Artifact Reports
What are AWS Artifact Agreements
review, accept, and manage agreements for an individual account and for all your accounts in AWS Organizations. Different types of agreements are offered to address the needs of customers who are subject to specific regulations
What are AWS Artifact Reports
provide compliance reports from third-party auditors. These auditors have tested and verified that AWS is compliant with a variety of global, regional, and industry-specific security standards and regulations.
What is the Customer Compliance Center
contains resources to help you learn more about AWS compliance
What is available in the Customer Compliance Center
-Read customer compliance stories
-Access compliance whitepapers and documentation
-Follow the auditor learning path
What is a Denial-of-service (DoS) attack
a deliberate attempt to make a website or application unavailable to users
What is a Distributed denial-of-service (DDoS) attack
multiple sources are used to start an attack that aims to make a website or application unavailable
What AWS service can you use to help minimize the effect of DoS and DDoS attacks
AWS Shield
What is AWS Shield
a service that protects applications against DDoS attacks
AWS Shield provides two levels of protection
-Standard
-Advanced
What is AWS Shield Standard
automatically protects all AWS customers at no cost. It protects your AWS resources from the most common, frequently occurring types of DDoS attacks
What is AWS Shield Advanced
a paid service that provides detailed attack diagnostics and the ability to detect and mitigate sophisticated DDoS attacks
What are the advantages of using AWS Shield Advanced
-Integrates with other AWS services such as Amazon CloudFront, Amazon Route 53, and Elastic Load Balancing
-Can integrate AWS Shield with AWS WAF by writing custom rules to mitigate complex DDoS attacks
What is AWS Key Management Service (AWS KMS)
enables you to perform encryption operations through the use of cryptographic keys
What is a cryptographic key
a random string of digits used for locking (encrypting) and unlocking (decrypting) data
What is AWS WAF
a web application firewall that lets you monitor network requests that come into your web applications
What does AWS WAF use to protect from network attacks
web access control list (ACL)
What is Amazon Inspector
a service that checks applications for security vulnerabilities and deviations from security best practices
What is Amazon GuardDuty
a service that provides intelligent threat detection for your AWS infrastructure and resources
How does Amazon GuardDuty work
Identifies threats by continuously monitoring the network activity and account behavior within your AWS environment
What can you configure to automatically take remediation steps in response to GuardDuty’s security findings
AWS Lambda functions