Security

Question 1

S3 IAM Policy

Answer 1

• • Applies to the user level
• • “User” policy
• • can create multiple users and give them the same policy or different policies
• • can not grant anonymous users
• • can attach or detach

Question 2

Bucket policy

Answer 2

• • Applies to the resource level

- - “resource-based “ policy

Question 3

Bucket permissions

Answer 3

specify:

• -who is allowed to access resources
• • what that user can do with those resources
• • full permissions to the owner of a resource
• • resource owner can grant access to others, even cross-account regardless of who owns them.

Question 4

Bucket Policies

Answer 4

• • Resource-based policy
• • Uses a JSON file attached to the resource
• • can grant other AWS accounts or IAM users permission for the bucket and objects inside.
• • should be used to manage cross-account permissions for all Amazon S3 permissions
• • limited to 20KB in size.

Question 5

ACLs

Answer 5

• • stands for access control list
• • used for both buckets and objects
• • grant read/write permissions to other AWS accounts
• • you can not grant conditional permissions
• • you cannot explicitly deny permissions
• • an object ACL is the only way to manage access to objects not owned by the bucket owner
• • use XML format

Question 6

S3 Bucket Policies

Answer 6

Resources
– used to identify resources with ARNs
Actions
– an explicit deny always overrides an explicit allow
Effect
– defines whether to allow or deny the above action
Principal
– an account or user that this policy applies to
– specific to s3 bucket policies, not user policies

Question 7

MFA

Answer 7

• • A security method that requires multiple separate authentications
• • One authentication option we have with AWS uses time-based codes

Question 8

Shared Responsibility – User responsibility

Answer 8

• • IAM(Identity and Access Management)
• • MFA
• • Password/Key Rotation
• • Access Advisor
• • Trusted Advisor
• • Security Groups
• • ACL(resource-based policies)
• -VPC

Question 9

AWS responsibility

Answer 9

• • Physical server level and below
• • Physical environment security and protection –fire/power/climate/management
• • storage device decommissioning according to industry standards.
• • network Device Security and ACL’s
• • API access endpoints use SSL for secure communication
• • DDOS protection
• • EC2 instances cannot send spoofed data
• • Port scanning against rules even if it’s your own environment
• • personal access to facilities

Question 10

EC2 instance hypervisor isolation

Answer 10

– independent of each other.

Question 11

AWS auditing – AWS provides

Answer 11

• • information regarding their global infrastructure
• • From the host operating system and virtualization layer down to the physical security of facilities.
• • AES provides annual certifications and reports.

Question 12

AWS auditing - customer provides

Answer 12

• • anything their organization puts on(or connects to) their AWS assets.
• • examples: guest OS, apps on virtual machine instances, objects in S3, database like RDS, etc…