Security Flashcards

1
Q

Shared Responsibility Model - high level

A

You (IN) vs. AWS (OF)
IN - security IN the cloud (your data, your configuration)
OF - security OF the cloud (hardware, operation of managed services, global infrastructure)

2
Q

Shared Responsibility Model - details

A
YOU
Customer data
Platforms, Apps, IAM
OS, Network and Firewall config
Client-side data encryption, Server-side encryption, Networking traffic protection

AWS
Software (Compute, Storage, DB, Networking)
Hardware/Global Infrastructure (Region, AZ, Edge Locations)

3
Q

AWS Compliance Programs

A

A set of internal policies and procedures a company follows to comply with laws, rules, and regulations, or to uphold its business reputation.
Examples: HIPAA, PCI DSS (Payment Card Industry Data Security Standard)

4
Q

AWS Artifact

A

Free, self-service portal for on-demand access to AWS' security and compliance reports
Reports are based on global compliance frameworks

5
Q

Hardening

A

The act of eliminating as many security risks as possible

6
Q

AWS Inspector

A

Runs security benchmarks against selected EC2 instances
Can perform Network and Host Assessments
Most popular benchmark is by CIS (Center for Internet Security) - 699 checks

7
Q

AWS Inspector - Network Assessments

A

Checks whether ports are open / reachable to the internet

8
Q

AWS Inspector - Host Assessments

A

Checks the OS and applications on the instance itself

9
Q

AWS WAF

A

Web Application Firewall
You can write your own rules or use a ruleset from a trusted AWS Security Partner in the AWS WAF Rules Marketplace (cheap)
Can be attached to either CloudFront or an Application Load Balancer

10
Q

AWS WAF - write your own

A

Write your own rules to ALLOW or DENY traffic based on the contents of an HTTP request

11
Q

AWS WAF - ruleset from marketplace

A

These rulesets usually protect against the OWASP Top 10 most dangerous attacks:

1. Injection
2. Broken Authentication
3. Sensitive Data Exposure
4. XXE - XML External Entities
5. Broken Access Control
6. Security Misconfigurations
7. XSS - Cross-Site Scripting
8. Insecure Deserialization
9. Using Components with Known Vulnerabilities
10. Insufficient Logging and Monitoring

12
Q

OWASP

A

Open Web Application Security Project

13
Q

AWS Shield

A

A managed DDoS (Distributed Denial of Service) protection service that safeguards apps running on AWS

14
Q

DDoS attack

A

Distributed Denial of Service

A malicious attempt to disrupt normal traffic by flooding a website with a large volume of fake traffic from many sources

15
Q

Shield Standard

A

Free and automatically available

When you route your traffic through Route 53 or CloudFront, you are already using it

16
Q

Shield Standard attack protection types

A

Protects against layer 3, 4, and 7 attacks:
Layer 7 - Application
Layer 4 - Transport
Layer 3 - Network

17
Q

Shield Advanced

A

$3,000/year, 24/7 support, attack dashboard
Defends against large, sophisticated attacks
Covers Route 53, CloudFront, ELB, Global Accelerator, Elastic IP
Includes DDoS Cost Protection

18
Q

PenTesting

A

Penetration Testing
An authorized, simulated cyberattack on a computer system, carried out to evaluate its security
AWS defines Permitted Services and Prohibited Activities. For Other Simulated Events you must submit a request first - a reply can take up to 7 days

19
Q

PenTesting Permitted Services

A

1. EC2 instances, NAT Gateways, ELBs
2. RDS
3. CloudFront
4. Aurora
5. API Gateways
6. AWS Lambda and Lambda@Edge functions
7. Lightsail resources
8. Elastic Beanstalk environments

20
Q

PenTesting Prohibited Activities

A

Mainly: no flooding of any kind
DNS zone walking via Route 53 Hosted Zones
Denial of Service, Distributed DoS, Simulated DoS, Simulated DDoS
Port flooding
Protocol flooding
Request flooding (login request flooding, API request flooding)

21
Q

IDS / IPS

A

Intrusion Detection System / Intrusion Protection System

A device or software application that monitors a network or systems for malicious activity or policy violations

22
Q

Amazon GuardDuty

A

A threat detection service that continuously monitors for malicious or suspicious activity and unauthorized behavior.
Uses Machine Learning to analyze AWS logs (CloudTrail, VPC Flow Logs, DNS logs)
Alerts you with Findings - you can automate incident response via CloudWatch Events or with 3rd-party services

23
Q

KMS

A

Key Management Service
A managed service that helps you create and control the encryption keys used to encrypt your data.
KMS is a multi-tenant HSM (hardware security module) - highly secure
Can be enabled for many AWS services via a checkbox
Uses Envelope Encryption

24
Q

Envelope Encryption

A

Encrypting your data protects it, but you then have to protect the data key that encrypted it. Envelope encryption encrypts that data key with a master key, adding another layer of protection.

25
Q

Amazon Macie

A

A fully managed service that continuously monitors S3 data access activity and generates alerts when it detects risks.
Works by using Machine Learning to analyze your CloudTrail logs and identify your most at-risk users.

26
Q

Security Groups v NACLs

A

NACLs - firewall at the Subnet level
SGs - firewall at the Instance level
NACLs - you create both Allow and Deny rules
SGs - deny all traffic by default; you create Allow rules only

27
Q

AWS VPN

A

Virtual Private Network
Lets you establish a secure, private tunnel from your network or device into the AWS global network.
Site-to-Site VPN - on-prem network to VPC
Client VPN - users/laptops to VPC