Security Flashcards
Shared Responsibility Model - high level
You (in) v. AWS (of)
IN - security IN the cloud (data, configuration)
OF - security OF the cloud (hardware, operation of managed services, global infrastructure)
Shared Responsibility Model - details
YOU
Customer data
Platforms, Apps, IAM
OS, Network and Firewall config
Client-side data encryption, Server-side encryption, Networking traffic protection
AWS
Software (Compute, Storage, DB, Networking)
Hardware/Global Infrastructure (Region, AZ, Edge Locations)
AWS Compliance Programs
Set of internal policies and procedures of a company to comply with laws, rules, and regulations, or to uphold business reputation.
ex: HIPAA, PCI DSS (payment card industry data security standard)
AWS Artifact
Free, self-service portal for access to AWS’ security and compliance reports
Checks based on global compliance frameworks
Hardening
The act of eliminating as many security risks as possible
AWS Inspector
Runs security benchmarks v. selected EC2 instances
Can perform Network and Host Assessments
Most popular benchmark is by CIS (Center for Internet Security) - 699 checks
AWS Inspector - Network Assessments
Checks whether ports are open / reachable to the internet
AWS Inspector - Host Assessments
Checking the OS / app
AWS WAF
Web Application Firewall
Can write your own rules or use a ruleset from a trusted AWS Security Partner in the AWS WAF Rules Marketplace (cheap)
Can be attached to either CloudFront or Application Load Balancer
AWS WAF - write your own
Write your own rules to ALLOW or DENY traffic based on the contents of an HTTP request
AWS WAF - ruleset from marketplace
These rulesets usually protect v. the OWASP Top 10 most dangerous attacks:
1. Injection
2. Broken Authentication
3. Sensitive data exposure
4. XXE - XML External Entities
5. Broken Access control
6. Security misconfigurations
7. XSS - Cross Site Scripting
8. Insecure Deserialization
9. Using Components with known vulnerabilities
10. Insufficient logging and monitoring
OWASP
Open Web Application Security Project
AWS Shield
A managed DDoS (Distributed Denial of Service) protection service that safeguards apps running on AWS
DDoS attack
Distributed Denial of Service
A malicious attempt to disrupt normal traffic by flooding a website with a large amount of fake traffic
Shield Standard
Free and automatically available
When you route your traffic through Route53 or CloudFront, you are using this
Shield Standard attack protection types
Protects against layer 3, 4, and 7 attacks
Layer 7 - Application
Layer 4 - Transport
Layer 3 - Network
Shield Advanced
$3000/y, 24/7 support, dashboard
Defends v. large, sophisticated attacks
Covers Route53, CloudFront, ELB, Global Accelerator, Elastic IP
DDoS Cost Protection
PenTesting
Penetration Testing
An authorized simulated cyberattack on a computer system, to evaluate its security
There are Permitted Services and Prohibited Activities. Must submit a request for Other Simulated Events - reply can take 7 days
PenTesting Permitted Services
1. EC2 instances, NAT Gateways, ELBs
2. RDS
3. CloudFront
4. Aurora
5. API Gateways
6. AWS Lambda and Lambda@Edge functions
7. Lightsail resources
8. Elastic Beanstalk environments
PenTesting Prohibited Activities
Mainly no flooding
DNS zone walking via Route53 Hosted Zones
Denial of Service, Distributed DoS, Simulated DoS, Simulated DDoS
Port flooding
Protocol flooding
Request flooding (login request flooding, API request flooding)
IDS / IPS
Intrusion Detection System / Intrusion Protection System
Device or software app that monitors a network or systems for malicious activity or policy violations
Amazon GuardDuty
A threat detection service - continuously monitors for malicious, suspicious activity and unauthorized behavior.
Uses Machine Learning to analyze AWS logs (CloudTrail, VPC Flow, DNS)
Alerts you of Findings - can automate incident report via CloudWatch Events or with 3rd party services
KMS
Key Management Service
Managed service that helps you create and control the encryption keys used to encrypt your data.
KMS is a multi-tenant HSM (hardware security module) - highly secure
Can use with many AWS services via checkbox
Uses Envelope Encryption
Envelope Encryption
When you encrypt your data it is protected, but you then have to protect the encryption key itself. Envelope encryption encrypts your data key with a master key - an additional security layer.
Amazon Macie
Fully managed service - continuously monitors S3 data access activity and generates alerts when it detects risks.
Works by using Machine Learning to analyze your CloudTrail logs, and ID your most at-risk users.
Security Groups v NACLs
NACLs - firewall at Subnet Level
SGs - firewall at Instance Level
NACLs - You create Allow and Deny rules
SGs - deny all traffic by default; you create Allow rules.
AWS VPN
Virtual Private Network
Lets you establish a secure and private tunnel from your network/device to the AWS global network.
Site-to-Site - on-prem network to VPC
Client - users/laptops to VPC