Security Flashcards
What is the AWS Abuse team?
Team to be contacted when AWS resources are being used for abusive behavior.
What is the AWS Security team?
AWS team responsible for security of services offered by AWS.
IAM Group vs Security Group
IAM Group is a group of users with similar permissions.
Security Group is established on EC2 instance to control network traffic.
What is a NACL or ACL?
Network Access Control List – optional layer of security for VPC that acts as a firewall on subnet level.
What are Route Tables?
A route table contains a set of rules, called routes, that are used to determine where network traffic is directed.
What do Security Groups do?
Act as a firewall for associated Amazon EC2 instances, controlling both inbound and outbound traffic at the instance level.
What is the AWS Shared Responsibility Model?
A security model that defines what you (as an AWS account holder/user) and Amazon Web Services are responsible for when it comes to security and compliance.
AWS is responsible for security of the cloud, you are responsible for security in the cloud.
What aspects of Security and Compliance is AWS responsible for in the Shared Responsibility Model?
Components from the host operating system and the virtualization layer down to the physical security of the facilities in which the service operates.
What aspects of Security and Compliance are you responsible for in the Shared Responsibility Model?
Guest operating system (including updates and security patches), other associated application software, as well as the configuration of the AWS provided security group firewall.
How would the Shared Responsibility Model apply to an EC2 instance?
AWS is responsible for:
- The setup and maintenance of the physical hardware located at each AWS data center
- The physical security of the data centers (locks, keys, security guards, etc.)
- The setup and maintenance of the host virtualization software
You are responsible for:
- Network level security (Security groups & NACL’s)
- OS patches and updates
- IAM user access management
- Client and Server side data encryption
What are the AWS services with built-in DDOS attack protection/mitigation?
- Cloudfront
- Route 53
- WAF (Web Application Firewall)
- Elastic Load Balancing
- Security groups & VPC’s
What services are customers allowed to carry out security assessments/pen tests on with no prior approval required?
- Amazon EC2 instances, NAT gateways, and ELB’s
- RDS
- Cloudfront
- Aurora
- API gateways
- Lambda & Lambda edge functions
- Lightsail resources
- Elastic Beanstalk environments
What are the currently prohibited security activities?
- DNS Zone walking via Route 53 hosted zones
- DOS, DDOS, simulated DOS, simulated DDOS
- Port flooding
- Protocol flooding
- Request flooding (login request flooding, API request flooding)