Security Flashcards
What is AWS Artifact?
Self-service portal giving on-demand access to AWS-controlled compliance documents (audit reports and agreements) relevant to security and compliance
Which compliance programs does AWS have?
Reports you can download for auditors include ISO, CSA, PCI DSS (payment cards) and SOC
What is the shared responsibility model?
AWS is responsible for security of the cloud; the customer is responsible for security in the cloud
Customers retain control over which security controls they implement to protect their own content, platform, applications, systems and networks
What are examples of what the customer is responsible for with EC2?
Security groups, IAM users and permissions, patching the EC2 guest operating system, patching databases you run on EC2 yourself
What are examples of what AWS is responsible for?
Physical data centres (access control, security cameras, cabling, hardware) and patching the operating system underneath managed services such as RDS
What is the AWS WAF?
Web application firewall
Protects your web applications from common web exploits that could affect availability, compromise security, or consume excessive resources
Operates at Layer 7, inspecting application-layer (HTTP/HTTPS) traffic in front of CloudFront, an Application Load Balancer or API Gateway
What is AWS shield ?
Managed distributed denial of service (DDoS) protection service that safeguards web applications running on AWS
Provides always-on detection and automatic inline mitigations that minimise application downtime and latency, so there is no need to engage AWS Support to benefit from DDoS protection
What are the tiers of AWS shield?
Standard: free and enabled for every AWS customer; mitigates common network- and transport-layer (Layer 3/4) attacks
Advanced: paid tier that adds enhanced detection, cost protection against scaling charges caused by an attack, and 24x7 access to the AWS Shield Response Team
What is AWS inspector?
Automated security assessment service that helps improve the security and compliance of applications deployed on AWS
Automatically assesses applications for vulnerabilities or deviations from best practices
After an assessment it produces a detailed list of security findings prioritised by level of severity
These findings can be reviewed directly or as part of detailed assessment reports
What is AWS trusted advisor?
Online resource that helps you reduce cost, increase performance, and improve security by optimising your AWS environment
Provides real-time guidance to help you provision your resources following AWS best practices
Checks cover cost optimisation, performance, security and fault tolerance
What are the tiers of AWS trusted advisor?
Core checks and recommendations (available to all accounts)
Full set of Trusted Advisor checks: Business and Enterprise Support plans only
What is AWS CloudTrail?
Increases visibility into user and resource activity by recording AWS Management Console actions and API calls
You can identify which users and accounts called AWS, the source IP address from which the calls were made and when the calls occurred
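Worked example, added here and not part of the flashcard deck: a stdlib-only Python triage that reads CloudTrail records and answers exactly the three questions above (who called, from which source IP, and when), then flags the calls an incident responder looks for first: root credential use, console logins without MFA, persistence-style IAM calls, and calls from outside the networks you expect. The sample records are constructed (the field names match the real CloudTrail record format), and TRUSTED_NETWORKS and SENSITIVE_IAM_CALLS are assumptions you would tune for your own account.

```python
"""Triage CloudTrail records: who called what, from where, and when."""
import ipaddress
import json
from collections import defaultdict

# Constructed sample log (not real account data), abridged to the fields the triage reads.
SAMPLE_LOG = json.dumps({"Records": [
    {"eventTime": "2024-05-01T09:12:01Z", "eventSource": "signin.amazonaws.com",
     "eventName": "ConsoleLogin", "sourceIPAddress": "203.0.113.5",
     "userIdentity": {"type": "IAMUser", "userName": "alice", "accountId": "111122223333"},
     "additionalEventData": {"MFAUsed": "No"}},
    {"eventTime": "2024-05-01T09:15:44Z", "eventSource": "iam.amazonaws.com",
     "eventName": "CreateAccessKey", "sourceIPAddress": "203.0.113.5",
     "userIdentity": {"type": "IAMUser", "userName": "alice", "accountId": "111122223333"}},
    {"eventTime": "2024-05-01T10:02:10Z", "eventSource": "s3.amazonaws.com",
     "eventName": "GetObject", "sourceIPAddress": "10.0.12.7",
     "userIdentity": {"type": "AssumedRole", "accountId": "111122223333",
                      "arn": "arn:aws:sts::111122223333:assumed-role/app-role/i-0abc123"}},
    {"eventTime": "2024-05-01T23:40:00Z", "eventSource": "ec2.amazonaws.com",
     "eventName": "RunInstances", "sourceIPAddress": "198.51.100.77",
     "userIdentity": {"type": "Root", "accountId": "111122223333"}},
]})

# Assumed corporate / VPC ranges; anything else is treated as untrusted here.
TRUSTED_NETWORKS = [ipaddress.ip_network("10.0.0.0/8"),
                    ipaddress.ip_network("203.0.113.0/24")]
# Assumed watch-list: IAM calls that commonly appear when an attacker sets up persistence.
SENSITIVE_IAM_CALLS = {"CreateAccessKey", "CreateUser", "AttachUserPolicy",
                       "PutUserPolicy", "UpdateAssumeRolePolicy", "CreateLoginProfile"}


def principal(record):
    """Best human-readable caller name: user name, then ARN, then identity type."""
    ident = record.get("userIdentity", {})
    return ident.get("userName") or ident.get("arn") or ident.get("type", "unknown")


def from_trusted_network(source):
    """sourceIPAddress is a hostname (e.g. ec2.amazonaws.com) when an AWS service
    calls on your behalf; those are not flagged as untrusted."""
    try:
        addr = ipaddress.ip_address(source)
    except ValueError:
        return True
    return any(addr in net for net in TRUSTED_NETWORKS)


def triage(log_json):
    """Return (findings, calls_by_principal).

    findings: list of (eventTime, principal, sourceIPAddress, reason)
    calls_by_principal: principal -> [(eventTime, eventName, sourceIPAddress)]
    """
    findings = []
    calls = defaultdict(list)
    for rec in json.loads(log_json)["Records"]:
        who, ip, when = principal(rec), rec.get("sourceIPAddress", ""), rec["eventTime"]
        calls[who].append((when, rec["eventName"], ip))
        if rec.get("userIdentity", {}).get("type") == "Root":
            findings.append((when, who, ip, "root credentials used"))
        if (rec["eventName"] == "ConsoleLogin"
                and rec.get("additionalEventData", {}).get("MFAUsed") == "No"):
            findings.append((when, who, ip, "console login without MFA"))
        if rec["eventSource"] == "iam.amazonaws.com" and rec["eventName"] in SENSITIVE_IAM_CALLS:
            findings.append((when, who, ip, f"sensitive IAM call {rec['eventName']}"))
        if not from_trusted_network(ip):
            findings.append((when, who, ip, "call from outside trusted networks"))
    return findings, dict(calls)


if __name__ == "__main__":
    found, by_principal = triage(SAMPLE_LOG)
    for f in found:
        print("FINDING", *f)
    for who, events in by_principal.items():
        print(who, "->", len(events), "calls")
```

On a real trail you would feed `triage` the decompressed `.json.gz` objects CloudTrail delivers to S3 (or the same query logic as an Athena SQL statement over that bucket); the per-principal call list is what you hand to the incident owner to answer "what did this credential do".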
Is Trusted Advisor regional or global?
Global service, not regional
What is CloudWatch?
Monitors performance with host-level metrics: CPU, network, disk, status checks
What is AWS Config?
Detailed view of the configuration of AWS resources in your AWS account
Includes how the resources are related to one another and how they were configured in the past, so that you can see how configurations and relationships change over time
What are the key services provided by trusted advisor?
Cost optimisation, security, performance, fault tolerance, service limits
The full set of checks requires a Business or Enterprise Support plan
What is penetration testing?
Simulated cyber attack against your computer system to check for exploitable vulnerabilities
Which services can you penetration test without prior approval?
EC2 instances, NAT gateways, ELB, Amazon RDS, Amazon CloudFront, Amazon Aurora, Amazon API Gateway, AWS Lambda, Amazon Lightsail resources, AWS Elastic Beanstalk environments
What are prohibited activities?
1 DNS zone walking via Amazon Route 53 hosted zones
2 DoS, DDoS, and simulated DoS/DDoS
3 Port flooding
4 Protocol flooding
5 Request flooding (login request flooding, API request flooding)
What is AWS KMS?
Key Management Service
Regional service for secure key management and encryption/decryption
Manages KMS keys (formerly called customer master keys, CMKs)
Ideal for protecting S3 objects, database passwords, API keys and other small secrets
Encrypt/Decrypt API calls accept at most 4 KB of data directly; larger data is encrypted locally with a data key that KMS generates and wraps (envelope encryption)
Integrated with most AWS services
KMS runs on shared (multi-tenant) hardware
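Worked example of the 4 KB point, added here and not part of the flashcard deck: envelope encryption asks KMS for a data key, encrypts the bulk data locally, and stores only the KMS-wrapped data key next to the ciphertext, so the only bytes that ever pass through KMS are the key itself. `FakeKMS` is a constructed in-memory stand-in with the same call shapes as a boto3 KMS client (`generate_data_key`, `encrypt`, `decrypt`, including the 4096-byte limit); pass `boto3.client("kms")` in its place for a real account. The local cipher (`_seal`/`_open`) is an HMAC-SHA256 counter-mode keystream with an encrypt-then-MAC tag, used only to keep the example standard-library-only; in production encrypt the body with AES-GCM (for example `cryptography`'s `AESGCM`) under the data key.

```python
"""Envelope encryption: why KMS's 4 KB Encrypt/Decrypt limit does not limit your data."""
import hashlib
import hmac
import os
import struct

KMS_DIRECT_LIMIT = 4096  # bytes of plaintext the real Encrypt/Decrypt APIs accept


def _keystream_xor(key, nonce, data):
    """XOR data with HMAC(key, nonce || counter) blocks (stdlib stand-in for a stream cipher)."""
    out = bytearray()
    for i in range(0, len(data), 32):
        block = hmac.new(key, nonce + struct.pack(">Q", i // 32), hashlib.sha256).digest()
        out += bytes(a ^ b for a, b in zip(data[i:i + 32], block))
    return bytes(out)


def _seal(key, plaintext):
    """nonce || ciphertext || tag, with separate derived encryption and MAC keys."""
    enc_key = hmac.new(key, b"enc", hashlib.sha256).digest()
    mac_key = hmac.new(key, b"mac", hashlib.sha256).digest()
    nonce = os.urandom(16)
    ct = _keystream_xor(enc_key, nonce, plaintext)
    return nonce + ct + hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()


def _open(key, blob):
    """Verify the tag before decrypting; raise on any tampering."""
    enc_key = hmac.new(key, b"enc", hashlib.sha256).digest()
    mac_key = hmac.new(key, b"mac", hashlib.sha256).digest()
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    if not hmac.compare_digest(tag, hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()):
        raise ValueError("ciphertext failed authentication")
    return _keystream_xor(enc_key, nonce, ct)


class FakeKMS:
    """Constructed stand-in for the KMS API: the master key never leaves this object,
    just as a real KMS key never leaves the service's HSMs."""

    def __init__(self):
        self._master = os.urandom(32)

    def encrypt(self, KeyId, Plaintext):
        if len(Plaintext) > KMS_DIRECT_LIMIT:  # real KMS raises ValidationException here
            raise ValueError(f"Plaintext exceeds {KMS_DIRECT_LIMIT} bytes; use envelope encryption")
        return {"KeyId": KeyId, "CiphertextBlob": _seal(self._master, KeyId.encode() + b"\0" + Plaintext)}

    def decrypt(self, CiphertextBlob):
        key_id, _, plaintext = _open(self._master, CiphertextBlob).partition(b"\0")
        return {"KeyId": key_id.decode(), "Plaintext": plaintext}

    def generate_data_key(self, KeyId, KeySpec="AES_256"):
        data_key = os.urandom(32 if KeySpec == "AES_256" else 16)
        return {"KeyId": KeyId, "Plaintext": data_key,
                "CiphertextBlob": self.encrypt(KeyId=KeyId, Plaintext=data_key)["CiphertextBlob"]}


def envelope_encrypt(kms, key_id, data):
    """Get a fresh data key from KMS, encrypt locally, and store the *wrapped*
    data key with the ciphertext: len(wrapped) || wrapped || body."""
    dk = kms.generate_data_key(KeyId=key_id, KeySpec="AES_256")
    wrapped = dk["CiphertextBlob"]
    return struct.pack(">I", len(wrapped)) + wrapped + _seal(dk["Plaintext"], data)


def envelope_decrypt(kms, package):
    """Unwrap the data key through KMS (the only call that needs the KMS key),
    then decrypt the body locally."""
    (n,) = struct.unpack(">I", package[:4])
    wrapped, body = package[4:4 + n], package[4 + n:]
    data_key = kms.decrypt(CiphertextBlob=wrapped)["Plaintext"]
    return _open(data_key, body)


def roundtrip_demo(size=50_000):
    """Returns (roundtrip_ok, direct_encrypt_rejected, tamper_detected) for `size` random bytes."""
    kms, data = FakeKMS(), os.urandom(size)
    package = envelope_encrypt(kms, "alias/app-data", data)
    roundtrip_ok = envelope_decrypt(kms, package) == data
    try:
        kms.encrypt(KeyId="alias/app-data", Plaintext=data)
        direct_rejected = False
    except ValueError:
        direct_rejected = True
    tampered = bytearray(package)
    tampered[-1] ^= 0x01  # flip a bit in the body's MAC tag
    try:
        envelope_decrypt(kms, bytes(tampered))
        tamper_detected = False
    except ValueError:
        tamper_detected = True
    return roundtrip_ok, direct_rejected, tamper_detected


if __name__ == "__main__":
    print(roundtrip_demo())
```

The package format (length-prefixed wrapped key, then body) is the design choice that matters: the wrapped key is useless without a Decrypt call that the KMS key policy permits, so key-policy changes and CloudTrail logging of that Decrypt call give you revocation and audit for data KMS never saw.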
What is CloudHSM?
Dedicated hardware security module
FIPS 140-2 Level 3 validated
Single-tenant, dedicated hardware; deployed as a multi-AZ cluster
What is parameter store?
Component of AWS Systems manager
Secure, serverless storage of configuration data and secrets
Values stored as plaintext (String, StringList) or encrypted with KMS (SecureString)
Advanced-tier parameters support expiration (TTL) policies
Standard parameters are free; limit of 10,000 standard parameters per account per Region
What is secrets manager?
Charged per secret stored per month and per 10,000 API calls
Automatically rotates secrets on a schedule
For RDS, Redshift and DocumentDB it applies the new password to the database for you
Generates random secrets
What is GuardDuty?
Threat detection service that uses machine learning anomaly detection and third-party threat intelligence feeds to monitor and protect your AWS accounts and workloads
One click to enable (30-day free trial)
Input data sources include CloudTrail events, VPC Flow Logs and DNS logs
What is AWS Control Tower?
The easiest way to set up and govern a new, secure, multi-account AWS environment
Accounts it provisions conform to company policies, enforced by guardrails (preventive and detective controls)
Aimed at large enterprises
What is security hub?
A comprehensive view of your security alerts and compliance status across multiple AWS accounts
Aggregates, organises, and prioritises your security alerts or findings
How to resolve compromised IAM credentials?
1 Determine what resources those credentials have access to
2 Invalidate the IAM credentials (deactivate access keys, remove the console password)
3 Invalidate any temporary credentials (STS sessions) issued to them
4 Restore appropriate access
5 Review access to the AWS account
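Worked example of steps 1 to 3, added here and not part of the flashcard deck: a containment script that inventories what the user can reach, deactivates (rather than deletes, so the key id survives for forensics) every active access key, removes the console password, and attaches the same deny-by-token-issue-time policy the console's "Revoke active sessions" button uses, which is how existing STS sessions are cut off since they cannot be cancelled directly. `FakeIAM` is a constructed in-memory stand-in exposing the boto3 IAM calls the script uses (`list_attached_user_policies`, `list_user_policies`, `list_access_keys`, `update_access_key`, `delete_login_profile`, `put_user_policy`) with the same parameters; pass `boto3.client("iam")` for a real account. The user "alice", her key ids and her policies are constructed sample data. Steps 4 and 5 (restoring appropriate access and reviewing the account) remain manual.

```python
"""Contain a compromised IAM user: inventory, disable long-term keys, cut STS sessions."""
import datetime
import json

# The console's "Revoke active sessions" button attaches a policy with this name.
REVOKE_POLICY_NAME = "AWSRevokeOlderSessions"


def revoke_older_sessions_policy(cutoff):
    """Deny everything to temporary credentials issued before `cutoff`.

    aws:TokenIssueTime exists only for temporary credentials, so this does nothing
    to long-term access keys; those are deactivated separately in contain().
    """
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Effect": "Deny",
            "Action": ["*"],
            "Resource": ["*"],
            "Condition": {"DateLessThan": {
                "aws:TokenIssueTime": cutoff.strftime("%Y-%m-%dT%H:%M:%SZ")}},
        }],
    }


def inventory(iam, username):
    """Step 1: what can these credentials reach? Policies and keys on the user."""
    attached = iam.list_attached_user_policies(UserName=username)["AttachedPolicies"]
    inline = iam.list_user_policies(UserName=username)["PolicyNames"]
    keys = iam.list_access_keys(UserName=username)["AccessKeyMetadata"]
    return {"attached_policies": [p["PolicyArn"] for p in attached],
            "inline_policies": list(inline),
            "access_keys": [(k["AccessKeyId"], k["Status"]) for k in keys]}


def contain(iam, username, now):
    """Steps 2-3: deactivate active keys, drop the console password, revoke sessions
    issued before `now`. Returns the step-1 inventory taken before any change."""
    report = inventory(iam, username)
    for key_id, status in report["access_keys"]:
        if status == "Active":
            iam.update_access_key(UserName=username, AccessKeyId=key_id, Status="Inactive")
    try:
        iam.delete_login_profile(UserName=username)
    except iam.exceptions.NoSuchEntityException:
        pass  # user had no console password
    iam.put_user_policy(UserName=username, PolicyName=REVOKE_POLICY_NAME,
                        PolicyDocument=json.dumps(revoke_older_sessions_policy(now)))
    return report


class FakeIAM:
    """Constructed stand-in for the IAM API, preloaded with sample user 'alice'."""

    class exceptions:  # mirrors boto3's client.exceptions namespace
        class NoSuchEntityException(Exception):
            pass

    def __init__(self):
        self.users = {"alice": {
            "keys": [{"AccessKeyId": "AKIAIOSFODNN7EXAMPLE", "Status": "Active"},
                     {"AccessKeyId": "AKIAI44QH8DHBEXAMPLE", "Status": "Inactive"}],
            "login_profile": True,
            "attached": ["arn:aws:iam::aws:policy/AdministratorAccess"],
            "inline": {}}}

    def list_access_keys(self, UserName):
        return {"AccessKeyMetadata": [dict(k, UserName=UserName) for k in self.users[UserName]["keys"]]}

    def update_access_key(self, UserName, AccessKeyId, Status):
        for k in self.users[UserName]["keys"]:
            if k["AccessKeyId"] == AccessKeyId:
                k["Status"] = Status

    def delete_login_profile(self, UserName):
        if not self.users[UserName]["login_profile"]:
            raise self.exceptions.NoSuchEntityException(UserName)
        self.users[UserName]["login_profile"] = False

    def list_attached_user_policies(self, UserName):
        return {"AttachedPolicies": [{"PolicyArn": a, "PolicyName": a.rsplit("/", 1)[-1]}
                                     for a in self.users[UserName]["attached"]]}

    def list_user_policies(self, UserName):
        return {"PolicyNames": list(self.users[UserName]["inline"])}

    def put_user_policy(self, UserName, PolicyName, PolicyDocument):
        self.users[UserName]["inline"][PolicyName] = PolicyDocument


def containment_demo():
    """Run containment against the fake account and return the resulting state."""
    iam = FakeIAM()
    report = contain(iam, "alice", datetime.datetime(2024, 5, 1, 10, 0, 0))
    alice = iam.users["alice"]
    revoke = json.loads(alice["inline"][REVOKE_POLICY_NAME])
    return {"report": report,
            "key_status": {k["AccessKeyId"]: k["Status"] for k in alice["keys"]},
            "login_profile": alice["login_profile"],
            "revoke_cutoff": revoke["Statement"][0]["Condition"]["DateLessThan"]["aws:TokenIssueTime"]}


if __name__ == "__main__":
    print(json.dumps(containment_demo(), indent=2))
```

Pair this with a CloudTrail search for the key ids in the returned inventory (the `accessKeyId` field in each record) so step 1 covers not just what the user could reach but what was actually touched.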
What is Athena?
Interactive query service which enables you to analyse and query data located in S3 using standard SQL
Serverless
No ETL needed: queries data in place in S3
What can Athena be used for?
Log files
Business reports
Analyse AWS cost and usage reports
Run queries on click-stream data
What is PII?
Personal data that can be used to establish an individual's identity
Home address, email, SSN
Passport number, driver license number
DOB, phone number, bank account
What is Macie?
Security service that uses machine learning and natural language processing (NLP) to discover, classify and protect sensitive data stored in S3
The original Macie could also analyse CloudTrail for suspicious API activity
Includes dashboards, reports and alerting
Useful for PCI DSS compliance and preventing identity theft
What is AWS acceptable use policy?
Describes prohibited actions on AWS infrastructure:
No illegal, harmful, or offensive use or content
No security violations
No network abuse
No email or other message abuse
How can cloudwatch alarms alert the customer?
Alarms publish to an SNS topic, which delivers via HTTPS endpoints, SQS queues, Lambda functions, mobile push notifications, email, or SMS