Security Flashcards

1
Q

Describe the Shared Responsibility Model - Customer responsibilities

A

1) “Security in the cloud”
2) The customer is responsible for the security of everything they create and put in the AWS Cloud
3) The customer has complete control over their content:
* Which content they choose to store
* Which AWS services they use
* Who has access to that content
4) The customer controls how access rights are granted, managed and revoked
5) The security steps required depend on factors such as:
* The services used
* The complexity of the systems
* The company’s specific operational and security needs
6) Security steps include:
* Selecting, configuring and patching the operating systems that will run on Amazon EC2 instances
* Configuring security groups
* Managing user accounts

2
Q

Describe the Shared Responsibility Model - AWS responsibilities

A

1) “Security of the cloud”
2) AWS operates, manages and controls the components at all layers of the infrastructure
3) This includes:
* The host operating system
* The virtualization layer
* Physical security of the data centers from which the services operate
4) AWS protects the global infrastructure that runs all of the services offered in the AWS Cloud: AWS Regions, Availability Zones and edge locations
5) AWS is responsible for the physical infrastructure that hosts the resources:
* Physical security of data centers
* Hardware and software infrastructure
* Network infrastructure
* Virtualization infrastructure

3
Q

Describe AWS Identity and Access Management (IAM)

A

1) Enables you to manage access to AWS services and resources securely
2) Gives you the flexibility to configure access based on a company’s specific operational and security needs
3) Building blocks:
* IAM users, groups and roles
* IAM policies
* Multi-factor authentication (MFA)

4
Q

Describe the AWS Account Root User

A

1) When you create an AWS account, you begin with an identity known as the root user
2) The root user is accessed by signing in with the email address and password that were used to create the AWS account
3) The root user has complete access to all the AWS services and resources in the account
BEST PRACTICE
* Do not use the root user for everyday tasks
* Use the root user to create the first IAM user and assign it permissions to create other users
* Only use the root user when you need to perform the limited number of tasks that are only available to the root user
* Examples: changing the root user email address and changing the AWS Support plan

5
Q

Describe IAM Users

A

1) An identity that you create in AWS
2) Represents the person or application that interacts with AWS services and resources
3) Consists of a name and credentials
4) When created, it has no permissions associated with it
5) To allow the IAM user to perform specific actions in AWS, you must grant the IAM user the necessary permissions
BEST PRACTICE:
* Create an individual IAM user for each person who needs to access AWS
* This provides additional security by allowing each IAM user to have a unique set of security credentials

6
Q

Describe IAM Policies

A

1) A document that allows or denies permissions to AWS services and resources
2) Enables you to customize users’ levels of access to resources
3) Example: allow users to access all of the Amazon S3 buckets within the AWS account, or only a specific bucket
BEST PRACTICE:
* Follow the security principle of least privilege when granting permissions

7
Q

Describe IAM Groups

A

1) A collection of IAM users
2) When you assign an IAM policy to a group, all users in the group are granted the permissions specified by the policy
3) Makes it easier to adjust permissions when an employee transfers to a different job -> remove them from the group for the original job and then add them to the group for the new job

8
Q

Describe IAM Roles

A

1) An identity that can be assumed to gain temporary access to permissions
2) Before an IAM user, application or service can assume an IAM role, they must be granted permission to switch to the role
3) When someone assumes an IAM role, they abandon all previous permissions that they had under a previous role and take on the permissions of the new role
BEST PRACTICE
* IAM roles are ideal for situations in which access to services or resources needs to be granted temporarily, instead of long-term

9
Q

Describe Multi-factor Authentication (MFA)

A

1) An extra layer of protection on top of a user name and password
2) When a user signs in to the AWS Management Console, they are prompted for their user name and password (the first factor: what they know), as well as for an authentication code from their AWS MFA device (the second factor: what they have)

10
Q

Describe AWS Organizations

A

1) Enables you to consolidate and manage multiple AWS accounts within a central location
2) You can centrally control permissions for the accounts by using service control policies (SCPs)

11
Q

Describe Service Control Policies (SCPs)

A

1) Enable you to place restrictions on the AWS services, resources and individual API actions that users and roles in each account can access
2) Can be applied to:
* The organizational root
* An individual member account
* An organizational unit (OU)

12
Q

Describe Organizational Units (OU)

A

1) Used to group accounts
2) Makes it easier to manage accounts with similar business or security requirements
3) When you apply a policy to an OU, all the accounts in the OU automatically inherit the permissions specified in the policy
4) Lets you more easily isolate workloads or applications that have specific security requirements

13
Q

Describe AWS Artifact

A

1) A service that provides on-demand access to AWS security and compliance reports and select online agreements
2) Consists of two main sections:
* AWS Artifact Agreements
- Review, accept and manage agreements for an individual account and for all accounts in AWS Organizations
- Covers different types of agreements (for example, HIPAA)
* AWS Artifact Reports
- Provide compliance reports from third-party auditors

14
Q

Describe Denial-of-service attacks (DoS) & Distributed denial-of-service attacks (DDoS)

A

DoS
1) A deliberate attempt to make a website or application unavailable to users
2) An attacker might flood a website or application with excessive network traffic until the targeted website or application becomes overloaded and is no longer able to respond
DDoS
1) Multiple sources are used to start an attack that aims to make a website or application unavailable
2) Carried out by a group of attackers, or by a single attacker using multiple infected computers (bots)

15
Q

Describe AWS Shield

A

1) A service that protects applications against DDoS attacks
2) Two levels of protection:
* AWS Shield Standard
- Automatically protects all AWS customers at no cost
- Protects your AWS resources from the most common, frequently occurring types of DDoS attacks
- Uses a variety of analysis techniques to detect malicious traffic in real time and automatically mitigates it
* AWS Shield Advanced
- A paid service that provides detailed attack diagnostics and the ability to detect and mitigate sophisticated DDoS attacks
- Integrates with other services such as Amazon CloudFront, Amazon Route 53 and Elastic Load Balancing
- Can be integrated with AWS WAF by writing custom rules to mitigate complex DDoS attacks

16
Q

Describe AWS Key Management Service (AWS KMS)

A

1) Enables you to perform encryption operations through the use of cryptographic keys (a random string of digits used for locking (encrypting) and unlocking (decrypting) data)
2) You can use AWS KMS to create, manage and use cryptographic keys
3) You can also control the use of keys across a wide range of services and in your applications
4) You choose the specific levels of access control needed for the keys
5) Example: specify which IAM users and roles are able to manage keys
6) Example: temporarily disable keys so that they are no longer in use by anyone

17
Q

Describe AWS WAF

A

1) A web application firewall that lets you monitor network requests that come into your web applications
2) Works together with Amazon CloudFront and an Application Load Balancer
3) Uses a web access control list (ACL) to protect your AWS resources
4) Example: configure the web ACL to allow all requests except those from IP addresses that you have specified
5) When a request comes into AWS WAF, it is checked against the list of rules configured in the web ACL. If the request did not come from one of the blocked IP addresses, it is allowed access to the application
6) If the request came from one of the blocked IP addresses specified in the web ACL, it is denied access

18
Q

Describe Amazon Inspector

A

1) Helps improve the security and compliance of applications by running automated security assessments
2) It checks applications for security vulnerabilities and deviations from security best practices, such as open access to Amazon EC2 instances and installations of vulnerable software versions
3) After the assessment is performed, it provides a list of security findings
4) The list is prioritized by severity level and includes a detailed description of each security issue and a recommendation for how to fix it
5) AWS does not guarantee that following the provided recommendations resolves every potential security issue
6) Under the shared responsibility model, customers are responsible for the security of their applications, processes and tools that run on AWS services

19
Q

Describe Amazon GuardDuty

A

1) A service that provides intelligent threat detection for your AWS infrastructure and resources
2) It identifies threats by continuously monitoring the network activity and account behavior within your AWS environment
3) Once enabled, it monitors network and account activity
4) You do not have to deploy or manage any additional security software
5) If it detects any threats, you can review detailed findings about them from the AWS Management Console
6) Findings include recommended steps for remediation
7) You can also configure AWS Lambda functions to take remediation steps automatically in response to the security findings