Security and Compliance Flashcards
What dictates who is responsible for security on different parts of AWS?
Shared Responsibility Model
What is AWS responsible for in the Shared Responsibility Model?
The security of the cloud
- regions, edge locations, AZs, physical buildings, networking components, software/managed services, patching AMIs
What are you responsible for in the Shared Responsibility Model?
Security in the cloud
- application data encryption
- securing your account, VPCs, etc.
- patching the guest OS on your EC2 instance
- IAM
- network traffic and firewall configuration
- software that you build or install
EC2 Shared Responsibility Model
AWS: EC2 service, patching the host OS, security of the physical host server
You: installed applications, patching the guest OS, security controls
Lambda Shared Responsibility Model
AWS: lambda service, language upgrades, underlying infrastructure and dependencies
You: security of the code, storage of sensitive data, IAM
How do you report abuse of AWS resources?
rotate your passwords when an incident occurs, then contact the AWS Trust and Safety Team
Pillar 1 of the Well-Architected Framework
Operational Excellence
- The ability to support development and run workloads effectively, gain insight into their operations, and to continuously improve supporting processes and procedures to deliver business value.
Pillar 2 of the Well-Architected Framework
Security
- putting mechanisms in place that help protect your systems and data
Pillar 3 of the Well-Architected Framework
Reliability
- the ability of a workload to perform its intended function correctly and consistently when it’s expected to. This includes the ability to operate and test the workload through its total lifecycle.
Pillar 4 of the Well-Architected Framework
Performance Efficiency
- effective use of computing resources to meet system and business requirements while removing bottlenecks
- use serverless architectures first
- multi-AZ deployments
- delegate tasks to a cloud vendor
Pillar 5 of the Well-Architected Framework
Cost Optimization
- delivering optimum and resilient solutions at the least cost to the user
What is an example of Operational Excellence?
using CodeCommit to version control your code and IaC
What is an example of the Security pillar?
configuring central logging using CloudTrail
What is an example of the Reliability pillar?
use multi-AZ deployments of RDS databases
What is an example of the Performance Efficiency pillar?
use Lambda without administration overhead
What is an example of the Cost Optimization pillar?
use S3 intelligent tiering to move data to the most cost-effective storage tier
IAM
Identity and Access Management
- a free global service that helps you secure your cloud resources and define who has access to what
Identities
who can access your resources
- root user, individual users, groups, roles
Access
what resources someone can access
- policies, managed policies, permissions boundaries
permissions boundaries
limit the scope of what a user can do
root user permissions
- manage your AWS account (close, change support plan, email address, etc.)
applications as users
you can create a user with access keys so that an on-prem application can access your cloud resources
PLP
Principle of Least Privilege
- only giving a user the minimum amount of privileges to do their job
access keys
- needed when you use the CLI
- generated by IAM
- public key and private key
IAM groups
a collection of IAM users that helps you apply common access controls to all group members
EC2 groups
security groups that act as firewalls
how is group access assigned?
using policies and roles
roles
allow you to delegate access to users or services that normally don’t have access to your organization’s AWS resources. IAM users or AWS services can assume a role to obtain temporary security credentials that can be used to make AWS API calls.
example use of roles:
attach a role to an EC2 instance for access to S3 so applications running on the instance can access storage
policies
a document in JSON format that defines permissions for IAM users, groups and/or roles
Example use case for policies
limit access to an S3 bucket to specific users with a bucket access policy
What are some IAM best practices?
1) enable MFA for privileged users
2) implement strong password policies
3) create individual users instead of using root
4) use roles for EC2 instances for apps running on the instance
IAM Credential Report
a list of all users in your account and the status of their credentials. Used for auditing and compliance.
What does the Well-Architected Tool do?
provides recommendations for making your workloads more reliable, secure, efficient, and cost-effective.
Component
the code, configuration, and AWS Resources that together deliver against a requirement. A component is often the unit of technical ownership, and is decoupled from other components.
Workload
a set of components that together deliver business value. A workload is usually the level of detail that business and technology leaders communicate about.
When making architecture trade-offs, which two pillars are generally not traded off?
Security and Operational Excellence are generally not traded off against the other pillars.