Security and Compliance Flashcards
What dictates who is responsible for security on different parts of AWS?
Shared Responsibility Model
What is AWS responsible for in the Shared Responsibility Model?
The security of the cloud
- regions, edge locations, AZs, physical buildings, networking components, software/managed services, patching AMIs
What are you responsible for in the Shared Responsibility Model?
Security in the cloud
- application data encryption
- securing your account, VPCs, etc.
- patching the guest OS on your EC2 instance
- IAM
- network traffic and firewall configuration
- software that you build or install
EC2 Shared Responsibility Model
AWS: EC2 service, patching the host OS, security of the physical host server
You: installed applications, patching the guest OS, security controls
Lambda Shared Responsibility Model
AWS: Lambda service, language upgrades, underlying infrastructure and dependencies
You: security of the code, storage of sensitive data, IAM
How do you report abuse of AWS resources?
rotate your passwords when an incident occurs, then contact the AWS Trust and Safety Team
Pillar 1 of the Well-Architected Framework
Operational Excellence
- The ability to support development and run workloads effectively, gain insight into their operations, and to continuously improve supporting processes and procedures to deliver business value.
Pillar 2 of the Well-Architected Framework
Security
- putting mechanisms in place that help protect your systems and data
Pillar 3 of the Well-Architected Framework
Reliability
- The ability of a workload to perform its intended function correctly and consistently when it's expected to. This includes the ability to operate and test the workload through its total lifecycle.
Pillar 4 of the Well-Architected Framework
Performance Efficiency
- effective use of computing resources to meet system and business requirements while removing bottlenecks
- use serverless architectures first
- multi-AZ deployments
- delegate tasks to a cloud vendor
Pillar 5 of the Well-Architected Framework
Cost Optimization
- delivering optimum and resilient solutions at the least cost to the user
What is an example of Operational Excellence?
using CodeCommit to version control your code and IaC
What is an example of the Security pillar?
configuring central logging using CloudTrail
What is an example of the Reliability pillar?
use multi-AZ deployments of RDS databases
What is an example of the Performance Efficiency pillar?
use Lambda without administration overhead
What is an example of the Cost Optimization pillar?
use S3 intelligent tiering to move data to the most cost-effective storage tier
IAM
Identity and Access Management
- a free global service that helps you secure your cloud resources and define who has access to what
Identities
who can access your resources
- root user, individual users, groups, roles
Access
what resources someone can access
- policies, managed policies, permissions boundaries
permissions boundaries
limit the scope of what a user can do
root user permissions
- manage your AWS account (close, change support plan, email address, etc.)
applications as users
you can create a user with access keys so that an on-prem application can access your cloud resources
PLP
Principle of Least Privilege
- only giving a user the minimum amount of privileges to do their job
access keys
- needed when you use the CLI
- generated by IAM
- public key and private key