Security and Compliance Flashcards
The Shared Responsibility Model
Security and compliance are shared between you and AWS: AWS is responsible for security OF the cloud (the infrastructure that runs its services), and you are responsible for security IN the cloud (everything you put into it and how you configure it).
In the shared responsibility model, AWS is responsible for:
The global infrastructure (Regions, Availability Zones, edge locations), physical security of the data centers, the hardware and networking components, and the software that runs its managed services, including the hypervisor.
In the shared responsibility model, YOU are responsible for:
Your data, identity and access management, security configuration (encryption, security groups, OS and firewall settings), patching the guest OS on your EC2 instances, the network traffic you send (routing, encryption in transit), and your application code. How much falls on you depends on the service: for managed services such as RDS or Lambda, AWS patches the underlying OS and runtime.
5 Pillars of the Well-Architected Framework
Operational Excellence, Security, Reliability, Performance Efficiency, and Cost Optimization (a sixth pillar, Sustainability, was added in late 2021)
Operational Excellence
Running and monitoring systems to deliver business value, and continually improving the processes and procedures that support them. EX: managing infrastructure and runbooks as code in a repository such as CodeCommit
Performance Efficiency
Using computing resources efficiently to meet requirements as demand changes, and removing bottlenecks. EX: using Lambda to respond to events instead of keeping servers running
Cost Optimization
Delivering business value at the lowest price point. EX: using S3 Intelligent-Tiering to move rarely accessed objects to cheaper storage classes automatically
Identity and Access Management (IAM)
Controls access to your AWS services and resources: defines who (or what) is authenticated, what they can access, and what they are authorized to do with it.
IAM Users
Entities created to represent a person OR an application/service that needs access. They are created under your account and get credentials from it (a console password and/or access keys), so anything they do is billed to you and is your responsibility!
The principle of least privilege
Grant users (and roles) only the minimum permissions required to do their job, and remove permissions that are no longer needed.
IAM Groups
A collection of users with common access needs; policies attached to the group apply to every member. Groups cannot contain other groups. EX: Developers, Admins, and Analysts need access to different things
IAM Roles
Define a set of permissions that can be temporarily assumed by a user, an AWS service (such as an EC2 instance), or a federated identity; assuming a role yields short-lived credentials from STS instead of long-term access keys. EX: a user puts on their developer hat for a task and takes it off afterwards.
Access is granted through the policies attached to the role. Roles protect against unauthorized access because the credentials expire, and they remove the need to share or embed access keys.
IAM Policies
JSON documents that manage permissions for whatever it is attached to: Users, Groups, and Roles
Best Practices for IAM
Enable MFA for privileged users (and for the root user)
Create individual IAM users (or use federated identities) instead of sharing the root account; lock the root user away and use it only for the few tasks that require it
Implement a strong password policy
Use roles for EC2 instances and other services instead of storing access keys on them
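The following is an added example for the IAM Policies and Best Practices cards above; it is not AWS code. It models the core of how IAM evaluates identity policies (an explicit Deny always wins, otherwise an Allow is needed, otherwise the request is implicitly denied), shows a least-privilege policy beside an MFA guardrail policy, and includes a small lint for over-broad Allow statements. The policy documents and the `evaluate` / `overly_broad_statements` functions are constructed for this example; only the policy JSON syntax and the `aws:MultiFactorAuthPresent` condition key are real IAM.

```python
"""Simplified IAM policy evaluation: explicit Deny beats Allow, and nothing
is allowed unless a statement says so (implicit deny).

Added example for these flashcards, not AWS code. It models only the subset of
the policy language used here (Effect, Action, Resource, Bool/BoolIfExists
conditions). The real evaluation logic also covers NotAction/NotResource,
resource-based policies, permission boundaries, SCPs and many more operators.
"""
import fnmatch
import json

# Least-privilege policy for an analyst: read a single bucket, nothing else.
ANALYST_POLICY = json.loads("""
{
  "Version": "2012-10-17",
  "Statement": [{
    "Effect": "Allow",
    "Action": ["s3:GetObject", "s3:ListBucket"],
    "Resource": ["arn:aws:s3:::reports-bucket", "arn:aws:s3:::reports-bucket/*"]
  }]
}""")

# Guardrail: deny everything for sessions that did not sign in with MFA.
# BoolIfExists (not Bool) is used on purpose: requests made with long-term
# access keys carry no aws:MultiFactorAuthPresent key at all, and a plain
# Bool condition would silently not apply to them.
DENY_WITHOUT_MFA = json.loads("""
{
  "Version": "2012-10-17",
  "Statement": [{
    "Effect": "Deny",
    "Action": "*",
    "Resource": "*",
    "Condition": {"BoolIfExists": {"aws:MultiFactorAuthPresent": "false"}}
  }]
}""")


def _as_list(value):
    return value if isinstance(value, list) else [value]


def _condition_holds(condition, context):
    """All condition blocks must hold (AND). Only Bool and BoolIfExists are modelled."""
    for operator, pairs in condition.items():
        if operator not in ("Bool", "BoolIfExists"):
            raise NotImplementedError(f"condition operator {operator} not modelled")
        for key, expected in pairs.items():
            if key not in context:
                if operator == "Bool":
                    return False          # key absent: a plain Bool condition is not met
                continue                  # ...IfExists: an absent key counts as met
            if str(context[key]).lower() != str(expected).lower():
                return False
    return True


def evaluate(policies, action, resource, context=None):
    """Return 'allow' or 'deny' for one request against a set of identity policies."""
    context = context or {}
    allowed = False
    for policy in policies:
        for stmt in _as_list(policy["Statement"]):
            # Action names are matched case-insensitively; resources are case-sensitive.
            if not any(fnmatch.fnmatchcase(action.lower(), p.lower())
                       for p in _as_list(stmt["Action"])):
                continue
            if not any(fnmatch.fnmatchcase(resource, p) for p in _as_list(stmt["Resource"])):
                continue
            if not _condition_holds(stmt.get("Condition", {}), context):
                continue
            if stmt["Effect"] == "Deny":
                return "deny"             # an explicit deny ends evaluation immediately
            allowed = True
    return "allow" if allowed else "deny"  # implicit deny when no statement allowed it


def overly_broad_statements(policy):
    """Least-privilege lint: Allow statements that grant every action on every resource."""
    return [s for s in _as_list(policy["Statement"])
            if s.get("Effect") == "Allow"
            and "*" in _as_list(s["Action"]) and "*" in _as_list(s["Resource"])]


if __name__ == "__main__":
    policies = [ANALYST_POLICY, DENY_WITHOUT_MFA]
    obj = "arn:aws:s3:::reports-bucket/q1.csv"
    print(evaluate(policies, "s3:GetObject", obj, {"aws:MultiFactorAuthPresent": "true"}))  # allow
    print(evaluate(policies, "s3:GetObject", obj))                                         # deny: no MFA
    print(evaluate(policies, "s3:PutObject", obj, {"aws:MultiFactorAuthPresent": "true"}))  # deny: implicit
    print(overly_broad_statements(ANALYST_POLICY))                                          # []
```

The second call is the case that matters in practice: a request made with long-term access keys has no MFA key in its context, and the guardrail still denies it only because the condition uses `BoolIfExists`. Attach the analyst policy to a group and the guardrail to every human user, and they get exactly one bucket, and only after signing in with MFA.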
IAM Credential Report
Generates a CSV listing every user in the account (including the root user) and the status of their credentials: console password, access keys, MFA, and when each was last used or rotated. Used for auditing and compliance, e.g. to find users without MFA or access keys that were never rotated.
Firewall
Prevents unauthorized access to your network by inspecting traffic against security rules that you've defined. In AWS the network-level equivalents are security groups (stateful, per instance) and network ACLs (stateless, per subnet).
Web Application Firewall (WAF)
Inspects HTTP(S) requests and blocks common attack patterns, such as SQL injection and cross-site scripting, before they reach the application. AWS WAF attaches to CloudFront distributions, Application Load Balancers, and API Gateway.
DDoS
Distributed Denial of Service - an attack that makes a web app unavailable by flooding it with traffic or requests from many distributed sources, exhausting its bandwidth, connections, or compute.
AWS Shield
Managed DDoS protection service. Shield Standard is enabled automatically at no extra cost; Shield Advanced adds protection against larger attacks, a 24/7 response team, and cost protection for scaling caused by an attack.
Amazon Macie
Discovers and protects sensitive data (such as PII and credentials) stored in S3, using machine learning and pattern matching, and raises findings you can alert on.
AWS Config
Allows you to assess, audit, and evaluate the configurations of your resources. Records configuration changes and tracks them over time, and evaluates resources against rules to flag non-compliant ones. EX: flag any security group that allows SSH from 0.0.0.0/0
Amazon GuardDuty
Managed threat detection service for EC2, S3, and IAM. Continuously analyzes CloudTrail events, VPC Flow Logs, and DNS logs using ML, anomaly detection, and threat intelligence, and flags activity associated with common attacks, e.g. credentials used from an unusual location or an instance talking to a known command-and-control address. Needs no agent.
Amazon Inspector
Automated vulnerability assessment for EC2 instances: reports whether they are reachable from the internet, whether they run software with known vulnerabilities, and (in the classic version) host-level issues such as remote root logins. It relies on an agent on the instance (the SSM Agent in the current version).
AWS Artifact
On-demand access to AWS security and compliance reports, such as SOC and PCI DSS reports and ISO certifications produced by third-party auditors, plus agreements like the BAA. Used as evidence in your own audits.