Security and Compliance

Question 1

The Shared Responsibility Model

Answer 1

Shared Responsibility between you and AWS: AWS is responsible for securing the cloud, and you are responsible for securing the things you put into it.

Question 2

In the shared responsibility model, AWS is responsible for:

Answer 2

Their global infrastructure, Building Security, Networking Components, and their Software.

Question 3

In the shared responsibility model, YOU are responsible for:

Answer 3

Your application data, security configurations, patching, network traffic, and your application code.

Question 4

5 Pillars of a Well-Architected Framework

Answer 4

Operational Excellence, Security, Reliability, Performance Efficiency, and Cost Optimization

Question 5

Operational Excellence

Answer 5

Effectively support production workloads. EX: Using CodeCommit

Question 6

Performance Efficiency

Answer 6

effectively using cloud resources to meet requirements while removing bottlenecks. EX: Using Lambda to respond to events

Question 7

Cost Optimization

Answer 7

Delivering optimum solutions at the least cost EX: using S3 intelligent tiering

Question 8

Identity and Access Management (IAM)

Answer 8

Controlling access to your AWS tools and resources. Define who has access to what, and what they can do with that access.

Question 9

IAM Users

Answer 9

entities created to represent the person OR SERVICE that needs access. They’re created under your account, so you will be billed for anything they do!

Question 10

The principle of least priviledge

Answer 10

Only give users the bare minimum level of access required to do their job.

Question 11

IAM Groups

Answer 11

A collection of Users with common access controls. EX: Developers, Admins, or Analysts may need access to different things

Question 12

IAM Roles

Answer 12

define access permissions, are temporarily assumed by a User. EX: They put on their developer hat.
Access is granted using policies, and roles are great for protecting against unauthorized access, and to avoid sharing access keys

Question 13

IAM Policies

Answer 13

JSON documents that manage permissions for whatever it is attached to: Users, Groups, and Roles

Question 14

Best Practices for IAM

Answer 14

Enable MFA for privileged users
Create individual users instead of using root
Implement strong PW policies
Use roles for EC2 instances

Question 15

IAM Credential Report

Answer 15

Generates a list of all Users in your account, and the status of their credentials. Used for auditing and compliance.

Question 16

Firewall

Answer 16

Prevents unauthorized access to your network by inspecting traffic against security rules that you’ve defined

Question 17

Web-Application Firewall (WAF)

Answer 17

Used to protect against common attack patterns, such as SQL Injection and Cross-Site Scripting.

Question 18

DDoS

Answer 18

Distributed Denial of Service - an attack that attempts to crash a webapp by overloading the network traffic

Question 19

AWS Shield

Answer 19

DDoS protection service

Question 20

AWS Macie

Answer 20

Discover and protect sensitive data in S3, using Machine Learning

Question 21

AWS Config

Answer 21

Allows you to assess, audit, and evaluate the configurations of your resources. Records configuration changes and tracks them over time.

Question 22

AWS Guard Duty

Answer 22

ML based threat detection system for EC2, S3 and IAM. Reviews logs and identifies events that are associated with common attacks

Question 23

AWS Inspector

Answer 23

Uncover and report vulnerabilities in EC2. Installed on an instance to check access from the internet, remote root log ins, and vulnerable software versions

Question 24

AWS Artifact

Answer 24

On-demand access to AWs security and compliance reports. Includes audits from 3rd parties.

Question 25

Encryption

Answer 25

Encodes data so that it can’t be read by unauthorized users. Uses one key to encode, and another to decode.

Question 26

Data In Flight

Answer 26

Data that is moving from one location to another

Question 27

Data At Rest

Answer 27

Data that is stored, or inactive (not moving)

Question 28

AWS Key Management Services (KMS)

Answer 28

AWS managed services that generates and stores encryption keys. Auto-enabled for certain services, great for encrypting EBS volumes

Question 29

CloudHSM

Answer 29

“Hardware Security Module” used to generate encryption keys. NOT managed by AWS. Necessary to meet requirements for dedicated security hardware.

Question 30

Secrets Manager

Answer 30

Manage and retrieve secrets (pws or keys). Encrypts secrets at rest, and integrates with Redshift, RDS, and DocumentDB. Useful for retrieving credentials needed within application code.