Security and Compliance Flashcards
What is AWS Shield Standard
Protects against DDoS attacks for your websites and apps, for all customers at no additional cost
What is AWS Shield Advanced
24/7 premium DDoS protection
What is AWS WAF
Filter specific requests based on rules
Protects your web apps from common web exploits (Layer 7)
When it comes to penetration testing on your AWS Cloud, what can you not do?
DNS zone walking via Amazon Route 53 Hosted Zones
DoS and DDoS attacks
Port flooding
Protocol flooding
Request flooding
What types of services can you do pentests on?
EC2
RDS
CloudFront
Aurora
API Gateway
Lambda and Lambda Edge functions
Lightsail
Elastic Beanstalk
What does it mean when data is at rest
Data is stored or archived on a device
What does it mean when data is in transit
Data being moved from one location to another
What is AWS KMS
Key Management Service
AWS manages the encryption keys for us
What is Cloud HSM
AWS provides encryption to us via an HSM (Hardware Security Module)
You manage your own encryption keys
What is AWS Certificate Manager (ACM)
Lets you easily provision, manage, and deploy SSL/TLS Certificates
Used to provide in-flight encryption for websites (HTTPS)
Supports both public and private TLS certificates
Free of charge for public TLS certificates
Automatic TLS certificate renewal
Integrations with (loads TLS certificates on):
- Elastic Load Balancers
- CloudFront distributions
- APIs on API Gateway
What is Secrets Manager
Meant for storing secrets
Force rotation of secrets every X days
Automate generation of secrets on rotation (uses Lambda)
Integration with Amazon RDS
Secrets are encrypted using KMS
Mostly meant for RDS integration
What is AWS Artifact
Portal that provides customers with on-demand access to AWS compliance documentation and AWS agreements
What is AWS GuardDuty
Intelligent threat discovery to protect your AWS account
Uses Machine Learning algorithms, anomaly detection
30 day free trial
What is the input data of AWS GuardDuty
CloudTrail Logs: unusual API calls, unauthorized deployments
VPC Flow Logs: unusual internal traffic, unusual IP addresses
DNS Logs: compromised EC2 instances sending encoded data within DNS queries
What is AWS Inspector
Provides automated security assessments for EC2 instances
Analyzes the running OS against known vulnerabilities
Analyzes against unintended network accessibility
The AWS Inspector Agent must be installed on the OS of the EC2 instances
What is AWS Config
Helps with auditing and recording compliance of your AWS resources
Records configuration and changes over time
What kind of questions can be solved with AWS Config
Is there unrestricted SSH access to my security group?
Do my buckets have any public access?
How has my ALB config changed over time?
What is AWS Macie
A fully managed data security and data privacy service that uses machine learning and pattern matching to discover and protect your sensitive data in AWS
Helps identify and alert you to sensitive data, such as personally identifiable information (PII)
What is AWS Security Hub
Central security tool to manage security across several AWS accounts and automate security checks
What is AWS Detective
Analyzes, investigates, and quickly identifies the root cause of security issues or suspicious activities from VPC Flow Logs, CloudTrail and GuardDuty, and creates a unified view
What is AWS Abuse
Report suspected AWS resources used for abusive or illegal purposes
What things can only the root user do?
Change account settings
Close your AWS account
Restore IAM user permissions
Change or cancel your AWS Support plan
Register as a seller in the Reserved Instance Marketplace
Configure an S3 bucket to enable MFA Delete