Security And Compliance Flashcards
The client is responsible for security in the cloud, which includes:
Installed applications
Patching the guest operating system
Security controls
According to the shared responsibility model, AWS is responsible for:
EC2 service
Patching the host operating system
Security of the physical server
For the Lambda security model, the client is responsible for:
Security of code
Storage of sensitive data
IAM permissions
For the Lambda security model, AWS is responsible for:
Lambda service
Upgrading Lambda languages
Operating system
Underlying infrastructure
Software dependencies
The 6 pillars of the Well Architected Framework
Operational excellence
Security
Reliability
Performance efficiency
Cost optimization
Sustainability
Principle of least privilege
Give a user the minimum access required to get the job done
What is a collection of IAM users that helps you apply common access controls to all group members:
A Group. Used to group users that perform a similar task.
EC2 security groups act as ________, while IAM groups are a collection of ______.
Firewalls, users
_____ define access permissions and are temporarily assumed by IAM users or services.
Roles
Whenever a user assumes a role, they have access to the resource according to what is stated in the policy.
______ manage permissions for IAM groups, users, and roles by creating a _____ document in JSON format and attaching it.
Policies, policy
IAM best practices
MFA for privileged users
Strong password policies
Create individual users instead of using the root for everything
Use roles for EC2 instances instead of long-term credentials like access keys
IAM Credential Report
Lists all users in your account and the status of their credentials: password status, access keys, and MFA devices. Used for auditing and compliance.
______ prevent unauthorized access to your networks by inspecting incoming and outgoing traffic against security rules you’ve defined.
Firewalls.
Web Application Firewall (WAF)
Helps protect your web apps against common web attacks, including:
SQL injection
Cross-site scripting
_____ flood websites or web apps with traffic so that they become overwhelmed and crash.
Distributed Denial of Service (DDoS) attacks
___ is a managed DDoS protection service.
Shield.
There are two tiers: Shield Standard and Shield Advanced. Standard is free, and Advanced supports several services.
_____ uses ML to discover and protect sensitive data.
Macie.
Evaluates the S3 environment
Services supported by Shield
CloudFront
Elastic load balancer
Route 53
Global Accelerator
____ allows you to assess, audit, and evaluate the configurations of your resources.
Config.
Tracks changes to various resources over time
Notifications via SNS of every config change
An intelligent threat detection system that uncovers unauthorized or malicious activities in your AWS account.
GuardDuty
Uses ML to detect patterns
Built-in detection for EC2, S3, and IAM.
Detects unusual API calls in your account
Works with EC2 instances to uncover and report vulnerabilities.
Inspector
An agent installed in EC2 instances. Works with EC2 only.
Offers on-demand access to security AND compliance reports.
Artifact
Central repository for reports from third-party auditors.
Service Organization Control (SOC) reports.
Payment Card Industry (PCI) reports.
Provides authentication and authorization to mobile and web applications, helps manage users, and controls access to mobile and web apps.
Cognito
A(n) __________ “scrambles” data before sending it to someone. The person receiving the data will need a ___________ to unscramble the data and read it.
Encryption key, decryption key
Allows you to generate and store encryption keys.
Key Management Service (KMS)
AWS manages the encryption keys.
Example: create encrypted EBS volumes
CloudHSM
A hardware security module (HSM) used to generate encryption keys.
You manage your own keys, not AWS.
Dedicated hardware for security
Allows you to manage and retrieve secrets.
Secrets Manager.
Encrypts secrets at rest.
Integrates with other AWS services.
Example: retrieve database credentials by calling the Secrets Manager API instead of hard-coding them in plain text.