Security and Compliance Flashcards
AWS responsibilities in shared responsibility model
AWS Global Infrastructure - regions, edge locations, availability zones
Building Security - controlling data center access
Networking Components - maintaining generators, uninterruptible power supply (UPS) systems, computer room air conditioning (CRAC) units, fire suppression systems, etc.
Software - managed services and patching of HOST operating systems
My responsibilities in shared responsibility model
Application Data - managing and encrypting data
Security Configurations - securing account/APIs, rotating credentials, restricting internet access from VPCs
Patching - responsible for guest OS
IAM
Network Traffic - security group firewall configurations
Installed Software - application code patching and scans
How to report abuse of AWS resources
Contact the AWS Trust and Safety team
The 6 pillars of the Well-Architected Framework
- Operational Excellence
- Security
- Reliability
- Performance Efficiency
- Cost Optimization
- Sustainability
What is WAF (framework)
The Well-Architected Framework describes the design principles and best practices for running workloads in the cloud
WAF: Operational Excellence
Focus on creating applications that effectively support production workloads
- Plan for and anticipate failures
- Script operations as code
- Deploy smaller, reversible changes
- Learn from failure and refine
WAF: Security
Focus on putting mechanisms in place that protect your systems and data
- Automate security tasks
- Encrypt data in transit and at rest
- Assign only the least privileges required
- Track who did what and when
- Ensure security at all application layers
WAF: Reliability
Focus on designing systems that work consistently and recover quickly
- Recover from failure automatically
- Scale horizontally for resilience
- Reduce idle resources
- Manage change through automation
- Test recovery procedures
WAF: Performance Efficiency
Focus on the effective use of computing resources to meet system and business requirements while removing bottlenecks
- Use serverless architectures first
- Use multi-region deployments
- Delegate tasks to a cloud vendor
- Experiment with virtual resources
WAF: Cost Optimization
Focus on delivering optimum and resilient solutions at the least cost to the user
- Utilize consumption-based pricing
- Measure overall efficiency
- Implement Cloud Financial Management
- Pay only for resources your application requires
WAF: Sustainability
Focus on environmental impacts, especially energy consumption and efficiency
- Understand your impact
- Maximize utilization
- Establish sustainability goals
- Use managed services
- Reduce downstream impact
Identity and Access Management (IAM)
IAM allows you to control access to your AWS services and resources
- Helps you secure your cloud resources
- You define who has access
- You define what they can do
- A free global service
The principle of least privilege
Giving a user the minimum access required to get the job done
How to create access keys for users that need access to the AWS CLI
IAM
IAM Credential Report
Lists all users in your account and the status of their various credentials
What is WAF (security)
Web Application Firewall - Helps to protect your web applications against common web attacks.
- protects against SQL injection
- protects against cross-site scripting
- protects against common attack patterns
What service protects against SQL injection and cross-site scripting attacks?
WAF - Web Application Firewall
Shield
Managed DDoS protection service
- always on
- standard is free
- advanced is a paid service
Macie
Helps you discover and protect sensitive data
- machine learning
- evaluates S3 environments
- uncovers personally identifiable information (PII)
Shield works with which services
- CloudFront
- Route 53
- Elastic Load Balancing
- AWS Global Accelerator
Config
Allows you to assess, audit, and evaluate the configurations of your resources
- track configuration changes over time
- delivers configuration history to S3
- notification via SNS of configuration changes
GuardDuty
An intelligent threat detection system that uncovers unauthorized behavior
- machine learning
- built in detection for EC2, S3, IAM
- reviews CloudTrail, VPC Flow Logs, and DNS logs
Inspector
Works with EC2 instances to uncover and report vulnerabilities
- Agent installed on EC2 instance
- Reports vulnerabilities
- Checks access from internet, remote root login, vulnerable software versions, etc.
Artifact
Offers on-demand access to AWS security and compliance reports
- central repository for compliance reports from third-party auditors
- service organization controls (SOC) reports
- payment card industry (PCI) reports
Cognito
Helps you control access to mobile and web applications
- provides authentication and authorization
- helps you manage users
- assists with user sign-up and sign-in
Key Management Service (KMS)
Allows you to generate and store encryption keys
CloudHSM
Hardware Security Module (HSM) used to generate encryption keys
- dedicated hardware for security
- AWS does not have access to your keys
- Generate and manage your own encryption keys
This service allows you to meet corporate, contractual, and regulatory compliance requirements for data security by using dedicated hardware in the cloud
CloudHSM
Secrets Manager
Allows you to manage and retrieve secrets (passwords or keys)
- rotate, manage, and retrieve secrets
- integrates with services like RDS, Redshift, and DocumentDB
- Encrypt at rest
This service allows you to retrieve database credentials with a call to its API, removing the need to hardcode sensitive information in plain text within your application code
Secrets Manager API