Security and Compliance Flashcards by Rick Crowe

What are AWS’ Responsibilities in the shared security model?

AWS’ responsibility - Security of the Cloud - AWS is responsible for protecting and securing their infrastructure

AWS Global Infrastructure - AWS is responsible for its global infrastructure elements: Regions, edge locations, and Availability Zones

Building Security - AWS controls access to its data centers where your data resides

Networking Components - AWS maintains networking components: generators, uninterruptible power supply (UPS) systems, computer room air conditioning (CRAC) units, fire suppression systems, and more.

Software - AWS is responsible for any managed service like RDS, S3, ECS, or Lambda, patching of host operating systems, and data access endpoints.

How well did you know this?

Not at all

Perfectly

What are AWSs’ Responsibilities in the shared security model?

Your responsibility - Security in the Cloud - You are responsible for how the services are implemented and managing your application data

Application Data - You are responsible for managing your application data, which includes encryption options.

Security Configuration - You are responsible for securing your account and API calls, rotating credentials, restricting internet access from your VPCs, and more.

Patching - You are responsible for the guest operating system (OS), which includes updates and security patches.

Identity and Access - You are responsible for application security and identity and access management.

Network Traffic - You are responsible for network traffic protection, which includes security group firewall configuration.

Installed Software - You are responsible for your application code, installed software, and more. You should frequently scan for and patch vulnerabilities in your code.

How well did you know this?

Not at all

Perfectly

EC2 Shared Responsibility Model. You vs AWS?

You
Installed applications
Patching the guest operating system
Security controls

AWS
EC2 service
Patching the host operating system
Security of the physical server

How well did you know this?

Not at all

Perfectly

Lambda Shared Responsibility Model. You vs AWS?

You
Security of code
Storage of sensitive data
IAM for permissions

AWS
Lambda service
Upgrading Lambda languages
Lambda endpoints
Operating system
Underlying infrastructure
Software dependencies

How well did you know this?

Not at all

Perfectly

What responsibilities are shared in the Shared Security Responsibilities model?

Patch Management
AWS is responsible for patching infrastructure
You are responsible for patching guest OS and applications

Configuration Management
AWS is responsible for configuring infrastructure devices
You are responsible for configuring databases and applications

Awareness and Training
AWS is responsible for training their employees
You are responsible for training your employees

How well did you know this?

Not at all

Perfectly

Where do you report abuse of services to?

AWS Trust and Safety Team
abuse@amazonaws.com

How well did you know this?

Not at all

Perfectly

What are the 6 pillars of the Well-Architected Framework?

Operational Excellence

Security

Reliability

Performance Efficiency

Cost Optimization

Sustainability

How well did you know this?

Not at all

Perfectly

What does the Operational Excellence pillar of the Well-Architected Framework focus on?

This pillar focuses on creating applications that effectively support production workloads.
a. Plan for and anticipate failure
b. Script operations as code
c. Deploy smaller, reversible changes
d. Learn from failure and refine

How well did you know this?

Not at all

Perfectly

What does the Security pillar of the Well-Architected Framework focus on?

This pillar focuses on putting mechanisms in place that help protect your systems and data.
a. Automate security tasks
b. Assign only the least privileges required
c. Encrypt data in transit and at rest
d. Track who did what and when
e. Ensure security at all application layers

How well did you know this?

Not at all

Perfectly

What does the Reliability pillar of the Well-Architected Framework focus on?

This pillar focuses on designing systems that work consistently and recover quickly.
a. Recover from failure automatically
b. Stop guessing capacity
c. Scale horizontally for resilience
d. Manage change through automation
e. Test recovery procedures

How well did you know this?

Not at all

Perfectly

What does the Performance Efficiency pillar of the Well-Architected Framework focus on?

This pillar focuses on the effective use of computing resources to meet system and business requirements while removing bottlenecks.
a. Use serverless architectures first
b. Delegate tasks to a cloud vendor
c. Use multi-region deployments
d. Experiment with virtual resources

How well did you know this?

Not at all

Perfectly

What does the Cost Optimization pillar of the Well-Architected Framework focus on?

This pillar focuses on delivering optimum and resilient solutions at the least cost to the user
a. Utilize consumption-based pricing
b. Measure overall efficiency
c. Implement Cloud Financial Management
d. Pay only for resources your application requires

How well did you know this?

Not at all

Perfectly

What does the Sustainability pillar of the Well-Architected Framework focus on?

This pillar focuses on environmental impacts, especially energy consumption and efficiency.
a. Understand your impact
b. Maximize utilization Establish sustainability goals
c. Use managed services
d. Reduce downstream impact

How well did you know this?

Not at all

Perfectly

What does Identity and Access Management (IAM) provide?

Allows you to control access to your AWS services and resources

Helps you secure your cloud resources

You define who has access

You define what they can do

A free global service

How well did you know this?

Not at all

Perfectly

What are identities in AWS?

Identities are who can access your resources

Root user

Individual users

Groups

Roles

How well did you know this?

Not at all

Perfectly

What is Access in terms of AWS?

What resources your identities can access through the use of:

Policies

AWS managed policies

Customer managed policies

Permission boundaries

What is Authentication?

Authentication - is where you present your identity (username) and provide verification (password).

What is Authorization?

Authorization - determines which services and resources the authenticated identity has access to.

What are Users?

Users - entities you create in IAM to represent the person or application needing to access your AWS resources.

What can only the Root user do?

Only the Root user can do the following

Close your account

Change email address

Modify your support plan

What is the principle of least privilege?

The Principle of least privilege involves giving a user the minimum access required to get the job done.

What are Groups?

Groups - a collection of IAM users that helps you apply common access controls to all group members.

EC2 security groups act as firewalls while IAM groups are collections of users.

What are roles?

Roles - define access permissions and are temporarily assumed by an IAM user or service
* You assume a role to perform a task in a single session
* Assumed by any user or service that needs it
* Access is assigned using policies
* You grant users in one AWS account access to resources in another AWS account
* Real world
○ You can attach a role to an instance that provides privileges (e.g., uploading files to S3) to applications running on the instance. Roles help you avoid sharing long-term credentials like access keys and protect your instances from unauthorized access.

What are policies?

Policies - You manage permissions for IAM users, groups, and roles by creating a policy document in JSON format and attaching it.

What are some best practices for IAM?

1. Enable MFA for privileged users 2. Implement strong password policies 3. Create individual users instead of using root 4. Use roles for Amazon EC2 instances

What is the IAM Credential Report?

IAM Credential Report - lists all users in your account and the status of their various credentials * Lists all users and status of passwords, access keys, and MFA devices * Used for auditing and compliance

Application Security Services What is a WAF?

WAF - Web Application Firewall - helps protect your web applications against common web attacks. * Protects apps against common attack patterns * Protects against SQL injection * Protects against cross-site scripting

Application Security Services What is a Distributed Denial of Service (DDoS) attack?

Distributed Denial of Service (DDoS) - an attack that causes a traffic jam on a website or web application in an attempt to cause it to crash.

Application Security Services What is Shield?

a managed Distributed Denial of Service (DDoS) protection service * Always-on detection * Shield Standard is free ○ Provides free protection against common and frequently occurring attacks ○ Provides enhanced protections and 24/7 access to AWS experts for a fee * Shield Advanced is a paid service ○ DDoS protection via Shield Advanced is supported on several services § CloudFront § Route 53 § Elastic Load Balancing § AWS Global Accelerator

Application Security Services What is Macie?

Helps you discover and protect sensitive data * Uses machine learning * Evaluates S3 environment * Uncovers personally identifiable information (PII)

Additional Security Services What is Config?

Config - allows you to assess, audit, and evaluate the configurations of your resources. * Track configuration changes over time * Delivers configuration history file to S3 * Notifications via Simple Notification Service (SNS) of every configuration change * Use Case ○ Identify system-level configuration changes made to your EC2 instances. For example network, software, and OS configuration changes, system-level updates, and more.

Additional Security Services What is GuardDuty?

GuardDuty - an intelligent threat detection system that uncovers unauthorized behavior. * Uses machine learning * Built-in detection for EC2, S3, and IAM * Reviews CloudTrail, VPC flow logs, and DNS logs * Use Case ○ Detect unusual API calls in your account. GuardDuty's anomaly detection feature evaluates all API request in your account and identifies events that are associated with common techniques used by attackers.

Additional Security Services What is Inspector?

Inspector - works with EC2 instances to uncover and report vulnerabilities. * Agent installed on EC2 instance * Reports vulnerabilities found * Checks access from the Internet, remote root login, vulnerable software versions, etc. * Use Case ○ Identify unintended network access to an EC2 instance via a detailed report of security findings

Additional Security Services What is Artifact?

Artifact - offers on-demand access to AWS security and compliance reports. * Central repository for compliance reports from third-party auditors * Service Organization Control (SOC) reports * Payment Card Industry (PCI) reports * Use Case ○ You need to access AWS' certification for ISO compliance

Additional Security Services What is Cognito?

Cognito - helps you control access to mobile and web applications * Provides authentication and authorization * Helps you manage users * Assist with user sign-up and sign-in * Use Case ○ You need to add a social media sign-in to your web application

Data Encryption and Secrets Management What is KMS?

KMS - Key Management Service - allows you to generate and store encryption keys * Key generator * Store and control keys * AWS manages encryption keys * Automatically enabled for certain services

Data Encryption and Secrets Management What is CloudHSM?

CloudHSM - a hardware security module (HSM) used to generate encryption keys * Dedicated hardware for security * Generate and manage your own encryption keys * AWS does not have access to your keys

Data Encryption and Secrets Management What is Secrets Manager?

Secrets Manager - allows you to manage and retrieve secrets (passwords or keys). * Rotate, manage, and retrieve secrets * Encrypt secrets at rest * Integrates with services like RDS, Redshift, and DocumentDB