Security and Compliance Flashcards
What are AWS’ Responsibilities in the shared security model?
AWS’ responsibility - Security of the Cloud - AWS is responsible for protecting and securing their infrastructure
AWS Global Infrastructure - AWS is responsible for its global infrastructure elements: Regions, edge locations, and Availability Zones
Building Security - AWS controls access to its data centers where your data resides
Networking Components - AWS maintains networking components: generators, uninterruptible power supply (UPS) systems, computer room air conditioning (CRAC) units, fire suppression systems, and more.
Software - AWS is responsible for any managed service like RDS, S3, ECS, or Lambda, patching of host operating systems, and data access endpoints.
What are your responsibilities in the shared security model?
Your responsibility - Security in the Cloud - You are responsible for how the services are implemented and managing your application data
Application Data - You are responsible for managing your application data, which includes encryption options.
Security Configuration - You are responsible for securing your account and API calls, rotating credentials, restricting internet access from your VPCs, and more.
Patching - You are responsible for the guest operating system (OS), which includes updates and security patches.
Identity and Access - You are responsible for application security and identity and access management.
Network Traffic - You are responsible for network traffic protection, which includes security group firewall configuration.
Installed Software - You are responsible for your application code, installed software, and more. You should frequently scan for and patch vulnerabilities in your code.
EC2 Shared Responsibility Model. You vs AWS?
You
Installed applications
Patching the guest operating system
Security controls
AWS
EC2 service
Patching the host operating system
Security of the physical server
Lambda Shared Responsibility Model. You vs AWS?
You
Security of code
Storage of sensitive data
IAM for permissions
AWS
Lambda service
Upgrading Lambda languages
Lambda endpoints
Operating system
Underlying infrastructure
Software dependencies
What responsibilities are shared in the Shared Security Responsibilities model?
Patch Management
AWS is responsible for patching infrastructure
You are responsible for patching guest OS and applications
Configuration Management
AWS is responsible for configuring infrastructure devices
You are responsible for configuring databases and applications
Awareness and Training
AWS is responsible for training their employees
You are responsible for training your employees
Where do you report abuse of services?
AWS Trust and Safety Team
abuse@amazonaws.com
What are the 6 pillars of the Well-Architected Framework?
Operational Excellence
Security
Reliability
Performance Efficiency
Cost Optimization
Sustainability
What does the Operational Excellence pillar of the Well-Architected Framework focus on?
This pillar focuses on creating applications that effectively support production workloads.
a. Plan for and anticipate failure
b. Script operations as code
c. Deploy smaller, reversible changes
d. Learn from failure and refine
What does the Security pillar of the Well-Architected Framework focus on?
This pillar focuses on putting mechanisms in place that help protect your systems and data.
a. Automate security tasks
b. Assign only the least privileges required
c. Encrypt data in transit and at rest
d. Track who did what and when
e. Ensure security at all application layers
What does the Reliability pillar of the Well-Architected Framework focus on?
This pillar focuses on designing systems that work consistently and recover quickly.
a. Recover from failure automatically
b. Stop guessing capacity
c. Scale horizontally for resilience
d. Manage change through automation
e. Test recovery procedures
What does the Performance Efficiency pillar of the Well-Architected Framework focus on?
This pillar focuses on the effective use of computing resources to meet system and business requirements while removing bottlenecks.
a. Use serverless architectures first
b. Delegate tasks to a cloud vendor
c. Use multi-region deployments
d. Experiment with virtual resources
What does the Cost Optimization pillar of the Well-Architected Framework focus on?
This pillar focuses on delivering optimum and resilient solutions at the least cost to the user.
a. Utilize consumption-based pricing
b. Measure overall efficiency
c. Implement Cloud Financial Management
d. Pay only for resources your application requires
What does the Sustainability pillar of the Well-Architected Framework focus on?
This pillar focuses on environmental impacts, especially energy consumption and efficiency.
a. Understand your impact
b. Establish sustainability goals
c. Maximize utilization
d. Use managed services
e. Reduce downstream impact
What does Identity and Access Management (IAM) provide?
Allows you to control access to your AWS services and resources
Helps you secure your cloud resources
You define who has access
You define what they can do
A free global service
What are identities in AWS?
Identities are who can access your resources
Root user
Individual users
Groups
Roles
What is Access in terms of AWS?
What resources your identities can access through the use of:
Policies
AWS managed policies
Customer managed policies
Permission boundaries
What is Authentication?
Authentication - presenting your identity (username) and providing verification (password).
What is Authorization?
Authorization - determines which services and resources the authenticated identity has access to.
What are Users?
Users - entities you create in IAM to represent the person or application needing to access your AWS resources.
What can only the Root user do?
Only the Root user can do the following
Close your account
Change email address
Modify your support plan
What is the principle of least privilege?
The Principle of least privilege involves giving a user the minimum access required to get the job done.
What are Groups?
Groups - a collection of IAM users that helps you apply common access controls to all group members.
EC2 security groups act as firewalls while IAM groups are collections of users.
What are roles?
Roles - define access permissions and are temporarily assumed by an IAM user or service.
* You assume a role to perform a task in a single session
* Assumed by any user or service that needs it
* Access is assigned using policies
* You grant users in one AWS account access to resources in another AWS account
* Real world
○ You can attach a role to an instance that provides privileges (e.g., uploading files to S3) to applications running on the instance. Roles help you avoid sharing long-term credentials like access keys and protect your instances from unauthorized access.
What are policies?
Policies - You manage permissions for IAM users, groups, and roles by creating a policy document in JSON format and attaching it.
What are some best practices for IAM?
- Enable MFA for privileged users
- Implement strong password policies
- Create individual users instead of using root
- Use roles for Amazon EC2 instances
What is the IAM Credential Report?
IAM Credential Report - lists all users in your account and the status of their various credentials
* Lists all users and status of passwords, access keys, and MFA devices
* Used for auditing and compliance
Application Security Services
What is a WAF?
WAF - Web Application Firewall - helps protect your web applications against common web attacks.
* Protects apps against common attack patterns
* Protects against SQL injection
* Protects against cross-site scripting
What is a Distributed Denial of Service (DDoS) attack?
Distributed Denial of Service (DDoS) - an attack that causes a traffic jam on a website or web application in an attempt to cause it to crash.
What is Shield?
a managed Distributed Denial of Service (DDoS) protection service
* Always-on detection
* Shield Standard is free
○ Provides free protection against common and frequently occurring attacks
* Shield Advanced is a paid service
○ Provides enhanced protections and 24/7 access to AWS experts for a fee
○ DDoS protection via Shield Advanced is supported on several services
§ CloudFront
§ Route 53
§ Elastic Load Balancing
§ AWS Global Accelerator
What is Macie?
Helps you discover and protect sensitive data
* Uses machine learning
* Evaluates S3 environment
* Uncovers personally identifiable information (PII)
Additional Security Services
What is Config?
Config - allows you to assess, audit, and evaluate the configurations of your resources.
* Track configuration changes over time
* Delivers configuration history file to S3
* Notifications via Simple Notification Service (SNS) of every configuration change
* Use Case
○ Identify system-level configuration changes made to your EC2 instances. For example, network, software, and OS configuration changes, system-level updates, and more.
What is GuardDuty?
GuardDuty - an intelligent threat detection system that uncovers unauthorized behavior.
* Uses machine learning
* Built-in detection for EC2, S3, and IAM
* Reviews CloudTrail, VPC flow logs, and DNS logs
* Use Case
○ Detect unusual API calls in your account. GuardDuty’s anomaly detection feature evaluates all API requests in your account and identifies events that are associated with common techniques used by attackers.
What is Inspector?
Inspector - works with EC2 instances to uncover and report vulnerabilities.
* Agent installed on EC2 instance
* Reports vulnerabilities found
* Checks access from the Internet, remote root login, vulnerable software versions, etc.
* Use Case
○ Identify unintended network access to an EC2 instance via a detailed report of security findings
What is Artifact?
Artifact - offers on-demand access to AWS security and compliance reports.
* Central repository for compliance reports from third-party auditors
* Service Organization Control (SOC) reports
* Payment Card Industry (PCI) reports
* Use Case
○ You need to access AWS’ certification for ISO compliance
What is Cognito?
Cognito - helps you control access to mobile and web applications
* Provides authentication and authorization
* Helps you manage users
* Assists with user sign-up and sign-in
* Use Case
○ You need to add a social media sign-in to your web application
Data Encryption and Secrets Management
What is KMS?
KMS - Key Management Service - allows you to generate and store encryption keys
* Key generator
* Store and control keys
* AWS manages encryption keys
* Automatically enabled for certain services
What is CloudHSM?
CloudHSM - a hardware security module (HSM) used to generate encryption keys
* Dedicated hardware for security
* Generate and manage your own encryption keys
* AWS does not have access to your keys
What is Secrets Manager?
Secrets Manager - allows you to manage and retrieve secrets (passwords or keys).
* Rotate, manage, and retrieve secrets
* Encrypt secrets at rest
* Integrates with services like RDS, Redshift, and DocumentDB