Security and Compliance

Question 1

Shared Responsibility

Answer 1

Patch Management - like for RDS its AWS responsibility but for EC2 software patch management is customer responsibility
Awareness and Training -like AWS gives this to their employees and you give it to your employees
Configuration Management

Question 2

DDoS

Answer 2

Denial of service attack - The attacker uses BOT requests to the application server which is unable to service genuine user’s requests due to overload from BOT requests.

Question 3

AWS Shield Standard

Answer 3

Free and enabled for all customers against DDoS attack
Provides Layer 3 and 4 attacks and reflection attacks

Question 4

AWS Shield Advanced

Answer 4

Paid and 24/7 DDoS protection and support

Question 5

AWS WAF(Web Application Firewall)

Answer 5

Filter requests based on rules and placed on Layer 7 like Application Load Balancer, API Gateway and CloudFront.
Protection against web exploits
Define Web ACL - filter based on IP addresses, HTTP header, body and URI strings, geo matching, rate based rules
Protects against SQL Injection and Cross Site Scripting (XSS)

Question 6

CloudFront and Route 53

Answer 6

Provide protection at Edge location when used along with Shield

Architecture:
Route 53 is protected by shield and routes the requests to CloudFront.

CloudFront is also protected by shield and it caches the content on edge location

Use AWS WAF at CloudFront to filter the requests based on rules

Use Load Balancer on public subnet to scale the load at network level

Then behind load balancer use EC2 instances with ASG

Question 7

AWS Network Firewall

Answer 7

Protect VPC overall from Layer 3 to 7.
This operates at VPC level unlike Web ACL that operates at subnet level

Question 8

Penetration Testing

Answer 8

Simulated DDoS attacks, Port, Protocol and Request Flooding is not allowed

Question 9

KMS

Answer 9

Key Management Service is the AWS encryption service and keys are managed by AWS

Question 10

CloudHSM(Hardware security module)

Answer 10

AWS only provisions encryption hardware and encryption keys are managed by customer

Question 11

CMK

Answer 11

Customer Master Keys
1. Customer managed CMK
2. AWS managed CMK
3. AWS owned CMK
4. Cloud HSM keys(found under custom key store)
For CloudTrail and Glacier S3 encryption is enabled by default

Question 12

ACM(AWS Certificate Manager)

Answer 12

Service for SSL/TLS certificates

Question 13

Secrets Manager

Answer 13

Store and Rotate passwords (Rotation using custom Lambda function)
Integrated with Amazon RDS
Encrypted using KMS

Question 14

AWS Artifacts

Answer 14

Portal that provides AWS compliance and AWS agreement documents

Question 15

Amazon GuardDuty

Answer 15

Threat Detective Service
Detects anomalies in AWS account
Input is from CloudTrail logs, VPC flow logs, DNS logs, S3 logs, EBS logs, Lambda network activity, RDS and Aurora login logs, EKS audit logs and output can be sent to EventBridge to generate SNS or Lambda function

Question 16

Amazon Inspector

Answer 16

Run automated security assessments only on running EC2 instances, Lambda functions and Container images on ECR

Check for OS, S/w vulnerabilities and network reachability on EC2
Reports its findings into AWS Security Hub and Amazon Event Bridge

Question 17

AWS Config

Answer 17

Helps auditing and recording compliance of the AWS resources
It records the configurations and their changes over time

Question 18

AWS Macie

Answer 18

Fully managed data security and data privacy service uses ML
Alert agains PII

Question 19

AWS Security Hub

Answer 19

Dashboard to manage security across several AWS accounts and automate security checks
Aggregates alerts from Config, Guard Duty, Inspector, Macie, iAM Access Analyzer, Systems Manager, Firewall, Health, Partnet Network Solutions

Question 20

Amazon Detective

Answer 20

To analyze the root cause of security issues using ML and graphs

Question 21

AWS Abuse

Answer 21

Report suspected AWS resources used for abuse or illegal purpose

Question 22

Root User Priviledges

Answer 22

Change the account settings, such as the account name, the email address, the root user password and root user access keys,
View certain tax invoices
Close your account
Restore IAM user permissions
Change or cancel your AWS Support plan
Register as a seller in the Reserved Instance Marketplace
To configure an Amazon S3 bucket to enable MFA
To edit or delete an S3 bucket policy that is getting an invalid VPC ID or VPC endpoint ID
To sign up for GovCloud as well.

Question 23

CloudTrail

Answer 23

Track API calls made by users within the account

Question 24

iAM Access Analyzer

Answer 24

To identify which resources are shared externally outside your zone of trust