Security and Compliance Flashcards
Security and Compliance
Patch Management - like for RDS its AWS responsibility but for EC2 software patch management is customer responsibility
Awareness and Training -like AWS gives this to their employees and you give it to your employees
Configuration Management
Shared Responsibility
The attacker uses BOT requests to the application server which is unable to service genuine user’s requests due to overload from BOT requests.
DDoS
Free and enabled for all customers against DDoS attack
Provides Layer 3 and 4 attacks and reflection attacks
AWS Shield Standard
Paid and 24/7 DDoS protection and support
AWS Shield Advanced
Filter requests based on rules and placed on Layer 7 like Application Load Balancer, API Gateway and CloudFront.
Protection against web exploits
Define Web ACL - filter based on IP addresses, HTTP header, body and URI strings, geo matching, rate based rules
Protects against SQL Injection and Cross Site Scripting (XSS)
AWS WAF(Web Application Firewall)
Provide protection at Edge location when used along with Shield Architecture
Route 53 is protected by shield and routes the requests to CloudFront. CloudFront is also protected by shield and it caches the content on edge location
Use AWS WAF at CloudFront to filter the requests based on rules
Use Load Balancer on public subnet to scale the load at network level
Then behind load balancer user EC2 instances with ASG
CloudFront and Route 53
Protect VPC overall from Layer 3 to 7.This operates at VPC level unlike Web ACL that operates at subnet level
AWS Network Firewall
Simulated DDoS attacks, Port, Protocol and Request Flooding is not allowed
Penetration Testing
the AWS encryption service and keys are managed by AWS. What is it called?
KMS
AWS only provisions encryption hardware and encryption keys are managed by customer
CloudHSM(Hardware security module)
Customer Master Keys
1. Customer managed CMK
2. AWS managed CMK
3. AWS owned CMK
4. Cloud HSM keys(found under custom key store)
For CloudTrail and Glacier S3 encryption is enabled by default
CMK
Service for SSL/TLS certificates
ACM(AWS Certificate Manager)
Store and Rotate passwords (Rotation using custom Lambda function)Integrated with Amazon RDSEncrypted using KMS
Secrets Manager
Portal that provides AWS compliance and AWS agreement documents
AWS Artifacts
Threat Detective Service
Detects anomalies in AWS account
Input is from CloudTrail logs, VPC flow logs, DNS logs, S3 logs, EBS logs, Lambda network activity, RDS and Aurora login logs, EKS audit logs and output can be sent to EventBridge to generate SNS or Lambda function
Amazon GuardDuty
Run automated security assessments only on running EC2 instances, Lambda functions and Container images
ECR Check for OS, S/w vulnerabilities and network reachability
EC2 Reports its findings into AWS Security Hub and Amazon Event Bridge
Amazon Inspector
Helps auditing and recording compliance of the AWS resources
It records the configurations and their changes over time
AWS Config
Fully managed data security and data privacy service uses ML
Alert agains PII
AWS Macie
Dashboard to manage security across several AWS accounts and automate security checksAggregates alerts from Config, Guard Duty, Inspector, Macie, iAM Access Analyzer, Systems Manager, Firewall, Health, Partnet Network Solutions
AWS Security Hub
To analyze the root cause of security issues using ML and graphs
Amazon Detective
Report suspected AWS resources used for abuse or illegal purpose
AWS Abuse
Change the account settings, such as the account name, the email address, the root user password and root user access keys
View certain tax invoices
Close your account
Restore IAM user permissions
Change or cancel your AWS Support plan
Register as a seller in the Reserved Instance Marketplace
To configure an Amazon S3 bucket to enable MFA
To edit or delete an S3 bucket policy that is getting an invalid VPC ID or VPC endpoint ID
To sign up for GovCloud as well.
Root User Priviledges
Track API calls made by users within the account
CloudTrail
To identify which resources are shared externally outside your zone of trust
iAM Access Analyzer
