Security and Compliance Flashcards
Shared Responsibility Model
Security & Compliance responsibility is shared:
AWS - security of the cloud: cloud infrastructure, inc. hardware, software, networking and facilities.
Customer - security in the cloud: data, platforms, applications and software (including their patching), and configurations (like rotating credentials, securing API calls, IAM, network traffic protection, firewall config).
Shared Responsibility Model: EC2 example
AWS:
- EC2 Service
- patching the host operating system
- security of the physical server
Customer:
- installed apps
- patching the guest operating system
- security controls
Shared Responsibilities: Patching Infrastructure
AWS = patching host infrastructure
Customer = patching guest OS and apps
Shared Responsibilities: Configuration Management
AWS = configuring infrastructure devices
Customer = configuring databases and apps
Shared Responsibilities: Awareness and Training
AWS = AWS employees
Customer = their own employees
Security breach or abuse report
AWS Trust & Safety team using “Report Amazon AWS abuse”
Well-Architected Framework: 6 Pillars
- Operational Excellence
- Security
- Reliability
- Performance Efficiency
- Cost Optimisation
- Sustainability
WAF Pillar: Operational Excellence
Create apps that support your production workloads:
- plan for and anticipate failure
- deploy smaller, reversible changes
- script operations as code (terraform)
- learn from failure and refine
WAF Pillar: Security
Mechanisms that protect your systems and data:
- automated security tasks
- encrypt data in transit and at rest
- assign least privilege
- tracking of who/what/when
- security at all application layers
WAF Pillar: Reliability
Design systems that work consistently and recover quickly:
- automatic failure recovery
- scale horizontally for resilience
- manage change through automation
- stop guessing capacity
- test recovery procedures
WAF Pillar: Performance Efficiency
Effective use of computing resources to meet requirements while removing bottlenecks:
- serverless architecture
- multi-region deployment
- delegate tasks to a cloud vendor
- use virtual resources
WAF Pillar: Cost Optimisation
Deliver an optimal, resilient solution at the lowest cost:
- consumption-based pricing
- Cloud Financial Management
- measure efficiency
- pay only for what’s needed
WAF Pillar: Sustainability
Environmental impact - energy consumption and efficiency:
- sustainable goals
- maximise utilisation
- managed services
- reduce downstream impact
IAM
Identity and Access Management - allows you to control access to AWS services and resources.
who = Identities i.e. Root User, Individual User, Groups, Roles (apps can be users)
what = Access i.e. Policies (customer & AWS managed), Permissions Boundaries
Authentication vs Authorisation
Who vs What
Authentication = present identity and verify (username & password)
Authorisation = which services and resources the identity has access to
Principle of least privilege
Giving a user the minimum access required to get the job done.
IAM Group
A collection of IAM users that helps apply common access controls to all group members using policies and roles.
An IAM group is a collection of users, whereas an EC2 security group acts as a firewall.
Roles
Define access permissions and are temporarily assumed by IAM users and services (e.g. a Lambda execution role can list the contents of an S3 bucket and query DynamoDB).
Policies
Manage permissions for IAM users, groups, and roles by creating a policy document in JSON format and attaching it.
It can be customer managed or AWS managed (e.g. AmazonS3FullAccess).
IAM Best Practice
- Enable MFA (multi-factor authentication) for privileged users.
- Implement strong password policies.
- Create individual users instead of using root.
- Use roles for Amazon EC2 instances instead of long-term credentials like access keys.
IAM Credential Report
Lists all users in your account and the status of their various credentials.
Firewall
Prevents unauthorised access to networks by inspecting incoming and outgoing traffic against defined security rules.
WAF
Web Application Firewall - helps to protect web apps against common web attacks such as SQL injection or cross-site scripting.
DDoS
DDoS (Distributed Denial of Service) attack causes a traffic jam on a website or web app to cause it to crash.
Shield
Managed DDoS protection service that is free and always on. You can pay for an advanced version, where you get 24/7 access to AWS experts.
Supported on CloudFront, Route 53, Elastic Load Balancing, AWS Global Accelerator.
Macie
Uses ML to evaluate your S3 environment to discover and protect sensitive personal data like credit card numbers or passport numbers.
Config
Tracks configuration changes and delivers config history file to S3 to help you assess, audit and evaluate all configs.
You can set up SNS notifications for every config change.
GuardDuty
Threat detection system that uses ML to uncover unauthorised behaviour. It can alert you or take predetermined automated actions.
It has built-in detection for EC2, S3 and IAM, and actively reviews CloudTrail, VPC Flow Logs and DNS logs.
Inspector
Works with EC2, Lambda, container images in ECR and various CI/CD tools to uncover and report vulnerabilities by level of severity.
Artifact
Central repository for on demand access to AWS security and compliance reports, inc. SOC and PCI reports.
Cognito
Helps control access to mobile and web applications by providing authentication and authorisation (user management, sign-up and sign-in e.g. sign-in with a social media account).
Data in Flight vs Data at Rest
In Flight (or in Transit) - moving from one location to another, e.g. an API querying a database.
At Rest - inactive data, or data stored for later use, e.g. stored in S3.
KMS
Key Management Service - allows you to generate, store and control encryption keys. Managed by AWS.
CloudHSM
Cloud Hardware Security Module - used to generate encryption keys. AWS does NOT have access to your keys.