Security and Compliance

Question 1

Shared Responsibility Model

Answer 1

Security & Compliance responsibility is shared:

AWS - security of the cloud: cloud infrastructure, inc. hardware, software, networking and facilities.

Customer - security in the cloud: data, platforms, apps and software and its patching, and configurations (like rotating credentials, securing API calls, IAM, network traffic protection, firewall config).

Question 2

Shared Responsibility Model: EC2 example

Answer 2

AWS:
- EC2 Service
- patching the host ops system
- security of the physical server

Customer:
- installed apps
- patching guest ops system
- security controls

Question 3

Shared Responsibilities: Patching Infrastructure

Answer 3

AWS = patching host infrastructure
Customer = patching guest OS and apps

Question 4

Shared Responsibilities: Configuration Management

Answer 4

AWS = configurating infrastructure devices
Customer = configuring databases and apps

Question 5

Shared Responsibilities: Awareness and Training

Answer 5

AWS = AWS employees
Customer = their own employees

Question 6

Security breach or abuse report

Answer 6

AWS Trust & Safety team using “Report Amazon AWS abuse”

Question 7

Well-Architected Framework: 6 Pillars

Answer 7

1. Operational Excellence
2. Security
3. Reliability
4. Performance Efficiency
5. Cost Optimisations
6. Sustainability

Question 8

WAF Pillar: Operational Excellence

Answer 8

Create apps that support your production workloads:
- plan for and anticipate failure
- deploy smaller, reversable changes
- script operations as code (terraform)
- learn from failure and refine

Question 9

WAF Pillar: Security

Answer 9

Mechanisms that protect your systems and data:
- automated security tasks
- encrypted data in transit and rest
- least privileges assigned
- tracking of who/what/when
- security at all applications layers

Question 10

WAF Pillar: Reliability

Answer 10

Design systems that work consistently and recover quickly:
- automatic failure recovery
- scale horizontally for resilience
- manage change through automation
- stop guessing capacity
- test recovery procedures

Question 11

WAF Pillar: Performance Efficiency

Answer 11

Effective use of computing resources to meet requirements while removing bottlenecks:
- serverless architecture
- multi-region deployment
- delegate tasks to a cloud vendor
- use virtual resources

Question 12

WAF Pillar: Cost Optimisation

Answer 12

Deliver optimum and resilient solution at the least cost:
- consumption-based pricing
- Cloud Financial Management
- measure efficiency
- pay only for what’s needed

Question 13

WAF Pillar: Sustainability

Answer 13

Environmental impact - energy consumption and efficiency:
- sustainable goals
- maximise utilisation
- managed services
- reduce downstream impact

Question 14

IAM

Answer 14

Identity and Access Management - allows you to control access to AWS services and resources.

who = Identities i.e. Root User, Individual User, Groups Roles (Apps can be users)
what = Access i.e. Policies (customer & AWS managed), Permissions Boundaries

Question 15

Authentication vs Authorisation

Answer 15

Who vs What
Authentication = present identity and verify (username & password)
Authorisation = which services and resources the identity has access to

Question 16

Principle of least privilege

Answer 16

Giving user the minimum access required to get the job done.

Question 17

IAM Group

Answer 17

A collection of IAM users that helps apply common access controls to all group members using policies and roles.

IAM group is a collection of users vs EC2 group acts as a firewall.

Question 18

Roles

Answer 18

Define access permissions and are temporarily assumed by an IAM users and services (e.g. Lambda-Execution Role can list contents of S3 bucket and query DynamoDB).

Question 19

Policies

Answer 19

Manage permissions for IAM users, groups, and roles by creating a policy document in JSON format and attaching it.

It can be customer managed or AWS managed (e.g. AmazonS3FullAccess).

Question 20

IAM Best Practice

Answer 20

1. Enable MFA (multi-factor authentication) for privileged users.
2. Implement strong password policies.
3. Create individual users instead of using root.
4. Use rules for Amazon EC2 instances instead of long-term credentials like access keys.

Question 21

IAM Credential Report

Answer 21

Lists all users in your account and the status of their various credentials.

Question 22

Firewall

Answer 22

Prevents unauthorised access to networks by inspecting incoming and outgoing traffic against defined security rules.

Question 23

WAF

Answer 23

Web Application Firewall - helps to protect web apps against common web attacks such as SQL injection or cross-site scripting.

Question 24

DDoS

Answer 24

DDoS (Distributed Denial of Service) attack causes a traffic jam on a website or web app to cause it to crash.

Question 25

Shield

Answer 25

Managed DDoS protection service, that is free and always on. You can pay for an advanced version, where you ger 24/7 AWS experts.

Supported on CloudFront, Route 53, Elastic Load Balancing, AWS Global Accelerator.

Question 26

Macie

Answer 26

Uses ML to evaluate S3 environment to discover and protect sensitive personal data like credit card number or passport number.

Question 27

Config

Answer 27

Tracks configuration changes and delivers config history file to S3 to help you assess, audit and evaluate all configs.

You can set up SNS notification for every config change.

Question 28

GuardDuty

Answer 28

Treat detection system that uses ML to uncover unauthorised behaviour. It can alert you or take predetermined automated actions.

It has a built-in detection for EC2, S3 and IAM; and actively reviews CloudTrail, VPC Flow Logs and DNS Logs.

Question 29

Inspector

Answer 29

Works with EC2, Lambda, container images in ECR and various CI/CD tools to uncover and report vulnerabilities by level of severity.

Question 30

Artifact

Answer 30

Central repository for on demand access to AWS security and compliance reports, inc. SOC and PCI reports.

Question 31

Cognito

Answer 31

Helps control access to mobile and web applications by providing authentication and authorisation (user management, sign-up and sign-in e.g. sign-in with a social media account).

Question 32

Data in Flight vs Data at Rest

Answer 32

In Flight (or in Transit) - moving from one location to another e.g. API querying a database.

At Rest - inactive data or stored for later use e.g. stored in S3.

Question 33

KMS

Answer 33

Key Management Service - allows to generate, store and control encryption keys. Managed by AWS.

Question 34

CloudHSM

Answer 34

Cloud Hardware Security Module - used to generate encryption keys. AWS does NOT have access to your keys.