Security and Compliance Flashcards

1
Q

Penetration Testing

A

Testing the vulnerabilities of a cloud infrastructure by simulating cyberattacks. Customers can run such tests without prior approval against their own AWS infrastructure for a few common AWS services.

Customers can’t conduct any security assessments of AWS infrastructure, or the AWS services themselves.

2
Q

Network Stress Testing

A

The tester sends a large volume of legitimate or test traffic to a specific intended target application. The test is successful if the endpoint and infrastructure handle the traffic well.

3
Q

AWS Shared Responsibility Model

A

Customer Responsibilities
- Customer Data
- Platform, Applications, IAM
- Operating System, Network & Firewall Configuration
- Client-side data encryption & data integrity authentication
- Server-side encryption (file system and/or data)
- Networking traffic protection (encryption, integrity, identity)
- Service and Communications Protection or Zone Security
- Guest OSes of EC2 Instances

AWS Responsibilities
- Software (Compute, Storage, Database, Networking, Patching Host OS)
- Hardware/AWS Global Infrastructure (Regions, AZs, Edge Locations)

Joint Responsibility
- Configuration Management
- Awareness & Training

4
Q

AWS CloudHSM

A

A cloud-based HSM (Hardware Security Module) that lets you generate and use your own encryption keys on the AWS Cloud. You can manage encryption keys using FIPS 140-2 Level 3 validated HSMs. It’s a fully managed service that automates time-consuming administrative tasks, such as hardware provisioning, software patching, high availability, and backups.

5
Q

AWS KMS (Key Management Service)

A

Lets you create and manage cryptographic keys and control their use across a wide range of AWS services and in your applications. Uses hardware security modules that have been validated under FIPS 140-2, or are in the process of being validated, to protect your keys.

It can’t be used as a Hardware Security Module for data encryption operations in the AWS Cloud.

6
Q

Amazon CloudWatch Logs

A

You can monitor, store, and access your log files from Amazon EC2 Instances, AWS CloudTrail, Route 53, and other sources such as on-premises servers.

It lets you centralise the logs from all of your systems, applications, and AWS services that you use in a single, highly scalable service.

7
Q

AWS CloudTrail

A

Main focus is account-specific activity and audit.

A service that allows for governance, compliance, operational auditing, and risk auditing of your AWS account. You can log, continuously monitor, and retain account activity related to actions across your AWS infrastructure.

It can’t be used to centralise the server logs for Amazon EC2 Instances.

You can create a multi-region trail that delivers activity records to an S3 bucket and prevents them from being overwritten automatically. A trail is applied to all AWS Regions by default.

It’s a regional service.

8
Q

U2F Security Key

A

It’s a device that plugs into a USB port on a computer. U2F is an open authentication standard hosted by the FIDO Alliance. When using it, you sign in by entering your credentials and then tapping the device instead of manually entering a code.

9
Q

Virtual Multi-Factor Authentication (AWS MFA) device

A

A software app that runs on a phone or other device and emulates a physical device. It generates a six-digit numeric code based upon a time-synchronised one-time password algorithm. The user must type a valid code from the device on a second webpage during sign-in. Each virtual MFA device assigned to a user must be unique.

10
Q

Hardware Multi-Factor Authentication (AWS MFA) device

A

A hardware device that generates a six-digit numeric code based upon a time-synchronised one-time password algorithm. The user must type a valid code from the device on a second webpage during sign-in. Each MFA device assigned to a user must be unique. A user can’t type a code from another user’s device to be authenticated.

11
Q

SMS text message-based Multi-Factor Authentication (AWS MFA)

A

This MFA is where the IAM user settings include the phone number of the user’s SMS-compatible mobile device. When the user signs in, AWS sends a six-digit numeric code by SMS text message to the user’s mobile device. The user is required to type that code on a second webpage during sign-in.

12
Q

AWS Organizations

A

It helps you centrally manage billing; control access, compliance, and security; and share resources across your AWS accounts. You can automate account creation, create groups of accounts to reflect your business needs, and apply policies to these groups for governance. It can also simplify billing by setting up a single payment method for all of your AWS accounts. It’s available to all AWS customers free of charge.

Best practices include:

1. Creating AWS accounts per department.
2. Restricting account privileges using Service Control Policies (SCPs).
3. Using tag standards to categorise AWS resources for billing purposes.
4. Enabling AWS CloudTrail to monitor activity on all accounts for governance, compliance, risk, and auditing purposes.
5. Automating AWS account creation.

Benefits include:
1. Volume discounts for Amazon EC2 and Amazon S3 aggregated across the member AWS accounts.
2. Sharing reserved Amazon EC2 Instances amongst the member AWS accounts.

13
Q

AWS Cost Explorer

A

Lets you explore AWS costs and usage at both a high level and at a detailed level of analysis, and empowers you to dive deeper using several filtering dimensions. It has historical data going back up to twelve months.

It can be used to forecast the costs and usage of an AWS account, and to find underutilised EC2 Instances.

14
Q

AWS Config

A

Main focus is resource-specific change history, audit, and compliance.

A service that lets you assess, audit, and evaluate the configurations of your AWS resources. Config continuously monitors and records your AWS resource configurations and lets you automate the evaluation of recorded configurations against desired configurations.

It doesn’t track account-wide infrastructure activity; rather, it tracks resource-specific changes, history, audits, and compliance.

15
Q

User Account Best Practices

A
  1. One Physical User = One Account

16
Q

Network Access Control Lists

A

Network ACLs operate at the subnet level and can allow or deny inbound or outbound traffic. They are essentially stateless firewalls that don’t track a connection’s state.

17
Q

Access Keys

A

Used to access AWS services through the AWS CLI, so you can interact with AWS resources programmatically.

18
Q

IAM Username and Passwords

A

Credentials used to manage AWS services through the web-based Management Console.

19
Q

API Keys

A

Used to authenticate with APIs provided by services such as Amazon API Gateway.

20
Q

SSH Keys

A

Used to connect to and control your EC2 Instances via an SSH connection.

21
Q

Best Practices: Temporary Access to Resources

A
  1. Create an IAM role and have the application assume that role.
  2. Create an IAM role when there are outside entities that need to perform specific actions in the AWS account.

22
Q

IAM Policy Simulator

A

It evaluates the policies that you choose and determines the effective permissions for each of the actions that you specify. It uses the same policy evaluation engine that is used during real requests to AWS services.

The simulator differs from the live AWS environment in the following ways:
1. No real AWS service requests are made.
2. It can’t report any response to the simulated request.
3. Policy changes inside the simulator won’t affect real policies.

You can attach test policies to IAM identities and other AWS resources within the simulator.

23
Q

Amazon Detective

A

It lets you assess, investigate, and pinpoint the source of suspected security vulnerabilities or suspicious activity in your AWS environment.

24
Q

Multi-factor Authentication (MFA)

A

This provides frequently generated codes as an extra layer of security. It can even be used to protect Amazon S3 bucket versioning.

25
Q

Security Assessments

A

Can conduct security assessments on the following resources, assuming that you own them:
- Amazon EC2 Instances, NAT Gateways, and Elastic Load Balancers
- Amazon RDS
- Amazon CloudFront
- Amazon Aurora
- Amazon API Gateways
- AWS Lambda and Lambda Edge functions
- Amazon Lightsail resources
- Amazon Elastic Beanstalk environments

The following activities are prohibited:
- DNS zone walking via Amazon Route 53 Hosted Zones
- Denial of Service (DoS), Distributed Denial of Service (DDoS), Simulated DoS, Simulated DDoS
- Port flooding
- Protocol flooding
- Request flooding (login request flooding, API request flooding)

26
Q

IAM Policy

A

These are created to manage access in AWS by attaching them to IAM identities (users, groups of users, or roles) or to AWS resources.

27
Q

Security Group

A

It controls the traffic that is allowed to reach and leave the resources associated with it, such as EC2 Instances.

Each VPC comes with a default security group.

Security groups accept IP address, IP address range, and security group ID as either source or destination of inbound or outbound rules.

28
Q

AWS KMS

A

Mainly used to encrypt data at rest and in transit. It’s a key management system for controlling access to encryption keys. It’s not for storing and managing credentials or providing automated secret rotation.

29
Q

OAC (Origin Access Control)

A

Lets CloudFront send authenticated requests to an Amazon S3 origin. Used to secure and restrict access to the content in an Amazon S3 bucket.

Once S3 and CloudFront are configured this way, your files can only be accessed through CloudFront and not directly from the S3 bucket.

30
Q

AWS Certificate Manager

A

It handles the complexity of creating, storing, and renewing public SSL/TLS X.509