Security and Compliance Flashcards
Penetration Testing
Testing the vulnerabilities of a cloud infrastructure by simulating cyberattacks. Such tests can be done without prior approval against a customer's own AWS infrastructure for a few common AWS services.
Customers can't conduct any security assessments of the AWS infrastructure, or of the AWS services themselves.
Network Stress Testing
Sending a large volume of legitimate or test traffic to a specific intended target application. The test succeeds if the endpoint and infrastructure handle the traffic well.
AWS Shared Responsibility Model
Customer Responsibilities
- Customer Data
- Platform, Applications, IAM
- Operating System, Network & Firewall Configuration
- Client-side data encryption & data integrity authentication
- Server-side encryption (file system and/or data)
- Networking traffic protection (encryption, integrity, identity)
- Service and Communications Protection or Zone Security
- Guest OSs of EC2 Instances
AWS Responsibilities
- Software (Compute, Storage, Database, Networking, Patching Host OS)
- Hardware/AWS Global Infrastructure (Regions, AZs, Edge Locations)
Joint Responsibility
- Configuration Management
- Awareness & Training
AWS CloudHSM
A cloud-based HSM (Hardware Security Module) that lets you generate and use your own encryption keys on the AWS Cloud. Keys are managed using FIPS 140-2 Level 3 validated HSMs. It's a fully managed service that automates time-consuming administrative tasks, such as hardware provisioning, software patching, high availability, and backups.
AWS KMS (Key Management Service)
Lets you create and manage cryptographic keys and control their use across a wide range of AWS services and in your applications. Uses hardware security modules that have been validated under FIPS 140-2, or are in the process of being validated, to protect your keys.
It can't be used as a Hardware Security Module for data encryption operations in the AWS Cloud.
Amazon CloudWatch Logs
You can monitor, store, and access your log files from Amazon EC2 Instances, AWS CloudTrail, Route 53, and other sources such as on-premises servers.
It lets you centralise the logs from all of your systems, applications, and AWS services that you use in a single, highly scalable service.
AWS CloudTrail
Main focus is account-specific activity and audit.
A service that allows for governance, compliance, operational auditing, and risk auditing of your AWS account. You can log, continuously monitor, and retain account activity related to actions across your AWS infrastructure.
It can’t be used to centralise the server logs for Amazon EC2 Instances.
Can create a multi-region trail to store activity records in an S3 bucket and prevent them from being overwritten automatically. A trail is applied to all AWS Regions by default.
It’s a regional service.
U2F Security Key
It's a device that plugs into a USB port on a computer. U2F is an open authentication standard hosted by the FIDO Alliance. When using it, you sign in by entering your credentials and then tapping the device instead of manually entering a code.
Virtual Multi-Factor Authentication (AWS MFA) device
A software app on a phone or other device that emulates a physical device. It generates a six-digit numeric code based upon a time-synchronised one-time password algorithm. The user must type a valid code from the device on a second webpage during sign-in. Each virtual MFA device assigned to a user must be unique.
Hardware Multi-Factor Authentication (AWS MFA) device
A hardware device that generates a six-digit numeric code based upon a time-synchronised one-time password algorithm. The user must type a valid code from the device on a second webpage during sign-in. Each MFA device assigned to a user must be unique. A user can’t type a code from another user’s device to be authenticated.
SMS text message-based Multi-Factor Authentication (AWS MFA)
This MFA is where the IAM user settings include the phone number of the user’s SMS-compatible mobile device. When the user signs in, AWS sends a six-digit numeric code by SMS text message to the user’s mobile device. The user is required to type that code on a second webpage during sign-in.
AWS Organizations
It helps you centrally manage billing; control access, compliance, and security; and share resources across your AWS accounts. You can automate account creation, create groups of accounts to reflect your business needs, and apply policies for these groups for governance. Can also simplify billing by setting up a single payment method for all of your AWS accounts. It’s available to all AWS customers free of charge.
Best practices include:
- Creating AWS accounts per department.
- Restricting account privileges using Service Control Policies (SCPs).
- Using tag standards to categorise AWS resources for billing purposes.
- Enabling AWS CloudTrail to monitor activity on all accounts for governance, compliance, risk, and auditing purposes.
- Automating AWS account creation.
Benefits include:
1. Volume discounts for Amazon EC2 and Amazon S3 aggregated across the member AWS accounts.
2. Sharing of reserved Amazon EC2 Instances amongst the member AWS accounts.
AWS Cost Explorer
Lets you explore AWS costs and usage at both a high level and at a detailed level of analysis, and empowers you to dive deeper using several filtering dimensions. Has historical data going back up to twelve months.
Can be used to forecast the costs and usage of an AWS account. Can be used to find underutilised EC2 Instances.
AWS Config
Main focus is resource-specific change history, audit, and compliance.
A service that lets you assess, audit, and evaluate the configurations of your AWS resources. Config continuously monitors and records your AWS resource configurations and lets you automate the evaluation of recorded configurations against desired configurations.
It doesn't track the infrastructure as a whole, but rather resource-specific changes, history, audits, and compliance.
User Account Best Practices
- One Physical User = One Account