Security and Compliance Flashcards

1
Q

Briefly outline the responsibilities stated in the shared responsibility model.

A

AWS - ‘of’ the cloud
Customer - ‘in’ the cloud

2
Q

What is AWS WAF? What is an example of its potential actions?

A

Web Application Firewall.
Filters specific requests based on rules, e.g. disallow requests from specific countries or disallow requests that are too large from one user.

2
Q

What are 2 benefits of using AWS Firewall Manager?

A

Centralised place to access and edit.
All rules are applied to new resources as they are created for all accounts.

3
Q

How does a DDoS attack tend to work? What AWS service can be used to protect against DDoS attacks?

A

Overwhelming the targeted application servers and thus denying actual legitimate customers access.
AWS Shield and AWS Shield Advanced

4
Q

What is AWS Network Firewall?

A

A way to protect your entire VPC at once. Much better than managing lots of NACLs, as it operates at the level of the whole VPC.

5
Q

What can be managed in AWS Firewall Manager? (4 e.g.s)

A

VPC security groups, network firewall, WAF and Shield Advanced rules

6
Q

What is penetration testing?

A

Attacking your own infrastructure to test your security.

6
Q

What is data at rest and data in transit?

A

Data at rest is that which is sitting in storage or archive.
Data in transit is when the data is being transferred, e.g. from EFS to S3.

7
Q

What types of penetration testing aren’t you allowed to do without prior approval from AWS?

A

Anything outside the 8 permitted services; the disallowed types are DDoS or DoS, port flooding, protocol flooding and request flooding. (Basically, attacks that overload the network infrastructure tend not to be allowed because they could cause problems for AWS themselves.)

8
Q

What is Artifact?

A

A service that enables access to AWS compliance documentation and AWS agreements for download.

9
Q

What does AWS Macie do?

A

Scans S3 buckets to check for sensitive data, e.g. emails, names etc.
Can then connect to SNS to alert you, so that you can make sure the data is encrypted, for example.

9
Q

What can you do in Certificate Manager? Why is ACM useful for TLS certificates?

A

Lets you provision, manage and deploy SSL/TLS certificates.
Automatically renews TLS certificates.
Provides HTTPS encryption for websites.

9
Q

What is the AWS Abuse team for?

A

Reporting AWS resources that are suspected to be used for abusive or illegal purposes (e.g. spam emailing, port scanning, DDoSing etc.)

10
Q

What are the 4 types of KMS keys?

A
  • Customer Managed Key
  • AWS Managed Key
  • AWS Owned Key
  • Cloud HSM Keys
10
Q

What are 4 key tasks that can only be done by the root user?

A
  • Change account settings such as account name, email, password and root user keys
  • Close the AWS account
  • Change or cancel an AWS support plan
  • Register as a seller in the Reserved Instance Marketplace
10
Q

What is the difference between AWS KMS and CloudHSM?

A

With KMS, AWS manages the keys for us; with CloudHSM, the customer manages the keys themselves.

11
Q

What is AWS GuardDuty?

A

A threat detection service that protects your AWS account by applying ML to data from CloudTrail, VPC Flow Logs, DNS Logs and other sources.

11
Q

What is Config?

A

Kind of like version control for the configuration of your AWS services: you can see how configurations changed over time, who made the changes, etc.

12
Q

What does Detective do?

A

Collects data from VPC Flow Logs, CloudTrail and GuardDuty to help you find the root cause of flagged security risks, with visualisations.

13
Q

What does IAM Access Analyser do?

A

Analyses the accessibility of different resources and whether it is in line with your intentions.
If your ‘zone of trust’ is only members of your organisation but you accidentally share an S3 bucket publicly, IAM Access Analyser would flag this.

14
Q

How is the pricing of Secrets Manager handled?

A

Per secret, per month

15
Q

What is one handy feature with Secrets Manager that will keep security continually high?

A

You can implement rules that force the rotation of secrets, e.g. update a password every month.

16
Q

What services does Inspector perform automated security assessments on?

A

EC2 instances, container images and Lambda functions