Security and Compliance Flashcards
ISO/IEC 27001:2005 specifies the requirements for establishing, implementing, operating, monitoring, reviewing, maintaining, and improving a documented information security management system (ISMS) within the context of the organization's overall business risks.
sure thing
The Federal Risk and Authorization Management Program (FedRAMP) is a government-wide program that provides a standardized approach to security assessment, authorization, and continuous monitoring for cloud products and services.
yuppers
HIPAA is the federal Health Insurance Portability and Accountability Act of 1996. The primary goals of the law are to make it easier for people to keep health insurance, protect the confidentiality and security of healthcare information, and help the healthcare industry control administrative costs.
yes
NIST Framework for Improving Critical Infrastructure Cybersecurity
“…a set of industry standards and best practices to help organizations manage cybersecurity risks.”
The Payment Card Industry Data Security Standard (PCI DSS) is a widely accepted set of policies and procedures intended to optimize the security of credit, debit, and cash card transactions and protect cardholders against misuse of their personal information.
PCI DSS v3.2
Build and maintain a secure network and systems
requirement 1: install and maintain a firewall configuration to protect cardholder data
requirement 2: do not use vendor-supplied defaults for system passwords and other security parameters
requirement 3: protect stored cardholder data
requirement 4: encrypt transmission of cardholder data across open, public networks
requirement 5: protect all systems against malware and regularly update anti-virus software or programs
requirement 6: develop and maintain secure systems and applications
requirement 7: restrict access to cardholder data by business need to know
requirement 8: identify and authenticate access to system components
requirement 9: restrict physical access to cardholder data
requirement 10: track and monitor all access to network resources and cardholder data
requirement 11: regularly test security systems and processes
requirement 12: maintain a policy that addresses information security for all personnel
you don't really need to know this
SAS 70 - Statement on Auditing Standards No. 70
SOC 1 - Service Organization Controls report 1 - controls relevant to financial reporting (accounting standards)
FISMA - Federal Information Security Modernization Act
FIPS 140-2 is a US government computer security standard used to approve cryptographic modules. Modules are rated from Level 1 to Level 4, with 4 being the highest security. CloudHSM meets the Level 3 standard.
a ___ attack can be achieved by multiple mechanisms, such as large packet floods, by using a combination of reflection and amplification techniques, or by using large botnets.
DDoS
_____ attacks can include NTP, SSDP, DNS, CHARGEN, SNMP attacks, etc. The attacker sends a third-party server (such as an NTP server) a request using a spoofed source IP address. That server then responds to the request with a much larger payload than the request (usually in the region of 28 to 54 times larger) to the spoofed IP address.
This means that if the attacker sends a 64-byte packet with a spoofed source IP address, the NTP server could respond with up to 3,456 bytes of traffic to the victim. Attackers coordinate this across many NTP servers at once, so the target is flooded with legitimate-looking NTP traffic it never requested.
Amplification/Reflection
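As an added example that is not part of the original deck: the pattern described above shows up in flow records as a host receiving large volumes of UDP traffic from a reflector's service port (123 for NTP, 53 for DNS, 1900 for SSDP, 19 for CHARGEN, 161 for SNMP) without having sent a matching request. The flow records, IP addresses and threshold below are constructed for illustration, and the script assumes flows are collected at the victim's network edge, where the attacker's spoofed requests are never seen.

```python
# Added example (not from the flashcard deck): spotting reflection/amplification
# traffic in flow records. Every record below is constructed sample data.
from collections import defaultdict

# UDP services commonly abused as reflectors, keyed by the source port of the
# reflected traffic as seen by the victim.
REFLECTOR_PORTS = {19: "CHARGEN", 53: "DNS", 123: "NTP", 161: "SNMP", 1900: "SSDP"}

# Constructed flow records: (src_ip, src_port, dst_ip, dst_port, proto, bytes)
FLOWS = [
    # Victim 203.0.113.10 never queried these NTP servers, yet receives big replies
    # (3,456 bytes each: a 64-byte spoofed request amplified 54x).
    ("198.51.100.5", 123, "203.0.113.10", 40000, "udp", 3456),
    ("198.51.100.6", 123, "203.0.113.10", 40000, "udp", 3456),
    ("198.51.100.7", 123, "203.0.113.10", 40000, "udp", 3456),
    # Legitimate NTP: the client sent a 48-byte request and got a 48-byte reply.
    ("203.0.113.20", 50000, "198.51.100.5", 123, "udp", 48),
    ("198.51.100.5", 123, "203.0.113.20", 50000, "udp", 48),
    # Legitimate DNS: small query, modest answer (8x, below the alert threshold).
    ("203.0.113.30", 51000, "192.0.2.53", 53, "udp", 64),
    ("192.0.2.53", 53, "203.0.113.30", 51000, "udp", 512),
]


def amplification_factor(request_bytes, response_bytes):
    """Bandwidth amplification factor: reflected bytes per byte the attacker sent."""
    return response_bytes / request_bytes


def find_reflection_victims(flows, min_factor=10.0):
    """Return {victim_ip: {service: (bytes_received, bytes_sent, factor)}} for hosts
    that receive far more from a reflector port than they ever sent to that service.
    min_factor is a constructed threshold, not a published figure."""
    received = defaultdict(int)  # (host, service) -> bytes arriving from that service port
    sent = defaultdict(int)      # (host, service) -> bytes the host sent to that service
    for src, sport, dst, dport, proto, nbytes in flows:
        if proto != "udp":
            continue
        if sport in REFLECTOR_PORTS:
            received[(dst, REFLECTOR_PORTS[sport])] += nbytes
        if dport in REFLECTOR_PORTS:
            sent[(src, REFLECTOR_PORTS[dport])] += nbytes

    victims = defaultdict(dict)
    for (host, service), rx in received.items():
        tx = sent.get((host, service), 0)
        # A host that sent nothing is treated as if it had sent a single byte so the
        # ratio stays finite; anything at or above min_factor is flagged.
        factor = amplification_factor(max(tx, 1), rx)
        if factor >= min_factor:
            victims[host][service] = (rx, tx, factor)
    return dict(victims)


if __name__ == "__main__":
    for host, services in find_reflection_victims(FLOWS).items():
        for service, (rx, tx, factor) in services.items():
            print(f"{host}: {rx} bytes from {service} reflectors, sent {tx}, factor {factor:.0f}")
```

In a real deployment the same logic runs over VPC Flow Logs or NetFlow exports rather than the inline list, and the per-service thresholds are tuned against a baseline of normal request/response ratios for that service.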
_____
free service that protects all AWS customers on Elastic Load Balancing (ELB), Amazon CloudFront and Route 53
- protects against SYN/UDP floods, reflection attacks and other layer 3/layer 4 attacks
- Advanced provides enhanced protection for your apps running on ELB, CloudFront and Route 53 against larger and more sophisticated attacks; $3,000 per month
Shield
AWS ___ ___ provides
- always-on, flow-based monitoring of network traffic and active application monitoring to provide near real-time notification of DDoS attacks
- a DDoS Response Team (DRT) available 24x7 to manage and mitigate application-layer DDoS attacks
- protection for your AWS bill against higher fees due to Elastic Load Balancing, CloudFront and Route 53 usage spikes during a DDoS attack
- $3000/month
Shield advanced
what services can you use to mitigate DDoS attack?
CF
route53
elb’s
wafs
autoscaling
cw
T or F
you can purchase security products from 3rd-party vendors on the MP (AWS Marketplace)
T
T or F
You cannot enable MFA using the command line or by using the console
False, you can enable MFA from both the CLI and the console
You can enforce the use of MFA with the CLI by using the ____ Token Service
STS
You can report on who is using MFA on a per user basis using ____ _____
credential reports
____ grants users limited and temporary access to AWS resources
STS (security token service)
STS
____ - uses Security Assertion Markup Language (SAML)
- grants temporary access based on the user's Active Directory credentials
- the user does not need to exist in IAM
- single sign-on lets users log in to the AWS console without being assigned IAM credentials
______ _____ - use Facebook, Amazon, Google or other OpenID providers to log in
____ ___ ____ - lets users from one AWS account access resources in another
Federation
federation with mobile apps
cross account access
STS key terms:
_____ - combining or joining a list of users in one domain (such as IAM) with a list of users in another domain (such as AD, Facebook, etc.)
______ _____ - a service that allows you to take an identity from point A and join it (federate it) to point B
_____ _____ - services like AD, Facebook, Google, etc.
____ - a user of a service like Facebook, etc.
Federation
Identity Broker
Identity Store
Identities
____ is a web application firewall that lets you monitor the HTTP and HTTPS requests that are forwarded to CloudFront, an Application Load Balancer, or API Gateway. It lets you control access to your content.
WAF
WAF -
You can configure conditions such as which IP addresses are allowed to make a request or which query string parameters need to be passed for the request to be allowed; the Application Load Balancer or CloudFront will then either allow the content to be served or return an HTTP ____ status code.
403
At its most basic level, AWS WAF allows 3 different behaviors
- allow ___requests except the one you specify
- block ___ requests except the ones you specify
- count the requests that ___ the properties you specify
all
all
match
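As an added example that is not part of the original deck, the three behaviors above come down to a default action plus an ordered list of rules, where an ALLOW or BLOCK match ends evaluation and a COUNT match is only recorded. The toy evaluator below models that; the rule names, IP ranges, requests and the `evaluate` function are constructed for illustration and are not the AWS WAF API.

```python
# Added example (not from the flashcard deck): a toy model of how a web ACL decides
# ALLOW / BLOCK / COUNT. All rule names, addresses and requests are constructed.
import ipaddress

ALLOW, BLOCK, COUNT = "ALLOW", "BLOCK", "COUNT"


def ip_in_set(cidrs):
    """Condition: the client IP falls inside one of the given CIDR ranges."""
    nets = [ipaddress.ip_network(c) for c in cidrs]
    return lambda req: any(ipaddress.ip_address(req["ip"]) in n for n in nets)


def query_contains(param, value):
    """Condition: the request carries a given query string parameter/value."""
    return lambda req: req.get("query", {}).get(param) == value


def evaluate(web_acl, request):
    """Return (http_status, counted_rule_names).

    Rules run in priority order. The first ALLOW or BLOCK match terminates
    evaluation; COUNT matches are recorded and evaluation continues; if nothing
    terminates, the web ACL's default action decides (200 for allow, 403 for block).
    """
    counted = []
    for rule in sorted(web_acl["rules"], key=lambda r: r["priority"]):
        if rule["match"](request):
            if rule["action"] == COUNT:
                counted.append(rule["name"])
                continue
            return (200 if rule["action"] == ALLOW else 403), counted
    return (200 if web_acl["default"] == ALLOW else 403), counted


# "Block all requests except the ones you specify": default BLOCK plus an allow-list.
ALLOWLIST_ACL = {
    "default": BLOCK,
    "rules": [
        {"name": "office-ips", "priority": 0, "action": ALLOW,
         "match": ip_in_set(["203.0.113.0/24"])},
    ],
}

# "Allow all requests except the ones you specify": default ALLOW plus a block-list,
# with a COUNT rule in front to measure a candidate rule before enforcing it.
BLOCKLIST_ACL = {
    "default": ALLOW,
    "rules": [
        {"name": "count-debug-param", "priority": 0, "action": COUNT,
         "match": query_contains("debug", "1")},
        {"name": "bad-ips", "priority": 1, "action": BLOCK,
         "match": ip_in_set(["198.51.100.0/24"])},
    ],
}

if __name__ == "__main__":
    print(evaluate(ALLOWLIST_ACL, {"ip": "192.0.2.1"}))                         # (403, [])
    print(evaluate(BLOCKLIST_ACL, {"ip": "198.51.100.9", "query": {"debug": "1"}}))  # (403, ['count-debug-param'])
```

The COUNT behaviour is the one worth internalizing: because a counted match does not stop evaluation, a rule can be deployed in count mode, watched in the metrics for false positives, and then switched to BLOCK without changing anything else in the ACL.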
WAF integrates with what services?
APP load balancers
CloudFront
API GW
AWS WAF does not integrate with:
classic load balancers
network load balancers
A ____ or virtual machine monitor is computer software, firmware, or hardware that creates and runs virtual machines. A computer on which a hypervisor runs one or more virtual machines is called a host machine, and each virtual machine is called a guest machine.
hypervisor
EC2 currently runs on Xen hypervisors. Xen can have guest operating systems running as either _____ or using ___ ___ ___
Paravirtualization
Hardware Virtual Machine
____ guests are fully virtualized. The VMs on top of the hypervisors are not aware that they are sharing processing time with other VMs.
___ is a lighter form of virtualization and used to be quicker.
HVM
PV
Tips
Choose HVM over PV where possible
- PV is isolated by privilege rings: the guest OS runs in ring 1 and applications in ring 3, with ring 0 reserved for the hypervisor
- only AWS admins have access to the hypervisors
- AWS staff do not have access to the guest OS on your EC2 instances; securing it is your responsibility as the customer
- all storage and RAM memory is scrubbed before it is delivered to you
yes
_____ _____ are EC2 instances that run in a VPC on hardware that is dedicated to a single customer. Your dedicated instances are physically isolated at the host hardware level from instances that belong to other AWS accounts.
dedicated instances
___ ____ may share hardware with other instances from the same AWS account that are not dedicated instances
dedicated instances
pay for dedicated instances on demand, save up to ___% by purchasing reserved instances, or save up to ___% by purchasing spot instances.
70, 90
___ ____ give you additional visibility and control over how instances are placed on a physical server, and you can consistently deploy your instances to the same physical server over time. As a result, dedicated hosts enable you to use your existing server-bound software licenses and address corporate compliance and regulatory requirements.
dedicated hosts
dedicated instances are charged by the instance, dedicated hosts are charged by the host.
True
if you have specific regulatory requirements or licensing conditions, choose dedicated hosts.
T
dedicated ____ give you much better visibility into things like sockets, cores, and host id.
hosts
SSM agent needs to be installed on all of your managed instances
T or F
T
SSM works with on prem and in cloud
T
Confidential info such as passwords, database connection strings, and license codes can be stored in ____ ___ ___
SSM parameter store
In SSM Parameter Store you can store values in plain text (String) or encrypted (SecureString)
T
in SSM you can reference values by their names
T
T or F
you can access S3 objects using presigned URLs
T
Presigned URLs are typically generated with the SDK, but can also be generated using the CLI
T
presigned URLs are valid for a certain length of time in seconds. default is ___ hour
you can change this using "--expires-in" followed by the number of seconds.
1
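As an added example that is not part of the original deck: a presigned URL is just an ordinary object URL carrying Signature Version 4 query parameters (X-Amz-Credential, X-Amz-Date, X-Amz-Expires, X-Amz-Signature), so whoever holds the URL can fetch the object until the expiry passes, and S3 can verify it without storing anything. The standard-library implementation below builds such a URL and then checks it the way the receiving side would. The bucket, object key and timestamps are constructed, the access key and secret are the placeholder example credentials from AWS documentation rather than real ones, and the 7-day maximum is the limit S3 enforces on SigV4 presigned URLs.

```python
# Added example (not from the flashcard deck): building and verifying an S3
# presigned GET URL with the standard library. Bucket, key, timestamps and
# credentials below are constructed placeholders; the SDK/CLI does this for you.
import datetime as dt
import hashlib
import hmac
from urllib.parse import parse_qs, quote, unquote, urlencode, urlparse

MAX_EXPIRES = 7 * 24 * 3600  # S3 rejects SigV4 presigned URLs valid for more than 7 days

# AWS's published example credentials (not real keys), used for the demo only.
ACCESS_KEY = "AKIAIOSFODNN7EXAMPLE"
SECRET = "wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY"


def _hmac(key: bytes, msg: str) -> bytes:
    return hmac.new(key, msg.encode(), hashlib.sha256).digest()


def signing_key(secret: str, date: str, region: str, service: str = "s3") -> bytes:
    """Derive the per-day SigV4 signing key: HMAC chain over date/region/service."""
    k = _hmac(("AWS4" + secret).encode(), date)
    k = _hmac(k, region)
    k = _hmac(k, service)
    return _hmac(k, "aws4_request")


def _signature(secret, access_key, region, bucket, key, amz_date, expires):
    """Canonical request -> string to sign -> hex signature, per SigV4 query auth."""
    date = amz_date[:8]
    host = f"{bucket}.s3.amazonaws.com"
    scope = f"{date}/{region}/s3/aws4_request"
    params = {
        "X-Amz-Algorithm": "AWS4-HMAC-SHA256",
        "X-Amz-Credential": f"{access_key}/{scope}",
        "X-Amz-Date": amz_date,
        "X-Amz-Expires": str(expires),
        "X-Amz-SignedHeaders": "host",
    }
    # Canonical query string: sorted by name, RFC 3986 encoded ('/' becomes %2F).
    canonical_query = urlencode(sorted(params.items()), quote_via=quote)
    canonical_request = "\n".join([
        "GET", "/" + quote(key), canonical_query,
        f"host:{host}\n", "host", "UNSIGNED-PAYLOAD",
    ])
    string_to_sign = "\n".join([
        "AWS4-HMAC-SHA256", amz_date, scope,
        hashlib.sha256(canonical_request.encode()).hexdigest(),
    ])
    sig = hmac.new(signing_key(secret, date, region), string_to_sign.encode(),
                   hashlib.sha256).hexdigest()
    return host, canonical_query, sig


def presign_get(access_key, secret, region, bucket, key, now, expires=3600):
    """Build a presigned GET URL. 3600 s matches the CLI's default --expires-in."""
    if not 1 <= expires <= MAX_EXPIRES:
        raise ValueError("X-Amz-Expires must be between 1 and 604800 seconds")
    amz_date = now.strftime("%Y%m%dT%H%M%SZ")
    host, canonical_query, sig = _signature(secret, access_key, region, bucket, key, amz_date, expires)
    return f"https://{host}/{quote(key)}?{canonical_query}&X-Amz-Signature={sig}"


def verify_presigned(url, secret, region, now):
    """What the receiving side does: enforce the expiry window, recompute the
    signature with the secret for the stated access key, compare in constant time."""
    u = urlparse(url)
    q = {k: v[0] for k, v in parse_qs(u.query).items()}
    bucket = u.hostname.split(".")[0]
    key = unquote(u.path.lstrip("/"))
    access_key = q["X-Amz-Credential"].split("/")[0]
    amz_date, expires = q["X-Amz-Date"], int(q["X-Amz-Expires"])
    issued = dt.datetime.strptime(amz_date, "%Y%m%dT%H%M%SZ").replace(tzinfo=dt.timezone.utc)
    if now > issued + dt.timedelta(seconds=expires):
        return "expired"
    _, _, expected = _signature(secret, access_key, region, bucket, key, amz_date, expires)
    return "ok" if hmac.compare_digest(expected, q["X-Amz-Signature"]) else "bad-signature"


def demo():
    """Round trip with constructed bucket/key/time: valid, expired, and tampered URL."""
    issued = dt.datetime(2024, 1, 1, 12, 0, 0, tzinfo=dt.timezone.utc)
    url = presign_get(ACCESS_KEY, SECRET, "us-east-1", "example-bucket", "reports/q1.pdf", issued)
    later = issued + dt.timedelta(minutes=30)
    too_late = issued + dt.timedelta(hours=2)
    return {
        "url": url,
        "valid": verify_presigned(url, SECRET, "us-east-1", later),
        "expired": verify_presigned(url, SECRET, "us-east-1", too_late),
        # Changing the object key invalidates the signature: the URL grants one object only.
        "tampered": verify_presigned(url.replace("q1.pdf", "q2.pdf"), SECRET, "us-east-1", later),
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

Two practical consequences follow from the construction: the URL is only as secret as the channel it travels over (treat it like a bearer token), and the permissions it grants are those of the credentials that signed it at the moment of use, so a URL signed with a role's temporary credentials stops working when that session expires even if X-Amz-Expires has not elapsed.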
You can have AWS Config rules for S3 -
no public read access (managed rule s3-bucket-public-read-prohibited)
no public write access (managed rule s3-bucket-public-write-prohibited)
remember this
____ is an automated security assessment service that helps improve the security and compliance of apps deployed on AWS. ____ automatically assesses apps for vulnerabilities or deviations from best practices. After performing an assessment, ___ produces a detailed list of security findings by level of severity. These findings can be reviewed directly or as part of detailed assessment reports, which are available via the Amazon _____ console or API.
inspector
___ ____ is an online resource to help you reduce cost, increase performance, and improve security by optimizing your AWS environment.
it will advise you on cost optimization, performance, security, and fault tolerance
it runs core checks and recommendations
Trusted advisor
what service can you use to check service limits?
trusted advisor
KMS is symmetric keys only
T (true when this deck was written; KMS has since added asymmetric RSA and elliptic-curve key pairs, so check the current documentation)
CloudHSM is both symmetric and asymmetric keys
T
____ files are used to validate the integrity of CloudTrail log files
digest
CloudTrail log file integrity validation uses:
sha-256 hashing
sha-256 with RSA for digital signing
t
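As an added example that is not part of the original deck: the SHA-256 half of CloudTrail integrity validation is a hash chain. Each digest lists the SHA-256 of every log file it covers and the SHA-256 of the previous digest, so rewriting a log file or swapping out an earlier digest shows up as a mismatch when the chain is walked. The script below rebuilds that check over constructed log files and simplified digest records (real digests carry more fields, and their "SHA-256 with RSA" signature, stored in the object's metadata, is not verified here).

```python
# Added example (not from the flashcard deck): the hash-chain half of CloudTrail
# log file integrity validation. Log files and digest records are constructed and
# simplified; the RSA signature on real digests is out of scope for this block.
import gzip
import hashlib
import json


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def make_digest(log_objects, previous_digest_bytes=None):
    """Build a simplified digest record covering {object_name: gzipped_bytes}."""
    return {
        "digestSignatureAlgorithm": "SHA256withRSA",
        "previousDigestHashAlgorithm": "SHA-256",
        "previousDigestHashValue": sha256_hex(previous_digest_bytes) if previous_digest_bytes else None,
        "logFiles": [
            {"s3Object": name, "hashAlgorithm": "SHA-256", "hashValue": sha256_hex(blob)}
            for name, blob in sorted(log_objects.items())
        ],
    }


def validate_chain(digests, store):
    """Walk digests oldest to newest, recomputing every log file hash and the link to
    the previous digest. digests is [(name, raw_bytes)], store is {object: bytes}.
    Returns a list of problems; an empty list means the chain is intact."""
    problems = []
    prev_bytes = None
    for name, raw in digests:
        d = json.loads(raw)
        want_prev = sha256_hex(prev_bytes) if prev_bytes else None
        if d["previousDigestHashValue"] != want_prev:
            problems.append(f"{name}: previous digest hash mismatch")
        for lf in d["logFiles"]:
            blob = store.get(lf["s3Object"])
            if blob is None:
                problems.append(f"{name}: missing log file {lf['s3Object']}")
            elif sha256_hex(blob) != lf["hashValue"]:
                problems.append(f"{name}: hash mismatch for {lf['s3Object']}")
        prev_bytes = raw
    return problems


def build_sample():
    """Constructed trail: two gzipped log files and two chained digest objects."""
    def logfile(events):
        return gzip.compress(json.dumps({"Records": events}).encode(), mtime=0)

    store = {
        "logs/000001.json.gz": logfile([{"eventName": "ConsoleLogin", "userIdentity": {"userName": "alice"}}]),
        "logs/000002.json.gz": logfile([{"eventName": "DeleteTrail", "userIdentity": {"userName": "mallory"}}]),
    }
    d1 = json.dumps(make_digest({"logs/000001.json.gz": store["logs/000001.json.gz"]})).encode()
    d2 = json.dumps(make_digest({"logs/000002.json.gz": store["logs/000002.json.gz"]}, d1)).encode()
    return [("digest-1", d1), ("digest-2", d2)], store


def tamper_demo():
    """Return (intact, tampered_log, replaced_digest) problem lists."""
    digests, store = build_sample()
    intact = validate_chain(digests, store)

    # An attacker rewrites the second log file to hide the DeleteTrail event.
    store["logs/000002.json.gz"] = gzip.compress(b'{"Records": []}', mtime=0)
    tampered = validate_chain(digests, store)

    # ...or replaces the first digest; the second digest's back-link no longer matches.
    digests2, store2 = build_sample()
    digests2[0] = ("digest-1", b'{"previousDigestHashValue": null, "logFiles": []}')
    broken_link = validate_chain(digests2, store2)
    return intact, tampered, broken_link


if __name__ == "__main__":
    for label, problems in zip(("intact", "tampered log", "replaced digest"), tamper_demo()):
        print(f"{label}: {problems or 'OK'}")
```

The hash chain alone only proves consistency among the files you hold; it is the RSA signature over each digest, checked against the CloudTrail public key for that region and time window, that proves the digests themselves came from CloudTrail. That is why the deck lists both SHA-256 hashing and SHA-256 with RSA, and why `aws cloudtrail validate-logs` checks both.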