Security and Governance Flashcards

1
Q

Shared Responsibility Model

A

## managed by AWS
Compute - EC2 instances
Storage - S3, EBS
Networking - VPC, routing
Regions - Availability Zones

## managed by clients
O/S config
firewall
applications
client side encryption
server side encryption
authentication and access control
2
Q

IAM User

A
  • never use the root account to do anything; create another IAM user with an admin role
  • delete the root user's access keys
  • assign policies to groups, not to users
  • customize the sign-in link rather than keeping the random default
  • use MFA
3
Q

IAM Role

A
  • instead of putting IAM user credentials on an EC2 instance to interact with AWS, just assign an IAM Role to that EC2 instance and define all the required permissions in the role
  • when you create an IAM role it will create two policies
    1. permissions policy - defines what the role is allowed to do
    2. trust policy - defines which principal (e.g. the EC2 service, an IAM user) can assume this role
4
Q

S3 Bucket Policy

A
## open policy
```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": "s3:*",
      "Resource": "*"
    }
  ]
}
```
## restrictive policy
```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "s3:ListBucket",
        "s3:GetObject"
      ],
      "Resource": [
        "arn:aws:s3:::<bucket-name>",
        "arn:aws:s3:::<bucket-name>/*"
      ]
    }
  ]
}
```
bucket-name is a placeholder for your bucket; s3:ListBucket applies to the bucket ARN, s3:GetObject to the object ARN (the bucket/* resource)
5
Q

Securing EC2 access

A
  • do not allow 0.0.0.0/0 access to port 22
  • put all EC2 instances in a private subnet
  • put a bastion host in the public subnet
  • allow only the client IP access to port 22 on the bastion host
  • allow the bastion host's SG access to port 22 in the internal SG
6
Q

AWS Cost Estimation and Compliance Tools

A
  • Trusted Advisor
  • CloudCheckr
7
Q

Cross Account Access

A

enables sharing of roles between two AWS accounts

8
Q

S3 Encryption

A

need to encrypt data in transit and at rest

In transit - all endpoints have TLS enabled
At rest
  1. client side encryption
    - the client encrypts the object before it is sent to S3 and decrypts it after retrieval
  2. server side encryption
    - SSE-S3 - keys managed by S3
    - SSE-KMS - keys managed by KMS
    - SSE-C - the client needs to provide the keys
9
Q

EBS volume encryption

A
  • when you create the volume you have the option to encrypt it
  • you can also choose to encrypt the root volume, but for that you need to create an encrypted AMI and use it to launch the instance
10
Q

RDS Encryption

A
  • just need to select the encryption option when creating the database
  • AWS will create a new key called aws/rds and use it to encrypt the data at rest
11
Q

Access Control

A
  • CloudTrail
  • MFA
  • password policies
  • IAM roles / policies / permissions
  • Trusted Advisor
  • bucket policies / ACLs
12
Q

Securing IT Resources

A
  • isolate servers at the hardware level (dedicated instances) instead of only at the hypervisor level
  • security groups
  • network ACLs
  • VPC
  • VPN
13
Q

Logging

A
  • VPC flow logs
  • S3 access logs
  • CloudTrail - the primary logging tool
14
Q

Monitoring

A

CloudWatch alarms
EC2 instance status checks
Amazon SNS
