Security / Compliance Flashcards
The Shared Responsibility Model
Shared Responsibility between you and AWS: AWS is responsible for securing the cloud, and you are responsible for securing the things you put into it.
In the shared responsibility model, AWS is responsible for:
Their global infrastructure, building security, networking components, and their software.
In the shared responsibility model, YOU are responsible for:
Your application data, security configurations, patching, network traffic, and your application code.
5 Pillars of a Well-Architected Framework
Operational Excellence, Security, Reliability, Performance Efficiency, and Cost Optimization
Operational Excellence
Effectively support production workloads. EX: Using CodeCommit
Performance Efficiency
Effectively using cloud resources to meet requirements while removing bottlenecks. EX: Using Lambda to respond to events
Cost Optimization
Delivering optimum solutions at the least cost. EX: Using S3 Intelligent-Tiering
Identity and Access Management (IAM)
Controlling access to your AWS tools and resources. Define who has access to what, and what they can do with that access.
IAM Users
Entities created to represent the person OR SERVICE that needs access. They’re created under your account, so you will be billed for anything they do!
The principle of least privilege
Only give users the bare minimum level of access required to do their job.
IAM Groups
A collection of Users with common access controls. EX: Developers, Admins, or Analysts may need access to different things
IAM Roles
Define access permissions and are temporarily assumed by a User. EX: They put on their developer hat.
Access is granted using policies. Roles are great for protecting against unauthorized access and for avoiding the sharing of access keys.
IAM Policies
JSON documents that manage permissions for whatever it is attached to: Users, Groups, and Roles
Best Practices for IAM
Enable MFA for privileged users
Create individual users instead of using root
Implement strong password policies
Use roles for EC2 instances
IAM Credential Report
Generates a list of all Users in your account, and the status of their credentials. Used for auditing and compliance.
Firewall
Prevents unauthorized access to your network by inspecting traffic against security rules that you’ve defined
Web-Application Firewall (WAF)
Used to protect against common attack patterns, such as SQL Injection and Cross-Site Scripting.
DDoS
Distributed Denial of Service: an attack that attempts to crash a web app by overloading it with network traffic.
AWS Shield
DDoS protection service
AWS Macie
Discover and protect sensitive data in S3, using Machine Learning
AWS Config
Allows you to assess, audit, and evaluate the configurations of your resources. Records configuration changes and tracks them over time.
AWS GuardDuty
ML-based threat detection system for EC2, S3, and IAM. Reviews logs and identifies events that are associated with common attacks.
AWS Inspector
Uncovers and reports vulnerabilities in EC2. Installed on an instance to check access from the internet, remote root logins, and vulnerable software versions.
AWS Artifact
On-demand access to AWS security and compliance reports. Includes audits from third parties.
Encryption
Encodes data so that it can’t be read by unauthorized users. Uses one key to encode, and another to decode.
Data In Flight
Data that is moving from one location to another
Data At Rest
Data that is stored, or inactive (not moving)
AWS Key Management Services (KMS)
An AWS-managed service that generates and stores encryption keys. Auto-enabled for certain services; great for encrypting EBS volumes.
CloudHSM
“Hardware Security Module” used to generate encryption keys. NOT managed by AWS. Necessary to meet requirements for dedicated security hardware.
Secrets Manager
Manage and retrieve secrets (passwords or keys). Encrypts secrets at rest and integrates with Redshift, RDS, and DocumentDB. Useful for retrieving credentials needed within application code.