Security & Compliance Flashcards
In the shared responsibility model AWS is responsible for
security OF the cloud: protecting and securing the underlying infrastructure (data centers, hardware, networking, and the software that runs the managed services)
In the shared responsibility model you are responsible for
security IN the cloud: how the services are configured and used, and managing your application's data
What are AWS responsibilities regarding EC2 instances (2)
- Patching the host operating system
- Security of the physical server
What are AWS responsibilities regarding Lambda (2)
- The operating system of the execution environment
- The runtime and its software dependencies
With Lambda the customer is responsible for (2)
- Protecting the sensitive data the function stores and processes
- IAM permissions (the function's execution role, and who is allowed to invoke it)
With EC2 the customer is responsible for (3)
- Patching the guest operating system
- Security controls such as security groups, network ACLs, and encryption of data
- Installed applications (and keeping them patched)
The 5 pillars of the Well-Architected Framework describe design principles and best practices for running workloads in the cloud. They are:
C.O.R.P.S.
- Cost Optimization
- Operational Excellence
- Reliability
- Performance Efficiency
- Security
(Note: AWS added Sustainability as a sixth pillar in December 2021; the five above are the ones this mnemonic covers.)
Operational Excellence involves running and monitoring systems that support production workloads. The 3 key takeaways (Script, Plan, Deploy) are:
- Script operations as code
- Plan for failure (anticipate it and rehearse the response)
- Deploy small, reversible changes
Performance Efficiency involves the effective use of computing resources to meet
system and business needs while removing bottlenecks
Security focuses on putting mechanisms in place that protect your systems and data. You can do this by (3) (Track, Encrypt, Automate):
- Track who did what and when (centralized logging and auditing)
- Encrypt data in transit and at rest
- Automate security tasks
Reliability means designing systems that work consistently and recover quickly from failure (3) (Scale, Reduce, Test):
- Scale horizontally for resilience
- Reduce idle resources
- Test recovery procedures
Cost Optimization has three main takeaways (3):
- Use consumption-based pricing (pay only for what you use)
- Implement cloud financial management
- Measure overall efficiency
Use Cases for Operational Excellence: You can use AWS CodeCommit for version control to enable
tracking of code changes. (Note: since July 2024 CodeCommit is no longer available to new AWS customers; existing customers can keep using it.)
Use Cases for Performance Efficiency: You can use AWS Lambda to
run code with zero administration.
Use Cases for Security: You can use CloudTrail to configure central logging of
all actions performed in your account
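To make "track who did what and when" concrete, here is an added example (not part of the original flashcards) that scans a small batch of CloudTrail-style records and flags three things a practitioner looks for first: any use of the root account, console logins without MFA, and API calls that tamper with the trail itself. The records are constructed for the example; their field names follow the real CloudTrail record format (eventName, userIdentity, additionalEventData.MFAUsed), but the account ID, user names and IP addresses are invented.

```python
"""Scan CloudTrail records for 'who did what and when' findings.

Added example, not from the flashcards. The events below are constructed;
field names follow the real CloudTrail record format, but the account,
user names and addresses are invented.
"""
import json

# Constructed sample trail (abbreviated records; not real account data).
SAMPLE_TRAIL = json.dumps({"Records": [
    {"eventTime": "2024-05-01T10:00:00Z", "eventName": "ConsoleLogin",
     "eventSource": "signin.amazonaws.com",
     "userIdentity": {"type": "Root", "arn": "arn:aws:iam::123456789012:root"},
     "additionalEventData": {"MFAUsed": "No"},
     "sourceIPAddress": "198.51.100.7"},
    {"eventTime": "2024-05-01T10:05:00Z", "eventName": "ConsoleLogin",
     "eventSource": "signin.amazonaws.com",
     "userIdentity": {"type": "IAMUser", "userName": "alice",
                      "arn": "arn:aws:iam::123456789012:user/alice"},
     "additionalEventData": {"MFAUsed": "Yes"},
     "sourceIPAddress": "203.0.113.5"},
    {"eventTime": "2024-05-01T10:07:00Z", "eventName": "ConsoleLogin",
     "eventSource": "signin.amazonaws.com",
     "userIdentity": {"type": "IAMUser", "userName": "bob",
                      "arn": "arn:aws:iam::123456789012:user/bob"},
     "additionalEventData": {"MFAUsed": "No"},
     "sourceIPAddress": "203.0.113.9"},
    {"eventTime": "2024-05-01T10:30:00Z", "eventName": "StopLogging",
     "eventSource": "cloudtrail.amazonaws.com",
     "userIdentity": {"type": "IAMUser", "userName": "bob",
                      "arn": "arn:aws:iam::123456789012:user/bob"},
     "sourceIPAddress": "203.0.113.9"},
    {"eventTime": "2024-05-01T11:00:00Z", "eventName": "DescribeInstances",
     "eventSource": "ec2.amazonaws.com",
     "userIdentity": {"type": "AssumedRole",
                      "arn": "arn:aws:sts::123456789012:assumed-role/AppRole/i-0abc"},
     "sourceIPAddress": "10.0.1.20"},
]})

# CloudTrail API calls that weaken or disable audit logging.
LOGGING_TAMPER = {"StopLogging", "DeleteTrail", "UpdateTrail", "PutEventSelectors"}


def actor(record):
    """Return a readable 'who' for a record: 'root', the user name, or the ARN."""
    ident = record.get("userIdentity", {})
    if ident.get("type") == "Root":
        return "root"
    return ident.get("userName") or ident.get("arn", "unknown")


def find_findings(trail_json):
    """Return (eventTime, actor, finding) tuples for suspicious records, in trail order."""
    findings = []
    for rec in json.loads(trail_json)["Records"]:
        who, when, name = actor(rec), rec["eventTime"], rec["eventName"]
        # 1. Root should only be used for the handful of root-only tasks.
        if rec.get("userIdentity", {}).get("type") == "Root":
            findings.append((when, who, f"root account used for {name}"))
        # 2. Console logins report whether MFA was used; anything but "Yes" is a gap.
        if name == "ConsoleLogin" and rec.get("additionalEventData", {}).get("MFAUsed") != "Yes":
            findings.append((when, who, "console login without MFA"))
        # 3. Changes to the trail itself are a classic attacker move to hide activity.
        if name in LOGGING_TAMPER:
            findings.append((when, who, f"audit logging changed: {name}"))
    return findings


if __name__ == "__main__":
    for when, who, what in find_findings(SAMPLE_TRAIL):
        print(f"{when}  {who:<8}  {what}")
```

In practice the same loop runs over the gzipped JSON objects CloudTrail delivers to S3, or as a CloudWatch Logs metric filter; the point of the example is that every record already carries the who (userIdentity), the what (eventName) and the when (eventTime), so detection is mostly pattern matching over those three fields.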
Use Cases for Reliability: You can use Multi-AZ deployments for enhanced availability and reliability of
RDS databases.
Use Cases for Cost OptimIzation: You can use S3 Intelligent-Tiering to automatically move your data
between access tiers based on your usage patterns.
In AWS Users are entities you create in IAM to represent
the person or application needing access to your AWS resources.
A group is a collection of IAM users that helps you apply common
access controls to all group members.
In AWS, roles can be assumed by
any principal (an IAM user, an AWS service, or an identity in another account) that the role's trust policy allows. A role has no long-term credentials of its own; assuming it returns temporary credentials.
AWS policies help you manage permissions for IAM users, groups, and roles: you write a policy document in
JSON format and attach it to the identity. Requests are denied by default, an Allow statement must match, and an explicit Deny always wins.
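The evaluation rules behind a JSON policy document are easy to get wrong when reading a policy by eye, so here is an added example (not from the flashcards) of a small evaluator that applies the three rules that matter most for identity-based policies: implicit deny, a matching Allow grants access, and a matching explicit Deny overrides any Allow. It also reproduces IAM's wildcard matching (`*` and `?`, with action names compared case-insensitively and resource ARNs case-sensitively). The sample policy and bucket name are constructed; Condition blocks, NotAction/NotResource, resource policies, SCPs and permission boundaries are deliberately out of scope.

```python
"""Minimal IAM identity-policy evaluator: default deny, Allow, explicit Deny wins.

Added example, not from the flashcards. The policy is constructed; it grants
read-only access to one bucket, denies everything under its secrets/ prefix,
and allows publishing CloudWatch metrics.
"""
import json
import re

SAMPLE_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow",
         "Action": ["s3:GetObject", "s3:ListBucket"],
         "Resource": ["arn:aws:s3:::app-data", "arn:aws:s3:::app-data/*"]},
        {"Effect": "Deny",
         "Action": "s3:*",
         "Resource": "arn:aws:s3:::app-data/secrets/*"},
        {"Effect": "Allow",
         "Action": "cloudwatch:PutMetricData",
         "Resource": "*"},
    ],
})


def _matches(pattern, value, ignore_case):
    """IAM-style glob: '*' matches any run of characters, '?' exactly one."""
    regex = "^" + "".join(
        ".*" if ch == "*" else "." if ch == "?" else re.escape(ch) for ch in pattern
    ) + "$"
    flags = re.IGNORECASE if ignore_case else 0
    return re.match(regex, value, flags) is not None


def _as_list(value):
    """Policy fields may be a single string or a list; normalize to a list."""
    return value if isinstance(value, list) else [value]


def _statement_matches(stmt, action, resource):
    """True if the statement's Action and Resource both cover the request."""
    actions_ok = any(_matches(p, action, True) for p in _as_list(stmt.get("Action", [])))
    resources_ok = any(_matches(p, resource, False) for p in _as_list(stmt.get("Resource", [])))
    return actions_ok and resources_ok


def is_allowed(policy_json, action, resource):
    """Return True only if some Allow matches and no Deny matches."""
    allowed = False
    for stmt in json.loads(policy_json)["Statement"]:
        if not _statement_matches(stmt, action, resource):
            continue
        if stmt["Effect"] == "Deny":
            return False          # explicit deny always wins, regardless of order
        allowed = True
    return allowed                # False here is the implicit deny


if __name__ == "__main__":
    checks = [
        ("s3:GetObject", "arn:aws:s3:::app-data/public/index.html"),
        ("s3:GetObject", "arn:aws:s3:::app-data/secrets/db.pem"),
        ("s3:PutObject", "arn:aws:s3:::app-data/public/index.html"),
        ("cloudwatch:PutMetricData", "*"),
    ]
    for action, resource in checks:
        print(f"{action:<26} {resource:<44} {'ALLOW' if is_allowed(SAMPLE_POLICY, action, resource) else 'DENY'}")
```

The useful habit this builds: when reviewing a policy, look for the Deny statements first, because nothing elsewhere in the policy (or in any other attached policy) can override them.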
Real-world use cases for IAM: Using Roles help you avoid sharing long-term credentials
like access keys
IAM credential report: Lists all users and status of passwords, access keys, and MFA device. This is best used for
auditing and compliance
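Because the credential report is a plain CSV, the audit it supports is scriptable. Here is an added example (not from the flashcards) that reads a report and produces the findings an auditor would ask for first: a root user without MFA or with active access keys, console users whose password is enabled but who have no MFA, and active access keys older than a rotation threshold. The CSV is constructed; its column names are a subset of the real report's columns (the real report is retrieved with `aws iam get-credential-report` and is base64-encoded CSV), and it uses the report's conventions: `true`/`false`, ISO-8601 timestamps, `N/A` or `not_supported` for fields that do not apply, and `<root_account>` as the root row's user name. The 90-day key age and the fixed "now" date are assumptions for the example.

```python
"""Audit an IAM credential report for MFA gaps and stale access keys.

Added example, not from the flashcards. The report below is constructed;
column names are a subset of the real credential report's columns.
"""
import csv
import io
from datetime import datetime, timedelta, timezone

SAMPLE_REPORT = """\
user,arn,password_enabled,mfa_active,access_key_1_active,access_key_1_last_rotated,access_key_2_active,access_key_2_last_rotated
<root_account>,arn:aws:iam::123456789012:root,not_supported,false,true,2023-01-15T09:00:00+00:00,false,N/A
alice,arn:aws:iam::123456789012:user/alice,true,true,true,2024-04-20T08:00:00+00:00,false,N/A
bob,arn:aws:iam::123456789012:user/bob,true,false,false,N/A,false,N/A
ci-deploy,arn:aws:iam::123456789012:user/ci-deploy,false,false,true,2023-11-01T00:00:00+00:00,true,2024-04-01T00:00:00+00:00
"""

MAX_KEY_AGE = timedelta(days=90)                       # assumed rotation policy
NOW = datetime(2024, 5, 1, tzinfo=timezone.utc)        # fixed so the example is deterministic


def _parse_ts(value):
    """Return a datetime for an ISO-8601 field, or None for the report's 'not applicable' markers."""
    if value in ("N/A", "not_supported", "no_information", ""):
        return None
    return datetime.fromisoformat(value)


def audit_credential_report(report_csv, now):
    """Return (user, finding) tuples for every credential-hygiene problem in the report."""
    findings = []
    for row in csv.DictReader(io.StringIO(report_csv)):
        user = row["user"]
        if user == "<root_account>":
            # Root is special: it should have MFA and should never hold access keys.
            if row["mfa_active"] != "true":
                findings.append((user, "root has no MFA"))
            if row["access_key_1_active"] == "true" or row["access_key_2_active"] == "true":
                findings.append((user, "root has active access keys"))
            continue
        # A console password without MFA is the most common finding in real reports.
        if row["password_enabled"] == "true" and row["mfa_active"] != "true":
            findings.append((user, "console password without MFA"))
        # Each user can hold two access keys; check the age of every active one.
        for n in ("1", "2"):
            if row[f"access_key_{n}_active"] == "true":
                rotated = _parse_ts(row[f"access_key_{n}_last_rotated"])
                if rotated is None or now - rotated > MAX_KEY_AGE:
                    findings.append((user, f"access key {n} older than {MAX_KEY_AGE.days} days"))
    return findings


if __name__ == "__main__":
    for user, finding in audit_credential_report(SAMPLE_REPORT, NOW):
        print(f"{user:<16} {finding}")
```

The report only tells you that a key is old or that MFA is absent; confirming whether a stale key is still in use means cross-checking the `access_key_N_last_used_date` columns (omitted here) or the CloudTrail records the "Track who did what and when" principle asks you to keep.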
Do not confuse security groups for EC2 with IAM groups. EC2 security groups
act as firewalls, while IAM groups are collections of users.
What can only the root user do? (3)
- Change the support plan
- Change the account's root email address (and other account settings)
- Close the account
What changes can AWS Config help you identify within EC2?
- Network configuration changes (security groups, ENIs, routes)
- Installed software changes
- OS/system-level updates, and more
(Software and OS-level detail comes from Systems Manager Inventory, which Config records as managed-instance inventory configuration items.)
GuardDuty identifies malicious or unauthorized activities in your AWS account using
machine learning
GuardDuty identifies threats by continuously monitoring _________ activity and ________ within your AWS environment.
network, account behavior
Inspector has built-in rules to assess your EC2 instances, find
vulnerabilities, and report them by level of severity.
Artifact is a central repository for
compliance reports from third-party auditors who have audited AWS
Artifact Use Case? (2)
- Service Organization Controls (SOC) reports
- Payment Card Industry (PCI) reports
Cognito controls access to mobile and web applications by assisting with user ______________ & ____________
Sign-up and sign-in
Provides authentication and authorization
Cognito- Use Case: allows your users to sign in to your application through
social media accounts like Facebook and Google
Key Management Service (KMS) lets you
generate, store, and control encryption keys.
- Enable MFA for privileged users.
- Implement strong password policies.
These are examples of which service's best practices?
IAM best practices
CloudHSM allows you to meet corporate and regulatory compliance requirements for data security by using
dedicated, single-tenant hardware security modules in the cloud.
CloudHSM is a Hardware Security Module (HSM) used to
Generate and manage your own encryption keys
When using CloudHSM AWS does not have access
to your encryption keys
Secrets Manager allows you to store, manage, rotate, and retrieve
secrets (passwords, API keys, and similar credentials).
Secrets Manager has built-in automatic credential rotation for which three database services?
RDS
Redshift
DocumentDB
Amazon Inspector helps to improve the security and compliance of applications by
running automated security assessments.
Amazon Inspector is a service that checks applications for
security vulnerabilities and deviations from security best practices.
From within AWS Artifact you can review,
accept, and manage agreements with AWS.
With AWS Roles you can assume a role to perform a task in a single session and access is assigned
using policies.
These are examples of which service's best practices?
- Create individual users instead of using root.
- Use roles for Amazon EC2 instances.
IAM best practices
Using roles on instances helps protect them from
unauthorized access, because no long-term access keys have to be stored on the instance.
GuardDuty works by looking for threats on your account that are associated with
common techniques used by attackers.