Security & Compliance Flashcards
AWS Shared Responsibility Model
AWS responsibility (security of the cloud): protecting the infrastructure (hardware, software, facilities, and networking) that runs all the AWS services, and the managed services like S3, DynamoDB, RDS, etc.
- According to the Shared Responsibility Model, who is responsible for protecting hardware?
Customer Responsibility - security in the cloud
For EC2 instances, the customer is responsible for management of the guest OS (including security patches and updates), firewall & network configuration, and IAM
Encrypting application data
- According to the Shared Responsibility Model, who is responsible for firewall and network configuration for EC2 Instances?
Shared controls
Patch management, configuration management, awareness & training
What is a DDoS attack?: Distributed Denial of Service
The attacker launches multiple master servers > the master servers launch bots > the bots send requests to our application server.
The application server is not built to handle that many requests, so it stops working > users can no longer access it.
AWS Shield Standard:
- protects against DDoS attacks for your websites and applications, for all customers at no additional cost.
- activated by default for every customer
- free
- Which AWS service’s ONLY role is to safeguard running applications from DDoS attacks?
AWS Shield Advanced:
24/7 premium DDoS protection
AWS WAF
- firewall that filters incoming requests based on rules
- filters specific requests based on rules.
- works at layer 7, which is HTTP (vs. layer 4, which is TCP)
- deployed on Application Load Balancer, API Gateway, and CloudFront
A company would like to protect its web applications from common web exploits that may affect availability, compromise security, or consume excessive resources. Which AWS service should they use?
KMS
- Encryption keys managed by AWS
- we do not have access to the key; AWS manages the key for us. We define who can access the key.
- Which of the following services is managed by AWS and is used to manage encryption keys?
CloudHSM
Hardware encryption; we manage the encryption keys.
- AWS provisions the encryption hardware
CloudHSM keys (custom key store):
- Keys generated from your own CloudHSM hardware device
- Cryptographic operations are performed within the CloudHSM cluster.
Types of Customer Master Key (CMK): Customer managed CMK
- Created, managed and used by the customer; can be enabled or disabled
- Possibility of a rotation policy (new key generated every year, old key preserved)
- Possibility to bring-your-own-key
AWS managed CMK
- created, managed and used on the customer's behalf by AWS
- used by AWS services (aws/s3, aws/ebs, aws/redshift)
AWS owned CMK
- Collection of CMKs that an AWS service owns and manages for use in multiple accounts
- AWS can use those to protect resources in your account (but you cannot view the keys)
GuardDuty
Finds malicious behavior using VPC Flow Logs, DNS logs, and CloudTrail logs
- Intelligent threat discovery to protect AWS account
- Which service is a threat detection service that continuously monitors for malicious activity and unauthorized behavior to protect your AWS accounts and workloads?
AWS Certificate Manager
- provision, manage, and deploy SSL/TLS certificates
- A company would like to secure network communications using SSL & TLS certificates. Which AWS service can it use?
Artifact
Get access to compliance reports such as PCI, ISO, etc.
- Artifact Reports - Allows you to download AWS security and compliance documents from third-party auditors, like AWS ISO certifications, Payment Card Industry (PCI), and System and Organization Control (SOC) reports
- Artifact Agreements - Allows you to review, accept, and track the status of AWS agreements such as the Business Associate Addendum (BAA) or the Health Insurance Portability and Accountability Act (HIPAA) for an individual account or in your organization
Where can you find on-demand access to AWS compliance documentation and AWS agreements?