Security & Compliance Flashcards
AWS Shared Responsibility Model
AWS responsibility - Security of the Cloud
• Protecting infrastructure (hardware, software, facilities, and networking) that runs all the AWS services
• Managed services like S3, DynamoDB, RDS, etc.
Customer responsibility - Security in the Cloud
• For EC2 instances, the customer is responsible for managing the guest OS (including security patches and updates), firewall & network configuration, and IAM
• Encrypting application data
Shared controls:
• Patch Management, Configuration Management, Awareness & Training
Example, for RDS
AWS responsibility:
• Manage the underlying EC2 instance, disable SSH access
• Automated DB patching
• Automated OS patching
• Audit the underlying instance and disks & guarantee it functions
Your responsibility:
• Check the ports / IP / security group inbound rules in DB’s SG
• In-database user creation and permissions
• Creating a database with or without public access
• Ensure parameter groups or DB is configured to only allow SSL connections
• Database encryption setting
Example, for S3
AWS responsibility:
• Guarantee you get unlimited storage
• Guarantee you get encryption
• Ensure separation of the data between different customers
• Ensure AWS employees can’t access your data
Your responsibility:
• Bucket configuration
• Bucket policy / public setting
• IAM user and roles
• Enabling encryption
DDoS Protection on AWS
• AWS Shield Standard: protects your websites and applications against DDoS attacks; enabled for all customers at no additional cost
• AWS Shield Advanced: 24/7 premium DDoS protection
• AWS WAF: Filter specific requests based on rules
CloudFront and Route 53:
• Availability protection using global edge network
• Combined with AWS Shield, provides attack mitigation at the edge
AWS Shield
AWS Shield Standard:
• Free service that is activated for every AWS customer
• Provides protection from attacks such as SYN/UDP floods, reflection attacks and other layer 3/layer 4 attacks
AWS Shield Advanced:
• Optional DDoS mitigation service ($3,000 per month per organization)
• Protects against more sophisticated attacks
• 24/7 access to the AWS DDoS Response Team (DRT)
• Protect against higher fees during usage spikes due to DDoS
AWS WAF – Web Application Firewall
• Protects your web applications from common web exploits (Layer 7)
• Layer 7 is HTTP (vs Layer 4 is TCP)
• Deploy on Application Load Balancer, API Gateway, CloudFront
Define Web ACL (Web Access Control List):
• Rules can include IP addresses
• Protects from common attacks
• Geo-match rules (block countries)
• Rate-based rules (e.g., a user cannot make more than five requests per second)
Penetration Testing on AWS Cloud
AWS customers are welcome to carry out security assessments or penetration tests against their AWS infrastructure without prior approval for 8 services
Prohibited Activities:
• DNS zone walking via Amazon Route 53 Hosted Zones
• Denial of Service (DoS), Distributed Denial of Service (DDoS), Simulated DoS, Simulated DDoS
• Port flooding
• Protocol flooding
• Request flooding
Data at rest vs. Data in transit
• At rest: data stored or archived on a device
• In transit (in motion): data being moved from one location to another
• For both, we rely on encryption keys
AWS KMS (Key Management Service)
• AWS manages the encryption keys for us
Encryption Opt-in:
• EBS volumes: encrypt volumes
• S3 buckets: Server-side encryption of objects
• Redshift database: encryption of data
• RDS database: encryption of data
• EFS drives: encryption of data
Encryption Automatically enabled:
• CloudTrail Logs
• S3 Glacier
• Storage Gateway
CloudHSM
• KMS => AWS manages the software for encryption
• CloudHSM => AWS provisions the encryption hardware
• Dedicated Hardware
• You manage your own encryption keys entirely
Types of Customer Master Keys (CMK)
Customer Managed CMK:
• Created, managed and used by the customer; can be enabled or disabled
• Possibility of a rotation policy
• Possibility to bring your own key
AWS managed CMK:
• Created, managed and used on the customer’s behalf by AWS
• Used by AWS services
AWS owned CMK:
• Collection of CMKs that an AWS service owns and manages for use in multiple accounts
• AWS can use those to protect resources in your account (but you can’t view the keys)
CloudHSM Keys (custom keystore):
• Keys generated from your own CloudHSM hardware device
AWS Certificate Manager (ACM)
Lets you easily provision, manage, and deploy SSL/TLS certificates
• Used to provide in-flight encryption for websites (HTTPS)
• Automatic TLS certificate renewal
Integrations with (loads TLS certificates on):
• Elastic Load Balancers
• CloudFront Distributions
• APIs on API Gateway
AWS Secrets Manager
• Meant for storing secrets
• Capability to force rotation of secrets every X days
• Automate generation of secrets on rotation (uses Lambda)
• Integration with Amazon RDS
• Secrets are encrypted using KMS
• Mostly meant for RDS integration
AWS Artifact
Portal that provides customers with on-demand access to AWS compliance documentation and AWS agreements
• Artifact Reports: Allows you to download AWS security and compliance documents from third-party auditors (ISO, PCI, SOC)
• Artifact Agreements: Allows you to review, accept, and track the status of AWS agreements (BAA, HIPAA)
• Can be used to support internal audit or compliance
Amazon GuardDuty
• Intelligent threat discovery to protect your AWS account
• Uses machine learning algorithms, anomaly detection, and third-party data
• Input data includes: CloudTrail event logs, VPC Flow Logs, DNS logs & Kubernetes audit logs
• Can protect against cryptocurrency attacks
Amazon Inspector
• Automated security assessments
For EC2 instances:
• Leveraging the AWS Systems Manager (SSM) agent
• Analyze against unintended network accessibility
• Analyze the running OS against known vulnerabilities
• For container images pushed to Amazon ECR
• Send findings to Amazon EventBridge
What does Amazon Inspector evaluate?
• Only for EC2 instances and container infrastructure
• Continuous scanning of the infrastructure, only when needed
• Package vulnerabilities (EC2 & ECR) – database of CVE
• Network reachability (EC2)
• A risk score is associated with all vulnerabilities for prioritization
AWS Config
• Helps with auditing and recording compliance of your AWS resources
• Helps record configurations and changes over time
• AWS Config is a per-region service
• You can receive alerts (SNS notifications) for any changes
• Can be aggregated across regions and accounts
AWS Config Resource
• View compliance of a resource over time
• View configuration of a resource over time
• View CloudTrail API calls, if enabled
Amazon Macie
Macie is a fully managed data security and data privacy service that uses machine learning and pattern matching to discover and protect your sensitive data in AWS.
• Macie helps identify and alert you to sensitive data, such as personally
AWS Security Hub
Central security tool to manage security across several AWS accounts and automate security checks
• Integrated dashboards showing current security and compliance status to quickly take actions
• Automatically aggregates alerts in predefined or personal findings formats from various AWS services & AWS partner tools
• Must first enable the AWS Config Service
Amazon Detective
Analyzes, investigates, and quickly identifies the root cause of security issues or suspicious activities (using ML and graphs)
• Automatically collects and processes events from VPC Flow Logs, CloudTrail and GuardDuty, and creates a unified view
• GuardDuty, Macie, and Security Hub are used to identify potential security issues, or findings
AWS Abuse
Report suspected AWS resources used for abusive or illegal purposes
• Abusive & prohibited behaviors are: Spam, Port scanning, DoS or DDoS attacks, Intrusion attempts, Hosting objectionable or copyrighted content & Distributing malware
Root user privileges
• Do not use the root account for everyday tasks, even administrative tasks
Actions that can be performed only by the root user:
• Change account settings
• Change or cancel your AWS Support plan
• Close your AWS account
• Register as a seller in the Reserved Instance Marketplace
• View certain tax invoices