Security & Compliance

Question 1

Shared Responsibility Model

Answer 1

• AWS: security OF the cloud
• Customer: security IN the cloud
• shared controls
• • patches, configuration mgmt, awareness, training

Question 2

AWS DDoS Protection

Answer 2

• AWS Shield Standard
• AWS Shield Advanced
• AWS WAF
• CloudFront & R53
• auto-scaling

Question 3

AWS Shield

Answer 3

• Standard
• • Free
• • helps with SYN/UDP, reflection, layer 3/4
• Advanced
• • $3k/mon per or
• • More sophisticated protection across more services
• • 24/7 response

Question 4

AWS WAF

Answer 4

• layer 7 exploits
• deploy on ALB, API Gateway, CloudFront
• Define ACLs
• • rules to protect all sort of IP/HTTP stuff
• • also SQL injection and XSS attacks
• • geo match
• • rate based rules

Question 5

AWS Network Firewall

Answer 5

protect your VPC overall

• from layer 3 to layer7 protection in and out
• to and from direct connect or site to site
• operates at VPC level

Question 6

AWS Firewall Manager

Answer 6

• manage security rules in all accounts of organization
• common set of security rules / security groups
• manage VPC security groups across multiple accounts
• also WAF rules, AWS Shield advanced, Network firewall
• Rlues applied to all new resources as created

Question 7

Penetration Testing

Answer 7

• attack your own infra to test security
• customers can do it without prior approval for…
• • ec2, NAT, ELB, RDS, CloudFront, Aurora, API gateway, Lambda, Lightsail, Elastic Beanstalk
• other activities are prohibied
• • no DNS zone walking
• • no DoS or DDoS
• • no port flooding, request flodding
• contact aws-security-simulated-event@amazon.com to coordinate with AWS

Question 8

AWS KMS

Answer 8

Key Management Service

• Encryption = KMS usually
• KMS = AWS manages the encryption keys
• Encryption opt-in
• • EBS, S3, Resdshift, RDS, EFS
• Automatic enabled
• • CloudTrail logs, S3 Glacier, Storate Gateway

Question 9

CloudHSM

Answer 9

• AWS provisions encryption hardware
• HSM = hardware security module
• dedicated unit
• you manage keys not AWS
• Tamper resistances

Question 10

Types of KMS Keys

Answer 10

• customer managed key
• • created managed used by customer
• • define rotation policy
• • bring your own key
• AWS managed key
• • created managed used by AWS for customer
• • used when encryption managed by AWS aws/s3, etc.
• AWS Owned keys
• • collection of CMKs that aws owns and manages
• CloudHSM Key

Question 11

AWS ACM

Answer 11

Amazon Certificate Manager

• SSL/TLS
• for HTTPS
• public/private certs
• free for public TLS
• integration (loads on ELBs, cloudfronts, etc.)

Question 12

AWS Secrets Manager

Answer 12

• Store secrets
• Force rotation on a schedule
• automate generation using lambda
• integration with RDS
• Encrypted with KMS
  mostly means for RDS

Question 13

AWS Artifact

Answer 13

Not really a service, but presented as one
Support compliance and audit

• portal to compliance reports and AWS agreements
• Artifact reports: ISO certs, PCI, SOC
• Artifact agreements: HIPAA, BAA, etc.

Question 14

Amazon GuardDuty

Answer 14

Threat discover using ML
* one click enable, 30 day trial
* * looks at CloudTrail event logs, management events, S3 data events
* * VPC flow logs
* * DNS logs
* * optional analysis of EKS, RDS, etc.
* Set up EventBridge rules with findings (Lambda SNS)
* can protect against crypto attack

Question 15

Amazon Inspector

Answer 15

• run automated security assesments to gen risk score
• Ec2 instances with SSM (system manager agent)
• • looks for network access and OS vulns, CVEs
• for container images pushed to ECR
• • analyzed on push
• lambda
• • analyzed when deployed
• reports into AWS security hub, and/or EventBridge

Question 16

Config

Answer 16

• audit and record the compliance of AWS services*
  not free
• helps record configurations and changes over time
• store config data in S3 (analyzed by Athena)
• Questions that can be solved…
• • is there unrestricted SSH access to security groups
• • do buckets have publish access
• • how has alb changed over time
• Per region service, can be aggregated

Question 17

Macie

Answer 17

Looks for PII

• data security and privacy using ML
• alert around PII
• notification with EventBridge (lambda, SNS, etc.)
• one click to enable on S3 bucket

Question 18

AWS Security Hub

Answer 18

• central security tools across accounts
• integrated dashboards showing security and compliance status
• Aggregates alerts from a ton of services

Config, GuardDuty, Inspector, Macie, IAM access analyzer, AWS system manager, AWS firewall manager, AWS health, AWS partner network solutions

• must enable AWS config to make it work

Question 19

Amazon Detective

Answer 19

• When Guardduty, Macie, etc. have findings,
• Detective is used for analyzing findings
• Uses ML and graphs to find root cause of security or suspicious issues
• Automatically collects and processes events from VPC flow logs, CloudTrail, GuardDuty for unified view
• Visualizations with details and context

Question 20

AWS Abuse

Answer 20

• to report suspected abusive or illegal purposes
• • SPAM
• • port scanning
• • DoS or DDoS
• • intrusion attempts
• • bad content
• • malware hosting

abuse@amazonaws.com

Question 21

Root user priviledges

Answer 21

• root user = account owner
• complete access to all resources and services
• lock the root user and the access keys and don’t use
• Change the account settings (namew, email, password
• certain tax invoices
• Close the AWS account
• Restore IAM permissions
• Change or cancel AWS support plan
• Register as seller in reserved instance marketplace
• Configure S3 bucket for MFA
• Edit or delte S3 buck policy that includes bad VPC
• Sign up for GovCloud

Question 22

IAM Access Analyzer

Answer 22

• Find out which resources are shared externally
• • S3 buckets
• • IAM Roles
• • KMS keys
• • Lambda functions and layers
• • SQS queues
• • Secrets manager secrets
• Define Zone of trust
• Anything outside is reported as a finding