Security, Compliance and Governance Flashcards
What is the shared responsibility model?
A model that shows who is responsible for what.
What is the main responsibility of AWS according to the Shared Responsibility Model?
AWS is responsible for the security ‘of’ the cloud.
- hardware
- underlying software
What is the main responsibility of the customer according to the Shared Responsibility Model?
As a customer you are responsible for the security ‘in’ the cloud:
- data in the cloud
- network and firewall config
- Encryption of data
Who is responsible for keeping all EC2 instances up to date?
You, as the customer
Who is responsible for server-side encryption?
You, as the customer
Who is responsible for security of AWS Managed Services like RDS?
AWS is. If you host your DB on an EC2 server you, as the user, are responsible. When using RDS to run your DB, AWS is responsible.
The customer stays responsible for the network and for who has access.
What is the principle of least privilege?
This states that you should only grant the permissions needed to complete a task.
What are granular permissions?
Specific parts of a service that someone has access to. To achieve this we need to have IAM in place.
What is stated in IAM Policies?
The permissions for users, user groups and IAM roles (resources can also have a role).
What is best practice for IAM access keys?
Rotate them regularly, so the chance of a key getting ‘stolen’ is reduced.
Do IAM role keys rotate automatically?
yes
What does IAM Access Analyzer do?
- Identify resources with external access
- Validate IAM Policies
- Generate IAM policies based on usage
What does IAM Policy Simulator do?
- Test new IAM policies before granting them to users, groups or roles
What is federated identity?
Using an external identity provider (like Microsoft AD -> single sign-on) to verify someone’s identity.
What is IAM Identity Center?
The service that gives a user a (temporary) role when they log in via single sign-on.
What is Amazon Cognito?
- Create user pools and grant temporary access keys
- Leverage social or identity providers for authentication.
What does AWS Directory Service do?
- Connect our AWS ecosystem to an existing MS AD
- Host a managed Microsoft AD on AWS
What does AWS Security Token Service (STS) do?
Provides temporary access, e.g. read-only access for an audit.
What is Amazon Macie?
A service that searches your S3 buckets for personally identifiable information and encrypts it.
What is Key Management Service (KMS)?
Provides keys for EBS and other resources like RDS.
What does AWS Certificate Manager do?
Provision, deploy, renew SSL/TLS certificates
What does Systems Manager Parameter Store do?
Keeps parameters secure. For example, when an EC2 instance needs access to a database, you keep the login credentials safe in Systems Manager Parameter Store.
What does Secrets Manager do?
Adds an extra layer of protection on top of Systems Manager Parameter Store by automatically rotating your secrets.
True/false: new S3 buckets are always encrypted (unless encryption is disabled).
True
What is a Network Access Control List (NACL)?
Stateless access control in your VPC and subnets.
Stateless means it doesn’t care about in- or outgoing traffic.
What do security groups do for Network access control?
Provide stateful access control.
Stateful means it checks whether it’s incoming or outgoing traffic.
What does AWS Network Firewall do?
A firewall goes further than security groups and NACLs.
A firewall can define complex rules to inspect traffic within your VPCs.
What does AWS Web Application Firewall (WAF) do?
Protects your web application against the most common exploits,
like SQL injection and cross-site scripting.
What is AWS Shield?
Protects you against DDoS attacks.
What are the costs of the different AWS Shield services?
Shield Standard -> free
Shield Advanced -> paid, but with 24/7 access to a DDoS support team
What is AWS Firewall Manager?
The central place where you manage:
- AWS Firewall
- AWS WAF
- AWS Shield
What is AWS Security Hub?
The hub where you see prioritized findings (security risks). Services that are connected are:
- Firewall Manager
- Macie
- IAM Access manager
- Guard Duty
- Systems Manager
What does AWS Guard Duty do?
Tracks activity logs and scans for malicious behavior using machine learning
What does AWS Inspector do?
Inspects workloads for vulnerabilities and network access.
What does Amazon Detective do?
Used for analyzing security events that already happened.
What does Amazon Inspector do?
Inspects/scans workloads for software vulnerabilities and network exposure (checks Lambdas, EC2 instances, etc.).
What is AWS Cloud Security?
The main landing page for security information.
What is on the AWS Security blog?
The blog helps you stay up to date on announcements and innovations in security.
What is on the AWS marketplace?
Here you find pre-built security solutions from third-party vendors.
What does AWS Organizations do?
Administer multiple AWS accounts from a single point. Here you have:
- an overview of all costs
- ability to organize and limit access to resources
What is AWS Control Tower?
Automates account creation and the application of best-practice config rules and SCPs. It provides automated guardrails.
What is AWS Artifact?
Download AWS security and other compliance documents and provide them to regulators to inform them about your cloud architecture.
What does AWS Audit Manager do?
Automates assessments against frameworks designed to meet common compliance standards.
Whose responsibility is it to demonstrate being compliant (with GDPR or other security regulations)?
The customer is ultimately responsible, but AWS and the customer share this.