Security, Identity & Compliance Flashcards
Where can you apply SCPs
At the OU or Account level
Which roles are not affected by SCPs
Service-linked roles because they enable other AWS services to integrate with AWS Organizations
What are the default permissions on Organization OUs
Nothing is allowed by default. An SCP must have an explicit Allow from the root down to each OU.
In which order are IAM policies evaluated?
- SCP
- Resource-based policies
- Identity-based policies
- IAM permissions boundaries
- Session policies
How can you restrict specific tags on resources
Using the aws:TagKeys condition key in IAM policies, or the aws:RequestTag/key condition key in an SCP
AWS Organizations - Tag Policies
Ensure consistent tags by defining keys and their allowed values
What are AI Services opt-out policies
An Organizations policy that prevents your content from being stored or used by AWS AI services
AWS IAM identity Center
One login for all:
1. AWS accounts in Organizations
2. Business Cloud Applications
3. SAML 2.0 enabled applications
4. EC2 Windows Instances
IAM Identity Center Permission Set
Grants access to a user or group in a list of target AWS accounts or OUs within your Organization. Creates corresponding IAM roles in each account and attaches the specified policies.
AWS IAM Identity Center
Attribute-Based Access Control
Fine-grained permissions based on user attributes. Define permissions once, then modify access by changing the attributes.
AWS Config Aggregators
Collects configuration data from multiple accounts:
1. Individual accounts aggregator
2. Organization aggregator
AWS Config rules for global services
Should be created in a single region to avoid duplicate copies and save costs.
Auto-enable feature in Security Hub
Automatically enables Security Hub in all existing and future Organization accounts, designating a central account as the administrator
AWS Firewall Manager
Common Security Group Policy
You can centrally configure and manage SGs across all your accounts in Organizations, while still allowing developers to deploy specific SG rules.
The policies are mapped to resources by specific tags
AWS Firewall Manager prerequisites
- Use AWS Organizations
- Designate one account as the administrator
- Enable AWS Config for all the accounts
AWS Control Tower
Easy way to set up and govern a secure and compliant multi-account AWS environment based on best practices
AWS Control Tower
Account Factory
Create pre-approved baselines and configurations to automate account provisioning
AWS Control Tower
Guardrails
Detect and remediate policy violations:
1. Preventive - SCPs
2. Detective - AWS Config
Resource Access Manager
Sharing VPC Subnets
Allows all resources to be launched in the same subnet
1. Cannot view, modify or delete resources in other accounts
2. Can communicate between resources in the same VPC
3. Security Groups from other accounts can be referenced
Resource Access Manager
Managed Prefix List
A set of one or more CIDR blocks that you can reference in SGs and Route Tables.
Resource Access Manager
Route53 Outbound Resolver
Scale forwarding rules of your DNS in multiple accounts and VPCs
CloudTrail
Insights
Detects unusual activity. Analyzes normal management activity to create a baseline and then continuously analyzes write events to detect unusual patterns.
Integrate IAM Access Analyzer findings into Security Hub
Can be integrated directly by enabling the integration setting in IAM Access Analyzer. This ensures that findings are automatically pushed to Security Hub.
Amazon Detective
Analyze, investigate and quickly identify the root cause of potential security issues or suspicious activity in a region.
Parameter Store
Parameters Policies
Allow assigning a TTL to a parameter to force sensitive data such as passwords to be updated or deleted
RDS
Transparent Data Encryption
Available for Oracle and SQL Server. Automatically encrypts data before it is written to storage, and automatically decrypts data when the data is read from storage.
Server Name Indication
Solves the problem of loading multiple SSL certificates onto one web server (to serve multiple websites). Only works for ALB, NLB and CloudFront.
Amazon Detective
Role session analysis
Provides visibility into role usage, cross-account role assumption, and any role chaining activities performed across multiple accounts.
Add accounts to AWS Organizations
- Invite existing AWS accounts to join your organization from the management account
- Create a member account in the organization with AWS Organizations
Where does ACM load SSL certificates?
- Load Balancers
- CloudFront distributions
- APIs on API Gateway
Cloud HSM
SSL Offloading
- The server sends its certificate.
- The client generates a premaster secret and encrypts it with the server’s public key.
- To decrypt the client’s premaster secret, the server sends it to the HSM. The HSM decrypts it with the private key and sends the premaster secret back to the server.
- For the rest of the session, all messages sent between the client and the server are encrypted with derivatives of the master secret.
S3 pre-signed URLs
Users given a pre-signed URL inherit the permissions of the identity that generated the URL, for GET / PUT
IAM Access Information
IAM provides last accessed information to help you identify unused permissions so that you can remove them.
IAM
Create SAML Identity Provider
- Get the SAML metadata document from your IdP.
- Add a provider and assign an IAM role to give external user identities permissions to access AWS resources in your account.
- You must tell the IdP about AWS as a service provider. This is called a relying party trust between your IdP and AWS.
- Configure SAML assertions for the authentication response
S3 Access Points
Create unique access control policies for each access point to easily control access to shared datasets. Any access point can be restricted to a VPC.
S3 Multi Region Access Point
Provides a global endpoint for routing S3 request traffic between regions. Considers factors such as network congestion and the location of the request to dynamically route your requests to the closest copy of your data.
S3 Object Lambda
Add code to S3 GET, LIST, and HEAD requests to modify and process data as it is returned to an application. Reduces the need to create and store derivative copies of your data or to run proxies.
Amazon Cognito Identity Pools
Provide temporary AWS credentials for guest users and for users who have been authenticated and received a token.
Amazon Cognito User Pools
User directory for web and mobile app authentication and authorization.
An Amazon Cognito user pool and identity pool used together
- Your app user signs in through a user pool and receives OAuth 2.0 tokens.
- Your app exchanges a user pool token with an identity pool for temporary AWS credentials.
- Your app assigns the credential session to your user
IAM
OIDC Federation
Exchange a JWT for temporary security credentials in AWS that map to an IAM role with permissions to use specific resources in your AWS account.
Which rules can be managed with AWS Firewall Manager?
- WAF Rules
- Shield Advanced
- Security Groups
- Network Firewall
- Route53 resolver DNS Firewall
Amazon Inspector
Where can you run automated security assessments?
- EC2 instances with SSM
- Container Images on ECR
- Lambda Functions
AWS Config Rules
Audit and record compliance of resources. Does not prevent actions from happening.
* Remediation can be done through AWS SSM automations
Amazon GuardDuty
Intelligent threat discovery from CloudTrail event logs, VPC Flow Logs and DNS logs
IAM Conditions Examples
- aws:SourceIp: Restrict the client IP
- aws:RequestedRegion
- ec2:ResourceTags: Restrict based on tags
- aws:MultiFactorAuthPresent
- aws:PrincipalOrgID: Limit to member accounts of an organization
AWS Security Hub
Central security tool to manage security across several AWS accounts and automate security checks
Sources for Security Hub
- Macie
- GuardDuty
- Inspector
- Config
- Firewall Manager
- IAM Access Analyzer
- Systems Manager
- Health
View last accessed information for Organizations
In the IAM console, from the Organizations management account, view the access reports for organization activity