Security in the cloud

Question 1

Shared responsibility model

Answer 1

While AWS manages security of the cloud, security in the cloud is responsibility of the customer. Customers retain control of what security they choose to implement to protect their own content, platform, applications, systems and networks, no differently than they would in an on-site datacenter.

Question 2

AWS WAF

Answer 2

Web Application Firewall

Is a web application firewall that helps protect your web applications from common web exploits that could affect application availability, compromise security, or consume excessive resources.

Operate at level 7

Question 3

AWS Shield

Answer 3

Is a managed distributed deniel of service (DDoS) protection service that safeguards web applications running on AWS. AWS Shield provides always-on detection and automatic inline mitigations that minimize application downtime and latency, so there is non need to engage AWS Support to benefit from DDoS protection. There are two tiers of AWS Shield - Standard and Advanced.

Question 4

Amazon Inspector

Answer 4

Is an automated security assessment service that helps improve the security and compliance of applications deployed on AWS. It automatically assesses applications for vulnerabilities or deviations from best practices.

After performing assessment, it produces a detailed list of security findings priortized by level of severity. These findings can be reviewed directly or as part of detailed assessment reports which are available via Amazon Inspector console or API.

Question 5

AWS trusted advisor

Answer 5

An online resource to help you reduce cost, increase performance, and improve security by optimizing your AWS env. Trusted Advisor provides real time guidance to help you provision your resources following AWS best practices. Advisor will advise you on Cost Optimization, performance, security, fault tolerance.

1. Core checks and recommendations (FREE)
2. Full trusted advisor - Business and enterprise companies only

Question 6

AWS CloudTrail

Answer 6

It increases visibility into your user and resource activity by recording AWS management console actions and API calls. You can identify which users and accounts called AWS, the source IP address from which the calls were made, and when the calls occurred.

Question 7

Cloudwatch vs AWS Config

Answer 7

• Cloudwatch is used for monitoring performance

- AWS Config is used to monitor configurations of your AWS Resources.

Question 8

Trusted Advisor key services

Answer 8

• Cost optimizations
• Performance
• Security
• Fault tolerance
• Service limits

Question 9

AWS Penetration testing

Answer 9

Simulated cyber attack against your computer system to check for exploitable vulnerabilities.

Can be tests on 8 services without prior approval

• EC2 instances, NAT gateways, ELB’s
• RDS
• CloudFront
• Aurora
• API gateway
• Lambda and Lambda edge functions
• Lightsail resources
• Elastic beanstalk environments

Question 10

AWS KMS

Answer 10

Works at regional basis.

1. Secure key management and encryption and decryption.
2. Manages customer master keys
3. Ideal for S3 objects, database passwords and API keys stored in system manager parameter store.
4. Encrypt and decrypt data, up to 4 KB in size.
5. Integrated with most AWS services.
6. Is on shared hardware.

Question 11

CloudHSM

Answer 11

1. Dedicated hardware security module (HSM)
2. More expensive
3. Compliant FIPS 140-2 Level 3
4. Single tenant, dedicated hardware, multi-AZ cluster

Question 12

Parameter Store

Answer 12

• Component of Systems Manager (SSM)
• Secure serverless storage for configuration and secrets.
• Values can be stored encrypted (KMS) or plaintext
• Set TTL to expire values such as passwords
• No cost to use, however limit of 10000 parameters per account.

Question 13

Secrets Manager

Answer 13

• Charge per secret stored and per 10000 API calls
• Automatically rotate secrets
• Apply the new key.password in RDS for you
• Generate random secrets.

Question 14

Amazon GuardDuty

Answer 14

• Intelligent threat protection for accounts and workloads
• Uses machine learning algorithms
• One click to enable (30 day trial)
• Input data includes
  => Cloudtrail event logs
  => VPC flow logs
  => DNS logs

Question 15

AWS Control tower

Answer 15

• The easiest way to set up and govern a new, secure, multi account AWS environment
• Allows you to provision multiple AWS accounts in few minutes
• Those accounts will conform to company policies
• Used for large enterprises with multiple AWS accounts

Question 16

AWS Security hub

Answer 16

• A comprehensive view of your security alerts across multiple AWS accounts

Provides a single place that aggregates, organises, and prioritises your security alerts or findings from multiple AWS services - such as GuardDuty, Inspector, Amazon Macie, IAM access analyzer and AWS Firewall manager - across multiple AWS accounts.

Question 17

Compromised IAM credentials

Answer 17

1. Determine what resources those credentials have access to
2. Invalidate the credentials so they can no longer be used to access your account.
3. Consider invalidating any temporary security credentials that might have been issued using the credentials.
4. Restore appropriate access
5. Review access to your AWS account

Question 18

Athena

Answer 18

Interactive query service which enables you to analyse and query data located in S3 using SQL

• Serverless, nothing to provision, pay per query/ per TB scanned
• No need to setup complex Extract/Transform/Load (ETL) processes.
• Works directly with data stored in S3
• Can be used to query files stored in S3
• Generate business reposts on data stored in S3.
• Analyse AWS cost and usage reports
• Run queries on click-stream data

Question 19

Macie

Answer 19

security service which uses Machine learning and NLP to discover, classify and protect sensitive data stored in S3

• Uses AI to recognise if your S3 objects contain sensitive data such as PII
• Dashboards, reporting and alerts
• Works directly with data stored in S3
• Can also analyse cloudtrail logs
• Great for PCI-DSS and preventing ID theft

Question 20

Artifact

Answer 20

Use to retrieve compliance reports