Security in the cloud Flashcards
Shared responsibility model
While AWS manages security of the cloud, security in the cloud is the responsibility of the customer. Customers retain control of what security they choose to implement to protect their own content, platform, applications, systems and networks, no differently than they would in an on-site datacenter.
AWS WAF
Web Application Firewall
Is a web application firewall that helps protect your web applications from common web exploits that could affect application availability, compromise security, or consume excessive resources.
Operates at layer 7
AWS Shield
Is a managed distributed denial of service (DDoS) protection service that safeguards web applications running on AWS. AWS Shield provides always-on detection and automatic inline mitigations that minimize application downtime and latency, so there is no need to engage AWS Support to benefit from DDoS protection. There are two tiers of AWS Shield - Standard and Advanced.
Amazon Inspector
Is an automated security assessment service that helps improve the security and compliance of applications deployed on AWS. It automatically assesses applications for vulnerabilities or deviations from best practices.
After performing an assessment, it produces a detailed list of security findings prioritized by level of severity. These findings can be reviewed directly or as part of detailed assessment reports which are available via the Amazon Inspector console or API.
AWS Trusted Advisor
An online resource to help you reduce cost, increase performance, and improve security by optimizing your AWS environment. Trusted Advisor provides real-time guidance to help you provision your resources following AWS best practices. It advises you on cost optimization, performance, security, and fault tolerance.
- Core checks and recommendations (FREE)
- Full Trusted Advisor - Business and enterprise companies only
AWS CloudTrail
It increases visibility into your user and resource activity by recording AWS Management Console actions and API calls. You can identify which users and accounts called AWS, the source IP address from which the calls were made, and when the calls occurred.
CloudWatch vs AWS Config
- CloudWatch is used for monitoring performance
- AWS Config is used to monitor configurations of your AWS Resources.
Trusted Advisor key services
- Cost optimizations
- Performance
- Security
- Fault tolerance
- Service limits
AWS Penetration testing
Simulated cyber attack against your computer system to check for exploitable vulnerabilities.
Tests can be run on 8 services without prior approval
- EC2 instances, NAT gateways, ELBs
- RDS
- CloudFront
- Aurora
- API Gateway
- Lambda and Lambda@Edge functions
- Lightsail resources
- Elastic Beanstalk environments
AWS KMS
Works on a regional basis.
1. Secure key management and encryption and decryption.
2. Manages customer master keys
3. Ideal for S3 objects, database passwords and API keys stored in Systems Manager Parameter Store.
4. Encrypt and decrypt data, up to 4 KB in size.
5. Integrated with most AWS services.
6. Is on shared hardware.
CloudHSM
- Dedicated hardware security module (HSM)
- More expensive
- FIPS 140-2 Level 3 compliant
- Single tenant, dedicated hardware, multi-AZ cluster
Parameter Store
- Component of Systems Manager (SSM)
- Secure serverless storage for configuration and secrets.
- Values can be stored encrypted (KMS) or plaintext
- Set TTL to expire values such as passwords
- No cost to use; however, there is a limit of 10000 parameters per account.
Secrets Manager
- Charge per secret stored and per 10000 API calls
- Automatically rotate secrets
- Applies the new key/password in RDS for you
- Generate random secrets.
Amazon GuardDuty
- Intelligent threat protection for accounts and workloads
- Uses machine learning algorithms
- One click to enable (30 day trial)
- Input data includes
=> CloudTrail event logs
=> VPC flow logs
=> DNS logs
AWS Control Tower
- The easiest way to set up and govern a new, secure, multi account AWS environment
- Allows you to provision multiple AWS accounts in a few minutes
- Those accounts will conform to company policies
- Used for large enterprises with multiple AWS accounts