Security in the cloud Flashcards

1
Q

Shared responsibility model

A

While AWS manages security of the cloud, security in the cloud is the responsibility of the customer. Customers retain control of what security they choose to implement to protect their own content, platform, applications, systems and networks, no differently than they would in an on-site datacenter.

2
Q

AWS WAF

A

Web Application Firewall

A web application firewall that helps protect your web applications from common web exploits that could affect application availability, compromise security, or consume excessive resources.

Operates at layer 7 (the application layer).

3
Q

AWS Shield

A

A managed distributed denial of service (DDoS) protection service that safeguards web applications running on AWS. AWS Shield provides always-on detection and automatic inline mitigations that minimize application downtime and latency, so there is no need to engage AWS Support to benefit from DDoS protection. There are two tiers of AWS Shield: Standard and Advanced.

4
Q

Amazon Inspector

A

An automated security assessment service that helps improve the security and compliance of applications deployed on AWS. It automatically assesses applications for vulnerabilities or deviations from best practices.

After performing an assessment, it produces a detailed list of security findings prioritized by level of severity. These findings can be reviewed directly or as part of detailed assessment reports, which are available via the Amazon Inspector console or API.

5
Q

AWS Trusted Advisor

A

An online resource to help you reduce cost, increase performance, and improve security by optimizing your AWS environment. Trusted Advisor provides real-time guidance to help you provision your resources following AWS best practices. It advises you on cost optimization, performance, security and fault tolerance.

  1. Core checks and recommendations (FREE)
  2. Full Trusted Advisor - Business and Enterprise support plans only

6
Q

AWS CloudTrail

A

It increases visibility into your user and resource activity by recording AWS management console actions and API calls. You can identify which users and accounts called AWS, the source IP address from which the calls were made, and when the calls occurred.

7
Q

CloudWatch vs AWS Config

A
  • CloudWatch is used for monitoring performance.
  • AWS Config is used to monitor the configurations of your AWS resources.

8
Q

Trusted Advisor key services

A
  • Cost optimizations
  • Performance
  • Security
  • Fault tolerance
  • Service limits
9
Q

AWS Penetration testing

A

A simulated cyber attack against your computer system to check for exploitable vulnerabilities.

Penetration tests can be run against 8 services without prior approval:
- EC2 instances, NAT gateways, ELBs
- RDS
- CloudFront
- Aurora
- API gateway
- Lambda and Lambda edge functions
- Lightsail resources
- Elastic beanstalk environments

10
Q

AWS KMS

A

Works on a regional basis.
1. Secure key management and encryption and decryption.
2. Manages customer master keys.
3. Ideal for S3 objects, database passwords and API keys stored in Systems Manager Parameter Store.
4. Encrypt and decrypt data, up to 4 KB in size.
5. Integrated with most AWS services.
6. Is on shared hardware.

11
Q

CloudHSM

A
  1. Dedicated hardware security module (HSM)
  2. More expensive
  3. FIPS 140-2 Level 3 compliant
  4. Single tenant, dedicated hardware, multi-AZ cluster
12
Q

Parameter Store

A
  • Component of Systems Manager (SSM)
  • Secure serverless storage for configuration and secrets.
  • Values can be stored encrypted (KMS) or plaintext
  • Set TTL to expire values such as passwords
  • No cost to use; however, there is a limit of 10,000 parameters per account.

13
Q

Secrets Manager

A
  • Charged per secret stored and per 10,000 API calls
  • Automatically rotates secrets
  • Applies the new key/password in RDS for you
  • Generates random secrets

14
Q

Amazon GuardDuty

A
  • Intelligent threat protection for accounts and workloads
  • Uses machine learning algorithms
  • One click to enable (30 day trial)
  • Input data includes
    => CloudTrail event logs
    => VPC flow logs
    => DNS logs

15
Q

AWS Control Tower

A
  • The easiest way to set up and govern a new, secure, multi-account AWS environment
  • Allows you to provision multiple AWS accounts in a few minutes
  • Those accounts will conform to company policies
  • Used by large enterprises with multiple AWS accounts

16
Q

AWS Security Hub

A
  • A comprehensive view of your security alerts across multiple AWS accounts

Provides a single place that aggregates, organises, and prioritises your security alerts or findings from multiple AWS services - such as GuardDuty, Inspector, Amazon Macie, IAM Access Analyzer and AWS Firewall Manager - across multiple AWS accounts.

17
Q

Compromised IAM credentials

A
  1. Determine what resources those credentials have access to
  2. Invalidate the credentials so they can no longer be used to access your account.
  3. Consider invalidating any temporary security credentials that might have been issued using the credentials.
  4. Restore appropriate access
  5. Review access to your AWS account
18
Q

Athena

A

Interactive query service which enables you to analyse and query data located in S3 using SQL.
- Serverless, nothing to provision; pay per query (per TB scanned)
- No need to set up complex Extract/Transform/Load (ETL) processes
- Works directly with data stored in S3
- Can be used to query files stored in S3
- Generate business reports on data stored in S3
- Analyse AWS cost and usage reports
- Run queries on click-stream data

19
Q

Macie

A

Security service which uses machine learning and NLP to discover, classify and protect sensitive data stored in S3.
- Uses AI to recognise whether your S3 objects contain sensitive data such as PII
- Dashboards, reporting and alerts
- Works directly with data stored in S3
- Can also analyse CloudTrail logs
- Great for PCI-DSS compliance and preventing ID theft

20
Q

Artifact

A

Used to retrieve compliance reports.