Security - Protecting AWS Credentials Flashcards
1
Q
Security - Fundamentals
A
- Security is about protecting data. CIA triad refers to Confidentiality, Integrity, and Availability
- Confidentiality: means that only authorized parties can access data. Examples: ACLs and encryption
- Integrity: means that data has not been improperly modified. Includes being able to know whether data has been modified
- Availability: means that authorized parties have access to data when they need it. Includes protecting systems that store, process, and deliver data
2
Q
Security - Considerations
A
- Employ defense in depth: protect the CIA triad of data by securing everything that touches the data, including storage, compute, and networking
- Levels of architecture to secure:
- AWS services: it is the user's responsibility to configure them properly
- Operating systems: secure them on EC2 instances
- Applications
3
Q
Shared Responsibility Model
A
4
Q
IAM - Characteristics
A
- User / group policies, known as inline policies, are embedded in the user / group itself. They are not available to other users
- With Access Advisor you can see which services are allowed and when the user last accessed each service
- There are no additional charges for using this service
5
Q
IAM Groups
A
- They’re collections of users and have policies attached to them
- A group is not an identity and cannot be identified as a principal in an IAM policy
- Only users and services can assume a role to take on permissions, not groups
6
Q
IAM - Credential types
A
- Root user: has full access to all AWS resources, one root user exists per account
- IAM (non-root) principal / identity: can be a user or a role
7
Q
IAM - IAM principal / identity
A
- IAM roles:
- A role can be of two types: user role or service role (for services, e.g. one that allows CloudTrail to authenticate to CloudWatch Logs)
- A role is assumed, so a user / service gets temporary credentials and does what the policy attached to the role determines
- Can perform actions on AWS services and resources
- Policies determine what permissions the principal has
- Principals don't have permissions by default
8
Q
IAM - Custom policies
A
- Consist of one or more permission statements, which have four mandatory elements:
- Effect: allow or deny access to a resource or service
- Service
- Action / operation (e.g. change password)
- Resource of the service considered (e.g. ENIs, security groups, AMIs for the EC2 service)
- Optional request condition (e.g. MFA, IP range, time)
9
Q
IAM - AWS managed policies
A
- Cover a variety of common scenarios. Updated regularly to include new services and actions
- An explicit deny effect takes precedence over an allow effect