Security - Protecting AWS Credentials Flashcards

1
Q

Security - Fundamentals

A
  • Security is about protecting data. The CIA triad refers to Confidentiality, Integrity, and Availability
  • Confidentiality: means that only authorized parties can access data. Examples: ACLs and encryption
  • Integrity: means that data has not been improperly modified. Includes being able to tell whether data has been modified
  • Availability: means that authorized parties have access to data when they need it. Includes protecting the systems that store, process, and deliver data
2
Q

Security - Considerations

A
  • Employ defense in depth: protect the CIA triad of data by securing everything that touches the data, including storage, compute, and networking
  • Levels of architecture to secure:
    • AWS services: it is the user's responsibility to configure them properly
    • Operating systems: secure the operating system on EC2 instances
    • Applications
3
Q

Shared Responsibility Model

A
4
Q

IAM - Characteristics

A
  • User / group policies, known as inline policies, are embedded in the user / group itself. They are not available to other users
  • With Access Advisor you can see which services a user is allowed to use, and when the user last accessed each service
  • There are no additional charges for using this service
5
Q

IAM Groups

A
  • They are collections of users and have policies attached to them
  • A group is not an identity and cannot be specified as a principal in an IAM policy
  • Only users and services can assume a role to take on its permissions, not groups
6
Q

IAM - Credential types

A
  • Root user: has full access to all AWS resources; one root user exists per account
  • IAM (non-root) principal / identity: can be a user or a role
7
Q

IAM - IAM principal / identity

A
  • IAM roles:
    • A role can be of two types: a user role or a service role (for services, e.g. one that allows CloudTrail to authenticate to CloudWatch Logs)
    • A role is assumed, so a user / service gets temporary credentials and can do what the policy attached to the role permits
  • Principals can perform actions on AWS services and resources
  • Policies determine what permissions the principal has
  • Principals have no permissions by default
8
Q

IAM - Custom policies

A
  • A custom policy consists of one or more permission statements, which have four mandatory elements:
    • Effect: allow or deny access to a resource or service
    • Service
    • Action / operation (e.g. change password)
    • Resource of the service considered (e.g. ENIs, security groups, or AMIs for the EC2 service)
  • Optional request condition (e.g. MFA, IP range, time)
9
Q

IAM - AWS managed policies

A
  • Cover a variety of common scenarios. Updated regularly to include new services and actions
  • The deny effect takes precedence over the allow effect