Security - Protecting AWS Credentials

Question 1

Security - Fundamentals

Answer 1

• Security is about protecting data. CIA triad refers to Confidentiality, Integrity, and Availability
• Confidentiality: means that only authorized parties can access to data. Examples: ACLs and encryption
• Integrity: implies that data has not been improperly modified. Includes knowing if data has been modified
• Availability: means that authorized parties have access to data when they need it. Includes protecting systems that store, process, and deliver data

Question 2

Security - Considerations

Answer 2

• Employ defense in depth: protect the CIA triad of data by securing everything that touches the data, including storage, compute, and networking
• Levels of architecture to secure:
• AWS services: it’s user’s responsibility to configure them properly
• Operating systems: secure it on EC2 instances
• Applications

Question 3

Shared Responsibility Model

Answer 3

Question 4

IAM - Characteristics

Answer 4

• User / group policies, known as inline policies, are embedded to the user / group itself. They are not available to other users
• With Access Advisor can look at allowed services, and when the user accessed to every service
• There isn’t additional charges for using this service

Question 5

IAM Groups

Answer 5

• They’re collections of users and have policies attached to them
• It’s not an identity and cannot be identified as a principal in an IAM policy
• Only users and services can assume a role to take on permissions, not groups

Question 6

IAM - Credential types

Answer 6

• Root user: has full access to all AWS resources, one root user exists per account
• IAM (non-root) principal / identity: it could be a user or role

Question 7

IAM - IAM principal / identity

Answer 7

• IAM roles:
• A role can be of two types: user role or service role (for services, i.e. one that allows CloudTrail to authenticate to CloudWatch Logs)
• A role is assumed, so a user / service get temporary credentials and do what the policy attached to the role determines
• Can perform actions on AWS services and resources
• Policies determines what permissions the principal has
• Don’t have permissions by default

Question 8

IAM - Custom policies

Answer 8

• Consists of one or more permission statements, which have four mandatory elements:
• Effect: allow or deny a resource or service
• Service
• Action / operation (i.e. change password)
• Resource of service considered (i.e. ENIs, security groups, AMIs of EC2 service)
• Optional request condition (i.e. MFA, IP range, time)

Question 9

IAM - AWS managed policies

Answer 9

• Cover a variety of common scenarios. Updated regularly to include new services and actions
• The deny effect has more precedence over the allow effect