Security - Well-Architected Framework

Question 1

4 areas of “security in the cloud” and related Key AWS Services

Answer 1

Data protection : ELB,EBS,S3, RDS;
Privilege management : IAM, MFA;
Infrastructure protect : VPC;
Detective control : CloudTrail; CloudWatch; Config;

Question 2

Best Practise - Data protection

Answer 2

• customer keep full control of their data;
• data encryption and key management (regular key rotation)
• Detailed logging: files access and change
• data storage: durability and resiliency eg. S3
• Versioning: data lifecycle management process
• Data retained in the region until the customer transfer it to another region.

Questions (How):
encryption data at rest and in transit

Question 3

Privilege Management

Answer 3

*Access Contol Lists;
*Role-based access controls;
*Password management (Password rotation policies);
Questions (How):
*AWS root account credentials management
*roles and responsibility definition to control access of AWS Management Console and APIs.
*Limitation of automated access to AWS resources;
*Key and credential management;

Question 4

Infrastructure Protection

Answer 4

• protection of the data centers: RFID controls, security guard, lockable cabinets, CCTV etc
  Questions (How):
  *network and host-level boundary protection;
  *AWS service level protection;
  *Integrity of the EC2 instances etc.

Question 5

Detective Controls

Answer 5

*AWS Service related to this pillar:
CloudTrail; CloudWatch; Config; S3; Glacier
Questions (HOW) :
capturing and analyzing AWS logs

Question 6

Furthermore

Answer 6

whitepaper