Services - Security, Identity, and Compliance Flashcards
1
Q
Cognito - Characteristics
A
- It provides authentication, authorization, and user management for your web and mobile apps
- Pay only for what you use
- Can use identity pools and user pools separately or together
2
Q
Cognito - User pools
A
- They are user directories that provide sign-up and sign-in options
- Provide social sign-in with Facebook, Google, Amazon, and Apple
- Offer user directory management and user profiles
- Provide MFA, checks for compromised credentials, account takeover protection, and phone and email verification
- Can create customized workflows and user migration through AWS Lambda triggers
3
Q
Cognito - Identity pools
A
- Allow you to grant users access to other AWS services. Also support anonymous users
- Users can authenticate with Cognito user pools, and social sign-in with Facebook, Google, Amazon, and Apple
- Users can authenticate with OpenID Connect (OIDC) providers, SAML identity providers, and developer authenticated identities
4
Q
Certificate Manager - Characteristics
A
- Lets you provision, manage, and deploy public and private SSL / TLS certificates. You can also import third-party certificates to manage them
- There’s no additional charge for using this service
- Supported by ELB, CloudFront, Elastic Beanstalk, and CloudFormation
- Some AWS services support only certain algorithms and key sizes, which may differ from those of certificates imported into ACM
5
Q
Certificate Manager - ACM Private CA
A
- It’s a service for enterprise customers building a public key infrastructure (PKI) inside the AWS Cloud, intended for private use
- Can create your own CA hierarchy and issue certificates for users, computers, applications, services, and other devices
- These certificates cannot be used on the internet
6
Q
Certificate Manager - Certificate characteristics
A
- They have domain validation and a validity period
- ACM manages the renewal and provisioning of ACM certificates
- Can include multiple domain names
- Can use an asterisk (*) in the domain name to protect several sites in the same domain
7
Q
Directory Service - Definition and pricing
A
- It provides multiple ways to use Microsoft Active Directory with other AWS services
- Pricing
  - Standard Edition: 1 GB of storage capacity and approximately 30,000 directory objects maximum
  - Enterprise Edition: 17 GB of storage capacity and approximately 500,000 directory objects maximum
  - Additional charges for directory sharing with other accounts, and for data transferred out of the domain controllers for multi-region replication
8
Q
Directory Service - AWS Directory Service for Microsoft AD
A
- When you need an AD in the AWS Cloud that supports Active Directory-aware workloads
- Also supports AWS managed applications and services like QuickSight and RDS (SQL Server, Oracle, PostgreSQL), and is useful if you need LDAP support for Linux applications
- Can extend the schema, manage password policies, and enable secure LDAP communications through SSL / TLS. You can also enable MFA
9
Q
Directory Service - Simple AD
A
- It’s a Microsoft AD-compatible directory, compatible with QuickSight and powered by Samba 4
- Supports basic features like user accounts, group memberships, domain-joining Linux or Windows-based EC2 instances, Kerberos-based SSO, and group policies
- Useful when you need a low-scale, low-cost directory with basic AD compatibility
10
Q
Directory Service - AD Connector and Cognito use cases
A
- AD Connector: a proxy service that connects compatible AWS applications (QuickSight and EC2 for Windows Server instances) to on-premises Microsoft ADs
- Cognito: when you need custom registration fields and to store that metadata in your user directory. It scales to support hundreds of millions of users
11
Q
GuardDuty - Characteristics
A
- It’s a security monitoring service that analyzes and processes these data sources: VPC Flow Logs, CloudTrail management event logs, CloudTrail S3 data event logs, and DNS logs
- Uses threat intelligence feeds, such as lists of malicious IP addresses and domains, and machine learning (ML)
- Identifies unexpected and potentially unauthorized and malicious activity within an AWS environment
- Prices are based on the number of CloudTrail events, and the volume of VPC flow logs and DNS logs analyzed
12
Q
GuardDuty - Concepts
A
- Detector: a regional entity associated with findings. A unique detector is required in every region
- Data source: the origin or location of a set of data
- Finding: a potential security issue that was discovered. Findings can also be viewed through CloudWatch Events
- Suppression rule: a specific combination of attributes used to hide findings determined to be false positives, and to reduce the noise from low-value findings
- Trusted IP list
- Threat list: a list of malicious IP addresses
13
Q
GuardDuty - Findings types
A
- EC2 finding types: specific to EC2 resources and always have a resource type of “Instance”
- IAM finding types: specific to IAM entities and access keys and always have a resource type of “AccessKey”
- S3 finding types: specific to S3 resources and have a resource type of “S3Bucket” (S3 CloudTrail data events) or “AccessKey” (CloudTrail management events)
14
Q
Inspector - Characteristics
A
- It tests the network accessibility of EC2 instances and the security state of applications that run on those instances
- Produces a detailed list of security findings, organized by level of severity
- Can automate security assessments throughout the development and deployment pipeline, or for static production systems
15
Q
Inspector - Amazon Inspector Agent
A
- It can optionally be installed on EC2 instances to enable wider monitoring of network, file system (FS), and process activity
- Also collects a wide set of behavior and configuration data (telemetry)
- Installation steps: assign an IAM role, tag target EC2 instances, and install it
16
Q
Inspector - Concepts 1
A
- Assessment run:
  - It’s the process of discovering potential security issues. Produces a list of findings
  - Inspector monitors and collects data, then analyzes the collected data against the set of rules packages specified in an assessment template
- Assessment target: currently can consist only of EC2 instances
- Finding: a potential security issue that was discovered. Contains both a description and a recommendation on how to fix it
17
Q
Inspector - Concepts 2
A
- Assessment template: a configuration used during an assessment run. Includes the following:
  - Rules packages
  - SNS topics to send notifications about an assessment run
  - Tags assigned to findings
  - Duration of the assessment
- Rule: a security check performed during an assessment run
- Rules package: a collection of rules that correspond to a security goal