Shared Responsibility Model Flashcards
What are 2 examples of the AWS Shared controls?
Shared Controls are controls which apply to both the infrastructure layer and customer layers, but in completely separate contexts or perspectives. In a shared control, AWS provides the requirements for the infrastructure and the customer must provide their own control implementation within their use of AWS services. Examples include:
1) Configuration Management: AWS maintains the configuration of its infrastructure devices, but a customer is responsible for configuring their own guest operating systems, databases, and applications.
2) Patch Management: AWS is responsible for patching the underlying hosts and fixing flaws within the infrastructure, but customers are responsible for patching their guest OS and applications.
3) Awareness and Training: AWS trains AWS employees, but a customer must train their own employees.
Give examples of AWS-managed services where AWS is responsible for the operational maintenance burden of running the service.
AWS is responsible for performing all the operations needed to keep these services running:
1) Amazon Elastic MapReduce (Amazon EMR): launches clusters in minutes. You don’t need to worry about node provisioning, infrastructure setup, Hadoop configuration, or cluster tuning. Amazon EMR takes care of these tasks so you can focus on analysis.
2) Amazon DynamoDB: serverless, with no servers to provision, patch, or manage and no software to install, maintain, or operate. DynamoDB automatically scales tables up and down to adjust for capacity and maintain performance. Availability and fault tolerance are built in, eliminating the need to architect your applications for these capabilities.
3) AWS Lambda
4) Amazon RDS
5) Amazon Redshift
6) Amazon CloudFront
Which statements about the AWS shared responsibility model are true?
1) Responsibilities vary depending on the services used
2) Customers should be aware that their responsibilities may vary depending on the AWS services chosen.
3) For example, when using Amazon EC2, customers are responsible for applying operating system and application security patches regularly. However, such patches are applied automatically when using Amazon RDS.
What is a responsibility of AWS under the shared responsibility model?
1) Under the shared responsibility model, AWS is responsible for the hardware and software that run AWS services.
2) This includes patching the infrastructure software and configuring infrastructure devices.
3) As a customer, you are responsible for implementing best practices for data encryption, patching guest operating system and applications, identity and access management, and network & firewall configurations.
According to AWS Acceptable Use Policy, what statement is true regarding penetration testing of EC2 instances?
AWS customers are welcome to carry out security assessments and penetration tests against their AWS infrastructure without prior approval for 8 services:
1) Amazon EC2 instances, NAT Gateways, and Elastic Load Balancers.
2) Amazon RDS.
3) Amazon CloudFront.
4) Amazon Aurora.
5) Amazon API Gateways.
6) AWS Lambda and Lambda@Edge functions.
7) Amazon Lightsail resources.
8) Amazon Elastic Beanstalk environments.
What should you do in order to keep the data on EBS volumes safe?
1) Creating snapshots of EBS Volumes can help ensure that you have a backup of your EBS volumes just in case any issues arise.
2) Amazon EBS encryption offers a straightforward encryption solution for your EBS resources that doesn’t require you to build, maintain, and secure your own key management infrastructure.
3) Encryption operations occur on the servers that host EC2 instances, ensuring the security of both data-at-rest and data-in-transit between an instance and its attached EBS storage.
4) EBS Snapshots are incremental backups, which means that only the blocks on the device that have changed after your last snapshot are saved. This minimizes the time required to create the snapshot and saves on storage costs by not duplicating data.
What are the security aspects that the AWS customer is responsible for?
1) The customer is responsible for securing their network by configuring Security Groups, Network Access Control Lists (NACLs), and route tables.
2) The customer is also responsible for setting a password policy on their AWS account that specifies the complexity and mandatory rotation periods for their IAM users’ passwords.
According to the AWS Shared responsibility model, what are 2 responsibilities of the customer?
1) Data protection refers to protecting data while in transit (as it travels to and from Amazon S3) and at rest (while it is stored on disks in AWS data centers). The AWS customer is responsible for protecting their data both at rest and in transit for all services (including S3).
2) Patch management is a shared control between AWS and the customer. AWS is responsible for patching the underlying hosts, updating the firmware, and fixing flaws within the infrastructure, but customers are responsible for patching their guest operating system and applications.
What are customer responsibilities when using Amazon RDS under the shared responsibility model?
1) Building the relational database schema
2) Managing the database settings
Amazon RDS manages the work involved in setting up a relational database, from provisioning the infrastructure capacity you request to installing the database software. Once your database is up and running, Amazon RDS automates common administrative tasks such as performing backups and patching the software that powers your database. With optional Multi-AZ deployments, Amazon RDS also manages synchronous data replication across Availability Zones with automatic failover. Since Amazon RDS provides native database access, you interact with the relational database software as you normally would. This means you’re still responsible for managing the database settings that are specific to your application. You’ll need to build the relational schema that best fits your use case and are responsible for any performance tuning to optimize your database for your application’s workflow.
Under the Shared Responsibility Model, what controls do customers fully inherit from AWS?
AWS is responsible for physical controls and environmental controls. Customers inherit these controls from AWS.
For example: Let’s say you have built an application in AWS for customers to securely store their data. But your customers are concerned about the security of the data and ensuring compliance requirements are met. To address this, you assure your customer that “our company does not host customer data in its corporate or remote offices, but rather in AWS data centers that have been certified to meet industry security standards.” That includes physical and environmental controls to secure the data, which is the responsibility of Amazon. Companies do not have physical access to the AWS data centers, and as such, they fully inherit the physical and environmental security controls from AWS.