AWS Security Flashcards
What is the Shared Responsibility Model?
In the public cloud, there is a shared security responsibility between you and AWS.
- AWS’s responsibility: Security of the Cloud
- Your Responsibility: Security in the Cloud
What is AWS’s responsibility “Security Of The Cloud”?
AWS is responsible for protecting and securing their infrastructure.
- AWS Global Infrastructure: AWS is responsible for its global infrastructure elements: Regions, edge locations, and Availability Zones.
- Building Security: AWS controls access to its data centers where your data resides.
- Networking Components:AWS maintains networking components: generators, uninterruptible power supply (UPS) systems, computer room air conditioning (CRAC) units, fire suppression systems, and more.
- Software: AWS is responsible for any managed service like RDS, S3, ECS, or Lambda, patching of host operating systems, and data access endpoints.
What is Your responsibility “Security In The Cloud”?
You are responsible for how the services are implemented and managing your application data.
- Application Data: You are responsible for managing your application data, which includes encryption options.
- Security Configuration: You are responsible for securing your account and API calls, rotating credentials, restricting internet access from your VPCs, and more.
- Patching: You are responsible for the guest operating system (OS), which includes updates and security patches.
- Identity and Access Management:You are responsible for application security and identity and access management.
- Network Traffic: You are responsible for network traffic protection, which includes security group firewall configuration.
- Installed Software: You are responsible for your application code, installed software, and more. You should frequently scan for and patch vulnerabilities in your code.
What is EC2 Shared Responsibility Model?
AWS:
- EC2 service
- Patching the host operating system
- Security of the physical server
ME/YOU:
- Installed applications
- Patching the guest operating system
- Security controls
What is Lambda Shared Responsibility Model?
AWS:
- Lambda service
- Upgrading Lambda languages
- Lambda endpoints
- Operating system
- Underlying infrastructure
- Software dependencies
ME/YOU:
- Security of code
- Stogare of sensitive data
- IAM for permissions
What is the Well-Architected Framework?
The 5 pillars of the Well-Architected Framework describe design principles and best practices for running workloads in the cloud.
- Operational Excellence
- Security
- Reliability
- Perfomance Efficiency
- Cost Optimization
What does the Operation Excellence entail(Well-Architected Framework)?
This pillar focus on creating application that effectively support production workloads.
- Plan for and anticipate failure
- Deploy smaller, reversible changes
- Script operations as code
- Learn from failure and refine
What does the Security entail(Well-Architected Framework)?
This pillar focuses on putting mechanism in place that help protect your systems and data.
- Automate security tasks
- Encrypt data in transit and at rest
- Assign only the least privileges required
- Track who did what and when
- Ensure security at all application layers
What does the Reliability entail(Well-Architected Framework)?
This pillar focuses on designing systems that work consistently and recover quickly.
- Recover from failure automatically
- Scale horizontally for resilience
- Reduce idle resources
- Manage change through automation
- Test recovery procedures
What does the Performance Efficiency entail(Well-Architected Framework)?
This pillar focuses on the effective use of computing resources to meet system and business requirements while removing bottlenecks.
- Use serverless architectures first
- Use Multi-region deployments
- Delegate tasks to a cloud vendor
- Experiment with virtual resources
What does the Cost Optimization entail(Well-Architected Framework)?
This pillar focuses on delivering optimum and resilient solutions at the least cost to the user.
- Utilize consumption based pricing
- Measure overall efficiency
- Implement Cloud Financial management
- Pay only for resources your application requires
What is Operation Excellence real world usecase?
You can use AWS CodeCommit for version control to enable tracking of code changes and to version-control CloudFormation templates of your infrastructure.
What is Security real world usecase?
You can configure central logging of all actions performed in your account using CloudTrail.
What is Reliability real world usecase?
You can use Multi-AZ deployments for enhanced availability and reliability of RDS databases.
What is “Performance Efficiency” real world usecase?
You can use AWS Lambda to run code with zero administration.
What is “Cost Optimization” real world usecase?
You can use S3 Intelligent-Tiering to automatically move your data between access tiers based on your usage patterns.
What is Amazon IAM?
IAM allows you to control access to your AWS services and resources.
- Helps you secure your cloud resources
- You define who has access
- You define what they can do
- A free global service
Identities vs. Access ?
Identities: Who can access your resources
- Root user
- Individual users
- Groups
- Roles
Access: What resources they can access
- Policies
- AWS managed policies
- Customer managed policies
- Permissions boundaries
Authentication (“Who”) vs. Authorization (“What”)
- Authentication is where you present your identity (username) and provide verification (password).
- Authorization determines which services and resources the authenticated identity has access to.
Types of Users?
-
Root User: The root user is created when you first open your AWS account.
- Close your account settings, includes (email address, account name etc..)
- Modify your support plan
- Cancel your AWS Support plan
- Restore IAM user permissions
- View certain tax invoices.
- Register as a seller in the Reserved Instance Marketplace.
- Configure an Amazon S3 bucket to enable MFA (multi-factor authentication) Delete.
-
Users: Individual users are created in IAM and are used for everyday tasks.
- Perform administrative tasks
- Launch EC2 Instances
- Access application code
- Configure databases
- Applications:You’ll create a user in IAM so you can generate access keys for an application running on-premises that needs access to your cloud resources.
What is the principle of least privilege?
The principle of least privilege involves giving a user the minimum access required to get the job done.
- Developer: Developers are responsible for building applications
- Project Manager: Project managers are responsible for managing the budget
What is an IAM real world usecase?
The AWS Command Line Interface (CLI) allows you to access resources in your AWS account through a terminal or command window. Access keys are needed when using the CLI and can be generated using IAM.
Create access keys for an IAM user that needs access to the AWS CLI.
What is an IAM Group?
A group is a collection of IAM users that helps you apply common access controls to all group members.
- Administrators: administrators perform administrative task susch as creating new users.
- Developers: developers use compute and database services to build applications.
- Analysts: analysts run budget and usage reports.
NB: Do not confuse security groups for EC2 with IAM groups. EC2 security groups act as firewalls, while IAM groups are collections of users.
What is an IAM Role?
Roles define access permissions and are temporarily assumed by an IAM user or service.
- You assume a role to perform a task in a single session
- Assumed by any user or service that needs it.
- Access is assigned using policies
- You grant users in one AWS account access to resources in another AWS account.
What is IAM Role real world usecase?
You can attach a role to an instance that provides privileges (e.g., uploading files to S3) to applications running on the instance. Roles help you avoid sharing long-term credentials like access keys and protect your instances from unauthorized access.
What is an IAM Policy?
You manage permissions for IAM users, groups, and roles by creating a policy document in JSON format and attaching it.
Allow full access to S3 Policy example?
What Is a Firewall?
Firewalls prevent unauthorized access to your networks by inspecting incoming and outgoing traffic against security rules you’ve defined.
What is Web Application Firewall (WAF)?
WAF helps protect your web applications against common web attacks.
- Protects apps against common attack patterns
- Protects against SQL injection
- Protects against cross-site scripting
WAF in the Real World?
You can deploy a web application directly to an EC2 instance and protect it from cross-site scripting attacks using WAF. You can even deploy WAF on CloudFront as part of your CDN solution to block malicious traffic.
What is DDoS?
A DDoS attack causes a traffic jam on a website or web application in an attempt to cause it to crash.
What Amazon Shield?
Amazon Shield is a managed Distributed Denial of Service (DDoS) protection service.
- Always-on detection
- Shield Standard is free
- Shield Advanced is a paid service
Amazon Shield Advance:
- Provides enhanced protections and 24/7 access to AWS experts for a fee
DDoS protection via Shield Advanced is supported on several services.
- CloudFront
- Route53
- Elastic Load Balncing (ELB)
- AWS Global Accelerator
What is Amazon Macie?
Amazon Macie helps you discover and protect sensitive data.
- Uses machine learning
- Evaluates S3 envrionment
- Uncovers personally identifiable information (PII)
Amazon Macie in the Real World?
Amazon Macie can be used to find sensitive data like passport numbers, social security numbers, and credit card numbers on S3.
What is Amazon Config?
Amazon Config allows you to assess, audit, and evaluate the configurations of your resources.
- Track configuration changes over time
- Delivers configuration history file to S3
- Notifications via Simple Notification Service (SNS) of every configuration change
Amazon Config in the Real World?
Amazon Config allows you to record configuration changes within your EC2 instances. You can view network, software, and operating system (OS) configuration changes, system-level updates, and more.
What is Amazon GuardDuty?
Amazon GuardDuty is an intelligent threat detection system that uncovers unauthorized behavior.
- Uses machine learning
- Built-in detection for EC2, S3, and IAM
- Reviews CloudTrail, VPC Flow Logs, and DNS logs
What is Amazon GuardDuty in the Real World?
Amazon GuardDuty’s anomaly detection feature evaluates all API requests in your account and identifies events that are associated with common techniques used by attackers.
What is Amazon Inspector?
Amazon Inspector works with EC2 instances to uncover and report vulnerabilities.
- Agent installed on EC2 instance
- Reports vulnerabilities found
- Checks access from the internet, remote root login, vulnerable software versions, etc.
What is Amazon Inspector in the Real World?
Amazon Inspector has several built-in rules to access your EC2 instances to find vulnerabilities and report them prioritized by level of severity.
What is Amazon Artifact?
Amazon Artifact offers on-demand access to AWS security and compliance reports.
- Central repository for compliance reports from third-party auditors
- Service Organization Controls (SOC) reports
- Payment Card Industry (PCI) reports
What is Amazon Artifact in the Real World?
Amazon Artifact provides a central repository for AWS’ security and compliance reports via a self-service portal.
Understand the difference between data in flight vs. data at rest?
Data in Flight:
- Data that is moving from one location to another
Data at Rest:
- Data that is inactive or stored for later use
What is Amazon Key Management Service (KMS)
KMS allows you to generate and store encryption keys.
- Key generator
- Store and control keys
- AWS manages encryption keys
- Automatically enabled for certain services
What is KMS in the Real World?
When you create an encrypted Amazon EBS volume, you’re able to specify a KMS customer master key.
What is Amazon CloudHSM?
Amazon CloudHSM is a hardware security module (HSM) used to generate encryption keys.
- Dedicated hardware for security
- Generate and manage your own encryption keys
- AWS does not have access to your keys
What is Amazon CloudHSM in the Real World?
Amazon CloudHSM allows you to meet corporate, contractual, and regulatory compliance requirements for data security by using dedicated hardware in the cloud.
What is Amazon Secrets manager?
Amazon Secrets Manager allows you to manage and retrieve secrets (passwords or keys).
- Rotate, manage, and retrieve secrets
- Encrypt secrets at rest
- Integrates with services like RDS, Redshift, and DocumentDB
What is Amazon Secrets Manager in the Real World?
Amazon Secrets Manager allows you to retrieve database credentials with a call to Secrets Manager APIs, removing the need to hardcode sensitive information in plain text within your application code.
