Security

Question 1

What is the AWS Abuse team?

Answer 1

Team to be contacted when AWS resources are being used for abusive behavior.

Question 2

What is the AWS Security team?

Answer 2

AWS team responsible for security of services offered by AWS.

Question 3

IAM Group vs Security Group

Answer 3

IAM Group is a group of users with similar permissions.

Security Group is established on EC2 instance to control network traffic.

Question 4

What is a NACL or ACL?

Answer 4

Network Access Control List – optional layer of security for VPC that acts as a firewall on subnet level.

Question 5

What are Route Tables?

Answer 5

A route table contains a set of rules, called routes, that are used to determine where network traffic is directed.

Question 6

What do Security Groups do?

Answer 6

Act as a firewall for associated Amazon EC2 instances, controlling both inbound and outbound traffic at the instance level.

Question 7

What is the AWS Shared Responsibility Model?

Answer 7

A security model that defines what you (as an AWS account holder/user) and Amazon Web Services are responsible for when it comes to security and compliance.

AWS is responsible for security of the cloud, you are responsible for security in the cloud.

Question 8

What aspects of Security and Compliance is AWS responsible for in the Shared Responsibility Model?

Answer 8

Components from the host operating system and the virtualization layer down to the physical security of the facilities in which the service operates.

Question 9

What aspects of Security and Compliance are you responsible for in the Shared Responsibility Model?

Answer 9

Guest operating system (including updates and security patches), other associated application software, as well as the configuration of the AWS provided security group firewall.

Question 10

How would the Shared Responsibility Model apply to an EC2 instance?

Answer 10

AWS is responsible for:

1. The setup and maintenance of the physical hardware located at each AWS data center
2. The physical security of the data centers (locks, keys, security guards, etc.)
3. The setup and maintenance of the host virtualization software

You are responsible for:

1. Network level security (Security groups & NACL’s)
2. OS patches and updates
3. IAM user access management
4. Client and Server side data encryption

Question 11

What are the AWS services with built-in DDOS attack protection/mitigation?

Answer 11

1. Cloudfront
2. Route 53
3. WAF (Web Application Firewall)
4. Elastic Load Balancing
5. Security groups & VPC’s

Question 12

What services are customers allowed to carry out security assessments/pen tests on with no prior approval required?

Answer 12

1. Amazon EC2 instances, NAT gateways, and ELB’s
2. RDS
3. Cloudfront
4. Aurora
5. API gateways
6. Lambda & Lambda edge functions
7. Lightsail resources
8. Elastic Beanstalk environments

Question 13

What are the currently prohibited security activities?

Answer 13

1. DNS Zone walking via Route 53 hosted zones
2. DOS, DDOS, simulated DOS, simulated DDOS
3. Port flooding
4. Protocol flooding
5. Request flooding (login request flooding, API request flooding)