AWS Cloud Security & Identity Flashcards
Shared Responsibility Model
AWS shared responsibility model defines what you (as an AWS account holder/user) and AWS are responsible for when it comes to security and compliance
Security and Compliance is a shared responsibility between AWS and the customer
Shared Responsibility Model:
AWS Responsibilities
responsible for “security of the cloud”
AWS is responsible for protecting the infrastructure that runs all the services offered in the AWS Cloud
infrastructure - hardware, software, networking, and facilities that run AWS Cloud services
Software - compute, storage, database, networking
Hardware/AWS Global Infrastructure - regions, AZs, edge locations
Shared Responsibility Model:
Customer Responsibilities
responsible for “security in the cloud”
For EC2 this includes network level security (NACLs, security groups), operating system patches and updates, IAM user access management, and client and server-side data encryption
platform, applications, identity & access management
operating system, network and firewall configuration
client-side data encryption & data integrity authentication
server-side encryption (file system and/or data)
networking traffic protection (encryption, protection, identity)
Inherited Controls
controls which a customer fully inherits from AWS (Physical and Environmental)
Shared Controls
Controls which apply to both the infrastructure layer and customer layers, but in completely separate contexts or perspectives
Patch Management
AWS - responsible for patching and fixing flaws within the infrastructure
Customers - responsible for patching their guest OS and applications
Configuration Management
AWS maintains the configuration of its infrastructure devices
customer is responsible for configuring their own guest operating systems, databases, and applications
Awareness & Training
AWS trains AWS employees, but a customer must train their own employees
Customer Specific
Controls which are solely the responsibility of the customer based on the application they are deploying within AWS services
Ex. - Service and Communications Protection or Zone Security, which may require a customer to route or zone data within specific security environments
AWS Cloud Compliance
enables you to understand the robust controls in place at AWS to maintain security and data protection in the cloud
as systems are built on top of AWS Cloud infrastructure, compliance responsibilities will be shared
Compliance programs include: Certifications/attestations; laws, regulations, and privacy; alignments/frameworks
AWS Artifact
your go-to, central resource for compliance-related information that matters to you
it provides on-demand access to AWS’ security and compliance reports and select online agreements
reports available:
- Service Organization Control (SOC) reports
- Payment Card Industry (PCI) reports
- certifications from accreditation bodies across geographies
- compliance verticals that validate the implementation and operating effectiveness of AWS security controls
Agreements available:
- Business Associate Addendum (BAA)
- Nondisclosure agreement (NDA)
AWS Organizations Service Control Policies (SCP) & Tag Policies
SCPs define the AWS service actions that are available for use (for various accounts)
can restrict actions for a specific account
Tag Policies enforce rules around tagging across accounts and OUs
Amazon Inspector
automated security assessment service that helps improve the security and compliance of applications deployed on AWS
automatically assesses applications for exposures, vulnerabilities, and deviations from best practices
uses an agent installed on EC2 instances
instances must be tagged
After performing an assessment, Amazon Inspector produces a detailed list of security findings prioritized by level of severity. These findings can be reviewed directly or as part of detailed assessment reports which are available via the Amazon Inspector console or API.
AWS Web Application Firewall (WAF)
WAF is a web application firewall
protects against common exploits that could compromise application availability, compromise security, or consume excessive resources
AWS Shield
managed Distributed Denial of Service (DDoS) protection service
safeguards web applications running on AWS with always-on detection and automatic inline mitigations
helps to minimize application downtime and latency
integrated with Amazon CloudFront
two tiers - standard and advanced
- standard is for everyone; automatically applied once set up
- advanced has additional features but is not free
Amazon Macie
new service that has come up on the exam
fully managed data security and data privacy service
uses machine learning and pattern matching to discover, monitor, and help you protect your sensitive data on Amazon S3
Macie enables security compliance and preventive security as follows:
- identify a variety of data types, including PII, Protected Health Information (PHI), regulatory documents, API keys, and secret keys
- identify changes to policy and access control lists
- continuously monitor the security posture of Amazon S3
- Generate security findings that you can view using the Macie console, AWS Security Hub, or Amazon EventBridge
- manage multiple AWS accounts using AWS Organizations
Amazon GuardDuty
a threat detection service that continuously monitors for malicious activity and unauthorized behavior to protect your AWS accounts and workloads
- Enable GuardDuty - monitors all your AWS accounts w/o additional security software or infrastructure to deploy or manage
- Continuously analyze - automatically analyze network and account activity at scale (CloudTrail logs, VPC Flow Logs, DNS logs), providing broad, continuous monitoring of your AWS accounts
- Intelligently detect threats - combines managed rule-sets, threat intelligence from AWS Security and 3rd party intelligence partners, anomaly detection, and ML to intelligently detect malicious or unauthorized behavior
- Take action - review detailed findings in the console, integrate into event management or workflow systems, or trigger AWS Lambda for automated remediation or prevention
Encryption in Transit vs. Encryption at Rest
Transit:
Data is protected by SSL/TLS in transit or “in-flight”
entire connection is encrypted
importing data (data in transit)
Rest:
Amazon S3 encrypts the object as it is written to the bucket
Stored data (not moving)
AWS Key Management Service (KMS)
best tool for encryption @ rest
gives you centralized control over the encryption keys used to protect your data
you can create, import, rotate, disable, delete, define usage policies for, and audit the use of encryption keys used to encrypt your data
integrated with most other AWS services making it easy to encrypt the data you store in these services with encryption keys you control
used for most use-cases
AWS CloudHSM
tool for encryption @ rest
a cloud-based hardware security module (HSM) that enables you to easily generate and use your own encryption keys on the AWS Cloud
With CloudHSM, you can manage your own encryption keys using FIPS 140-2 Level 3 validated HSMs
offers the flexibility to integrate with your applications using industry-standard APIs, such as PKCS#11, Java Cryptography Extensions (JCE), and Microsoft CryptoNG (CNG) libraries
hardware device that is single tenant
Key Difference:
KMS vs CloudHSM
KMS - multi-tenant service (sharing amongst many customers)
CloudHSM - single tenant device; only dedicated to you
In most cases, you would probably use KMS
AWS Certificate Manager (ACM)
tool for encryption in transit
used for creating and managing public SSL/TLS certificates
you can use public certificates provided by ACM (ACM certificates) or certificates that you import into ACM
can also request private certificates from a private certificate authority (CA) created using AWS Certificate Manager Private Certificate Authority
ACM certificates can secure multiple domain names and multiple names within a domain
you can also use ACM to create wildcard SSL certificates that can protect an unlimited number of subdomains
AWS Secrets Manager
helps you meet your security and compliance requirements by enabling you to rotate secrets safely without the need for code deployments
Secrets Manager offers built-in integration for Amazon RDS, Amazon Redshift, and Amazon DocumentDB and rotates these database credentials on your behalf automatically
you can customize Lambda functions to extend Secrets Manager rotation to other secret types, such as API keys and OAuth tokens
Penetration Testing
practice of testing one’s own application’s security for vulnerabilities by simulating an attack
you act as an “attacker”
AWS allows penetration testing. There is a limited set of resources on which penetration testing can be performed