AWS Security Flashcards

1
Q

What is the Shared Responsibility Model?

A

In the public cloud, there is a shared security responsibility between you and AWS.

  • AWS’s responsibility: Security of the Cloud
  • Your Responsibility: Security in the Cloud
2
Q

What is AWS’s responsibility “Security Of The Cloud”?

A

AWS is responsible for protecting and securing their infrastructure.

  • AWS Global Infrastructure: AWS is responsible for its global infrastructure elements: Regions, edge locations, and Availability Zones.
  • Building Security: AWS controls access to its data centers where your data resides.
  • Networking Components: AWS maintains networking components: generators, uninterruptible power supply (UPS) systems, computer room air conditioning (CRAC) units, fire suppression systems, and more.
  • Software: AWS is responsible for any managed service like RDS, S3, ECS, or Lambda, patching of host operating systems, and data access endpoints.
3
Q

What is Your responsibility “Security In The Cloud”?

A

You are responsible for how the services are implemented and managing your application data.

  • Application Data: You are responsible for managing your application data, which includes encryption options.
  • Security Configuration: You are responsible for securing your account and API calls, rotating credentials, restricting internet access from your VPCs, and more.
  • Patching: You are responsible for the guest operating system (OS), which includes updates and security patches.
  • Identity and Access Management: You are responsible for application security and identity and access management.
  • Network Traffic: You are responsible for network traffic protection, which includes security group firewall configuration.
  • Installed Software: You are responsible for your application code, installed software, and more. You should frequently scan for and patch vulnerabilities in your code.
4
Q

What is the EC2 Shared Responsibility Model?

A

AWS:

  • EC2 service
  • Patching the host operating system
  • Security of the physical server

ME/YOU:

  • Installed applications
  • Patching the guest operating system
  • Security controls
5
Q

What is the Lambda Shared Responsibility Model?

A

AWS:

  • Lambda service
  • Upgrading Lambda languages
  • Lambda endpoints
  • Operating system
  • Underlying infrastructure
  • Software dependencies

ME/YOU:

  • Security of code
  • Storage of sensitive data
  • IAM for permissions
6
Q

What is the Well-Architected Framework?

A

The 5 pillars of the Well-Architected Framework describe design principles and best practices for running workloads in the cloud.

  • Operational Excellence
  • Security
  • Reliability
  • Performance Efficiency
  • Cost Optimization
7
Q

What does Operational Excellence entail (Well-Architected Framework)?

A

This pillar focuses on creating applications that effectively support production workloads.

  • Plan for and anticipate failure
  • Deploy smaller, reversible changes
  • Script operations as code
  • Learn from failure and refine
8
Q

What does Security entail (Well-Architected Framework)?

A

This pillar focuses on putting mechanisms in place that help protect your systems and data.

  • Automate security tasks
  • Encrypt data in transit and at rest
  • Assign only the least privileges required
  • Track who did what and when
  • Ensure security at all application layers
9
Q

What does Reliability entail (Well-Architected Framework)?

A

This pillar focuses on designing systems that work consistently and recover quickly.

  • Recover from failure automatically
  • Scale horizontally for resilience
  • Reduce idle resources
  • Manage change through automation
  • Test recovery procedures
10
Q

What does Performance Efficiency entail (Well-Architected Framework)?

A

This pillar focuses on the effective use of computing resources to meet system and business requirements while removing bottlenecks.

  • Use serverless architectures first
  • Use Multi-region deployments
  • Delegate tasks to a cloud vendor
  • Experiment with virtual resources
11
Q

What does Cost Optimization entail (Well-Architected Framework)?

A

This pillar focuses on delivering optimum and resilient solutions at the least cost to the user.

  • Utilize consumption-based pricing
  • Measure overall efficiency
  • Implement Cloud Financial management
  • Pay only for resources your application requires
12
Q

What is an Operational Excellence real-world use case?

A

You can use AWS CodeCommit for version control to enable tracking of code changes and to version-control CloudFormation templates of your infrastructure.

13
Q

What is a Security real-world use case?

A

You can configure central logging of all actions performed in your account using CloudTrail.

14
Q

What is a Reliability real-world use case?

A

You can use Multi-AZ deployments for enhanced availability and reliability of RDS databases.

15
Q

What is a “Performance Efficiency” real-world use case?

A

You can use AWS Lambda to run code with zero administration.

16
Q

What is a “Cost Optimization” real-world use case?

A

You can use S3 Intelligent-Tiering to automatically move your data between access tiers based on your usage patterns.

17
Q

What is Amazon IAM?

A

IAM allows you to control access to your AWS services and resources.

  • Helps you secure your cloud resources
  • You define who has access
  • You define what they can do
  • A free global service
18
Q

Identities vs. Access?

A

Identities: Who can access your resources

  • Root user
  • Individual users
  • Groups
  • Roles

Access: What resources they can access

  • Policies
  • AWS managed policies
  • Customer managed policies
  • Permissions boundaries
19
Q

Authentication (“Who”) vs. Authorization (“What”)?

A
  • Authentication is where you present your identity (username) and provide verification (password).
  • Authorization determines which services and resources the authenticated identity has access to.
20
Q

Types of Users?

A
  • Root User: The root user is created when you first open your AWS account.
    • Change your account settings (email address, account name, etc.) or close your account
    • Modify your support plan
    • Cancel your AWS Support plan
    • Restore IAM user permissions
    • View certain tax invoices.
    • Register as a seller in the Reserved Instance Marketplace.
    • Configure an Amazon S3 bucket to enable MFA (multi-factor authentication) Delete.
  • Users: Individual users are created in IAM and are used for everyday tasks.
    • Perform administrative tasks
    • Launch EC2 Instances
    • Access application code
    • Configure databases
  • Applications: You’ll create a user in IAM so you can generate access keys for an application running on-premises that needs access to your cloud resources.
21
Q

What is the principle of least privilege?

A

The principle of least privilege involves giving a user the minimum access required to get the job done.

  • Developer: Developers are responsible for building applications
  • Project Manager: Project managers are responsible for managing the budget
22
Q

What is an IAM real-world use case?

A

The AWS Command Line Interface (CLI) allows you to access resources in your AWS account through a terminal or command window. Access keys are needed when using the CLI and can be generated using IAM.

Create access keys for an IAM user that needs access to the AWS CLI.

23
Q

What is an IAM Group?

A

A group is a collection of IAM users that helps you apply common access controls to all group members.

  • Administrators: administrators perform administrative tasks such as creating new users.
  • Developers: developers use compute and database services to build applications.
  • Analysts: analysts run budget and usage reports.

NB: Do not confuse security groups for EC2 with IAM groups. EC2 security groups act as firewalls, while IAM groups are collections of users.

24
Q

What is an IAM Role?

A

Roles define access permissions and are temporarily assumed by an IAM user or service.

  • You assume a role to perform a task in a single session
  • Assumed by any user or service that needs it.
  • Access is assigned using policies
  • You grant users in one AWS account access to resources in another AWS account.
25
Q

What is an IAM Role real-world use case?

A

You can attach a role to an instance that provides privileges (e.g., uploading files to S3) to applications running on the instance. Roles help you avoid sharing long-term credentials like access keys and protect your instances from unauthorized access.

26
Q

What is an IAM Policy?

A

You manage permissions for IAM users, groups, and roles by creating a policy document in JSON format and attaching it.

27
Q

Allow full access to S3 Policy example?

28
Q

What is an IAM Credential Report?

A

The IAM credential report lists all users in your account and the status of their various credentials.

  • Lists all users and the status of their passwords, access keys, and MFA devices
  • Used for auditing and compliance

29
Q

What are the IAM Best Practices?

A

  • Enable MFA for privileged users.
  • Implement strong password policies.
    • You should require IAM users to change their passwords after a specified period of time, prevent users from reusing previous passwords, and rotate security credentials regularly.
  • Create individual users instead of using root.
  • Use roles for Amazon EC2 instances.
    • You should use roles for applications that run on EC2 instances instead of long-term credentials like access keys.
  • Use user groups to assign permissions to IAM users.
  • Grant least privilege.
  • Validate your policies.

30
Q

What is a Firewall?

A

Firewalls prevent unauthorized access to your networks by inspecting incoming and outgoing traffic against security rules you've defined.

31
Q

What is Web Application Firewall (WAF)?

A

WAF helps protect your web applications against common web attacks.

  • Protects apps against common attack patterns
  • Protects against SQL injection
  • Protects against cross-site scripting

32
Q

WAF in the Real World?

A

You can deploy a web application directly to an EC2 instance and protect it from cross-site scripting attacks using WAF. You can even deploy WAF on CloudFront as part of your CDN solution to block malicious traffic.

33
Q

What is DDoS?

A

A DDoS attack causes a traffic jam on a website or web application in an attempt to cause it to crash.

34
Q

What is Amazon Shield?

A

Amazon Shield is a managed Distributed Denial of Service (DDoS) protection service.

  • Always-on detection
  • Shield Standard is free
  • Shield Advanced is a paid service

Amazon Shield Advanced:

  • Provides enhanced protections and 24/7 access to AWS experts for a fee

DDoS protection via Shield Advanced is supported on several services:

  • CloudFront
  • Route53
  • Elastic Load Balancing (ELB)
  • AWS Global Accelerator

35
Q

What is Amazon Macie?

A

Amazon Macie helps you discover and protect sensitive data.

  • Uses machine learning
  • Evaluates your S3 environment
  • Uncovers personally identifiable information (PII)

36
Q

Amazon Macie in the Real World?

A

Amazon Macie can be used to find sensitive data like passport numbers, social security numbers, and credit card numbers on S3.

37
Q

What is Amazon Config?

A

Amazon Config allows you to assess, audit, and evaluate the configurations of your resources.

  • Tracks configuration changes over time
  • Delivers a configuration history file to S3
  • Notifications via Simple Notification Service (SNS) of every configuration change

38
Q

Amazon Config in the Real World?

A

Amazon Config allows you to record configuration changes within your EC2 instances. You can view network, software, and operating system (OS) configuration changes, system-level updates, and more.

39
Q

What is Amazon GuardDuty?

A

Amazon GuardDuty is an intelligent threat detection system that uncovers unauthorized behavior.

  • Uses machine learning
  • Built-in detection for EC2, S3, and IAM
  • Reviews CloudTrail, VPC Flow Logs, and DNS logs

40
Q

What is Amazon GuardDuty in the Real World?

A

Amazon GuardDuty's anomaly detection feature evaluates all API requests in your account and identifies events that are associated with common techniques used by attackers.

41
Q

What is Amazon Inspector?

A

Amazon Inspector works with EC2 instances to uncover and report vulnerabilities.

  • Agent installed on the EC2 instance
  • Reports vulnerabilities found
  • Checks access from the internet, remote root login, vulnerable software versions, etc.

42
Q

What is Amazon Inspector in the Real World?

A

Amazon Inspector has several built-in rules to assess your EC2 instances, find vulnerabilities, and report them prioritized by level of severity.

43
Q

What is Amazon Artifact?

A

Amazon Artifact offers on-demand access to AWS security and compliance reports.

  • Central repository for compliance reports from third-party auditors
  • Service Organization Controls (SOC) reports
  • Payment Card Industry (PCI) reports

44
Q

What is Amazon Artifact in the Real World?

A

Amazon Artifact provides a central repository for AWS' security and compliance reports via a self-service portal.

45
Q

Understand the difference between data in flight vs. data at rest?

A

Data in Flight:

  • Data that is moving from one location to another

Data at Rest:

  • Data that is inactive or stored for later use

46
Q

What is Amazon Key Management Service (KMS)?

A

KMS allows you to generate and store encryption keys.

  • Key generator
  • Store and control keys
  • AWS manages encryption keys
  • Automatically enabled for certain services

47
Q

What is KMS in the Real World?

A

When you create an encrypted Amazon EBS volume, you're able to specify a KMS customer master key.

48
Q

What is Amazon CloudHSM?

A

Amazon CloudHSM is a hardware security module (HSM) used to generate encryption keys.

  • Dedicated hardware for security
  • Generate and manage your own encryption keys
  • AWS does not have access to your keys

49
Q

What is Amazon CloudHSM in the Real World?

A

Amazon CloudHSM allows you to meet corporate, contractual, and regulatory compliance requirements for data security by using dedicated hardware in the cloud.

50
Q

What is Amazon Secrets Manager?

A

Amazon Secrets Manager allows you to manage and retrieve secrets (passwords or keys).

  • Rotate, manage, and retrieve secrets
  • Encrypt secrets at rest
  • Integrates with services like RDS, Redshift, and DocumentDB

51
Q

What is Amazon Secrets Manager in the Real World?

A

Amazon Secrets Manager allows you to retrieve database credentials with a call to Secrets Manager APIs, removing the need to hardcode sensitive information in plain text within your application code.