Domain 1 Flashcards
IAM
AWS Identity and Access Management (IAM) is a web service that helps you securely control access to AWS resources. It enables you to manage users and their permissions within your AWS account.
IAM Policy Evaluation Logic (3)
Default (implicit) Deny: every request starts out denied; it is allowed only if some applicable policy explicitly grants it.
Explicit Allow: an Allow statement in an applicable policy permits the request. IAM evaluates every policy that applies to the request: identity-based policies, resource-based policies, permissions boundaries, session policies and any service control policies (SCPs) from AWS Organizations. SCPs and permissions boundaries never grant access on their own; they only cap what the other policies grant.
Explicit Deny: a Deny statement in any applicable policy denies the request, no matter how many Allow statements also match. Explicit deny always takes precedence over allow.
4 IAM Policy Types
Identity-Based Policies: attached to users, groups or roles; they define which actions those identities may perform on which resources.
Resource-Based Policies: attached directly to a resource (e.g., an S3 bucket policy, a KMS key policy, an SQS queue policy); they name the principals that may access the resource, including principals in other accounts, and the actions they may perform.
Service Control Policies (SCPs): applied to accounts or organizational units in AWS Organizations; they set the maximum permissions available in member accounts, never grant permissions by themselves, and do not restrict the management account.
Permissions Boundaries: a managed policy attached to a user or role that sets the maximum permissions that identity can have; the effective permissions are the intersection of the boundary and the identity-based policies, so a boundary alone grants nothing.
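As an added illustration of both the evaluation logic and the policy types above (example code written for these notes, not an AWS library and not the real IAM engine): a simplified Go evaluator for a same-account request. It models only Effect, Action and Resource (no Principal or Condition), assumes the caller has already checked that a resource-based policy names the principal, and ignores session policies. The developer policy, SCP and ARNs in it are constructed.

```go
package main

import (
	"fmt"
	"strings"
)

// Statement is one IAM policy statement reduced to the fields this evaluator
// needs; Principal and Condition blocks are not modelled.
type Statement struct {
	Effect   string   // "Allow" or "Deny"
	Action   []string // e.g. "s3:GetObject", "s3:*"
	Resource []string // ARNs, may contain "*"
}

type Policy []Statement
type Request struct{ Action, Resource string }

// glob matches IAM-style wildcards: '*' spans any characters, including ':' and
// '/' (path.Match would stop at '/', which is wrong for ARNs); '?' matches one.
func glob(pattern, s string) bool {
	if pattern == "" {
		return s == ""
	}
	if pattern[0] == '*' {
		for i := 0; i <= len(s); i++ {
			if glob(pattern[1:], s[i:]) {
				return true
			}
		}
		return false
	}
	return s != "" && (pattern[0] == '?' || pattern[0] == s[0]) && glob(pattern[1:], s[1:])
}

// matches reports whether a statement applies to the request. Action names are
// case-insensitive in IAM; resource ARNs are compared as written.
func matches(st Statement, req Request) bool {
	hit := false
	for _, a := range st.Action {
		hit = hit || glob(strings.ToLower(a), strings.ToLower(req.Action))
	}
	for _, r := range st.Resource {
		if hit && glob(r, req.Resource) {
			return true
		}
	}
	return false
}

// hasEffect reports whether any statement with the given effect matches.
func hasEffect(policies []Policy, effect string, req Request) bool {
	for _, p := range policies {
		for _, st := range p {
			if strings.EqualFold(st.Effect, effect) && matches(st, req) {
				return true
			}
		}
	}
	return false
}

// Evaluate applies the documented same-account decision order: an explicit deny
// in any policy wins; SCPs and a permissions boundary only cap what identity- or
// resource-based policies grant; whatever is left is the implicit (default) deny.
func Evaluate(req Request, identity, resource, scps []Policy, boundary *Policy) (bool, string) {
	all := append(append(append([]Policy{}, identity...), resource...), scps...)
	if boundary != nil {
		all = append(all, *boundary)
	}
	switch {
	case hasEffect(all, "Deny", req):
		return false, "explicit deny"
	case len(scps) > 0 && !hasEffect(scps, "Allow", req):
		return false, "implicit deny: no SCP allows the action"
	case hasEffect(resource, "Allow", req):
		// A same-account resource policy naming the principal is not capped by the boundary.
		return true, "allow from resource-based policy"
	case !hasEffect(identity, "Allow", req):
		return false, "implicit deny: no identity-based policy allows the action"
	case boundary != nil && !hasEffect([]Policy{*boundary}, "Allow", req):
		return false, "implicit deny: permissions boundary does not allow the action"
	}
	return true, "allow from identity-based policy"
}

func main() {
	// Constructed sample: a developer policy and an SCP that blocks deletes org-wide.
	dev := Policy{{"Allow", []string{"s3:*"}, []string{"arn:aws:s3:::app-bucket/*"}}}
	scp := Policy{{"Allow", []string{"*"}, []string{"*"}}, {"Deny", []string{"s3:DeleteObject"}, []string{"*"}}}
	obj := "arn:aws:s3:::app-bucket/report.csv"
	for _, a := range []string{"s3:GetObject", "s3:DeleteObject", "ec2:RunInstances"} {
		ok, why := Evaluate(Request{a, obj}, []Policy{dev}, nil, []Policy{scp}, nil)
		fmt.Printf("%-18s allowed=%-5v %s\n", a, ok, why)
	}
}
```

Running it shows the three outcomes from the flashcard in order: GetObject is allowed by the identity policy, DeleteObject is stopped by the SCP's explicit deny even though the identity policy allows s3:*, and ec2:RunInstances falls through to the default deny because nothing grants it. Passing a read-only policy as the boundary argument demonstrates the fourth case: the developer's s3:* allow is capped to reads.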
AWS SSO
AWS Single Sign-On (AWS SSO), since renamed AWS IAM Identity Center, is the service that centrally manages workforce single sign-on to multiple AWS accounts and business applications, using its own identity store or an external identity provider (for example via SAML 2.0 and SCIM provisioning). Users get short-lived role credentials in each account via permission sets rather than long-lived IAM user access keys.
STS
AWS Security Token Service (STS) is a web service that issues temporary, limited-privilege security credentials (an access key ID, a secret access key and a session token that expire). It backs role assumption (AssumeRole), identity federation (AssumeRoleWithSAML, AssumeRoleWithWebIdentity) and MFA-protected sessions for IAM users (GetSessionToken), so that long-lived access keys do not have to be handed out.
Control Tower
AWS Control Tower is a service that sets up and governs a secure, multi-account AWS environment (a landing zone) based on AWS best practices. It builds on AWS Organizations, provisions new accounts through its account factory, and applies preventive guardrails (implemented as SCPs) and detective guardrails (implemented as AWS Config rules).
Cognito
Amazon Cognito is a service that provides authentication, authorization and user management for web and mobile applications. User pools are the user directory that handles sign-up, sign-in, MFA and federation with social or enterprise identity providers.
With federated identities (identity pools), Cognito exchanges a token from a user pool or an external identity provider for temporary AWS credentials obtained through STS, so the app can call AWS services directly under an IAM role.
GuardDuty
Amazon GuardDuty is a threat detection service that continuously analyzes AWS CloudTrail events, VPC Flow Logs and DNS logs (plus optional sources such as S3 data events and EKS audit logs) to detect malicious or unauthorized behavior in your accounts and workloads, for example credential misuse, reconnaissance or instances talking to known command-and-control hosts. Findings can be routed through EventBridge for automated response and aggregated in Security Hub.
Macie
Amazon Macie is a fully managed data security and privacy service that uses machine learning and pattern matching to discover sensitive data (PII, credentials, financial data) in Amazon S3, and also reports bucket-level risks such as public access or missing encryption.
Shield
AWS Shield is a managed Distributed Denial of Service (DDoS) protection service that safeguards applications running on AWS. Shield Standard is on for every account at no charge and protects against common network- and transport-layer (layer 3/4) attacks; Shield Advanced (paid) adds enhanced detection, 24x7 access to the Shield Response Team, DDoS cost protection and WAF integration for protected resources such as CloudFront, Route 53, Elastic Load Balancing and Global Accelerator.
AWS WAF
AWS WAF (Web Application Firewall) is a cloud-based security service that protects web applications from common web exploits such as SQL injection and cross-site scripting, as well as from traffic that could affect availability or consume excessive resources. Rules (IP sets, rate-based rules, AWS managed rule groups, custom match rules) are grouped into a web ACL that is attached to CloudFront, an Application Load Balancer, API Gateway or AppSync.
Secrets Manager
AWS Secrets Manager is a managed service that helps you securely store, manage and retrieve sensitive information such as database credentials, API keys and other secrets. Secrets are encrypted at rest with KMS, access is controlled with IAM and resource policies, every retrieval is logged in CloudTrail, and automatic rotation can be scheduled using Lambda functions.
KMS
AWS Key Management Service (KMS) is a managed service that enables you to create and control cryptographic keys (symmetric, asymmetric and HMAC KMS keys) used to secure your data across AWS services and applications. Key material never leaves the service in plaintext, usage is governed by key policies and IAM, and every cryptographic operation is logged in CloudTrail.
Certificate Manager
AWS Certificate Manager (ACM) is a service that simplifies provisioning, managing and deploying Secure Sockets Layer/Transport Layer Security (SSL/TLS) certificates for use with integrated AWS services (Elastic Load Balancing, CloudFront, API Gateway) and, through AWS Private CA, for internal connected resources. Public certificates issued by ACM are free and are renewed automatically.
Storage Services (name 8 key services)
S3
EBS
EFS
FSx
S3 Glacier storage classes (Instant Retrieval, Flexible Retrieval and Deep Archive)
Storage Gateway
Backup
S3 on Outposts
Encryption Key Services (name 6)
KMS - Creating and controlling the cryptographic keys (KMS keys) that AWS services and your applications use to encrypt data; key material never leaves KMS in plaintext.
CloudHSM - Dedicated, single-tenant hardware security modules (FIPS 140 validated) that you administer yourself, so AWS has no access to the key material. Chosen when compliance requires exclusive control of keys or a standards-based interface (PKCS#11, JCE, KSP); it can also back KMS through a custom key store.
ACM - Manages SSL/TLS certificates for encrypting data in transit; it does not manage general-purpose encryption keys the way KMS or CloudHSM do.
Encryption at Rest - Most AWS services (S3, EBS, RDS, DynamoDB and others) integrate with KMS for server-side encryption at rest: the service requests data keys from KMS, so data is encrypted automatically with keys you control and whose use you can audit.
Envelope Encryption - The method AWS uses for bulk data: the data is encrypted locally with a data encryption key (DEK), and only the DEK is encrypted (wrapped) by a key encryption key (KEK) that stays inside KMS. KMS GenerateDataKey returns both the plaintext DEK and the wrapped DEK; the application uses the plaintext DEK, stores the wrapped DEK alongside the ciphertext, and discards the plaintext DEK.
This keeps large payloads out of KMS entirely: one KMS call per object (or per batch) to wrap or unwrap a 32-byte DEK, regardless of how many gigabytes are encrypted locally, which also keeps the operation within KMS's 4 KB request limit and API rate limits.
Client-Side Encryption - In some scenarios the application encrypts data itself before sending it to AWS, using keys that you manage (optionally wrapped by KMS), so that the storage service only ever sees ciphertext.
AWS provides tools for this such as the AWS Encryption SDK, the Amazon S3 Encryption Client and the DynamoDB Encryption Client.
Key Rotation
Key rotation is the practice of periodically replacing cryptographic key material, so that a compromised or over-used key exposes less data, while older material is kept so that existing ciphertext can still be decrypted.
KMS - Automatic rotation can be enabled for customer managed symmetric encryption keys (every year by default; the rotation period is configurable). AWS managed keys are rotated every year. Rotation adds new backing material behind the same key ID, ARN and alias, keeps the previous material for decrypting old ciphertext, and uses the new material for new encryptions, so applications need no change.
Manual rotation - Create a new KMS key and repoint the alias to it (re-encrypting old data if required). This is the only option for asymmetric keys, HMAC keys, keys with imported key material and keys in custom key stores, which KMS cannot rotate automatically.
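Envelope encryption and rotation together, as an added example written for these notes rather than AWS code: the localKMS type stands in for KMS (it is not the KMS API, and a real application would call GenerateDataKey and Decrypt through the SDK), holding versioned key encryption keys that never leave it, while Seal and Open do what the client does. The encryption context and payload are constructed; the version byte prefixed to the wrapped DEK is this example's own framing, not the KMS CiphertextBlob format.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
)

const nonceSize = 12 // standard GCM nonce length

// Envelope is what is stored next to the data: the DEK wrapped by the KEK (KMS
// returns this as CiphertextBlob) plus the locally produced ciphertext.
type Envelope struct{ WrappedDEK, Nonce, Ciphertext []byte }

// localKMS stands in for KMS: it keeps every backing version of one KEK and never
// releases any of them; only wrap/unwrap requests cross its boundary.
type localKMS struct{ versions [][]byte }

// Rotate mimics automatic KMS rotation: new material becomes current, old material stays.
func (k *localKMS) Rotate() { k.versions = append(k.versions, random(32)) }

func random(n int) []byte {
	b := make([]byte, n)
	if _, err := rand.Read(b); err != nil {
		panic(err)
	}
	return b
}

// mustGCM builds AES-256-GCM; with 32-byte keys neither constructor can fail.
func mustGCM(key []byte) cipher.AEAD {
	block, err := aes.NewCipher(key)
	if err != nil {
		panic(err)
	}
	aead, _ := cipher.NewGCM(block)
	return aead
}

// GenerateDataKey mirrors the KMS call of that name: a fresh plaintext DEK and the
// same DEK wrapped under the current KEK; context is bound as AAD like an encryption context.
func (k *localKMS) GenerateDataKey(context []byte) (plainDEK, wrappedDEK []byte, err error) {
	if len(k.versions) == 0 {
		return nil, nil, errors.New("key has no material")
	}
	ver := len(k.versions) - 1
	plainDEK, nonce := random(32), random(nonceSize)
	wrapped := mustGCM(k.versions[ver]).Seal(nil, nonce, plainDEK, context)
	return plainDEK, append(append([]byte{byte(ver)}, nonce...), wrapped...), nil
}

// Decrypt unwraps a DEK with whichever KEK version wrapped it; a different
// context fails the GCM tag check, as a mismatched encryption context does in KMS.
func (k *localKMS) Decrypt(wrappedDEK, context []byte) ([]byte, error) {
	if len(wrappedDEK) < 1+nonceSize || int(wrappedDEK[0]) >= len(k.versions) {
		return nil, errors.New("malformed wrapped key or unknown key version")
	}
	aead := mustGCM(k.versions[wrappedDEK[0]])
	return aead.Open(nil, wrappedDEK[1:1+nonceSize], wrappedDEK[1+nonceSize:], context)
}

// Seal: one KMS call for a DEK, local AES-GCM over a payload of any size, DEK wiped after.
func Seal(kms *localKMS, context, plaintext []byte) (*Envelope, error) {
	dek, wrapped, err := kms.GenerateDataKey(context)
	if err != nil {
		return nil, err
	}
	defer zero(dek)
	nonce := random(nonceSize)
	return &Envelope{wrapped, nonce, mustGCM(dek).Seal(nil, nonce, plaintext, context)}, nil
}

// Open unwraps the DEK through KMS, decrypts locally and wipes the DEK again.
func Open(kms *localKMS, context []byte, env *Envelope) ([]byte, error) {
	dek, err := kms.Decrypt(env.WrappedDEK, context)
	if err != nil {
		return nil, err
	}
	defer zero(dek)
	return mustGCM(dek).Open(nil, env.Nonce, env.Ciphertext, context)
}

// zero overwrites key material once it is no longer needed.
func zero(b []byte) {
	for i := range b {
		b[i] = 0
	}
}

func main() {
	kms := &localKMS{}
	kms.Rotate() // initial material, as when the key is created
	ctx := []byte(`{"tenant":"acme"}`) // constructed encryption context
	env, _ := Seal(kms, ctx, []byte("constructed payroll record"))
	kms.Rotate() // yearly rotation: new KEK material, same key, old version retained
	out, err := Open(kms, ctx, env)
	fmt.Printf("%q %v\n", out, err)
	_, err = Open(kms, []byte(`{"tenant":"other"}`), env) // wrong context: unwrap fails
	fmt.Println(err)
}
```

Two details carry the security point: the payload never reaches localKMS, only the 32-byte DEK does, and after Rotate the old envelope still opens because version 0 is retained, while a DEK generated after rotation is wrapped under version 1. Binding the context as AAD is what makes a wrapped DEK unusable outside the tenant or purpose it was issued for.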
Certificate Renewals
AWS Certificate Manager (ACM) automates renewal of the certificates it issues, provided the certificate is associated with an integrated service and its domain validation still succeeds (for DNS validation, the CNAME record must stay in place; for email validation, someone must respond to the renewal email).
Sometimes manual renewal is needed: certificates imported into ACM are never renewed automatically and must be re-imported before they expire, and ACM cannot renew a certificate whose validation records have been removed. Monitor expiry (ACM expiration events via EventBridge or the Config rule for certificate expiration) so these do not lapse unnoticed.
VPC
Amazon Virtual Private Cloud (VPC) is a service that allows you to provision a logically isolated section of the AWS cloud where you can launch and manage AWS resources in a virtual network that you define.
Security Groups
AWS Security Groups are virtual firewalls attached to elastic network interfaces (EC2 instances, load balancers, RDS instances, Lambda functions in a VPC) that control inbound and outbound traffic. They are stateful: return traffic for an allowed connection is permitted automatically. They contain allow rules only, so anything not explicitly allowed is implicitly denied, and a rule's source or destination can be a CIDR block, a prefix list or another security group.
ACL
Network Access Control Lists (NACLs) are a firewall at the subnet level: every subnet is associated with exactly one NACL, whose rules filter traffic entering and leaving that subnet. They are stateless, so inbound and outbound traffic must each be allowed explicitly, including return traffic on ephemeral ports. Numbered rules are evaluated from the lowest number upward and the first match wins, and both allow and deny rules are supported, which makes a NACL the place to block a specific source. The default NACL allows all traffic; a newly created custom NACL denies everything until rules are added. They complement security groups as a second, coarser layer.
NAT Gateway
An AWS NAT (Network Address Translation) Gateway is a managed service that enables instances in a private subnet to initiate connections to the internet or to AWS services, while preventing the internet from initiating connections to those instances. It is deployed in a public subnet with an Elastic IP, and the private subnet's route table sends 0.0.0.0/0 to it. For IPv6, the equivalent is an egress-only internet gateway.
Route Table
An AWS Route Table is an essential component of a Virtual Private Cloud (VPC) that determines how network traffic is directed within your VPC. Each subnet is associated with one route table, and each table contains a set of rules, called routes, that map a destination CIDR to a target (local, internet gateway, NAT gateway, VPC peering, transit gateway, and so on). The most specific route wins (longest prefix match), the local route for the VPC CIDR cannot be removed, and a subnet whose route table has a route to an internet gateway is a public subnet.
CIDR
CIDR, or Classless Inter-Domain Routing, is a method for allocating IP addresses and routing Internet Protocol (IP) packets. CIDR replaces the old system of IP address classification, which divided addresses into classes (A, B, C, etc.), with a network address plus a prefix length: 10.0.0.0/16 covers 65,536 addresses, 10.0.1.0/24 covers 256. A VPC's IPv4 CIDR must be between /16 and /28, and AWS reserves the first four and the last address of every subnet, so a /24 subnet has 251 usable addresses.
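An added example (written for these notes, not AWS code) that ties together the security group, NACL and CIDR cards above: a small Go model of both filters applied to a constructed HTTPS request and its reply. The addresses come from the documentation ranges 203.0.113.0/24 and 198.51.100.0/24, and the rule numbers and ports are made up; the CIDR test itself is net.IPNet.Contains from the standard library.

```go
package main

import (
	"fmt"
	"net"
	"sort"
)

// Packet is the part of the 5-tuple the filters look at, seen from the protected
// instance: Remote is the peer, LocalPort the port on the instance.
type Packet struct {
	Proto      string
	Remote     net.IP
	RemotePort int
	LocalPort  int
	Inbound    bool
}

// Rule serves for both security group rules and NACL entries; Number and Allow
// only matter for NACLs, since security group rules are unordered and allow-only.
type Rule struct {
	Number   int
	Proto    string // "tcp", "udp", "icmp" or "-1" for all
	CIDR     *net.IPNet
	From, To int // port range: instance port for inbound, peer port for outbound
	Allow    bool
	Inbound  bool
}

// matches does the CIDR test with net.IPNet.Contains, the prefix-length
// containment that an entry such as 203.0.113.0/24 implies.
func (r Rule) matches(p Packet) bool {
	port := p.LocalPort
	if !p.Inbound {
		port = p.RemotePort
	}
	return r.Inbound == p.Inbound && (r.Proto == "-1" || r.Proto == p.Proto) &&
		r.CIDR.Contains(p.Remote) && port >= r.From && port <= r.To
}

// NACL is stateless: entries are tried in ascending rule number, the first match
// decides, and the implicit "*" entry denies the rest. Each packet, including the
// reply half of a connection, is judged on its own.
type NACL []Rule

// Evaluate returns the decision and the rule number that made it (0 = "*").
func (n NACL) Evaluate(p Packet) (bool, int) {
	rules := append(NACL{}, n...)
	sort.Slice(rules, func(i, j int) bool { return rules[i].Number < rules[j].Number })
	for _, r := range rules {
		if r.matches(p) {
			return r.Allow, r.Number
		}
	}
	return false, 0
}

// SecurityGroup is stateful: any matching rule allows, and once a flow has been
// allowed its return traffic passes without a rule of its own.
type SecurityGroup struct {
	Rules []Rule
	flows map[string]bool // connection-tracking table keyed by the flow tuple
}

func (sg *SecurityGroup) Evaluate(p Packet) (bool, string) {
	if sg.flows == nil {
		sg.flows = map[string]bool{}
	}
	key := fmt.Sprintf("%s|%s:%d|%d", p.Proto, p.Remote, p.RemotePort, p.LocalPort)
	if sg.flows[key] {
		return true, "tracked connection"
	}
	for _, r := range sg.Rules {
		if r.matches(p) {
			sg.flows[key] = true
			return true, "matched rule"
		}
	}
	return false, "no matching rule"
}

var _, anywhere, _ = net.ParseCIDR("0.0.0.0/0")

// webNACL returns the usual "allow HTTPS in" entry plus any extra entries.
func webNACL(extra ...Rule) NACL {
	return append(NACL{{Number: 100, Proto: "tcp", CIDR: anywhere, From: 443, To: 443, Allow: true, Inbound: true}}, extra...)
}

func main() {
	client := net.ParseIP("203.0.113.5")
	// Constructed flow: an HTTPS request and the instance's reply to the client's ephemeral port.
	req := Packet{"tcp", client, 51234, 443, true}
	reply := Packet{"tcp", client, 51234, 443, false}
	sg := &SecurityGroup{Rules: []Rule{{Proto: "tcp", CIDR: anywhere, From: 443, To: 443, Inbound: true}}}
	fmt.Println(sg.Evaluate(req))
	fmt.Println(sg.Evaluate(reply))        // true tracked connection: no outbound rule needed
	fmt.Println(webNACL().Evaluate(reply)) // false 0: stateless, so the reply hits the "*" deny
	ephemeral := Rule{Number: 110, Proto: "tcp", CIDR: anywhere, From: 1024, To: 65535, Allow: true, Inbound: false}
	fmt.Println(webNACL(ephemeral).Evaluate(reply)) // true 110
	_, clientNet, _ := net.ParseCIDR("203.0.113.0/24")
	deny := Rule{Number: 90, Proto: "-1", CIDR: clientNet, From: 0, To: 65535, Inbound: true}
	fmt.Println(webNACL(ephemeral, deny).Evaluate(req)) // false 90: lowest number wins over rule 100
}
```

The run reproduces the two mistakes the cards warn about: a NACL that allows 443 inbound but has no outbound rule for ports 1024-65535 silently drops every reply, and a deny entry with a lower number than an existing allow takes effect even though it was added later. The security group needs neither an outbound rule nor an ordering, because the flow table remembers the request.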