Module 3: Securing access

Question 1

AWS shared responsibility model

Answer 1

Security of the cloud => AWS
Security in the Cloud => Customer

Question 2

Design principles of the security pillar

Answer 2

1) Implement a strong identity foundation
2) Protect data in transit and at rest
3) Apply security at all layers
4) Keep people away from data
5) Maintain traceability
6) Prepare for security events
7) Automate security best practices

Question 3

How to implement identity foundation

Answer 3

Use policies to grant or deny access to AWS resources.
Use the principle of least priviledge.

Question 4

How can you implement encryption?

Answer 4

By using Transport Layer Security (TLS)

Question 4

How to protect data in transit and at rest?

Answer 4

Use encryption using TLS

Question 5

Authentication (Who)?

Answer 5

Important to identify who is accessing. The who can be a person or an application

Question 5

How do you protect data at rest

Answer 5

Through client side encryption which encrypts data before it is sent or server side encryption that encrypts data after it is sent but before it is stored

Question 5

Authorization

Answer 5

Do we allow or do we deny the request once we know who

Question 6

What is IAM

Answer 6

Identity and Access Management

Question 7

What do you do with Identity and Access Management (IAM)

Answer 7

configure access, grant credentials to user and groups. Distribute it accross services.
Integration with Microsoft active directory and other identity providers.
Support MFA

Question 8

IAM Resource

Answer 8

Is the user group policy or identity provider object stored in IAM

Question 9

IAM entity

Answer 9

The object used for authentification. They include user and roles

Question 10

IAM identity

Answer 10

An identity identifies user and groups or role. You can attach policies to identities

Question 11

IAM principal

Answer 11

Person or application using the account to authenticat and make requests. (The who behind it (app or user))

Question 12

IAM user

Answer 12

entity you create that represent the person or application interacting with AWS services

Question 13

IAM Group

Answer 13

Collection of users. Use groups to grant same set of permissions to multiple users

Question 14

IAM Role

Answer 14

Similar to user but short term credentials for the duration of the session

Question 15

IAM Policy

Answer 15

Document explicitely listing permissions

Question 16

Credentials needed for signing into the AWS management console

Answer 16

Username and password

Question 17

Credentials needed to run commands in the Command Line Interface (CLI)

Answer 17

AWS access Key

Question 18

Credentials needed to make programmatic calls to AWS

Answer 18

AWS Access Key

Question 19

What is an AWS Access Key?

Answer 19

Combination of access key ID and a secret access key

Question 20

Best practice for security

Answer 20

1) Least priviledge
2) Enable MFA
3) Require human users to acces AWS with temporary credentials
4) Rotate access key for use care requiring lng term credentials
5) Use strong, Complex passwords
6) Secure local credentials
7) Use AWS Organizations
8) Enable Cloud trails
9) Protect the root user

Question 21

Least priviledge

Answer 21

Grant the strictly minimal permissions to perform tasks

Question 22

Enable MFA

Answer 22

Just do it. A lot of types exist

Question 23

Human access with temporary credentials

Answer 23

Do this through entity assigning roles to the accounts

Question 24

Rotate access key

Answer 24

For programmatic access so that they change regularly

Question 25

Strong passwords

Answer 25

Duh. Password manager...

Question 26

Secure credentials

Answer 26

Password manager again

Question 27

Use organization

Answer 27

To consolidate billing, and access control

Question 28

Enable Cloudtrail

Answer 28

Create logs to record the access to the ressources

Question 29

Protect the root user

Answer 29

Limit the use of the root user as much as possible it has complete access to everything

Question 30

How to protect the root user

Answer 30

Do not use it. Create an admin user with permissions to most task

Question 31

How to set up an admin user

Answer 31

Log in as root and set up MFA for it Create admin and add MFA download the key Log out of the root user Log in to the admin user Create your user accounts

Question 32

Use case for roles

Answer 32

Assign role to another AWS accounts needing ressources on yours. Assign roles to user outside of your company Assign role to a mobile app because it is not good to have credentials in there Assign role to an app running on an EC2 because you don't want to store the credentials there either

Question 33

2 types of policies

Answer 33

identity based policies Ressources based policies

Question 34

Identity based policies

Answer 34

Attached to IAM User. What ressources can access the user

Question 35

Resource based

Answer 35

Attached to an AWS resource. What user can access the ressource

Question 36

Format of a policy

Answer 36

JSON

Question 37

Process to allow access

Answer 37

Is there explicit denial policy?=> If not then goes to check is there an explicit allow => If yes then allow.Otherwise denies all.

Question 38

IAM policy document structure

Answer 38

Version Statement Effect Principal Action Resource Condition

Question 39

Policy version

Answer 39

Version of the policy language you want to use

Question 40

Policy Statement

Answer 40

Defining what is allowed or denied based on conditions

Question 41

Policy effect

Answer 41

Allow or deny

Question 42

Policy Principal

Answer 42

Account, user or role concerned by the policy

Question 43

Policy Action

Answer 43

Action allowed ."s3:GetObject" for example

Question 44

Policy Resource

Answer 44

Resources that the policy action applies to

Question 45

Policy Condition

Answer 45

Set of rules that must be met for the rule to apply