Module 6 Flashcards
(19 cards)
Shared Responsibility Model
Security responsibilities are split between AWS and Customer:
(The exact split depends on the specific service used, but the list below is generally true)
AWS: Global infrastructure, compute, storage, DB, networking, regions/edge locations/availability zones
Customer: Platform, applications, identity and access management, OS, network and firewall configuration, client-side encryption, server-side encryption, networking.
IAM User
An IAM user is an identity that you create in AWS. It represents the person or application that interacts with AWS services and resources. It consists of a name and credentials.
By default, when you create a new IAM user in AWS, it has no permissions associated with it.
IAM Group
An IAM group is a collection of IAM users. When you assign an IAM policy to a group, all users in the group are granted permissions specified by the policy.
IAM Role
An IAM role is an identity that you can assume to gain temporary access to permissions.
Before an IAM user, application, or service can assume an IAM role, it must be granted permission to switch to that role. When someone assumes an IAM role, they give up all permissions they previously had and take on only the permissions of the new role.
IAM Policy
An IAM policy is a document that allows or denies permissions to AWS services and resources.
Policies are written as JSON documents.
AWS Root user best practices
The root user has full (superadmin) access to the account.
- Turn on MFA
- Don’t use it for everyday tasks.
- Use the root user only to create the first IAM user, which is then granted permission to create other users.
- ONLY use the root user for environment-wide admin tasks (changing the AWS Support plan, for example)
AWS Organizations
Suppose that your company has multiple AWS accounts. You can use AWS Organizations to consolidate and manage multiple AWS accounts within a central location.
When you create an organization, AWS Organizations automatically creates a root, which is the parent container for all the accounts in your organization.
Service Control Policies
In AWS Organizations, you can centrally control permissions for the accounts in your organization by using service control policies (SCPs). SCPs enable you to place restrictions on the AWS services, resources, and individual API actions that users and roles in each account can access.
Organizational units
In AWS Organizations, you can group accounts into organizational units (OUs) to make it easier to manage accounts with similar business or security requirements.
OU vs IAM Group
OU is a collection of accounts
IAM Group is a collection of users
Account vs IAM User
An AWS account is a container that holds all your AWS resources and users, while an IAM user is a specific identity within that account with limited permissions.
AWS Artifact
AWS Artifact is a service that provides on-demand access to AWS security and compliance reports and select online agreements. AWS Artifact consists of two main sections: AWS Artifact Agreements and AWS Artifact Reports.
AWS Artifact Agreements
Suppose that your company needs to sign an agreement with AWS regarding your use of certain types of information throughout AWS services. You can do this through AWS Artifact Agreements.
AWS Artifact Reports
Next, suppose that a member of your company’s development team is building an application and needs more information about their responsibility for complying with certain regulatory standards. You can advise them to access this information in AWS Artifact Reports.
AWS Artifact Reports provide compliance reports from third-party auditors. These auditors have tested and verified that AWS is compliant with a variety of global, regional, and industry-specific security standards and regulations. AWS Artifact Reports remain up to date with the latest reports released. You can provide the AWS audit artifacts to your auditors or regulators as evidence of AWS security controls.
Types of Artifact Reports
AWS Artifact provides access to AWS security and compliance documents, such as AWS ISO certifications, Payment Card Industry (PCI) reports, and Service Organization Control (SOC) reports.
The Customer Compliance Center
The Customer Compliance Center contains resources to help you learn more about AWS compliance.
You can also access compliance whitepapers and documentation on topics such as:
- AWS answers to key compliance questions
- An overview of AWS risk and compliance
- An auditing security checklist
AWS Shield
AWS Shield is a service that protects applications against DDoS attacks. AWS Shield provides two levels of protection: Standard and Advanced.
AWS Shield Standard
AWS Shield Standard automatically protects all AWS customers at no cost. It protects your AWS resources from the most common, frequently occurring types of DDoS attacks.