Pillar One - Security Flashcards Preview

SA-12-The Well Architected Framework > Pillar One - Security > Flashcards

Flashcards in Pillar One - Security Deck (16):
1

Design Principles

  1. Apply security at all layers
  2. Enable traceability
  3. Automate responses to security events
  4. Focus on securing your system
  5. Automate security best practices

2

Security in the cloud consists of 4 areas:

  1. Data Protection
    1. Data classification should be in place, with data segmented by sensitivity
    2. Data segments should be divided into:
      1. Available to the public
      2. Available to all employees
      3. Available to certain employees only
  2. Privilege Management
    1. Least-privilege access model: people (and systems) should only be able to access what they need
  3. Infrastructure Protection
    1. Encrypt as much as possible, whether at rest or in transit
  4. Detective Controls

3

Best Practices - Data Protection

  1. AWS customers maintain full control of their data
  2. AWS makes it easier for you to encrypt data and manage keys (including regular key rotation)
  3. Detailed logging (CloudTrail) of access and changes
  4. Data storage durability (S3 is designed for 11 nines, 99.999999999%, of durability)
  5. Versioning - protects against accidental overwrites and deletes
  6. AWS never initiates movement of data between regions (unless the customer selects a service that does so)

4

Data Protection - Questions

  1. How is data protected at rest?
  2. How is data protected in transit?

5

Privilege Management

  1. Access control lists (ACLs)
    1. How are you limiting automated access (scripts, applications, third-party tools)?
  2. Role-based access controls
    1. Are you defining roles/responsibilities for access?
  3. Password management (and rotation)
    1. Are the AWS root credentials protected (with MFA)?

6

Infrastructure Protection

  1. Physical infrastructure is owned and protected by AWS
  2. Customer is responsible for VPC-level protections
    1. Security Groups
    2. Network ACLs
    3. Traffic routing / subnets

7

Protection Questions

How are you enforcing network and host-level boundary protections?

  1. Security Groups
  2. Network ACLs
  3. Public / Private Subnets
  4. User Access Control
  5. Bastion Hosts
  6. EC2 instance placement (which subnet each instance lives in)
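Worked example added here, not from the original deck: an offline audit of the boundary controls this card lists, run over constructed JSON in the shape the EC2 DescribeRouteTables and DescribeSecurityGroups APIs return. It classifies each subnet as public or private from its route table and flags security-group ingress rules that expose admin ports (or every port) to the whole internet, while a bastion group with a CIDR allowlist passes. All identifiers (sg-web, subnet-public-a, igw-0a1b2c and so on) are made up; in practice you would feed it the real API output.

```python
"""Offline audit of VPC boundary controls: public/private subnet classification
from route tables and world-open security-group ingress rules.  The data below
is constructed for this example; its shape follows what the EC2
DescribeRouteTables and DescribeSecurityGroups APIs return."""
from ipaddress import ip_network

ADMIN_PORTS = {22, 3389}           # SSH and RDP: only a bastion should expose these

# Constructed sample (identifiers are made up).
SECURITY_GROUPS = [
    {"GroupId": "sg-web", "GroupName": "web", "IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443,
         "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": [], "UserIdGroupPairs": []},
        {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
         "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": [], "UserIdGroupPairs": []},
    ]},
    {"GroupId": "sg-bastion", "GroupName": "bastion", "IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
         "IpRanges": [{"CidrIp": "203.0.113.0/24"}], "Ipv6Ranges": [], "UserIdGroupPairs": []},
    ]},
    {"GroupId": "sg-db", "GroupName": "db", "IpPermissions": [
        {"IpProtocol": "-1",   # -1 = all protocols and all ports
         "IpRanges": [], "Ipv6Ranges": [{"CidrIpv6": "::/0"}], "UserIdGroupPairs": []},
        {"IpProtocol": "tcp", "FromPort": 5432, "ToPort": 5432,
         "IpRanges": [], "Ipv6Ranges": [], "UserIdGroupPairs": [{"GroupId": "sg-web"}]},
    ]},
]
ROUTE_TABLES = [
    {"Associations": [{"SubnetId": "subnet-public-a"}], "Routes": [
        {"DestinationCidrBlock": "10.0.0.0/16", "GatewayId": "local"},
        {"DestinationCidrBlock": "0.0.0.0/0", "GatewayId": "igw-0a1b2c"}]},
    {"Associations": [{"SubnetId": "subnet-private-a"}], "Routes": [
        {"DestinationCidrBlock": "10.0.0.0/16", "GatewayId": "local"},
        {"DestinationCidrBlock": "0.0.0.0/0", "NatGatewayId": "nat-0a1b2c"}]},
]


def classify_subnets(route_tables):
    """Map subnet id -> 'public' or 'private'.  A subnet is public when its
    route table sends the default route to an Internet Gateway (igw-*); a NAT
    gateway route gives outbound-only access, so that subnet stays private."""
    result = {}
    for table in route_tables:
        to_igw = any(r.get("DestinationCidrBlock") == "0.0.0.0/0"
                     and r.get("GatewayId", "").startswith("igw-")
                     for r in table["Routes"])
        for assoc in table.get("Associations", []):
            if "SubnetId" in assoc:
                result[assoc["SubnetId"]] = "public" if to_igw else "private"
    return result


def world_reachable(perm):
    """True if any source of the rule is the whole IPv4 or IPv6 internet.
    SG-to-SG references (UserIdGroupPairs) are never world-reachable."""
    cidrs = [r["CidrIp"] for r in perm.get("IpRanges", [])]
    cidrs += [r["CidrIpv6"] for r in perm.get("Ipv6Ranges", [])]
    return any(ip_network(c, strict=False).prefixlen == 0 for c in cidrs)


def port_range(perm):
    """(low, high) port span of a rule; protocol -1 means every port."""
    if perm["IpProtocol"] == "-1":
        return 0, 65535
    return perm.get("FromPort", 0), perm.get("ToPort", 65535)


def audit_security_groups(groups):
    """Return (GroupId, message) findings for world-reachable ingress rules
    that expose an admin port or every port.  443 open to the world on a
    web tier is not a finding; SSH open to the world is."""
    findings = []
    for sg in groups:
        for perm in sg["IpPermissions"]:
            if not world_reachable(perm):
                continue
            low, high = port_range(perm)
            if (low, high) == (0, 65535):
                findings.append((sg["GroupId"], "all ports open to the world"))
                continue
            for port in sorted(ADMIN_PORTS):
                if low <= port <= high:
                    findings.append((sg["GroupId"], f"port {port} open to the world"))
    return findings


if __name__ == "__main__":
    for subnet, kind in classify_subnets(ROUTE_TABLES).items():
        print(f"{subnet}: {kind}")
    for group_id, message in audit_security_groups(SECURITY_GROUPS):
        print(f"{group_id}: {message}")
```

The bastion group is the only place SSH should be reachable from outside, and even there the source is a CIDR allowlist rather than 0.0.0.0/0; the database group's rule that references sg-web shows the SG-to-SG pattern that keeps a private tier unreachable from the internet regardless of subnet.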

8

Protection Questions

How are you enforcing AWS service level protection?

  1. Console access restrictions
  2. IAM groups
  3. MFA enabled for users
  4. Password policy

9

Protection Questions

How are you protecting the integrity of the operating systems on your Amazon EC2 instance?

Anti-virus for Windows instances

10

Detective Controls - Solutions

  1. CloudTrail - logs all API calls and changes - must be enabled in each region (regional service; a single trail can also be configured to apply to all regions)
  2. CloudWatch - for environment usage metrics and alarms
  3. AWS Config - records resource configurations and configuration changes
  4. S3 - log storage
  5. Glacier - long-term log archive

11

Key Services

  1. Data Protection - Encrypt in transit / rest with: ELB, EBS, S3, RDS
  2. Privilege Management - IAM, MFA
  3. Infrastructure Protection - VPC, Security Groups, Network ACLs, restricted ports, private / public subnets, etc.
  4. Detective Controls - CloudTrail, CloudWatch, AWS Config

12

Data Protection - Question Types

  1. How is data protected at rest?
  2. How is data protected in transit?

13

Privilege Management - Question Types

  1. How are you protecting access to and use of the AWS root account credentials?
  2. How are you defining roles and responsibilities of system users to control human access to the AWS Management Console and APIs?
  3. How are you limiting automated access (scripts, applications, third party tools) to AWS resources?
  4. How are you managing keys and credentials?
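Worked example added here, not from the original deck, covering the privilege-management cards above (least privilege, IAM groups and MFA for users, root and automated access): a small IAM-style policy evaluator written for this page that models implicit deny, explicit Deny winning over Allow, Action/Resource wildcards and the aws:MultiFactorAuthPresent condition. The policy documents and the app-logs bucket ARN are constructed; the evaluator covers only a subset of real IAM semantics (no NotAction/NotResource, only the Bool and BoolIfExists condition operators).

```python
"""Minimal IAM-style policy evaluator: deny by default, explicit Deny wins over
Allow, Action/Resource wildcards, and the aws:MultiFactorAuthPresent condition.
Written for this example; it models only a subset of real IAM semantics."""
from fnmatch import fnmatchcase


def _match(patterns, value, ignore_case=False):
    """IAM-style wildcard match ('*' and '?').  Action names are
    case-insensitive in IAM; resource ARNs are not."""
    if isinstance(patterns, str):
        patterns = [patterns]
    if ignore_case:
        return any(fnmatchcase(value.lower(), p.lower()) for p in patterns)
    return any(fnmatchcase(value, p) for p in patterns)


def _condition_holds(condition, context):
    """Evaluate Bool / BoolIfExists.  With plain Bool a missing context key
    makes the condition false; with BoolIfExists a missing key makes it true."""
    for operator, pairs in (condition or {}).items():
        if operator not in ("Bool", "BoolIfExists"):
            raise NotImplementedError(f"condition operator {operator}")
        for key, expected in pairs.items():
            if key not in context:
                if operator == "Bool":
                    return False
                continue                      # IfExists: absent key satisfies it
            if bool(context[key]) != (str(expected).lower() == "true"):
                return False
    return True


def evaluate(policies, action, resource, context=None):
    """Decide 'Allow' or 'Deny' for one request against the attached policies:
    implicit deny unless some statement allows, and any explicit Deny wins."""
    context = context or {}
    allowed = False
    for policy in policies:
        for stmt in policy["Statement"]:
            if "NotAction" in stmt or "NotResource" in stmt:
                raise NotImplementedError("NotAction/NotResource not modelled")
            if not _match(stmt["Action"], action, ignore_case=True):
                continue
            if not _match(stmt.get("Resource", "*"), resource):
                continue
            if not _condition_holds(stmt.get("Condition"), context):
                continue
            if stmt["Effect"] == "Deny":
                return "Deny"
            allowed = True
    return "Allow" if allowed else "Deny"


# Constructed policies.  Least privilege for a log-reader: read only, one bucket.
LOG_READER = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": ["s3:GetObject", "s3:ListBucket"],
     "Resource": ["arn:aws:s3:::app-logs", "arn:aws:s3:::app-logs/*"]},
]}

# Deny everything unless MFA was used.  BoolIfExists also catches requests made
# with long-term access keys, where the MFA key is absent from the context.
REQUIRE_MFA = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Deny", "Action": "*", "Resource": "*",
     "Condition": {"BoolIfExists": {"aws:MultiFactorAuthPresent": "false"}}},
]}

# Same intent written with plain Bool: it does NOT block access-key calls,
# because the missing key makes the condition false and the Deny never fires.
REQUIRE_MFA_WEAK = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Deny", "Action": "*", "Resource": "*",
     "Condition": {"Bool": {"aws:MultiFactorAuthPresent": "false"}}},
]}

LOG = "arn:aws:s3:::app-logs/2024/app.log"          # constructed object ARN
MFA = {"aws:MultiFactorAuthPresent": True}         # context of an MFA session

if __name__ == "__main__":
    print(evaluate([LOG_READER, REQUIRE_MFA], "s3:GetObject", LOG, MFA))   # Allow
    print(evaluate([LOG_READER, REQUIRE_MFA], "s3:GetObject", LOG))        # Deny: no MFA
    print(evaluate([LOG_READER, REQUIRE_MFA], "s3:PutObject", LOG, MFA))   # Deny: implicit
    print(evaluate([LOG_READER, REQUIRE_MFA_WEAK], "s3:GetObject", LOG))   # Allow: Bool pitfall
```

The two MFA policies show the check a practitioner wants when answering the "root account" and "automated access" questions: a request signed with long-term access keys carries no aws:MultiFactorAuthPresent key, so a Deny written with plain Bool never fires, while BoolIfExists treats the absent key as matching and blocks it.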

14

Infrastructure Protection - Question Types

  1. How are you enforcing network and host level boundary protection?
  2. How are you enforcing AWS service level protection?
  3. How are you protecting the integrity of the operating systems on your EC2 instances? 

15

Detective Controls - Question Types

How are you capturing and analyzing AWS logs?
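Worked example added here, not from the original deck, for this card and the detective-controls solutions card above: parsing a CloudTrail log file in the gzipped {"Records": [...]} form CloudTrail delivers to S3, then running three basic detections over it (root account use, console login without MFA, and changes to CloudTrail itself), plus a per-region count as a check that the trail covers every region. The records are constructed for the example, with a made-up account id, IP addresses and trail name.

```python
"""Parse one CloudTrail log file (gzipped JSON as delivered to S3) and run a
first set of detections over it.  Records below are constructed for this
example; field names follow the CloudTrail record format."""
import gzip
import json
from collections import Counter

# Constructed sample records (account id, IPs and trail name are made up).
SAMPLE_RECORDS = [
    {"eventVersion": "1.08", "eventTime": "2024-05-01T08:00:12Z",
     "eventSource": "signin.amazonaws.com", "eventName": "ConsoleLogin",
     "awsRegion": "us-east-1", "sourceIPAddress": "198.51.100.7",
     "userIdentity": {"type": "Root", "arn": "arn:aws:iam::111122223333:root"},
     "additionalEventData": {"MFAUsed": "No"},
     "responseElements": {"ConsoleLogin": "Success"}},
    {"eventVersion": "1.08", "eventTime": "2024-05-01T08:05:40Z",
     "eventSource": "cloudtrail.amazonaws.com", "eventName": "StopLogging",
     "awsRegion": "us-east-1", "sourceIPAddress": "198.51.100.7",
     "userIdentity": {"type": "IAMUser", "userName": "alice",
                      "arn": "arn:aws:iam::111122223333:user/alice"},
     "requestParameters": {"name": "org-trail"}},
    {"eventVersion": "1.08", "eventTime": "2024-05-01T09:10:03Z",
     "eventSource": "signin.amazonaws.com", "eventName": "ConsoleLogin",
     "awsRegion": "us-east-1", "sourceIPAddress": "203.0.113.9",
     "userIdentity": {"type": "IAMUser", "userName": "bob",
                      "arn": "arn:aws:iam::111122223333:user/bob"},
     "additionalEventData": {"MFAUsed": "Yes"},
     "responseElements": {"ConsoleLogin": "Success"}},
    {"eventVersion": "1.08", "eventTime": "2024-05-01T09:12:44Z",
     "eventSource": "ec2.amazonaws.com", "eventName": "AuthorizeSecurityGroupIngress",
     "awsRegion": "eu-west-1", "sourceIPAddress": "203.0.113.9",
     "userIdentity": {"type": "IAMUser", "userName": "bob",
                      "arn": "arn:aws:iam::111122223333:user/bob"}},
]
# The bytes CloudTrail would write to the log bucket for these records.
SAMPLE_FILE = gzip.compress(json.dumps({"Records": SAMPLE_RECORDS}).encode())

# CloudTrail API calls that switch logging off or narrow what is recorded.
LOGGING_TAMPER = {"StopLogging", "DeleteTrail", "UpdateTrail", "PutEventSelectors"}


def load_records(gz_bytes):
    """Parse one CloudTrail log file as delivered to S3: gzip of {"Records": [...]}."""
    return json.loads(gzip.decompress(gz_bytes))["Records"]


def analyze(records):
    """Return (eventTime, rule, actor) findings for three basic detections:
    any use of the root account, a console login without MFA, and changes to
    CloudTrail itself.  One record can trigger more than one rule."""
    findings = []
    for r in records:
        ident = r.get("userIdentity", {})
        actor = ident.get("arn", "unknown")
        if ident.get("type") == "Root":
            findings.append((r["eventTime"], "root-account-used", actor))
        if (r.get("eventName") == "ConsoleLogin"
                and r.get("additionalEventData", {}).get("MFAUsed") != "Yes"):
            findings.append((r["eventTime"], "console-login-without-mfa", actor))
        if (r.get("eventSource") == "cloudtrail.amazonaws.com"
                and r.get("eventName") in LOGGING_TAMPER):
            findings.append((r["eventTime"], f"cloudtrail-{r['eventName']}", actor))
    return findings


def regions_seen(records):
    """Events per region.  A region with activity but no trail covering it
    would simply not appear here, which is why trails must be enabled in every
    region (or as one multi-region trail)."""
    return Counter(r["awsRegion"] for r in records)


if __name__ == "__main__":
    records = load_records(SAMPLE_FILE)
    for event_time, rule, actor in analyze(records):
        print(f"{event_time} {rule} {actor}")
    print(dict(regions_seen(records)))
```

The StopLogging detection is the one to alert on first: an attacker who has obtained credentials will often try to blind the trail before doing anything else, and a root console login without MFA in the same file is exactly the sequence the privilege-management cards are meant to prevent.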

16