Security Flashcards

1
Q

Shared responsibility model

A

Customer responsibility: Security in the cloud
AWS responsibility: Security of the cloud

2
Q

AWS Identity and Access Management (IAM)

A

Manages access to AWS services and resources
Configure access based on your needs

3
Q

AWS account root user

A

Accessed by signing in with the email address and password you used to create the AWS account
Has complete access to all services and resources in the account
Use the root user only to create your first IAM user, then give that user permissions to create other users

4
Q

IAM user

A

An identity you create in AWS, consisting of a name and credentials
By default it has no permissions; you must grant the user permissions
Recommended: create an individual IAM user for each person who needs to access AWS
This provides security by giving each user a unique set of security credentials

5
Q

IAM policies

A

A document that allows or denies permissions to AWS services and resources
Enables you to customize a user's level of access to resources
Follow the security principle of least privilege when granting permissions

6
Q

IAM groups

A

Collection of IAM users
When you assign a policy to a group, all users in that group are granted permissions specified by the policy

7
Q

IAM roles

A

An identity you can assume to gain temporary access to permissions
When someone assumes an IAM role, they give up the permissions they had under their previous identity and take on the permissions of the new role

8
Q

AWS Organizations

A

Consolidates and manages multiple AWS accounts within a central location

9
Q

Service control policies

A

Centrally control permissions for the accounts in your organization

An SCP defines a guardrail, or sets limits, on the actions that the account's administrator can delegate to its IAM users and roles

You can apply SCPs to the organization root, an individual member account, or an organizational unit (OU)

10
Q

AWS Artifact

A

Provides on-demand access to AWS security and compliance reports

11
Q

AWS Artifact Agreements

A

You can review, accept, and manage agreements for an individual account and for all your accounts in AWS Organizations
Different types of agreements are offered to address the needs of customers who are subject to specific regulations
e.g., HIPAA

12
Q

AWS Artifact Reports

A

Provides compliance reports from third-party auditors
Auditors have tested and verified that AWS is compliant with a variety of global, regional, and industry-specific standards and regulations
You can provide these audit artifacts to your own auditor as evidence of AWS security controls

13
Q

Customer Compliance Center

A

Contains resources to help you learn more about AWS compliance
Access compliance whitepapers and documentation

14
Q

Distributed denial of service attack

A

Attack on your enterprise infrastructure
Shuts down your app's ability to function so that it can't serve users
Bad actor overwhelms your capacity in order to deny anyone your services
The attack leverages other machines around the internet

15
Q

UDP Flood

A

Bad actor sends requests to an API (for example, a weather data service) with a fake return address; the system gets bogged down trying to sort through them
Solution: security groups - only allow in proper request traffic

16
Q

HTTP Level Attacks

A

Requests look like users asking for data, but they come from a large number of bots

17
Q

Slowloris Attack

A

Attacker pretends to have a slow connection
Servers wait for the client to finish its request and can't move on to the next thread
Solution: elastic load balancer - handles the HTTP request first, so it waits until the entire message is complete before sending it on to the front-end web server

18
Q

AWS Shield

A

Specialized defense tools
Has machine learning capabilities; can recognize new threats as they evolve
Standard:
Automatically protects all AWS customers at no cost
Protects from the most common, frequent types of DDoS attacks
Advanced:
Paid service that provides detailed attack diagnostics and the ability to detect and mitigate sophisticated DDoS attacks
Integrates with other services

19
Q

Encryption at rest

A

Applies when data is idle/stored
Enabled on all DynamoDB table data
Integrates with AWS Key Management Service (KMS)

20
Q

Encryption in transit

A

Applies when data is traveling between service and client
Uses Secure Sockets Layer (SSL) connections to encrypt data
Uses service certificates to validate and authorize a client

21
Q

AWS Key Management Service (KMS)

A

Enables you to perform encryption operations through the use of cryptographic keys
Cryptographic key: a random string of digits used for encrypting and decrypting data
Create, manage, and use cryptographic keys through KMS
You choose the specific levels of access control you need for your keys
You can temporarily disable keys so that they're no longer in use

22
Q

AWS WAF

A

Web application firewall that lets you monitor network requests coming into your web applications
Works with Amazon CloudFront and an Application Load Balancer
Blocks or allows traffic by using a web access control list (web ACL) to protect your resources

23
Q

Amazon Inspector

A

Runs an automated security assessment against your infrastructure
Checks for deviations from security best practices, exposure of EC2 instances, vulnerabilities, etc.
Run the service or retrieve findings through an API

24
Q

Amazon GuardDuty

A

Analyzes continuous streams of metadata generated from your account and network activity, found in events and logs
Uses integrated threat intelligence such as known malicious IPs, anomaly detection, and machine learning
Runs independently from other AWS services, so it won't affect their performance

25
Q

AWS WAF

A

Web application firewall that filters traffic for signatures of bad actors