Security Flashcards

1
Q

An organization has a large number of technical employees who operate their AWS Cloud infrastructure. What does AWS provide to help organize them in teams and then assign the appropriate permissions for each team?

A

1) IAM Groups - an IAM group is a collection of IAM users that are managed as a unit.
2) Groups let you specify permissions for multiple users, which can make it easier to manage the permissions for those users.
3) For example, you could have a group called Admins and give that group the types of permissions that administrators typically need. Any user in that group automatically has the permissions that are assigned to the group.

2
Q

What is an IAM role?

A

1) It’s an IAM identity that you can create in your account that has specific permissions.
2) IAM roles allow you to delegate access (for a limited time) to users or services that normally don’t have access to your organization’s AWS resources.
3) IAM users or AWS services can assume a role to obtain temporary security credentials that can be used to interact with specific AWS resources.

3
Q

What is an IAM user?

A

1) An IAM user is an entity that you create in AWS to represent the person or application that uses it to directly interact with AWS.
2) A primary use for IAM users is to give people the ability to sign in to the AWS Management Console for interactive tasks and to make programmatic requests to AWS services using the API or CLI.
3) A user in AWS consists of a name, a password to sign into the AWS Management Console, and up to two access keys that can be used with the API or CLI.
4) When you create an IAM user, you grant it permissions by making it a member of a group that has appropriate permission policies attached (recommended), or by directly attaching policies to the user.

4
Q

What are the similarities and differences between an IAM role and an IAM user?

A

1) Similarity: An IAM role is similar to an IAM user, in that it is an AWS identity with permission policies that determine what the identity can and cannot do in AWS.
2) Difference: However, instead of being uniquely associated with one person, a role is intended to be assumable by anyone (or any service, application, etc.) who needs it. Also, a role does not have standard long-term credentials such as a password or access keys associated with it. Instead, when you assume a role, it provides you with temporary security credentials for your role session.

5
Q

What must an IAM user provide to interact with AWS services using the AWS Command Line Interface (CLI)?

A

Access keys, which consist of an access key ID and a secret access key, are used to sign programmatic requests to AWS using the CLI or the SDK.

6
Q

What is the AWS feature that provides an additional level of security above the default authentication mechanism of usernames and passwords?

A

AWS Multi-Factor Authentication (MFA) is a simple best practice that adds an extra layer of protection on top of using just your user name and password to authenticate.

7
Q

A company has moved to AWS recently. What AWS services would help them ensure that the right security settings are put in place?

A

1) Amazon Inspector is an automated security assessment service that helps improve the security and compliance of applications deployed on AWS. Amazon Inspector automatically assesses applications for vulnerabilities or deviations from best practices. To help get started quickly, Amazon Inspector includes a knowledge base of hundreds of rules mapped to common security best practices and vulnerability definitions. Examples of built-in rules include checking for remote root login being enabled, or vulnerable software versions installed. These rules are regularly updated by AWS security researchers.
2) AWS Trusted Advisor offers a rich set of best practice checks and recommendations across five categories: cost optimization; security; fault tolerance; performance; and service limits. Like your customized cloud security expert, AWS Trusted Advisor analyzes your AWS environment and provides security recommendations to protect your AWS environment. The service improves the security of your applications by closing gaps, examining permissions, and enabling various AWS security features.

8
Q

Hundreds of thousands of DDoS attacks are recorded every month worldwide. What does AWS provide to protect from these attacks?

A

1) AWS provides flexible infrastructure and services that help customers implement strong DDoS mitigations and create highly available application architectures that follow AWS Best Practices for DDoS Resiliency.
2) These include services such as Amazon Route 53, Amazon CloudFront, Elastic Load Balancing, and AWS WAF to control and absorb traffic, and deflect unwanted requests.
3) These services integrate with AWS Shield, a managed DDoS protection service that provides always-on detection and automatic inline mitigations to safeguard web applications running on AWS.

9
Q

What AWS services allow customers to manage their agreements with AWS?

A

1) AWS Artifact is a self-service audit artifact retrieval portal that provides customers with on-demand access to AWS’ compliance documentation and AWS agreements. You can use AWS Artifact Agreements to review, accept, and track the status of AWS agreements such as the Business Associate Addendum (BAA).
2) You can also use AWS Artifact Reports to download AWS security and compliance documents, such as AWS ISO certifications, Payment Card Industry (PCI), and System and Organization Control (SOC) reports.

10
Q

What AWS security feature is associated with an EC2 instance and functions to filter incoming traffic requests?

A

Security Groups act as a firewall for associated Amazon EC2 instances, controlling both inbound and outbound traffic at the instance level.

11
Q

What is NACL?

A

A network access control list (NACL) is an optional layer of security for your VPC that acts as a firewall for controlling traffic in and out of one or more subnets.
Note: NACLs act at the subnet level, but security groups act at the instance level.

12
Q

What is equivalent to a user name and password and is used to authenticate your programmatic access to AWS services and APIs?

A

Access keys consist of two parts: an access key ID and a secret access key. You use access keys to sign programmatic requests that you make to AWS when you use AWS CLI commands (using the SDKs) or AWS API operations. Like a user name and password, you must use both the access key ID and secret access key together to authenticate your requests.

13
Q

What is one of the benefits of AWS security?

A

Security scales with your AWS Cloud usage. No matter the size of your business, the AWS infrastructure is designed to keep your data safe.
