Security and Compliance Flashcards
(37 cards)
1
Q
AWS Security in the Cloud
A
- Global network of data centers built with security in mind
- Safeguards to protect customer privacy
- Dozens of compliance programs to help meet industry compliance requirements
- High security standards without need for your own data centers
- Scale your business quickly
2
Q
Security and Compliance Domain
A
- AWS shared responsibility model
- AWS Cloud security, governance, and compliance concepts
- AWS access management capabilities
- Identify components and resources for security
3
Q
Shared Responsibility Model
A
- Security of cloud computing infrastructures and data is a shared responsibility
- AWS: security of the cloud (data centers, hardware, software, networking)
- Customer: security in the cloud (customer data, encryption, identity and access management, firewalls)
4
Q
Cloud Security Well-Architected Framework
A
- Identity and access management: principle of least privilege
- Enable traceability
- Security at all layers and automated security for scaling and cost-optimization
- Data should be protected at-rest and in transit
- Eliminate direct access and manual processing of data
- Intervene, investigate, and respond to incidents
5
Q
AWS Cloud Security Services
A
- Amazon Inspector
- AWS Shield
- Amazon GuardDuty
6
Q
AWS Compliance Programs
A
- Compliance certifications
- Security standards
7
Q
Self-Service Audit Artifact Retrieval Service
A
- AWS Artifact
8
Q
Governance
A
- The process of creating and enforcing decisions within an organization
9
Q
Principle of Least Privilege
A
- Only provide the least amount of access needed for an entity to do its job, and no more
- Use IAM to provide access to resources to both users and other AWS services
10
Q
Identities in AWS (WHO)
A
- Human identity
- Workload: a collection of resources and code that provides business value
- Federated identity: single sign-on (SSO), AWS IAM Identity Center
11
Q
Controlling Access to AWS
A
- Roles
- Policies: define what an identity or resource can do
- Permissions: define whether an action is allowed or denied
12
Q
Traffic Control
A
- Security groups: control traffic that is allowed to reach and leave AWS resources
- Network access control lists (NACLs): deny specific inbound and outbound traffic at subnet level
13
Q
Security Groups
A
- Protect at instance level
- Stateful: traffic allowed in is allowed out (“remembers”)
- No explicit deny
- All inbound traffic blocked and outbound traffic allowed by default
14
Q
NACLs
A
- Protect at subnet level
- Stateless: in and out traffic needs to be defined separately (“forgets”)
- Explicit deny
- All inbound and outbound traffic allowed by default
15
Q
Identity Access Management (IAM)
A
- Manage access to services and resources in the AWS Cloud
- Manage users and groups
- Can provide access to users or other AWS services
- Permissions are global; any access setting will be true across all regions
- Follow the principle of least privilege
16
Q
IAM: Manage Users
A
- Create users in IAM and assign them security credentials
- Users can have very precise permission sets
- Users can access AWS through AWS Management Console
- Programmatic access to data and resources
17
Q
IAM: Manage IAM Roles
A
- Create roles to manage permissions and what these roles can do
- An entity assumes a role to obtain temporary security credentials to make API calls to your resources
- Used to provide a user from another AWS account with access to your AWS account
18
Q
IAM: Manage Federated Users
A
- Enable identity federation: allow existing identities in your enterprise to access AWS without having to create an IAM user for each identity
- Can use any identity management solution that uses SAML 2.0 or one of the AWS federation samples
19
Q
Benefits of IAM
A
- Enhanced security
- Granular control
- Ability to provide temporary credentials
- Flexible security credential management
- Federated access
- Seamless integration across AWS services
20
Q
Security Credentials
A
- Password policy: password requirements and rotation of passwords
- Temporary access keys to make programmatic calls to AWS
21
Q
Multi-factor Authentication (MFA)
A
- Two-factor authentication (2FA)
- User presents at least two pieces of evidence to verify they are authorized to access the account
22
Q
AWS Secrets Manager
A
- Saves all of your “secrets”
- Secrets: passwords, credentials, tokens, access keys
- Integrates with key AWS services
23
Q
AWS Systems Manager
A
- Centralized control tower to manage AWS resources in multi-cloud and hybrid environments
- Visualize and operate on multiple AWS services from one place
- Create logical groups of resources and select a resource group to view metrics and take action
- Helps IT admins make sure infrastructure is running smoothly and alerts them when resources are not meeting internal compliance policies
24
Q
AWS Web Application Firewall (WAF)
A
- Protects web apps running on the AWS Cloud from common web exploits that can compromise security or availability, or consume excessive resources
25
Q
Distributed Denial-of-Service (DDoS) Attack
A
- An attempt to make a machine or network unavailable
- Most often by making excessive repeated requests to the website using thousands of unique IP addresses
26
Q
AWS Shield: Standard
A
- Free and automatically enabled
- Protects against a majority of DDoS attacks
- Comprehensive availability protection against all known infrastructure attacks when used with CloudFront and Route 53
27
Q
AWS Shield: Advanced
A
- Integrates with AWS WAF
- Provides higher-level protections, network and transport layer protections, and automated traffic monitoring
- Financial protection against DDoS-related spikes in charges for EC2, elastic load balancers, CloudFront, and Route 53
- Available on all CloudFront and Route 53 edge locations
28
Q
Amazon Inspector
A
- Automated security assessment service for applications
- Assesses for exposure, vulnerabilities, and deviations from best practices
- Generates detailed vulnerability reports and reports validating that tests were performed
- Define custom standards and best practices or use AWS standards
29
Q
AWS Trusted Advisor
A
- Guides provisioning of resources to follow AWS best practices
- Scans infrastructure and provides action recommendations to meet best practices
- Based on cost optimization, performance, security, fault tolerance, and service limits
30
Q
Seven Core AWS Trusted Advisor Checks
A
- S3 bucket permissions
- Security groups
- IAM use
- MFA on root account
- Elastic Block Store (EBS) public snapshots
- Relational Database Service (RDS) public snapshots
- Service limits
31
Q
Full AWS Trusted Advisor Checks
A
- Weekly update notifications
- Automated actions in response to alerts using CloudWatch
- Programmatic access to scan results via the AWS Support API
32
Q
Amazon GuardDuty
A
- 24/7 threat detection service for the AWS Cloud
- Monitors for malicious activity and unauthorized behavior
- Analyzes events to send actionable alerts via CloudWatch
- Uses machine learning, anomaly detection, and integrated threat intelligence to identify potential threats
33
Q
AWS Artifact
A
- On-demand self-service portal to download AWS security and compliance documents and independent software vendor (ISV) compliance reports
- Review, accept, and track the status of AWS agreements specific to your organization's industry
34
Q
Amazon CloudWatch
A
- Monitors application performance
- Set alarms and automated actions to activate at predetermined thresholds to mitigate potential issues
35
Q
AWS CloudTrail
A
- Generates audit trails of every action taken by a user, role, or AWS service in your account
36
Q
AWS Audit Manager
A
- Automates evidence collection to generate audit-ready reports that prove system compliance for audits
37
Q
AWS Config
A
- Provides detailed views of AWS resource configurations in your AWS account