Security & Compliance Flashcards
(38 cards)
What principle should be applied to AWS users, application users, and other clouds and data centers connected to AWS?
The principle of least privilege.
What is the shared responsibility model in AWS?
The customer is responsible for security in the cloud, while AWS is responsible for security of the cloud.
What are the core tenets of security in the Well-Architected Framework?
Identity and access management, data stewardship and encryption, network security, application security compliance, and security management.
Who is responsible for access management in AWS?
The customer is responsible for access management in their AWS cloud.
What are customers responsible for in terms of operating systems and networking within their AWS account?
Customers are responsible for ensuring secure connections to VPC resources, keeping EC2 instances’ operating systems and security patches up to date, and provisioning firewalls to secure their network.
What is the principle of least privilege?
It is the practice of giving the minimum permissions necessary to complete a task.
How can customers offload some security responsibilities using managed services?
For instance, customers are responsible for OS security patches and encryption on EC2, but on RDS these are built-in features.
Who is responsible for encryption on AWS?
The customer is responsible for client-side encryption, encryption in transit, and encryption at rest.
What can IAM policies be applied to?
IAM policies can be applied to users, user groups, and IAM roles, which can then be applied to resources or applications.
What is encryption in transit and what AWS service helps with it?
Encryption in transit revolves around HTTPS, and AWS Certificate Manager helps with obtaining TLS certificates.
What is IAM Identity Center used for?
IAM Identity Center is used to give users access to AWS resources by leveraging existing single sign-on directories.
How is S3 encrypted by default?
S3 is encrypted by default using SSE-S3 (S3-managed keys).
What is Macie used for in AWS?
Macie is used to scan S3 buckets for sensitive information.
How are EBS volumes and RDS instances encrypted?
They are encrypted by KMS (Key Management Service).
What must you do to encrypt an existing RDS instance?
You must create a copy of the existing RDS instance to enable encryption.
- Then you restore the snapshot and update connections and load balancers.
- Test that the RDS instance is working as expected.
What are Parameter Store and Secrets Manager used for?
They are used to securely store parameters like login credentials or environment variables, with Secrets Manager also able to automatically rotate those secrets.
What does AWS WAF protect against?
AWS WAF is a web application firewall service provided by Amazon Web Services. It helps protect web applications from common web-based attacks and adds security layers to applications running on AWS infrastructure.
What does AWS Shield protect against?
AWS Shield protects against DDoS attacks (Distributed Denial of Service).
What does AWS Firewall Manager do?
AWS Firewall Manager manages AWS WAF, AWS Shield, and other security settings across multiple accounts.
What is AWS Security Hub?
AWS Security Hub provides a single-pane view to prioritize and take action on security findings from multiple AWS services.
Who are the four horsemen of security confusion?
Trusted Advisor, Amazon GuardDuty, Amazon Detective, and Amazon Inspector.
What does AWS Trusted Advisor do?
AWS Trusted Advisor provides best practice advice.
What does Amazon GuardDuty do?
Amazon GuardDuty alerts you if it detects active threats.
What does Amazon Detective help with?
Amazon Detective helps investigate security events that have already happened.