Security & Compliance Flashcards
(14 cards)
1
Q
Amazon Inspector
A
- Automated security assessment for Amazon EC2 instances
- Identifies vulnerabilities, exposures, and best practice deviations
- Provides detailed security findings, prioritized by severity
- Useful for maintaining OS security and compliance
2
Q
Amazon GuardDuty
A
- Threat detection service monitoring AWS account-level access
- Analyzes AWS CloudTrail, VPC Flow Logs, and DNS Logs
- Detects malicious activity and unauthorized behavior
- Integrates with AWS Security Hub for centralized security management
3
Q
Amazon Macie
A
- Data security and privacy service
- Uses machine learning to identify and protect sensitive data (e.g., PII)
- Focuses on securing data, not assessing system vulnerabilities
- Integrates with Amazon S3 to automatically discover, classify, and protect sensitive data at scale
4
Q
AWS Shield
A
- Managed DDoS protection service for AWS applications
- Provides automatic, always-on detection and inline mitigation
- Primarily focuses on network-level security
- AWS Shield Advanced offers enhanced protection with real-time metrics and DDoS response team (DRT) support
5
Q
AWS Shield Advanced
A
- Enhanced DDoS protection for AWS resources, priced at $3,000/month
- Protects against network (Layer 3), transport (Layer 4), and application (Layer 7) attacks
- Offers advanced metrics, reports, and access to the DDoS Response Team (DRT)
- Covers Amazon EC2, ELB, Amazon CloudFront, Amazon Route 53, and AWS Global Accelerator
6
Q
Amazon Route 53
A
- Scalable, highly available DNS and domain name registration service
- Routes end users to applications, optimizing latency and failover
- Supports health checks and routing policies for traffic management
- Covered by AWS Shield Advanced for DDoS protection
7
Q
AWS Global Accelerator
A
- Networking service for improving application availability and performance
- Uses the AWS global network to route traffic to healthy endpoints
- Uses static IP addresses for easier traffic management
- Covered by AWS Shield Advanced for expanded DDoS protection
8
Q
Amazon API Gateway
A
- Fully managed service for creating, publishing, and monitoring APIs
- Handles RESTful, HTTP, WebSocket APIs, and Lambda integrations
- Offers throttling, request validation, and API version management
9
Q
AWS Web Application Firewall (WAF)
A
- Protects web apps by monitoring and filtering HTTP/HTTPS traffic at Layer 7 (Application Layer)
- Can allow, block, or count requests based on conditions like IPs, headers, body, and URI strings
- Deploys on CloudFront, ALB, API Gateway, and AppSync
- Mitigates common web exploits like SQL injection and XSS
10
Q
Layer 7 - Application Layer
A
- Manages communication between applications across the network
- Handles HTTP, HTTPS, SMTP, FTP, and DNS traffic
- AWS WAF operates at this layer to filter web requests
11
Q
Layer 3 - Network Layer
A
- Determines the best path for data transmission in a network
- Manages IP addressing and routing
- AWS Shield provides DDoS protection at this layer
12
Q
Layer 4 - Transport Layer
A
- Manages data transmission using TCP and UDP protocols
- Ensures reliable data transfer and error handling
- AWS Shield offers DDoS protection at this layer
13
Q
Network Access Control List (NACL)
A
- Controls inbound and outbound traffic at the subnet level in a VPC
- Stateless—each request is evaluated independently (no memory of previous traffic)
- Supports allow and deny rules, evaluated in numbered order
- Applies rules to all resources within a subnet
- Ideal for basic network-level filtering
14
Q
Security Group
A
- Acts as a virtual firewall for EC2 instances and ENIs
- Stateful—return traffic is automatically allowed
- Only supports allow rules, no deny
- Applies at the instance level
- Evaluates rules as a group, not in a specific order