Services - Security, Identity, and Compliance Flashcards
1
Q
Cognito - Characteristics
A
- It provides authentication, authorization, and user management for your web and mobile apps
- Pay only for what you use
- Can use identity pools and user pools separately or together
2
Q
Cognito - User pools
A
- They are user directories that provide sign-up and sign-in options
- Provide social sign-in with Facebook, Google, Amazon, and Apple
- Offer user directory management and user profiles
- Provide MFA, checks for compromised credentials, account takeover protection, and phone and email verification
- Can create customized workflows and user migration through AWS Lambda triggers
3
Q
Cognito - Identity pools
A
- Allow to grant users access to other AWS services. Also support anonymous users
- Users can authenticate with Cognito user pools, and social sign-in with Facebook, Google, Amazon, and Apple
- Users can authenticate with OpenID Connect (OIDC) providers, SAML identity providers, and developer authenticated identities
4
Q
Certificate Manager - Characteristics
A
- Lets you provision, manage, and deploy public and private SSL / TLS certificates. Also can import third-party certificates to manage them
- There’s no additional pay for the use of this service
- Supported by ELB, CloudFront, Elastic Beanstalk, and CloudFormation
- Some AWS services support only some algorithms and key sizes, may be different from imported certificates into ACM
5
Q
Certificate Manager - ACM Private CA
A
- It’s a service for enterprise customers building a public key infrastructure (PKI) inside the AWS cloud, and for private use
- Can create your own CA hierarchy and issue certificates for users, computers, applications, services, and other devices
- These certificates cannot be used on the internet
6
Q
Certificate Manager - Certificate characteristics
A
- They have domain validation and validation period
- ACM manages the renewal and provisioning of ACM certificates
- Can include multiple domain names
- Can use an asterisk (*) in the domain name to protect several sites in the same domain
7
Q
Directory Service - Definition and pricing
A
- It provides multiple ways to use Microsoft Active Directory with other AWS services
- Pricing
- Standard Edition: 1 GB of storage capacity and approximately maximum 30000 directory objects
- Enterprise Edition: 17 GB of storage capacity and approximately maximum 500000 directory objects
- Additional charges for directory sharing with other accounts, and data transferred out of the domain controllers for multi-region replication
8
Q
Directory Service - AWS Directory Service for Microsoft AD
A
- When you need an AD in the AWS Cloud that supports Active Directory-aware workloads
- Also supports AWS managed applications or services like QuickSight, RDS (SQL Server, Oracle, PostgreSQL), and if you need LDAP support for Linux applications
- Can extend the schema, manage password policies, and enable secure LDAP communications through SSL / TLS. Also can enable MFA
9
Q
Directory Service - Simple AD
A
- It’s a Microsoft AD-compatible directory compatible with QuickSight, and powered by Samba 4
- Supports basic features like user accounts, group memberships, joining a Linux domain or Windows based EC2 instances, Kerberos-based SSO, and group policies
- Useful when you need a low-scale, low-cost directory with basic AD compatibility
10
Q
Directory Service - AD Connector and Cognito use cases
A
- AD Connector: a proxy service that connects compatible AWS applications (QuickSight and EC2 for Windows Server instances) to on-premises Microsoft ADs
- Cognito: when you need custom registration fields and store that metadata in your user directory. It scales to support hundreds of millions of users
11
Q
GuardDuty - Characteristics
A
- It’s a security monitoring service that analyzes and processes these data sources: VPC Flow Logs, CloudTrail management event logs, CloudTrail S3 data event logs, and DNS logs
- Uses threat intelligence feeds like lists of malicious IP addresses and domains, and ML
- Identifies unexpected and potentially unauthorized and malicious activity within a AWS environment
- Prices are based on the number of CloudTrail events, and the volume of VPC flow logs and DNS logs analyzed
12
Q
GuardDuty - Concepts
A
- Detector: a regional entity associated with findings. A unique detector is required in every region
- Data source: the origin or location of a set of data
- Finding: a potential discovered security issue. Can also see them through CloudWatch events
- Suppression rule: allows to create specific combinations of attributes. Are used to hide findings determined as false positives, and reduce the noise from low-value findings
- Trusted IP list
- Threat list: a list of malicious IP addresses
13
Q
GuardDuty - Findings types
A
- EC2 findings types: specific to EC2 resources and always have a resource type of “Instance”
- IAM findings types: specific to IAM entities and access keys and always have a resource Type of “AccessKey”
- S3 findings types: specific to S3 resources and will have a resource type of “S3Bucket” (S3 CloudTrail data events), or “AccessKey” (CloudTrail management events)
14
Q
Inspector - Characteristics
A
- It tests the network accessibility of EC2 instances and the security state of applications that run on those instances
- Produces a detailed list of security findings, organized by level of severity
- Can automate security assessments throughout the development and deployment pipelines process, or for static production systems
15
Q
Inspector - Amazon Inspector Agent
A
- It can optionally be installed on EC2 instances to have a wider monitoring of network, FS, and process activity
- Also collects a wide set of behavior and configuration data (telemetry)
- Installation steps: assign an IAM role, tag target EC2 instances, and install it
16
Q
Inspector - Concepts 1
A
- Assessment run:
- It’s the process of discovering potential security issues. Produces a list of findings
- Inspector monitors and collects data. Then, analyzes that data collected against a set of security rules packages specified in an assessment template
- Assessment target: currently only can consist of EC2 instances
- Finding: a potential security issue discovered. Contains both a description and a recommendation on how to fix it
17
Q
Inspector - Concepts 2
A
- Assessment template: a configuration used during an assessment run. Includes the following:
- Rules packages
- SNS topics to send notifications about an assessment run
- Tags assigned to findings
- Duration of the assessment
- Rule: a security check performed during an assessment run
- Rules package: a collection of rules that correspond to a security goal
18
Q
Inspector - Pricing
A
- Based on two dimensions, the number of EC2 instances, and the type(s) of rules package selected
- Can have any combination of two rules package types: host assessment rules packages and / or the network reachability rules package
- If both rules packages types are included, you will be billed separately
19
Q
KMS - Characteristics
A
- It’s creates and control the cryptographic keys used to protect your data
- A KMS key includes metadata such as the key ID, creation date, description, and key state
- Charged by each key that you create and each generated backing key when automatic rotation is enabled
- Keys are automatically rotated on an annual basis
20
Q
KMS - Key types
A
- Customer managed: created and managed by the user. Access can be controlled using IAM
- AWS managed: created and managed by AWS. Can be identified by the format AWS / Service name
- AWS-owned: aren’t visible in an AWS account. They are part of a collection of KMS keys that AWS manages for use in multiple AWS accounts
21
Q
KMS - Key characteristics
A
- Each key has exactly one key policy to determine who can use the key and how
- Data keys are symmetric keys generated by KMS, and are used to encrypt data. KMS Keys can be used to generate, encrypt and decrypt data keys
- Data key pairs are asymmetric data keys that consist of a public key and a private key. They are used for client-side encryption and decryption, or signing and verification outside of KMS, but not both
22
Q
KMS - Symmetric and Asymmetric keys
A
- Symmetric KMS keys: represent a single 256-bit secret encryption key that always is encrypted within AWS
- Asymmetric KMS keys: represent a public key and private key pair. The private key is always encrypted within AWS (it’s protected by a symmetric data key). You can use the public key inside or outside KMS
23
Q
Macie - Characteristics 1
A
- It’s a data security and data privacy service that uses ML and pattern matching to discover, monitor, and protect sensitive data in your AWS environment
- Automates the discovery of sensitive data, such as personally identifiable information (PII) and financial data in S3 buckets
- Charged based on the number of S3 buckets evaluated for security and access control, and the quantity of data processed for sensitive data discovery
24
Q
Macie - Characteristics 2
A
- Also provides an inventory of S3 buckets, and it automatically evaluates and monitors those buckets for security and access control
- Publishes findings to EventBridge as finding events
25
Macie - Sensitive data discovery jobs
* If Macie detects sensitive data, Macie creates a sensitive data finding
* Can configure it to run only once, for on-demand, or on a periodic analysis
* Can choose various options to define the breadth and depth of the S3 buckets to analyze, the sampling depth, and custom include / exclude criteria that derive from properties of S3 objects
* Can configure to use managed data identifiers
26
Macie - Managed identifiers
* It's a combination of criteria and techniques, including ML and pattern matching to detect sensitive data
* Every one is designed to detect a specific type of sensitive data such as credit card numbers, AWS secret access keys, or passport numbers
27
Macie - Custom data identifiers
* It's a set of criteria that you define to detect sensitive data
* Consists of a regex that defines a text pattern to match and, optionally, character sequences and a proximity rule that refines the results
* Can define custom severity settings for the sensitive data findings that a custom data identifier produces, so can specify which severity to assign based on the number of occurrences
28
Macie - Types of findings
* Policy finding: a detailed report of a potential policy violation. Macie generates them as part of its monitoring activities for S3 data
* Sensitive data finding: a detailed report of sensitive data. Macie generates them by executing a sensitive data discovery job
29
Secrets Manager - Characteristics 1
* Protects secrets needed to access applications, services, and IT resources
* Rotates, manages, and retrieves database credentials, API keys, and other secrets throughout their lifecycle
* Pay based on the number of secrets stored and API calls made
* Can store sets of credentials such as connection details, user ID and password. Every set can have different versions at the same time
30
Secrets Manager - Characteristics 2
* Encrypts the protected text of a secret by using KMS keys, where every secret is associated with a KMS key
* Automatic secret rotation is defined with a custom Lambda function
* Can attach IAM permission policies to users, groups, and roles that grant or deny access to specific secrets, and restrict management of those secrets
* Can attach a resource-based policy to a secret for users who need to read or modify that secret and its versions
31
Secrets Manager - Automatic secret rotation workflow
1. Create a new version of the secret
2. Store the secret in Secrets Manager
3. Configure the protected service to use the new version
4. Verify the new version
5. Mark the new version as production ready
32
Secrets Manager - AWS services with rotation support
* Aurora, MySQL, PostgreSQL, Oracle, MariaDB, and Microsoft SQL Server on RDS
* Redshift
33
Shield - Characteristics
* It's a DDoS protection service that safeguards applications running on AWS
* Shield Advanced is charged on a monthly fee
* Data transferred out is also charged, depending on the protected AWS resource
34
Shield - Levels of protection
* Shield Standard:
- Automatically included at no extra cost
- Provides protection at layer 3 and 4 attacks
* Shield Advanced:
- Only protects specified resources either in Shield Advanced or through a Firewall Manager Shield Advanced policy
- Can contact the 24x7 Shield Response Team (SRT) for assistance during a DDoS attack
- Have access to real-time metrics and reports
- Provides protection at layer 3, 4, and in some cases at layer 7 attacks
35
Shield - Shield Advanced protected resources
* CloudFront distributions
* Route 53 hosted zones
* Global Accelerator accelerators
* ALBs and ELBs
* EC2 Elastic IP addresses
36
Single Sign-On - Characteristics 1
* It helps to manage SSO access and user permissions across all your AWS accounts in AWS Organizations
* Helps to manage access and permissions to commonly used third-party SaaS applications, AWS SSO-integrated applications, and custom applications that support Security Assertion Markup Language (SAML) 2.0
* Offered at no extra charge
37
Single Sign-On - Characteristics 2
* By using SSO console can assign which users should have one-click access to only the applications that are authorized for
* When the service is enabled, a default store is created to manage users and groups
* Also provides synchronization of users and groups from a AWS Managed Microsoft AD, or an External Identity Provider backed by SAML 2.0
38
Single Sign-On - Permission set characteristics
* A template that defines a collection of one or more IAM policies
* When SSO assign a user / group access to one or more AWS accounts, must specify a permission set to define the access that the user / group will have in the selected AWS accounts
* Then, SSO creates the corresponding SSO-controlled IAM roles in each account, and attaches the policies specified in the permission set to those roles
* Finally, SSO manages that role and allows to authorized users to assume that role
39
WAF - Characteristics
* It lets you monitor the HTTP / HTTPS requests forwarded to a CloudFront distribution, an API Gateway REST API, an ALB, or an AppSync GraphQL API
* Also lets you control access to content, based on specific conditions
* Can use pre-configured set of rules provided by AWS or AWS Marketplace Sellers to address common security issues like the OWASP Top 10 security risks
* For a CloudFront distribution, WAF is available globally. For the other services, WAF is available in only some regions
40
WAF - Pricing
* Charged for each web ACL created and each rule created. Also are charged the number of web requests processed by the web ACL
* Also additional security features enabled on a web ACL are charged, like bot control requests inspected, and captcha challenges attempts analyzed
* WAF uses Web ACL Capacity Units (WCUs) to calculate and control the resources required to process your web ACLs. WCUs for an individual rule varies according to its type and other configuration
41
WAF - Web ACLs
* Used to protect a set of AWS resources. Consist of one or more rules
* Must set a default action for the web ACL to indicate whether to allow or block the traffic
* After it's created, one or more AWS resources must be associated
42
WAF - Rules and rules groups
* A rule contains a statement that defines the inspection criteria, and an action to take if a web request meets the criteria
* A match is when a request meets the criteria. Can configure rules to block matching requests, allow them through, count them, or run CAPTCHA controls against them
* Can use rules individually or in reusable rule groups. AWS Managed Rules and AWS Marketplace sellers provide managed rule groups. Can also define custom rule groups
43
WAF - Web ACLs criteria to allow / block traffic
* IP address or country of origin of the request
* String or regex match in a part of the request
* Size of a particular part of the request
* Detection of malicious SQL code or scripting
* Count of web requests that don't meet the criteria above, or exceed a specified number of requests in any 5-minute period
* CAPTCHA controls against requests
