AWS Security Specialty Flashcards
shared responsibility model
AWS and customers work together towards security objectives; AWS is responsible for security OF the cloud (facilities, hardware, network, virtualization layer); the customer is responsible for security IN the cloud (data, OS and application configuration, IAM, encryption choices)
IAM
Identity and Access Management; controls which principals (users, groups, roles) can perform which actions on which resources
AWS Regions
Use to manage network latency (place resources close to users) and regulatory compliance (keep data in a required jurisdiction)
Availability Zones (AZ)
At least two in each region; designed for fault isolation, with separate power grids and multiple ISPs/network links, so the failure of one AZ does not take down the others
AWS Management Console
Web access to services
Application Programming Interfaces (APIs) / Command Line Interfaces (CLIs)
Programmatic access to services; API calls are signed with an IAM principal's access keys
Infrastructure Services
Compute (and storage/networking) services you architect and build on, using technology similar to on-premises; you manage the OS and everything above it
Container Services
Usually run on separate EC2 instances; AWS usually manages the OS and the platform; the customer is responsible for setting up network controls (security groups, VPC configuration) and for platform-level identity and access management (e.g., database users), which is managed separately from IAM
Abstracted Services
High-level storage, messaging and database services; the platform or management layer is abstracted away so you build and operate cloud applications on top of it; accessed via APIs; multi-tenant platform where your data is logically isolated from other tenants
Examples of Compute Services
Elastic Compute Cloud (EC2); Amazon Elastic Block Store (EBS); Virtual Private Cloud (VPC); Auto Scaling
Examples of Container Services
Relational Database Service (RDS); Elastic MapReduce (EMR); Elastic Beanstalk
Examples of Abstracted Services
Simple Storage Service (S3); Glacier; DynamoDB; Simple Queue Service (SQS); Simple Email Service (SES)
Opacity layer
Additional protections for data at rest and in transit, layered between the services AWS provides and your own OS and platforms; can include encryption, integrity authentication, data signing and time stamping
EC2 key pairs
Control access to a specific instance; securely bootstrap new instances launched from AMIs; industry-standard RSA key pairs (asymmetric: AWS places the public key on the instance, you keep the private key)
ec2config service
On Windows instances, sets a new random Administrator password on first boot and encrypts it with the public key of the instance's EC2 key pair; only the holder of the matching private key can decrypt it (retrieved with ec2 get-password-data)
shared responsibility for container services - AWS
Manages the underlying infrastructure and foundation services, the OS, and the application platform
shared responsibility for container services - Customer
Responsible for the data, and for the firewall rules (security groups) that control access to the container service
shared responsibility for abstract services - AWS
Operates the infrastructure layer, the OS and the platform
shared responsibility for abstract services - Customer
Accesses the service endpoints to store and retrieve data; manages the data and classifies assets; configures ACL-type permissions using IAM
Abstract services - protecting data in transit
use platform provided HTTPS encapsulation for protection of data in transit
Abstract services - protecting data at rest
use platform provided encryption of data at rest
Trusted Advisor
One-view snapshot of your services; helps identify common security misconfigurations, suggestions for improving performance, and underutilized resources
Trusted Advisor checks
Limit access to admin ports like 22 (SSH), 3389 (RDP), 23 (Telnet), 5500 (VNC): flags security groups that allow these from 0.0.0.0/0; limit access to database ports like 1433/1434 (MSSQL), 3306 (MySQL), 1521 (Oracle), 5432 (PostgreSQL) the same way; IAM is configured (at least one IAM user, so the root account is not used day to day); MFA enabled on the root account
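As an added example (not Trusted Advisor's own logic or any AWS code), the check below reproduces the first two items of this card in Python: it walks a list of security groups in the shape returned by boto3's ec2.describe_security_groups() and reports any admin or database port reachable from 0.0.0.0/0 or ::/0. SAMPLE_GROUPS is constructed data; the group IDs, ports and CIDRs are assumptions for illustration. Rules whose source is another security group or a prefix list are ignored on purpose, since they are not world-reachable.

```python
# Added example, not AWS or Trusted Advisor code. Flags security-group rules
# that expose admin/database ports to the whole internet. The dict layout
# mirrors boto3 ec2.describe_security_groups() output; the data is constructed.

ADMIN_PORTS = {22: "SSH", 23: "Telnet", 3389: "RDP", 5500: "VNC"}
DB_PORTS = {1433: "MSSQL", 1434: "MSSQL", 3306: "MySQL", 1521: "Oracle", 5432: "PostgreSQL"}
WATCHED_PORTS = {**ADMIN_PORTS, **DB_PORTS}
ANYWHERE_V4, ANYWHERE_V6 = "0.0.0.0/0", "::/0"


def _open_to_world(perm):
    """True if any source of this rule is the whole IPv4 or IPv6 internet."""
    v4 = any(r.get("CidrIp") == ANYWHERE_V4 for r in perm.get("IpRanges", []))
    v6 = any(r.get("CidrIpv6") == ANYWHERE_V6 for r in perm.get("Ipv6Ranges", []))
    return v4 or v6


def _covers_port(perm, port):
    """True if the rule's protocol and port range include the given TCP port."""
    proto = str(perm.get("IpProtocol"))
    if proto == "-1":                 # "all traffic": every protocol and every port
        return True
    if proto not in ("tcp", "6"):     # UDP-only rules do not expose these TCP services
        return False
    low = perm.get("FromPort", 0)
    high = perm.get("ToPort", 65535)
    return low <= port <= high


def find_exposed_ports(groups):
    """Return sorted (group_id, port, service) tuples for world-reachable watched ports."""
    findings = set()
    for group in groups:
        for perm in group.get("IpPermissions", []):
            if not _open_to_world(perm):
                continue
            for port, service in WATCHED_PORTS.items():
                if _covers_port(perm, port):
                    findings.add((group["GroupId"], port, service))
    return sorted(findings)


SAMPLE_GROUPS = [  # constructed sample data, not from a real account
    {"GroupId": "sg-web", "IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443,
         "IpRanges": [{"CidrIp": "0.0.0.0/0"}]},                       # fine: HTTPS
        {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
         "IpRanges": [{"CidrIp": "10.0.0.0/8"}]},                      # fine: SSH from RFC1918 only
    ]},
    {"GroupId": "sg-bastion", "IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
         "IpRanges": [{"CidrIp": "0.0.0.0/0"}]},                       # SSH open to the world
    ]},
    {"GroupId": "sg-db", "IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 3306, "ToPort": 3306,
         "IpRanges": [], "Ipv6Ranges": [{"CidrIpv6": "::/0"}]},        # MySQL open over IPv6
        {"IpProtocol": "tcp", "FromPort": 1433, "ToPort": 1434,
         "IpRanges": [{"CidrIp": "0.0.0.0/0"}]},                       # port range covers MSSQL
    ]},
    {"GroupId": "sg-legacy", "IpPermissions": [
        {"IpProtocol": "-1", "IpRanges": [{"CidrIp": "0.0.0.0/0"}]},   # everything open
    ]},
]

if __name__ == "__main__":
    for group_id, port, service in find_exposed_ports(SAMPLE_GROUPS):
        print(f"{group_id}: {service} port {port} reachable from the internet")
```

The fix for each finding is the same as the card's advice: replace the 0.0.0.0/0 source with the bastion's security group or the corporate egress CIDR, and treat an all-traffic ("-1") rule from anywhere as a finding on every port, not just the ones listed.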
Classifying assets
Two categories: essential elements, such as business information, processes and activities; and the components that support the essential elements, like hardware, software, personnel, sites and partners
Steps to build ISMS in AWS
1. Define scope and boundaries; 2. Define an ISMS policy; 3. Select a risk assessment methodology; 4. Identify risks; 5. Analyse and evaluate risks; 6. Address risks; 7. Choose a security control framework; 8. Get management approval; 9. Write the statement of applicability
Define scope and boundaries
which regions, AZs, instances and AWS resources are in scope
Define ISMS policy
Objectives that set the direction and principles for action regarding infosec; legal, contractual and regulatory requirements; risk management objectives; how risk is measured; how management approves the plan
Select risk methodology
OCTAVE; ISO 31000:2009; ENISA; IRAM; NIST SP 800-30 rev 1
Identify risks
Create a risk register by mapping all your assets to threats; then, based on vulnerability assessment and impact, create a risk matrix for each AWS environment
Analyze and evaluate risks
Calculate business impact, likelihood (probability), and the resulting risk levels
Address risks
Select treatment options, which could include applying security controls (mitigate), accepting risks, avoiding risks, or transferring risks
choose security control framework
ISO 27002; NIST SP 800-53; COBIT; CSA CCM
Get management approval
Acknowledge the residual risks and obtain approval for implementing the ISMS
Statement of applicability
Which controls you chose and why; which controls are in place; which controls you plan to put in place; which controls are excluded and why
AWS account
Represents a business relationship between you and AWS; used to manage resources and services; also the top-level security boundary within which IAM identities and resources live
IAM users
A person, service or application that needs access to resources (console, CLI or API); users can be added to groups; long-term credentials: a username/password for console access, and access keys (access key ID + secret access key) used to digitally sign API calls; a user can have two active access key sets so keys can be rotated without downtime; MFA can be required for console login and, through condition keys, for API calls too
IAM groups
Collections of IAM users in one AWS account; permissions attached to the group are inherited by its members; groups cannot be nested
IAM role
Defines a set of permissions to access resources; has no long-term credentials; is assumed by a user, application or AWS service and yields temporary security credentials from STS that expire and are automatically rotated
IAM roles for EC2
An EC2 instance can assume a role (attached as an instance profile) to obtain temporary credentials from the instance metadata service, so no access keys need to be stored on the instance
Cross Account Access
Allow access to your resources from another AWS account (inside or outside your organization); create a role in the trusting account (A) whose trust policy names the trusted account (B), then grant principals in B permission to call sts:AssumeRole on it
Identity Federation
Use IAM roles to create an identity broker that sits between the corporate directory and AWS; the broker authenticates the user against the directory and then requests temporary credentials from STS on the user's behalf
OS Level Access
AWS helps you set up SSH (Linux) or RDP (Windows) access securely; uses asymmetric EC2 key pairs (industry-standard RSA key pairs)
Resource Access Authorization
Resource policies: attached to the resource itself (e.g., an S3 bucket policy); state who (which principal) can do what with that resource
capability policies
User-based (identity-based) permissions attached to IAM users, groups or roles; state what actions the principal is allowed or denied to perform; an explicit Deny in a capability policy overrides an Allow in a resource policy
IAM policies
Can restrict access with Condition elements, e.g., to specific source IP ranges (aws:SourceIp) or to specific times/days (aws:CurrentTime)
effective permissions
The union of permissions granted by resource policies and by capability policies (granted directly or through group membership), evaluated as DENY, ALLOW, DENY: every request is implicitly denied by default; an explicit ALLOW in any applicable policy grants access; an explicit DENY in any applicable policy overrides every ALLOW
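The evaluation rule in this card, as an added example that is not AWS code: a small Python simulator of IAM's decision logic over the union of an identity (capability) policy and a resource policy, including the aws:SourceIp and aws:CurrentTime conditions from the IAM policies card. Everything in it is an assumption for illustration: the corp-reports bucket, the 203.0.113.0/24 corporate range, the change window, and the simplification that the bucket policy's Principal already names our user (so the Principal element is omitted). It supports only the operators it uses; real IAM also has NotAction, policy variables, permission boundaries, SCPs and more.

```python
# Added example, not AWS code: simulates IAM's implicit-deny / explicit-allow /
# explicit-deny evaluation over several policies, with IpAddress and Date
# conditions. Bucket name, CIDR and time window are assumptions.
import ipaddress
from datetime import datetime
from fnmatch import fnmatchcase


def _as_list(value):
    """Most IAM elements accept a string or a list; normalise to a list."""
    return value if isinstance(value, list) else [value]


def _parse_time(text):
    """Parse an ISO 8601 timestamp such as 2025-01-01T09:00:00Z (tz-aware)."""
    return datetime.fromisoformat(text.replace("Z", "+00:00"))


def _conditions_hold(condition, ctx):
    """Operators and keys are ANDed; multiple values under one key are ORed.
    Simplification: a key missing from the request context never matches."""
    for operator, keys in condition.items():
        for key, expected in keys.items():
            actual = ctx.get(key)
            if actual is None:
                return False
            values = _as_list(expected)
            if operator in ("IpAddress", "NotIpAddress"):
                in_range = any(ipaddress.ip_address(actual) in ipaddress.ip_network(v)
                               for v in values)
                ok = in_range if operator == "IpAddress" else not in_range
            elif operator == "DateGreaterThan":
                ok = any(_parse_time(actual) > _parse_time(v) for v in values)
            elif operator == "DateLessThan":
                ok = any(_parse_time(actual) < _parse_time(v) for v in values)
            else:
                raise ValueError(f"unsupported condition operator: {operator}")
            if not ok:
                return False
    return True


def evaluate(policies, action, resource, ctx):
    """Decide one request against every policy that applies to the principal.

    Returns 'explicit deny', 'allow' or 'implicit deny'. Action names are
    case-insensitive and ARNs case-sensitive; both accept * and ? wildcards.
    """
    decision = "implicit deny"                       # default: nothing is allowed
    for policy in policies:
        for stmt in _as_list(policy["Statement"]):
            if not any(fnmatchcase(action.lower(), a.lower()) for a in _as_list(stmt["Action"])):
                continue
            if not any(fnmatchcase(resource, r) for r in _as_list(stmt.get("Resource", "*"))):
                continue
            if not _conditions_hold(stmt.get("Condition", {}), ctx):
                continue
            if stmt["Effect"] == "Deny":
                return "explicit deny"               # a matching Deny beats every Allow
            decision = "allow"                       # keep looking in case a Deny follows
    return decision


BUCKET = "arn:aws:s3:::corp-reports"                 # assumed bucket name

# Capability (identity-based) policy on the user's group: read objects, but only
# from the corporate egress range and only inside a change window.
IDENTITY_POLICY = {"Version": "2012-10-17", "Statement": [{
    "Effect": "Allow", "Action": ["s3:GetObject"], "Resource": f"{BUCKET}/*",
    "Condition": {"IpAddress": {"aws:SourceIp": ["203.0.113.0/24"]},
                  "DateGreaterThan": {"aws:CurrentTime": "2025-01-01T08:00:00Z"},
                  "DateLessThan": {"aws:CurrentTime": "2025-01-01T18:00:00Z"}}}]}

# Resource (bucket) policy: lets the same principals list the bucket, and
# explicitly denies any S3 action that does not come from the corporate range.
BUCKET_POLICY = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": "s3:ListBucket", "Resource": BUCKET},
    {"Effect": "Deny", "Action": "s3:*", "Resource": [BUCKET, f"{BUCKET}/*"],
     "Condition": {"NotIpAddress": {"aws:SourceIp": "203.0.113.0/24"}}}]}


def decide(action, resource, source_ip, when):
    """Evaluate a request made from source_ip at ISO 8601 time `when`."""
    ctx = {"aws:SourceIp": source_ip, "aws:CurrentTime": when}
    return evaluate([IDENTITY_POLICY, BUCKET_POLICY], action, resource, ctx)


if __name__ == "__main__":
    obj = f"{BUCKET}/q1.pdf"
    for req in [("s3:GetObject", obj, "203.0.113.10", "2025-01-01T12:00:00Z"),
                ("s3:ListBucket", BUCKET, "203.0.113.10", "2025-01-01T12:00:00Z"),
                ("s3:GetObject", obj, "198.51.100.7", "2025-01-01T12:00:00Z"),
                ("s3:GetObject", obj, "203.0.113.10", "2025-01-01T22:00:00Z"),
                ("s3:PutObject", obj, "203.0.113.10", "2025-01-01T12:00:00Z")]:
        print(req[0], "from", req[2], "at", req[3], "->", decide(*req))
```

The five requests in the demo cover each branch: ListBucket is allowed only because the resource policy grants it (the union in this card), GetObject from outside the corporate range hits the bucket's explicit Deny even though nothing else would have allowed it, and GetObject outside the change window or PutObject from anywhere fall through to the implicit deny because no statement allows them.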
AWS CloudHSM
Hardware security module in the cloud; can support PKI, DRM and similar key-protection use cases; meets FIPS 140-2 Level 2 (the original CloudHSM; the current CloudHSM service is validated at Level 3); the customer initializes and manages the cryptographic domain (a logical and physical security boundary that restricts access to the keys); separation of duties: AWS administrators can manage, maintain and monitor the appliance but cannot use the keys, while only the customer's HSM users can perform cryptographic operations with them; can be deployed across AZs with key replication for availability
protect data at rest on S3
Limit permissions (IAM policies, bucket policies, ACLs); implement encryption (server-side or client-side); configure integrity checks (e.g., Content-MD5 on upload); enable versioning with MFA Delete so objects cannot be silently destroyed; configure backups
protect data at rest on EBS
Replication: a volume is stored as a file and automatically replicated (two copies) within the same AZ, which protects against disk failure but not against accidental deletion; backups: snapshots of the volume; encryption: EFS (Windows Encrypting File System), BitLocker, dm-crypt with LUKS, TrueCrypt; EBS also offers native volume encryption with KMS-managed keys
protect data at rest on RDS
Use SQL cryptographic functions (or the engine's native encryption features) at the application or platform layer
protect data at rest on Glacier
Server-side encryption with AES-256; the data key is itself encrypted using AES-256 under a master key; encrypt data client-side before uploading to Glacier for additional protection
Protect data at rest in DynamoDB
Use an application-level data encryption layer (encrypt sensitive attributes before writing them)
protect data at rest in EMR
S3 server-side encryption (SSE-S3): protects objects in S3, but data is decrypted when read into the cluster, so copies in HDFS are not protected; SSE-C: the card describes this as encryption at each row; application level: encrypt the entire file; application level: encrypt individual fields
Decomm Data & Media
AWS marks the blocks as unallocated when you delete data; AWS uses secure mechanisms to reassign the blocks elsewhere; before a block is handed to a new customer it is zeroed out and only then overwritten with new data; AWS follows DoD 5220.22-M or NIST SP 800-88 when destroying hardware; you can encrypt the data at rest and then delete the keys (crypto-shredding), which makes the data irrecoverable regardless of what remains on the media
Protect data in transit
Encrypt using IPsec ESP or SSL/TLS
data integrity while in transit
IPsec ESP/AH or SSL/TLS; both authenticate each packet or record, so tampering in transit is detected
encryption & integrity of data while in transit
IPsec with IKE, authenticating peers with pre-shared keys or X.509 certificates; SSL/TLS with server certificate authentication, matching the server name against the certificate's CN or Subject Alternative Name (SAN)
Managing App & Admin Access to AWS Public Cloud Services
HTTP/HTTPS with server authentication; offload HTTPS termination to the ELB to minimize impact on web servers (traffic between the ELB and instances can still be re-encrypted); RDP with X.509 certificates, avoiding self-signed certs; SSHv2
Recommendations for securing OSs
Disable/delete the root account's access key and secret key; restrict access to instances from limited IP ranges using security groups; passphrase-protect the .pem private key file; delete unused keys from the authorized_keys file; rotate credentials; run least-privilege checks using IAM Access Advisor and the Access Key Last Used report; use bastion hosts to enforce control and visibility
Securing OSs
Use industry-standard hardening baselines; manage your own patches; use antivirus/anti-malware
Mitigating compromise & abuse
AWS uses internal event monitoring, external security intelligence about the AWS network space, and internet abuse complaints to detect compromised or abusive resources