AWS Security Specialty Flashcards
5 testing domains
1. Incident Response; 2. Logging and Monitoring; 3. Infrastructure Security; 4. Identity and Access Management; 5. Data Protection
CIA
aka the CIA Triad: 1. Confidentiality; 2. Integrity; 3. Availability
AAA
Authentication - IAM (Identity and Access Management: who you are); Authorization - IAM policies (what you may do); Accounting - CloudTrail (the audit trail in AWS: what you did)
non-repudiation
To repudiate something is to deny it. Non-repudiation means a principal cannot deny having performed an action; in AWS it rests on CloudTrail (a record of every API call), IAM (each call is tied to an identity), CloudWatch, and MFA (proof that the identity was really the user).
Confidentiality
Used to keep data confidential. In AWS: IAM, multi-factor authentication (MFA), S3 bucket policies, security groups, and encryption.
Availability
Auto Scaling, Multi-AZ deployments, multiple Regions, and Route 53 with health checks.
Integrity
AWS Certificate Manager (TLS certificates), IAM, and bucket policies (controlling who may modify data).
Physical and Environmental Security
1. Fire Detection and Suppression; 2. Power; 3. Climate and Temperature; 4. Management; 5. Storage Device Decommissioning
Business Continuity Management
1. Availability; 2. Incident Response; 3. Company-wide Executive Review; 4. Communication
Network Security
1. Secure Network Architecture; 2. Secure Access Points; 3. Transmission Protection; 4. Amazon Corporate Segregation; 5. Fault-Tolerant Design; 6. Network Monitoring and Protection
AWS Access
1. Account Review; 2. Background Checks; 3. Credential Policy
Secure Design Principles
1. Change Management; 2. Software; 3. Infrastructure
AWS Compliance Program
ISO 27001, PCI DSS, HIPAA
Shared responsibility model
While AWS manages security OF the cloud, security IN the cloud is the responsibility of the customer. Customers retain control of what security they choose to implement to protect their own content, platform, applications, systems and networks, no differently than they would in an on-site data center.
AWS Security Responsibilities
1. Global Infrastructure; 2. Hardware, software, networking, and facilities; 3. Managed services (S3, DynamoDB)
Customer Security Responsibilities
1. Infrastructure as a Service (IaaS) workloads: the guest operating system, including updates and security patches; 2. Application software and utilities installed on the instances; 3. Configuration of the AWS-provided firewall (VPC rules, security groups, network ACLs)
infrastructure services
This category includes compute services such as Amazon EC2, EBS, Auto Scaling, and Amazon VPC. With these services you can architect and build cloud infrastructure using technologies similar to and largely compatible with on-premises solutions. You control the operating system, and you configure and operate any identity management system that provides access to the user layer of the virtualization stack.
EC2 (Customer Responsibilities)
Amazon Machine Images (AMIs); Operating Systems; Applications; Data in transit; Data at rest; Data stores; Credentials; Policies and configuration
Container services (Customer responsibilities)
Container Services: Services in this category typically run on separate Amazon EC2 or other infrastructure instances, but you don't always manage the operating system or the platform layer. AWS provides a managed service for these application "containers". You are responsible for setting up and managing network controls, such as firewall rules, and for managing platform-level identity and access management separately from IAM (for example, database users in RDS). Examples of container services include RDS, EMR and Elastic Beanstalk.
Abstract Services
This category includes high-level storage, database, and messaging services, such as S3, DynamoDB, SQS, and SES. These services abstract the platform or management layer on which you build and operate cloud applications. You access the endpoints of these abstracted services using AWS APIs, and AWS manages the underlying service components and the operating system on which they reside.
Infrastructure services
EC2, EBS, VPC
Container services
RDS, EMR, Elastic Beanstalk
Abstracted services
S3, Glacier, DynamoDB, SQS, SES
AWS config
Provides an inventory of your AWS resources and a history of configuration changes to those resources. You can use AWS Config rules to evaluate these configurations for compliance (this lets you discover assets in AWS).
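As an added example (not code from the original flashcards), the evaluation half of a custom AWS Config rule: given one configuration item for a security group, decide whether it is COMPLIANT or NON_COMPLIANT because it exposes SSH or RDP to the whole internet. The event is constructed here; its shape (an `invokingEvent` JSON string holding a `configurationItem`, camelCase `ipPermissions` fields) follows the custom-rule Lambda contract as assumed in this example, and the final `put_evaluations` API call is omitted so it runs offline.

```python
"""Evaluate an AWS Config configuration item for one custom rule:
no security group may allow SSH (22) or RDP (3389) from anywhere.
The event below is constructed for this example; its shape is an
assumption about the custom Config rule Lambda contract."""
import json

ADMIN_PORTS = {22, 3389}
ANYWHERE = {"0.0.0.0/0", "::/0"}


def permission_is_open(perm):
    """True if one ipPermissions entry lets the whole internet reach an admin port."""
    cidrs = [r.get("cidrIp") for r in perm.get("ipRanges", [])]
    cidrs += [r.get("cidrIpv6") for r in perm.get("ipv6Ranges", [])]
    if not ANYWHERE.intersection(cidrs):
        return False
    if perm.get("ipProtocol") == "-1":        # all protocols, all ports
        return True
    low, high = perm.get("fromPort", 0), perm.get("toPort", 65535)
    return any(low <= p <= high for p in ADMIN_PORTS)


def evaluate_compliance(item):
    """Return COMPLIANT / NON_COMPLIANT / NOT_APPLICABLE for one configuration item."""
    if item.get("resourceType") != "AWS::EC2::SecurityGroup":
        return "NOT_APPLICABLE"
    if item.get("configurationItemStatus") == "ResourceDeleted":
        return "NOT_APPLICABLE"            # deleted resources are not evaluated
    rules = item.get("configuration", {}).get("ipPermissions", [])
    return "NON_COMPLIANT" if any(permission_is_open(p) for p in rules) else "COMPLIANT"


def handler(event):
    """Lambda-style entry point: parse invokingEvent and build the evaluation
    that a real rule would pass to config.put_evaluations() together with
    event["resultToken"]. That API call is omitted so the example runs offline."""
    item = json.loads(event["invokingEvent"])["configurationItem"]
    return {
        "ComplianceResourceType": item["resourceType"],
        "ComplianceResourceId": item["resourceId"],
        "ComplianceType": evaluate_compliance(item),
        "OrderingTimestamp": item["configurationItemCaptureTime"],
    }


# Constructed sample: a security group that opens HTTPS (fine) and SSH (not fine) to the world.
SAMPLE_EVENT = {
    "invokingEvent": json.dumps({"configurationItem": {
        "resourceType": "AWS::EC2::SecurityGroup",
        "resourceId": "sg-0123456789abcdef0",
        "configurationItemStatus": "OK",
        "configurationItemCaptureTime": "2024-01-10T08:00:00.000Z",
        "configuration": {"ipPermissions": [
            {"ipProtocol": "tcp", "fromPort": 443, "toPort": 443,
             "ipRanges": [{"cidrIp": "0.0.0.0/0"}]},
            {"ipProtocol": "tcp", "fromPort": 22, "toPort": 22,
             "ipRanges": [{"cidrIp": "0.0.0.0/0"}]},
        ]},
    }}),
    "resultToken": "example-token",
}

if __name__ == "__main__":
    print(handler(SAMPLE_EVENT))
```

The rule treats `ipProtocol` of `-1` (all traffic) as covering every port, and returns NOT_APPLICABLE for deleted resources so the Lambda does not report stale findings.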
AWS CloudTrail
AWS CloudTrail provides visibility into user activity by recording API calls made on your account. AWS CloudTrail records important information about each API call, including the name of the API, the identity of the caller, the time of the API call, the request parameters, and the response elements returned by the AWS service. This information helps you to track changes made to your AWS resources and to troubleshoot operational issues. AWS CloudTrail makes it easier to ensure compliance with internal policies and regulatory standards.
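Added example (not part of the original flashcards): detection logic run over a constructed CloudTrail log body. It uses the record fields the card lists (caller identity, event name, time, request and response elements) to flag three things an auditor cares about: any root-user activity, a successful console login without MFA, and API calls that turn the trail itself off. The three records are constructed in CloudTrail's record layout and are not real account data.

```python
"""Flag high-value CloudTrail events: root activity, console logins without
MFA, and calls that tamper with CloudTrail itself. The records below are
constructed for this example in CloudTrail's record layout; they are not
real account data."""
import json

SAMPLE_LOG = json.dumps({"Records": [
    {   # root user signs in to the console without MFA
        "eventVersion": "1.08",
        "userIdentity": {"type": "Root", "principalId": "123456789012",
                         "arn": "arn:aws:iam::123456789012:root",
                         "accountId": "123456789012"},
        "eventTime": "2024-01-10T08:01:02Z",
        "eventSource": "signin.amazonaws.com",
        "eventName": "ConsoleLogin",
        "awsRegion": "us-east-1",
        "sourceIPAddress": "203.0.113.5",
        "responseElements": {"ConsoleLogin": "Success"},
        "additionalEventData": {"MFAUsed": "No"},
    },
    {   # an IAM user turns logging off for a trail
        "eventVersion": "1.08",
        "userIdentity": {"type": "IAMUser", "principalId": "AIDAEXAMPLE",
                         "arn": "arn:aws:iam::123456789012:user/alice",
                         "accountId": "123456789012", "userName": "alice"},
        "eventTime": "2024-01-10T08:05:00Z",
        "eventSource": "cloudtrail.amazonaws.com",
        "eventName": "StopLogging",
        "awsRegion": "us-east-1",
        "sourceIPAddress": "203.0.113.9",
        "requestParameters": {"name": "arn:aws:cloudtrail:us-east-1:123456789012:trail/main"},
    },
    {   # a benign read-only call
        "eventVersion": "1.08",
        "userIdentity": {"type": "IAMUser", "principalId": "AIDAEXAMPLE2",
                         "arn": "arn:aws:iam::123456789012:user/bob",
                         "accountId": "123456789012", "userName": "bob"},
        "eventTime": "2024-01-10T08:07:00Z",
        "eventSource": "ec2.amazonaws.com",
        "eventName": "DescribeInstances",
        "awsRegion": "us-east-1",
        "sourceIPAddress": "203.0.113.20",
    },
]})

# API calls that weaken or disable the audit trail itself.
TRAIL_TAMPER_EVENTS = {"StopLogging", "DeleteTrail", "UpdateTrail",
                       "PutEventSelectors"}


def classify(record):
    """Return the list of finding names that apply to one CloudTrail record."""
    findings = []
    identity = record.get("userIdentity", {})
    if identity.get("type") == "Root":
        findings.append("root-activity")
    if (record.get("eventName") == "ConsoleLogin"
            and record.get("responseElements", {}).get("ConsoleLogin") == "Success"
            and record.get("additionalEventData", {}).get("MFAUsed") != "Yes"):
        findings.append("console-login-without-mfa")
    if (record.get("eventSource") == "cloudtrail.amazonaws.com"
            and record.get("eventName") in TRAIL_TAMPER_EVENTS):
        findings.append("cloudtrail-tampering")
    return findings


def scan(log_text):
    """Parse a CloudTrail log file body and return one alert per finding."""
    alerts = []
    for record in json.loads(log_text)["Records"]:
        for finding in classify(record):
            alerts.append({
                "finding": finding,
                "eventName": record.get("eventName"),
                "actor": record.get("userIdentity", {}).get("arn"),
                "sourceIP": record.get("sourceIPAddress"),
                "time": record.get("eventTime"),
            })
    return alerts


if __name__ == "__main__":
    for alert in scan(SAMPLE_LOG):
        print(alert)
```

Each alert carries the actor ARN, source IP and timestamp straight from the record, which is exactly the non-repudiation value of CloudTrail: the call is tied to an identity, a place and a time. In production the same logic would be fed from the trail's S3 bucket or a CloudWatch Logs subscription rather than an inline string.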
AWS CloudHSM
Dedicated, single-tenant hardware security module (HSM) appliances running in your VPC; FIPS 140-2 Level 3 validated. You, not AWS, control the keys.
Cloud controls
Visibility; Auditability; Controllability; Agility; Automation; Scale
What service would you use to check CPU utilization of your EC2 instances?
CloudWatch (Amazon CloudWatch is a monitoring and management service that collects monitoring and operational data in the form of logs, metrics, and events, providing a unified view of AWS resources, applications and services that run on AWS, and on-premises servers. Further information: https://aws.amazon.com/cloudwatch/)
When using AWS, which of the following are a customer responsibility in terms of Security and Compliance? (List 2)
Configuring IAM , Applying security updates and patching the Operating System running on EC2 instances (Security and Compliance are a shared responsibility. AWS is responsible for protecting the infrastructure that runs all of the services offered in the AWS Cloud. This infrastructure is composed of the hardware, software, networking, and facilities that run AWS Cloud services. If a customer deploys an Amazon EC2 instance, they are responsible for management of the guest operating system (including updates and security patches), any application software or utilities installed by the customer on the instances. Further information: https://aws.amazon.com/compliance/shared-responsibility-model/)
For which of the following are you responsible for ensuring the Operating System is configured securely?
EC2 (If a customer deploys an Amazon EC2 instance, they are responsible for management of the guest operating system (including updates and security patches), any application software or utilities installed by the customer on the instances, and the configuration of the AWS-provided firewall (called a security group) on each instance. Further information: https://aws.amazon.com/compliance/shared-responsibility-model/)
What is the name of the service that can be used to provide an audit trail of all the API activity taking place in your AWS account?
CloudTrail (CloudTrail provides event history of your AWS account activity, including actions taken through the AWS Management Console, AWS SDKs, command line tools, and other AWS services. Further information: https://aws.amazon.com/cloudtrail/)
Which AWS services can be used to enable customers to quickly adapt to the changing needs of their business? (Name 2)
CloudFormation, Elastic Beanstalk (AWS Elastic Beanstalk is an easy-to-use service for deploying and scaling web applications and services developed with Java, .NET, PHP, Node.js, Python, Ruby, Go, and Docker on familiar servers such as Apache, Nginx, Passenger, and IIS. CloudFormation allows you to use a simple text file to model and provision, in an automated and secure manner, all the resources needed for your applications across all regions and accounts. Further information: https://aws.amazon.com/elasticbeanstalk/ and https://aws.amazon.com/cloudformation/)
Name one thing that is NOT the responsibility of AWS in terms of Security and Compliance?
Configuration of the Operating System running on EC2 instances (Security and Compliance are a shared responsibility. AWS is responsible for protecting the infrastructure that runs all of the services offered in the AWS Cloud. This infrastructure is composed of the hardware, software, networking, and facilities that run AWS Cloud services. If a customer deploys an Amazon EC2 instance, they are responsible for management of the guest operating system (including updates and security patches), any application software or utilities installed by the customer on the instances. Further information: https://aws.amazon.com/compliance/shared-responsibility-model/)
Name two services that can be used to automate technical tasks, avoid mistakes caused by human error and ensure that processes in your organization are repeatable?
OpsWorks, CodeDeploy (AWS OpsWorks is a configuration management service that provides managed instances of Chef and Puppet. Chef and Puppet are automation platforms that allow you to use code to automate the configurations of your servers. AWS CodeDeploy is a fully managed deployment service that automates software deployments to a variety of compute services such as Amazon EC2, AWS Fargate, AWS Lambda, and your on-premises servers. Further information: https://aws.amazon.com/opsworks/ and https://aws.amazon.com/codedeploy/)
users
end users (think people)
groups
a collection of users under one set of permissions
Roles
An IAM identity with a set of permissions that is assumed by a trusted entity (an AWS service such as EC2, a user from another account, or a federated user) rather than being tied to one person. You create roles and then assign them to AWS resources; whatever assumes the role receives temporary credentials instead of long-term access keys.
Policies
A document (JSON) that defines one or more permissions.
Things to do when resetting root users
1. Create a new root password and set a strong password policy. 2. Delete the previous MFA (two-factor) device and register a new one. 3. Check whether the root user has an access key and secret key; if so, delete them immediately (root should have no access keys). 4. Check the other user accounts: verify they are legitimate and delete any that are not.
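The checklist above can be turned into a repeatable audit. The following is an added example (not from the original flashcards) that parses an IAM credential report, the CSV that `aws iam get-credential-report` returns, and flags root without MFA, root with active access keys, console users without MFA, and access keys older than 90 days. The report text is constructed for this example and uses only a subset of the real report's columns; the 90-day threshold and the fixed audit time are assumptions chosen so the output is deterministic.

```python
"""Audit an IAM credential report for the checks in the root-reset checklist:
root MFA, root access keys, users without MFA, and stale access keys.
The report text below is constructed for this example; it uses a subset of
the columns that `aws iam get-credential-report` returns."""
import csv
import io
from datetime import datetime, timedelta, timezone

SAMPLE_REPORT = """\
user,arn,password_enabled,mfa_active,access_key_1_active,access_key_1_last_rotated,access_key_2_active,access_key_2_last_rotated
<root_account>,arn:aws:iam::123456789012:root,not_supported,false,true,2022-06-01T09:00:00+00:00,false,N/A
alice,arn:aws:iam::123456789012:user/alice,true,true,true,2024-01-05T10:00:00+00:00,false,N/A
bob,arn:aws:iam::123456789012:user/bob,true,false,false,N/A,false,N/A
deploy,arn:aws:iam::123456789012:user/deploy,false,false,true,2023-01-15T12:00:00+00:00,true,2023-02-01T12:00:00+00:00
"""

MAX_KEY_AGE = timedelta(days=90)                       # assumed rotation policy
AUDIT_TIME = datetime(2024, 3, 1, tzinfo=timezone.utc)  # fixed "now" for a reproducible run


def stale_keys(row, now):
    """Yield the access-key slots (1 or 2) that are active and older than MAX_KEY_AGE."""
    for slot in ("1", "2"):
        if row[f"access_key_{slot}_active"] != "true":
            continue                       # inactive slots carry N/A, not a date
        rotated = datetime.fromisoformat(row[f"access_key_{slot}_last_rotated"])
        if now - rotated > MAX_KEY_AGE:
            yield slot


def audit(report_text, now):
    """Return a list of (user, finding) tuples for the report."""
    findings = []
    for row in csv.DictReader(io.StringIO(report_text)):
        user = row["user"]
        if user == "<root_account>":
            if row["mfa_active"] != "true":
                findings.append((user, "root-mfa-missing"))
            if "true" in (row["access_key_1_active"], row["access_key_2_active"]):
                findings.append((user, "root-access-key-active"))
        elif row["password_enabled"] == "true" and row["mfa_active"] != "true":
            findings.append((user, "console-user-without-mfa"))
        for slot in stale_keys(row, now):
            findings.append((user, f"access-key-{slot}-older-than-90-days"))
    return findings


if __name__ == "__main__":
    for user, finding in audit(SAMPLE_REPORT, AUDIT_TIME):
        print(f"{user}: {finding}")
```

The root row is identified by the literal user name `<root_account>`; its `password_enabled` column reads `not_supported`, which is why the console-MFA check is applied only to ordinary users.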
IAM policies
1. IAM policies specify what you are allowed to do with any AWS resource. 2. They are global and apply to all areas of AWS (IAM is not scoped to a Region). 3. You attach IAM policies to IAM users, groups, or roles; those users, groups and roles are then subject to the permissions that you define in the policy. In other words, IAM policies define what a principal can do in your environment.
IAM Policies (types of policies)
1. AWS Managed Policies2. Customer Managed Policies3. Inline Policies
AWS Managed Policies
1. An AWS managed policy is a standalone policy that is created and administered by AWS. 2. Hundreds of thousands or even millions of AWS accounts use these policies; the same policy is applied across many accounts, so you cannot edit it.
Customer Managed Policies
Standalone policies that you administer in your own AWS account, which we refer to as customer managed policies. You can then attach the policies to multiple principal entities in your AWS account. When you attach a policy to a principal entity, you give the entity the permissions that are defined in the policy.
Inline Policies
Inline policies are useful when you want to maintain a strict one-to-one relationship between a policy
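To make the cards on IAM policies and the three policy types concrete, here is an added example (not from the original flashcards) that evaluates a request against all policies attached to a principal the way IAM does: an explicit Deny in any policy wins, otherwise an Allow is required, and anything unmatched is implicitly denied. The three policy documents are constructed for this example; the "read-only" one imitates the shape of an AWS managed policy but is not the text of any real one. The evaluator is deliberately a simplification: it handles `Effect`/`Action`/`Resource` with wildcards only, not `NotAction`, `Condition`, or resource-based policies.

```python
"""Evaluate IAM policy documents: combine every policy attached to the
principal, let an explicit Deny win, require an Allow, and treat anything
else as an implicit deny. Policies are constructed for this example and
the evaluator is a simplification (no NotAction, Condition, or
resource-based policies)."""
import fnmatch

# Imitation of an AWS managed read-only policy (not a real one).
READ_ONLY = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": ["s3:Get*", "s3:List*", "ec2:Describe*"],
     "Resource": "*"},
]}

# Customer managed policy: full access to one bucket.
BUCKET_ADMIN = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": "s3:*",
     "Resource": ["arn:aws:s3:::app-logs", "arn:aws:s3:::app-logs/*"]},
]}

# Inline policy on the user: never delete, whatever the other policies say.
NO_DELETE = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Deny", "Action": "s3:DeleteObject", "Resource": "*"},
]}

ATTACHED = [READ_ONLY, BUCKET_ADMIN, NO_DELETE]   # managed + customer managed + inline


def _as_list(value):
    """Action and Resource may be a single string or a list of strings."""
    return value if isinstance(value, list) else [value]


def statement_matches(stmt, action, resource):
    """IAM action names match case-insensitively; ARNs are case-sensitive."""
    actions = [a.lower() for a in _as_list(stmt.get("Action", []))]
    resources = _as_list(stmt.get("Resource", []))
    return (any(fnmatch.fnmatchcase(action.lower(), a) for a in actions)
            and any(fnmatch.fnmatchcase(resource, r) for r in resources))


def evaluate(policies, action, resource):
    """Return 'explicit-deny', 'allow', or 'implicit-deny' for one request."""
    allowed = False
    for policy in policies:
        for stmt in policy["Statement"]:
            if not statement_matches(stmt, action, resource):
                continue
            if stmt["Effect"] == "Deny":
                return "explicit-deny"          # a deny beats any number of allows
            allowed = True
    return "allow" if allowed else "implicit-deny"


if __name__ == "__main__":
    obj = "arn:aws:s3:::app-logs/2024/x.gz"
    for act, res in [("s3:GetObject", obj),
                     ("s3:PutObject", obj),
                     ("s3:DeleteObject", obj),
                     ("s3:PutObject", "arn:aws:s3:::other-bucket/x"),
                     ("ec2:StartInstances",
                      "arn:aws:ec2:us-east-1:123456789012:instance/i-0abc")]:
        print(act, res, "->", evaluate(ATTACHED, act, res))
```

Note what the inline Deny does: `BUCKET_ADMIN` grants `s3:*` on the bucket, so without the inline policy `s3:DeleteObject` would be allowed; the Deny overrides it regardless of where the Allow came from. That is the one-to-one guarantee inline policies give you, since the Deny travels with the principal and cannot be detached by attaching a more generous managed policy.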