1
Q
What do all AWS customers benefit from?
A
- A data center and network architecture built to satisfy the requirements of the most security-sensitive customers
- Customers get a resilient infrastructure designed for high security without the capital overlay and operational overhead of a traditional data center
- You also get advanced security services which allow teams to proactively address emerging risks in real-time while paying for only what you use
2
Q
Cloud-based governance
A
- Offers a lower cost of entry, easier operations and improved agility by providing greater oversight, security control, and central automation
- You inherit the many security controls AWS operates which reduces the number of controls you need to maintain
- Your own compliance and certification programs are strengthened while lowering your costs to maintain such programs/requirements
3
Q
AWS network security services and capabilities:
A
- Built-in firewalls — allow to create private networks within AWS
- Encryption in transit
- Private/dedicated connections — connectivity options from your office or on-premise environments
- Distributed Denial of Service (DDoS) mitigations — part of your Auto Scaling or content delivery strategies
4
Q
AWS tools that enable your cloud resources to comply with organizational standards:
A
- Deployment tools
- Inventory & configuration management tools
- Template definition & management tools
5
Q
Deployment tools
A
- A type of AWS tools that enable your cloud resources to comply with organizational standards
- They maintain the creating and decommissioning of AWS resources
6
Q
Inventory & configuration management tools
A
- An AWS tool that enables your cloud resources to comply with organizational standards
- They identify AWS resources and then track and manage changes to resources over time
7
Q
Template definition & management tools
A
- An AWS tool that enables your cloud resources to comply with organizational standards
- They create standard preconfigured VM’s for Amazon EC2 instances
8
Q
Encryption features:
A
- Data encryption — available in AWS storage and database services such as Amazon EBS, Amazon S3, Amazon Redshift, etc.
- Flexible key management options — ability to choose whether you have AWS manage the encryption keys or you maintain complete control over your keys
9
Q
AWS Security facts:
A
- AWS provides API’s to integrate encryption and data protection with the services you develop or deploy in an environment
- AWS offers capabilities to define, force and manage user access policies across AWS services
- AWS offers hundreds of products that integrate with existing controls and your on-premise environment including — anti-malware, web application firewalls, and intrusion protection
10
Q
AWS services with user access policies:
A
- Identity and Access Management (IAM)
- Multi-Factor Authentication (MFA)
11
Q
Identity and Access Management (IAM)
A
- An AWS service with user access policies
- It enables you to manage access to AWS services and resources securely as it defines individual user accounts with permissions across AWS resources
12
Q
Multi-Factor Authentication (MFA)
A
- An AWS service with user access policies
- It’s a security feature for privileged accounts that augments user name and password credentials
- Includes options for hardware-based authenticators, and integration and federation with corporate directories — in order to reduce administrative overhead and improve user experience
13
Q
AWS tools and features to monitor your environment:
A
- Deep visibility into API calls — including who, what, when and where calls were made
- Log aggregation — streamlining investigations and compliance reporting
- Alert notifications — when specific events occur or thresholds are exceeded
14
Q
The Shared Responsibility Model
A
- A model that looks at your application stack as a whole and divides it into different pieces — some pieces AWS is 100% responsible for, others the customer is 100% responsible for
- Third-party audits regularly occur to go through AWS network stack and physical elements to provide you with exacting information on how it’s done
- AWS has zero visibility of the Guest OS, Application, and User Data information for customers — protected by the customer’s secret access key combinations and by your encryption methods
- Customers can take advantage of shifting management of certain IT controls to AWS — which results in a new distributed control environment
15
Q
AWS responsibility in ‘The Shared Responsibility Model’
A
- Protecting the infrastructure that all AWS services operate on
- Infrastructure is composed of — hardware, software, networking, and facilities
16
Q
Customer responsibility for EC2 instances in ‘The Shared Responsibility Model’
A
- Management of the Guest OS — including updates and security patches
- Application software and utilities installed by the customer
- Configuration of security groups
17
Q
Abstracted services
A
- Storage, database, or messaging services
- Include services such as Amazon S3 and Amazon DynamoDB
18
Q
AWS responsibility for abstracted services in ‘The Shared Responsibility Model’
A
Within these services, AWS operates the infrastructure layer, OS, and platforms
19
Q
Customer responsibility for abstracted services in ‘The Shared Responsibility Model’
A
- Managing data — including encryption options)
- Classifying assets
- Using IAM tools to apply appropriate permissions
20
Q
Hypervisor
A
- A software that creates, runs, and manages VM’s
- Protects the physical hardware, virtualizes the CPU, storage, and networking; while providing a rich set of management capabilities
Lots of specific changes have been made to this software that make it secure, scalable and so millions of concurrent customers can run on it without worry of leakage of any data - 100% managed by AWS within ‘The Shared Responsibility Model’
21
Q
API usage within IAM
A
- Everything in AWS is an API; which is critical because to execute an API, you have to AUTHENTICATE but then AUTHORIZE
- If you use policy documents attached to users and you’re not using root-level credentials, you can execute a single API that removes every policy document from all users, groups and roles
- AWS CloudTrail records every API action regardless if it’s successful or not
22
Q
How an API goes through a process:
A
- First, execute the API — also known as the ‘API execution statement’
- Then, the statement gets presented to the AWS API engine where the IAM engine looks at the credentials and validates that those are active authorization credentials
- And then, you take the policy documents associated with the operator and evaluate all documents as a single view
23
Q
Operator
A
- It’s a user, group, or role within IAM
24
Q
Within the API process, details about taking policy documents and evaluating such documents as a single view:
A
- Look to see if the action you’re doing is authorized by any of the policy documents
- These documents have either an explicit or implicit deny
- You have to at least whitelist a function for an action to happen
25
Explicit deny
- A request that results in this type of deny if the applicable policy includes a deny statement
- If policies that apply to a request include an allow and deny statement, the deny statement trumps the allow statement
- Also known as a 'blacklist' --- which permanently disallows actions from occurring regardless of the allow statements in place
26
Implicit deny
- A request that results in this type of deny when there's no applicable allow or deny statements
27
User
- It's a PERMANENT named operator that could either be human or a machine
- Credentials are permanent and stay with the named individual until there's a forced rotation
- These individuals can belong to as many groups as they'd like
28
Group
- A type of operator that's a collection of users
| - Can have as many users as they'd like
29
Role
- A type of operator that could either be human or a machine
| - Offers TEMPORARY credentials
30
Policy Documents
- They're JSON documents that attach either directly to a permanent-named user, a group of users, or a role
- Lists specific API's or wildcard group of API's that you are white-listing
31
White-listing
- The list of specific API's that you are allowing
32
Amazon Inspector
- An automated security assessment service that helps improve the security and compliance of applications deployed on AWS
- Automatically assesses applications for vulnerabilities or deviations from best practices
- After performing an assessment, it produces a detailed report with prioritized steps for remediation
33
Amazon Inspector important fine print:
"AWS does not guarantee that following the provided recommendations will resolve every potential security issue. The findings generated by Amazon Inspector depend on your choice of rules packages included in each assessment template, the presence of non-AWS components in your system, and other factors. You are responsible for the security of applications, processes, and tools that run on AWS services."
34
Amazon Inspector benefits:
- Identifies security vulnerabilities and deviations from security best practices; both before they are deployed and while they are running in a production environment --- helps improve the overall security posture of your applications deployed on AWS
- Agent-based, API-driven, and delivered as a service --- makes it easy to build right into your existing DevOps process
- Helps reduce risk of introducing security issues during development and deployment by automating security assessments of your applications and proactively identifying vulnerabilities
- AWS continuously assesses the AWS environment and updates a knowledge base of security best practices and rules --- this expertise is made available to you as a service to simplify the process of establishing and enforcing best practices
- Gives security teams and auditors visibility into security testing during application development --- streamlines process of validating and demonstrating that security and compliance standards and best practices are being followed
- Allows you to define standards and best practices for your applications and validate adherence to such standards --- simplifies enforcement of your organization's security standards and helps you proactively manage security issues before they impact your application
35
How to access Amazon Inspector:
- Amazon Inspector Console via the AWS Management Console
- AWS software development kits (SDK's)
Amazon Inspector HTTPS API
- AWS command-line tools
36
Benefits of AWS command-line tools:
- Faster and more convenient than using the AWS management console
- Useful for building scripts that perform AWS tasks
37
Getting started with Amazon Inspector
- This service starts with including a knowledge base of hundreds of rules mapped to common security and compliance standards and vulnerability definitions
- Examples include --- checking for remote root login before enabling, vulnerable software versions installed, etc.
38
AWS Shield
- A managed Distributed Denial of Service (DDoS) protection service that safeguards applications running on AWS
- Provides always-on detection and automatic in-line mitigations that minimize application downtime and latency, so there is no need to engage AWS support for DDoS protection
39
Denial of Service (DoS) attack
- A type of attack that's a deliberate attempt to make your website or application unavailable to users
- Attackers use a variety of techniques that consume large amounts of network bandwidth or tie up other system resources, disrupting access for legitimate users
- A lone attacker uses a single source to execute this type of attack
40
Distributed Denial of Service (DDoS) attack
- A type of attack that's typically launched from a botnet of compromised computers or IoT devices
- The objective is to knock the targeted website or application offline for a period of time, disrupting availability for legitimate users
41
Challenges with mitigating DDoS attacks:
- Protection is complex to set up and involves re-architecting your applications
- There's bandwidth limitations that can occur if using an on-premise data center due to scalability issues
- Would require manual intervention for operators to initiate mitigation, and mitigation vendors and teams to re-route traffic using a distant scrubbing location
- Delays resolution and increases network latency
- Can become costly due to the size, duration and complex nature of such mitigation systems
42
AWS Shield protection options
- AWS Shield Standard
| - AWS Shield Advanced
43
AWS Shield Standard
- An AWS Shield protection option that provides automatic protection for all AWS customers at no additional charge
44
AWS Shield Standard features:
- Automatically protects any AWS resource in any AWS Region against the most common attacks
- Quickly detects DDoS attacks by providing always-on network flow monitoring that inspects incoming traffic to AWS --- combination of traffic signatures, anomaly algorithms, and other analysis techniques are employed to detect malicious traffic
- Automated mitigation techniques are built-in and applied in-line to your applications so there's no latency impact
- Provides a convenient self-serve option for minimizing application downtime so there's no need to engage AWS support for DDoS attacks
45
AWS Shield Advanced
- An AWS Shield protection option that gives you additional capacity to protect against larger attacks
46
AWS Shield Advanced features:
- Gives you 24/7 access to a DDoS response team (called the DRT), who can be engaged before, during or after an attack
- Complete visibility into DDoS attacks with near real-time notification via CloudWatch and detailed diagnostics on the management console
- Monitors application layer traffic to your Elastic IP address, Elastic Load Balancer (ELB), CloudFront or Amazon Route 53
- Detects application layers attacks by baselining traffic on your resource and identifying anomalies
47
AWS Shield benefits:
- Provides seamless integration and deployment
- Customizable protection
- Cost efficient
48
AWS Shield benefit of 'providing seamless integration and deployment'
- A benefit of AWS Shield
- Standard option --- AWS resources are automatically protected from the most frequently occurring network and transport layer DDoS attacks
- Advanced option --- can achieve a higher level of defense
49
Customizable protection
- A benefit of AWS Shield
- Advanced option --- flexibility to write customized rules to mitigate sophisticated attacks as rules can deploy instantly which allows to quickly mitigate attacks
50
Cost efficiency
- A benefit of AWS Shield
- Standard option --- an automatic network layer protection comes at no additional cost
- Advanced option --- You get 'DDoS cost protection'
51
DDoS cost portection
A feature within AWS Shield that protects your AWS bill from EC2, ELB, CloudFront, and Amazon Route 53 usage spikes as a result of a DDoS attack
52
How does AWS Shield Standard protect your resources?
- Protects your Amazon Route 53 hosted zones from infrastructure layer DDoS atacks --- a variety of techniques such as header validations and priority-based traffic shaping automatically mitigate attacks
- When using CloudFront, this protection option provides comprehensive protection against infrastructure layer attacks --- 99% of such attacks are detected and automatically mitigated in less than 1 second
53
How does AWS Shield Advanced protect your resources?
- Provides greater protection and visibility into attacks on your Amazon Route 53 infrastructure and helps the response team for extreme scenarios
- When using CloudFront, this protection option provides additional protection such as:
- Response team actively applies any mitigation's necessary for sophisticated infrastructure attacks using traffic engineering
- The always-on detection system baselines customers' steady-state application traffic and monitors for anomalies
- Using AWS WAF, you can customize any application layer mitigation
54
How do other custom applications not based on TCP; and therefore can't use CloudFront or ELB, protect their resources?
- You need to run your applications directly on internet-facing Amazon EC2 instances
- Standard option --- protects your EC2 instances from common infrastructure attacks --- techniques such as priority-based traffic shaping are automatically engaged when a well-defined DDoS attack signature is detected
- Advanced option --- enhanced detection automatically recognizes the type of AWS resource and size of EC2 instance and applies appropriate pre-defined mitigations
55
AWS Security Compliance
- The success of this program is primarily measured by customer's success
- Ability to take advantage of the compliance efforts AWS offers and achieve savings and security at scale while maintaining robust security and regulatory compliance
- AWS communicates their security and control environment information to customers
- AWS engages with external agents and independent auditors to provide customers with information regarding their policies, processes, and controls
56
Methods that AWS communicates to customers about their security and control environments:
- Obtaining industry certifications and independent third-party attestations
- Publishing about AWS security and control practices in whitepapers and website content
- Providing certificates, reports, and other documentation directly to customers under NDA's
57
AWS Compliance approach
- Risk management
- Control environment
- Information security
58
Risk management
- An approach within AWS Compliance
- Requires management to identify risks within its areas of responsibility and implement appropriate measures to address such risks
- AWS Security regularly scans for vulnerabilities and notifies appropriate parties to remediate identified vulnerabilities
- Additionally, external vulnerability threat assessments are performed regularly by independent security firms
- Scans are performed to protect the health and viability of the underlying AWS infrastructure --- not meant to replace customer vulnerability scans required to meet compliance requirements
59
Control environment
- An approach within AWS Compliance
- Includes policies, processes, and control activities to secure the delivery of AWS service offerings
- Supports the operating effectiveness of the AWS control network
- Integration of cloud-specific controls identified by top industry agencies
60
Information security
- An approach within AWS Compliance
- AWS has established a framework and policies based on guidelines from governing bodies that's designed to protect the confidentiality and availability of customer's systems and data
- Customers are required to maintain adequate governance over their entire IT control environment regardless of how such environment is deployed
61
Strong customer compliance and governance approach
- Customer reviews information available from AWS and other relevant sources to understand as much of their IT environment as possible, and documents all compliance requirements
- Then, the customer designs and implements control objectives to meet enterprise compliance requirements
- Next, the customer identifies and documents controls owned by outside parties
- Finally, the customer verifies that all control objectives are met and key controls are designed and operating effectively
AWS Certified Cloud Practitioner
flashcards
Decks in class (6)
# Cards
