1
Q
Four principles of a strong Identity foundation
A
- implement least privilege
- enforce separation of duties
- centralize identity management
- aim to eliminate long-term static credentails
2
Q
Design principles which instituting traceability
A
- monitor, alert and audit changes in real time
- integrate log and metric collection with systems to automatically take action
3
Q
Define the principle of security in depth
A
- apply security at all layers, for example: edge of network, VPC (Virtual Private Cloud), load balancing, every instance of compute, OS, application and code
4
Q
Design practices that facilitate automating security best practices
A
- create secure architectures that are defined and maintained as code to improve your ability to securely scale
5
Q
Design principles for protecting data
A
- classify data into sensitivity levels and use encryption, tokenization, masking and access controls where appropriate
6
Q
Design Principle: Keep people away from data
A
- use tools to reduce the need for direct access or manual processing of data
7
Q
Steps to prepare for security events
A
- create incident management and investigation processes.
- run response simulations and use tools to automate the detection, investigation and recovery
8
Q
Five areas of cloud security
A
- Identity and access management
- Detection
- Infrastructure protection
- Data protection
- Incident response
9
Q
Workload security best practices
A
- use a threat model to identify and prioritize risks
- identify control objectives based on risks identified from the threat model
- keep up to date with security threats and recommendations
- evaluate and implement new security services and features
- automate testing of security controls in your CI/CD pipeline.
10
Q
AWS Accounts
A
- in AWS accounts are a hard boundary for resources.
- AWS recommends you organize accounts by workload and not your orgs reporting structure
- account level separation is recommended for isolating production from dev and test or isolating different sensitivity levels like PCI or HIPAA
11
Q
AWS Organizations
A
- allows centralized management of accounts.
- provides automated AWS account creation and management
- allows you to set controls and configure services across your accounts, for example: enabling AWS CloudTrail across your org for centralized logging
- can group accounts into OUs
12
Q
Service Control Policy (SCP)
A
- used to apply permissions guardrails at the org, OU or account level which apply to all AWS Identity and Access Management (IAM) users and; roles
- for example: you can apply an SCP that restricts users from launching resources in cert Regions
- uses the IAM policy language to enable controls that all IAM principles (users and; roles) adhere to
13
Q
AWS Control Tower
A
- offers a simplified, automated way to setup and; govern multiple accounts and apply guardrails
- provides a dashboard for visibility
14
Q
Identity Management: Types
A
- human identities: admins, devs, operators, and; consumers of your applications
- machine identities: your applications, tools and; components running in AWS and external parties or machines outside of AWS that need access to your AWS environment
15
Q
Identity Management: Federation
A
- AWS IAM supports federation with SAML 2.0 based providers for federation with individual accounts
- AWS SSO - allows federation to multiple accounts
16
Q
AWS SSO
A
- allows your identity provider to be your source of truth and identities can be synchronized with the System for Cross-domain Identity Management (SCIM) v2.0 protocol
- integrates with AWS Organizations, which allows you to configure an identity manager once and then grant access to existing and; new accounts.
17
Q
AWS Directory Service
A
- allows connecting to your SAML 2.0 external identity provider or Microsoft Active Directory
- allows authentication to the AWS Management console, command line or AWS mobile app
18
Q
Amazon Cognito
A
- manages end-users or consumers of your workloads
- provides authentication, authorization and; user management for web and; mobile apps
- users can sign in directly or with Amazon, Apple, Facebook or Google accounts
19
Q
IAM Best Practices
A
- leverage user groups and attributes
- manage access by assigning permission sets
- enforce min password requirements and; MFA
- use temporary credentials, for example: for workforce identities use AWS SSO, for machine identities use IAM roles instead of IAM users with long term access keys
20
Q
IAM management access best practices
A
- for human identities access to the AWS management console, require SSO
- for human identities access to the AWS CLI, enforce CLI v2 that supports AWS SSO, which supports the CLI automatically retrieving the AWS credential on the user’s behalf
- for SDK, users should use use AWS STS (security token service) to assume roles to retrieve temporary credentials
21
Q
IAM consumer access best practices
A
- use Amazon Cognito identity pools
- assign a set of temporary, limited privileged credentials
- permissions for each user are controlled through IAM roles
- define rules to choose the role for each user based on claims in the user’s ID token
- define a default role for authenticated users
- define a separate limited IAM role for guests who are not authenticated
22
Q
IAM roles for Amazon EC2
A
- attach an IAM role to your EC2 instance to enable applications running on EC2 to use temporary security credentials that AWS creates, distributes and; rotates automatically.
23
Q
AWS Systems Manager
A
- provides a more secure method of accessing EC2 instances using keys or passwords by utilizing a pre-installed agent
24
Q
Permissions best practices
A
- define guardrails for your organization, separating workloads using accounts and manage accounts using AWS Organizations
- restrict the access to identities in your org by defining SCPs
- if necessary, define exceptions to your guardrails
25
IAM Access Analyzer
- identifies all access paths to a resource from outside of its account
- continuously reviews resource polices and reports findings of public and cross-account access
26
Least privilege access
- ensures identities are only permitted to perform the most minimal set of functions necessary to fulfill a specific task
- use policies to explicitly grant permissions attached to IAM or resource entities
27
Scaling permissions management while adhering to least privilege access
- permissions boundaries: allow setting the maximum permissions an administrator can set. Allows delegating ability to create and manage permissions to developers, but limits the permissions they can grant, preventing them from escalating their privileges.
- Attribute based access control (ABAC): enbles granting permissions based on attributes (tags). Facilities creating re-usable policies. For example: creating an IAM policy that grants developers access to AWS resources that match the developer's project tags. As the devs add resources with the project tags, they inherit the access to them.
28
Public and cross account access
- granting cross-account access should be intentional, you can grant direct cross-account access or by allowing an identity to assume an IAM role in another account
- granting public access to a resource should be used sparingly
29
Public and cross account access
- granting cross-account access should be intentional, you can grant direct cross-account access or by allowing an identity to assume an IAM role in another account
- granting public access to a resource should be used sparingly, public access allows anyone to access the resource
30
AWS Resource Access Manager (AWS RAM)
- enables you to easily share AWS resources with your AWS org or OU
- access to shared resources is automatically granted or revoked as accounts are moved in and; out of the Org or OU with which they are shared.
31
Reduce permissions continuously
- AWS provides analysis capabilities to identify unused access
- you can review last access timestamps to identify unused users and roles
- you can review service and; action accessed information to identify the specific actions your application requires and restrict access to only those.
32
Emergency access
- establish a process that allows emergency access to your workload
- this could include an emergency cross-account role or a specific process for administrators to follow to validate and; approve an emergency request
33
Detection: Configure logging
- establish a base set of detection mechanisms at the account level, which are aimed at recording and detecting a wide range of actions on all resources in your account.
- this allows you to build out a comprehensive detection capability that could include automated remediation and partner integrations
34
Detection: logging - AWS CloudTrail
- provides event history including actions taken through the AWS Management Console, SDKs, command line tools and other AWS services
35
Detection: logging - AWS Config
- monitors and records your AWS resource configurations and allows automated remediation
36
Detection: logging - Amazon GuardDuty
- threat detection service that monitors for malicious activity
- provides aggregation, deduplication and analysis for log records ingested from VPC DNS service, CloudTrail and VPC Flow Logs.
37
Detection: logging - AWS Security Hub
- dashboard that aggregates security alerts from AWS services and 3rd party products to give a comprehensive view of alerts and compliance status
- can ingest, aggregate, and analyze output from GuardDuty, AWS Config, Amazon Inspector, Macie, AWS Firewall Manager, third-party security products, and if built accordingly, your own code.
- often used by customers as a preprocessor to forward logs to an on-premises SIEM
38
Detection: logging - VPC Flow Logs
- capture IP traffic between interfaces to help map connectivity history and trigger automated actions
39
Detection: logging - Amazon CloudWatch
- agent based service that collects logs from operating systems and applications and uploads the logs to CloudWatch for real time analysis using Insights
40
Detection: logging sensitive data
- logs can contain sensitive data, for example some application data has found its way into the CloudWatch logs or when cross-region logging is configured and there are legislative considerations about shipping the data across boarders.
- one approach is to use Lambda functions to trigger and redact the log data before forwarding to a centralized location. Unredacted logs can be retained for a predetermined period of time at which point an S3 lifecycle rule can delete them
- you can also choose to WORM the logs with S3 Object Lock
41
Investigate: implement actionable security events
- for each detection mechanism, there should be a runbook on what actions to take to remediate the event
42
Investigate: Amazon EventBridge
- allows automating events of interest into a workflow
43
Protecting Networks
- create network layers using subnets
- if a workload has no need for internet access, place it in a subnet with no route to the internet
- examine connectivity requirements of each of your networks components
- deploy defense in depth with security groups (stateful inspection firewall), network ACLs, subnets and route tables
- control access to the internet by routing to a NAT gateway attached to your VPC or through another VPC
- when an instance, RDS database or other service is launched within a VPC, it has it's own security group per network interface, this firewall is outside the OS layer and can be used to define rules and relationships for that service
- EC2 instances shouldn't be directly accessible from the internet without a load balancer or CloudFront
- subnets can have their own network ACLs, which act as a stateless firewall.
- you should configure inbound and outbound network ACLs to narrow the scope of traffic allowed between layers
44
Protecting Networks: AWS Transit Gateway
- acts as a hub that controls how traffic is routed among all the connected networks, including VPCs, AWS accounts and on-premises networks
- traffic between AWS VPCs and AWS Transit Gateway remains on the AWS private network
- AWS Transit Gateway inter-region peering also encrypts inter-region traffic
45
Protecting Networks: AWS Web Application Firewall (WAF)
- lets you monitor and block HTTP(s) requests that match rules you configure
- the matching requests are forwarded to an Amazon API Gateway, Amazon CloudFront or Application Load Balancer
- AWS WAF Security Automations solution automatically blocks requests originating from IP addresses associated with known threat actors
46
Protecting Networks: AWS Firewall Manager
- allows you to centrally configure and manage firewall rules across your accounts, applications and AWS Organizations
- manages AWS WAP, AWS Shield Advanced protections and VPC security groups
- enables rapid response to attacks using AWS Shield Advanced
47
Protecting Networks: AWS Shield Standard and Advanced
- a managed DDoS protection service
- Standard defends against most common, frequently occurring network and transport layer DDoS attacks
- Advanced provides additional detection and mitigation against large and sophisticated DDoS attacks, near real-time visibility into attacks, and integration with AWS WAF
48
Protecting Compute: Amazon Inspector
- automated security assessment service that helps improve the security and compliance of applications deployed on AWS
- checks for unintended network accessibility of EC2 instances
- checks for vulnerabilities on EC2 instances
- offers regularly updated pre-defined rules mapped to common security best practices and vulnerability definitions.
- runs on production instances or in a build pipline
49
Protecting Compute
- frequently scan and patch for vulnerabilities in your code, dependencies, and in your infrastructure using third party tools for static code analysis
- use third-party dependency checking tools to determine whether libraries are up to date and free of CVEs
- use Fuzzing methods to find bugs by injecting malformed data into input fields
50
Protecting Compute: EC2 Image Builder
- used to maintain server images (AMIs) with automated patching, AWS provided security policy enforcement and other customizations
51
Protecting Compute: ECR Image Scanning
- used in your build pipeline and on a regular basis against your image repository to look for CVEs in your containers
52
Protecting Compute: reduce attack surface
- harden OSes, minimize components, libraries and externally consumable services
- develop a threat model to identify entry points
53
Protecting Compute: AWS Systems Manager
- automates the management, maintenance and deployment tasks for EC2 instances
- eliminates the need for bastion host access to instances
54
Protecting Compute: AWS CloudFormation
- can automate your infrastructure deployment and management tasks without using the AWS Management Console or APIs directly
55
Protecting Compute: Implement managed services
- Implement services that manage resources, such as Amazon RDS, AWS Lambda, and Amazon ECS, to reduce your security maintenance tasks as part of the shared responsibility model.
56
Data Classification
- provides a way to categorize data based on criticality and sensitivity in order to determine appropriate protection and retention controls
57
Data Classification types
- examples: public, private, sensitive (PCI, PII, HIPA), intellectual property, legally privileged
58
Data protection controls
- using resource tags, separate AWS accounts, IAM polices, SCPs, AWS KMS, and AWS CloudHSM can help you define and implement policies for data classification and encryption
59
AWS CloudHSM
- a cloud-based hardware security module (HSM) that enables you to generate and use and manage your own encryption keys on the AWS Cloud.
60
Data lifecycle management strategy
- should be based on sensitivity level, legal and organization requirements
- aspects should include the data retention duration, data destruction processes, data access management, data transformation and data sharing
- should reduce direct human access to the data, for example only allow access to the data via an application or provide dashboards and alerts to give visibility into the data
61
Amazon Macie
- automatically discovers, classifies and protects sensitive data
- provides dashboards for visibility into how the data is being used
62
Protecting Data at Rest: Tokenization
- process that defines a token to represent a sensitive piece of information
- the token must be meaningless on its own and must not be derived from the data it is tokeninzing
63
Protecting Data at Rest: Encryption and Masking
- encryption makes a piece of data unreadable without the secret key
- you can enforce encryption by setting polices on AWS services like S3 buckets or EC2 instances
- you can validate your encrypted storage resources using AWS Config Rules or AWS Security Hub
- masking allows part of a piece of data to be redacted to the point where the remaining data is not considered sensitive. For example, the last four digits of a CC number can be retained
64
AWS KMS
- managed encryption keys and integrates with many AWS services
- provides durable, secure and redundant storage for your master keys
- policies can be used to define key administrators and key users
- logs key use into AWS CloudTrail
65
Amazon S3 Glacier Vault Lock
- allows you to set polices that lock further changes, like WORM polices or data retention polcies
66
S3 Object Lock
- allows you to set WORM policies on S3 buckets for a fixed amount of time (retention period) or indefinitely (legal hold)
- object lock works in versioned buckets and applies to individual object versions
67
Amazon Certificate Manager (ACM)
- provides easy provisioning, management and deployment of public and private TLS certs
- integrates with many AWS resources
- can be used to deploy a private root CA which can issue certs to EC2 instances and containers
68
Enforcing encryption in transit
- AWS services provide HTTPS endpoints for their APIs
- HTTP can be audited and blocked in a VPC using security groups
- Amazon Cloud Front or Application Load Balancers can redirect traffic to HTTPS
69
AWS Virtual Private Network (VPN)
- establishes secure connections between on-premises networks, remote offices, client devices and the AWS global network
- comprised of AWS Site to site VPN and AWS Client VPN
- uses IPsec
70
Detecting unintended acces
- Amazon GuardDuty - detects attempts to move data outside defined boundaries
- Amazon VPC Flow Logs - capture network traffic information and can be used with Amazon EventBridge to trigger detection of abnormal connections
- S3 Access Analyzer - can help assess what data is accessible to who in your S3 buckets
71
Goals of Incident Response in Cloud environments
- establish response objectives, like containing and mitigating the issue, recovering the affected resources, preserving data for forensics
- document plans
- respond using the cloud
- know what you have and what you need, preserve logs, snapshots and other evidence
- use redeployment mechanisms, if a security anomaly is attributed to a misconfiguration, redeploy the resources with the proper configuration
- automate triage and response for repeat incidents. use human response for unique and sensitive incidents
- choose scalable solutions that reduce the time between detection and response
- run simulations to find gaps and improve processes
72
AWS Trusted Advisor
- tool that provides real time guidance to help provision resources following AWS best practices.
- helps optimize your AWS infrastructure, increase security and performance, reduce your overall costs, and monitor service limits
AWS
flashcards
Decks in class (6)
# Cards
