Module 6 - Security

Question 1

Shared Responsibility Model

Answer 1

AWS is responsible for some parts of your environment and the customer is responsible for other parts.

Question 2

Customer responsibilities

Answer 2

 “security in the cloud”.

 Customers responsible for security of everything they create and put in AWS Cloud.

 Customer maintains complete control over their content when using AWS services.

 Responsible for managing security requirements for your content.

• Which content you choose to store on AWS.
• Which AWS services you use.
• Who has access to that content.
• How access rights are granted, managed and revoked.

Question 3

Customer security steps factors

Answer 3

• Services that you use.
• Complexity of your systems.
• Company’s specific operational and security needs.

Question 4

Customer security steps include:

Answer 4

• Selecting, configuring and patching operating systems that will run on Amazon EC2 instances.
• Configuring security groups.
• Managing user accounts.

Question 5

AWS responsibilities

Answer 5

 “security of the cloud”.

 AWS responsible for security of the cloud.

 AWS operates, manages, and controls components at all layers of infrastructure.
• Host operating system.
• Virtualisation layer.
• Physical security of data centres from which services operate.

 AWS responsible for protecting global infrastructure that runs all of services offered in AWS Cloud.
• AWS Regions.
• Availability Zones.
• Edge locations.

	AWS manages security of cloud specifically physical infrastructure that hosts your resources.
•	Physical security of data centres.
•	Hardware and software infrastructure.
•	Network infrastructure.
•	Virtualisation infrastructure.

 AWS provides several reports from third-party auditors.
• Auditors verified compliance with variety of computer security standards and regulations.

Question 6

AWS Identity and Access Management (IAM)

Answer 6

• Enables you to manage access to AWS services and resources securely.
• Gives you flexibility to configure access based on your company’s specific operational and security needs.

Question 7

IAM features

Answer 7

 IAM users, groups, roles.
 IAM policies.
 Multi-factor authentication.

Question 8

AWS Account Root User

Answer 8

• Root user – first create an AWS account and begin identity.
o Accessed by signing in with email address and password that you used to create your AWS account.
o Complete access to all AWS services and resources in account.

Question 9

AWS Account Root User Best Practice

Answer 9

o Do not use root user for everyday tasks.
o Use root user to create first IAM user and assign it permissions to create other users.
o Continue to create IAM users and access those identities for performing regular tasks throughout AWS.
o Only use root user when need perform limited number of tasks only available to root user.
o E.g. changing root user email address, changing AWS support plan.

Question 10

IAM Users

Answer 10

• Identity you create in AWS.
• Represents person or application that interacts with AWS services and resources.
• Consists of name and credentials.
• Default – when you create new IAM user in AWS, has no permissions associated with it.
• Allow IAM user to perform specific actions in AWS – must grant IAM user necessary permissions.

Question 11

IAM Users Best Practice

Answer 11

o Create individual IAM users for each person who needs access AWS.
o Provides additional security by allowing each IAM user to have unique set of security credentials.

Question 12

IAM Policies

Answer 12

• Document that allows/denies permissions to AWS services and resources.
• Enable you to customise users’ levels of access to resources

Question 13

IAM Policies Best Practice

Answer 13

o Follow security principle of least privilege when granting permissions.

o Help prevent users/roles from having more permissions than needed to perform tasks.

Question 14

IAM Groups

Answer 14

• Collection of IAM users.
• Assign IAM policy to group – all users in group granted permissions specified by policy.

• Assigning IAM policies at group level makes it easier to adjust permissions when employee transfers to different job.
o Ensures employees have only permissions that are required for their current role.

Question 15

IAM Roles

Answer 15

• Identity that you can assume to gain temporary access to permissions.
• Before IAM user, application, or service can assume IAM role – must be granted permissions to switch to role.
• Someone assumes IAM role – abandon all previous permissions they had under previous role and assume permissions of new role.

Question 16

IAM Roles Best Practice

Answer 16

o IAM roles ideal for situations in which access to services or resources needs to be granted temporarily, instead of long-term.

Question 17

Multi-Factor Authentication

Answer 17

Provides extra layer of security for AWS account.

Question 18

AWS Organisations

Answer 18

• Use to consolidate and manage multiple AWS accounts within central location.
• Create organisation – AWS Organisations automatically creates root which is parent container for all accounts in your organisation.
• Consolidated billing another feature of AWS Organisations.

Question 19

Service Control Policies (SCPs)

Answer 19

enable you to place restrictions on AWS services, resources, and individual API actions that users and roles in each account can access.
o Centrally control permissions for accounts in organisation.

Question 20

Organisational Units (OUs)

Answer 20

• Can group accounts into organisational units (OUs).
o Make easier to manage accounts with similar business/security requirements.
o More easily isolate workloads/applications that have specific security requirements.
• Apply policy to OU.
o All accounts in OU automatically inherit permissions specified in policy.

Question 21

Compliance

Answer 21

AWS Artifact

Customer Compliance Centre

Question 22

AWS Artifact

Answer 22

• Service that provides on-demand access to AWS security and compliance reports and select online agreements.

Two sections: AWS Artifact Agreements + AWS Artifact Reports

Question 23

AWS Artifact Agreements

Answer 23

 Review, accept and manage agreements for an individual account and for all your accounts in AWS Organisations.

 Different types agreements offered to address needs of customers subject to specific regulations.

Question 24

AWS Artifact Reports

Answer 24

 Provide compliance reports from third-party auditors.

 Auditors tested and verified AWS is compliant with variety of global, regional and industry-specific security standards and regulations.

 Remains up to date with latest reports released.

 Can provide AWS audit artifacts to your auditors/regulators as evidence of AWS security controls.

Question 25

Customer Compliance Centre

Answer 25

* Contains resources to help you learn more about AWS compliance. * Can read customer compliance stories to discover how companies in regulated industries solved various compliance, governance, and audit challenges.

Question 26

Customer Compliance Centre Whitepapers and Documentation

Answer 26

o AWS answers to key compliance questions. o An overview of AWS risk and compliance. o An auditing security checklist.

Question 27

Customer Compliance Centre Auditor Learning Path

Answer 27

o Designed for individuals in auditing, compliance, legal roles who want to learn more about how their internal operations demonstrate compliance using AWS Cloud.

Question 28

Denial-of-service (DoS) Attacks

Answer 28

Deliberate attempt to make a website or application unavailable to users.

Question 29

Distributed Denial-of-service Attacks (DDoS)

Answer 29

* Multiple sources used to start an attack that aims to make website/application unavailable. * Group of attackers or single attacker. * Single attacker can use multiple infected computers (“bots”) to send excessive traffic to website or application.

Question 30

AWS Shield

Answer 30

Service that protects applications against DDoS attacks. AWS Shield Standard AWS Shield Advanced

Question 31

AWS Shield Standard

Answer 31

 Automatically protects all AWS customers at no cost.  Protects your AWS resources from most common types of DDoS attacks.  Uses variety of analysis techniques to detect malicious traffic in real time and automatically mitigates it.

Question 32

AWS Shield Advanced

Answer 32

 Paid service that provides detailed attack diagnostics and ability to detect and mitigate sophisticated DDoS attacks.  Integrates with other services: • Amazon CloudFront. • Amazon Route 53. • Elastic Load Balancing.  can integrate AWS Shield with AWS WAF by writing custom rules to mitigate complex DDoS attacks.

Question 33

Additional Security Services

Answer 33

AWS Key Management Service (AWS KMS) AWS WAF Amazon Inspector Amazon GuardDuty

Question 34

AWS Key Management Service (AWS KMS)

Answer 34

• Enables you to perform encryption operations through use of cryptographic keys. o Random string of digits used for locking (encrypting) and unlocking (decrypting) data. o Can use AWS KMS to create, manage, and use cryptographic keys. o Control use of keys across wide range of services and in your applications. • Can choose specific levels of access control you need for your keys. o Can temporarily disable keys so that they are no longer in use by anyone. * Keys never leave AWS KMS and you are always in control of them. * must ensure applications’ data is secure while in storage (encryption at rest) and while it is transmitted (encryption in transit).

Question 35

Amazon Inspector

Answer 35

• Helps to improve security and compliance of applications by running automated security assessments. • Checks applications for security vulnerabilities and deviations from security best practices. o E.g. open access to Amazon EC2 instances and installations of vulnerable software versions. • After performed assessment – provides you with list of security findings. o List prioritises by severity level – including detailed description of each security issue and recommendation for how to fix it. • AWS does not guarantee provided recommendations resolves every potential security issue. • Shared responsibility model. o Customers responsible for security of their applications, processes, tools run on AWS services.

Question 36

Amazon GuardDuty

Answer 36

• Service that provides intelligent threat detection for your AWS infrastructure and resources. • Identifies threats by continuously monitoring network activity and account behaviour within your AWS environment. o GuardDuty begins monitoring your network and account activity. o Do not have to deploy/manage additional security software. o GuardDuty continuously analyses data from multiple AWS sources including VPC Flow Logs and DNS logs. o GuardDuty detects threats – can review detailed findings about them from AWS Management Console.  Findings include recommended steps for remediation.  Can configure AWS Lambda functions to take remediation steps automatically in response to GuardDuty’s security findings.