What are the resposibily of AWS?
- Security of the Cloud
- Manged Services (Lambda, S3, etc)
Page 332
What are the responsibilies of Customer?
- The Data in AWS
- Manage all the services that are no Managed by AWS, like services on EC2 Instances.
- Security data, encrypting data
Page 332
What are the share responnsibility of AWS and Customer?
- Patch Managmet
- Configuration Managment
- Awareness
- Trainning
Page 332
What is a DDOS Attack?
Distributed Denail of Service.
Happens when the service receive high level of work from several sources (Bots) with the intention of running out the resources of the platform.
Page 336
Does AWS Shield Standar works against DDoS?
Yes, it works for Apps and Websites
Page 337
What is the difference between AWS Shield and AWS Shield Advance?
- AWS Shield Advance provides a 24/4 premium protection.
- In AWS Shield standar, you will have a fee on Highe Loads.
Page 337
Does AWS WAF works against DDoS Attack?
Yes, AWS Web Application Firewall work filtering requests on base of rules.
Page 337
How Cluoud Route 53 can be used against DDoS Attaks?
- Distributing all the load along several servers, avoidin concentrate all the trafin in one server.
- It is impleenting on the edge, providing a high level security along with AWS Shield.
Page 337
Auto Scaling is a good thecnic agains DDoS Attack?
Yes, you can increase you capacity accoriding the load but you must specify a limit.
Page 337
Talking about OSI Model, what are the Layers where AWS Shield works with?
On Layer 3 (TCP) and 4 (Internet)
Page 339
Talking about OSI Model, what are the Layers where AWS WAF works with?
Layer 7 (Application/HTTP Layer) HTTP Protocol is considered as a Application Protocol.
page 340
On what of these services is deployed AWS WAF?
a. EC2
b. Application Lod Balancer
c. ECS
d. Route53
e. API Gateway
f. NACL
g. CloudFront
h. AWS AppSync
i. Amazon Cognito resources.
B. Application Load Balancer (Works with HTTP requests)
E. API Gateway (Works with HTTP requests)
G, H, I. Are service management as a Webservice.
Page 340
What is Web ACL?
Web Access Control List
It’s a set of configuratioon of AWF where you can filter with more detail:
+ By IP
+ By Coutnry Origin
+ String match or regular expression (regex) match in a + part of the request
+ Size of a particular part of the request
+ Detection of malicious SQL code or scripting
+ Frequency, against DDoS.
Basicaly, it analize most of the HTTP Request to see if it meets some of these filtered characteritics.
Page 340
https://docs.aws.amazon.com/waf/latest/developerguide/web-acl.h
What is Penetration Testing on AWS?
It’s a simulated cyber attack against your computer system to check for exploitable vulnerabilities.
Stages:
1. Planning and reconnaissance. Define de Goal of the attack
2. Scanning. Assesment how the system response againts attaks.
3. Gain Access. Evaluate if it’s possible access to the system.
4. Maintaning Access. Evaluate how long can the intrution has been accessed.
5. Analysis and WAF Configuration. With the outcomes, set the proper configurations on WAF.
Page 341
https://www.imperva.com/learn/application-security/penetration-testing/
What are Data in Rest and Data in Transit?
Data in Rest: Any data that is kept/stored/achived.
Data in Transit: Any data that is travelint long communication paths, like public or private networks.
Page 343
What are Encryption Keys?
They’re keys to encrypt and decrypt data in motion or rest.
What is AWS KMS
AWS Key Management Service
+ It’s the manager for Encryption Keys
+ All the keys are managed for all the AWS services.
Page 344
What are the three services that automaticaly encrypt data?
- AWS CloudTrail Logs
- S3 Glacier
- Storage Gateway
All other services are optional to encrypt.
Page 344
What is CloudHSM
It’s the same that AWS KMS but onpremise.
AWS Doesn’t manage you KMS, but you.
Page 345
https://aws.amazon.com/es/cloudhsm/
What are the types of Customer Master Keys (CMK)?
- Customer Managed CMK. Customer has the full control of the keys.
- AWS managed CMK. Keys that AWS created for our behalf (beneffit).
- AWS owned CMK. They’re the keys created and managed by AWS for itself.
- Cloud HSM Keys. All the keys generate by you own CloudHSM.
Page 347
https://docs.aws.amazon.com/kms/latest/developerguide/concepts.html
What is ACM?
AWS Certified Manager
+ Provides and provisioning TLS/SSL Certificates.
+ Performes autorenewal of certificates.
+ Support public and private certificates.
Page 348
Which services can use ACM?
+ Elastic Load Balancer
+ CloudFront Distributions
+ API On Gateway
Page 348
What is AWS Secret Manager?
+ It’s a storage to keep all kind of private credentials from AWS or 3rths.
+ It can be integrated with Amazon RDS.
+ Secrets are encrypted with KMS.
+ It can rotate secrets, avoiding static secrets.
Page 348
What is AWS Artifact?
It’s a Portal where you can check and download compliance documentation and AWS agreements
It’s useful to support internal audit or compliance.
Page 350
-
Whats Cloud Computing23
-
IAM40
-
EC2 (Elastic Compute Cloud)35
-
EC2 Instance Storage21
-
Elastic Load Balancing & Auto Scaling Groups Section19
-
**AWS S3**63
-
Databases & Analytics31
-
ECS (Elastic Container Service)20
-
Deploying and Managing Infrastructure at Scale24
-
Global Infrastructure26
-
Cloud Integration7
-
Cloud Monitoring22
-
VPC34
-
Security & Compliance42
-
Machine Learning11
-
Account Management, Billing & Support Pt 133
-
Leadership Principles16
