Security & Compliance

Question 1

What is the Shared Responsibility Model?

Answer 1

Simplified Definition:
The Shared Responsibility Model defines what you (as an AWS account holder/user) and Amazon Web Services are responsible for when it comes to security and compliance.

AWS Definition:
Security and compliance is a shared responsiblity between AWS and the customer. This shared model can help relieve ducomster’s operational burden as AWS operates, manages, and controls the componets from the host operating system and virtualization layer down to the physical security of the facilities in which the service operates. The customer assumes responsiblity and amangement of the guest operating system (including updates and security patches), other associated application software as well as the configuration of the AWS provided security group firewall.

Question 2

What is the cusotmer responsible for under the Shared Responsibility Model?

Answer 2

Customer is responsible for security “in” the cloud. Includes:

• Customer data,
• Platform, applications, identity and access management.
• Operating system, network, & firewall configuration.
• Client-side data encription & data integrity authentication
• Server-side encryption (file system and/or data)
• Networking traffic protection (encryption, integriy, identity)

Question 3

What is AWS responsible for under the Shared Responsibility Model?

Answer 3

AWS is responsible for security “of” the cloud:

• Software inlcuding, compute, storage, database, networking.
• Hardware/AWS Global Infrastructure including, regions, availability zones, edge locations.

Question 4

What 8 services does Amazon allow customers to carry out security assessment or penetration tests without prior approval?

Answer 4

1. EC2 isntances, NAT Gatewarys, and Elastic Load Balancers.
2. RDS
3. CloudFront
4. Aurora
5. API Gateways
6. Lambda and Lambda Edge functions
7. Lightsail resources
8. Elastic Beanstalk environments

Question 5

Which security assessment or penetration tests does Amazon NOT allow customers to carry out ?

Answer 5

1. DNS zone walking via Route 53 hosted zones.
2. Denial of Service (DoS), distributed denial of service (DDoS), simulated DoS, simulated DDoS
3. Port flooding
4. Protocol flooding
5. Request flooding (login request flooding, API request flooding)

Question 6

6 other AWS security-related services?

Answer 6

1. AWS Organizations
2. Amazon GuardDuty
3. Amazon Inspector
4. AWS Shield
5. AWS Web Application Firewall (WAF)
6. AWS Artifact

Question 7

What is AWS Organizations?

Answer 7

AWS Organizations allows for centralized management of AWS accounts and billing, but it can also define policies that restrict, at the account level, what services and actions member accounts may take.

Question 8

What is Amazon GuardDuty?

Answer 8

Amazon GuardDuty is a threat detection service that provides a way to continuously monitor and protect AWS accounts and workloads. GuardDuty uses threat intelligence feeds to detect threats to the environment. GuardDuty is designed to actively protect the environment from threats.

Question 9

What is Amazon Inspector?

Answer 9

Amazon Inspector analyzes the VPC environment for potential security issues. Inspector uses a defined template and assesses the environment. It provides the findings and recommends steps to resolve any potential security issues found.

Question 10

What is AWS Shield?

Answer 10

AWS Shield provides management DDoS protection. DDoS attacks happen when multiple compromised systems attempt to flood a target with traffec. That target could be DNS, a web application, or a network.

Question 11

What is AWS Web Application Firewall (WAF)?

Answer 11

WAF monitors web requests forwarded by an ELB, CloudFront, or API Gateway. WAF can allow or deny access to content based on specified conditions.

Question 12

What is AWS Artifact?

Answer 12

AWS Artifact is a portal that provides access to AWS’ compliance documentation, such as payment card industry (PCI) and ISO certifications, and System and Organization Control (SOC) reports.

Question 13

What does KMS stand for?

Answer 13

Key Management Service

Question 14

What is Key Management Service (KMS)?

Answer 14

AWS KMS enables encryption of data and provides centralized encryption key storage, management, and auditing. The data may be encrypted for use with applications or to encrypt data stored on AWS.

Question 15

Key facts about KMS?

Answer 15

Key Management Storage:

• Keys may be generated in KMS, in an AWS CloudHSM hardware cluster, or you may import keys from your own encryption key service.
• Data is submitted directly to KMS for encryption/decryption using the master keys.
• KMS integrates with other AWS services, including:
• S3 and Glacier
• Storage Gateway
• EBS and RDS
• DynamoDB
• SNS
• CloudTrail