Security & Compliance Section

Question 1

Responsibility - EC2

Answer 1

• For EC2 instance, customer is responsible for management of the guest OS
(including security patches and updates), firewall & network configuration, IAM
• Encrypting application data

Question 2

Responsibility - RDS

Answer 2

AWS responsibility:
• Manage the underlying EC2 instance, disable SSH access
• Automated DB patching
• Automated OS patching
• Audit the underlying instance and disks & guarantee it functions

Your responsibility:
• Check the ports / IP / security group inbound rules in DB’s SG
• In-database user creation and permissions
• Creating a database with or without public access
• Ensure parameter groups or DB is configured to only allow SSL connections
• Database encryption setting

Question 3

Responsibility - S3

Answer 3

AWS responsibility:
• Guarantee you get unlimited storage
• Guarantee you get encryption
• Ensure separation of the data between different customers
• Ensure AWS employees can’t access your data

Your responsibility: 
• Bucket configuration 
• Bucket policy / public setting 
• IAM user and roles 
• Enabling encryption

Question 4

AWS Shield Standard

Answer 4

• Free service that is activated for every AWS customer
• Provides protection from attacks such as SYN/UDP Floods, Reflection attacks
and other layer 3/layer 4 attacks

Question 5

AWS Shield Advanced

Answer 5

• Optional DDoS mitigation service ($3,000 per month per organization)
• Protect against more sophisticated attack on Amazon EC2, Elastic Load
Balancing (ELB), Amazon CloudFront, AWS Global Accelerator, and Route 53
• 24/7 access to AWS DDoS response team (DRP)
• Protect against higher fees during usage spikes due to DDoS

Question 6

AWS WAF – Web Application Firewall

Answer 6

• Protects your web applications from common web exploits (Layer 7)
• Layer 7 is HTTP (vs Layer 4 is TCP)
• Deploy on Application Load Balancer, API Gateway, CloudFront

Question 7

WAF can define Web ACL (Web Access Control List)

Answer 7

• Rules can include IP addresses, HTTP headers, HTTP body, or URI strings
• Protects from common attack - SQL injection and Cross-Site Scripting (XSS)
• Size constraints, geo-match (block countries)
• Rate-based rules (to count occurrences of events) – for DDoS protection

Question 8

Penetration testing without approval (8 services)

Answer 8

• Amazon EC2 instances, NAT Gateways, and Elastic Load Balancers
• Amazon RDS
• Amazon CloudFront
• Amazon Aurora
• Amazon API Gateways
• AWS Lambda and Lambda Edge functions
• Amazon Lightsail resources
• Amazon Elastic Beanstalk environments

Question 9

AWS KMS

Answer 9

• KMS = AWS manages the encryption keys for us

Encryption Opt-in:
• EBS volumes: encrypt volumes
• S3 buckets: Server-side encryption of objects
• Redshift database: encryption of data
• RDS database: encryption of data
• EFS drives: encryption of data

Encryption Automatically enabled:
• CloudTrail Logs
• S3 Glacier
• Storage Gateway

Question 10

CloudHSM

Answer 10

• Dedicated Hardware (HSM = Hardware Security Module)

* You manage your own encryption keys entirely (not AWS)

Question 11

Types of CMK (Customer Master Keys)

Answer 11

Customer Managed CMK:
• Create, manage and used by the customer, can enable or disable
• Possibility of rotation policy (new key generated every year, old key preserved)
• Possibility to bring-your-own-key

AWS managed CMK:
• Created, managed and used on the customer’s behalf by AWS
• Used by AWS services (aws/s3, aws/ebs, aws/redshift)

AWS owned CMK:
• Collection of CMKs that an AWS service owns and manages to use in multiple accounts
• AWS can use those to protect resources in your account (but you can’t view the keys)

CloudHSM Keys (custom keystore):
• Keys generated from your own CloudHSM hardware device
• Cryptographic operations are performed within the CloudHSM cluster

Question 12

AWS Certificate Manager (ACM)

Answer 12

• Lets you easily provision, manage, and deploy SSL/TLS Certificates
• Used to provide in-flight encryption for websites (HTTPS)
• Integrations with (load TLS certificates on): Elastic Load Balancers, CloudFront Distributions, APIs on API Gateway

Question 13

AWS Secrets Manager

Answer 13

• Automate generation of secrets on rotation (uses Lambda)
• Integration with Amazon RDS (MySQL, PostgreSQL, Aurora)
• Secrets are encrypted using KMS

Question 14

AWS Artifact

Answer 14

• Portal that provides customers with on-demand access to AWS compliance documentation and AWS agreements
• Artifact reports and agreements

Question 15

Amazon GuardDuty

Answer 15

• Intelligent Threat discovery to Protect AWS Account
• Uses Machine Learning algorithms, anomaly detection, 3rd party data
• One click to enable (30 days trial), no need to install software

Input data includes:
• CloudTrail Logs: unusual API calls, unauthorized deployments
• VPC Flow Logs: unusual internal traffic, unusual IP address
• DNS Logs: compromised EC2 instances sending encoded data within DNS queries

Question 16

Amazon Inspector

Answer 16

• Automated Security Assessments for EC2 instances
• Analyze the running OS against known vulnerabilities
• Analyze against unintended network accessibility
• AWS Inspector Agent must be installed on OS in EC2 instances
• After the assessment, you get a report with a list of vulnerabilities

Question 17

AWS Config

Answer 17

• Helps with auditing and recording compliance of your AWS resources
• Helps record configurations and changes over time
• Possibility of storing the configuration data into S3 (analyzed by Athena)
• AWS Config is a per-region service
• Can be aggregated across regions and accounts

Question 18

Amazon Macie

Answer 18

fully managed data security and data privacy service that uses machine learning and pattern matching to discover and protect your sensitive data in AWS (PII)

Question 19

AWS Security Hub

Answer 19

• Central security tool to manage security across several AWS accounts and
automate security checks
• Automatically aggregates alerts in predefined or personal findings formats from
various AWS services & AWS partner tools:
• GuardDuty
• Inspector
• Macie
• IAM Access Analyzer
• AWS Systems Manager
• AWS Firewall Manager
• AWS Partner Network Solutions

Question 20

Amazon Detective

Answer 20

• Amazon Detective analyzes, investigates, and quickly identifies the root
cause of security issues or suspicious activities (using ML and graphs)
• Automatically collects and processes events from VPC Flow Logs,
CloudTrail, GuardDuty and create a unified view
• Produces visualizations with details and context to get to the root cause

Question 21

AWS Abuse

Answer 21

Report suspected AWS resources used for abusive or illegal purposes