Term
| What are the 6 tenets of the Security pillar in the Well-Architected Framework? |
|
Definition
1. IAM 2. Data stewardship 3. Network security 4. Application security 5. Compliance 6. Security management |
|
|
Term
| Responsible for security "in" the cloud |
|
Definition
|
|
Term
| Responsible for security "of" the cloud |
|
Definition
|
|
Term
| Identity and Access Management (IAM) |
|
Definition
| The key AWS service for identity and access management; it allows you to assign granular permissions to users, user groups, and IAM roles, which can in turn be assigned to resources and applications |
|
|
Term
| Principle of least privilege |
|
Definition
| Only grant the permissions needed to complete a task |
|
|
Term
| MFA is part of IAM. What does it do? |
|
Definition
| It secures the root user and any other users. |
|
|
Term
|
Definition
| Give permissions to users; can be assigned to user groups instead of assigning permissions individually |
|
|
Term
|
Definition
| Identifies resources with external access, validates IAM Policies, and generates IAM Policies based on usage |
|
|
Term
|
Definition
| Tests new IAM policies before granting them to users, user groups, and roles |
|
|
Term
|
Definition
| AWS can use another identity source to grant permissions to human users by leveraging an organization's existing authentication directory, like Microsoft AD. |
|
|
Term
|
Definition
| AWS service used to connect your AWS ecosystem with an existing non-AWS identity source that an organization already uses (e.g., Microsoft AD) |
|
|
Term
|
Definition
| Allows AWS users to leverage SSO to temporarily assume a role each time they log in |
|
|
Term
|
Definition
| Using a third-party web identity provider to verify the identity of the user requesting access to AWS resources. Amazon Cognito is the AWS version |
|
|
Term
|
Definition
| Amazon's offering of Web Federated Identity. Creates user pools and grants temporary keys to customers to give them access to your application by leveraging social or enterprise identity providers for authentication. Think: the option of logging into an app with Facebook, Gmail, etc. |
|
|
Term
| Security Token Service (STS) |
|
Definition
| Creates temporary permissions to a temporary role for the defined AWS account |
|
|
Term
| Systems Manager Parameter Store |
|
Definition
| Keeps encrypted secrets like login credentials or environment variables |
|
|
Term
|
Definition
| Adds another layer of security by allowing automatic rotation of your secrets (keys, passwords, etc.) |
|
|
Term
|
Definition
| Network access control lists |
|
|
Term
|
Definition
| Applied to VPCs and subnet layers; block all connections coming from inside or outside (stateless) without the proper security permissions |
|
|
Term
|
Definition
| Applied at the subnet layer for security; stateful, meaning the interaction is recalled by the system. If the connection originates from inside the subnet, the system allows the response because it remembers the interaction. |
|
|
Term
|
Definition
| Inspects traffic coming into your VPC; protects your AWS network resources such as VPCs and subnets |
|
|
Term
| AWS WAF (web application firewall) |
|
Definition
| Protects your web apps from common exploits such as SQL injection or cross-site scripting (i.e., it protects AWS endpoints) |
|
|
Term
|
Definition
| Protects web application endpoints against DDoS attacks; included in the AWS Free Tier. |
|
|
Term
|
Definition
| Provides additional protection and a 24/7 response team |
|
|
Term
|
Definition
| Manages AWS WAF, AWS Shield, and AWS Network Firewall all in one place |
|
|
Term
|
Definition
| A central place where findings across your AWS security services are sent |
|
|
Term
| How does Security Hub work? |
|
Definition
| By aggregating security findings from many security services all in one place conveniently for you to review and take action |
|
|
Term
| How do you enable AWS Security Hub? |
|
Definition
| Within the AWS console; Resource recording must be turned on with AWS Config first. Then you can select the services you'd like to run checks against. |
|
|
Term
| What are the four horsemen of AWS security event services? |
|
Definition
| AWS Trusted Advisor, Amazon Inspector, Amazon GuardDuty, and Amazon Detective |
|
|
Term
|
Definition
| Gives you best practice suggestions for all kinds of things: MFA, resources exposed, security, performance, operational excellence, cost optimization, etc. |
|
|
Term
|
Definition
| Collects activity logs from around AWS and uses ML to intelligently detect threats by analyzing logs such as CloudTrail |
|
|
Term
|
Definition
| Investigates security events that have already happened and helps you understand the degree of damage done |
|
|
Term
|
Definition
| Continuously scans compute workloads for software vulnerabilities and unintended network exposure, and alerts you if it finds any; i.e., it detects workload vulnerabilities. |
|
|
Term
| What are 3 security resources for AWS (aka the security dojo)? |
|
Definition
| - AWS Cloud Security landing page
- AWS Security blog: updated innovation and announcements around cloud security
- AWS Marketplace: find pre-built security solutions from 3rd-party vendors; not all security solutions should be custom-built! |
|
|
Term
|
Definition
| Administers multiple AWS accounts from a single point, consolidating cost while organizing and limiting access to resources |
|
|
Term
| What is the relationship of an AWS Organization with the accounts within it? |
|
Definition
| Parent-child. Whatever permissions/rules are applied at the Organization level are inherited at the Account level |
|
|
Term
| Service Control Policies (SCPs) |
|
Definition
| Control which actions are allowed across your organization. Think of SCPs as the "evil twin" of IAM: regardless of the permissions granted by IAM Policies, an SCP will negate that ability. SCPs can't be overridden by IAM Policies. |
|
|
Term
|
Definition
| Automates account creation and the application of best-practice Config rules and SCPs. Related to AWS Organizations and to setting up an Organization. |
|
|
Term
| Security Hub + Organizations = ??? |
|
Definition
| A centralized view of security alerts across multiple accounts |
|
|
Term
|
Definition
| Knowing what standards to implement and how to prove those standards are enforced to third parties |
|
|
Term
|
Definition
| A repository of compliance documents that you can download and provide to auditors, regulators, or to inform your cloud architecture |
|
|
Term
|
Definition
| Automate assessments against frameworks to meet common compliance standards |
|
|
Term
| Security Token Service (STS) |
|
Definition
| Enables you to request temporary credentials for users such as auditors |
|
|
Term
| What are some AWS services that are not in scope for compliance programs like FIPS 140-2 Level 3 and HIPAA? |
|
Definition
| KMS does not meet FIPS 140-2 Level 3, and HIPAA prevents the transfer of data over the public internet, so you have to use Snowball Edge |
|
|
Term
| Whose responsibility does compliance ultimately fall under? |
|
Definition
|
|