What is AWS responsible for in the AWS Cloud infrastructure?
Protecting the infrastructure that runs the services
What is the customer responsible for in AWS services?
Everything they decide to do with the services offered by AWS
What should be considered when looking for solutions in AWS?
Total cost of ownership
What is the Shared Responsibility Model in AWS?
Division of responsibilities between AWS and the customer
What are Security Certifications & Attestations in AWS?
Independent assessments and attestations to provider's capacity for industry-specific workloads
What is a certification in AWS Security Certifications & Attestations?
Issued by an accredited specialized company, lasts 1-3 years, snapshot in time
What is an attestation in AWS Security Certifications & Attestations?
Focuses on continuous implementation, attests evidence of appropriateness and effectiveness over time
What is HIPAA/HITECH in AWS Security Certifications & Attestations?
Certification for handling medical data
What is ISO/IEC 27001:2022 in AWS Security Certifications & Attestations?
Security management standard specifying best practices for security controls
What is FIPS 140-2 Level 3 in AWS Security Certifications & Attestations?
U.S. government security standard for approving cryptographic modules
What is Cloud Computing Compliance Controls Catalog (C5) in AWS Security Certifications & Attestations?
German Government Backed attestation scheme by BSI
What is the implication for cloud engineers in AWS regarding different services for the same tasks?
Ensuring the entire application adheres to the required standard
What does AWS IAM allow you to define in one central place?
Who can access what
What does AWS IAM provide for defining access control?
Roles, users, groups, policies (and resource policies)
What does AWS Identity and Access Management (IAM) focus on?
Defining access control for AWS services
What does AWS IAM User EC2 provide access to?
CLI, Web, SDKs
What does AWS IAM allow you to define?
Who can access what in one central place
What components does AWS IAM provide for defining access control?
Roles, users, groups, policies (and resource policies)
What can a user do with AWS IAM?
Assume a role for temporary credentials
What is recommended when managing access with AWS IAM?
Use temporary credentials
What is the Principle of Least Privilege?
Aim for providing minimal required permissions
What tool can be used to iterate on permissions in AWS?
AWS Policy Analyzer
How can user pools be federated with existing AD providers in AWS IAM?
Through Identity Federation
What does AWS CloudTrail allow you to monitor?
Requests for resources in your account
Why is splitting workloads into multiple accounts recommended?
Provides security, access, and billing boundaries
What are guardrails in AWS multi-account setups?
Governance rules to enforce compliance
What are the two types of guardrails for enforcing compliance?
Preventive and Detective
What is implemented with Service Control Policies for preventive guardrails?
Preventive guardrails
What allows consolidation of multiple accounts into organizational units and central management?
AWS Organizations
What service allows central management of access to AWS accounts with temporary credentials?
IAM Identity Center
What combines AWS Organizations with other services for multi-account setup management?
AWS Control Tower
What should be enabled for users to enhance security?
MFA
What are the requirements for secrets management?
Centralized storage, fine-grained access control, encryption at rest and in transit, secret rotation, integration with other services
What is a widespread authorization standard?
OAuth 2.0
Why is the implicit flow no longer considered safe?
Security risks
What is the authentication/authorization service that covers OAuth 2.0, OICD, and SAML standards?
Cognito
What are some Authentication Authorization Standards mentioned in the text?
OAuth 2.0, OICD, SAML
What is the current version of Apache Webserver Project mentioned in the text?
v.2.4.59
What is the purpose of Patch Management in the context of application security?
To find and install patches to protect against vulnerabilities
What is Configuration Management responsible for ensuring?
That the configuration of managed systems conforms to security requirements
What service provided by AWS helps define configurations for managed nodes and reapply them automatically?
Systems Manager
What is the recommended approach for managing configuration and deploying it together with the application or infrastructure?
Configuration should be managed as code
What is the advice given regarding patching of systems?
Automate it
What are some tools mentioned for automated patch management in the software development life cycle?
Dependabot, Renovate
What does Data in Transit refer to in the context of encrypted communication?
Data sent from A to B
What is recommended to be used for encrypted communication to ensure secure data transfer?
TLS
What AWS service can be used to provision/manage certificates for AWS workloads?
AWS Certificate Manager
What does Encryption at Rest mean in terms of data protection?
Storing data encrypted both at rest
What is the central key management service used for Encryption at Rest in AWS?
AWS KMS
What is recommended for auditing key usage and implementing automated anomaly detection for Encryption at Rest?
CloudTrail
What should be leveraged for fine-grained permission control to KMS keys in AWS?
IAM
What is the purpose of CloudTrail?
Implement automated anomaly detection for auditory, regulatory, and compliance needs
How can IAM be leveraged for permission control to KMS keys?
Fine grained permission control
What does the EU Datenschutzverordnung require by default?
Datensparsamkeit
How long should data be archived for compliance reasons?
10 years
What are some AWS solutions for data protection and lifecycle management?
S3 IA, S3 Glacier, Lifecycle policies, DDB TTL, Amazon Data Lifecycle Manager
What are the different types of DDoS attacks based on layers of the OSI model?
Layer 7 attacks (exhaust target's resources), Layer 3 or 4 attacks (exhaust state of resources or network equipment), Volumetric attacks (consume all available bandwidth)
What are some mitigation options for DDoS attacks?
Blackhole routing, rate limiting, overprovisioning, building resilient applications with Firewalls and content delivery networks, AWS WAF, AWS Shield, Shield Advanced
What is the concept of Zero Trust in network security?
Consider each application and component as discrete entities, don't trust anyone on the network
How are VPCs used to model networks in AWS?
Logically separated virtual networks with specific IP address ranges, contain subnets for further isolation
Why is it recommended to have one subnet per availability zone?
For redundancy and fault resilience
What is the purpose of separating applications into separate subnets?
For more fine-grained segmentation
What is the benefit of having multiple subnets spread throughout Availability Zones (Azs)?
Better distribution of resources for redundancy and fault tolerance
How does using NAT Gateways enhance security in a network setup?
Allows subnets to access the internet without exposing them directly via Route Tables
What is the purpose of VPC endpoints in AWS network security?
Ensures private traffic to AWS resources without going through the internet
What is the role of Flow logs in network security?
Capture and monitor IP traffic for analysis and security auditing
What is Network Access Control Lists (NACL) in AWS?
A control layer on the subnet/VPC level acting as a stateless firewall with inbound and outbound rules
How are rules evaluated in Network Access Control Lists (NACL)?
In order, starting from the lowest numbered rule, with only the first matching rule being applied
What is the purpose of Security Groups in AWS network security?
Provide fine-grained access control to AWS resources at the instance level
What is the key difference between NACLs and Security Groups in AWS?
NACLs are subnet/VPC level controls, while Security Groups are instance level controls
How can you verify the accessibility and security of an application in AWS network setup?
Use Reachability Analyzer, VPC Network Access Analyzer, and VPC Flow Logs for analysis and monitoring
What is the importance of combining network separation with account separation for security?
Enhances security by adding multiple layers of protection and access control
What is the recommended approach for maintaining system security in AWS?
Constantly monitor, analyze, and adapt security measures at all levels of the infrastructure
What is the significance of considering the total cost of ownership in system security?
Maintenance costs can be unexpectedly high, so it's important to factor in all expenses including security measures
What is the advice regarding the use of managed services in maintaining system security?
Prefer managed services to reduce operational overhead and ensure security updates are managed by experts
What is the importance of automation in maintaining system security?
Automate security processes to reduce human errors and ensure consistent application of security policies
What should be ensured regarding compliance requirements in the technology stack?
Ensure the entire technology stack adheres to compliance regulations and standards to avoid security breaches and penalties
What is AWS responsible for in the AWS Cloud infrastructure?
Protecting the infrastructure that runs the services
What is the customer responsible for in AWS services?
Everything they decide to do with the services offered by AWS
What is the Shared Responsibility Model in AWS?
Division of responsibilities between AWS and the customer
What are Security Certifications & Attestations in AWS?
Independent assessments and attestations to provider's capacity for industry-specific workloads
What is a certification in AWS Security Certifications & Attestations?
Issued by an accredited specialized company, lasts 1-3 years, snapshot in time
What is an attestation in AWS Security Certifications & Attestations?
Focuses on continuous implementation, attests evidence of appropriateness and effectiveness over time
What is HIPAA/HITECH in AWS Security Certifications & Attestations?
Certification for handling medical data
What is ISO/IEC 27001:2022 in AWS Security Certifications & Attestations?
Security management standard specifying best practices for security controls
What is FIPS 140-2 Level 3 in AWS Security Certifications & Attestations?
U.S. government security standard for approving cryptographic modules
What is Cloud Computing Compliance Controls Catalog (C5) in AWS Security Certifications & Attestations?
German Government Backed attestation scheme by BSI
What is the implication for cloud engineers in AWS regarding different services for the same tasks?
Ensuring the entire application adheres to the required standard
What does AWS IAM provide for defining access control?
Roles, users, groups, policies (and resource policies)
What does AWS Identity and Access Management (IAM) focus on?
Defining access control for AWS services
What components does AWS IAM provide for defining access control?
Roles, users, groups, policies (and resource policies)
Why is splitting workloads into multiple accounts recommended?
Provides security, access, and billing boundaries
What allows consolidation of multiple accounts into organizational units and central management?
AWS Organizations
What service allows central management of access to AWS accounts with temporary credentials?
IAM Identity Center
What combines AWS Organizations with other services for multi-account setup management?
AWS Control Tower
What are the requirements for secrets management?
Centralized storage, fine-grained access control, encryption at rest and in transit, secret rotation, integration with other services
What is the authentication/authorization service that covers OAuth 2.0, OICD, and SAML standards?
Cognito
What is the purpose of Patch Management in the context of application security?
To find and install patches to protect against vulnerabilities
What is Configuration Management responsible for ensuring?
That the configuration of managed systems conforms to security requirements
What service provided by AWS helps define configurations for managed nodes and reapply them automatically?
Systems Manager
What is the recommended approach for managing configuration and deploying it together with the application or infrastructure?
Configuration should be managed as code
What are some tools mentioned for automated patch management in the software development life cycle?
Dependabot, Renovate
What AWS service can be used to provision/manage certificates for AWS workloads?
AWS Certificate Manager
What is recommended for auditing key usage and implementing automated anomaly detection for Encryption at Rest?
CloudTrail
What is the purpose of CloudTrail?
Implement automated anomaly detection for auditory, regulatory, and compliance needs
What are some AWS solutions for data protection and lifecycle management?
S3 IA, S3 Glacier, Lifecycle policies, DDB TTL, Amazon Data Lifecycle Manager
What are the different types of DDoS attacks based on layers of the OSI model?
Layer 7 attacks (exhaust target's resources), Layer 3 or 4 attacks (exhaust state of resources or network equipment), Volumetric attacks (consume all available bandwidth)
What are some mitigation options for DDoS attacks?
Blackhole routing, rate limiting, overprovisioning, building resilient applications with Firewalls and content delivery networks, AWS WAF, AWS Shield, Shield Advanced
What is the concept of Zero Trust in network security?
Consider each application and component as discrete entities, don't trust anyone on the network
How are VPCs used to model networks in AWS?
Logically separated virtual networks with specific IP address ranges, contain subnets for further isolation
What is the purpose of separating applications into separate subnets?
For more fine-grained segmentation
What is the benefit of having multiple subnets spread throughout Availability Zones (Azs)?
Better distribution of resources for redundancy and fault tolerance
How does using NAT Gateways enhance security in a network setup?
Allows subnets to access the internet without exposing them directly via Route Tables
What is the purpose of VPC endpoints in AWS network security?
Ensures private traffic to AWS resources without going through the internet
What is the role of Flow logs in network security?
Capture and monitor IP traffic for analysis and security auditing
What is Network Access Control Lists (NACL) in AWS?
A control layer on the subnet/VPC level acting as a stateless firewall with inbound and outbound rules
How are rules evaluated in Network Access Control Lists (NACL)?
In order, starting from the lowest numbered rule, with only the first matching rule being applied
What is the purpose of Security Groups in AWS network security?
Provide fine-grained access control to AWS resources at the instance level
What is the key difference between NACLs and Security Groups in AWS?
NACLs are subnet/VPC level controls, while Security Groups are instance level controls
How can you verify the accessibility and security of an application in AWS network setup?
Use Reachability Analyzer, VPC Network Access Analyzer, and VPC Flow Logs for analysis and monitoring
What is the importance of combining network separation with account separation for security?
Enhances security by adding multiple layers of protection and access control
What is the recommended approach for maintaining system security in AWS?
Constantly monitor, analyze, and adapt security measures at all levels of the infrastructure
What is the significance of considering the total cost of ownership in system security?
Maintenance costs can be unexpectedly high, so it's important to factor in all expenses including security measures
What is the advice regarding the use of managed services in maintaining system security?
Prefer managed services to reduce operational overhead and ensure security updates are managed by experts
What is the importance of automation in maintaining system security?
Automate security processes to reduce human errors and ensure consistent application of security policies
What should be ensured regarding compliance requirements in the technology stack?
Ensure the entire technology stack adheres to compliance regulations and standards to avoid security breaches and penalties
Are you sure you want to delete 0 flashcard(s)? This cannot be undone.
Select tags to remove from 0 selected flashcard(s):
Loading tags...