authentication
the process of verifying the identity of a user/entity through credentials like a username/password
authorization
the process of granting users certain access rights/permissions that determine which actions they can perform in a system/application
Q: After logging in to their online banking profile with their username and password, a customer attempts to transfer $10,000 from their savings to their checking account. The system checks if the customer has sufficient privileges to make transfers of this amount before proceeding.
Which type of system check is this an example of?
In this scenario, the system is checking if the customer has the right to transfer $10,000, which is an authorization control. The system verifies their privileges (what they are allowed to do).
AWS Shared Responsibility Model: security
customer: security IN the cloud
managing the security of data, systems, and applications
deciding which data and workloads to store/run in AWS
determining which AWS services to use
controlling who has access to environments and resources
AWS: security OF the cloud
securing the foundational software that powers AWS services
the virtualization layer
the hardware and global infrastructure that supports the data centers from which services operate
Q: What is the responsibility of AWS under the AWS shared responsibility model?
AWS handles all aspects of physical security for data centers, including facility access controls, environmental safeguards, power redundancy, and surveillance systems.
Q: A healthcare company is preparing to deploy a web application on Amazon EC2 instances that will process sensitive patient data. The application will use Amazon RDS for database storage and Amazon S3 for file storage. The company's security team is discussing security responsibilities for the deployment.
What is the customer's security responsibility in this scenario?
Under the AWS shared responsibility model, customers are responsible for protecting their sensitive data stored in AWS services like Amazon S3 and Amazon RDS.
AWS security controls
prevent security incidents through proper permission and access management
protect networks, applications, and data
detect and respond to security incidents as they occur
AWS Identity and Access Management (IAM)
a service to securely manage identities and access to AWS services and resources
by default, all actions are denied and permissions have to be explicitly granted
principle of least privilege
you should only give people and systems access to what they need and nothing else
AWS IAM identities and controls: root user
the account owner who has permissions to do anything inside the AWS account
all AWS accounts have a root user
associate a password with this account and turn on MFA
AWS IAM identities and controls: IAM user
a person/application that interacts with AWS services/resources
consists of a name and credentials
recommended to create individual IAM users for each person who needs to access the AWS account
AWS IAM identities and controls: IAM group
a collection of IAM users who’ll inherit any permissions assigned to the group
AWS IAM identities and controls: IAM role
an identity that can be assumed to gain temporary access to permissions
when assumed, all previous permissions from any previous roles are abandoned
AWS IAM identities and controls: IAM policy
a JSON document that allows/denies permissions to access AWS services and resources
can also define the level of access to resources
Q: With AWS Identity and Access Management (IAM) all actions are denied by default. When granting permissions, access should be provided only on a need-to-have basis.
What is this concept called?
The principle of least privilege dictates that people and systems should be given access only to what they need and nothing else.
Q: AWS Identity and Access Management (IAM) provides users, groups, roles, and policies so you can configure access based on your company’s specific operational and security needs.
Which of these is specifically designed to provide temporary access to permissions?
An IAM role is an identity someone can assume to gain temporary access to permissions. When someone assumes an IAM role, they abandon all previous permissions they had under a previous role and assume the permissions of the new role.
Q: A financial services company wants to give its accountants access to a particular Amazon S3 bucket.
Which of these IAM controls is used to define this access?
An IAM policy is a JSON document that allows or denies permission to access AWS services and resources. It can be added to IAM users, groups, and roles to define access to the particular S3 bucket.
Q: A large marketing firm has a standard set of permissions used to grant designers access to certain Amazon S3 buckets. The firm added a new S3 bucket that all designers need to access.
Which AWS Identity and Access Management (IAM) control can the firm use to assign permissions that will be inherited by all of its designers?
IAM groups are specifically designed for this scenario. They are used to assign permissions to multiple users at once.
Q: All AWS accounts are given an AWS account root user. The root user is the account owner and has full permissions to perform any actions.
What are some ways to protect this powerful account? (Select TWO.)
Delegate root user access to others.
Delete the root user after setting up AWS Identity and Access Management (IAM) users.
Associate a strong password with the account.
Turn on multi-factor authentication (MFA).
Create multiple root users for redundancy.
Associate a strong password with the account.
Turn on multi-factor authentication (MFA).
To protect the root user, it's recommended to associate a strong password with the account and turn on MFA. An AWS account can only have one root user. It cannot be deleted, and root user access should never be delegated to others.
AWS IAM Identity Center
centralizes identity and access management across AWS accounts and applications
organizations can use it to implement SSO
Q: A technology company is moving some of its resources to AWS. The company wants to provide single sign-on access for its employees on AWS using its existing identity source.
Which service can help the company accomplish this?
IAM Identity Center is specifically designed to help organizations implement single sign-on for AWS resources using their existing identity providers.
federated identity management
a system that allows users to access multiple applications, services, or domains using a single set of credentials
AWS Secrets Manager
a secure way to manage, rotate, and retrieve database credentials
secrets
confidential or private information intended to be known only to specific individuals or groups
Q: A software development team needs to centrally manage its database credentials and API keys on AWS.
Which of these services should the team choose?
Secrets Manager can provide the team with a secure way to manage, rotate, and retrieve database credentials, API keys, and other secrets throughout their lifecycle.
AWS Systems Manager
a service that provides a centralized view of nodes across your organization’s accounts and Regions and multi-cloud hybrid environments
node
a connection point in a network, system, or structure
Denial of service (DoS) attack
an attacker floods a web application with excessive network traffic so that legitimate customer requests are denied if the web application becomes overloaded and can no longer respond
Distributed denial of service (DDoS) attack
an attacker can use multiple infected computers (zombie bots), whose owners are unaware, to send excessive traffic to a web application
Q: In a denial of service (DoS) attack, an attacker floods a web application with excessive network traffic. Legitimate customer requests are denied if the web application becomes overloaded and can no longer respond.
How is a distributed denial of service (DDoS) attack different?
Unlike a regular DoS attack from a single source, DDoS attacks use networks of compromised computers to send traffic to the target.
AWS protection through infrastructure: security groups
security groups only allow in proper request traffic
operate at the AWS network level, so they can shrug off massive attacks using the entire AWS Region’s capacity
AWS protection through infrastructure: Elastic Load Balancing (ELB)
ELB handles traffic first before handing it off, so your frontend server isn’t overwhelmed
runs at the Region level
AWS protection through infrastructure: AWS Regions
the enormous capacity of Regions makes them extremely difficult to overwhelm, as it would be massively expensive to achieve
Q: An online boutique has recently suffered a series of targeted distributed denial of service (DDoS) attacks. The owner wants to enhance the security of the boutique's web application using AWS infrastructure.
Which components can the boutique use to protect the web application on AWS from DDoS attacks? (Select TWO.)
Auto scaling groups
Security groups
Compute instances
Public subnets
Elastic Load Balancing (ELB)
Security groups
Elastic Load Balancing (ELB)
Security groups make sure only traffic from authenticated users is allowed into the system, while an ELB distributes incoming traffic to prevent any single frontend server from being overwhelmed. Operating at the AWS network level, these components leverage the full capacity of the AWS Region to help absorb large-scale attacks.
AWS Shield Standard
a free service designed to automatically protect customers from DDoS attacks by using analysis techniques to detect and mitigate incoming malicious network traffic
AWS Shield Advanced
a paid service that provides detailed attack diagnostics and the ability to detect and mitigate sophisticated DDoS attacks
integrates with other services, such as Amazon CloudFront, Amazon Route 53, and ELB
can be integrated with AWS WAF
Q: A small financial services company recently moved its online resources to AWS. The security team was concerned about protection from common, frequently occurring types of distributed denial of service (DDoS) attacks.
Which AWS service automatically protects customers at no cost from DDoS attacks?
Shield is a managed DDoS protection service that safeguards applications running on AWS from common, frequently occurring types of DDoS attacks at no cost.
AWS WAF
a web application firewall that monitors network requests that come into your web applications by checking the IP address against a web access control list (ACL)
denies access if it comes from a blocked IP address
data encryption
works like a lock-key mechanism, where:
an encryption key turns information into a randomized set of characters
a decryption key accesses the information only when it’s needed by the application
data encryption at rest
data is idle and not moving
ex: when it’s stored in a DB
data encryption in transit
data is moving between locations
ex: data is going to an application from a database
SSL/TLS certificates are used to establish encrypted network connections from one system to another
Q: Protecting sensitive customer data is a vital component of maintaining customer trust. This involves encrypting data at rest and in transit.
What is used to encrypt data in transit?
SSL and its successor, TLS, are protocols specifically designed to encrypt data as it moves between systems over networks.
AWS built-in data protection: Amazon S3
by default, all buckets have encryption configured and all uploaded objects are encrypted at rest
AWS built-in data protection: Amazon EBS
volumes and snapshots can be encrypted at rest
AWS built-in data protection: Amazon DynamoDB
server-side encryption at rest is enabled on all table data using encryption keys stored in AWS KMS
AWS Key Management Service (KMS)
create and manage cryptographic keys
cryptographic key
a random string of digits used for encryption and decryption of data
Q: A security team for a large ecommerce company needs a centralized way to create and manage the encryption keys that protect its data on AWS.
Which of these services is the BEST fit for this team?
AWS KMS is specifically designed to create and manage encryption keys.
Amazon Macie
a service used to monitor your sensitive data at rest to make sure it’s safe and to assess your security posture
uses machine learning and automation to discover sensitive data stored in S3
AWS Certificate Manager (ACM)
centralizes the management of your SSL/TLS certificates that provide data encryption in transit
Q: A tax preparation company needs to secure sensitive customer data moving from its database to its web application on AWS.
Which of these services can help them secure the data in transit?
ACM centralizes the management of SSL/TLS certificates that provide data encryption in transit.
Amazon Inspector
runs automated security assessments for Amazon EC2 instances, containers, and Lambda functions by checking applications for security vulnerabilities and deviation from security best practices
security findings and assessments can be found in the Inspector Console
Q: A security team for a large software development company needs to check multiple applications for security vulnerabilities and deviations from security best practices. The applications are running on Amazon EC2, AWS Lambda, and in containers.
Which AWS service should they choose for the security assessments?
Amazon Inspector is specifically designed for automated vulnerability assessments of applications hosted on AWS.
Amazon GuardDuty
identifies threats by continuously monitoring streams of your account metadata and network activity in your environment
uses known malicious IP addresses, anomaly detection, and machine learning to identify threats more accurately
Amazon Detective
investigate the root cause of a detected threat with interactive visualization
Q: A security team at a legal firm has detected a threat to their AWS environment. To investigate the root cause over time, they need interactive visualizations of security data.
Which AWS service is the BEST choice for this investigation?
Detective is specifically designed for interactive analysis and investigating security threats over time using visualizations. It's a suitable choice for the team's investigation.
AWS Security Hub
a service that brings multiple security services together in one place
automatically aggregates security findings and organizes them into actionable, meaningful groupings called insights
can accelerate time to resolution (TTR) with automated remediation
Q: A local government agency needs to prepare for an upcoming compliance audit. The agency needs to automatically aggregate security findings from multiple AWS services into one comprehensive view.
Which of these services should the agency choose?
Security Hub is specifically designed for the aggregation of security findings across multiple AWS services. It's a suitable choice for this use case.
AWS Marketplace
a digital catalog where you can purchase 3rd-party software and services that run on AWS
Q: Which credential components are required to gain programmatic access to an AWS account? (Select TWO.)
An access key ID
A primary key
A secret access key
A user ID
A secondary key
An access key ID
A secret access key