search

Domain 2: Security and Compliance

hashtag
Define the AWS shared responsibility model

hashtag
AWS Shared Responsibility Model Explained

This model denotes how security and compliance responsibilities are shared between AWS and the customer.

circle-info

Think of the Shared Responsibility Model as a partnership. AWS secures the foundation, and you secure what you put on it.

hashtag
Customer's Responsibility on AWS

hashtag
Depending on the AWS service used, the responsibility might vary:

  • RDS: AWS manages underlying infrastructure, database patching.

  • Lambda: AWS manages the infrastructure, OS, and application stack.

  • EC2: You manage guest OS, updates, and the application.

hashtag
AWS Responsibilities

AWS is responsible for the security of the cloud, including infrastructure, hardware, software, and facilities.

hashtag
Who is responsible for patching the database in Amazon RDS?

a) Customer b) AWS

circle-check

b) AWS

hashtag
Define AWS Cloud security and compliance concepts

hashtag
AWS Compliance Information

AWS offers compliance controls like HIPPA and SOCs. Not all AWS services might comply with every standard.

circle-info

Compliance requirements might vary per AWS service and region.

hashtag
Achieving Compliance on AWS

hashtag
AWS offers different encryption options:

  • In Transit: Data encrypted while moving.

  • At Rest: Data encrypted while stored.

hashtag
Auditing and Reporting Services:

AWS provides tools like Amazon CloudWatch, AWS Config, and AWS CloudTrail for monitoring, auditing, and reporting.

hashtag
Least Privileged Access Concept:

Always grant only the permissions required to perform a task.

hashtag
AWS Identity and Access Management (IAM)

AWS Identity and Access Management (IAM) allows you to securely control access to AWS resources.

It allows you to create and manage AWS users and groups and assign permissions to allow or deny their access to AWS resources.

hashtag
Key IAM Entities:

  • User: Individual people, system users, or services that will be interacting with AWS.

  • Group: A collection of IAM users. You can specify permissions for multiple users, which can make it easier to manage the permissions for those users.

  • Role: Not tied to a specific user or group. Instead, roles are assumed by trusted entities, such as IAM users, applications, or AWS services like EC2.

  • Policies: Documents defining permissions and can be attached to users, groups, or roles.

hashtag
Best Practices

hashtag
Root vs. IAM User:

  • Root User: When you open an AWS account, you begin with a single sign-in identity that has complete access to all AWS services and resources. This is termed as the "root" user.

triangle-exclamation

Don't use your AWS root user credentials to access AWS, and no one else should either. Instead, create individual IAM users.

hashtag
Access Keys:

Access keys consist of an access key ID and secret access key, used to sign programmatic requests to AWS.

hashtag
Password Policies:

Set requirements for IAM user passwords.

hashtag
Multi-Factor Authentication (MFA):

Uses multiple factors to authenticate a user, adding an extra layer of security.

hashtag
Deep Dive into IAM Roles, Users, and Groups

hashtag
Roles:

Instead of being uniquely associated with one person, a role is intended to be assumable by anyone who needs it.

  • Example: An EC2 instance might need access to an S3 bucket. Instead of hardcoding AWS credentials, you'd assign the EC2 instance an IAM role with the necessary permissions.

hashtag
Users:

Intended for humans or services. They have permanent long-term credentials.

  • Example: A developer named John in your team might have a user account with permissions to access only specific S3 buckets and EC2 instances.

hashtag
Groups:

A way to assign policies to multiple users simultaneously.

  • Example: If you have a group of developers, rather than assign each of them permissions, you'd place them in an Developers group and assign the necessary permissions to that group.

hashtag
IAM Permission Policies

hashtag
Managed Policies:

AWS managed policies are designed to provide permissions for many common use cases. AWS controls these.

  • Example: AmazonS3ReadOnlyAccess – Provides read-only access to all buckets via the AWS Management Console.

hashtag
Custom Policies:

You define custom permissions according to your needs.

  • Example: A policy that allows a user to only read a specific S3 bucket and not any other bucket.

circle-info

Never use the root account for daily tasks.

hashtag
Identify resources for security support

hashtag
Network Security Capabilities

AWS offers tools like security groups, Network ACLs, and AWS WAF. Also, 3rd party security products are available on the AWS Marketplace.

hashtag
Finding Documentation

hashtag
Access resources such as:

  • AWS Knowledge Center

  • Security Center

  • Security forum

  • Security blogs

hashtag
Where can you find official AWS security best practices?

a) Google b) AWS Knowledge Center c) Random blogs d) Reddit

circle-check

b) AWS Knowledge Center

hashtag
AWS Trusted Advisor

This tool offers insights to follow best practices, including security checks.

PreviousDomain 1: Cloud ConceptsNextDomain 3: Technology

Last updated