AWS Cloud Security and Compliance
Flashcard Study
What is the Shared Responsibility Model?
A concept that outlines the division of responsibility between a cloud service provider and the customer when it comes to security and compliance.
What is AWS responsible for under the Shared Responsibility Model?
AWS is responsible for protecting the infrastructure that runs all of the services offered in the cloud, including the hardware, software, networking, and facilities.
What is Infrastructure as a Service (IaaS)?
It is a cloud computing model where the cloud service provider provides the infrastructure, such as virtual machines, storage, and networking.
What is the customer responsible for when using IaaS services?
The customer is responsible for managing the operating system, middleware, and applications.
What is the customer responsible for when using EC2?
The customer is responsible for managing the operating system, application software, and data. The customer is also responsible for configuring the security groups and firewalls to control access to the instances.
What is the customer responsible for when using Amazon S3?
Customers access the endpoints to store and retrieve data.
What is the customer responsible for when using Amazon RDS?
The customer is responsible for managing the database itself, including creating and managing databases and users, securing data, and applying software patches and upgrades.
What is AWS responsible for when a customer uses AWS Lambda?
AWS is responsible for managing the underlying infrastructure, including the hardware, software, and network.
What is the customer responsible for when using AWS Lambda?
The customer is responsible for providing the code and configuring the runtime, security settings, and environment variables.
What are some examples of services and features designed to support HIPAA compliance?
Amazon RDS for SQL Server and Amazon S3 with encryption options.
What is in-transit encryption?
It is used to protect data as it travels over networks.
What are some examples of AWS encryption options?
Amazon S3 server-side encryption, Amazon EBS encryption, and Amazon RDS encryption.
What is Amazon S3 server-side encryption?
It is a way to automatically encrypt your data when you store it in an Amazon S3 bucket.
What does Amazon EBS encryption do?
It provides an easy way to encrypt your data at rest, by encrypting the data stored on the EBS volumes that are attached to your EC2 instances.
What encryption algorithm does Amazon RDS encryption use?
Amazon RDS encryption provides a way to encrypt your data at rest by using the industry-standard Advanced Encryption Standard (AES-256) encryption algorithm.
What are some AWS services that allow customers to control access to their resources?
AWS Identity and Access Management (IAM) and Amazon S3 bucket policies.
What does AWS Config do?
It provides a detailed inventory of the resources in an AWS account and monitors for changes to those resources.
What are the two types of encryption provided by AWS for data stored in S3?
Server-side encryption and client-side encryption.
When is data encrypted when using server-side encryption?
Data is encrypted right before storing it on S3 servers when using server-side encryption.
Who manages the encryption keys for server-side encryption?
AWS automatically encrypts data at rest and manages the encryption keys for you when using server-side encryption.
What are the different server-side encryption options available on AWS for S3?
S3 Managed Encryption Keys (SSE-S3), AWS Key Management Service (KMS) Managed Encryption Keys (SSE-KMS), and Server-side Encryption with Customer-Provided Encryption Keys (SSE-C).
What is S3 Managed Encryption Keys (SSE-S3)?
It is the simplest server-side encryption option where S3 encrypts data at rest using the AES-256 encryption algorithm.
Who manages the encryption keys in SSE-S3?
The encryption keys are managed by S3 and are rotated regularly for added security.
What is AWS Key Management Service (KMS) Managed Encryption Keys (SSE-KMS)?
It is a more secure server-side encryption option compared to SSE-S3 where S3 encrypts data at rest using the AES-256 encryption algorithm and the encryption keys are managed by AWS Key Management Service (KMS).
What additional security features does KMS provide for SSE-KMS?
KMS provides additional security features such as key access policies and key usage auditing.
What is the customer's responsibility when using SSE-C?
The customer uploads their encryption keys to S3, and S3 uses the keys to encrypt data at rest using the AES-256 encryption algorithm.
Who manages the encryption keys when using SSE-C?
The encryption keys are managed by the customer.
Who manages the encryption keys in client-side encryption?
The encryption keys are managed by the client and are not stored on the S3 servers.
What are the services provided by AWS to aid in auditing and reporting?
Amazon CloudWatch, AWS Config, and AWS CloudTrail.
What is the purpose of Amazon CloudWatch?
It is a monitoring service that provides customers with the ability to collect and track metrics, logs, and set alarms.
What can customers monitor using Amazon CloudWatch?
They can monitor the performance and health of their AWS resources, applications, and services.
What is the purpose of AWS Config?
It is a service that provides customers with an inventory of their AWS resources and the configuration of those resources.
What can customers evaluate using AWS Config?
They can evaluate changes to their resources over time and receive detailed reports on the configuration of their resources.
How does AWS Config help customers mitigate potential security risks?
By providing the ability to receive notifications when changes are made to their resources.
What is the purpose of AWS CloudTrail?
It allows customers to track the activity of their AWS resources, including the actions taken by users, roles, and services.