As an AWS customer you inherit all the best practices of AWS policies, architecture, and operational processes. The AWS Cloud enables a shared responsibility model. AWS manages security OF the cloud; you are responsible for security IN the cloud. You retain control of the security you choose to implement to protect your own content, platform, applications, systems, and networks, no differently than you would in an on-site data center.

Benefits of AWS Security
Compliance

AWS Cloud Compliance enables you to understand the robust controls in place at AWS to maintain security and data protection in the cloud. As systems are built on top of AWS Cloud infrastructure, compliance responsibilities will be shared. Compliance programs include:
AWS Artifact

AWS Artifact is your go-to, central resource for compliance-related information that matters to you. It provides on-demand access to AWS’ security and compliance reports and select online agreements. Reports available in AWS Artifact include our Service Organization Control (SOC) reports, Payment Card Industry (PCI) reports, and certifications from accreditation bodies across geographies and compliance verticals that validate the implementation and operating effectiveness of AWS security controls. Agreements available in AWS Artifact include the Business Associate Addendum (BAA) and the Nondisclosure Agreement (NDA).

Amazon GuardDuty

Amazon GuardDuty offers threat detection and continuous security monitoring for malicious or unauthorized behavior to help you protect your AWS accounts and workloads. It is an intelligent threat detection service that detects account compromise, instance compromise, malicious reconnaissance, and bucket compromise. Continuous monitoring for events across:
AWS WAF & AWS Shield

WAF:
Shield:
AWS Key Management Service (AWS KMS)

AWS Key Management Service gives you centralized control over the encryption keys used to protect your data. You can create, import, rotate, disable, delete, define usage policies for, and audit the use of encryption keys used to encrypt your data. AWS Key Management Service is integrated with most other AWS services, making it easy to encrypt the data you store in these services with encryption keys you control. AWS KMS is integrated with AWS CloudTrail, which provides you the ability to audit who used which keys, on which resources, and when. AWS KMS enables developers to easily encrypt data, whether through 1-click encryption in the AWS Management Console or using the AWS SDK to easily add encryption in their application code.

AWS CloudHSM

AWS CloudHSM is a cloud-based hardware security module (HSM) that enables you to easily generate and use your own encryption keys on the AWS Cloud. With CloudHSM, you can manage your own encryption keys using FIPS 140-2 Level 3 validated HSMs. CloudHSM offers you the flexibility to integrate with your applications using industry-standard APIs, such as PKCS#11, Java Cryptography Extensions (JCE), and Microsoft CryptoNG (CNG) libraries.

AWS Certificate Manager

AWS Certificate Manager is a service that lets you easily provision, manage, and deploy public and private Secure Sockets Layer/Transport Layer Security (SSL/TLS) certificates for use with AWS services and your internal connected resources. SSL/TLS certificates are used to secure network communications and establish the identity of websites over the Internet as well as resources on private networks. AWS Certificate Manager removes the time-consuming manual process of purchasing, uploading, and renewing SSL/TLS certificates.

AWS Inspector and AWS Trusted Advisor

AWS Inspector:
AWS Trusted Advisor:
Trusted Advisor scans your AWS infrastructure and compares it to AWS best practices in five categories:
Trusted Advisor comes in two versions.

Core Checks and Recommendations (free):
Full Trusted Advisor Benefits (business and enterprise support plans):
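The KMS section above notes that CloudTrail lets you audit who used which keys, on which resources, and when. The following is an added example, not code from the page or from AWS, that runs that audit over a handful of constructed CloudTrail records: it builds the who/key/resource/when table from successful KMS calls and separately flags denied key use and privileged key-management calls (the account id, ARNs and key id are placeholders).

```python
# Constructed sample CloudTrail records in CloudTrail's JSON shape; the account
# id, ARNs and key id are placeholders, not values from any real account.
KEY_ARN = "arn:aws:kms:us-east-1:111122223333:key/EXAMPLE-KEY-ID"
SAMPLE_RECORDS = [
    {"eventTime": "2024-05-01T10:00:00Z", "eventSource": "kms.amazonaws.com", "eventName": "Decrypt",
     "userIdentity": {"type": "AssumedRole", "arn": "arn:aws:sts::111122223333:assumed-role/AppRole/app-host"},
     "requestParameters": {"encryptionContext": {"aws:s3:arn": "arn:aws:s3:::example-bucket/report.csv"}},
     "resources": [{"ARN": KEY_ARN}]},
    {"eventTime": "2024-05-01T10:05:00Z", "eventSource": "kms.amazonaws.com", "eventName": "Decrypt",
     "userIdentity": {"type": "IAMUser", "arn": "arn:aws:iam::111122223333:user/contractor"},
     "errorCode": "AccessDenied", "requestParameters": None, "resources": [{"ARN": KEY_ARN}]},
    {"eventTime": "2024-05-01T11:00:00Z", "eventSource": "kms.amazonaws.com", "eventName": "ScheduleKeyDeletion",
     "userIdentity": {"type": "Root", "arn": "arn:aws:iam::111122223333:root"},
     "requestParameters": {"keyId": "EXAMPLE-KEY-ID", "pendingWindowInDays": 7}, "resources": [{"ARN": KEY_ARN}]},
    {"eventTime": "2024-05-01T11:30:00Z", "eventSource": "s3.amazonaws.com", "eventName": "GetObject",
     "userIdentity": {"type": "IAMUser", "arn": "arn:aws:iam::111122223333:user/alice"}, "resources": []},
]

# Key-management calls that change a key's availability or policy rather than use it.
PRIVILEGED_ACTIONS = {"ScheduleKeyDeletion", "DisableKey", "PutKeyPolicy", "DeleteAlias"}


def kms_usage(records):
    """Who used which key, on which resource, and when: one row per successful KMS call."""
    rows = []
    for rec in records:
        if rec.get("eventSource") != "kms.amazonaws.com" or rec.get("errorCode"):
            continue
        params = rec.get("requestParameters") or {}          # null for some denied calls
        ctx = params.get("encryptionContext") or {}           # e.g. the S3 object the key protected
        keys = [r["ARN"] for r in rec.get("resources", []) if "ARN" in r]
        rows.append({"who": rec["userIdentity"]["arn"], "action": rec["eventName"],
                     "key": keys[0] if keys else None, "when": rec["eventTime"],
                     "resource": next(iter(ctx.values()), None)})
    return rows


def kms_findings(records):
    """Flag denied key use, plus privileged key-management calls or any KMS call by the root user."""
    findings = []
    for rec in records:
        if rec.get("eventSource") != "kms.amazonaws.com":
            continue
        who, action, when = rec["userIdentity"]["arn"], rec["eventName"], rec["eventTime"]
        if rec.get("errorCode"):
            findings.append(f"DENIED {action} by {who} at {when} ({rec['errorCode']})")
        elif rec["userIdentity"].get("type") == "Root" or action in PRIVILEGED_ACTIONS:
            findings.append(f"PRIVILEGED {action} by {who} at {when}")
    return findings
```

On real data the records come from the `Records` array of each CloudTrail log file; the encryption context is what ties a Decrypt call back to the resource (here an S3 object) the key was protecting.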
Penetration Testing

Penetration testing is the practice of testing one’s own application’s security for vulnerabilities by simulating an attack. AWS allows penetration testing. There is a limited set of resources on which penetration testing can be performed. You do not need permission to perform penetration testing against the following services:
You can read the full vulnerability and penetration testing support policy here. In case an account is or may be compromised, AWS recommends that the following steps are taken:
AWS Single Sign-On (AWS SSO)

AWS Single Sign-On is a cloud-based single sign-on (SSO) service that makes it easy to centrally manage SSO access to all your AWS accounts and cloud applications. It helps you manage SSO access and user permissions across all your AWS accounts in AWS Organizations. AWS SSO also helps you manage access and permissions to commonly used third-party software as a service (SaaS) applications, AWS SSO-integrated applications, as well as custom applications that support Security Assertion Markup Language (SAML) 2.0. AWS SSO includes a user portal where your end users can find and access all their assigned AWS accounts, cloud applications, and custom applications in one place.

Amazon Cognito

Amazon Cognito lets you add user sign-up, sign-in, and access control to your web and mobile apps quickly and easily. Amazon Cognito scales to millions of users and supports sign-in with social identity providers, such as Apple, Facebook, Google, and Amazon, and enterprise identity providers via SAML 2.0 and OpenID Connect. The two main components of Amazon Cognito are user pools and identity pools:
You can use identity pools and user pools separately or together.

AWS Directory Services

AWS provides several directory types. The following three types currently feature on the exam and will be covered on this page:
As an alternative to the AWS Directory service you can build your own Microsoft AD DCs in the AWS cloud (on EC2). The table below summarizes the directory services covered on this page as well as a couple of others, and provides some typical use cases:
AWS Systems Manager Parameter Store

Provides secure, hierarchical storage for configuration data management and secrets management. It is highly scalable, available, and durable. You can store data such as passwords, database strings, and license codes as parameter values. You can store values as plaintext (unencrypted data) or ciphertext (encrypted data). You can then reference values by using the unique name that you specified when you created the parameter.

AWS Secrets Manager

Similar to Parameter Store. Allows native and automatic rotation of keys, fine-grained permissions, and central auditing for secret rotation.

Related posts:

What AWS service would you use to download AWS security and compliance reports?

You can use AWS Artifact Reports to download AWS security and compliance documents, such as AWS ISO certifications, Payment Card Industry (PCI), and System and Organization Control (SOC) reports.
What AWS service is used to help with regulatory compliance?

AWS Compliance Center
The tool helps customers browse country-specific resources, identify local regulatory requirements, and view AWS compliance programs that may apply to that country.
Which AWS security service assesses applications to improve their security and compliance?

Security Hub enables you to understand your overall security posture via a consolidated security score across all of your AWS accounts, and automatically assesses the security of your AWS account resources via the AWS Foundational Security Best Practices standard and other compliance frameworks.
Which AWS service or feature can be used to securely provide access to an application?

AWS Identity Services enable you to securely manage identities, resources, and permissions at scale. With AWS, you have identity services for your workforce and customer-facing applications to get started quickly and manage access to your workloads and applications.