Chapter 6. Cloud Security and Compliance

This chapter covers the following subjects:

* An Introduction to AWS Security: This section discusses the major aspects of the AWS approaches to securing your infrastructure and resources.
* AWS Security Compliance Programs: This section of the chapter ensures you understand the many efforts that AWS engages in to ensure you can maintain compliance in security with laws and regulations you might face.

It is important that you understand the approaches that Amazon takes to security when it comes to AWS. It is also important to know specifics regarding the levels of compliance and attestation that AWS believes are important. This chapter discusses these points in detail, providing specific technologies that AWS uses to help ensure you can create the most secure architecture possible in the cloud and beyond.

“Do I Know This Already?” Quiz

The “Do I Know This Already?” quiz allows you to assess if you should read the entire chapter. Table 6-1 lists the major headings in this chapter and the “Do I Know This Already?” quiz questions covering the material in those headings so you can assess your knowledge of these specific areas. The answers to the “Do I Know This Already?” quiz appear in Appendix A, “Answers to the ‘Do I Know This Already?’ Quizzes and Q&A Sections.”

Table 6-1 “Do I Know This Already?” Foundation Topics Section-to-Question Mapping

Foundation Topics Section            Questions
An Introduction to AWS Security      1, 2
AWS Security Compliance Programs     3, 4

1. Amazon is interested in offering you high levels of confidentiality with your data in AWS. What is a key technology area that accommodates this?
   a. Authentication
   b. Hashing
   c. Encryption
   d. Fault tolerance

2. What service in AWS assists your security efforts using roles, users, and groups?
   a. S3
   b. IAM
   c. EC2
   d. Glacier

3. Amazon seeks out attestations from organizations that are what? (Choose two.)
   a. Dependent
   b. Independent
   c. Third party
   d. Subsidiary

4. Which of the following is not something Amazon typically provides to AWS customers in the area of compliance?
   a. Mapping documents
   b. Compliance playbooks
   c. Security features
   d. Physical host security playbooks

Foundation Topics

An Introduction to AWS Security

Amazon understands that a major concern for many organizations considering a move to public (or hybrid) clouds is security. As a result, Amazon has taken great pains to ensure incredible levels of potential security for your organization. This includes massive efforts around confidentiality, integrity, and availability (CIA). This is known as the “security triad” and is depicted in Figure 6-1.

Figure 6-1 The Security Triad

What are some of the main approaches that Amazon takes to security in AWS? Let’s cover those now.

The first is keeping customer data as safe as possible. Amazon ensures a resilient and highly available infrastructure. High levels of the latest security technologies are deployed, and strong safeguards are in place for every aspect of Amazon’s security responsibilities.

With AWS, you can take advantage of rapid innovations in security technology at scale. This includes a robust Identity and Access Management (IAM) system, encryption of data at rest and in transit, and segmentation services. Figure 6-2 shows the IAM components in AWS.

Figure 6-2 IAM in AWS
[Screenshot of the IAM console welcome page. Its Security Status checklist lists: Delete your root access keys; Activate MFA on your root account; Create individual IAM users; Use groups to assign permissions; Apply an IAM password policy.]

With AWS security, you pay for what you need. This permits high levels of security with controlled and elastic capacity and costs.

AWS also ensures diverse compliance support to offer adherence to governance, oversight, and automation.

In addition, AWS follows a shared responsibility model that divides responsibility (clearly) between the customer (you) and Amazon. You can leverage Amazon’s incredible expertise in secure infrastructures and technology knowledge. However, you must have expertise in securing components within AWS services. For example, you would be responsible for patching some of your virtual machine (EC2) deployments.

Note: The hardware on which your virtual machines reside is kept highly secure by Amazon.

Specific security products and features encompass a variety of tools and monitoring resources, including the following:

* Robust network security: Built-in firewalling, encryption in transit, private connectivity options, and built-in DDoS mitigation.
* Efficient security tools: Management of resource commissioning and decommissioning, inventory and configuration management tools, and best-practice template definitions.
* Data encryption at every level: This includes database systems, key management, hardware-based storage options, and API support (like everything in AWS).
* Access control and management: Identity and Access Management (IAM), multifactor authentication, federation support, integration into all services, and API support.
* Monitoring and logging tools: Deep visibility into API calls, log aggregation tools, alerts, and reduced risks.
* AWS Marketplace: Anti-malware, intrusion prevention systems (IPSs), and policy management tools.

AWS Security Compliance Programs

How does Amazon measure its success when it comes to compliance with security best practices and regulations? The success of its many customers! Customers drive AWS efforts in these categories (to name just a few):

* Compliance reports
* Attestations
* Certifications

Compliance programs and your adherence to them will actually help you implement excellent security at scale in AWS. This should also help you realize cost savings overall when it comes to your security implementation.

Amazon, especially once you are a customer, will communicate its security responsibilities, successes, failures, and overall efforts using the following means:

* Obtaining industry certifications
* Obtaining independent, third-party attestations
* Publishing security information whitepapers and web content
* Providing certificates, reports, and other documents to customers, sometimes under a nondisclosure agreement (NDA)

Amazon also provides the following to customers:

* Functionality through security features
* Compliance playbooks
* Mapping documents

AWS also offers a robust risk and compliance program that helps you with the following:

* Risk management
* Control environments
* Information security

Amazon regularly scans all public-facing endpoints for vulnerabilities. It will even use independent, third-party firms to perform threat assessments against its technologies and infrastructure. If you (as a customer) are interested in performing penetration (pen) testing against your resources, you may do so, but you must obtain explicit permission from AWS.

Remember, as a customer of AWS, you should (indeed, must):

* Engage in a robust security lifecycle approach that includes a review phase, a design phase, and then phases of identification and verification. The identification phase should include the external controls that are required to secure the customer resources.
* Understand the required compliance objectives.
* Establish a control environment.
* Understand the validation based on risk tolerances.
* Consistently verify the effectiveness of the security measures deployed.

For more information regarding AWS and security compliance, visit the compliance home page for AWS at https://aws.amazon.com/compliance. You will discover valuable resources linked from this page.

Exam Preparation Tasks

As mentioned in the section “How to Use This Book” in the Introduction, you have a few choices for exam preparation: the exercises here, Chapter 16, “Final Preparation,” and the exam simulation questions in the Pearson Test Prep Software Online.

Review All Key Topics

Review the most important topics in this chapter, noted with the Key Topics icon in the outer margin of the page. Table 6-2 lists these key topics and the page numbers on which each is found.

Table 6-2 Key Topics for Chapter 6

Key Topic Element   Description                               Page Number
List                Security tools in AWS                     74
Overview            Penetration testing                       76
List                AWS customer security responsibilities    76

Define Key Terms

Define the following key terms from this chapter and check your answers in the Glossary:

confidentiality, integrity, compliance

Q&A

The answers to these questions appear in Appendix A. For more practice with exam format questions, use the Pearson Test Prep Software Online.

1. Why might you turn to the AWS Marketplace when working on your security infrastructure in AWS?
2. What should you do if you are interested in penetration testing your AWS data and resources?
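Hands-On Example (Added)

The following is an added hands-on example for this chapter; it is not code from the book or from AWS. It takes the “Monitoring and logging tools” item above (deep visibility into API calls, alerts) and two of the IAM practices shown in Figure 6-2 (activate MFA on the root account, delete root access keys) and turns them into a small audit over CloudTrail-style events. The event field names (userIdentity.type, userIdentity.accessKeyId, eventName, additionalEventData.MFAUsed) follow CloudTrail’s public record format; the sample events, the account ID, the access key ID, and the finding labels are all constructed for the example.

```python
"""Audit CloudTrail-style events for root-account use and logins without MFA.

Added example for this chapter, not code from the book or from AWS. Field
names follow the public CloudTrail record format; the events, account ID,
access key ID and finding labels below are constructed for the example.
"""
import json

# Constructed sample events (not real CloudTrail output). The account ID and
# access key ID are placeholders.
SAMPLE_EVENTS = [
    {   # root user signs in to the console without MFA
        "eventTime": "2024-01-15T08:01:00Z", "eventSource": "signin.amazonaws.com",
        "eventName": "ConsoleLogin", "sourceIPAddress": "198.51.100.10",
        "userIdentity": {"type": "Root", "arn": "arn:aws:iam::111122223333:root"},
        "additionalEventData": {"MFAUsed": "No"},
    },
    {   # an IAM user signs in with MFA: nothing to report
        "eventTime": "2024-01-15T08:05:00Z", "eventSource": "signin.amazonaws.com",
        "eventName": "ConsoleLogin", "sourceIPAddress": "198.51.100.11",
        "userIdentity": {"type": "IAMUser", "userName": "alice",
                         "arn": "arn:aws:iam::111122223333:user/alice"},
        "additionalEventData": {"MFAUsed": "Yes"},
    },
    {   # an API call made with a root access key (the checklist says delete these)
        "eventTime": "2024-01-15T09:10:00Z", "eventSource": "s3.amazonaws.com",
        "eventName": "CreateBucket", "sourceIPAddress": "203.0.113.5",
        "userIdentity": {"type": "Root", "arn": "arn:aws:iam::111122223333:root",
                         "accessKeyId": "AKIAROOTKEYPLACEHOLDER"},
    },
    {   # an IAM user signs in without MFA
        "eventTime": "2024-01-15T09:30:00Z", "eventSource": "signin.amazonaws.com",
        "eventName": "ConsoleLogin", "sourceIPAddress": "198.51.100.12",
        "userIdentity": {"type": "IAMUser", "userName": "bob",
                         "arn": "arn:aws:iam::111122223333:user/bob"},
        "additionalEventData": {"MFAUsed": "No"},
    },
    {   # routine call through an assumed role: nothing to report
        "eventTime": "2024-01-15T10:00:00Z", "eventSource": "ec2.amazonaws.com",
        "eventName": "DescribeInstances", "sourceIPAddress": "198.51.100.20",
        "userIdentity": {"type": "AssumedRole",
                         "arn": "arn:aws:sts::111122223333:assumed-role/ReadOnly/session1"},
    },
]


def load_events(text):
    """Parse CloudTrail JSON: either a bare list of events or the
    {"Records": [...]} wrapper used by log files delivered to S3."""
    data = json.loads(text)
    return data["Records"] if isinstance(data, dict) else data


def actor(event):
    """Human-readable identity for a finding: user name, else ARN, else type."""
    ident = event.get("userIdentity", {})
    return ident.get("userName") or ident.get("arn") or ident.get("type", "unknown")


def classify_event(event):
    """Return the list of finding labels that apply to one event (empty if none)."""
    findings = []
    ident = event.get("userIdentity", {})
    mfa_used = event.get("additionalEventData", {}).get("MFAUsed")
    if ident.get("type") == "Root":
        # Console sign-ins carry an empty accessKeyId, so a non-empty value
        # means a long-lived root access key is in use.
        if ident.get("accessKeyId"):
            findings.append("ROOT_ACCESS_KEY_USED")
        else:
            findings.append("ROOT_ACTIVITY")
    if event.get("eventName") == "ConsoleLogin" and mfa_used == "No":
        findings.append("CONSOLE_LOGIN_WITHOUT_MFA")
    return findings


def audit(events):
    """Run every event through classify_event; return one record per finding."""
    report = []
    for event in events:
        for label in classify_event(event):
            report.append({"label": label, "actor": actor(event),
                           "eventName": event.get("eventName"),
                           "sourceIP": event.get("sourceIPAddress"),
                           "time": event.get("eventTime")})
    return report


def summarize(report):
    """Count findings per label, e.g. to feed a dashboard or an alert threshold."""
    counts = {}
    for finding in report:
        counts[finding["label"]] = counts.get(finding["label"], 0) + 1
    return counts


if __name__ == "__main__":
    findings = audit(load_events(json.dumps({"Records": SAMPLE_EVENTS})))
    for f in findings:
        print(f"{f['time']} {f['label']:<26} {f['actor']} {f['eventName']} from {f['sourceIP']}")
    print(summarize(findings))
```

Run it as a script to see the four findings the constructed events produce; to apply the same checks to your own account, feed load_events the contents of a CloudTrail log file instead of SAMPLE_EVENTS. Any ROOT_ACTIVITY or ROOT_ACCESS_KEY_USED finding is a direct violation of the Figure 6-2 checklist and is the kind of event a log-aggregation alert should page on.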
