Cloud Practitioner Domain -2
Cloud Practitioner Domain 2 consists of Concept on Cloud Security and It Contains 24% of Question
Information security is of paramount importance to Amazon Web Services (AWS) Customers.Security is a core functional requirement that protects mission critical information from accidental or deliberate theft, leakage, integrity compromise, and deletion.
AWS Shared Responsibility Model
- The AWS Cloud follows shared responsibility model. While AWS manages security of the cloud, you are responsible for security in the cloud. This means that you retain control of the security you choose to implement to protect your own content, platform, applications, systems, and networks no differently than you would in an on-site data center.
- AWS responsibility “Security of the Cloud” – AWS is responsible for protecting the infrastructure that runs all of the services offered in the AWS Cloud. This infrastructure is composed of the hardware, software, networking, and facilities that run AWS Cloud services.
- Customer responsibility “Security in the Cloud” – Customer responsibility will be determined by the AWS Cloud services that a customer selects. This determines the amount of configuration work the customer must perform as part of their security responsibilities.For example, services such as Amazon Elastic Compute Cloud (Amazon EC2), Amazon Virtual Private Cloud (Amazon VPC), and Amazon S3 are categorized as Infrastructure as a Service (IaaS) and, as such, require the customer to perform all of the necessary security configuration and management tasks.
AWS WAF (Web Application Firewall )
- AWS WAF is a web application firewall that helps protect your web applications from common web exploits that could affect application availability, compromise security, or consume excessive resources.
- AWS WAF gives you control over which traffic to allow or block to your web applications by defining customizable web security rules. Custom rules consists of SQL injection or cross-site scripting, and rules that are designed for your specific application.
- With AWS WAF you pay only for what you use. AWS WAF pricing is based on how many rules you deploy and how many web requests your web application receives. There are no upfront commitments.
- AWS Shield is a managed Distributed Denial of Service (DDoS) protection service that safeguards applications running on AWS.AWS Shield provides always-on detection and automatic inline mitigations that minimize application downtime and latency, so there is no need to engage AWS Support to benefit from DDoS protection.
- Two Type of AWS Shield
- Standard :- AWS Shield Standard is automatically enabled to all aws account by default with no additional charge. AWS Shield Standard defends against most common, frequently occurring network and transport layer DDoS attacks that target your web site or applications. When you use AWS Shield Standard with Amazon Cloud front and Amazon Route 53, you receive comprehensive availability protection against all known infrastructure (Layer 3 and 4) attacks.
- Advanced :- For higher levels of protection against attacks targeting your applications running on Amazon Elastic Compute Cloud (EC2), Elastic Load Balancing (ELB), Amazon CloudFront, AWS Global Accelerator and Amazon Route 53 resources, you can subscribe to AWS Shield Advanced.In addition to the network and transport layer protections that come with Standard, AWS Shield Advanced provides additional detection and mitigation against large and sophisticated DDoS attacks, near real-time visibility into attacks, and integration with AWS WAF, a web application firewall.
- Amazon Inspector is an automated security assessment service that helps improve the security and compliance of applications deployed on AWS.Amazon Inspector automatically assesses applications for exposure, vulnerabilities, and deviations from best practices.After performing an assessment, Amazon Inspector produces a detailed list of security findings prioritized by level of severity. These findings can be reviewed directly or as part of detailed assessment reports
- Amazon Inspector security assessments help you check for unintended network accessibility of your Amazon EC2 instances and for vulnerabilities on those EC2 instances.These assessments are actually a predefined rule packages mapped to common security best practices and vulnerability definitions.
AWS Trusted Advisor
- It is an online resource to help you reduce cost, increase performance, and improve security by optimizing your AWS environment. AWS Trusted Advisor provides real-time guidance to help you provision your resources following AWS best practices.
- AWS Trusted Advisor analyzes your AWS environment and provides best practice recommendations in five categories:
- Cost Optimization
- Fault Tolerance
- Service Limits
- AWS CloudTrail is a service that can log API Calls, continuously monitor, and retain account activity related to actions across your AWS infrastructure. Hence enables governance, compliance, operational auditing, and risk auditing of your AWS account.
- You can identify which users or accounts called AWS , the source IP from which the call was made and when the call occurred.