Read the book AWS Certified SysOps Administrator Official Study Guide - Cole Stephen - Page 25

Chapter 3
Security and AWS Identity and Access Management (IAM)


THE AWS CERTIFIED SYSOPS ADMINISTRATOR – ASSOCIATE EXAM TOPICS COVERED IN THIS CHAPTER MAY INCLUDE, BUT ARE NOT LIMITED TO, THE FOLLOWING:

Domain 1.0: Monitoring and Metrics

1.1 Demonstrate ability to monitor availability and performance

Domain 6.0: Security

6.1 Implement and manage security policies

6.2 Ensure data integrity and access controls when using the AWS platform

6.3 Demonstrate understanding of the shared responsibility model

6.4 Demonstrate ability to prepare for security assessment use of AWS

Content may include the following:

■ AWS platform compliance

■ AWS security attributes (customer workloads down to physical layer)

■ AWS administration and security services

■ AWS Identity and Access Management (IAM)

■ Amazon Virtual Private Cloud (Amazon VPC)

■ AWS CloudTrail

■ Amazon CloudWatch

■ AWS Config

■ Amazon Inspector

■ Ingress vs. egress filtering and which AWS Cloud services and features fit

■ Core Amazon Elastic Compute Cloud (Amazon EC2) and Amazon Simple Storage Service (Amazon S3) security feature sets

■ Incorporating common conventional security products (firewall, Virtual Private Network [VPN])

■ Distributed Denial of Service (DDoS) mitigation

■ Encryption solutions (e.g., key services)

■ Complex access controls (e.g., sophisticated security groups, Access Control Lists [ACLs])

Security on AWS

AWS delivers a scalable cloud computing platform with high availability and dependability that provides the tools to enable you to run a wide range of applications. These tools assist you in protecting the confidentiality, integrity, and availability of your systems and data.

The AWS Certified SysOps Administrator – Associate exam focuses on how to use the AWS tool set to secure your account and your environment. The Security domain is 15 percent of this exam!

Shared Responsibility Model

Before we go into the details of how AWS secures its resources, let's look at how security in the cloud differs from security in your on-premises datacenters. When you move computer systems and data to the cloud, security responsibilities become shared between you and your Cloud Services Provider (CSP). In this case, AWS is responsible for securing the underlying infrastructure that supports the cloud, and you’re responsible for anything that you put on the cloud or connect to the cloud. This shared responsibility model can reduce your operational burden in many ways, and in some cases, it may even improve your default security posture without any additional action on your part.

The amount of security configuration work you have to do varies depending on which services you select and how you evaluate the sensitivity of your data. However, there are certain security features – such as individual user accounts and credentials, Secure Sockets Layer (SSL)/Transport Layer Security (TLS) for data transmissions to encrypt data in transit, encryption of data at rest, and user activity logging – that you should configure no matter which AWS service you use.

AWS Security Responsibilities

AWS is responsible for protecting the global infrastructure that runs all of the services offered in the AWS Cloud. This infrastructure is composed of the hardware, software, networking, and facilities that run AWS Cloud services. Protecting this infrastructure is AWS's number one priority. Although you can’t visit our datacenters or offices to see this protection firsthand, we provide several reports from third-party auditors, which have verified our compliance with a variety of relevant computer security standards and regulations.

In addition to protecting this global infrastructure, AWS is responsible for the security configuration of its products that are considered managed services. Examples of these services include Amazon DynamoDB, Amazon Relational Database Service (Amazon RDS), Amazon Redshift, Amazon EMR, Amazon WorkSpaces, and several other services. These services provide the scalability and flexibility of cloud-based resources with the additional benefit of being managed. For these services, AWS will handle basic security tasks like guest operating system and database patching, firewall configuration, and disaster recovery. For most of these managed services, all you have to do is configure logical access controls for the resources and protect your account credentials. A few of them may require additional tasks, such as setting up database user accounts, but the overall security configuration work is performed by the service.

Customer Security Responsibilities

With the AWS Cloud, you can provision virtual servers, storage, databases, and desktops in minutes instead of weeks. You can also use cloud-based analytics and workflow tools to process your data as you need it, and then store it in your own datacenters or in the cloud. Which AWS Cloud services you use determines how much configuration work you have to perform as part of your security responsibilities. For example, for Amazon Elastic Compute Cloud (Amazon EC2) instances, you’re responsible for management of the guest operating system (including updates and security patches), any application software or utilities you install on the instances, and the configuration of the AWS-provided firewall (called a security group) on each instance. These are basically the same security tasks that you’re used to performing no matter where your servers are located. AWS managed services like Amazon RDS or Amazon Redshift provide all of the resources you need in order to perform a specific task, but without the configuration work that can come with them. With managed services, you don’t have to worry about launching and maintaining instances, patching the guest operating system or database, or replicating databases – AWS handles that for you. But as with all services, you should protect your AWS account credentials, and set up individual user accounts with AWS Identity and Access Management (IAM) so that each of your users has her own credentials, and you can implement segregation of duties. You should consider using Multi-Factor Authentication (MFA) with each account, requiring the use of SSL/TLS to communicate with your AWS resources, and setting up Application Programming Interface (API) and user activity logging with AWS CloudTrail. Figure 3.1 demonstrates the shared responsibility model.
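Two of the customer-side controls recommended in this section and in the "Shared Responsibility Model" section above (requiring SSL/TLS for calls to AWS resources, and requiring MFA on each user's credentials) can be enforced with IAM policy rather than left to user discipline. The following is an added example, not code from the study guide or from AWS: it builds the two guardrail policies and a small structural checker that reports which guardrails a given policy document is missing. The condition keys `aws:SecureTransport` and `aws:MultiFactorAuthPresent` are real AWS global condition keys; the function names, the sample weak policy and the checker logic are constructed for this illustration.

```python
"""Added example (not from the study guide or AWS): IAM guardrail policies
for TLS-only and MFA-only access, plus a lint that detects their absence.

Real AWS global condition keys used:
  aws:SecureTransport         - "true" when the API request arrived over TLS
  aws:MultiFactorAuthPresent  - "true" when the caller's session used MFA
Everything else here is constructed for the example."""
import json


def tls_only_policy() -> dict:
    """Explicit Deny for any request that did not arrive over SSL/TLS.
    An explicit Deny always wins over an Allow in IAM evaluation, so this
    blocks plain-HTTP API calls no matter what other policies grant."""
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Sid": "DenyNonTLSRequests",
            "Effect": "Deny",
            "Action": "*",
            "Resource": "*",
            "Condition": {"Bool": {"aws:SecureTransport": "false"}},
        }],
    }


def mfa_required_policy() -> dict:
    """Explicit Deny for everything except the calls a user needs in order
    to enrol an MFA device, unless the session was established with MFA.
    BoolIfExists also denies when the key is absent (e.g. access keys used
    without a session token), which is the usual intent for this guardrail."""
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Sid": "DenyAllExceptListedIfNoMFA",
            "Effect": "Deny",
            "NotAction": [
                "iam:CreateVirtualMFADevice",
                "iam:EnableMFADevice",
                "iam:ListMFADevices",
                "iam:ListVirtualMFADevices",
                "iam:ResyncMFADevice",
                "sts:GetSessionToken",
            ],
            "Resource": "*",
            "Condition": {"BoolIfExists": {"aws:MultiFactorAuthPresent": "false"}},
        }],
    }


# Constructed sample: the kind of broad Allow that has neither guardrail.
WEAK_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{"Effect": "Allow", "Action": "s3:*", "Resource": "*"}],
}


def _as_list(value):
    """IAM allows a single string or a list in most fields; normalise."""
    return value if isinstance(value, list) else [value]


def enforces_guardrail(policy: dict, condition_key: str) -> bool:
    """True if the policy has a Deny over all resources whose Bool or
    BoolIfExists condition fires when `condition_key` is "false".
    This is a structural lint, not a full IAM policy evaluator."""
    for stmt in _as_list(policy.get("Statement", [])):
        if stmt.get("Effect") != "Deny":
            continue
        if "*" not in _as_list(stmt.get("Resource", [])):
            continue
        cond = stmt.get("Condition", {})
        for operator in ("Bool", "BoolIfExists"):
            value = cond.get(operator, {}).get(condition_key, "")
            if str(value).lower() == "false":
                return True
    return False


def audit(policies: dict) -> dict:
    """Map each policy name to the list of guardrails it does not enforce,
    so an operator can see what still needs to be attached to a group."""
    report = {}
    for name, policy in policies.items():
        missing = []
        if not enforces_guardrail(policy, "aws:SecureTransport"):
            missing.append("tls")
        if not enforces_guardrail(policy, "aws:MultiFactorAuthPresent"):
            missing.append("mfa")
        report[name] = missing
    return report


if __name__ == "__main__":
    sample = {"weak": WEAK_POLICY,
              "tls": tls_only_policy(),
              "mfa": mfa_required_policy()}
    print(json.dumps(audit(sample), indent=2))
```

In practice you would attach both Deny policies to every IAM group (or as a permissions boundary) rather than to individual users, so a newly created user inherits them the moment she is added to a group; the `audit` function is the kind of check you would run over `get-account-authorization-details` output to confirm nothing was created without them.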

