Chapter 12: Security on AWS

1. B. All decommissioned magnetic storage devices are degaussed and physically destroyed in accordance with industry-standard practices.

• 哪些流程是AWS数据安全的操作流程：这里退役的存储设备，AWS是先经过消磁，然后进行销毁，基于行业最佳实践进行的。

2. C. The administrator password is encrypted with the public key of the key pair, and you provide the private key to decrypt the password. Then log in to the instance as the
   administrator with the decrypted password.

• 虽然windows实例是通过rdp访问的，但是管理员的密码是通过公钥进行加密的，我们需要通过私钥解密进行使用；

3. C. By default, network access is turned off to a DB Instance. You can specify rules in a security group that allows access from an IP address range, port, or Amazon Elastic
   Compute Cloud (Amazon EC2) security group.

• 数据库的安全组默认是不允许任何访问的，你可以在安全组构建规则，设置IP范围，端口等

4. A. Amazon S3 SSE uses one of the strongest block ciphers available, 256-bit AES.

• AWS S3的sse使用的是最强的跨加密算法 AES 256；

5. C. IAM permits users to have no more than two active access keys at one time.

• IAM允许用户一次不能使用超过两个AK

6. B. The shared responsibility model is the name of the model employed by AWS with its customers.

• AWS与他的客户之间的模型是共享责任模型，AWS负责基础设施安全，客户负责基础设施之上的所有内容安全

7. D. When you choose AWS KMS for key management with Amazon Redshift, there is a four-tier hierarchy of encryption keys. These keys are the master key, a cluster key, a
   database key, and data encryption keys.

• Redshift有四层架构的加密key：master key、cluster key、database key、data key

8. D. Elastic Load Balancing supports the Server Order Preference option for negotiating connections between a client and a load balancer. During the SSL connection negotiation process, the client and the load balancer present a list of ciphers and protocols that they each support, in order of preference. By default, the first cipher on the client’s list that matches any one of the load balancer’s ciphers is selected for the SSL connection. If the load balancer is configured to support Server Order Preference, then the load balancer selects the first cipher in its list that is in the client’s list of ciphers. This ensures that the load balancer determines which cipher is used for SSL connection. If you do not enable Server Order Preference, the order of ciphers presented by the client is used to negotiate connections between the client and the load balancer.

• ELB是通过Server Order Perference设置ssl证书的；

9. C. Amazon WorkSpaces uses PCoIP, which provides an interactive video stream without transmitting actual data.

• Amazon WorkSpaces 提供了一种简便的方式来为您的最终用户提供基于云的桌面体验。您可以选择提供不同数量的 CPU、内存和存储的捆绑包，也可以选择应用程序。用户可以从 PC、Mac 台式计算机、iPad、Kindle 或 Android 平板电脑连接。
• 他的安全策略是 PC-OVER-IP（PCoIP）

10. C. Distributing applications across multiple Availability Zones provides the ability to
    remain resilient in the face of most failure modes, including natural disasters or system
    failures.

• 保证高可用是架构师第一考虑要务；

11. A. A virtual MFA device uses a software application that generates six-digit authentication codes that are compatible with the TOTP standard, as described in RFC 6238.

• MFA软件应用生成临时的一次性访问密码。这个在RFC6238中体现过；

12. B, D. Amazon DynamoDB does not have a server-side feature to encrypt items within a table. You need to use a solution outside of DynamoDB such as a client-side library to encrypt items before storing them, or a key management service like AWS Key Management Service to manage keys that are used to encrypt items before storing them in DynamoDB.

• DynamoDB没有server-side的加密特性；只能通过客户端加密的方式存储数据。KMS可以通过数据加密的能力；

13. B. If your private key can be read or written to by anyone but you, then SSH ignores your key.

• EC2的private key如果可以被任意人进行访问读写，SSH会忽略这个key；

14. D. Amazon Cognito Identity supports public identity providers—Amazon, Facebook, and Google—as well as unauthenticated identities.

• AWS的Cognito支持公共的ID提供商有：Amazon、Facebook、Google

15. A. An instance profile is a container for an IAM role that you can use to pass role
    information to an Amazon EC2 instance when the instance starts.

• IAM是AWS用来设置安全访问策略的服务。EC2一般通过角色方式进行访问；

16. B. A network ACL is an optional layer of security for your Amazon VPC that acts as a firewall for controlling traffic in and out of one or more subnets. You might set up network ACLs with rules similar to your security groups in order to add an additional
    layer of security to your Amazon VPC.

• ACLs很类似SG，ACL是用来增加VPC额外安全层的方案，但是他是无状态的。SG的进出规则是有状态的；

17. D. The Signature Version 4 signing process describes how to add authentication information to AWS requests. For security, most requests to AWS must be signed with an access key (Access Key ID [AKI] and Secret Access Key [SAK]). If you use the AWS Command Line Interface (AWS CLI) or one of the AWS Software Development Kits (SDKs), those tools automatically sign requests for you based on credentials that you
    specify when you configure the tools. However, if you make direct HTTP or HTTPS calls to AWS, you must sign the requests yourself.

• Signature Version4 是最新的数字签名版本；

18. B. Dedicated instances are physically isolated at the host hardware level from your instances that aren’t dedicated instances and from instances that belong to other AWS accounts.

• 专属instance是让租户将所有ec2在一个设备上生成；

19. C. Amazon EMR starts your instances in two Amazon Elastic Compute Cloud (Amazon EC2) security groups, one for the master and another for the slaves. The master security group has a port open for communication with the service. It also has the SSH port open to allow you to securely connect to the instances via SSH using the key specified at startup. The slaves start in a separate security group, which only allows interaction with the master instance. By default, both security groups are set up to prevent access from external sources, including Amazon EC2 instances belonging to other customers. Because these are security groups in your account, you can reconfigure them using the standard Amazon EC2 tools or dashboard.

• EMR的master安全组和slave安全组是独立的，并且设置成slave安全组只允许master访问；

20. A. When you create an Amazon EBS volume in an Availability Zone, it is automatically replicated within that Availability Zone to prevent data loss due to failure of any single hardware component. An EBS Snapshot creates a copy of an EBS volume to Amazon S3 so that copies of the volume can reside in different Availability Zones within a region.

• EBS是默认将数据在一个region中跨AZ进行复制；
• EBS的snapshot创建一个EBS卷到S3中，所以卷的副本可以在一个region的不同AZ复制；

知识点总结

• Understand the shared responsibility model. AWS is responsible for securing the underlying infrastructure that supports the cloud, and you’re responsible for anything you put on the cloud or connect to the cloud.

• AWS的安全模型是共享责任模型。AWS为云的基础设施架构负责，客户为任何部署在云上或者联接到云上的服务安全服务则

• Understand regions and Availability Zones. Each region is completely independent. Each region is designed to be completely isolated from the other regions. This achieves the greatest possible fault tolerance and stability. Regions are a collection of Availability Zones. Each Availability Zone is isolated, but the Availability Zones in a region are connected
  through low-latency links.

• AWS的每个region完全独立。每个region被设计成完全独立于其他区域。这个会最大的支持容灾和稳定性。区域由一系列AZ组成。每个AZ也是独立的，但是同一个region中的不同AZ是低延迟的联接。

• Understand High-Availability System Design within AWS. You should architect your AWS usage to take advantage of multiple regions and Availability Zones. Distributing applications across multiple Availability Zones provides the ability to remain resilient in the face of most failure modes, including natural disasters or system failures.

• AWS的高可用系统设计要求，架构必须利用多region和多AZ的特性。分布式的应用要基于多AZ部署，在面对失败模式的时候保持可用，例如自然灾害和系统失败。

• Understand the network security of AWS. Network devices, including firewall and other boundary devices, are in place to monitor and control communications at the external boundary of the network and at key internal boundaries within the network. These boundary devices employ rule sets, ACLs, and configurations to enforce the flow of information to
  specific information system services. AWS has strategically placed a limited number of access points to the cloud to allow for a more comprehensive monitoring of inbound and outbound communications and network traffic. These customer access points are called API endpoints, and they allow HTTPS access, which allows you to establish a secure communication session with your storage or compute instances within AWS. Amazon EC2 instances cannot send spoofed network traffic. The AWS-controlled, host-based firewall infrastructure will not permit an instance to send traffic with a source IP or MAC address other than its own.

• AWS的网络安全。网络设备，包括防火墙和其他边界设备，被用作监控和控制内外部网络边界。这些边界设备可以设置规则集合，处理访问控制，配置强制信息流量到指定的系统服务。AWS有一个策略性质的限制云的访问点，用来监控网络流量的出入。企业客户可以通过API endpoints范文，支持https形式的访问，允许你建立一个安全的会话，在你的存储和instance之间。EC2实例不能发送一个不受信任的流量。AWS的受控防火墙基础设施将不会允许除了自己之外的任何实例通过一个sourceIP或者mac地址去传递流量。

• Unauthorized port scans by Amazon EC2 customers are a violation of the AWS Acceptable Use Policy. Violations of the AWS Acceptable Use Policy are taken seriously, and every reported violation is investigated.
  It is not possible for an Amazon EC2 instance running in promiscuous mode to receive or “sniff” traffic that is intended for a different virtual instance.

• EC2客户未经授权的端口扫描是违反AWS使用协议的。违法AWS使用协议是非常严肃的事情，每个违反报告都会被调查。对于EC2实例来说是不能在一种不确定嗅探规则下运行的。

• Understand the use of credentials on AWS. AWS employs several credentials in order to positively identify a person or authorize an API call to the platform. Credentials include:
  Passwords
  AWS root account or IAM user account login to the AWS Management Console
  Multi-Factor Authentication (MFA)
  AWS root account or IAM user account login to the AWS Management Console
  Access Keys
  Digitally signed requests to AWS APIs (using the AWS SDK, CLI, or REST/Query APIs)

• AWS的证书使用场景。AWS提供了几种授信模式去识别一个人或者一个API的调用。授信证书包括：密码、AWS root账户或者IAM user账户登录AWS管理控制台、MFA、Access Keys、API的数字签名请求；

• Understand the proper use of access keys. Because access keys can be misused if they fall into the wrong hands, AWS encourages you to save them in a safe place and not to embed them in your code. For customers with large fleets of elastically-scaling Amazon EC2
  instances, the use of IAM roles can be a more secure and convenient way to manage the distribution of access keys.

• 了解access keys的使用场景。因为AK可以被他们错误的使用。AWS建议你将他们存储在一个安全的地方，而不是嵌入在code中。对于使用大量EC2的场景，使用IAM roles会更加的安全便利；

• Understand the value of AWS CloudTrail. AWS CloudTrail is a web service that records API calls made on your account and delivers log files to your Amazon S3 bucket. AWS CloudTrail’s benefit is visibility into account activity by recording API calls made on your account.

• AWS CloudTrail 是一个web service用来记录你账户的API调用，同时提供调用日志在你的S3上。AWS CloudTrail’s的好处是将账户的所有调动记录了并可视化。

• Understand the security features of Amazon EC2. Amazon EC2 uses public-key cryptography to encrypt and decrypt login information. Public-key cryptography uses a public key to encrypt a piece of data, such as a password, and then the recipient uses the private key to decrypt the data. The public and private keys are known as a key pair.To log in to your instance, you must create a key pair, specify the name of the key pair when you launch the instance, and provide the private key when you connect to the instance. Linux instances have no password, and you use a key pair to log in using SSH. With Windows instances, you use a key pair to obtain the administrator password and then log in using RDP.
  A security group acts as a virtual firewall that controls the traffic for one or more instances. When you launch an instance, you associate one or more security groups with the instance. You add rules to each security group that allow traffic to or from its associated instances. You
  can modify the rules for a security group at any time; the new rules are automatically applied to all instances that are associated with the security group.

• 理解EC2的安全特性。EC2使用公钥和私钥加密信息提供登录。默认是不提供任何访问密码的。通过创建密钥对，将私钥存储下载，通过SSH加载私钥访问EC2。对于windows instance，是采用一个秘钥端来获取管理员账号密码，然后通过RDP登录。

• 安全组扮演了一个虚拟防火墙的角色，用来控制一个或者多个instance的流量。当你启动一个instance，你会关联一个或者多个安全组，你可以为每个安全组增加规则来管理instance的流量进出。你可以随时修改安全组的规则，关联到安全组的实例会实时生效。

• Understand AWS use of encryption of data in transit. All service endpoints support encryption of data in transit via HTTPS.

• AWS的有服务endpoints的数据传输加密是通过HTTPS完成的

• Know which services offer encryption of data at rest as a feature. The following services offer a feature to encrypt data at rest:
  Amazon S3
  Amazon EBS
  Amazon Glacier
  AWS Storage Gateway
  Amazon RDS
  Amazon Redshift
  Amazon WorkSpaces

• 提供数据加密特性的服务如下：S3、EBS、Glacier、Storage Gateway、RDS、Redshift、WorkSpaces