1. Shared Responsibility Model
1.1. Customer responsibilities
1.1.1. Customers are responsible for the security of everything that THEY create and put in the AWS Cloud.
1.1.1.1. Think "homeowner"
1.2. AWS responsibilities
1.2.1. AWS is responsible for security of the cloud.
1.2.1.1. Think "homebuilder"
2. User permissions and access
2.1. Account
2.1.1. AWS account root user
2.1.1.1. Gmail and Credit Card User
2.1.2. Multi-factor authentication
2.1.2.1. In IAM, multi-factor authentication (MFA) provides an extra layer of security for your AWS account.
2.2. AWS Identity and Access Management (IAM)
2.2.1. AWS Identity and Access Management enables you to manage access to AWS services and resources securely.
2.2.2. IAM user
2.2.2.1. An IAM user is an identity that you create in AWS.
2.2.3. IAM policies
2.2.3.1. An IAM policy is a document that allows or denies permissions to AWS services and resources.
2.2.4. IAM groups
2.2.4.1. An IAM group is a collection of IAM users.
2.2.5. IAM roles
2.2.5.1. An IAM role is an identity that you can assume to gain temporary access to permissions.
3. AWS Organizations
3.1. Use AWS Organizations to consolidate and manage multiple AWS accounts within a central location.
3.2. In AWS Organizations, you can centrally control permissions for the accounts in your organization by using service control policies (SCPs).
3.3. You can group accounts into organizational units (OUs) to make it easier to manage accounts with similar business or security requirements.
4. Compliance
4.1. AWS Artifact
4.1.1. AWS Artifact is a service that provides on-demand access to AWS SECURITY and COMPLIANCE REPORTS and select online agreements.
4.1.2. Two Components
4.1.2.1. AWS Artifact Agreements
4.1.2.1.1. In AWS Artifact Agreements, you can review, accept, and manage agreements for an individual account and for all your accounts in AWS Organizations.
4.1.2.2. AWS Artifact Reports
4.1.2.2.1. AWS Artifact Reports provide compliance reports from third-party auditors.
4.2. Customer Compliance Center
4.2.1. The Customer Compliance Center contains resources to help you learn more about AWS compliance.
5. Denial-of-service attacks
5.1. Types
5.1.1. DoS
5.1.1.1. A denial-of-service (DoS) attack is a deliberate attempt to make a website or application unavailable to users.
5.1.2. DDoS
5.1.2.1. In a distributed denial-of-service (DDoS) attack, multiple sources are used to start an attack that aims to make a website or application unavailable.
5.2. AWS Shield
5.2.1. AWS Shield Standard (no cost)
5.2.1.1. It protects your AWS resources from the most common, frequently occurring types of DDoS attacks.
5.2.2. AWS Shield Advanced (cost)
5.2.2.1. Is a paid service that provides detailed attack diagnostics and the ability to detect and mitigate sophisticated DDoS attacks.
6. Additional security services
6.1. AWS Key Management Service (KMS)
6.1.1. Enables you to perform ENCRYPTION operations through the use of cryptographic KEYS.
6.1.1.1. Encrypt data at REST and in TRANSIT
6.2. AWS Web Application Firewall (WAF)
6.2.1. WAF lets you monitor network requests that come into your web applications.
6.2.1.1. Similar to NACL but uses web access control list (WACL)
6.3. Amazon Inspector
6.3.1. Improve the security and compliance of applications by running AUTOMATED security ASSESSMENTS
6.3.1.1. INSPECT your AWS infrastructure and resources.
6.4. Amazon GuardDuty
6.4.1. Provides intelligent threat detection for your AWS infrastructure and resources.
6.4.1.1. Guard your AWS infrastructure and resources against THREATS