Securing and Scaling Data Pipelines

Questions and Answers

Which of the following is a key aspect of a data security plan?

• Minimizing the use of cloud services to reduce potential attack vectors.
• Focusing solely on perimeter security to prevent unauthorized access.
• Implementing the latest UI frameworks for data visualization.
• Securing data at rest and data in transit. (correct)

In the shared responsibility model, which of the following is a responsibility of the customer?

• Operating system, network, and firewall configuration. (correct)
• Physical security of data centers.
• Hardware maintenance and upgrades.
• Compliance with regional data residency requirements.

Which access management principle involves granting only the necessary permissions to perform a task?

• Role-Based Access Control (RBAC).
• Attribute-Based Access Control (ABAC).
• Multi-Factor Authentication (MFA).
• Principle of Least Privilege. (correct)

What is the primary function of AWS CloudTrail?

Logging and auditing AWS account activity. (B)

What should organizations do with data classifications and protection policies from source data?

Honor them in analytics workloads. (B)

Which of the following is a recommended control for data access to analytics workloads?

Allowing data owners to determine access. (A)

Which AWS service is designed to enable governance, compliance, operational auditing, and risk auditing of an AWS account?

AWS CloudTrail. (C)

Which of the following is a key benefit of using AWS Identity and Access Management (IAM)?

It enables you to securely share and control access to AWS resources. (C)

When designing for data security, which principle involves ensuring that you can track activities and changes across your environment?

Enabling traceability. (B)

Which of the following AWS services is most suitable for creating and managing cryptographic keys used for data encryption?

AWS KMS. (C)

Why is automating security best practices important for data security?

All of the above. (D)

What action should you perform when an employee who had access to sensitive data leaves the company?

Revoke unnecessary permissions. (D)

What is the AWS service that provides a unified view of the operational health of your AWS resources, applications, and services?

Amazon CloudWatch (B)

What is a critical security Layer to apply to your data?

Identity (D)

What is an important design principle for data security with your AWS resources?

Apply security at all layers (B)

For data that persists in nonvolatile storage for any duration, which protection should you enforce?

Enforce encryption at rest (D)

For Data in Transit, what protection should you enforce?

Enforce encryption in transit. (A)

AWS Key Management Service (AWS KMS) doesn't perform which one of the functions?

Automatically encrypts all your data (C)

When it comes to logging and monitoring, which function analyzes the continuous verification of the security and performance of your resources, applications, and data?

Monitoring (C)

When it comes to enabling governance and other organizational functions on AWS, which service delivers logging?

AWS CloudTrail (D)

Which AWS service uses the visibility to spot issues before they impact operations?

Amazon CloudWatch (B)

Which of the following actions is related to the principle of authentication?

Utilizes usernames, passwords, and multi-factor authentication (B)

What is the main goal of logging and monitoring?

Assist your organization to maintain compliance with local laws and regulations. (C)

Which of the following AWS services is most relevant for identity management?

AWS IAM (C)

Which of the following is a design principle for data security that emphasizes the importance of knowing where your data is and what it is?

Classify and protect data. (A)

In a stream processing pipeline, where should the data classification be maintained?

Throughout the pipeline. (D)

When dealing with data retention, what polices should you enforce for data at rest within your AWS analytics and machine learning workloads?

Implement data retention policies (C)

To protect unauthorized access, you should take what action to safeguard that access?

Prevent unintended access (A)

What principle should you implement when contructing least privelage models?

Implement least privilege policies (C)

AWS Global Infrastructure is composed of?

All of the above (D)

Which task is a responsibility of AWS?

Networking (D)

What action should you take when sharing downstream?

Share data downstream in compliance with the source system's classification policies. (A)

After authentication takes place, what process occurs next?

Authorization (C)

Which of the following AWS services is the primary solution for logging?

AWS CloudTrail (C)

To adhere to data security an organization should follow?

Monitor the infrastructure changes and user activities (A)

What is an AWS service that uses hardware security modules (HSMs) to protect your cryptographic keys?

AWS KMS (D)

What element is an AWS service that is part of common log events?

All of the above (D)

To comply with data protection requirements, what should you implement within analytics?

Implement policies for data classifications (D)

After implementing roles, authentications and identity what action should you implement?

Implement data access authorization models (B)

What is the purpose of AWS IAM?

To manage user access and permissions in AWS. (A)

Flashcards

Cloud Security for Data Pipelines

Cloud security best practices applied to analytics and machine learning (ML) data pipelines.

Shared Responsibility Model

A model where both the customer and the cloud provider share security responsibilities.

Authentication definition

Establishing the identity of the requestor.

Authorization definition

Determining the level of access an identity has to a resource, after authentication.

Principle of Least Privilege

Granting only the permissions required to perform a task.

AWS IAM definition

AWS service to securely share and control access to AWS resources.

Data at Rest definition

Any data that persists in nonvolatile storage for any duration.

Data in Transit definition

Any data sent from one system to another.

AWS KMS definition

AWS service to create and manage cryptographic keys.

Logging definition

Collection and recording of activity and event data.

Monitoring definition

Continuous verification of security and performance of resources.

AWS CloudTrail definition

Primary AWS solution for logging.

Amazon CloudWatch definition

AWS monitoring and observability service.

Study Notes

• The module is about securing and scaling data pipelines
• The module highlights how cloud security best practices apply to analytics and machine learning (ML) data pipelines
• It lists AWS services for securing a data pipeline
• It describes how infrastructure as code (IaC) supports security and scalability of a data pipeline infrastructure
• The module identifies the function of common AWS CloudFormation template sections

Cloud Security Review

• The AWS Well-Architected Framework includes security as a key pillar
• The Shared Responsibility Model describes the division of security responsibilities between AWS and the customer
• The customer is responsible for security in the cloud
• AWS is responsible for security of the cloud
• Key design principles for data security include implementing a strong identity foundation, enabling traceability, applying security at all layers, automating security best practices, protecting data in transit and at rest, keeping people away from data, and preparing for security events

Access Management

• Authentication uses credentials to establish the identity of the requestor; it grants or denies access to resources based on identity
• Authentication utilizes usernames, passwords, and multi-factor authentication (MFA) among other methods
• Authorization takes place only after authentication and determines the level of access that an identity has to a resource
• Common authorization methods include attribute-based access control (ABAC) and role-based access control (RBAC)
• The Principle of Least Privilege involves granting only the necessary permissions to perform a task
• Start with a minimum set of permissions, grant additional permissions as necessary, and revoke unnecessary permissions

AWS Identity and Access Management (IAM)

• IAM helps securely share and control access to AWS resources for individuals and groups
• IAM integrates with most AWS services, supports federated identity management, granular permissions, and MFA
• IAM provides identity information for information assurance and compliance audits

Data Security

• Data at rest is any data that persists in nonvolatile storage for any duration
• Data in transit is any data that is sent from one system to another

Data at rest protections:

• Implement secure key management
• Enforce encryption at rest and access control
• Audit the use of encryption keys and data access logs
• Use mechanisms to keep people away from data
• Automate data-at-rest protection

Data in transit protections:

• Implement secure key and certificate management
• Enforce encryption in transit
• Authenticate network communications
• Automate detection of unintended data access
• Secure data from between VPC or on-premises locations
• AWS Key Management Service (AWS KMS) provides the ability to create and manage cryptographic keys
• KMS uses hardware security modules (HSMs) to protect keys, which are integrated with other AWS services
• KMS provides the ability to set usage policies to determine which users can use which keys

Logging and Monitoring

• Logging is the collection and recording of activity and event data
• The logged information varies based on the service
• Common log elements include date and time of event, origin of event, and identity of resources that were accessed
• Monitoring is the continuous verification of the security and performance of your resources, applications, and data
• AWS provides services that give you the visibility to spot issues before they impact operations
• AWS CloudTrail is the primary AWS solution for logging
• CloudTrail assists in enabling governance and compliance and records actions taken by users, roles, or AWS services as events
• CloudTrail can be used to view, search, download, archive, analyze, and respond to account activity across an AWS infrastructure
• Amazon CloudWatch is a monitoring and observability service
• CloudWatch provides a unified view of the operational health of AWS resources, applications, and services
• CloudWatch collects metrics in the AWS Cloud and on premises and can be used to monitor and troubleshoot infrastructure
• CloudWatch customizes logs and events

Key Takeaways for Cloud Security Review

• Access management includes authentication and authorization; adhere to the principle of least privilege with both
• IAM integrates with most AWS services and helps to securely share and control individual and group access to AWS resources
• Securing data at rest and data in transit is a key aspect of a data security plan
• Logging and monitoring can assist in maintaining compliance with local laws and regulations

Security of analytics workloads

• Classify and protect data by understanding data classifications and policies, identify the source data owners,and record data classifications into the Data Catalog
• Implement data encryption and retention policies and honor classifications downstream
• Control data access by allowing data owners to determine access, build user identity solutions, implement data access authorization models, and establish an emergency access process
• Control the access to workload infrastructure by preventing unintended access,implement least privilege policies,monitor the infrastructure changes and user activities and secure infrastructure audit logs
• Securing the Stream Processing Pipeline includes data sources, ingestion and producers, stream storage, stream processing and consumers, and downstream destinations.

Key Takeaways for Security of Analytics Workloads

• Honor data classifications and protection policies set by source data owners
• Secure access to the data in the analytics workload
• Share data downstream in compliance with the source system's classification policies
• Ensure the environment is accessible with the least permissions necessary
• Automate auditing of environment changes and alert in case of abnormal environment access