Securing Data Pipelines in AWS

Questions and Answers

In the AWS shared responsibility model, which of the following is primarily the customer's responsibility?

• Managing and securing the operating system of EC2 instances. (correct)
• Securing the underlying hardware of AWS data centers.
• Ensuring network resilience across availability zones.
• Physical security of AWS facilities.

Which of the following design principles is MOST relevant to ensuring continuous monitoring and alerting of security-related events in a data pipeline?

• Automate security best practices.
• Prepare for security events. (correct)
• Apply security at all layers.
• Implement a strong identity foundation.

Which access management principle focuses on granting only the essential permissions required to perform a specific task?

• Authorization
• Authentication
• Principle of least privilege (correct)
• Role-based access control (RBAC)

What is the primary function of AWS Identity and Access Management (IAM)?

To securely share and control access to AWS resources for individuals and groups. (A)

When implementing data security, what is the PRIMARY difference between 'data at rest' and 'data in transit'?

Data at rest is any data that persists in nonvolatile storage, while data in transit is data being transferred between systems. (B)

AWS Key Management Service (KMS) uses Hardware Security Modules (HSMs) to protect your keys. What does this protect against?

Unauthorized physical extraction of keys. (A)

Why is logging and monitoring crucial for maintaining data security in AWS?

It helps spot issues before they impact operations and assists in compliance with regulations. (D)

What is the primary purpose of AWS CloudTrail?

To record actions taken by users, roles, and AWS services as events. (A)

Which of the following best describes the capabilities of Amazon CloudWatch?

It is a monitoring and observability service that provides a unified view of the operational health of AWS resources. (A)

What is the main takeaway regarding access management and the 'principle of least privilege'?

Access management should consist of authentication and authorization, adhering to the principle of least privilege with both. (A)

What is the recommended first step when classifying and protecting data in analytics workloads?

Understand data classifications and policies. (D)

When controlling data access in analytics workloads, what is the PRIMARY responsibility of data owners?

To determine who should have access to the data. (D)

What is crucial to implement regarding security to workload infrastructure?

Implement least privilege policies. (C)

In a stream processing pipeline, what should happen to data classifications?

The data classifications should be maintained throughout the pipeline. (A)

An organization wants to set up automated notifications whenever there are unusual access patterns to sensitive data stored in Amazon S3. Which AWS service would be MOST suitable for this purpose?

Amazon CloudWatch (D)

A company needs to ensure that all data transferred to and from their Amazon S3 buckets is encrypted. What is the MOST efficient way to achieve this?

Enable default encryption on the S3 bucket. (B)

A data engineer is tasked with creating an audit trail for all API calls made within their AWS account. Which AWS service should they use?

AWS CloudTrail (C)

An organization wants to enforce multi-factor authentication (MFA) for all IAM users accessing the AWS Management Console. How can they achieve this?

Create an IAM policy that requires MFA for console access. (C)

A company is designing a data pipeline that involves processing sensitive customer data. Which of the following security measures is MOST important to implement?

Enforce encryption at rest and in transit. (B)

A security engineer needs to ensure that only authorized applications can access an Amazon RDS database instance. How can this be achieved?

By configuring security groups to allow traffic only from authorized sources. (C)

You need to monitor the CPU utilization of an EC2 instance and receive an alert if it exceeds 80%. Which AWS service should you use?

Amazon CloudWatch (B)

Which of the following is a key aspect of a data security plan?

Securing data at rest and data in transit. (C)

What is the primary purpose of AWS KMS?

Create and manage cryptographic keys. (C)

Which of the following is an example of client-side encryption?

Encrypting data on a local machine before uploading it to AWS. (D)

What is the purpose of federated identity management?

To enable users to access AWS resources using existing credentials from corporate directories. (D)

What type of action should be taken in response to unauthorized access of your AWS account?

Change the password and set up logging. (C)

What is the correct order to undertake operations to protect data?

Understand, identify, implement. (B)

What is the AWS service that can allow you to monitor changes of infrastructure?

CloudTrail (D)

What is the first step to building and maintaining a secure and robust data pipeline?

Classify and protect the data. (B)

In AWS, which service helps you to manage encryption keys?

AWS KMS (B)

Which of the below is the best practice to follow for the access and use of data?

Revoke unnecessary permissions. (B)

How can you monitor the logs on AWS?

CloudWatch (C)

Which service is the primary AWS soluton for logging activity?

CloudTrail (C)

Logging and monitoring can help maintain compliance with?

Local laws and regulations. (D)

To ensure compliance and protect sensitive information, what is one thing you should share downstream when accessing data?

Data classifications. (A)

Which AWS service can assist in enabling governance and compliance as well as operational and risk auditing of your AWS account?

AWS CloudTrail (B)

Which action allows for the most secure environment?

Implement least privilege policies. (C)

Which can AWS CloudTrail record?

Actions taken by a user, role, or AWS service as events. (C)

In AWS, what is 'data at rest'?

Any data that persists in nonvolatile storage for duration. (D)

Flashcards

Module Objective

Highlight cloud security best practices for analytics and ML data pipelines.

Module Objective

List AWS services that secure a data pipeline.

Module Objective

Describe how IaC supports data pipeline security and scalability.

Module Objective

Identify the function of common AWS CloudFormation template sections.

Customer responsibility

Responsibility for security in the cloud.

AWS responsibility

Responsibility for security of the cloud

Customer Security Examples

Platform, applications, identity, and access management.

AWS Security Examples

Compute, storage, databases, and networking.

Data security principle

Implement a strong identity foundation.

Data security principle

Enable traceability.

Data security principle

Apply security at all layers.

Data security principle

Automate security best practices.

Data security principle

Protect data in transit and at rest.

Data security principle

Keep people away from data.

Data security principle

Prepare for security events.

Authentication

Uses credentials to establish the identity of the requestor.

Authorization

Takes place only after authentication.

Principle of Least Privilege

Grant only the permissions that are required to perform a task.

AWS IAM

Helps you securely share and control access to your AWS resources for individuals and groups.

AWS KMS

Protects your keys with hardware security modules (HSMs).

Logging

Collection and recording of activity and event data.

Monitoring

Continuous verification of the security and performance of your resources, applications, and data.

AWS CloudTrail

The primary AWS solution for logging.

Amazon CloudWatch

Monitoring and observability service to monitor AWS cloud resources.

Data at Rest

Data that persists in nonvolatile storage for any duration.

Data in Transit

Data that is sent from one system to another.

Data at rest protection

Implement secure key management.

Data at rest protection

Enforce encryption at rest.

Data in transit protection

Implement secure key and certificate management.

Analytic workloads principle

Ensure environments are accessible with the least permissions.

Analytic workloads principle

Honor the data classifications and protection policies

Study Notes

• Cloud security best practices apply to analytics and machine learning (ML) data pipelines
• AWS services play key roles in securing a data pipeline
• Infrastructure as Code (IaC) supports the security and scalability of a data pipeline infrastructure
• Identify the function of common AWS CloudFormation template sections

AWS Well-Architected Framework: Security

• Security is a component of theAWS Well-Architected Framework
• Operational Excellence is a component of theAWS Well-Architected Framework
• Reliability is a component of theAWS Well-Architected Framework
• Performance Efficiency is a component of theAWS Well-Architected Framework
• Cost Optimization is a component of theAWS Well-Architected Framework
• Sustainabilty is a component of theAWS Well-Architected Framework

Shared Responsibility Model

• Customer responsibilities in the cloud include securing customer data, managing platforms, applications, identity, and access, and configuring the operating system, network, and firewalls
• Customer is responsible for client-side data encryption, data integrity, and authentication
• Customer is responsible for server-side encryption (file system and data)
• Customer is responsible for networking traffic protection (encryption, integrity, and identity)
• AWS responsibilities include providing foundation services like compute, storage, and databases
• AWS is responsible for networking, global infrastructure, including Regions, Availability Zones, and Edge Locations

Design Principles for Data Security

• Implement a strong identity foundation
• Enable traceability
• Apply security at all layers
• Automate security best practices
• Protect data in transit and at rest
• Keep people away from data
• Prepare for security events

Access management

• Authentication uses credentials to establish the identity of the requestor
• Authentication grants or denies access to resources based on identity
• Authentication utilities usernames, passwords, and multi-factor authentication (MFA) among other methods
• Authorization takes place only after authentication
• Authorization determines the level of access that an identity has to a resource
• Authorization methods include attribute-based access control (ABAC) and role-based access control (RBAC)
• Principle of least privilege grants only the permissions that are required to perform a task
• Users should start with a minimum set of permissions
• Grant additional permissions as necessary
• Revoke unnecessary permissions

AWS Identity and Access Management (IAM)

• Enables securely sharing and controlling access to AWS resources for individuals and groups
• Integrates with most AWS Services
• Supports federated identity management
• Supports granular permissions
• Supports MFA
• Provides identity information for information assurance and compliance audits

Data Security

• Data at rest persists in nonvolatile storage for any duration
• Enforce access control policies for data at rest
• Audit the use of encryption keys for data at rest
• Implement secure key management for data at rest
• Enforce encryption at rest
• Automate data-at-rest protection
• Audit data access logs
• Apply mechanisms to keep people away from data
• Data in transit is data that is sent from one system to another
• Implement secure key and certificate management for data in transit
• Enforce encryption in transit
• Authenticate network communications for data in transit
• Automate detection of unintended data access for data in transit
• Secure data from between VPC or on-premises locations

AWS Key Management Service (AWS KMS)

• The AWS Key Management Service AWS KMS creates and manages cryptographic keys
• It utilizes hardware security modules (HSMs) to protect keys
• Is integrated with other AWS services
• Allows setting usage policies to determine which users can use which keys

Logging and monitoring

• Logging is the collection and recording of activity and event data
• The information logged varies based on the service
• Common log elements include date and time of event, origin of event, and identity of resources that were accessed
• Monitoring is the continuous verification of the security and performance of resources, applications, and data
• AWS provides several services that give visibility to spot issues before they impact operations

AWS CloudTrail

• CloudTrail is the primary AWS solution for logging
• CloudTrail assists in enabling governance and compliance
• It assists in enabling operational and risk auditing of AWS accounts
• Records actions taken by a user, role, or AWS service as events
• CloudTrail can be used to view, search, download, archive, analyze, and respond to account activity across the AWS infrastructure

Amazon CloudWatch

• CloudWatch is a monitoring and observability service
• CloudWatch provides a unified view of the operational health of AWS resources, applications, and services
• It collects metrics in the AWS Cloud and on-premises
• CloudWatch can be used to monitor and troubleshoot infrastructure
• CloudWatch has ability to customize logs and events

Key Takeaways: Cloud Security Review

• Access management consists of authentication and authorization; adhere to the principle of least privilege with both
• IAM integrates with most AWS services and helps securely share and control individual and group access to AWS resources
• Securing data at rest and data in transit is a key aspect of a data security plan
• Logging and monitoring can assist your organization to maintain compliance with local laws and regulations

Classify and Protect Data

• Data classifications and policies are needed as a requirement
• Identifying the source data owners is needed as a requirement
• Recording data classifications into the Data Catalog is needed as a requirement
• Implementing data encryption policies is needed as a requirement
• Implementing data retention policies is needed as a requirement
• Honoring classifications downstream is recommended

Control the Data Access

• Allowing data owners to determine access is required
• Building user identity solutions is required
• Implementing data access authorization models is recommended
• Establishing an emergency access process is recommended

Control Access to Workload Infrastructure

• Preventing unintended access is required
• Implementing least privilege policies is required
• Monitoring the infrastructure changes and user activities is recommended
• Securing infrastructure audit logs is recommended

Securing the Stream Processing Pipeline

• Data classification is maintained throughout the pipeline
• Stream processing pipeline includes data sources (continuous stream)
• Stream processing pipeline includes ingestion and producers
• Stream processing pipeline includes Stream storage
• Stream processing pipeline includes stream processing and consumers
• Stream processing pipeline includes downstream destinations
• AWS activities that emit CloudWatch include Events, Kinesis Data Streams, Amazon Managed Service for Apache Flink, Amazon S3, and Amazon Redshift

Key Takeaways: Security of Analytics Workloads

• Honor the data classifications and protection policies that the owners of the source data assigned
• Secure access to the data in the analytics workload
• Share data downstream in compliance with the source system's classification policies
• Ensure the environment is accessible with the least permissions necessary
• Automate auditing of environment changes, and alert in case of abnormal environment access