Chapter 13: AWS Risk and Compliance
- A, B, C. Answers A through C describe valid mechanisms that AWS uses to communicate with customers regarding its security and control environment. AWS does not allow customers’ auditors direct access to AWS data centers, infrastructure, or staff.
  - AWS does not give customers' auditors direct access to its data centers, infrastructure, or staff.
- C. The shared responsibility model can include IT controls, and it is not just limited to security considerations. Therefore, answer C is correct.
  - The shared responsibility model covers IT controls, not only security considerations.
- A. AWS provides IT control information to customers through either specific control definitions or general control standard compliance.
  - AWS gives customers IT control information either through specific control definitions or through compliance with general control standards.
- A, B, D. There is no such thing as a SOC 4 report, therefore answer C is incorrect.
  - Third-party standards AWS complies with include SOC 1, PCI DSS Level 1, and ISO 27001; there is no SOC 4 report.
- A. IT governance is still the customer’s responsibility.
  - IT governance remains the customer's responsibility even after the customer has moved its systems into AWS.
- D. Any number of components of a workload can be moved into AWS, but it is the customer’s responsibility to ensure that the entire workload remains compliant with various certifications and third-party attestations.
  - Any number of components can be migrated into AWS, but keeping the entire workload compliant with the relevant certifications and third-party attestations remains the customer's responsibility.
- B. An Availability Zone consists of multiple discrete data centers, each with its own redundant power and networking/connectivity, therefore answer B is correct.
- A Region is a physical location in the world where AWS has multiple Availability Zones.
- Availability Zones consist of one or more discrete data centers, each with redundant power, networking, and connectivity, housed in separate facilities that are isolated from one another for power, fire, water, and network events.
- A, C. AWS regularly scans public-facing, non-customer endpoint IP addresses and notifies appropriate parties. AWS does not scan customer instances, and customers must request the ability to perform their own scans in advance, therefore answers A and C are correct.
  - AWS regularly scans its own public-facing, non-customer endpoint IP addresses and notifies the appropriate parties of what it finds.
  - AWS does not scan customer instances; customers who want to run their own scans must request permission from AWS in advance.
- B. AWS publishes information publicly online and directly to customers under NDA, but customers are not required to share their use and configuration information with AWS, therefore answer B is correct.
  - AWS publishes security information publicly and shares more with customers directly under NDA, but customers are not required to share their own usage or configuration details with AWS.
- C. AWS has developed a strategic business plan, and customers should also develop and maintain their own risk management plans, therefore answer C is correct.
  - AWS has its own risk management plan; customers must develop and maintain their own as well.
- B. The collective control environment includes people, processes, and technology necessary to establish and maintain an environment that supports the operating effectiveness of AWS control framework. Energy is not a discretely identified part of the control environment, therefore B is the correct answer.
  - The collective control environment includes people, processes, and technology; energy is not a separately identified part of it.
- D. Customers are responsible for ensuring all of their security group configurations are appropriate for their own applications, therefore answer D is correct.
  - AWS provides security groups as a service; configuring them correctly for each application is the customer's job.
- C. Customers should ensure that they implement control objectives that are designed to meet their organization’s own unique compliance requirements, therefore answer C is correct.
  - Customers should ensure that their control objectives are designed to meet their own organization's compliance requirements.
Key Points Summary
Understand the shared responsibility model. The shared responsibility model is not just limited to security considerations; it also extends to IT controls. For example, the management, operation, and verification of IT controls are shared between AWS and the customer. AWS manages these controls where it relates to physical infrastructure.
The shared responsibility model is not limited to security considerations; it extends to IT controls. For example, the management, operation, and verification of IT controls are shared between AWS and the customer, with AWS managing the controls that relate to the physical infrastructure.
Remember that IT governance is the customer’s responsibility. It is the customer’s responsibility to maintain adequate governance over the entire IT control environment, regardless of how its IT is deployed (on-premises, cloud, or hybrid).
IT governance is the customer's responsibility. The customer must maintain adequate governance over the entire IT control environment, whether its IT is deployed on-premises, in the cloud, or in a hybrid arrangement.
Understand how AWS provides control information. AWS provides IT control information to customers in two ways: via specific control definition and through a more general control standard compliance.
AWS provides control information to customers in two ways: through specific control definitions and through compliance with more general control standards.
Remember that AWS is very proactive about risk management. AWS takes risk management very seriously, so it has developed a business plan to identify any risks and to implement controls to mitigate or manage those risks. An AWS management team reevaluates the business risk plan at least twice a year. As a part of this process, management team members are required to identify risks within their specific areas of responsibility and then implement controls designed to address and perhaps even eliminate those risks.
AWS is proactive and serious about risk management, so it has developed a business plan to identify risks and to implement controls that mitigate or manage them. An AWS management team re-evaluates the business risk plan at least twice a year. As part of that process, management team members must identify the risks within their own areas of responsibility and implement controls designed to address, and where possible eliminate, those risks.
Remember that the control environment is not just about technology. The AWS control environment consists of policies, processes, and control activities. This control environment includes people, processes, and technology.
The control environment is not just a matter of technology. The AWS control environment consists of policies, processes, and control activities, and it includes people, processes, and technology.
Remember the key reports, certifications, and third-party attestations. The key reports, certifications, and third-party attestations include, but are not limited to, the following:
FedRAMP
FIPS 140–2
FISMA and DIACAP
HIPAA
ISO 9001
ISO 27001
ITAR
PCI DSS Level 1
SOC 1/ISAE 3402
SOC 2
SOC 3