Security Flashcards

Question

Security - Kinesis Data Streams

Answer 1

* Kinesis Data Streams * SSL endpoints using the HTTPS protocol to do encryption in flight * AWS KMS provides server-side encryption [Encryption at rest] * For client side-encryption, you must use your own encryption libraries * Supported Interface VPC Endpoints / Private Link – access privately * KCL – must get read / write access to DynamoDB table

Answer 2

* Attach IAM roles so it can deliver to S3 / ES / Redshift / Splunk * Can encrypt the delivery stream with KMS [Server side encryption] * Supported Interface VPC Endpoints / Private Link – access privately * Kinesis Data Analytics * Attach IAM role so it can read from Kinesis Data Streams and reference sources and write to an output destination (example Kinesis Data Firehose)

Answer 3

* Encryption in flight using the HTTPS endpoint * Server Side Encryption using KMS * IAM policy must allow usage of SQS * SQS queue access policy * Client-side encryption must be implemented manually * VPC Endpoint is provided through an Interface

Answer 4

* AWS IoT policies: * Attached to X.509 certificates or Cognito Identities * Able to revoke any device at any time * IoT Policies are JSON documents * Can be attached to groups instead of individual Things. * IAM Policies: * Attached to users, group or roles * Used for controlling IoT AWS APIs * Attach roles to Rules Engine so they can perform their actions

Answer 5

* IAM policies * S3 bucket policies * Access Control Lists (ACLs) * Encryption in flight using HTTPS * Encryption at rest * Server-side encryption: SSE-S3, SSE-KMS, SSE-C * Client-side encryption – such as Amazon S3 Encryption Client * Versioning + MFA Delete * CORS for protecting websites * VPC Endpoint is provided through a Gateway * Glacier – vault lock policies to prevent deletes (WORM)

Answer 6

* Data is encrypted in transit using TLS (HTTPS) * DynamoDB tables are encrypted at rest * KMS encryption for base tables and secondary indexes * AWS owned key (default) * AWS managed key (aws/dynamodb) * AWS customer managed key (your own) * Access to tables / API / DAX using IAM * DynamoDB Streams are encrypted * VPC Endpoint is provided through a Gateway

Answer 7

* VPC provides network isolation * Security Groups control network access to DB Instances * KMS provides encryption at rest * SSL provides encryption in-flight * IAM policies provide protection for the RDS API * IAM authentication is supported by PostgreSQL and MySQL * Must manage user permissions within the database itself * MSSQL Server and Oracle support TDE (Transparent Data Encryption)

Answer 8

* (very similar to RDS) * VPC provides network isolation * Security Groups control network access to DB Instances * KMS provides encryption at rest * SSL provides encryption in-flight * IAM authentication is supported by PostgreSQL and MySQL * Must manage user permissions within the database itself

Answer 9

* IAM roles attached to each Lambda function * Sources * Targets * KMS encryption for secrets * SSM parameter store for configurations * CloudWatch Logs * Deploy in VPC to access private resources

Answer 10

* IAM policies for the Glue service * Configure Glue to only access JDBC through SSL * Data Catalog: Encrypted by KMS * Connection passwords: Encrypted by KMS * Data written by AWS Glue – Security Configurations: * S3 encryption mode: SSE-S3 or SSE-KMS * CloudWatch encryption mode * Job bookmark encryption mod

Answer 11

* Using Amazon EC2 key pair for SSH credentials * Attach IAM roles to EC2 instances for: * proper S3 access * for EMRFS requests to S3 * DynamoDB scans through Hive * EC2 Security Groups * One for master node * Another one for cluster node (core node or task node) * Encrypts data at-rest: EBS encryption, Open Source HDFS Encryption, LUKS + EMRFS for S3 * In-transit encryption: node to node communication, EMRFS, TLS * Data is encrypted before uploading to S3 * Kerberos authentication (provide authentication from Active Directory) * Apache Ranger: Centralized Authorization (RBAC – Role Based Access) – setup on external EC2 * https://aws.amazon.com/blogs/big-data/best-practices-for-securing-amazon-emr/

Answer 12

* Amazon VPC provides network isolation * ElasticSearch policy to manage security further * Data security by encrypting data at-rest using KMS * Encryption in-transit using SSL * IAM or Cognito based authentication * Amazon Cognito allow end-users to log-in to Kibana through enterprise identity providers such as Microsoft Active Directory using SAML

Answer 13

* VPC provides network isolation * Cluster security groups * Encryption in flight using the JDBC driver enabled with SSL * Encryption at rest using KMS or an HSM device (establish a connection) * Supports S3 SSE using default managed key * Use IAM Roles for Redshift * To access other AWS Resources (example S3 or KMS) * Must be referenced in the COPY or UNLOAD command (alternatively paste access key and secret key creds)

Answer 14

* IAM policies to control access to the service * Data is in S3: IAM policies, bucket policies & ACLs * Encryption of data according to S3 standards: SSE-S3, SSEKMS, CSE-KMS * Encryption in transit using TLS between Athena and S3 and JDBC * Fine grained access using the AWS Glue Catalog

Answer 15

* Standard edition: * IAM users * Email based accounts * Enterprise edition: * Active Directory * Federated Login * Supports MFA (Multi Factor Authentication) * Encryption at rest and in SPICE * Row Level Security to control which users can see which rows

Answer 16

* Allows to grant limited and temporary access to AWS resources. * Token is valid for up to one hour (must be refreshed) * Cross Account Access * Allows users from one AWS account access resources in another * Federation (Active Directory) * Provides a non-AWS user with temporary AWS access by linking users Active Directory credentials * Uses SAML (Security Assertion markup language) * Allows Single Sign On (SSO) which enables users to log in to AWS console without assigning IAM credentials * Federation with third party providers / Cognito * Used mainly in web and mobile applications * Makes use of Facebook/Google/Amazon etc to federate them

Answer 17

* Define an IAM Role for another account to access * Define which accounts can access this IAM Role * Use AWS STS (Security Token Service) to retrieve credentials and impersonate the IAM Role you have access to (AssumeRole API) * Temporary credentials can be valid between 15 minutes to 1 hour

Answer 18

* Federation lets users outside of AWS to assume temporary role for accessing AWS resources. * These users assume identity provided access role. * Federation assumes a form of 3rd party authentication * LDAP * Microsoft Active Directory (~= SAML) * Single Sign On * Open ID * Cognito * Using federation, you don’t need to create IAM users (user management is outside of AWS)

Answer 19

* To integrate Active Directory / ADFS with AWS (or any SAML 2.0) * Provides access to AWS Console or CLI (through temporary)

Answer 20

* Use only if identity provider is not compatible with SAML 2.0 * The identity broker must determine the appropriate IAM policy https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_ common-scenarios_federated-users.html

Answer 21

* Goal: * Provide direct access to AWS Resources from the Client Side * How: * Log in to federated identity provider – or remain anonymous * Get temporary AWS credentials back from the Federated Identity Pool * These credentials come with a predefined IAM policy stating their permissions * Example: * provide (temporary) access to write to S3 bucket using Facebook Login * Note: * Web Identity Federation is an alternative to using Cognito but AWS recommends against it

Answer 22

* https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_ policies_variables.html * ${aws:username} : to restrict users to tables / buckets * ${aws:principaltype} : account, user, federated, or assumed role * ${aws:PrincipalTag/department} : to restrict using Tags * https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_ policies_iam-condition-keys.html#condition-keys-wif * ${aws:FederatedProvider} : which IdP was used for the user (Cognito, Amazon..) * ${www.amazon.com:user_id} , ${cognitoidentity.amazonaws.com:sub} … * ${saml:sub}, ${sts:ExternalId}

Answer 23

* For S3 - let’s analyze the policies at: https://docs.aws.amazon.com/AmazonS3/latest/dev/examplebucket-policies.html * For DynamoDB – let’s analyze the policies at: https://docs.aws.amazon.com/amazondynamodb/latest/developerguide/specifying-conditions.html * Note for RDS – IAM policies don’t help with in-database security, as it’s a proprietary technology and we are responsible for users & authorization

Answer 24

* Provides governance, compliance and audit for your AWS Account * CloudTrail is enabled by default! * Get an history of events / API calls made within your AWS Account by: * Console * SDK * CLI * AWS Services * Can put logs from CloudTrail into CloudWatch Logs * If a resource is deleted in AWS, look into CloudTrail first! * CloudTrail shows the past 90 days of activity * The default UI only shows “Create”, “Modify” or “Delete” events * CloudTrail Trail: * Get a detailed list of all the events you choose * Ability to store these events in S3 for further analysis * Can be region specific or global * CloudTrail Logs have SSE-S3 encryption when placed into S3 * Control access to S3 using IAM, Bucket Policy, etc…

Answer 25

Endpoints * Endpoints allow you to connect to AWS Services using a private network instead of the public www network * They scale horizontally and are redundant * They remove the need of IGW, NAT, etc… to access AWS Services * Gateway: provisions a target and must be used in a route table ONLY S3 and DynamoDB * Interface: provisions an ENI (private IP address) as an entry point (must attach security group) – most AWS services Also called VPC PrivateLink

Security Flashcards

(49 cards)