1
Q
What is DDOS attack?
A
- A Distributed Denial of Service (DDoS) attack attempts to make your website or application unavailable to your end users.
- Common DDoS attacks include Layer 4 attacks such as SYN floods or NTP
amplification attacks. - Common Layer 7 attacks include floods of GET/POST requests.
2
Q
What Is CloudTrail?
A
AWS CloudTrail increases visibility into your user and resource activity by recording AWS Management Console actions and API calls.
- You can identify which users and accounts called AWS, the source IP address from which the calls were made, and when the calls occurred
3
Q
What is logged in CloudTrail?
A
- Metadata around API calls
- The identity of the API caller
- The time of the API call
- The source IP address of the API caller
- The request parameters
- The response elements returned by the service
4
Q
What CloudTrail Allows?
A
- After-the-fact incident investigation
- Near real-time intrusion detection
- Industry and regulatory compliance
- CloudTrail is basically just CCTV for your AWS account. It logs all API calls made to your AWS account and stores these logs in S3.
5
Q
What is AWS Shield?
A
- Protects all AWS customers on Elastic Load Balancing (ELB, Amazon CloudFront, and Route 53).
- Protects against SYN/UDP floods, reflection attacks, and other Layer 3
and Layer 4 attacks.
6
Q
What Is Shield Advanced?
A
- Provides enhanced protections for your applications running on Elastic Load Balancing (ELB), Amazon CloudFront, and Route 53 against larger and more sophisticated attacks. Level 7 DDOS protection(uses WAF).
- Offers always-on, flow-based monitoring of network traffic and active application monitoring to provide near real-time notifications of DDoS attacks.
- Gives you 24/7 access to the DDoS Response Team (DRT to help manage and mitigate application-layer DDoS attacks.
- Protects your AWS bill against higher fees due to Elastic Load Balancing (ELB), AmazonCloudFront, and Amazon Route 53 usage spikes during a DDoS attack.
- Shield Advanced costs 3,000$ per month per organization.
7
Q
What Is AWS WAF?
A
AWS WAF is a web application firewall that lets you monitor the HTTP and HTTPS requests that are forwarded to Amazon CloudFront(Public Service) or an Application Load Balancer(Regional service).
AWS WAF also lets you control access to your content.
-
8
Q
What are conditions in AWS WAF?
A
With Web ACLs you can define conditions by using characteristics
of web requests such as the following:
- IP addresses that requests originate from
- Country that requests originate from
- Values in request headers
- Presence of SQL code that is likely to be malicious (known as SQL injection)
- Presence of a script that is likely to be malicious (known as cross-site scripting)
- Strings that appear in requests — either specific strings or strings that match regular expression (regex) patterns
9
Q
What Is Firewall Manager?
A
Firewall Manager is a security management service in a single pane
of glass. This allows you to centrally set up and manage firewall rules across multiple AWS accounts and applications in AWS Organizations.
10
Q
What are the benefits of Firewall Manager?
A
- Simplify Management of Firewall Rules across Your Accounts: One single pane of glass allows you to manage security across multiple AWS services and accounts.
- Ensure Compliance of Existing and New Applications: Firewall Manager automatically enforces security policies that you create across existing and newly created resources, across multiple accounts.
11
Q
What is GuardDuty?
A
GuardDuty is a threat detection service that uses machine learning to continuously monitor for malicious behavior. PROACTIVE
- Unusual API calls, calls from a known malicious IP
- Attempts to disable CloudTrail logging
- Unauthorized deployments
- Compromised instances
- Reconnaissance by would-be attackers
- Port scanning, failed logins
12
Q
What are some GuardDuty features?
A
- Alerts appear in the GuardDuty console and CloudWatch Events
- Receives feeds from third parties like Proofpoint and CrowdStrike, as well as AWS Security, about known malicious domains and IP addresses, etc.
- Monitors CloudTrail logs, VPC Flow Logs, and DNS logs
- Centralize threat detection across multiple AWS accounts
- Automated response using CloudWatch Events and Lambda
- Machine learning and anomaly detection
13
Q
What is GuardDuty Pricing?
A
30 DAYS FREE! CHARGES BASED ON
- Quantity of CloudTrail events
- Volume of DNS and VPC Flow Logs data
14
Q
What is Macie?
A
Macie uses machine learning and pattern-matching to discover sensitive data stored in S3.
- Uses AI to recognize if your S3 objects contain sensitive data, such as PII, PHI, and financial data
- Alerts you to unencrypted buckets
- Alerts you about public buckets
- Can also alert you about buckets shared with AWS accounts outside of those defined in your AWS organizations
- Great for frameworks like HIPAA and GDPR
15
Q
What are Macie Alerts?
A
- You can filter and search Macie alerts in the AWS console.
- Alerts sent to Amazon EventBridge can be integrated with your security incident and event management (SIEM) system.
- Can be integrated with AWS Security Hub for a broader analysis of your organization’s security posture.
- Can also be integrated with other AWS services, such as Step Functions, to automatically take remediation actions.
16
Q
What Is Amazon Inspector?
A
Amazon Inspector is an automated security assessment service that helps improve the security and compliance of applications deployed on AWS. REACTIVE
Amazon Inspector automatically assesses applications for vulnerabilities or deviations from best practices.
It’s used to perform vulnerability scans on both EC2 instances(and the instance OS) and VPCs(and containers).
17
Q
What are Assessment Findings in Amazon Inspector?
A
After performing an assessment, Amazon Inspector produces a detailed list of security findings prioritized by level of severity.
These findings can be reviewed directly or as part of detailed assessment reports that are available via the Amazon Inspector console or API.
18
Q
What are 2 Types of Assessment in Amazon Inspector?
A
- Network Assessments: Network configuration analysis to check for ports reachable from outside the VPC
An inspector agent is not required. - Host Assessments: Vulnerable software (CVE), host
hardening (CIS Benchmarks), and security best practices
An inspector agent is required
19
Q
What Is KMS?
A
AWS Key Management Service (AWS KMS) is a managed service that makes it easy for you to create and control the encryption keys used to encrypt your data.
- AWS KMS is integrated with other AWS services — such as EBS, S3, and RDS as well as other services to make it simple to encrypt your data with encryption keys you manage.
20
Q
What is CMK?
A
A customer master key (CMK) is a logical representation of a master key. The CMK includes metadata, such as the key ID, creation date, description, and key state.
The CMK also contains the key material used to encrypt and decrypt data.
You start using KMS by requesting the creation of a CMK. You control the lifecycle of the CMK as well as who can use or manage it.
***CMK keys now called KMS keys
21
Q
What is HSM?
A
A hardware security module (HSM) is a physical computing device that
safeguards and manages digital keys and performs encryption and decryption functions.
An HSM contains one or more secure cryptoprocessor chips.
22
Q
What are the 3 Ways to Generate a CMK?
A
- AWS creates the CMK for you. The key material for a CMK is generated within HSMs managed by AWS KMS.
- Import key material from your own key management infrastructure and associate it with a CMK.
- Have the key material generated and used in an AWS CloudHSM cluster as part of the custom key store feature in AWS KMS.
23
Q
What is Key Rotation?
A
- You can choose to have AWS KMS automatically rotate CMKs every year, provided that those keys were generated within AWS KMS HSMs.
- Automatic key rotation is not supported for imported keys, asymmetric keys, or keys generated in an AWS CloudHSM cluster using the AWS KMS custom key store feature.
- Key rotation(once per year) is by default on keys that are created by AWS. You cannot disable key rotation for AWS-managed keys.
24
Q
What is the primary way to manage access to your
AWS KMS CMKs?
A
Key Policies
In AWS KMS, you must attach resource-based
policies to your customer master keys (CMKs).
These are called key policies.
All KMS CMKs have a key policy.
25
What is CloudHSM?
AWS CloudHSM is a cloud-based HSM that enables you to easily generate and use your own encryption keys on the AWS Cloud. No AWS integration.
It is a physical device, entirely dedicated to you, that can be deployed in a highly available fashion.
- CloudHSM is required to achieve compliance with certain security standards such as FIPS 140-2 Level 3.
- It uses industry-standard APIs such as PKCS#11, JCE, and CryptoNG.
26
What Is Secrets Manager?
Secrets Manager is a service that securely stores, encrypts, and rotates your database credentials and other secrets(e.g SSH keys, API
keys).
* Encryption in transit and at rest using KMS
* Automatically rotates credentials
* Apply fine-grained access control using IAM policies
* Costs money but is highly scalable
* can generate passwords with CLoudFormation
* Applications use the Secrets Manager API.
27
When should enable key rotation in secrets manager?
This is the recommended setting if your applications are not already using
embedded credentials (i.e., they are not going to try to connect to the database using the old credentials).
If your applications are still using embedded credentials, do not enable rotation because the embedded credentials will no longer work and
this will break your application.
28
What is Parameter Store?
Parameter Store is a capability of AWS Systems Manager that provides secure, hierarchical storage for configuration data management and secrets management.
You can store data such as passwords, database strings, Amazon Machine Image (AMI IDs, and license codes as parameter values. You can store values as plain text or encrypted data.
Can create events!
Can be integrated with KMS!
Parameter Store is free!
29
What are the 2 big limits of Parameter Store?
- Limit the number of parameters you can store (currently 10,000). For more charges apply.
- No key rotation
30
What is presigned URL in S3?
Only the object owner has permission to access these objects. However, the object owner can optionally share objects with others by creating a
presigned URL, using their own security credentials, to grant time-limited permission to download the objects.
31
What are Presigned Cookies in S3?
This can be useful when you want to provide access to multiple restricted files. The cookie will be saved on the user’s computer, and they will be
able to browse the entire contents of the restricted content.
32
What Is AWS Certificate Manager?
AWS Certificate Manager allows you to create, manage, and deploy public and private SSL certificates for use with other AWS services.
It integrates with other services(aws services) — such as Elastic Load Balancing, CloudFront distributions, and API Gateway**not EC2** — allowing you to easily manage and deploy SSL certificates in your AWS environment.
**Regional service**, cross-region is not supported, but for CloudFront because it is a globlal service it si always in us-east-1.
33
What are the Benefits of AWS Certificate Manager?
1. **Cost**:
No more paying for SSL certificates! AWS Certificate Manager provisions both public(for free) and private certificates. You will still pay for the resources that utilize your certificates (such as Elastic Load Balancing).
2. **Automated Renewals and Deployment**:
Certificate Manager can automate the renewal of your SSL certificate(**can renew only certificates that it creates**) and then automatically update the new certificate with ACM-integrated
services, such as Elastic Load Balancing, CloudFront, and API Gateway.
3. **Easier to Set Up**:
Removes a lot of the manual process, such as generating a key pair or creating a certificate signing request (CSR). You can create your own
SSL certificate with just a few clicks in the AWS Management Console.
34
What Is Audit Manager?
With it, you can **continually** audit your AWS usage to make sure you stay
compliant with industry standards and regulations.
Audit Manager is an automated service that produces **reports** specific to
auditors for PCI compliance, GDPR, and more.
35
What Is Artifact?
Artifact is a single source you can visit to get the **compliance-related
information** that matters to you, such as AWS security and compliance
reports or select online agreements.
36
What Is Cognito?
Cognito provides **authentication, authorization, and user management**
for your web and mobile apps in a single service without the need for
custom code. Your users can sign in directly with a username and
password they create or through a third party (e.g., Facebook, Amazon,
Google, or Apple).
37
What are some features that Cognito provides?
- Sign-up and sign-in options for your apps
- Access for guest users
- Acts as an identity broker between your application and web ID providers, so you don’t need to write any custom code
- Synchronizes user data across multiple devices
- Recommended for all mobile applications that call AWS services
38
What are User Pools and Identity Pools?
**User pools** are directories of users that provide sign-up and sign-in options for your application users.
**Identity pools** allow you to give your users access to other AWS services. You can use identity pools and user pools either separately or together.
39
What Is Detective?
Using Detective, you can **analyze, investigate, and quickly identify** the root cause of potential security issues or suspicious activities.
Detective pulls data in from your AWS resources and uses **machine learning, statistical analysis, and graph theory** to build a linked set of data that enables you to quickly figure out the root cause of your security issues.
40
What are the Detective Sources?
Detective uses several sources within your AWS account (including
**VPC Flow Logs, CloudTrail logs, Amazon Elastic Kubernetes Service
audit logs, and Amazon GuardDuty findings**) to automatically create an
overview of your users, resources, and the interactions between them over
time.
41
What are the differences between Detective and Inspector?
Detective operates across multiple AWS services and analyzes **the root cause of an event**.
Do not confuse this with Inspector, which is an automated vulnerability
management service that continually scans EC2 and container workloads for software vulnerabilities and unintended network exposure.
42
What Is AWS Network Firewall?
Network Firewall is a managed service that makes it easy to deploy **physical firewall protection across your VPCs**. It has a
managed infrastructure (i.e., a physical firewall that is managed by AWS.
Network Firewall includes a firewall rules engine that gives you complete control over your network traffic, allowing you to do things such as block outbound Server Message Block (SMB requests to stop the spread of
malicious activity.
43
What Is Security Hub?
Security Hub is a single place to view all your security alerts from
services like Amazon GuardDuty, Amazon Inspector, Amazon Macie,
and AWS Firewall Manager. It works across multiple accounts.
44
How many days of data are stored by default in CloudTrail at no cost?
90 days.
45
What are the 3 types of CloudTrail events?
1. Management events (e.g. creating/terminating an aws resource)
2. Data events (resource operations performed on a resource e.g. adding to a bucket).
3. Insight events
46
What are the default events that are logged by CloudTrail?
Management events. Because they have a lower volume.
47
CloudTrail is a regional or global service?
Regional. Can be configured to provide all region trails as one logical trail.
48
Where do global AWS services(e.g. IAM, STS, CloudFront) log their trails?
In US East 1.
49
Where can CloudTrail put its trails?
1. S3 Bucket.
2. CloudWatch logs
50
Can CloudTrail be used for real-time data?
Not ideal has a 15-minute delay. Not the product for real-time trail.
51
Where by default all CloudTrail logs are stored?
In CloudTrail history events for 90 days. Without creating a trail.
52
Is KMS a regional or global service?
Regional.
53
What is the security certification level achieved by AWS Key Management Service (KMS)?
FIPS 140-2 L2
54
What role separation means in the context of KMS?
Role separation in the context of AWS Key Management Service (KMS) means dividing responsibilities between key administrators, who manage keys, and key users, who use keys for encryption and decryption, to enhance security and control over cryptographic keys.
55
What is the difference between the default policy behavior for AWS KMS keys and other AWS resources in relation to the root user?
The key difference is that other AWS resources typically do not have default resource policies that restrict the root user's access, and the root user cannot be restricted from accessing them. In contrast, every KMS key has a default policy attached to it that grants access to the root user (by trust), and this access can be restricted by removing or modifying that policy.
56
Can KMS keys replicated in other regions?
Yes(recently), by selecting the Multi-region key option(instead of single region). This will replicate the key to other regions as well.
57
When creating a KMS key, step 3 is "Define key administrative permissions". What permissions does it produce?
{
"Id": "key-consolepolicy-3",
"Version": "2012-10-17",
"Statement": [
{
"Sid": "Enable IAM User Permissions",
"Effect": "Allow",
"Principal": {
"AWS": "arn:aws:iam::645307551852:root"
},
"Action": "kms:*",
"Resource": "*"
},
///////////////////////// it adds the following to the default policy for the cloud_user selected
{
"Sid": "Allow access for Key Administrators",
"Effect": "Allow",
"Principal": {
"AWS": "arn:aws:iam::645307551852:user/cloud_user"
},
"Action": [
"kms:Create*",
"kms:Describe*",
"kms:Enable*",
"kms:List*",
"kms:Put*",
"kms:Update*",
"kms:Revoke*",
"kms:Disable*",
"kms:Get*",
"kms:Delete*",
"kms:TagResource",
"kms:UntagResource",
"kms:ScheduleKeyDeletion",
"kms:CancelKeyDeletion"
],
"Resource": "*"
}
]
}
58
When creating a KMS key, step 4 is Step 4
"Define key usage permissions" What permissions does it produce?
{
"Id": "key-consolepolicy-3",
"Version": "2012-10-17",
"Statement": [
{
"Sid": "Enable IAM User Permissions",
"Effect": "Allow",
"Principal": {
"AWS": "arn:aws:iam::645307551852:root"
},
"Action": "kms:*",
"Resource": "*"
},
{
"Sid": "Allow access for Key Administrators",
"Effect": "Allow",
"Principal": {
"AWS": "arn:aws:iam::645307551852:user/cloud_user"
},
"Action": [
"kms:Create*",
"kms:Describe*",
"kms:Enable*",
"kms:List*",
"kms:Put*",
"kms:Update*",
"kms:Revoke*",
"kms:Disable*",
"kms:Get*",
"kms:Delete*",
"kms:TagResource",
"kms:UntagResource",
"kms:ScheduleKeyDeletion",
"kms:CancelKeyDeletion"
],
"Resource": "*"
},
////////////////////// it adds the following for the cloud_user selected
{
"Sid": "Allow use of the key",
"Effect": "Allow",
"Principal": {
"AWS": "arn:aws:iam::645307551852:user/cloud_user"
},
"Action": [
"kms:Encrypt",
"kms:Decrypt",
"kms:ReEncrypt*",
"kms:GenerateDataKey*",
"kms:DescribeKey"
],
"Resource": "*"
},
{
"Sid": "Allow attachment of persistent resources",
"Effect": "Allow",
"Principal": {
"AWS": "arn:aws:iam::645307551852:user/cloud_user"
},
"Action": [
"kms:CreateGrant",
"kms:ListGrants",
"kms:RevokeGrant"
],
"Resource": "*",
"Condition": {
"Bool": {
"kms:GrantIsForAWSResource": "true"
}
}
}
]
}
59
Do we need to provide the Key ID or alias to decrypt ciphertext in AWS Key Management Service (KMS)?
No. When you encrypt data with a KMS key, the key ID is encrypted into the ciphertext. This means that KMS knows which key to use to decrypt the data without you having to specify it.
60
When we delete a KMS key, how long does it take to be deleted?
By default, it takes 30 days to delete an AWS KMS key. This is called the waiting period. You can change the waiting period to 7-30 days.
61
What type of encryption uses SSE-S3?
AES-256
62
What are S3 Bucket Keys and how they are useful?
Time-limited Bucket keys used to generate DECs(Data Encryption Key) inside S3. Amazon S3 Bucket Keys reduce the cost of Amazon S3 server-side encryption using AWS Key Management Service (SSE-KMS). Bucket-level keys for SSE can reduce AWS KMS request costs by up to 99 percent by decreasing the request traffic from Amazon S3 to AWS KMS.
63
What are rule groups in AWS WAF?
- Rule groups are used to organize and manage sets of rules in AWS WAF.
- They are associated with web ACLs, which define conditions for controlling access to web content.
- Predefined rule groups target common attack patterns, addressing vulnerabilities like SQL injection and XSS.
- Rule groups streamline the process of implementing and managing security policies for web applications.
64
What is AWS Config?
- AWS Config is a service that records the configuration of resources over time (configuration items) into configuration histories.
- All the information is stored regionally in an S3 config bucket.
- AWS Config can check for compliance .. and generate notifications and events based on compliance.
- Does NOT fix or protect, but can be configured using EventBridge and lambda.
Test
flashcards
Decks in class (22)
# Cards
