02 Security Flashcards
Describe Security Assertion Markup Language (SAML).
SAML is an open standard used by identity providers (IdP) for federation, primarily for internal corporate IdPs, and it returns a SAML assertion when a user logs in.
How does SAML assertion work in the context of AWS?
When a user logs in, the IdP returns a SAML assertion which can be exchanged for credentials using sts:AssumeRoleWithSAML.
Define IAM Identity Center and its purpose.
IAM Identity Center manages access to AWS accounts and custom applications using Single Sign-On (SSO), intended for workforce identity federation.
What are the key functions of Amazon Cognito?
Amazon Cognito has two key functions: user pools for managing users and providing JWTs, and identity pools for exchanging external identities for temporary AWS credentials.
How do user pools in Amazon Cognito operate?
User pools are a database of users that provide JWTs upon sign-in, allowing for user management, social sign-in, and optional email and MFA verification.
Explain the role of identity pools in Amazon Cognito.
Identity pools offer access to temporary AWS credentials and can provide access for guest users, allowing external identities to be exchanged for AWS credentials.
Describe Amazon Workspaces and its billing options.
Amazon Workspaces is a desktop-as-a-service offering with pricing available on an hourly or monthly basis, though hourly billing includes a fixed overhead.
What is the function of AWS Directory Service in Amazon Workspaces?
AWS Directory Service is required for authentication and user management in Amazon Workspaces and can integrate with existing Active Directory installations.
How does Amazon Workspaces ensure networking access?
Each Workspace uses an Elastic Network Interface (ENI) to access networking in a Virtual Private Cloud (VPC), with the option to add a VPN for connectivity to on-premises resources.
What storage options are available in Amazon Workspaces?
Storage in Amazon Workspaces is provided by a user volume and a system volume, based on EBS volumes, which can be encrypted at rest.
Define the availability characteristics of Amazon Workspaces.
Workspaces are not designed for high availability and are tied to a single Availability Zone (AZ).
Describe the Directory Service in the context of AWS.
Directory Service is a native Microsoft Active Directory service that can serve as a drop-in replacement for an existing server and is highly available by default, using two AZs.
How does Directory Service establish trust with on-premises AD servers?
Directory Service can establish a two-way trust, allowing users with access to an on-premises AD server to connect.
Describe the function of the Key Management Service (KMS) in AWS.
KMS creates, stores, and manages cryptographic keys, implementing encryption and decryption directly without key material leaving the service.
How does Simple AD differ from native Active Directory (AD)?
Simple AD is a non-native AD compatible server that is cheaper but does not support all features of native AD.
Define the purpose of Control Tower in AWS.
Control Tower orchestrates other AWS services to set up multi-account environments, providing governance and management capabilities.
What is the role of Guard Rails in Control Tower?
Guard Rails detect and mandate standards across all accounts, ensuring compliance and security.
Explain the concept of Multi-Region Keys in KMS.
Multi-Region Keys automatically replicate cryptographic material between regions, allowing decryption of data encrypted in another region.
How does the AD Connector function in AWS?
AD Connector redirects requests to an on-premises AD server, enabling AWS services to integrate with existing on-premises AD installations.
What are the two types of Guard Rails in Control Tower?
Preventative Guard Rails, enforced using Service Control Policies (SCPs), and Detective Guard Rails, checked using AWS Config rules.
Describe the automatic management features provided by AWS for patching and backups.
Patching, maintenance, and backups are managed automatically by AWS services.
What is the significance of key policies in KMS?
Key policies are resource policies that control access to the key using IAM statements, denying all access by default.
How many AWS accounts are automatically created by Control Tower and for what purposes?
Two AWS accounts are automatically created: the audit account and the log archive account.
Define the term ‘aliases’ in the context of KMS.
Aliases are logical pointers to keys in KMS, allowing easier management and reference.
What happens to key material during encryption and decryption in KMS?
Key material never leaves KMS; the service directly implements encryption and decryption.
How does MFA support work in Directory Services?
MFA is supported using RADIUS for enhanced security during authentication.
What is the function of the Account Factory in Control Tower?
The Account Factory automates and standardizes the creation of new accounts within the multi-account setup.
Explain the compliance standards associated with KMS.
KMS is FIPS 140-2 compliant, with some features having Level 3 compliance.
What is the maximum amount of data that can be encrypted or decrypted at a time using KMS?
Only 4KB of data can be directly encrypted or decrypted at a time using KMS.
Describe the purpose of the Landing Zone in Control Tower.
The Landing Zone provides the multi-account setup, establishing Single Sign-On, centralized logging, auditing, and governance.
Describe the process of using GenerateDataKey for encryption.
GenerateDataKey is called to obtain a plaintext key for encryption. This key is used client-side for encryption, while the ciphertext key is stored alongside the data. When decryption is needed, the ciphertext key is decrypted via KMS.
Define CloudHSM and its primary function.
CloudHSM is a hardware security module that allows for the secure management of cryptographic material, ensuring dedicated tenancy for customers’ cryptographic needs.
How does CloudHSM ensure compliance and security?
CloudHSM is FIPS 140-3 compliant, providing a higher level of security than KMS, which is FIPS 140-2 compliant. AWS provisions the hardware but does not have access to the secure enclave.
What APIs are used to access CloudHSM?
Access to CloudHSM is provided via industry-standard APIs such as PKCS#11, JCE, and CryptoNG.
Explain the relationship between KMS and CloudHSM.
KMS can utilize CloudHSM as a custom key store, allowing for enhanced security and management of cryptographic keys.
Describe the high availability setup for CloudHSM.
High availability in CloudHSM requires multiple HSMs running as a cluster, which replicates keys and other data between the HSMs.
What role do HSMs play in SSL/TLS processing?
HSMs can offload SSL/TLS processing from web servers, enhancing performance and security.
How does Certificate Manager function in AWS?
Certificate Manager stores SSL/TLS certificates for use by other AWS services, such as CloudFront and ELB, and can generate or import public certificates.
What is required for generating public certificates in Certificate Manager?
Generating public certificates requires validation, such as through DNS, and these certificates renew automatically.
Explain the limitations of certificates managed by Certificate Manager.
Certificates cannot be exported or used directly for self-managed encryption, and they are regional, meaning they cannot be used across different AWS accounts.
Describe the function of Private CAs in Certificate Manager.
Private CAs generate self-signed certificates, which require clients to be configured to trust the CA.
What is the purpose of SSM Parameter Store?
SSM Parameter Store is used to store parameters, which can have data types such as String, StringList, or SecureString.
How are SecureString parameters encrypted in SSM Parameter Store?
SecureString parameters in SSM Parameter Store are encrypted using KMS.
Describe how Parameter Store handles data storage.
Parameter Store will only store the cyphertext, and parameters are stored hierarchically and can be versioned.
Define the primary function of Secrets Manager.
Secrets Manager stores secrets and allows for automatic credential rotation.
How does Secrets Manager integrate with AWS services?
Secrets Manager directly integrates with some AWS services, such as RDS.
Do Lambda functions play a role in Secrets Manager?
Yes, Lambda can perform automatic credential rotation in Secrets Manager.
Explain the versioning capability of Parameter Store.
Parameters in Parameter Store can be versioned, allowing for management of different versions of parameters.
