02 Security

Question 1

Describe Security Assertion Markup Language (SAML).

Answer 1

SAML is an open standard used by identity providers (IdP) for federation, primarily for internal corporate IdPs, and it returns a SAML assertion when a user logs in.

Question 2

How does SAML assertion work in the context of AWS?

Answer 2

When a user logs in, the IdP returns a SAML assertion which can be exchanged for credentials using sts:AssumeRoleWithSAML.

Question 3

Define IAM Identity Center and its purpose.

Answer 3

IAM Identity Center manages access to AWS accounts and custom applications using Single Sign-On (SSO), intended for workforce identity federation.

Question 4

What are the key functions of Amazon Cognito?

Answer 4

Amazon Cognito has two key functions: user pools for managing users and providing JWTs, and identity pools for exchanging external identities for temporary AWS credentials.

Question 5

How do user pools in Amazon Cognito operate?

Answer 5

User pools are a database of users that provide JWTs upon sign-in, allowing for user management, social sign-in, and optional email and MFA verification.

Question 6

Explain the role of identity pools in Amazon Cognito.

Answer 6

Identity pools offer access to temporary AWS credentials and can provide access for guest users, allowing external identities to be exchanged for AWS credentials.

Question 7

Describe Amazon Workspaces and its billing options.

Answer 7

Amazon Workspaces is a desktop-as-a-service offering with pricing available on an hourly or monthly basis, though hourly billing includes a fixed overhead.

Question 8

What is the function of AWS Directory Service in Amazon Workspaces?

Answer 8

AWS Directory Service is required for authentication and user management in Amazon Workspaces and can integrate with existing Active Directory installations.

Question 9

How does Amazon Workspaces ensure networking access?

Answer 9

Each Workspace uses an Elastic Network Interface (ENI) to access networking in a Virtual Private Cloud (VPC), with the option to add a VPN for connectivity to on-premises resources.

Question 10

What storage options are available in Amazon Workspaces?

Answer 10

Storage in Amazon Workspaces is provided by a user volume and a system volume, based on EBS volumes, which can be encrypted at rest.

Question 11

Define the availability characteristics of Amazon Workspaces.

Answer 11

Workspaces are not designed for high availability and are tied to a single Availability Zone (AZ).

Question 12

Describe the Directory Service in the context of AWS.

Answer 12

Directory Service is a native Microsoft Active Directory service that can serve as a drop-in replacement for an existing server and is highly available by default, using two AZs.

Question 13

How does Directory Service establish trust with on-premises AD servers?

Answer 13

Directory Service can establish a two-way trust, allowing users with access to an on-premises AD server to connect.

Question 14

Describe the function of the Key Management Service (KMS) in AWS.

Answer 14

KMS creates, stores, and manages cryptographic keys, implementing encryption and decryption directly without key material leaving the service.

Question 15

How does Simple AD differ from native Active Directory (AD)?

Answer 15

Simple AD is a non-native AD compatible server that is cheaper but does not support all features of native AD.

Question 16

Define the purpose of Control Tower in AWS.

Answer 16

Control Tower orchestrates other AWS services to set up multi-account environments, providing governance and management capabilities.

Question 17

What is the role of Guard Rails in Control Tower?

Answer 17

Guard Rails detect and mandate standards across all accounts, ensuring compliance and security.

Question 18

Explain the concept of Multi-Region Keys in KMS.

Answer 18

Multi-Region Keys automatically replicate cryptographic material between regions, allowing decryption of data encrypted in another region.

Question 19

How does the AD Connector function in AWS?

Answer 19

AD Connector redirects requests to an on-premises AD server, enabling AWS services to integrate with existing on-premises AD installations.

Question 20

What are the two types of Guard Rails in Control Tower?

Answer 20

Preventative Guard Rails, enforced using Service Control Policies (SCPs), and Detective Guard Rails, checked using AWS Config rules.

Question 21

Describe the automatic management features provided by AWS for patching and backups.

Answer 21

Patching, maintenance, and backups are managed automatically by AWS services.

Question 22

What is the significance of key policies in KMS?

Answer 22

Key policies are resource policies that control access to the key using IAM statements, denying all access by default.

Question 23

How many AWS accounts are automatically created by Control Tower and for what purposes?

Answer 23

Two AWS accounts are automatically created: the audit account and the log archive account.

Question 24

Define the term ‘aliases’ in the context of KMS.

Answer 24

Aliases are logical pointers to keys in KMS, allowing easier management and reference.

Question 25

What happens to key material during encryption and decryption in KMS?

Answer 25

Key material never leaves KMS; the service directly implements encryption and decryption.

Question 26

How does MFA support work in AWS services?

Answer 26

MFA is supported using RADIUS for enhanced security during authentication.

Question 27

What is the function of the Account Factory in Control Tower?

Answer 27

The Account Factory automates and standardizes the creation of new accounts within the multi-account setup.

Question 28

Explain the compliance standards associated with KMS.

Answer 28

KMS is FIPS 140-2 compliant, with some features having Level 3 compliance.

Question 29

What is the maximum amount of data that can be encrypted or decrypted at a time using KMS?

Answer 29

Only 4KB of data can be directly encrypted or decrypted at a time using KMS.

Question 30

Describe the purpose of the Landing Zone in Control Tower.

Answer 30

The Landing Zone provides the multi-account setup, establishing Single Sign-On, centralized logging, auditing, and governance.

Question 31

Describe the process of using GenerateDataKey for encryption.

Answer 31

GenerateDataKey is called to obtain a plaintext key for encryption. This key is used client-side for encryption, while the ciphertext key is stored alongside the data. When decryption is needed, the ciphertext key is decrypted via KMS.

Question 32

Define CloudHSM and its primary function.

Answer 32

CloudHSM is a hardware security module that allows for the secure management of cryptographic material, ensuring dedicated tenancy for customers’ cryptographic needs.

Question 33

How does CloudHSM ensure compliance and security?

Answer 33

CloudHSM is FIPS 140-3 compliant, providing a higher level of security than KMS, which is FIPS 140-2 compliant. AWS provisions the hardware but does not have access to the secure enclave.

Question 34

What APIs are used to access CloudHSM?

Answer 34

Access to CloudHSM is provided via industry-standard APIs such as PKCS#11, JCE, and CryptoNG.

Question 35

Explain the relationship between KMS and CloudHSM.

Answer 35

KMS can utilize CloudHSM as a custom key store, allowing for enhanced security and management of cryptographic keys.

Question 36

Describe the high availability setup for CloudHSM.

Answer 36

High availability in CloudHSM requires multiple HSMs running as a cluster, which replicates keys and other data between the HSMs.

Question 37

What role do HSMs play in SSL/TLS processing?

Answer 37

HSMs can offload SSL/TLS processing from web servers, enhancing performance and security.

Question 38

How does Certificate Manager function in AWS?

Answer 38

Certificate Manager stores SSL/TLS certificates for use by other AWS services, such as CloudFront and ELB, and can generate or import public certificates.

Question 39

What is required for generating public certificates in Certificate Manager?

Answer 39

Generating public certificates requires validation, such as through DNS, and these certificates renew automatically.

Question 40

Explain the limitations of certificates managed by Certificate Manager.

Answer 40

Certificates cannot be exported or used directly for self-managed encryption, and they are regional, meaning they cannot be used across different AWS accounts.

Question 41

Describe the function of Private CAs in Certificate Manager.

Answer 41

Private CAs generate self-signed certificates, which require clients to be configured to trust the CA.

Question 42

What is the purpose of SSM Parameter Store?

Answer 42

SSM Parameter Store is used to store parameters, which can have data types such as String, StringList, or SecureString.

Question 43

How are SecureString parameters encrypted in SSM Parameter Store?

Answer 43

SecureString parameters in SSM Parameter Store are encrypted using KMS.

Question 44

Describe how Parameter Store handles data storage.

Answer 44

Parameter Store will only store the cyphertext, and parameters are stored hierarchically and can be versioned.

Question 45

Define the primary function of Secrets Manager.

Answer 45

Secrets Manager stores secrets and allows for automatic credential rotation.

Question 46

How does Secrets Manager integrate with AWS services?

Answer 46

Secrets Manager directly integrates with some AWS services, such as RDS.

Question 47

Do Lambda functions play a role in Secrets Manager?

Answer 47

Yes, Lambda can perform automatic credential rotation in Secrets Manager.

Question 48

Explain the versioning capability of Parameter Store.

Answer 48

Parameters in Parameter Store can be versioned, allowing for management of different versions of parameters.