ACG - AWS Certified Security Specialty Flashcards

Question 1

Q

S3 policy precedents

Answer

A

when an AWS principal issues a request to S3, the authorization decision depends on the union of all IAM policies, S3 bucket polices and S3 ACLs that apply
an S3 bucket policy will take precedence over an IAM policy, unless the IAM policy contains a deny statement.
deny statements always take precedence over allow statements whether with-in an S3 policy, an IAM policy or an S3 ACL

Question 2

Q

S3 ACLs

Answer

A

ACLs have been around since the inception of S3
AWS recommends using IAM or S3 bucket policies over ACLS
if you need to specify permissions on a specific object, you will have to use ACLs
ACLs can only be used to grant access to your AWS account or another AWS account using their canonical ID. You can’t use ACLs to grant access to a specific user

Question 3

Q

S3 bucket policies

Answer

A

used to allow or deny actions on an S3 bucket
applied to the S3 bucket
limited to 20kb in size

Question 4

Q

IAM policies

Answer

A

applied at the IAM user, group or role level

- limited to 2kb for users, 5kb for groups and 10 kb for roles.

Question 5

Q

AWS principal

Answer

A

term that designates an AWS user, group or role

Question 6

Q

S3 policy conflict flow

Answer

A

access always starts with deny (least privilege)
all applicable polices are evaluated
if there is an explicit deny, the action is denied
if there is no explicit deny and there is an allow, the action is allowed
if there is neither an allow or deny, the action is denied

Question 7

Q

S3 Replication

Answer

A

the source and destination buckets must have versioning enabled and can be located in the same or different regions
Amazon S3 must have permissions to replicate objects on your behalf
If the source bucket owner is not the object owner, then the bucket owner needs Read and Read_ACP permissions via the object ACL
the IAM role must have permissions to replicate objects in the destination bucket
during replication you can change the ownership of the object replica to the AWS account that owns the destination bucket
any new objects created after you enable replication on the bucket are replicated
S3 replicates objects encrypted using S3 managed keys by default and AWS KMS if you enable it
S3 does not replicate objects encrypted with server side customer provided encryption keys
S3 replicates the object metadata, ACL updates and tags
delete markers are replicated, but the version history still remains on the source and destination buckets
S3 does not replicate deletes to a particular version of an object
S3 always replicates buckets over SSL

Question 8

Q

CloudFront - SSL certs

Answer

A

you can use a default CloudFront SSL cert that has a *.cloudfront.net domain name
if you want to use your own cert with your own domain name, you can register a cert in AWS ACM, but the cert must be registered in the us-east-1 region
you can also use a cert stored in IAM, but you must use the IAM CLI

Question 9

Q

S3 pre-signed URLs

Answer

A

you can access objects using a pre-signed URLs instead of IAM or S3 bucket policies or S3 ACLs.
pre-signed URLs are typically generated by the SDK, but can be generated by the CLI
you can change the default time-out for the token by using the –expires-in option

Question 10

Q

Security Token Service (STS)

Answer

A

grants users limited and temporary access to AWS resources by federating with another identity store.
users can be federated with Active Directory
users can be federated with Mobile Apps (Facebook, Amazon, Google or other OpenID providers)
users can be from other AWS accounts (Cross account access)

Question 11

Q

Security Token Service (STS) Identity Broker

Answer

A

a service that brokers the authentication and authorization between the identity store (like AD) and the AWS service (like S3)
an application sends the user’s credentials to the identity broker, who validates with the identity store (like AD)
the identity broker calls the GetFederationToken function using IAM credentials that have permissions to create new tokens. The call must include an IAM policy, a duration (1 to 36 hours) and a policy that specifies the permissions to be granted to the temporary security credentials
the STS returns to the identity broker an access key, a secret access key, a token and a duration
the identity broker returns the temporary credentials to the application
the application uses the temporary credentials to make the call to S3
S3 uses IAM to verify that the credentials allow the requested operation
IAM approves the operation

Question 12

Q

Amazon Cognito

Answer

A

provides Web Identity Federation with providers like Amazon, Facebook or Google
provides sign-up and sign-in to your apps
grants access for guest users
acts as an identity broker between your app and Web ID providers
synchronizes user data for multiple devices
recommended for all mobile apps using AWS services

Question 13

Q

Cognito User Pools

Answer

A

user directories used to manage sign-up and sign-in functionality for mobile and web apps
users can sign-in directly to a User Pool or indirectly via an identity provider like Facebook, Amazon, Google
successful authentication generates a number of JSON Web tokens (JWTs)

Question 14

Q

Cognito Identity Pools

Answer

A

enable you to create unique identities for your users and assign them access to AWS resources
the identity pool exchanges the JWT tokens for temporary AWS credentials which grant access other AWS services

Question 15

Q

Glacier Vault Lock

Answer

A

allows configuring and enforcing compliance controls for individual Glacier Vaults
you can enforce WORM archives and data retention
you must initiate the lock by attaching a vault lock policy
there is a 24 hour waiting period before you can validate the lock policy and the vault lock takes effect and becomes immutable

Question 16

Q

Amazon Glacier

Answer

A

extremely low cost cloud storage for data archiving
costs as little as $0.004 GB/month
data is stored in Archives as .tar or .zip

Question 17

Q

Glacier Vault

Answer

A

a container in Glacier storage that contains one or more archives

Question 18

Q

AWS Organizations

Answer

A

an account management service which allows consolidation of multiple AWS accounts for centralize management
allows centralized billing
allows organizing accounts into OUs for access control
allows attaching Service Control Policies (SCPs) for restricting AWS services

Question 19

Q

Service Control Polices

Answer

A

used by AWS Organizations to restrict the AWS services allowed by accounts
can be attached to accounts directly or to OUs
SCPs attached to OUs higher up the Organization hierarchy will apply to all OUs and accounts beneath it
can be used to create a Permissions Boundary, restricting the actions users, groups and roles (including root) can do
SCPs can deny access only, they cannot allow

Question 20

Q

IAM Credential Report

Answer

A

exports list of users with credential information like, account creation time, password enabled, last used\last rotated, access keys enabled, last used\last rotated, certs enabled\last used, MFA enabled
can be generated in the AWS console or CLI

Question 21

Q

CloudTrail

Answer

A

logs API calls to resources in your AWS account
does not log SSH or RDP sessions
does log the ID of the caller, the time of the call, the source IP, the request parameters and the response from the service
delivered with digest file that can be used to validate the integrity of the log file
CloudTrail log file validation uses SHA-256 hashing and SHA-256 with RSA for digital signing

Question 22

Q

CloudTrail logs security

Answer

A

CloudTrail logs contain personally identifiable information like usernames, team membership, DynamoDB table and key names
it is best practice to secure your CloudTrail logs by using IAM or S3 bucket polices and SSE-S3 or SSE-KMS to encrypt the logs
you can also enable Object lock on the S3 bucket that contains your CloudTrail logs, but only when the bucket is created
you can enable S3 MFA Delete (via the CLI only)

Question 23

Q

CloudTrail log retention

Answer

A

logs are kept indefinitely in their S3 bucket
you can setup S3 Object Lifecycle Management to automatically remove the files after a certain period
you can move the files to AWS Glacier for cost effective long term storage

Question 24

Q

CloudWatch

Answer

A

real time monitoring (detailed monitoring = every 1 min, standard monitoring = every 5 mins)
gathers metrics including items like CPU and network utilization
you can configure alarms based on metrics
Alarms can trigger notifications like SNS
can create custom metrics
can can also monitor on-premises servers

Question 25

Q

CloudWatch logs

Answer

A

logs from other AWS services, like CloudTrail, can be pushed to CloudWatch
you can also setup your applications and systems to send their logs to CloudWatch via the CloudWatch Agent
you can setup log groups to filter the metrics from your application logs
the logs sent to CloudWatch will be logged indefinitely (not in an S3 bucket that we have access to)

Question 26

Q

CloudWatch events

Answer

A

near real-time stream of system events
events are AWS resources state changes
can create custom & scheduled events
allows you to create actions based off rules that trigger when certain metrics are detected in the CloudWatch logs
for example a CloudWatch event could trigger a Lambda function to delete any EC2 instances provisioned by a certain user. CloudWatch would be aware of this event if CloudTrail logs were ingested into CloudWatch

Question 27

Q

CloudWatch security

Answer

A

can restrict access to CloudWatch via IAM policies
note that data is decoupled from its source, so you can’t restrict access to originating sources with-in CloudWatch, you can only restrict access to CloudWatch itself

Question 28

Q

AWS Config

Answer

A

enables compliance auditing, security analysis and resource tracking
provides configuration snapshots, logs changes of AWS resources and automates compliance checking
provides AWS resource inventory
you can aggregate AWS resource inventory or Config rule compliance status from other AWS accounts and regions

Question 29

Q

AWS Config permissions

Answer

A

AWS config requires an IAM role with read only access to record resources
AWS config needs write access to an S3 bucket to record its results
AWS config needs access to publish to an SNS topic if you want it to send notifications
you should restrict user access to AWS Config using IAM roles

Question 30

Q

AWS CloudHSM

Answer

A

dedicated hardware security module
not shared by other tenants
enables control of data, evidence of control, meets tough compliance controls
provides secure key storage, cryptographic operations, and tamper resistant HSM
CloudHSM has FIPS 140-2 & EAL-4 compliance
AWS only administers the HSM appliance, they have no access to your keys (although they could probably destroy your keys by destroying the HSM partition)
the HSM can detect physical attempts at tampering and auto destroy the keys
if the HSM detects five unsuccessful attempts as Crypto Officer (CO), the HSM erases itself
if the HSM detects five unsuccessful attempts as Crypto User (CU), the user will be locked and must be unlocked by a CO

Question 31

Q

AWS CloudHSM roles

Answer

A

Crypto Officer - can create Crypto Users, but can’t access keys
Crypto User - can create, import, export and delete keys, but can’t create users

Question 32

Q

AWS Inspector

Answer

A

automated security assessment service that assesses applications for vulnerabilities or deviations from best practices
provides a detailed list of security findings prioritized by level of severity
requires an agent installed on your EC2 instances
available rules packages are CVE, Network Reachability, CIS OS Security Configuration Benchmarks, Security Best Practices

Question 33

Q

AWS Trusted Advisor

Answer

A

online resource to help you reduce cost, increase performance and improve security though optimization
the Trusted Advisor will make suggestions on Cost Optimization, Performance, Security, Fault Tolerance and Service Limits
consists of two sets of checks Core Changes and Recommendations and Full Trusted Advisor
Core is available on all support levels
Full is available only on Business and Enterprise level support agreements

Question 34

Q

Logging in AWS

Answer

A

AWS Cloud Trail - logs changes to system components, should have file validation and encryption turned on
AWS Config - logs changes to system components
VPC Flow logs - logs all network traffic
AWS CloudWatch logs - provides performance monitoring and metrics

Question 35

Q

AWS KMS

Answer

A

managed service that makes it easy to create and control encryption keys
uses multi-tenant HSMs to protect the keys
keys are regional, they can only be used in the region the were created, they can not be copied to another region
KMS keys are used by various AWS services, like S3 for object encryption or EBS to encrypt an EC2 volume
KMS keys are not used to SSH into EC2 instances

Question 36

Q

AWS KMS CMK

Answer

A

customer master key
consists of an alias, creation date, description, key state (enabled, disabled, scheduled for deletion), key material
key material can be either customer provided or AWS provided
CMKs can never be exported
Key Administrators are IAM users/roles that can administer the key, but not use it
Key Users are IAM users/roles that can use the key to encrypt\decrypt data

Question 37

Q

AWS KMS reasons to import your own key material

Answer

A

prove that randomness meets your requirements
extend your existing processes to AWS
to delete key material without the 7 - 30 days wait, then be able to import them again.
to provide resilience against AWS failure by storing keys outside AWS

Question 38

Q

AWS KMS customer provide key material process

Answer

A

create a CMK with no key material
download the wrapping key and import token
encrypt the key material using something like Open SSL
import the key material into the CMK

Question 39

Q

AWS KMS key rotation - AWS managed keys

Answer

A

AWS managed keys are rotated every 3 years and you have no control over this
when a CMK is due for rotation, a new backing key is created and marked as the active key for all new requests
the old backing key remains available to decrypt any existing files
AWS managed keys cannot be deleted

Question 40

Q

AWS KMS key rotation - customer managed keys with AWS provided key material

Answer

A

automatically rotated once a year if enabled
AWS KMS generates new key material for the CMK every year and the old backing key is saved for decrypting old data
can delete the keys, requires a minimum wait period of 7 days
be very careful, once deleted no files encrypted with that key can be decrypted

Question 41

Q

AWS KMS key rotation - customer managed keys with customer provided key material

Answer

A

you can rotate on demand manually.
you will need to create a new CMK, then change your applications to use the new CMK
you can delete customer managed keys without waiting 7 - 30 days, but be very careful, once deleted no files encrypted with that key can be decrypted

Question 42

Q

AWS KMS - EBS volume encryption

Answer

A

you can use a KMS key to encrypt an EBS volume when you create it or when creating an EC2 instance
to encrypt an existing EBS volume, you need to first snapshot the volume, then copy the snapshot and choose to encrypt it, then deploy a new EC2 instance from the copied\encrypted snapshot

Question 43

Q

EC2 key pairs

Answer

A

you can add a key pair to an EC2 instance when you build it for ssh access
you can also add additional key pairs under /home/ec2-user/.ssh/authorized_keys
if you delete the key from EC2 -> Key Pairs, in the AWS console, this will not remove the key from the metadata of the EC2 instance or from the authorized_keys file with-in the EC2 instance
if you clone an EC2 instance to am AMI, all the old keys in the authorized_keys file will be left and any new keys you attach when powering on the new copy of the instance, will be appended

Question 44

Q

AWS WAF

Answer

A

web application firewall that monitors HTTP\S traffic that is forwarded to CloudFront, an Application Load Balancer or API Gateway
lets you control accesses to your content by configuring conditions
lets you allow all requests, except the ones specified
lets you block all requests, except the ones specified
lets you just monitor (count) the requests that match properties you specify

Question 45

Q

AWS WAF conditions

Answer

A

block requests by originating IP or country
block requests based on values in the headers
block requests with certain strings or regex patterns
block requests based on lenght
block requests that contain SQL code (SQL injection)
block requests that contain scripts (cross site scripting)

Question 46

Q

AWS Shield

Answer

A

provides DDoS protection
standard is free and provides network flow monitoring, standard DDoS protection for Load Balancers, CloudFront and Route 53
advanced is $3000/month and provides layer 7 traffic monitoring, customized DDoS detection and mitigation, adaptive layer 3 and 7 mitigation, layer 7 anomaly detection, event visibility and reporting, 24/7 support from the DDoS response team, cost protection from scaling due to DDoS attacks, WAF requests for protected resources and AWS firewall manager at no extra cost

Question 47

Q

AWS WAF integration with Application Load Balancers and CloudFront

Answer

A

WAF integrates with Load Balancers at a regional level
WAF integrates with CloudFront at a global level
you need to associate your WAF rules to AWS resources
you can use WAF to protect web sites not hosted in AWS via CloudFront
IPs can be blocked at /8, /16, /24 and /32
IPv4 and IPv6 are supported

Question 48

Q

EC2 dedicated instances

Answer

A

EC2 instances that run in a VPC that is on hardware that is dedicated to a single customer
the EC2 instances are physically isolated at the host hardware level from instances that belong to other AWS accounts

Question 49

Q

Dedicated hosts

Answer

A

physical servers that are dedicated for your use
dedicated hosts give you additional visibility and control over how your instances are placed on the physical servers
you can consistently deploy your instances to the same physical server over time, which can enable you to use your existing server bound licenses or meet compliance or regulatory requirements

Question 50

Q

AWS hypervisors

Answer

A

originally were based of Xen Hypervisor

- currently migrating all EC2 to Nitro Hypervisors

Question 51

Q

HVM vs PV

Answer

A

HVM - Hardware Virtual Machine, VM type that is fully virtualized, the guest is not aware it is sharing resources with other VMs - Windows VMs can only be HVM
PV - Paravirtualization - relies on the hypervisor to provide support for operations that normally require privileged access, the guest OS has no elevated access to the CPU. The guest OS sits in CPU ring 1 and the guest applications sit in CPU ring 3. Used to be faster than HVM, but not recommended anymore. Linux VMs can be HVM or PV

Question 52

Q

KMS Grants

Answer

A

used to grant AWS principals temporary access to a CMK
generally access is granted programmatically, and granularly, for example access might be granted to just encrypt or decrypt
grants allow access, not deny
when a grant is created, grant tokens are generated that can be passed as arguments to KMS API

Question 53

Q

KMS Grant commands

Answer

A

create-grant - adds a grant to a CMK, specifies who can use it and what operations the grantee can perform
list-grant - lists the grants associated with a CMK
revoke-grant - removes a grant from a CMK

Question 54

Q

KMS conditions

Answer

A

conditions can be used on KMS or IAM policies to restrict a policy to only take effect if certain conditions are met
ViaService is one of the conditions supported by KMS, it restricts the KMS policy to only take effect if the request is coming from a certain AWS service like S3 or Lambda

Question 55

Q

KMS cross account access

Answer

A

enable access for the cross account in the Key Policy for the CMK
create an IAM role in the cross account that grants access to run the KMS commands on the CMK in the source account

Question 56

Q

ECS vs EKS

Answer

A

Elastic Container Service - runs on Fargate, which is serverless or on managed clusters o EC2 instances. Has deep integration with AWS services. Is used internally by amazon for amazon.com
Elastic Kubernetes Service - runs on Fargate, which is serverless or on managed clusters of EC2 instances. It is certified Kubernetes conformant and benefits from the open source community of tools

Question 57

Q

Container Security Best Practices

Answer

A

don’t store secrets in your container code, use Secrets Manager
user IAM roles instead of hard coding user credentials in your containers
don’t run containers as root
your container should only run one microservice, avoid containers that run multiple services
only use trusted container images, avoid images from public repositories
scan container images for CVE vulnerabilities, if you use AWS Elastic Container Registry, Amazon provides container scanning
use an ECS interface endpoint to send traffic between ECS and your VPCs and avoid sending traffic over the internet
use TLS for all traffic between your users and your microservices
you can use Amazon Certificate Manager to manage your container’s certificates

Question 58

Q

VPC Network ACLs

Answer

A

are stateless, need a session’s inbound and outbound ports explicitly defined
rules are evaluated in order with the lower numbered rule being applied first. for example if rule 99 blocks ICMP and rule 100 allows ICMP, then ICMP will be blocked

Question 59

Q

VPC Security Groups

Answer

A

are stateful, do not need an inbound session’s corresponding outbound ports explicitly defined

Question 60

Q

VPC Virtual Private Gateway

Answer

A

used to connect to corporate networks with VPN

Question 61

Q

VPC Internet Gateway

Answer

A

used for access to\from the internet

- can only have one igw attached to a VPC

Question 62

Q

VPC soft limit

Answer

A

there is a soft limit of 5 VPCs per region, but you can request the limit be raised

Question 63

Q

VPC peering

Answer

A

allows connecting one VPC with another via a direct network route using private IP addresses
you can peer VPCs with-in the same AWS account and with other AWS accounts
peering is always in a star configuration, you have one central VPC peered with other VPCs
there is no transitive peering

Question 64

Q

VPC Subnets

Answer

A

each subnet can only exist in 1 availability zone
AWS reserves the following 5 IPs in each subnet
x.x.x.0 = network address
x.x.x.1 = reserved for the VPC router
x.x.x.2 = reserved for DNS, AWS reserves the base of the main CIDR block +2 for DNS
x.x.x.3 = reserved for future use
x.x.x.255 = reserved for network broadcast, which is not supported in VPCs

Answer 65

A

routing table - allows routing between all subnets in the VPC
Network ACL - allows all incoming and outgoing traffice
Security Group - allows all incoming traffic from members of the security group and all outgoing traffic to all destinations

Answer 66

A

old method of providing internet access for EC2 instances in private subnets
requires running an EC2 instance that has the NAT services installed, there are some in the Marketplace
the EC2 instance must have source\destination checks disabled so that it can forward traffic from other EC2 instances
you’ll need multiple instances in autoscaling groups and multiple AZs for redundancy and will have to script your failover
you can change the Elastic IP associated with a NAT instance anytime
the NAT instances will be associated with security groups
you can manually customize the configuration to support port forwarding
replaced by NAT Gateway

Answer 67

A

highly available, but exist with-in an availability zone. Create one NAT gateway with-in each Availability zone for redundancy
Supports bursts up to 10Gbps
charged by the number of NAT gateways, duration of usage and amount of data sent through the gateway
can’t change the Elastic IP after creation
can’t be associated with a security group
can use a NACL to control traffic to and from the gateway

Answer 68

A

works at Layer 7, supports HTTP, HTTPS
provides content-based routing based on URL, host header, query parameters, source IP, path, etc
support for container-based apps hosted on ECS and Lamdba functions as targets
supports websockets, HTML/s and load balancing to multiple ports on the same instance
supports user authentication
source IP can be forwarded to targert via X-Forwarded-For
must have at least two subnets in different AZs
if you are choosing an internal Loadbalancer, you need to choose private subnets
if you are choosing an external Loadbalancer, you need to choose public subnets

Answer 69

A

works at layer 4, supports TCP, UDP, TLS
supports load balancing to multiple ports on the same instance
can be assigned a Static IP or Elastic IP
preserves source IP address
supports PrivateLink
to enable TLS all the way to your instances, configure TCP pass though and terminate TLS on the EC2 instances

Answer 70

A

original load balancer provided by AWS
works at layer 4 or 7
supports TCP, TLS, HTTP, HTTPS
supports EC2-Classic network

Answer 71

A

enables you to capture information about the IP traffic going to and from network interfaces in your VPC
is stored in CloudWatch logs
can be created at the VPC, Subnet or Network Interface levels
can only enable flow logs for peered VPCs if the peered VPC is in your account
flow logs can’t be changed after created
traffic not monitored by flow logs includes: traffic to Amazon DNS servers, traffic generated by Windows activations, traffic to the instance metadata (169.254.169.254), DHCP traffic and traffic to the VPC default router

Answer 72

A

provides secure remote login to EC2 instances
browser based session using Powershell or Bash
can centrally control which instances users access using IAM users or groups
no ports to open, session manager is accessed through the AWS Console > Systems Manager > Sessions Manager
sessions are recorded in CloudTrail and will record keystroke logging and send it to CloudWatch or S3
the IAM role assigned to your EC2 instances must contain the AmazonEC2RoleforSSM policy

Answer 73

A

allow AWS services, like EC2 instances to reach other AWS services without going over the public internet.
for example, if you have EC2 instances running in a private subnet, and they need access to S3, you can create an S3 VPC Endpoint which will route S3 traffic from the EC2 instances directly to S3

Answer 74

A

allows you to create an endpoint from your own application for other AWS principles to consume

Answer 75

A

PRECO - precrypto officer account that is created when you spin up an HSM. username is admin and password is password, you are prompted to change this at first login
CO - crypto officer, account type is used to manage user accounts
CU - crypto user, account type is used to manage keys
AU - appliance user, account type is used by AWS to manage the appliances
anyone can zeroize an HSM, including unauthenticated users

Answer 76

A

when you create a VPC it automatically includes an Amazon provided DNS server which is used to resolve public DNS hostnames
it is also used for hostname resolution for instances in your VPC which are communicating over the internet
the DNS server is on x.x.x.2
you can disable the Amazon provided DNS and configure a new DHCP Options set to use your own custom DNS

Answer 77

A

provides centralized connectivity between all your VPCs and your datacenter
when a new VPC or datacenter is connected to the transit gateway, it gains connectivity to all the other VPCs and datacenters that are connected to that same gateway
you use route tables to control which VPCs and datacenters can communicate with each other
eliminates creating VPNs between your datacenter and VPCs
all the communication between the VPCs is done over the AWS network and inter-region traffic is encrypted
scales to 1000s of VPCs

Answer 78

A

a distributed denial of service attack that overwhelms your servers with traffic
this can be achieved by using multiple techniques like reflection and amplification attacks or by using large botnets

Answer 79

A

an attacker sends a third party server (like an NTP server) a request using a spoofed IP
the NTP server replies with a larger payload to the spoofed IP address
if the attack coordinates enough NTP servers at the same time, the target (spoofed) IP is overwhelmed with traffic

Answer 80

A

one example of a layer 7 attack is a “Slowloris” attack, this is when an attacker opens multiple partial HTTP requests to a web server and holds them open a long as possible, causing the server’s concurrent connection pool to fill up

Answer 81

A

minimize the attack surface, reduce the number of internet facing servers. Move all others into a private subnet
auto scale to meet the attack, this spreads the attack over a larger area, it buys you time to analyze the attack and respond with countermeasures, and provides you with additional redundancy
safeguard your entry points, use CloudFront, Route 53 and WAFs
CloudFront provides Geo blocking, you can restrict access to users in certain countries using allow or block lists. You can also use Origin Access Identity to restrict access to your S3 buckets so that only CloudFront can access them
Route 53 provides Alias Record Sets which can be used to immediately redirect your traffic to a CloudFront distro, different ELB or your own security tools.
You should also use private DNS to manage internal DNS names for your application resources without exposing this info to the internet
use a WAF to protect your web application
learn normal behavior, know the different types of traffic and what normal levels should be, understand expected and unexpected spikes. this allows you to create alarms to alert on abnormal behavior and to collect forensic data to understand the attack
create a plan for attacks, this shows you’ve validated the design of your architecture, you understand the costs for resiliency, you know what techniques to employ and who to contact when an attack happens

Answer 82

A

stop the instance immediately
take a snapshot of the EBS volume
deploy the instance into an isolated VPC
access the instance using a forensic workstation
check the logs to determine what happened

Answer 83

A

assume the keys have been compromised, even if they were leaked for only a minute
go into IAM, disable the old key, issue new key, then delete the old key
for the root user, log in as the root account, go to My Security Credentials, disable the old key, issue a new one, delete the old key

Answer 84

A

Amazon EC2 instances, NAT Gateways, and Elastic Load Balancers
Amazon RDS
Amazon CloudFront
Amazon Aurora
Amazon API Gateways
AWS Lambda and Lambda Edge functions
Amazon Lightsail resources
Amazon Elastic Beanstalk environments

Answer 85

A

DNS zone walking via Amazon Route 53 Hosted Zones
Denial of Service (DoS), Distributed Denial of Service (DDoS), Simulated DoS, Simulated DDoS (These are subject to the DDoS Simulation Testing policy)
Port flooding
Protocol flooding
Request flooding (login request flooding, API request flooding)

Answer 86

A

you can register a domain under Route 53
you can register it for up to 9 years and set it to auto renew
Route 53 auto creates a hosted zone, but you can delete it if you aren’t ready to use the name

Answer 87

A

certs issued by ACM are auto renewed and when the cert is renewed the ARN doesn’t change
certs imported into ACM or associated with Route 53 private hosted zones are not auto renewed
certs in ACM can be used on ALB, CloudFront, API Gateway, Elasitc Beanstalk, CloudFormation
ACM issued certs cannot be exported

Answer 88

A

an encryption system that prevents past communication from being decrypted in the future if long term keys are compromised
each session of a communication between two parties is encrypted with a temporary key that is generated from a long term asymmetric key pair
if the long term key is compromised, none of the sessions can be decrypted with it
if one of the temporary keys is compromised, only have particular session can be decrypted

Answer 89

A

you can enable perfect forward secrecy on ALB communications by choosing one of the TLS security polices with “FS” in it’s name

Answer 90

A

throttling, AWS throttles requests to your API to 10,000 steady-state requests per second with bursts of 5,000 requests across all APIs within an AWS account
when API requests are exceeded, the gateway replies with 429 Too Many Requests
you can request that AWS increase the rate and burst limits for your API
gateway caching, the gateway will cache your API endpoints responses for a stage (dev, stage, prod, etc) for a set TTL (default 300 seconds, max 3600 seconds) and if duplicate requests come in from clients, the gateway will respond with the cached data.
caching improves latency and reduces load on your API endpoints

Answer 91

A

can store confidential information such as password, connection strings, license keys
can store values as plain text or can be encrypted using KMS
you can then reference these values using their arn
you can use parameter store with EC2, CloudFormation, Lambda, EC2 Run Command, etc

Answer 92

A

allows you to automate common admin tasks and ad hoc configuration changes across large fleets of EC2 instances
commands can be applied to instances based of ID, tags or resource groups
the SSM agent needs to be installed on your instances
the commands and parameters are defined in a SSM document
commands can be issued using the Console, CLI, AWS PowerShell module, SSM API or SDKs
can be used with on premises systems as well

Answer 93

A

PCI-DSS - Payment Card Industry Data Security Standard is a globally accepted set of policies and procedures intended to optimize the security of credit, debit and cash card transactions and protect cardholders against misuse of their personal information
ISO 27001 - specifies the requirements for establishing, implementing, operating, monitoring, reviewing, maintaining and improving a documented Information Security Management System within the context of an organizations overall business risks
HIPAA - federal Health Insurance Portability and Accountability Act of 1996, the goal of which is to make it easier for people to keep health insurance, protect the confidentiality and security of healthcare information and help the healthcare industry control admin costs
FedRAMP - Federal Risk and Authorization Management Program is a government wide program that provides a standardized approach to security assessment, authorization, and continuous monitoring for cloud products and services.
NIST - framework for improving critical infrastructure cybersecurity, which is a set of industry standards and best practices to help organizations manage cybersecurity risks
SAS70 - Statement on Auditing Standards
SOC - Service Organization Controls - accounting standards
FISMA - Federal Information Security Modernization Act
FIPS 140-2 - U.S. government computer security standard used to approve cryptographic modules. It’s rated from Level 1 to Level 4. CloudHSM meets the level 3 standard

Answer 94

A

Install and maintain a firewall configuration to protect cardholder data
Do not use vendor-supplied defaults for system passwords and other security parameters
Protect stored cardholder data
Encrypt transmission of cardholder data across open, public networks
Protect all systems against malware and regularly update anti-virus software or programs
Develop and maintain secure systems and applications
Restrict access to cardholder data by business need to know
Identify and authenticate access to system components
Restrict physical access to cardholder data
Track and monitor all access to network resources and cardholder data
Regularly test security systems and processes
Maintain a policy that addresses information security for all personnel

Answer 95

A

interactive query service which enables you to query data located in S3 using standard SQL
it is a serverless service, that is charged by the query / per TB scanned
its commonly used to analyze log data stored in S3

Answer 96

A

scans your S3 buckets for PII (Personally Identifiable Information)
uses machine learning and NLP (Natural Language Processing) to discover, classify and protect sensitive data stored in S3
works directly with data stored in S3 and can analyze CloudTrail logs
Macie’s classification types are Content type, Theme, File Extension, Regular Expression
Content Type classifies the files by their content, like JSON, PDF, Excel, Zip, source code, etc
Theme classifies files into themes based on keywords like Amex, Visa, MasterCard credit card keywords, banking or financial keywords, hacker and web exploit keywords, etc
File extension classifies files based of their extensions
Regular Expression classifies files based on regex matches
once classified, Macie creates dashboards, alerts and reports based on the data which give visibility into how the data is being accessed
can also analyze CloudTrail logs and report on suspicious API activity

Answer 97

A

a threat detection service which uses machine learning to continuously monitor for malicious behavior
it detects unusual API calls and calls from known malicious IPs
it detects attempts to disable CloudTrail logging
it detects unauthorized deployments, compromised EC2 instances
it detects reconnaissance by would be attackers, port scanning and failed logins
it sends alerts to the GuardDuty console and CloudWatch Events
it receives feeds from 4rd parties like Proofpoint, CrowdStrike and AWS Security
it monitors CloudTrail Logs, VPC Flow Logs and DNS Logs
it provides centralized threat detection across multiple AWS accounts
you can automate responses with CloudWatch events and Lambda
takes 7 - 14 days to establish a baseline for normal behavior on your account

Answer 98

A

a service which securely stores, encrypts and rotates your DB credentials and other secrets
uses encryption in transit and at rest using KMS
applies fine grained access control using IAM policies
applications call the Secrets Manager API to retrieve the secret programmatically
commonly used to store database credentials, integrated with RDS: MySQL, PostgreSQL, Aurora
built in rotation for RDS secrets and Lambda rotation for other secrets. When rotation is enabled, Secrets Manager automatically rotates the secret once, if any clients had the credentials embedded, they will stop working.
you can store anything that is a key value pair

Answer 99

A

cloud based email service which supports sending and receiving email
can be used to send marketing emails, transaction emails and email notifications from applications
uses standard SMTP interface and can be accessed via an API
all connections to the SMTP endpoint must be encrypted using TLS
EC2 instances can be configured to use one of the SES endpoints to send mail. The EC2 security group will need to allow access to the SES SMTP endpoint
EC2 instances automatically throttle traffic over port 25, use port 587 (secure mail) or 2587 instead

Answer 100

A

centralized hub for security alerts, manages and aggregates the findings and alerts from key AWS security services, GuardDuty, Macie, Inspector, IAM Access Analyzer, Firewall Manager, Systems Manager Patch Manager, Detective, CloudWatch and 3rd party tools
performs automated checks for PCI-DSS, CIS AWS Benchmarksand AWS Foundational Security Best Practices
provides an ongoing security audit for your accounts
Security Hub is enabled per region

Answer 101

A

AWS does not provide a service that does network packet inspection like an IDS/IPs
you will need to deploy a 3rd party tool like AlertLogic, TrendMicro or McAfee

Answer 102

A

allows logging into the AWS console with AD credentials
minimizes admin overhead by leveraging existing accounts, password policies and groups
provides SSO for users
ADFS must be setup as an identity provider in your AWS account
AWS must be setup as a Relying Party Trust in ADFS

Answer 103

A

the user logs into their Corporate ADFS page and provides their AD credentials
ADFS authenticates against AD
AD returns the user’s information and group membership
ADFS sends a SAML token to the user’s browser which sends the token to the AWS sign-in endpoint
The AWS sign-in endpoint makes an STS AssumeRoleWithSAML request and STS returns temporary credentials
The user is authenticated and allowed to use the console
Users can use their AD credentials to gain access to the AWS API and CLI as well

Answer 104

A

when creating Lambda functions, you must choose an IAM role to assign to the function
you can assign an existing role or create a new one from policy templates
the basic Lambda permissions, such as logging to Amazon CloudWatch, will be automatically added.
also if the function accesses a VPC, the required permissions will be automatically added
basic logging of Lambda functions is enabled by default
detailed logging (data events) are not enabled by default, which have a costs associated with them
function policy - iam policy that defines what AWS service can invoke your Lambda function
execution role - iam role that contains the policies for what your Lambda function can access (like CloudWatch, S3, EC2, etc)

Answer 105

A

is the CloudTrail enabled
have you provided the correct S3 bucket name
is there a bucket policy preventing the logs from being written
S3 and Lambda data events aren’t enabled by default because they tend to be high volume and incur added costs

Answer 106

A

check if the user’s account has access to read the CloudTrail
does their account have the AWSCloudTrailReadOnlyAccess IAM Policy

Answer 107

A

check routing tables, security groups and NACLs
remember NACLs are stateless
security groups deny by default
NACLs explicitly deny
if you are peering 2 VPCs, remember to configure routing tables in both VPCs
internet access is achieved via either an internet gateway or a NAT gateway
check VPC flow logs to view allow / deny messages

Answer 108

A

if authenticating with a web identity like Facebook, Google, etc the user needs the STS:AssumeRoleWithWebIdentity policy
if authenticating with AD, the user needs the STS:AssumeRoleWithSAML policy
if authenticated with AWS, the user needs the STS:AssumeRole policy

Answer 109

A

in the source account you need to create an IAM role that grants the access the users in the external account will need
in the source account you need to set an IAM policy to trust the external account
in the external account, the users need an IAM policy that lets them assume the role in the source account

Brainscape's Knowledge GenomeTM

ACG - AWS Certified Security Specialty Flashcards

Brainscape's Knowledge Genome^TM