ACG - AWS Certified Security Specialty Flashcards

1
Q

S3 policy precedents

A
  • when an AWS principal issues a request to S3, the authorization decision depends on the union of all IAM policies, S3 bucket policies and S3 ACLs that apply
  • an S3 bucket policy will take precedence over an IAM policy, unless the IAM policy contains a deny statement.
  • deny statements always take precedence over allow statements, whether within an S3 bucket policy, an IAM policy or an S3 ACL
2
Q

S3 ACLs

A
  • ACLs have been around since the inception of S3
  • AWS recommends using IAM or S3 bucket policies over ACLs
  • if you need to specify permissions on a specific object, you will have to use ACLs
  • ACLs can only be used to grant access to your AWS account or another AWS account using their canonical ID. You can’t use ACLs to grant access to a specific user
3
Q

S3 bucket policies

A
  • used to allow or deny actions on an S3 bucket
  • applied to the S3 bucket
  • limited to 20kb in size
4
Q

IAM policies

A
  • applied at the IAM user, group or role level
  • limited to 2kb for users, 5kb for groups and 10 kb for roles.
5
Q

AWS principal

A
  • term that designates an AWS user, group or role
6
Q

S3 policy conflict flow

A
  1. access always starts with deny (least privilege)
  2. all applicable policies are evaluated
  3. if there is an explicit deny, the action is denied
  4. if there is no explicit deny and there is an allow, the action is allowed
  5. if there is neither an allow nor a deny, the action is denied
7
Q

S3 Replication

A
  • the source and destination buckets must have versioning enabled and can be located in the same or different regions
  • Amazon S3 must have permissions to replicate objects on your behalf
  • If the source bucket owner is not the object owner, then the bucket owner needs Read and Read_ACP permissions via the object ACL
  • the IAM role must have permissions to replicate objects in the destination bucket
  • during replication you can change the ownership of the object replica to the AWS account that owns the destination bucket
  • any new objects created after you enable replication on the bucket are replicated
  • S3 replicates objects encrypted with S3-managed keys by default, and objects encrypted with AWS KMS keys if you enable it
  • S3 does not replicate objects encrypted with server-side encryption using customer-provided keys
  • S3 replicates the object metadata, ACL updates and tags
  • delete markers are replicated, but the version history still remains on the source and destination buckets
  • S3 does not replicate deletes to a particular version of an object
  • S3 always replicates buckets over SSL
8
Q

CloudFront - SSL certs

A
  • you can use a default CloudFront SSL cert that has a *.cloudfront.net domain name
  • if you want to use your own cert with your own domain name, you can register a cert in AWS ACM, but the cert must be registered in the us-east-1 region
  • you can also use a cert stored in IAM, but you must use the IAM CLI
9
Q

S3 pre-signed URLs

A
  • you can access objects using a pre-signed URL instead of IAM or S3 bucket policies or S3 ACLs.
  • pre-signed URLs are typically generated by the SDK, but can also be generated by the CLI
  • you can change the default time-out for the token by using the --expires-in option
10
Q

Security Token Service (STS)

A
  • grants users limited and temporary access to AWS resources by federating with another identity store.
  • users can be federated with Active Directory
  • users can be federated with Mobile Apps (Facebook, Amazon, Google or other OpenID providers)
  • users can be from other AWS accounts (Cross account access)
11
Q

Security Token Service (STS) Identity Broker

A
  • a service that brokers the authentication and authorization between the identity store (like AD) and the AWS service (like S3)
  • an application sends the user’s credentials to the identity broker, who validates with the identity store (like AD)
  • the identity broker calls the GetFederationToken function using IAM credentials that have permissions to create new tokens. The call must include a duration (1 to 36 hours) and an IAM policy that specifies the permissions to be granted to the temporary security credentials
  • the STS returns to the identity broker an access key, a secret access key, a token and a duration
  • the identity broker returns the temporary credentials to the application
  • the application uses the temporary credentials to make the call to S3
  • S3 uses IAM to verify that the credentials allow the requested operation
  • IAM approves the operation
12
Q

Amazon Cognito

A
  • provides Web Identity Federation with providers like Amazon, Facebook or Google
  • provides sign-up and sign-in to your apps
  • grants access for guest users
  • acts as an identity broker between your app and Web ID providers
  • synchronizes user data for multiple devices
  • recommended for all mobile apps using AWS services
13
Q

Cognito User Pools

A
  • user directories used to manage sign-up and sign-in functionality for mobile and web apps
  • users can sign in directly to a User Pool or indirectly via an identity provider like Facebook, Amazon or Google
  • successful authentication generates a number of JSON Web Tokens (JWTs)
14
Q

Cognito Identity Pools

A
  • enable you to create unique identities for your users and assign them access to AWS resources
  • the identity pool exchanges the JWTs for temporary AWS credentials which grant access to other AWS services
15
Q

Glacier Vault Lock

A
  • allows configuring and enforcing compliance controls for individual Glacier Vaults
  • you can enforce WORM archives and data retention
  • you must initiate the lock by attaching a vault lock policy
  • there is a 24 hour waiting period before you can validate the lock policy and the vault lock takes effect and becomes immutable
16
Q

Amazon Glacier

A
  • extremely low cost cloud storage for data archiving
  • costs as little as $0.004 per GB/month
  • data is stored in Archives as .tar or .zip
17
Q

Glacier Vault

A
  • a container in Glacier storage that contains one or more archives
18
Q

AWS Organizations

A
  • an account management service which allows consolidation of multiple AWS accounts for centralized management
  • allows centralized billing
  • allows organizing accounts into OUs for access control
  • allows attaching Service Control Policies (SCPs) for restricting AWS services
19
Q

Service Control Policies

A
  • used by AWS Organizations to restrict the AWS services allowed by accounts
  • can be attached to accounts directly or to OUs
  • SCPs attached to OUs higher up the Organization hierarchy apply to all OUs and accounts beneath them
  • can be used to create a Permissions Boundary, restricting the actions users, groups and roles (including root) can do
  • SCPs can deny access only, they cannot allow
20
Q

IAM Credential Report

A
  • exports a list of users with credential information like account creation time, password enabled/last used/last rotated, access keys enabled/last used/last rotated, certs enabled/last used, MFA enabled
  • can be generated in the AWS console or CLI
21
Q

CloudTrail

A
  • logs API calls to resources in your AWS account
  • does not log SSH or RDP sessions
  • does log the ID of the caller, the time of the call, the source IP, the request parameters and the response from the service
  • delivered with digest file that can be used to validate the integrity of the log file
  • CloudTrail log file validation uses SHA-256 hashing and SHA-256 with RSA for digital signing
22
Q

CloudTrail logs security

A
  • CloudTrail logs contain personally identifiable information like usernames, team membership, DynamoDB table and key names
  • it is best practice to secure your CloudTrail logs by using IAM or S3 bucket policies and SSE-S3 or SSE-KMS to encrypt the logs
  • you can also enable Object lock on the S3 bucket that contains your CloudTrail logs, but only when the bucket is created
  • you can enable S3 MFA Delete (via the CLI only)
23
Q

CloudTrail log retention

A
  • logs are kept indefinitely in their S3 bucket
  • you can set up S3 Object Lifecycle Management to automatically remove the files after a certain period
  • you can move the files to AWS Glacier for cost effective long term storage
24
Q

CloudWatch

A
  • real time monitoring (detailed monitoring = every 1 min, standard monitoring = every 5 mins)
  • gathers metrics including items like CPU and network utilization
  • you can configure alarms based on metrics
  • Alarms can trigger notifications like SNS
  • can create custom metrics
  • can also monitor on-premises servers
25
Q

CloudWatch logs

A
  • logs from other AWS services, like CloudTrail, can be pushed to CloudWatch
  • you can also set up your applications and systems to send their logs to CloudWatch via the CloudWatch Agent
  • you can set up log groups to filter the metrics from your application logs
  • the logs sent to CloudWatch will be logged indefinitely (not in an S3 bucket that we have access to)
26
Q

CloudWatch events

A
  • near real-time stream of system events
  • events are AWS resource state changes
  • can create custom & scheduled events
  • allows you to create actions based on rules that trigger when certain metrics are detected in the CloudWatch logs
  • for example a CloudWatch event could trigger a Lambda function to delete any EC2 instances provisioned by a certain user. CloudWatch would be aware of this event if CloudTrail logs were ingested into CloudWatch
27
Q

CloudWatch security

A
  • can restrict access to CloudWatch via IAM policies
  • note that data is decoupled from its source, so you can’t restrict access to originating sources within CloudWatch, you can only restrict access to CloudWatch itself
28
Q

AWS Config

A
  • enables compliance auditing, security analysis and resource tracking
  • provides configuration snapshots, logs changes of AWS resources and automates compliance checking
  • provides AWS resource inventory
  • you can aggregate AWS resource inventory or Config rule compliance status from other AWS accounts and regions
29
Q

AWS Config permissions

A
  • AWS Config requires an IAM role with read-only access to record resources
  • AWS Config needs write access to an S3 bucket to record its results
  • AWS Config needs access to publish to an SNS topic if you want it to send notifications
  • you should restrict user access to AWS Config using IAM roles
30
Q

AWS CloudHSM

A
  • dedicated hardware security module
  • not shared by other tenants
  • enables control of data, evidence of control, meets tough compliance controls
  • provides secure key storage, cryptographic operations, and tamper resistant HSM
  • CloudHSM has FIPS 140-2 & EAL-4 compliance
  • AWS only administers the HSM appliance, they have no access to your keys (although they could probably destroy your keys by destroying the HSM partition)
  • the HSM can detect physical attempts at tampering and auto destroy the keys
  • if the HSM detects five unsuccessful attempts as Crypto Officer (CO), the HSM erases itself
  • if the HSM detects five unsuccessful attempts as Crypto User (CU), the user will be locked and must be unlocked by a CO
31
Q

AWS CloudHSM roles

A
  • Crypto Officer - can create Crypto Users, but can’t access keys
  • Crypto User - can create, import, export and delete keys, but can’t create users
32
Q

AWS Inspector

A
  • automated security assessment service that assesses applications for vulnerabilities or deviations from best practices
  • provides a detailed list of security findings prioritized by level of severity
  • requires an agent installed on your EC2 instances
  • available rules packages are CVE, Network Reachability, CIS OS Security Configuration Benchmarks, Security Best Practices
33
Q

AWS Trusted Advisor

A
  • online resource to help you reduce cost, increase performance and improve security through optimization
  • Trusted Advisor makes suggestions on Cost Optimization, Performance, Security, Fault Tolerance and Service Limits
  • consists of two sets of checks: Core Checks and Recommendations, and Full Trusted Advisor
  • Core is available on all support levels
  • Full is available only on Business and Enterprise level support agreements
34
Q

Logging in AWS

A
  • AWS CloudTrail - logs changes to system components, should have file validation and encryption turned on
  • AWS Config - logs changes to system components
  • VPC Flow logs - logs all network traffic
  • AWS CloudWatch logs - provides performance monitoring and metrics
35
Q

AWS KMS

A
  • managed service that makes it easy to create and control encryption keys
  • uses multi-tenant HSMs to protect the keys
  • keys are regional: they can only be used in the region they were created in, and they cannot be copied to another region
  • KMS keys are used by various AWS services, like S3 for object encryption or EBS to encrypt an EC2 volume
  • KMS keys are not used to SSH into EC2 instances
36
Q

AWS KMS CMK

A
  • customer master key
  • consists of an alias, creation date, description, key state (enabled, disabled, scheduled for deletion), key material
  • key material can be either customer provided or AWS provided
  • CMKs can never be exported
  • Key Administrators are IAM users/roles that can administer the key, but not use it
  • Key Users are IAM users/roles that can use the key to encrypt/decrypt data
37
Q

AWS KMS reasons to import your own key material

A
  • prove that randomness meets your requirements
  • extend your existing processes to AWS
  • to delete key material without the 7 - 30 days wait, then be able to import them again.
  • to provide resilience against AWS failure by storing keys outside AWS
38
Q

AWS KMS customer-provided key material process

A
  • create a CMK with no key material
  • download the wrapping key and import token
  • encrypt the key material with the wrapping key using something like OpenSSL
  • import the key material into the CMK
39
Q

AWS KMS key rotation - AWS managed keys

A
  • AWS managed keys are rotated every 3 years and you have no control over this
  • when a CMK is due for rotation, a new backing key is created and marked as the active key for all new requests
  • the old backing key remains available to decrypt any existing files
  • AWS managed keys cannot be deleted
40
Q

AWS KMS key rotation - customer managed keys with AWS provided key material

A
  • automatically rotated once a year if enabled
  • AWS KMS generates new key material for the CMK every year and the old backing key is saved for decrypting old data
  • can delete the keys, requires a minimum wait period of 7 days
  • be very careful, once deleted no files encrypted with that key can be decrypted
41
Q

AWS KMS key rotation - customer managed keys with customer provided key material

A
  • you can rotate on demand manually.
  • you will need to create a new CMK, then change your applications to use the new CMK
  • you can delete customer managed keys without waiting 7 - 30 days, but be very careful, once deleted no files encrypted with that key can be decrypted
42
Q

AWS KMS - EBS volume encryption

A
  • you can use a KMS key to encrypt an EBS volume when you create it or when creating an EC2 instance
  • to encrypt an existing EBS volume, you need to first snapshot the volume, then copy the snapshot and choose to encrypt it, then deploy a new EC2 instance from the copied/encrypted snapshot
43
Q

EC2 key pairs

A
  • you can add a key pair to an EC2 instance when you build it for SSH access
  • you can also add additional key pairs under /home/ec2-user/.ssh/authorized_keys
  • if you delete the key from EC2 -> Key Pairs in the AWS console, this will not remove the key from the metadata of the EC2 instance or from the authorized_keys file within the EC2 instance
  • if you clone an EC2 instance to an AMI, all the old keys in the authorized_keys file will be left in place, and any new key you attach when powering on the new copy of the instance will be appended
44
Q

AWS WAF

A
  • web application firewall that monitors HTTP/S traffic that is forwarded to CloudFront, an Application Load Balancer or API Gateway
  • lets you control access to your content by configuring conditions
  • lets you allow all requests, except the ones specified
  • lets you block all requests, except the ones specified
  • lets you just monitor (count) the requests that match properties you specify
45
Q

AWS WAF conditions

A
  • block requests by originating IP or country
  • block requests based on values in the headers
  • block requests with certain strings or regex patterns
  • block requests based on length
  • block requests that contain SQL code (SQL injection)
  • block requests that contain scripts (cross site scripting)
46
Q

AWS Shield

A
  • provides DDoS protection
  • standard is free and provides network flow monitoring, standard DDoS protection for Load Balancers, CloudFront and Route 53
  • advanced is $3000/month and provides layer 7 traffic monitoring, customized DDoS detection and mitigation, adaptive layer 3 and 7 mitigation, layer 7 anomaly detection, event visibility and reporting, 24/7 support from the DDoS response team, cost protection from scaling due to DDoS attacks, WAF requests for protected resources and AWS firewall manager at no extra cost
47
Q

AWS WAF integration with Application Load Balancers and CloudFront

A
  • WAF integrates with Load Balancers at a regional level
  • WAF integrates with CloudFront at a global level
  • you need to associate your WAF rules to AWS resources
  • you can use WAF to protect web sites not hosted in AWS via CloudFront
  • IPs can be blocked at /8, /16, /24 and /32
  • IPv4 and IPv6 are supported
48
Q

EC2 dedicated instances

A
  • EC2 instances that run in a VPC that is on hardware that is dedicated to a single customer
  • the EC2 instances are physically isolated at the host hardware level from instances that belong to other AWS accounts
49
Q

Dedicated hosts

A
  • physical servers that are dedicated for your use
  • dedicated hosts give you additional visibility and control over how your instances are placed on the physical servers
  • you can consistently deploy your instances to the same physical server over time, which can enable you to use your existing server bound licenses or meet compliance or regulatory requirements
50
Q

AWS hypervisors

A
  • originally based on the Xen hypervisor
  • currently migrating all EC2 to the Nitro hypervisor
51
Q

HVM vs PV

A

HVM - Hardware Virtual Machine: a VM type that is fully virtualized; the guest is not aware it is sharing resources with other VMs. Windows VMs can only be HVM
PV - Paravirtualization: relies on the hypervisor to provide support for operations that normally require privileged access; the guest OS has no elevated access to the CPU. The guest OS sits in CPU ring 1 and the guest applications sit in CPU ring 3. Used to be faster than HVM, but not recommended anymore. Linux VMs can be HVM or PV

52
Q

KMS Grants

A
  • used to grant AWS principals temporary access to a CMK
  • generally access is granted programmatically, and granularly, for example access might be granted to just encrypt or decrypt
  • grants allow access, not deny
  • when a grant is created, grant tokens are generated that can be passed as arguments to KMS API
53
Q

KMS Grant commands

A
  • create-grant - adds a grant to a CMK, specifies who can use it and what operations the grantee can perform
  • list-grants - lists the grants associated with a CMK
  • revoke-grant - removes a grant from a CMK
54
Q

KMS conditions

A
  • conditions can be used on KMS or IAM policies to restrict a policy to only take effect if certain conditions are met
  • ViaService is one of the conditions supported by KMS, it restricts the KMS policy to only take effect if the request is coming from a certain AWS service like S3 or Lambda
55
Q

KMS cross account access

A
  • enable access for the other account in the Key Policy for the CMK
  • create an IAM role in the other account that grants permission to run the KMS commands on the CMK in the source account
56
Q

ECS vs EKS

A

Elastic Container Service - runs on Fargate, which is serverless, or on managed clusters of EC2 instances. Has deep integration with AWS services. Is used internally by Amazon for amazon.com
Elastic Kubernetes Service - runs on Fargate, which is serverless, or on managed clusters of EC2 instances. It is certified Kubernetes conformant and benefits from the open source community of tools

57
Q

Container Security Best Practices

A
  • don’t store secrets in your container code, use Secrets Manager
  • use IAM roles instead of hard coding user credentials in your containers
  • don’t run containers as root
  • your container should only run one microservice, avoid containers that run multiple services
  • only use trusted container images, avoid images from public repositories
  • scan container images for CVE vulnerabilities, if you use AWS Elastic Container Registry, Amazon provides container scanning
  • use an ECS interface endpoint to send traffic between ECS and your VPCs and avoid sending traffic over the internet
  • use TLS for all traffic between your users and your microservices
  • you can use Amazon Certificate Manager to manage your container’s certificates
58
Q

VPC Network ACLs

A
  • are stateless: a session’s inbound and outbound ports need to be explicitly defined
  • rules are evaluated in order, with the lower numbered rule being applied first; for example, if rule 99 blocks ICMP and rule 100 allows ICMP, then ICMP will be blocked
59
Q

VPC Security Groups

A
  • are stateful: an inbound session’s corresponding outbound ports do not need to be explicitly defined
60
Q

VPC Virtual Private Gateway

A
  • used to connect to corporate networks with VPN
61
Q

VPC Internet Gateway

A
  • used for access to/from the internet
  • can only have one IGW attached to a VPC
62
Q

VPC soft limit

A
  • there is a soft limit of 5 VPCs per region, but you can request the limit be raised
63
Q

VPC peering

A
  • allows connecting one VPC with another via a direct network route using private IP addresses
  • you can peer VPCs within the same AWS account and with other AWS accounts
  • peering is always in a star configuration, you have one central VPC peered with other VPCs
  • there is no transitive peering
64
Q

VPC Subnets

A
  • each subnet can only exist in 1 availability zone
  • AWS reserves the following 5 IPs in each subnet
  • x.x.x.0 = network address
  • x.x.x.1 = reserved for the VPC router
  • x.x.x.2 = reserved for DNS, AWS reserves the base of the main CIDR block +2 for DNS
  • x.x.x.3 = reserved for future use
  • x.x.x.255 = reserved for network broadcast, which is not supported in VPCs
65
Q

VPC components created by default with new VPC

A
  • routing table - allows routing between all subnets in the VPC
  • Network ACL - allows all incoming and outgoing traffic
  • Security Group - allows all incoming traffic from members of the security group and all outgoing traffic to all destinations
66
Q

NAT Instances

A
  • old method of providing internet access for EC2 instances in private subnets
  • requires running an EC2 instance that has the NAT services installed, there are some in the Marketplace
  • the EC2 instance must have source/destination checks disabled so that it can forward traffic from other EC2 instances
  • you’ll need multiple instances in autoscaling groups and multiple AZs for redundancy and will have to script your failover
  • you can change the Elastic IP associated with a NAT instance anytime
  • the NAT instances will be associated with security groups
  • you can manually customize the configuration to support port forwarding
  • replaced by NAT Gateway
67
Q

NAT Gateway

A
  • highly available, but exists within an availability zone. Create one NAT gateway within each Availability Zone for redundancy
  • Supports bursts up to 10Gbps
  • charged by the number of NAT gateways, duration of usage and amount of data sent through the gateway
  • can’t change the Elastic IP after creation
  • can’t be associated with a security group
  • can use a NACL to control traffic to and from the gateway
68
Q

Application Load Balancer

A
  • works at Layer 7, supports HTTP, HTTPS
  • provides content-based routing based on URL, host header, query parameters, source IP, path, etc
  • supports container-based apps hosted on ECS and Lambda functions as targets
  • supports WebSockets, HTTP/2 and load balancing to multiple ports on the same instance
  • supports user authentication
  • source IP can be forwarded to the target via X-Forwarded-For
  • must have at least two subnets in different AZs
  • if you are choosing an internal load balancer, you need to choose private subnets
  • if you are choosing an external load balancer, you need to choose public subnets
69
Q

Network Load Balancer

A
  • works at layer 4, supports TCP, UDP, TLS
  • supports load balancing to multiple ports on the same instance
  • can be assigned a Static IP or Elastic IP
  • preserves source IP address
  • supports PrivateLink
  • to enable TLS all the way to your instances, configure TCP passthrough and terminate TLS on the EC2 instances
70
Q

Classic Load Balancer (ELB)

A
  • original load balancer provided by AWS
  • works at layer 4 or 7
  • supports TCP, TLS, HTTP, HTTPS
  • supports EC2-Classic network
71
Q

VPC Flow Logs

A
  • enables you to capture information about the IP traffic going to and from network interfaces in your VPC
  • is stored in CloudWatch logs
  • can be created at the VPC, Subnet or Network Interface levels
  • can only enable flow logs for peered VPCs if the peered VPC is in your account
  • flow logs can’t be changed after creation
  • traffic not monitored by flow logs includes: traffic to Amazon DNS servers, traffic generated by Windows activations, traffic to the instance metadata (169.254.169.254), DHCP traffic and traffic to the VPC default router
72
Q

Systems Manager Session Manager

A
  • provides secure remote login to EC2 instances
  • browser-based session using PowerShell or Bash
  • can centrally control which instances users access using IAM users or groups
  • no ports to open; Session Manager is accessed through the AWS Console > Systems Manager > Session Manager
  • sessions are recorded in CloudTrail and will record keystroke logging and send it to CloudWatch or S3
  • the IAM role assigned to your EC2 instances must contain the AmazonEC2RoleforSSM policy
73
Q

VPC endpoints

A
  • allow AWS services, like EC2 instances to reach other AWS services without going over the public internet.
  • for example, if you have EC2 instances running in a private subnet, and they need access to S3, you can create an S3 VPC Endpoint which will route S3 traffic from the EC2 instances directly to S3
74
Q

VPC endpoint services (PrivateLink)

A
  • allows you to create an endpoint from your own application for other AWS principals to consume
75
Q

CloudHSM user types

A
  • PRECO - pre-crypto officer account that is created when you spin up an HSM. The username is admin and the password is password; you are prompted to change this at first login
  • CO - crypto officer, account type is used to manage user accounts
  • CU - crypto user, account type is used to manage keys
  • AU - appliance user, account type is used by AWS to manage the appliances
  • anyone can zeroize an HSM, including unauthenticated users
76
Q

Amazon DNS

A
  • when you create a VPC it automatically includes an Amazon provided DNS server which is used to resolve public DNS hostnames
  • it is also used for hostname resolution for instances in your VPC which are communicating over the internet
  • the DNS server is on x.x.x.2
  • you can disable the Amazon provided DNS and configure a new DHCP Options set to use your own custom DNS
77
Q

Transit Gateway

A
  • provides centralized connectivity between all your VPCs and your datacenter
  • when a new VPC or datacenter is connected to the transit gateway, it gains connectivity to all the other VPCs and datacenters that are connected to that same gateway
  • you use route tables to control which VPCs and datacenters can communicate with each other
  • eliminates creating VPNs between your datacenter and VPCs
  • all the communication between the VPCs is done over the AWS network and inter-region traffic is encrypted
  • scales to 1000s of VPCs
78
Q

DDoS attacks

A
  • a distributed denial of service attack that overwhelms your servers with traffic
  • this can be achieved by using multiple techniques like reflection and amplification attacks or by using large botnets
79
Q

DDoS amplification/reflection attack

A
  • an attacker sends a third party server (like an NTP server) a request using a spoofed IP
  • the NTP server replies with a larger payload to the spoofed IP address
  • if the attacker coordinates enough NTP servers at the same time, the target (spoofed) IP is overwhelmed with traffic
80
Q

DDoS application (layer 7) attacks

A
  • one example of a layer 7 attack is a “Slowloris” attack: an attacker opens multiple partial HTTP requests to a web server and holds them open as long as possible, causing the server’s concurrent connection pool to fill up
81
Q

DDoS attack mitigations

A
  • minimize the attack surface: reduce the number of internet facing servers and move all others into a private subnet
  • auto scale to meet the attack: this spreads the attack over a larger area, buys you time to analyze the attack and respond with countermeasures, and provides you with additional redundancy
  • safeguard your entry points: use CloudFront, Route 53 and WAFs
  • CloudFront provides geo blocking; you can restrict access to users in certain countries using allow or block lists. You can also use Origin Access Identity to restrict access to your S3 buckets so that only CloudFront can access them
  • Route 53 provides alias record sets which can be used to immediately redirect your traffic to a CloudFront distribution, a different ELB or your own security tools
  • you should also use private DNS to manage internal DNS names for your application resources without exposing this info to the internet
  • use a WAF to protect your web application
  • learn normal behavior: know the different types of traffic and what normal levels should be, and understand expected and unexpected spikes. This allows you to create alarms to alert on abnormal behavior and to collect forensic data to understand the attack
  • create a plan for attacks: this shows you’ve validated the design of your architecture, you understand the costs of resiliency, and you know what techniques to employ and who to contact when an attack happens
82
Q

Steps if an EC2 instance has been compromised

A
  • stop the instance immediately
  • take a snapshot of the EBS volume
  • deploy the instance into an isolated VPC
  • access the instance using a forensic workstation
  • check the logs to determine what happened
83
Q

Steps if AWS access keys have been leaked

A
  • assume the keys have been compromised, even if they were leaked for only a minute
  • go into IAM, disable the old key, issue new key, then delete the old key
  • for the root user, log in as the root account, go to My Security Credentials, disable the old key, issue a new one, delete the old key
84
Q

AWS pen testing - Services that AWS allows pen testing on without prior approval

A
  • Amazon EC2 instances, NAT Gateways, and Elastic Load Balancers
  • Amazon RDS
  • Amazon CloudFront
  • Amazon Aurora
  • Amazon API Gateway
  • AWS Lambda and Lambda@Edge functions
  • Amazon Lightsail resources
  • Amazon Elastic Beanstalk environments
85
Q

AWS pen testing - prohibited activities

A
  • DNS zone walking via Amazon Route 53 Hosted Zones
  • Denial of Service (DoS), Distributed Denial of Service (DDoS), Simulated DoS, Simulated DDoS (These are subject to the DDoS Simulation Testing policy)
  • Port flooding
  • Protocol flooding
  • Request flooding (login request flooding, API request flooding)
86
Q

AWS Domain Name Registration

A
  • you can register a domain under Route 53
  • you can register it for up to 9 years and set it to auto renew
  • Route 53 auto creates a hosted zone, but you can delete it if you aren’t ready to use the name
87
Q

AWS Cert Manager

A
  • certs issued by ACM are auto renewed, and when the cert is renewed the ARN doesn’t change
  • certs imported into ACM or associated with Route 53 private hosted zones are not auto renewed
  • certs in ACM can be used on ALB, CloudFront, API Gateway, Elastic Beanstalk and CloudFormation
  • ACM issued certs cannot be exported
88
Q

Perfect Forward Secrecy

A
  • an encryption property that prevents past communication from being decrypted in the future if the long term keys are compromised
  • each session of a communication between two parties is encrypted with a temporary key that is generated from a long term asymmetric key pair
  • if the long term key is compromised, none of the past sessions can be decrypted with it
  • if one of the temporary keys is compromised, only that particular session can be decrypted
89
Q

AWS ALB Perfect Forward Secrecy

A
  • you can enable perfect forward secrecy on ALB communications by choosing one of the TLS security policies with “FS” in its name
90
Q

API Gateway

A
  • throttling: AWS throttles requests to your API to 10,000 steady-state requests per second with bursts of 5,000 requests across all APIs within an AWS account
  • when these limits are exceeded, the gateway replies with 429 Too Many Requests
  • you can request that AWS increase the rate and burst limits for your API
  • gateway caching: the gateway caches your API endpoint responses for a stage (dev, stage, prod, etc) for a set TTL (default 300 seconds, max 3600 seconds), and if duplicate requests come in from clients, the gateway responds with the cached data
  • caching improves latency and reduces load on your API endpoints
91
Q

AWS Systems Manager Parameter Store

A
  • can store confidential information such as passwords, connection strings and license keys
  • values can be stored as plain text or encrypted using KMS
  • you can then reference these values using their ARN
  • you can use parameter store with EC2, CloudFormation, Lambda, EC2 Run Command, etc
92
Q

AWS Systems Manager EC2 Run Command

A
  • allows you to automate common admin tasks and ad hoc configuration changes across large fleets of EC2 instances
  • commands can be applied to instances based on ID, tags or resource groups
  • the SSM agent needs to be installed on your instances
  • the commands and parameters are defined in an SSM document
  • commands can be issued using the Console, CLI, AWS PowerShell module, SSM API or SDKs
  • can be used with on premises systems as well
93
Q

Compliance Frameworks

A
  • PCI-DSS - Payment Card Industry Data Security Standard is a globally accepted set of policies and procedures intended to optimize the security of credit, debit and cash card transactions and protect cardholders against misuse of their personal information
  • ISO 27001 - specifies the requirements for establishing, implementing, operating, monitoring, reviewing, maintaining and improving a documented Information Security Management System within the context of an organization’s overall business risks
  • HIPAA - federal Health Insurance Portability and Accountability Act of 1996, the goal of which is to make it easier for people to keep health insurance, protect the confidentiality and security of healthcare information and help the healthcare industry control admin costs
  • FedRAMP - Federal Risk and Authorization Management Program is a government wide program that provides a standardized approach to security assessment, authorization, and continuous monitoring for cloud products and services.
  • NIST - framework for improving critical infrastructure cybersecurity, which is a set of industry standards and best practices to help organizations manage cybersecurity risks
  • SAS70 - Statement on Auditing Standards
  • SOC - Service Organization Controls - accounting standards
  • FISMA - Federal Information Security Modernization Act
  • FIPS 140-2 - U.S. government computer security standard used to approve cryptographic modules. It’s rated from Level 1 to Level 4. CloudHSM meets the level 3 standard
94
Q

PCI DSS 12 requirements

A
  1. Install and maintain a firewall configuration to protect cardholder data
  2. Do not use vendor-supplied defaults for system passwords and other security parameters
  3. Protect stored cardholder data
  4. Encrypt transmission of cardholder data across open, public networks
  5. Protect all systems against malware and regularly update anti-virus software or programs
  6. Develop and maintain secure systems and applications
  7. Restrict access to cardholder data by business need to know
  8. Identify and authenticate access to system components
  9. Restrict physical access to cardholder data
  10. Track and monitor all access to network resources and cardholder data
  11. Regularly test security systems and processes
  12. Maintain a policy that addresses information security for all personnel
95
Q

Athena

A
  • interactive query service which enables you to query data located in S3 using standard SQL
  • it is a serverless service that is charged per query, based on the amount of data scanned (per TB)
  • it’s commonly used to analyze log data stored in S3
96
Q

Macie

A
  • scans your S3 buckets for PII (Personally Identifiable Information)
  • uses machine learning and NLP (Natural Language Processing) to discover, classify and protect sensitive data stored in S3
  • works directly with data stored in S3 and can analyze CloudTrail logs
  • Macie’s classification types are Content type, Theme, File Extension, Regular Expression
  • Content Type classifies the files by their content, like JSON, PDF, Excel, Zip, source code, etc
  • Theme classifies files into themes based on keywords like Amex, Visa, MasterCard credit card keywords, banking or financial keywords, hacker and web exploit keywords, etc
  • File Extension classifies files based on their extensions
  • Regular Expression classifies files based on regex matches
  • once classified, Macie creates dashboards, alerts and reports based on the data which give visibility into how the data is being accessed
  • can also analyze CloudTrail logs and report on suspicious API activity
97
Q

GuardDuty

A
  • a threat detection service which uses machine learning to continuously monitor for malicious behavior
  • it detects unusual API calls and calls from known malicious IPs
  • it detects attempts to disable CloudTrail logging
  • it detects unauthorized deployments, compromised EC2 instances
  • it detects reconnaissance by would-be attackers, such as port scanning and failed logins
  • it sends alerts to the GuardDuty console and CloudWatch Events
  • it receives threat intelligence feeds from 3rd parties like Proofpoint and CrowdStrike, and from AWS Security
  • it monitors CloudTrail logs, VPC Flow Logs and DNS logs
  • it provides centralized threat detection across multiple AWS accounts
  • you can automate responses with CloudWatch Events and Lambda
  • takes 7 - 14 days to establish a baseline for normal behavior on your account
98
Q

Secrets Manager

A
  • a service which securely stores, encrypts and rotates your DB credentials and other secrets
  • uses encryption in transit and at rest using KMS
  • applies fine grained access control using IAM policies
  • applications call the Secrets Manager API to retrieve the secret programmatically
  • commonly used to store database credentials, integrated with RDS: MySQL, PostgreSQL, Aurora
  • built in rotation for RDS secrets and Lambda based rotation for other secrets. When rotation is enabled, Secrets Manager immediately rotates the secret once; any clients that had the old credentials embedded will then stop working
  • you can store anything that is a key value pair
99
Q

Simple Email Service (SES)

A
  • cloud based email service which supports sending and receiving email
  • can be used to send marketing emails, transaction emails and email notifications from applications
  • uses standard SMTP interface and can be accessed via an API
  • all connections to the SMTP endpoint must be encrypted using TLS
  • EC2 instances can be configured to use one of the SES endpoints to send mail. The EC2 security group will need to allow access to the SES SMTP endpoint
  • EC2 instances automatically throttle traffic over port 25, use port 587 (secure mail) or 2587 instead
100
Q

Security Hub

A
  • centralized hub for security alerts; manages and aggregates the findings and alerts from key AWS security services (GuardDuty, Macie, Inspector, IAM Access Analyzer, Firewall Manager, Systems Manager Patch Manager, Detective, CloudWatch) and 3rd party tools
  • performs automated checks against PCI-DSS, the CIS AWS Benchmarks and the AWS Foundational Security Best Practices
  • provides an ongoing security audit for your accounts
  • Security Hub is enabled per region
101
Q

Network packet inspection in AWS

A
  • AWS does not provide a native service that does network packet inspection like an IDS/IPS
  • you will need to deploy a 3rd party tool like AlertLogic, TrendMicro or McAfee
102
Q

Active Directory Federation

A
  • allows logging into the AWS console with AD credentials
  • minimizes admin overhead by leveraging existing accounts, password policies and groups
  • provides SSO for users
  • ADFS must be set up as an identity provider in your AWS account
  • AWS must be set up as a Relying Party Trust in ADFS
103
Q

Active Directory Federation login process

A
  1. the user logs into their Corporate ADFS page and provides their AD credentials
  2. ADFS authenticates against AD
  3. AD returns the user’s information and group membership
  4. ADFS sends a SAML token to the user’s browser which sends the token to the AWS sign-in endpoint
  5. The AWS sign-in endpoint makes an STS AssumeRoleWithSAML request and STS returns temporary credentials
  6. The user is authenticated and allowed to use the console
  • users can use their AD credentials to gain access to the AWS API and CLI as well
104
Q

Lambda functions security

A
  • when creating Lambda functions, you must choose an IAM role to assign to the function
  • you can assign an existing role or create a new one from policy templates
  • the basic Lambda permissions, such as logging to Amazon CloudWatch, are automatically added
  • if the function accesses a VPC, the required permissions are also automatically added
  • basic logging of Lambda functions is enabled by default
  • detailed logging (data events) is not enabled by default and has costs associated with it
  • function policy - IAM resource policy that defines which AWS services (or principals) can invoke your Lambda function
  • execution role - IAM role that contains the policies for what your Lambda function can access (like CloudWatch, S3, EC2, etc)
105
Q

Troubleshooting CloudTrail logging - what to check if your CloudTrail logs are not appearing in S3

A
  • is the CloudTrail trail enabled (and logging turned on)
  • have you provided the correct S3 bucket name
  • is there a bucket policy preventing the logs from being written
  • S3 and Lambda data events aren’t enabled by default because they tend to be high volume and incur added costs
106
Q

Troubleshooting CloudTrail logging - what to check if a user is having access issues

A
  • check whether the user’s account has permission to read CloudTrail
  • does their account have the AWSCloudTrailReadOnlyAccess IAM policy attached
107
Q

Troubleshooting Network Infrastructure

A
  • check route tables, security groups and NACLs
  • remember NACLs are stateless (return traffic must be explicitly allowed)
  • security groups deny by default (no explicit deny rules, only allows)
  • NACLs support explicit deny rules
  • if you are peering 2 VPCs, remember to configure the route tables in both VPCs
  • internet access is achieved via either an internet gateway or a NAT gateway
  • check VPC flow logs to view ACCEPT / REJECT records
108
Q

STS permissions for Federated Authentication

A
  • if authenticating with a web identity like Facebook, Google, etc, the user needs a policy allowing the sts:AssumeRoleWithWebIdentity action
  • if authenticating with AD (SAML), the user needs a policy allowing the sts:AssumeRoleWithSAML action
  • if authenticating with an AWS identity, the user needs a policy allowing the sts:AssumeRole action
109
Q

Cross account access

A
  • in the source account you need to create an IAM role that grants the access the users in the external account will need
  • in the source account the role’s trust policy must trust the external account
  • in the external account, the users need an IAM policy that lets them assume the role in the source account