AWS security

Question 1

AWS Config

Answer 1

• Record changes in the resources config
• Auditing changes
• Doesn’t prevent changes
• Is regional service, can be configured in cross-region or cross-account setup
• Config Rules can be created, criteria matching

Question 2

CVE

Answer 2

• Common Vulnerabilities and Exposures
• Rule set for Cloud Inspector to check against

Question 3

CIS

Answer 3

• Center of Internet Security benchmarks
• Rule set for Cloud Inspector to check against

Question 4

CloudHSM

Answer 4

• Hardware Security Module
• True “single tenant” HSM, not shared with the other accounts.
• Don’t have native integration with other AWS services (e.g. S3 SSE).
• Can be used to offload SSL/TLS processing from the Web servers.
• Can transparently encrypt data on Oracle DB.
• Protect Private keys for CA (Certificate Authority).
• AWS have no access to the module itself. If customer loses access to the module- game over.
• FIPS 140-2 Level 3, PKCS#11, Java Cryptography Extensions (JCE), Microsoft CryptoNG.
• KMS (key management Service) is shared service, AWS have some degree of access to the keys.

Question 5

WebACL

Answer 5

Web Application Firewall configuration unit

Question 6

Amazon Inspector

Answer 6

• Scans EC2 OS and containers for vulnerabilities and deviations from best security practices.
• Network assessment
• OS/host assessment (requires agent)
• Assessment is running at the regular interval (15m, 30min etc)

Question 7

CloudTrail

Answer 7

• Can log, continuously monitor, and retain account activity related to actions across your AWS infrastructure.
• Logs API calls, is NOT real time. Action taken by user, role or a service.
• Stores 90 days of history.
• By default only logs management events.
• Is regional service.
• Can be configured as one region or all regions (adds other regions automatically). Global services leave records in us-east-1 region.

Question 8

AWS Shield

Answer 8

• AWS Shield is a managed Distributed Denial of Service (DDoS) protection service that safeguards applications running on AWS.
• Can be Professional (paid) or Std version.

Question 9

AWS Macie

Answer 9

Data security service that discovers sensitive data (in S3) using machine learning and pattern matching, provides visibility into data security risks, and enables automated protection against those risks.

Question 10

GuardDuty

Answer 10

Threat detection service that continuously monitors your AWS accounts and workloads for malicious activity and unauthorized behavior.

Question 11

VPC Network Access Analyzer

Answer 11

• Network Access Analyzer is a feature that identifies unintended network access to your resources on AWS.
• You can use Network Access Analyzer to specify your network access requirements and to identify potential network paths that do not meet your specified requirements.
• Network Access Analyzer uses automated reasoning algorithms to analyze the network paths that a packet can take between resources in an AWS network. It then produces findings for paths that match a customer defined Network Access Scope. Network Access Analyzer performs a static analysis of a network configuration, meaning that no packets are transmitted in the network as part of this analysis.

Question 12

DNS Firewall

Answer 12

• DNS Firewall provides filtering for outbound DNS queries that pass through the Route 53 Resolver from applications within your VPCs. You can also configure DNS Firewall to send custom responses for queries to blocked domain names.

AWS Network Firewall provides filtering for both network and application layer traffic, but does not have visibility into queries made to the Route 53 Resolver.