AWS Security & Encryption Flashcards
What are KMS Keys tied to?
What is encryption in transit?
What is server side encryption?
What is client side encryption?
An AWS Region
SSL/TLS/HTTPS
Encryption at rest
Encrypted at client, cannot be decrypted by server.
What are the key types that KMS supports?
Symmetric (Shared), Asymmetric - Supports encryption and signing
What are the 3 types of customer master keys?
How are you billed for KMS?
What is the data size limit for encryption on KMS?
Default key
User keys created in KMS
User imported keys
Per non-default key and per network call to KMS (.10/10k calls)
4 KB
What is a key policy?
What happens if you don’t create a key policy for KMS?
What happens if there is no key policy set?
What is defined in a custom key policy?
How can you create a snapshot across accounts?
It’s a resource policy for keys
A default policy is created that will allow anyone in the account access as long as they have the correct IAM permission
Then no one can use your keys.
The users and roles that can access your key, who can administer the key, which external accounts can access your key.
You create a key policy that allows the trusted account to read and decrypt using the key. Share the snapshot. Create a copy of the snapshot; this copy will be encrypted with your key. Create a volume from the snapshot.
How does automatic key rotation work?
How does manual key rotation work?
The CMK will be rotated every 1 year. The new key will receive the same ID and the old key will remain active to be able to decrypt old data.
You can rotate the key at any time period. Because you’re manually rotating the key, the new key will have a new ID. Because of this you should reference the key via an alias rather than the ID. After the rotation, give the new key the alias.
What is a parameter store?
How can you expire or be notified regarding some parameter store event?
Allows you to store parameters or environment variables that are accessible to your applications. These parameters can be plaintext or encrypted.
By assigning a policy to it.
What is AWS Secrets Manager?
Similar to the AWS parameter store, it allows you to store sensitive parameters, but it is designed to automatically rotate the secrets and to integrate with AWS services like RDS
What is a good use case for cloud HSM?
If you want to bring your own keys. Especially asymmetric keys.
What is guard duty?
What is a common use case for guard duty?
It uses machine learning to analyze logs, network requests etc. to determine if there is a threat. It can then notify you via SQS or Lambda.
Detecting cryptocurrency attacks.
What is Macie?
A machine learning tool that helps you identify PII in your S3 buckets, and then alerts you via EventBridge.
What tool can be used to automatically detect PII in your S3 bucket?
Use Macie
What tool can be used to run OS and Network vulnerability scans from within your EC2 instance?
Inspector
In the shared responsibility model who is responsible for:
Securing cloud service infrastructure and managed services?
Who is responsible for securing the underlying OS, encrypting data and managing permissions?
Which responsibilities are shared?
AWS
Customer
Patch management, configuration management, awareness and training
What is shield?
What is Shield Advanced?
A web application firewall that protects against DDoS, SYN/UDP floods, reflection attacks and other layer 3/4 attacks. Free and enabled by default.
Provides you access to a team that will help you mitigate DDoS attacks. With this service you will not be charged for spikes caused by DDoS attacks. Cost $3k per month.
What is AWS WAF?
Which services can a WAF be applied to?
What is a Web ACL and what can it be used to define?
What is the AWS Firewall manager?
A web application firewall that provides protection against layer 7 (HTTP) attacks
Application Load Balancer, API Gateway, CloudFront
A Web ACL provides the rules for the WAF including
IP Addresses, HTTP Headers, HTTP Body or URI Strings
SQL injection/XSS
Geo match to block countries
Rate-based rules for DDoS protection
Gives you a way to manage all of the WAF, Shield and Security group rules for an organization in one place.