AWS Security & Encryption Flashcards

1
Q

What are KMS Keys tied to?

What is encryption in transit?

What is server side encryption?

What is client side encryption?

A

An AWS Region

SSL/TLS/HTTPS

Encryption at rest

Encrypted at client, cannot be decrypted by server.

2
Q

What are the key types that KMS supports?

A

Symmetric (shared); asymmetric (supports encryption and signing)

3
Q

What are the 3 types of customer master keys?

How are you billed for KMS?

What is the data size limit for encryption on KMS?

A

Default key
User keys created in KMS
User imported keys

Per non-default key and per network call to KMS ($0.10 per 10k calls)

4 KB

4
Q

What is a key policy?

What happens if you don’t create a key policy for KMS?

What happens if there is no key policy set?

What is defined in a custom key policy?

How can you create a snapshot across accounts?

A

It’s a resource policy for keys

A default policy is created that allows anyone in the account access, as long as they have the correct IAM permissions.

Then no one can use your keys.

The users and roles that can access your key, who can administer the key, which external accounts can access your key.

You create a key policy that allows the trusted account to read and decrypt using the key. Share the snapshot. Create a copy of the snapshot; this copy will be encrypted with your key. Create a volume from the snapshot.

5
Q

How does automatic key rotation work?

How does manual key rotation work?

A

The CMK is rotated every year. The new key keeps the same ID, and the old key material remains active so that old data can still be decrypted.

You can rotate the key at any time. Because you are rotating the key manually, the new key will have a new ID, so you should reference the key via an alias rather than by ID. After the rotation, point the alias at the new key.

6
Q

What is Parameter Store?

How can you expire or be notified regarding some parameter store event?

A

Allows you to store parameters or environment variables that are accessible to your applications. These parameters can be plaintext or encrypted.

By assigning a policy to it.

7
Q

What is AWS Secrets Manager?

A

Similar to Parameter Store, it allows you to store sensitive parameters, but it is designed to rotate secrets automatically and to integrate with AWS services like RDS.

8
Q

What is a good use case for CloudHSM?

A

If you want to bring your own keys, especially asymmetric keys.

9
Q

What is GuardDuty?

What is a common use case for GuardDuty?

A

It uses machine learning to analyze logs, network requests, etc., to determine whether there is a threat. It can then notify you via SQS or Lambda.

Detecting cryptocurrency attacks.

10
Q

What is Macie?

A

A machine learning tool that helps you identify PII in your S3 buckets and then alerts you via EventBridge.

11
Q

What tool can be used to automatically detect PII in your S3 bucket?

A

Use Macie

12
Q

What tool can be used to run OS and Network vulnerability scans from within your EC2 instance?

A

Inspector

13
Q

In the shared responsibility model, who is responsible for securing the cloud service infrastructure and managed services?

Who is responsible for securing the underlying OS, encrypting data and managing permissions?

Which responsibilities are shared?

A

AWS

Customer

Patch management, configuration management, awareness and training

14
Q

What is Shield?

What is Shield Advanced?

A

A service that protects against DDoS, SYN/UDP floods, reflection attacks and other layer 3/4 attacks. Free and enabled by default.

Provides you access to a team that will help you mitigate DDoS attacks. With this service you will not be charged for spikes caused by DDoS attacks. Costs $3k per month.

15
Q

What is AWS WAF?

Which services can a WAF be applied to?

What is a Web ACL and what can it be used to define?

What is the AWS Firewall manager?

A

A web application firewall that provides protection against layer 7 (HTTP) attacks.

Application Load Balancer, API Gateway, CloudFront

A Web ACL provides the rules for the WAF, including:
IP addresses, HTTP headers, HTTP body or URI strings
SQL injection/XSS
Geo match to block countries
Rate-based rules for DDoS protection

Gives you a way to manage all of the WAF, Shield and security group rules for an organization in one place.
