AWS Security

Question 1

How do you ensure Kinesis Data Streams data is encrypted in Transit?

Answer 1

Use the ‘StartStreamEncryption’ API

Question 2

What is the new name for Amazon Kinesis Data Analytics for Apache Flink?

Answer 2

Amazon Managed Service for Apache Flink

Question 3

What’s tricky about thinking about access vs trust when establishing one-way trust relationships between on-prem AD and AWS?

Answer 3

The direction of the trust relationship is the opposite of the direction of access.

I.e. if you extend an outgoing trust from AWS to on-prem AD, this grants access from AD to AWS, not the other way around.

Question 4

How can you prevent user access to EC2 metadata?

Answer 4

Disallow it using IAM or SCPs.

Question 5

Between the master account users and member account users in a multi-account GuardDuty setup, who can generate sample findings?

Answer 5

Both member and master account users.

Question 6

Between the master account users and member account users in a multi-account GuardDuty setup, who upload and manage trusted IP and threat lists?

Answer 6

Master account users.

Question 7

Between the master account users and member account users in a multi-account GuardDuty setup, who can archive findings?

Answer 7

Master account users

Question 8

What does this principle refer to in a KMS Key policy:

“Principal”: {
“AWS”: “arn:aws:iam::111122223333:root”
},

Answer 8

Any user in the account can be granted access via IAM.

“root” in this case of key policies is not referring to the root user of the account.

Question 9

Does log file integrity validation automatically enable encryption?

Answer 9

No.

Question 10

What’s the most efficient way to encrypt CloudTrail logs with customer managed keys?

Answer 10

Use server-side encryption with AWS KMS–managed keys (SSE-KMS)

Question 11

What is envelope encryption?

Answer 11

where you encrypt plaintext data with a data key and then encrypt the data key with a top-level plaintext master key

Question 12

What form of data encryption provides an audit trail which shows who used the encryption key?

Answer 12

Server-Side Encryption with AWS KMS-Managed Keys (SSE-KMS)

(NOT a feature of S3-managed keys)

Question 13

How can you encrypt data before it is sent to a DynamoDB table, with full customer control of the encryption keys?

Answer 13

Configure the DynamoDB table to enable customer-managed CMK server-side encryption

Question 14

In a KMS key policy, what is the difference between the ‘aws:sourceVpce’ condition and the ‘aws:sourceVpc’ condition?

Answer 14

the former is to specify a specific vpc endpoint, the latter is to specify the whole vpc.

Question 15

If a principle is granted access to an S3 bucket via the bucket policy, but not their IAM policy, do they have access to the bucket?

Answer 15

Yes. As long as there’s no explicit deny in any policy.

Question 16

Linux EC2: What is the path of CloudWatch Logs Agent log file (used for log propagation troubleshooting)?

Answer 16

/var/log/awslogs.log

Question 17

What type of encryption is provided by SSE-S3 encryption?

Answer 17

AES-256

Question 18

How can you allow outbound traffic from ephemeral ports?

Answer 18

allow outbound traffic on ports 1024 – 65535

Question 19

When should you allow outbound traffic from ephemeral ports?

Answer 19

When you want to enable the connection to a service running on an instance

Question 20

What are the two resource-based access control mechanisms of KMS?

Answer 20

key policies and grants.

Question 21

(3) Which types of KMS keys do not grant automatic rotation?

Answer 21

KMS keys in custom key stores
Asymmetric KMS keys
KMS keys that have imported key material

Question 22

Which AWS services can offer SSL/TLS cipher suites for Perfect Forward Secrecy?

Answer 22

Amazon CloudFront and Elastic Load Balancers

Question 23

How do you prevent EC2 instances from using Amazon-provided DNS in a VPC?

Answer 23

Set the ‘enableDnsHostnames’ and ‘enableDnsSupport’ attributes in the VPC to false

Question 24

How could you dynamically reference a secrets manager secret called ‘password’ from a cloudformation script?

Answer 24

{{resolve:secretsmanager:AppKey:SecretString:password}}

Question 25

How can you ensure several applications have their own programmatic access control permissions on a CMK?

Answer 25

Configure each application to use a grant on the KMS CMK which will add or remove specific access controls on the CMK.

Question 26

Auto-scaling application:

How can you securely allow multiple domains to serve SSL traffic over the same IP address.

Answer 26

1. CloudFront
2. SSL Certificate from ACM
3. Enable Server Name Indication (SNI)

Question 27

Which Oubound Port does Simple Email Service (SES) use to send traffic?

Answer 27

port 587

Question 28

How can you inspect the IAM permissions of a user before and after a security event?

Answer 28

Using Config.

Question 29

How can you detect and delete old access keys?

Answer 29

the ‘GenerateCredentialReport’ API

CloudWatch cannot monitor access key age.

Question 30

Cognito: Is it User Pool or Identity Pool?

Answer 30

Identity Pool, dummy.

Question 31

When adding additional authenticated data to a call to decrypt with KMS, what allows you to require additional information?

Answer 31

‘EncryptionContext’

Question 32

What is the most cost-effective solution for storing 1000s of parameters for individual IoT Devices, while keeping access to these parameters independently auditable?

Answer 32

Systems Manager Parameter Store - Standard Parameters.

Question 33

What provides protection against common attack patterns, such as SQL injection, DDoS or cross-site scripting?

Answer 33

AWS WAF

Question 34

How do you automatically act on a Config finding?

Answer 34

Using a Remediation action.

Question 35

KMS how can you return only the encrypted copy of a unique data key?

Answer 35

GenerateDataKeyWithoutPlaintext

Question 36

What are two methods for doing custom packet inspection on outgoing EC2 traffic? (2)

Answer 36

1. Proxy software on an EC2, and route all traffic through it
2. A host-based agent on each EC2 instance

Question 37

What can be used to bound the maximum policies a principle can grant to another principle?

Answer 37

Permissions Boundaries

Question 38

How long do you have to reverse a Glacier vault lock?

Answer 38

24 hours

Question 39

How do you edit a vault lock policy that was initiated less than 24 hours ago? (2)

Answer 39

1. initiate the ‘abourt-vault-lock’ api
2. ‘initiate-vault-lock’ after editing

Question 40

How do you define a specific cloudfront distro as the principle in your bucket policy?

Answer 40

Principal: ‘cloudfront.amazonaws.com’

Condition:
“StringEquals”: {
“AWS:SourceArn”: “arn:aws:cloudfront::AccountID:distribution/E27LVI50CSW06W”
}