AWS Security & Monitoring Flashcards
What type of keys do AWS services integrated with KMS use, symmetric or asymmetric?
Symmetric (AES-256)
How do asymmetric keys work?
A public key encrypts the data and a private key decrypts the data
True or false: The same KMS key can live in two regions
False. We can, however, use KMS Multi-Region Keys, which create replicas in different regions
We would like global client-side encryption for our AWS Service/s implemented. What could we use?
KMS Multi-Region keys. We can use the same encryption/decryption across regions because we are using replica keys
True or False: Unencrypted objects and objects encrypted with SSE-S3 are replicated by default
True
Which service allows you to force rotation of secrets every X days, Secrets Manager or Parameter Store?
Secrets Manager
Which service allows seamless integration with RDS: Secrets Manager or Parameter Store?
Secrets Manager
We want to protect our application from DDoS attacks. What service can we use?
AWS Shield
What is a metric and dimension in CloudWatch?
A metric is a time-ordered series of data points. Could be the CPU usage of EC2 or IO of EBS
A dimension is a name/value pair that is part of the identity of a metric. For example, we can use the InstanceId dimension to filter down to specific instance metrics in EC2, or the timestamp of the data point
How long can CloudWatch log data take to be available for export?
Up to 12 hours
We want to stream logs from CloudWatch logs to other services, what can we use?
CloudWatch subscriptions. We create the receiving resource and then define a CloudWatch subscription filter to filter which logs get delivered
We want to log to CloudWatch from EC2. What do we need?
CloudWatch Unified Agent
What is the difference between the CloudWatch Logs Agent and the Unified Agent?
The Unified Agent can collect more details on the system it runs on, such as CPU, memory, processes
What are the three main targets of CloudWatch alarms?
EC2, ASG and SNS
We want to monitor multiple CloudWatch alarms. What can we use?
CloudWatch Composite Alarms. CloudWatch Alarms are on a single metric
True or False: CloudWatch Alarms can trigger an EC2 restart
True. When we define the alarm, we can specify which action to take on the EC2 instance: stop, recover, reboot or terminate
We want to schedule a service action (Lambda function) every hour. What service can we use?
EventBridge
What is the EventBridge schema registry?
The schema registry defines default and custom schemas for events that allow services receiving events to understand the event structure
We want to collect logs to send to CloudWatch from container services. What can we use?
CloudWatch Container Insights
How does CloudWatch Container Insights work?
CloudWatch uses a containerized version of the CloudWatch Agent to discover containers
We want to see which AWS services are impacting system performance the most. What can we use?
CloudWatch Contributor Insights. They use the standard CloudWatch logs to understand usage by different services
We want to figure out which AWS services are the heaviest network users. What can we use?
CloudWatch Contributor Insights
We want to monitor history of events and API calls made within an AWS Account. What can we use?
AWS CloudTrail
True or False: A CloudTrail trail can only be used within a single region
False. It can cover all regions or a single region
We want to detect unusual activity in our AWS account/s. What can we use?
CloudTrail Insights
How long are events stored in CloudTrail?
90 days
What is AWS Config?
AWS Config tracks the configuration of all your AWS resources over their history, from creation through any changes that were made
True or False: We can use AWS Config to prevent AWS resource actions from happening
False. We can create rules to trigger actions, but not prevent them
We want to automatically revoke unused IAM user credentials after a certain period of time. What AWS resource can we use?
AWS Config remediation rules
For an Elastic Load Balancer, we want to ensure that an SSL certificate is always assigned to the Load Balancer. What service can we use?
AWS Config
We want to monitor ELB incoming connection metrics, would we use CloudWatch or CloudTrail?
CloudWatch
We want to see who made changes to our ELB with terminal commands, what AWS service can we use?
AWS CloudTrail
You have an RDS DB instance that’s configured to push its database logs to CloudWatch. You want to create a CloudWatch alarm if there’s an Error found in the logs. How would you do that?
Create a CloudWatch Logs Metric Filter that filters the logs for the keyword Error, then create a CloudWatch Alarm based on that Metric Filter
We want to set a CloudWatch alarm for only a certain grouping of metrics. What can we use to do this?
We can create a CloudWatch Logs metric filter
How would you monitor your EC2 instance memory usage in CloudWatch?
Use the Unified CloudWatch Agent to push memory usage as a custom metric to CloudWatch
You have made a configuration change and would like to evaluate the impact of it on the performance of your application. Which AWS service should you use, CloudWatch or CloudTrail?
CloudWatch. We want to measure performance change, not who made the change or when, which we would use CloudTrail for
Someone has terminated an EC2 instance in your AWS account last week, which was hosting a critical database that contains sensitive data. Which AWS service helps you find who did that and when?
CloudTrail
You have CloudTrail enabled for your AWS Account in all AWS Regions. What should you use to detect unusual activity in your AWS Account?
CloudTrail Insights. Insights help identify and respond to unusual activity associated with API calls and API error rates by analyzing CloudTrail management events
One of your teammates terminated an EC2 instance 4 months ago which has critical data. You don’t know who made this so you are going to review all API calls within this period using CloudTrail. You already have CloudTrail set up and configured to send logs to the S3 bucket. What should you do to find out who made this?
Analyze CloudTrail logs in S3 bucket using Amazon Athena. CloudTrail records delete after 90 days, so we must go to the S3 bucket to analyze the logs
You have enabled AWS Config to monitor Security Groups if there’s unrestricted SSH access to any of your EC2 instances. Which AWS Config feature can you use to automatically re-configure your Security Groups to their correct state?
AWS Config Remediations
You are running a critical website on a set of EC2 instances with a tightened Security Group that has restricted SSH access. You have enabled AWS Config in your AWS Region and you want to be notified via email when someone modified your EC2 instances’ Security Group. Which AWS Config feature helps you do this?
AWS Config Notifications
A DevOps engineer is working for a company and managing its infrastructure and resources on AWS. There was a sudden spike in traffic for the company's main application, which is not normal for this period of the year. The application is hosted on a couple of EC2 instances in private subnets and is fronted by an Application Load Balancer in a public subnet. To detect whether this is normal traffic or an attack, the DevOps engineer enabled VPC Flow Logs for the subnets and stored those logs in a CloudWatch Log Group. The DevOps engineer wants to analyze those logs and find the top IP addresses making requests against the website to check if there is an attack. Which of the following can help the DevOps engineer analyze those logs?
CloudWatch Contributor Insights
A company has a running Serverless application on AWS which uses EventBridge as an inter-communication channel between different services within the application. There is a requirement to use the events in the prod environment in the dev environment to make some tests. The tests will be done every 6 months, so the events need to be stored and used later on. What is the most efficient and cost-effective way to store EventBridge events and use them later?
Use EventBridge Archive and Replay feature
How can we audit our usage of AWS KMS keys?
CloudTrail
What are data keys in KMS?
Data keys are symmetric keys that you use to encrypt and decrypt data outside of KMS
You request data keys from KMS and receive both an encrypted data key (which you can store) and a plaintext data key (which you use to encrypt/decrypt)
What is the automatic key rotation duration for AWS managed KMS keys?
1 year
We want to control who can access our KMS keys. What can we use?
A Custom KMS Key Policy
We want to authorize cross-account access to an EBS snapshot encrypted with a KMS key. What do we need?
Attach a custom KMS Key Policy that allows cross-account access
True or False: if you obtain a TLS certificate outside ACM and import it, ACM will automatically renew the certificate for you.
False. We must renew the certificate ourselves. ACM will, however, notify us of the expiration through EventBridge
What can we deploy AWS WAF to?
ALB, API Gateway, CloudFront, AppSync GraphQL API, Cognito User Pool
True or False: WAF can be put on a Network Load Balancer
False
You want to manage common sets of security rules across all your accounts, what can you use?
Firewall Manager. Rules are automatically applied to new resources as they are created across your organization
What is AWS GuardDuty?
GuardDuty runs ML algorithms to detect potential security threats inside your AWS accounts and workloads
It can also specifically protect against cryptocurrency attacks with a dedicated finding
What is AWS Inspector?
Allows you to run automated security assessments on EC2 instances, ECR images and Lambda functions
Can be used to scan package vulnerabilities
What is Amazon Macie?
Uses machine learning and pattern matching to find sensitive data in S3 buckets and emits notifications
True or False: You need to create KMS Keys in AWS KMS before you are able to use the encryption features for EBS, S3, RDS
False. You can use the AWS managed keys in KMS
When you enable Automatic Rotation on your KMS Key, the backing key is rotated every:
Year
You have an AMI that has an encrypted EBS snapshot using KMS CMK. You want to share this AMI with another AWS account. You have shared the AMI with the desired AWS account, but the other AWS account still can’t use it. How would you solve this problem?
You need to share the KMS CMK used to encrypt the AMI with the other AWS account
What should you use to control access to your KMS CMKs?
KMS Key Policies
You have a secret value that you use for encryption purposes, and you want to store and track the values of this secret over time. Which AWS service should you use?
SSM Parameter Store; SSM PS has built-in tracking capability; each time you edit the value of a parameter, SSM PS creates a new version of the parameter and retains the previous version
Your user-facing website is a high-risk target for DDoS attacks and you would like to get 24/7 support in case they happen and AWS bill reimbursement for the incurred costs during the attack. What AWS service should you use?
AWS Shield Advanced
True or False: AWS GuardDuty monitors CloudWatch logs
False. It looks through CloudTrail event logs, VPC Flow Logs, DNS logs and Kubernetes Audit Logs
Which AWS service allows you to centrally manage EC2 Security Groups and AWS Shield Advanced across all AWS accounts in your AWS Organization?
AWS Firewall Manager