AWS Security Services Flashcards

1
Q

Assign True or False to the following statements:
- Amazon GuardDuty is a service that uses ML to detect anomalies such as suspect API calls or unauthorized deployments
- Amazon GuardDuty analyses CloudTrail event logs, VPC flow logs, DNS logs and other data sources
- It has dedicated findings to detect crypto mining attacks
- You can set up EventBridge rules targeting Lambda, SNS or SQS in case of findings
- A management account of an organization can designate a member account as the GuardDuty Delegated Administrator, which then has full GuardDuty permissions for all accounts in the organization, with the exception of the management account

A

-True
-True
-True
-True, EventBridge rules on GuardDuty findings can target Lambda, SNS, SQS and most other EventBridge targets
-False, the delegated administrator manages GuardDuty for every account in the organization, the management account included (it is added as a member like any other account)

2
Q

Explain the service AWS Trusted Advisor

A

Trusted Advisor is an AWS service that inspects an AWS account and makes recommendations based on best practices, through a set of checks across cost, performance, security, fault tolerance, service limits and operational excellence.

3
Q

Trusted Advisor can generate recommendations for what areas?

A

-Cost Optimization
-Performance
-Service Limits
-Security
-Operational Excellence
-Fault Tolerance

4
Q

What advantages does the Full Trusted Advisor (Business and Enterprise Support plans) offer compared to the standard one?

A
  • Access to the full set of checks (the free tier only gets the core security checks and the service limit checks)
  • Allows you to set CloudWatch alarms on service limit checks
  • Grants programmatic access using the AWS Support API
5
Q

Assign True or False to the following statements:
- Trusted Advisor can check whether a bucket and any individual object inside it are public
- AWS limits can only be monitored in Trusted Advisor, not changed

A
  • False, Trusted Advisor checks bucket-level permissions (whether a bucket is public), but not the objects inside it. For object-level checks use EventBridge/S3 event notifications, AWS Config rules or Amazon Macie
  • True, Trusted Advisor only reports on limits; to raise one you use Service Quotas or open a support case
6
Q

What are the kinds of existing flow logs?

A
  • VPC Flow Logs
  • Subnet Flow Logs
  • ENI (Elastic Network Interface) Flow Logs
7
Q

What are the possible destinations for Flow Logs?

A

-S3
-Kinesis Data Firehose
-CloudWatch Logs

8
Q

Assign True or False to the following statements:
- You can query Flow Logs in Athena or CloudWatch Logs Insights
- Flow logs can be used to evaluate fields such as source and destination IP, source and destination port, account ID, interface ID and the action taken (ACCEPT or REJECT)
- If you have a NAT Gateway inside a VPC and the NAT Gateway receives unsolicited inbound traffic, since the NAT Gateway drops that traffic, the action on the flow log record will be REJECT

A

-True
-True
-False. The action field reflects only what the security group and network ACL decided. If they allowed the packet the record shows ACCEPT, even though the NAT Gateway then drops the unsolicited inbound traffic
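
Worked example, added here and not part of the original deck: a small parser for default-format flow log records and the REJECT-per-source triage that the query tools above (Athena, CloudWatch Logs Insights) would normally do. The records are constructed, not captured from a real VPC, and the field order is the default version 2 format.

```python
"""Parse VPC Flow Log records (default format, version 2) and flag source
addresses that collect REJECTs on several destination ports, the same triage a
CloudWatch Logs Insights or Athena query would perform.  The records below
are constructed for this example."""
from collections import defaultdict
from dataclasses import dataclass
from typing import Dict, Iterable, List, Optional

# Field order of the default flow log format (version 2); "-" means no value.
FIELDS = ("version", "account_id", "interface_id", "srcaddr", "dstaddr",
          "srcport", "dstport", "protocol", "packets", "bytes",
          "start", "end", "action", "log_status")

# Constructed sample: one external host probing four ports on 10.0.1.25,
# one legitimate HTTPS session, one single refused SSH attempt and one
# NODATA record (no traffic in the window, so no addresses or action).
SAMPLE_LOG = """\
2 123456789012 eni-0a1b2c3d4e5f67890 203.0.113.7 10.0.1.25 40123 22 6 4 240 1700000000 1700000060 REJECT OK
2 123456789012 eni-0a1b2c3d4e5f67890 203.0.113.7 10.0.1.25 40124 3389 6 4 240 1700000000 1700000060 REJECT OK
2 123456789012 eni-0a1b2c3d4e5f67890 203.0.113.7 10.0.1.25 40125 445 6 4 240 1700000000 1700000060 REJECT OK
2 123456789012 eni-0a1b2c3d4e5f67890 203.0.113.7 10.0.1.25 40126 8080 6 4 240 1700000000 1700000060 REJECT OK
2 123456789012 eni-0a1b2c3d4e5f67890 198.51.100.4 10.0.1.25 51000 443 6 20 4300 1700000000 1700000060 ACCEPT OK
2 123456789012 eni-0a1b2c3d4e5f67890 198.51.100.9 10.0.1.25 51001 22 6 1 60 1700000000 1700000060 REJECT OK
2 123456789012 eni-0a1b2c3d4e5f67890 - - - - - - - 1700000000 1700000060 - NODATA
"""


@dataclass(frozen=True)
class FlowRecord:
    account_id: str
    interface_id: str
    srcaddr: Optional[str]
    dstaddr: Optional[str]
    srcport: Optional[int]
    dstport: Optional[int]
    protocol: Optional[int]
    action: Optional[str]   # ACCEPT or REJECT; None on NODATA/SKIPDATA records
    log_status: str         # OK, NODATA or SKIPDATA


def _opt_str(v: str) -> Optional[str]:
    return None if v == "-" else v


def _opt_int(v: str) -> Optional[int]:
    return None if v == "-" else int(v)


def parse_record(line: str) -> FlowRecord:
    """Split one space-separated record into a FlowRecord; reject malformed lines."""
    parts = line.split()
    if len(parts) != len(FIELDS):
        raise ValueError(f"expected {len(FIELDS)} fields, got {len(parts)}: {line!r}")
    f = dict(zip(FIELDS, parts))
    return FlowRecord(
        account_id=f["account_id"], interface_id=f["interface_id"],
        srcaddr=_opt_str(f["srcaddr"]), dstaddr=_opt_str(f["dstaddr"]),
        srcport=_opt_int(f["srcport"]), dstport=_opt_int(f["dstport"]),
        protocol=_opt_int(f["protocol"]), action=_opt_str(f["action"]),
        log_status=f["log_status"],
    )


def parse_log(text: str) -> List[FlowRecord]:
    return [parse_record(line) for line in text.splitlines() if line.strip()]


def suspicious_sources(records: Iterable[FlowRecord], min_rejects: int = 3) -> Dict[str, dict]:
    """Group REJECTed flows by source address.  A source refused on several
    distinct destination ports looks like a scan; a single REJECT is noise.
    Records without addresses (NODATA/SKIPDATA) are skipped."""
    rejects: Dict[str, List[int]] = defaultdict(list)
    for r in records:
        if r.log_status != "OK" or r.action != "REJECT":
            continue
        rejects[r.srcaddr].append(r.dstport)
    return {
        src: {"rejects": len(ports), "ports": sorted(set(ports))}
        for src, ports in rejects.items()
        if len(ports) >= min_rejects
    }


if __name__ == "__main__":
    for src, info in suspicious_sources(parse_log(SAMPLE_LOG)).items():
        print(f"{src}: {info['rejects']} REJECTs on ports {info['ports']}")
```

The NODATA record shows why the parser has to tolerate "-" in numeric fields; a naive int() conversion breaks on the first quiet interval. Note also that a REJECT here only tells you the security group or NACL refused the packet, not which of the two did.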

9
Q

What is AWS Security Hub?

A

It is a service that gives you a central view of security findings and automates security checks across multiple AWS accounts. It aggregates findings from services such as GuardDuty, Inspector and Macie, and from AWS Config rules, into one place.

10
Q

What is AWS Config?

A

AWS Config is a compliance monitoring service. It records the configuration of your AWS resources, and every change to it, over time for auditing and compliance purposes.

11
Q

Assign True or False to the following statements:
-AWS Config Rules allow you to set conditions to be followed by your resources, with any non-compliant action being denied
-AWS Config allows you to send SNS notifications for any changes performed
-AWS Config allows you to create custom rules using AWS Lambda
-AWS Config can check for rule violations whenever there is a config change or periodically, and can trigger Amazon EventBridge if any configuration is non-compliant
-Any non-compliant rule can be remediated through SSM Automation documents

A

-False, AWS Config only detects and reports non-compliance; it cannot deny actions (use IAM or SCPs for prevention, Config for detection)
-True
-True
-True
-True, a remediation action (an SSM Automation document) can be attached to a rule and run automatically or manually
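
Worked example, added here and not part of the original deck: a custom Config rule written as a Lambda function. The check is kept as plain functions so it runs offline against a constructed configuration item; the lowerCamelCase layout of the security group configuration item, the sample event, the result token and the security group ID are assumptions made for this example.

```python
"""A custom AWS Config rule, written as a Lambda function, that reports a
security group as NON_COMPLIANT when any inbound rule exposes port 22 (SSH) to
the whole internet.  The check itself is pure Python so it can be run offline
against the constructed configuration item below; only lambda_handler talks to
AWS (PutEvaluations), which is how Config learns the verdict and what lets
EventBridge and SSM Automation react to it."""
import json
from typing import List, Tuple

SSH_PORT = 22
ANYWHERE = {"0.0.0.0/0", "::/0"}


def _covers(perm: dict, port: int) -> bool:
    """True if an ipPermissions entry includes `port` ("-1" is all traffic)."""
    proto = perm.get("ipProtocol")
    if proto == "-1":
        return True
    if proto != "tcp":
        return False
    lo, hi = perm.get("fromPort"), perm.get("toPort")
    return lo is not None and hi is not None and lo <= port <= hi


def open_to_world(sg_config: dict, port: int = SSH_PORT) -> List[str]:
    """CIDRs meaning 'everyone' from which `port` is reachable on the group.
    Key names follow the lowerCamelCase layout AWS Config uses for
    AWS::EC2::SecurityGroup configuration items (assumed for this example)."""
    offenders = []
    for perm in sg_config.get("ipPermissions", []):
        if not _covers(perm, port):
            continue
        for rng in perm.get("ipv4Ranges", []) + perm.get("ipv6Ranges", []):
            cidr = rng.get("cidrIp") or rng.get("cidrIpv6")
            if cidr in ANYWHERE:
                offenders.append(cidr)
    return sorted(set(offenders))


def evaluate(config_item: dict) -> Tuple[str, str]:
    """Map one configuration item to (ComplianceType, Annotation)."""
    if config_item.get("resourceType") != "AWS::EC2::SecurityGroup":
        return "NOT_APPLICABLE", "rule only evaluates security groups"
    if config_item.get("configurationItemStatus", "").startswith("ResourceDeleted"):
        return "NOT_APPLICABLE", "resource deleted"
    offenders = open_to_world(config_item.get("configuration") or {})
    if offenders:
        return "NON_COMPLIANT", f"port {SSH_PORT} open to {', '.join(offenders)}"
    return "COMPLIANT", f"port {SSH_PORT} not open to the world"


def build_evaluation(event: dict) -> dict:
    """Turn the Config invocation event into one PutEvaluations entry."""
    item = json.loads(event["invokingEvent"])["configurationItem"]
    compliance, note = evaluate(item)
    return {
        "ComplianceResourceType": item["resourceType"],
        "ComplianceResourceId": item["resourceId"],
        "ComplianceType": compliance,
        "Annotation": note[:256],            # Config caps annotations at 256 chars
        "OrderingTimestamp": item["configurationItemCaptureTime"],
    }


def lambda_handler(event, context):
    """Entry point Config invokes on every change to an in-scope resource."""
    import boto3  # present in the Lambda runtime; imported here so the logic above runs offline
    evaluation = build_evaluation(event)
    boto3.client("config").put_evaluations(
        Evaluations=[evaluation], ResultToken=event["resultToken"])
    return evaluation


# Constructed invocation event: SSH and HTTPS both open to 0.0.0.0/0.
SAMPLE_EVENT = {
    "invokingEvent": json.dumps({
        "messageType": "ConfigurationItemChangeNotification",
        "configurationItem": {
            "resourceType": "AWS::EC2::SecurityGroup",
            "resourceId": "sg-0123456789abcdef0",
            "configurationItemStatus": "OK",
            "configurationItemCaptureTime": "2024-01-01T00:00:00.000Z",
            "configuration": {"groupId": "sg-0123456789abcdef0", "ipPermissions": [
                {"ipProtocol": "tcp", "fromPort": 22, "toPort": 22,
                 "ipv4Ranges": [{"cidrIp": "0.0.0.0/0"}], "ipv6Ranges": []},
                {"ipProtocol": "tcp", "fromPort": 443, "toPort": 443,
                 "ipv4Ranges": [{"cidrIp": "0.0.0.0/0"}], "ipv6Ranges": []},
            ]},
        },
    }),
    "resultToken": "constructed-result-token",
}

if __name__ == "__main__":
    print(build_evaluation(SAMPLE_EVENT))
```

Two details matter in practice: a rule that opens "all traffic" (protocol -1) or a port range spanning 22 must count as exposing SSH, and deleted resources must be reported NOT_APPLICABLE rather than left as a stale NON_COMPLIANT result. The Lambda role needs config:PutEvaluations, and Config must be allowed to invoke the function.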

12
Q

What is AWS Systems Manager (SSM)?

A

Systems Manager is an instance management service for both EC2 and on-premises servers. It allows you to automate patching, execute commands or run scripts on many instances at the same time, and keep an inventory of what is installed on them.

13
Q

Assign True or False to the following statements regarding AWS Systems Manager:
- Works only for Linux OS
- It bills you for each instance integrated with it
- Integrated with both CloudWatch metrics/dashboards and AWS Config
- Needs the SSM Agent installed on systems for it to work. The agent is present by default on all EC2 instances
- Systems Manager can run commands on multiple instances at the same time without the need for SSH

A
  • False, works for Linux, Windows and macOS
  • False, the core features have no cost (some add-ons, such as advanced parameters and the advanced-instances tier for on-premises servers, are billed)
  • True
  • False, it comes preinstalled only on some AMIs (Amazon Linux, some Ubuntu Server and Windows Server AMIs); on others you install it yourself. The instance also needs an IAM instance profile that allows it to talk to SSM
  • True
14
Q

AWS Systems Manager can be used to run commands on instances before they are terminated by an Auto Scaling Group (ASG). Explain how this process works

A

First create a lifecycle hook on the ASG that puts the instance being scaled in into the Terminating:Wait state. Then configure an EventBridge rule for the lifecycle action event that triggers an SSM Automation document to perform the actions on the instance before termination. When the work is done, the automation completes the lifecycle action; otherwise the instance stays in Terminating:Wait until the hook's heartbeat timeout expires.

15
Q

What is SSM Session Manager?

A

Session Manager is a Systems Manager feature that lets you start a secure shell session on your EC2 or on-premises instance. Access is through the AWS Console, AWS CLI or the AWS SDK; it needs no inbound ports, SSH keys or bastion hosts, only the SSM Agent and an IAM instance profile. Access is controlled through IAM and sessions can be logged to CloudWatch Logs or S3. Works for Linux, macOS and Windows

16
Q

What is SSM OpsCenter?

A

OpsCenter is a Systems Manager feature that helps you resolve operational issues (events, alarms and issues, tracked as OpsItems) by aggregating information from sources such as CloudTrail logs, CloudWatch alarms, AWS Config changes and relationships, and CloudFormation stack information. It also lets you automate responses using Automation runbooks.

17
Q

Describe what AWS Firewall Manager does

A

Firewall Manager allows you to manage firewall rules across all accounts of an organization. The resource types managed by Firewall Manager security policies include:
-Security Groups (VPC)
-WAF rules (Web ACLs)
-AWS Shield Advanced protections
-AWS Network Firewall
-Amazon Route 53 Resolver DNS Firewall
Security policies are created per region and apply to every in-scope resource in the organization, including resources created later.

18
Q

What is Amazon Inspector?

A

Amazon Inspector is an AWS service that continuously scans your EC2 instances, Lambda functions and container images (in ECR) for software vulnerabilities and unintended network exposure. Each finding (a vulnerable package or a reachable network path) carries a risk score, and findings are sent to Security Hub and EventBridge.

19
Q

What is AWS Certificate Manager?

A

It is an AWS service that manages TLS/SSL certificates. It provisions and automatically renews public certificates (and private ones through AWS Private CA), and deploys them to integrated services such as Elastic Load Balancing, CloudFront and API Gateway. ACM is a regional service: a certificate is usable only in the region where it was issued and you can't copy it between regions (CloudFront, being global, needs its certificate issued in us-east-1).

19
Q

What is AWS CloudHSM (Hardware Security Module)? What is a good use case for it?

A

CloudHSM provides dedicated, single-tenant hardware security modules (FIPS 140 Level 3 validated) in your VPC. You store, generate, import, export and manage cryptographic keys on the device, and AWS has no access to the keys; you reach the HSMs through the CloudHSM client software and its PKCS#11, JCE and OpenSSL integrations. It is a good fit when you must control the key material yourself, for example supplying your own keys for SSE-C encryption or backing KMS through a custom key store.

20
Q

What is AWS Macie?

A

Macie is a service that uses ML and pattern matching to automatically discover sensitive data (such as PII) in your S3 buckets and report it, with findings sent to Security Hub and EventBridge. It also provides a dashboard showing how this data is stored, shared and accessed.

21
Q

What are the differences between AWS Shield Standard and AWS Shield Advanced?

A

-Shield Standard is free and enabled by default on AWS, while Advanced is optional and paid ($3,000 per month per organization, with a one-year commitment)
- Shield Standard protects against common layer 3/4 attacks such as SYN/UDP floods and reflection attacks, while Advanced also protects against more sophisticated attacks on EC2, ELB, CloudFront, Route 53 and AWS Global Accelerator
- Shield Advanced also grants 24/7 access to the Shield Response Team and cost protection against usage spikes caused by DDoS

22
Q

What is AWS WAF?

A

AWS WAF, or Web Application Firewall, is a service that protects your web applications from common layer 7 (HTTP) exploits by filtering requests against rules you define or managed rule groups

23
Q

Assign True or False to the following statements regarding AWS WAF:
- AWS WAF can be applied to no services other than CloudFront, ELB (Application Load Balancer) and API Gateway
- WAF provides no help against a DDoS attack
- WAF access control is done through Web ACLs, which can only perform Allow and Block actions
-Some of the filters that can be applied in Web ACLs include IP addresses, HTTP headers, HTTP body or URI strings
-WAF can block common attacks such as SQL injection and cross-site scripting (XSS)

A

-False, it can also be applied to AppSync GraphQL APIs and Cognito user pools
-False, WAF is not a DDoS service (that is Shield), but rate-based rules can throttle layer 7 request floods from a single source
-False, WAF can perform Allow, Block, Count, CAPTCHA or Challenge actions
-True, plus geo-match and rate-based conditions
-True

24
Q

Aside from your own rules, WAF also offers Managed Rule Groups maintained by AWS and by Marketplace sellers. What are some of the AWS managed rule groups?

A
  • Baseline Rule Groups: general protection from common threats (e.g. AWSManagedRulesCommonRuleSet)
  • Use-Case Specific Rule Groups: protection for specific application types or attack classes (e.g. AWSManagedRulesSQLiRuleSet)
  • IP Reputation Rule Groups: block requests based on their source (e.g. known malicious IPs)
  • Bot Control Managed Rule Group: block and manage requests from bots
25
Q

Where can WAF logs be sent to?

A

-S3 bucket (delivered in 5-minute intervals)
-Kinesis Data Firehose (throughput limited by Firehose quotas)
- CloudWatch Logs log group (5 MB/s per log group)

26
Q

What must be done so EC2 can send metrics to CloudWatch?

A

Basic instance metrics (CPU, network, disk I/O, status checks) are sent automatically. For memory, disk space, process and custom metrics, and for log files, the CloudWatch agent must be installed on the EC2 instance/on-prem server, with an IAM role or credentials that allow it to publish to CloudWatch

27
Q

What are the 4 main Cloudwatch functionalities?

A

-Metrics
-Alarms
-Logs
-EventBridge (formerly CloudWatch Events)

28
Q

On an EC2 instance, there are some network metrics that have a maximum value allowed so EC2 runs properly. What are those metrics?

A

-Bandwidth capability
-Link-local service access
-Packets-per-second (PPS) performance
-Connections tracked
(the ENA driver exposes these as *_allowance_exceeded counters, e.g. bw_in_allowance_exceeded, pps_allowance_exceeded and conntrack_allowance_exceeded, which the CloudWatch agent can publish so you can alarm on them)

29
Q

Cloudwatch Logs possess Log Events, Log Streams and Log Groups. Explain the difference between them.

A
  • A Log Event is a single record (timestamp plus message) written to a Log Stream.
  • A Log Stream is a sequence of Log Events coming from the same source (for example one instance or one Lambda execution environment).
  • A Log Group is a set of Log Streams that share the same retention, monitoring, and access control settings
30
Q

True or false: Logs stored in Cloudwatch Logs cannot be deleted without deleting the log group.

A

False, you can set a retention period on the log group (from 1 day to 10 years, or never expire) so older events are deleted automatically, export logs to S3, or delete an individual log stream.

31
Q

What kinds of Cloudwatch alarms are there?

A

-Metric alarm: watches a single metric (or a metric math expression) and changes state when the value breaches the configured threshold for the configured number of periods
-Composite alarm: combines the states of other alarms with a rule expression (AND, OR, NOT) and goes into ALARM only when that expression is true, which cuts down on alarm noise

32
Q

In what states can a CloudWatch alarm be?

A

-OK: the metric is within the defined threshold
-ALARM: the metric is outside the defined threshold
-INSUFFICIENT_DATA: not enough data has been gathered to determine whether the metric is within or outside the threshold

33
Q

What are the 3 aspects you can configure that control when a Cloudwatch alarm changes state?

A

-Period: the length of time over which the metric is aggregated to produce one data point (e.g. 60 seconds)
-Evaluation Periods: the number of most recent data points (N) the alarm looks at when deciding its state
-Datapoints to Alarm: the number of those data points (M) that must be breaching for the alarm to go into ALARM ("M out of N")

34
Q

In what status can alarm data points be?

A
  • Breaching: outside the alarm threshold
  • Not breaching: within the alarm threshold
  • Missing: no data point was reported for that period (how it counts depends on the alarm's treat-missing-data setting: missing, ignore, breaching or notBreaching)
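
Worked example, added here and not part of the original deck: a simplified evaluator that applies Period, Evaluation Periods, Datapoints to Alarm and the four treat-missing-data options to a list of datapoints. The function names and the simplification (no look-back beyond the N most recent periods, which real CloudWatch does when data is sparse) are this example's own, not CloudWatch's code.

```python
"""Simplified model of how a CloudWatch metric alarm decides its state from
Period, Evaluation Periods (N), Datapoints to Alarm (M) and the
treat-missing-data option.  Each entry of `datapoints` is the metric value
aggregated over one Period, oldest first, with None for a missing datapoint.
Real CloudWatch also reaches further back than N periods when data is sparse;
that refinement is left out here."""
from typing import List, Optional, Tuple

OK, ALARM, INSUFFICIENT = "OK", "ALARM", "INSUFFICIENT_DATA"

_COMPARISONS = {
    "GreaterThanThreshold": lambda v, t: v > t,
    "GreaterThanOrEqualToThreshold": lambda v, t: v >= t,
    "LessThanThreshold": lambda v, t: v < t,
    "LessThanOrEqualToThreshold": lambda v, t: v <= t,
}


def classify(value: Optional[float], threshold: float, comparison: str) -> str:
    """One datapoint is 'breaching', 'notBreaching' or 'missing'."""
    if value is None:
        return "missing"
    return "breaching" if _COMPARISONS[comparison](value, threshold) else "notBreaching"


def evaluate_alarm(datapoints: List[Optional[float]], threshold: float,
                   comparison: str = "GreaterThanThreshold",
                   evaluation_periods: int = 3, datapoints_to_alarm: int = 2,
                   treat_missing: str = "missing",
                   current_state: str = INSUFFICIENT) -> Tuple[str, List[str]]:
    """Return (new_state, per-datapoint status for the evaluated window)."""
    if not 1 <= datapoints_to_alarm <= evaluation_periods:
        raise ValueError("Datapoints to Alarm must be between 1 and Evaluation Periods")
    if treat_missing not in ("missing", "ignore", "breaching", "notBreaching"):
        raise ValueError(f"unknown treat-missing option {treat_missing!r}")

    # The window is the last N periods; periods with no data at all are missing.
    window = ([None] * evaluation_periods + list(datapoints))[-evaluation_periods:]
    statuses = [classify(v, threshold, comparison) for v in window]

    # 'breaching' and 'notBreaching' substitute that status for every gap.
    if treat_missing in ("breaching", "notBreaching"):
        statuses = [treat_missing if s == "missing" else s for s in statuses]

    breaching = statuses.count("breaching")
    known = sum(s != "missing" for s in statuses)

    if breaching >= datapoints_to_alarm:      # the M-out-of-N rule
        return ALARM, statuses
    if known == 0:                            # nothing at all to judge on
        return (current_state if treat_missing == "ignore" else INSUFFICIENT), statuses
    if treat_missing == "ignore" and known < evaluation_periods:
        return current_state, statuses        # gaps present: keep the previous state
    return OK, statuses


if __name__ == "__main__":
    # CPU > 80% on at least 2 of the last 3 one-minute periods.
    print(evaluate_alarm([10, 90, 95, 20], threshold=80))
```

The security-relevant choice is the missing-data policy: an alarm that watches for a heartbeat metric (log volume, agent check-in) should treat missing as breaching, because an attacker who stops the agent produces exactly that gap, whereas the default "missing" policy quietly parks the alarm in INSUFFICIENT_DATA.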
35
Q

Where can VPC Flow Logs be stored?

A

S3, CloudWatch Logs or Kinesis Data Firehose

36
Q

What is the capture window for data captured by VPC Flow Logs?

A

The capture window (maximum aggregation interval) is 10 minutes by default; it can be set to 1 minute when the flow log is created. Records are delivered only after the window closes, so flow logs are not a real-time feed

37
Q

Complete the statement regarding VPC Flow Logs:
If you store your VPC flow logs on CloudWatch logs, you can query them using ___________, meanwhile, if you store them on S3, you can use _____________.

A

-Cloudwatch Logs Insights
-Amazon Athena

38
Q

What is the retention period for Amazon CloudWatch metrics ?

A

Data points with a period under 60 seconds (high-resolution) are kept for 3 hours, 1-minute data points for 15 days, 5-minute data points for 63 days and 1-hour data points for 455 days (15 months). Finer data is rolled up into the coarser resolution as it ages.

39
Q

Complete the statement regarding AWS PrivateLink:
An AWS Private Link connection is composed of a _________ on the service side and an ________ on the customer side.

A
  • Network Load Balancer
  • ENI
40
Q

AWS Firewall Manager can manage resources on multiple accounts of an organization. What are the pre-requisites needed to enable that?

A
  • Enable all features in AWS Organizations
  • Enable AWS Config in all accounts
  • Enable AWS Resource Access Manager (RAM) sharing for the organization (needed for Network Firewall and DNS Firewall policies)
  • Designate an account as the Firewall Manager administrator
41
Q

Where can AWS WAF be deployed?

A

-CloudFront
-API Gateway
-Application Load Balancer
-AppSync
-Cognito user pools

42
Q

Where are AWS WAF logs sent to?

A

Originally only to Kinesis Data Firehose, which then forwarded them elsewhere. Today WAF can deliver logs directly to an S3 bucket, a CloudWatch Logs log group or Kinesis Data Firehose (see card 25)

43
Q

What are the 4 main goals of cryptography?

A

-Confidentiality: Keep your data secret
-Integrity: Ensure data has not been manipulated
-Authentication: Confirm user identity
-Non-repudiation: Prevent user from denying prior commitments or actions

44
Q

The most common service on AWS for encrypting data at rest is ___________

A

KMS

45
Q

Explain the steps taken by AWS to encrypt an object uploaded to an S3 bucket with the SSE-KMS option

A

S3 calls KMS (GenerateDataKey) with the KMS key configured in the bucket's encryption settings. KMS returns a unique data key both in plaintext and encrypted under that KMS key. S3 encrypts the object with the plaintext data key, discards the plaintext key, and stores the encrypted data key alongside the object. On download, S3 sends the encrypted data key to KMS (Decrypt), gets the plaintext key back and decrypts the object; the caller therefore needs permission on the KMS key as well as on the object.
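
Worked example, added here and not part of the original deck, of the envelope encryption flow just described, with a local stand-in for the KMS key and an HMAC-based cipher standing in for AES-256-GCM (the Python standard library has no AES). Names such as LocalKms, put_object and get_object are this example's own, not S3 or KMS API names.

```python
"""Envelope encryption as S3 applies it for SSE-KMS, modelled offline.
LocalKms stands in for the KMS key: it holds the wrapping key, answers only
GenerateDataKey and Decrypt, and never hands the wrapping key out.  S3's side
is put_object/get_object.  Both keys are symmetric, as in the real service.
The standard library has no AES, so the symmetric cipher here is an
HMAC-SHA256 keystream in counter mode with an encrypt-then-MAC tag; it stands
in for AES-256-GCM to show the key handling, not to replace it."""
import hashlib
import hmac
import os
import struct

NONCE_LEN, TAG_LEN = 16, 32


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """PRF in counter mode: HMAC(key, nonce || counter) blocks, truncated."""
    out = bytearray()
    for counter in range((length + 31) // 32):
        out += hmac.new(key, nonce + struct.pack(">Q", counter), hashlib.sha256).digest()
    return bytes(out[:length])


def _subkeys(key: bytes):
    # Separate keys for confidentiality and integrity, derived from one 256-bit key.
    return (hashlib.sha256(b"enc|" + key).digest(), hashlib.sha256(b"mac|" + key).digest())


def seal(key: bytes, plaintext: bytes) -> bytes:
    """Authenticated encryption: nonce || ciphertext || HMAC tag."""
    enc_key, mac_key = _subkeys(key)
    nonce = os.urandom(NONCE_LEN)
    ciphertext = bytes(p ^ k for p, k in zip(plaintext, _keystream(enc_key, nonce, len(plaintext))))
    tag = hmac.new(mac_key, nonce + ciphertext, hashlib.sha256).digest()
    return nonce + ciphertext + tag


def unseal(key: bytes, blob: bytes) -> bytes:
    """Verify the tag first (constant-time), then decrypt; raise on any tampering."""
    if len(blob) < NONCE_LEN + TAG_LEN:
        raise ValueError("blob too short")
    enc_key, mac_key = _subkeys(key)
    nonce, ciphertext, tag = blob[:NONCE_LEN], blob[NONCE_LEN:-TAG_LEN], blob[-TAG_LEN:]
    expected = hmac.new(mac_key, nonce + ciphertext, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("authentication failed: wrong key or modified data")
    return bytes(c ^ k for c, k in zip(ciphertext, _keystream(enc_key, nonce, len(ciphertext))))


class LocalKms:
    """Stand-in for one symmetric KMS key (the wrapping key)."""

    def __init__(self):
        self._wrapping_key = os.urandom(32)   # never leaves this object

    def generate_data_key(self):
        """GenerateDataKey: a fresh 256-bit data key, returned both in plaintext
        and wrapped (encrypted) under the KMS key."""
        data_key = os.urandom(32)
        return data_key, seal(self._wrapping_key, data_key)

    def decrypt(self, wrapped_data_key: bytes) -> bytes:
        """Decrypt: unwrap a data key; fails if it was wrapped under another key."""
        return unseal(self._wrapping_key, wrapped_data_key)


def put_object(kms: LocalKms, body: bytes) -> dict:
    """Upload path: encrypt the object with a per-object data key and store only
    the wrapped copy of that key next to the ciphertext."""
    data_key, wrapped = kms.generate_data_key()
    ciphertext = seal(data_key, body)
    del data_key                           # plaintext data key is discarded after use
    return {"wrapped_key": wrapped, "ciphertext": ciphertext}


def get_object(kms: LocalKms, stored: dict) -> bytes:
    """Download path: ask KMS to unwrap the stored data key, then decrypt locally."""
    data_key = kms.decrypt(stored["wrapped_key"])
    return unseal(data_key, stored["ciphertext"])


if __name__ == "__main__":
    kms = LocalKms()
    obj = put_object(kms, b"customer record 42")
    print(get_object(kms, obj))
```

The point to take from the model is what is stored and what is not: the ciphertext and the wrapped data key sit together, the plaintext data key exists only for the duration of one request, and the wrapping key never leaves KMS. That is why access to the object is useless without Decrypt permission on the KMS key, and why a KMS key policy is an access control on every object encrypted under it.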

46
Q

Every KMS key has a ___________ associated with it, which determines who has permission to use the key and how.

A

Key policy

47
Q

What is a KMS grant?

A

It's a permission mechanism, separate from key policies and IAM policies, that lets an AWS principal use a KMS key for specific operations (e.g. Decrypt, GenerateDataKey). Grants are meant for temporary, programmatic delegation: AWS services create them to use your key on your behalf, and a grant can be retired or revoked when no longer needed.

48
Q

AWS KMS offers both customer managed keys and AWS managed keys. What are the differences between them?

A

-Key policy: the key policy of an AWS managed key is set by AWS and cannot be changed, while a customer managed key's policy is written by the customer
-Key rotation: AWS managed keys are rotated automatically every year, while rotation of customer managed keys is optional (yearly by default once enabled)
-Import of custom key material: not possible for AWS managed keys
-Costs: both are billed per API call, but customer managed keys cost an additional 1 USD per month each

49
Q

True or False: Whenever you use an AWS service integration with KMS you use a symmetric key

A

True

50
Q

What are the possible key material origins that can be used to create a new key on KMS?

A

-KMS (AWS_KMS): key material generated by KMS
-External (EXTERNAL): key material you generate and import yourself (BYOK)
-Custom key store: an AWS CloudHSM cluster (AWS_CLOUDHSM) or an external key manager (EXTERNAL_KEY_STORE)

51
Q

True or false: An external key brought into KMS must be a 1024-bit symmetric key and cannot be automatically rotated

A

False on the size: imported symmetric key material must be 256 bits (AES-256). The rotation part is correct: keys with imported material cannot be rotated automatically; you rotate them manually by creating a new key with new material and repointing the alias

52
Q

What are KMS multi-region keys?

A

They are sets of KMS keys in different regions that share the same key ID and key material, so ciphertext produced in one region can be decrypted in another (useful for cross-region replication and disaster recovery)

53
Q

True or False: CloudHSM is single AZ by default

A

True, a new cluster starts with a single HSM in one AZ; add HSMs in other AZs of the same cluster for high availability (AWS recommends at least two HSMs in different AZs for production)

54
Q

True or False: CloudHSM can be used to perform SSL

A

True, it can perform TLS/SSL offload (the private key stays in the HSM) for web servers such as NGINX, Apache and IIS

55
Q

When you need more security when storing your encryption key, a good option is ____________

A

CloudHSM

56
Q

What are the 2 ways to prove domain ownership to AWS Certificate Manager

A
  • DNS validation (add a CNAME record to the domain's hosted zone; needed for automatic renewal)
  • Email validation (reply to an email sent to the domain's registered contacts)
57
Q

What are the 3 main services offered by AWS to perform application level encryption?

A
  • AWS Encryption SDK
  • AWS Database Encryption SDK
  • Amazon S3 Encryption Client
58
Q

Does AWS Firewall Manager need AWS Organizations to work?

A

Yes

59
Q

How many Devices can you have on a CloudHSM cluster?

A

Up to 28

60
Q

True or False: Secrets from Secrets Manager cannot be shared across accounts

A

False, secrets can be shared across accounts by attaching a resource policy to the secret and allowing the other account in the policy of the KMS key that encrypts it

61
Q

What are the differences between Secrets Manager and SSM Parameter Store

A

-Secrets Manager is more expensive (billed per secret per month plus API calls, while Parameter Store standard parameters are free)
-Secrets Manager encryption with KMS is mandatory, in Parameter Store it's optional (SecureString parameters)
-Parameter Store has no built-in secret rotation; Secrets Manager rotates secrets with Lambda on a schedule

62
Q

True or False: SSM Parameter Store can pull a Secrets Manager Secret using the SSM Parameter Store API

A

True, by reading a parameter whose name starts with /aws/reference/secretsmanager/ followed by the secret name

63
Q

How is SSM Parameter Store Hierarchy structured? Give examples.

A

It is structured as a path. Ex: /prod/payments/db/password (names beginning with aws or ssm are reserved)

64
Q

SSM Parameter store has 2 tiers, Standard and Advanced. Explain the differences between them.

A

-Standard allows only 10,000 parameters per account and region, Advanced allows 100,000
-Max parameter size on Standard is 4 KB, on Advanced it's 8 KB
-Advanced costs $0.05 per advanced parameter per month, while Standard is free
-Advanced parameters have access to parameter policies

65
Q

What kinds of SSM Parameter Store Policies can be configured to force parameter rotation after a set amount of time? Explain each one.

A

-Expiration: after a set time the parameter is deleted
-ExpirationNotification: emits an EventBridge event a set time before a parameter expires
-NoChangeNotification: emits an EventBridge event when a parameter hasn't been changed for a set amount of time

66
Q

True or False: Secrets Manager does not allow secret versioning

A

False, it implements it by default

67
Q

True or False: Envelope Encryption uses asymmetric KMS keys

A

False, it uses symmetric keys: a symmetric data key encrypts the data and a symmetric KMS key encrypts (wraps) the data key

68
Q

In KMS, what are AWS Owned Keys?

A

They are keys that AWS services create and manage in their own accounts to protect your resources. You can't view, manage or use them, and their use does not appear in your CloudTrail

69
Q

What are common types of DDoS attacks on AWS?

A

-SYN flood (layer 4): sends large numbers of TCP SYN packets and never completes the handshake, exhausting connection state
-UDP reflection (layer 4): spoofs the victim's address in requests to third-party servers, which then send their large UDP responses to the victim
-DNS flood attack: overloads the DNS servers so legitimate users can't resolve the site
-Slowloris attack (layer 7): opens many HTTP connections and keeps them alive with partial requests, exhausting the server's connection pool

70
Q

What is Amazon Detective?

A

It is a service that takes security findings (primarily GuardDuty findings) and builds a behaviour graph from the related logs, so you can investigate the root cause and scope of the activity behind them.

71
Q

What data sources can Amazon Detective inspect?

A

-CloudTrail
-VPC Flow Logs
-Guard Duty

72
Q

What is CloudWatch Synthetics Canary?

A

It is a CloudWatch functionality that allows you to setup a Script to run on your achitecture to try to find issues before customers

73
Q

In what languages can the CloudWatch Synthetics Canary be in?

A

Python or Node.js

74
Q

What are the default CloudWatch Synthetics Canary blueprints?

A
  • Heartbeat Monitor – load URL, store screenshot and an HTTP archive file
  • API Canary – test basic read and write functions of REST APIs
  • Broken Link Checker – check all links inside the URL that you are testing
  • Visual Monitoring – compare a screenshot taken during a canary run with a
    baseline screenshot
  • Canary Recorder – used with CloudWatch Synthetics Recorder (record your
    actions on a website and automatically generates a script for that)
  • GUI Workflow Builder – verifies that actions can be taken on your webpage (e.g.,
    test a webpage with a login form)
75
Q

Where can CloudWatch send logs to?

A

-S3 (via an export task, not real-time)
-Kinesis Data Streams (via a subscription filter)
-Kinesis Data Firehose (via a subscription filter)
-Lambda (via a subscription filter)
-OpenSearch Service (formerly Elasticsearch, via a subscription filter)

76
Q

True or False: CloudWatch Logs can be exported to S3, but to do so the destination bucket must be encrypted (SSE-C) and the process might take up to 24 hours

A

False, the bucket must be encrypted using SSE-S3 or SSE-KMS (SSE-C is not supported) and the export can take up to 12 hours to complete, so it is not suitable for real-time delivery

77
Q

True or False: EventBridge Event Buses cannot be accessed by other AWS Accounts

A

False, another account can be allowed to send events to (or manage) a bus through a resource-based policy on the event bus

78
Q

What does AWS X-Ray do?

A

It lets you trace requests end to end across the components of a microservices architecture, to see latency, errors and which service is at fault

79
Q

What AWS Services are compatible with AWS X-Ray?

A

-EC2 (run the X-Ray daemon on the instance)
-ECS (run the X-Ray daemon as a sidecar container)
-Elastic Beanstalk (the daemon is turned on through a platform configuration option)
-API Gateway (enable active tracing on the stage)
-Lambda (enable active tracing on the function)

80
Q

What is CloudTrail Log File Integrity validation?

A

It is a CloudTrail feature you can enable that makes CloudTrail deliver, every hour, a digest file containing the SHA-256 hashes of the log files delivered in that hour, the signature of the previous digest, and a signature (RSA-SHA256) over the digest itself. Running `aws cloudtrail validate-logs` recomputes the hashes and checks the signature chain, so you can detect whether any log file was modified or deleted after delivery
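
Worked example, added here and not part of the original deck: a model of the digest chain that integrity validation checks. HMAC-SHA256 stands in for CloudTrail's RSA signature, the digest layout is reduced to the fields that matter for the chain, and the log file names and contents are constructed.

```python
"""Model of CloudTrail log file integrity validation.  Every hour CloudTrail
writes a digest file listing the log files delivered in that hour with their
SHA-256 hashes, plus the signature of the previous digest, and signs the
digest (RSA-SHA256 with a CloudTrail-held private key).  Validation recomputes
the hashes, checks each signature and walks the chain, so a modified log file,
a deleted log file and a removed or replaced digest are all detectable.  This
added example keeps that structure but signs with HMAC-SHA256 (the standard
library has no RSA); file names and contents are constructed."""
import hashlib
import hmac
import json
from typing import Dict, List


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


class DigestSigner:
    """Stand-in for CloudTrail's signing key.  With real digests you verify
    against CloudTrail's public key; here the verifier holds the same secret."""

    def __init__(self, key: bytes):
        self._key = key

    def sign(self, payload: bytes) -> str:
        return hmac.new(self._key, payload, hashlib.sha256).hexdigest()

    def verify(self, payload: bytes, signature: str) -> bool:
        return hmac.compare_digest(self.sign(payload), signature)


def _payload(body: dict) -> bytes:
    # Canonical encoding so signer and verifier hash identical bytes.
    return json.dumps(body, sort_keys=True, separators=(",", ":")).encode()


def build_digest(signer: DigestSigner, log_files: Dict[str, bytes],
                 previous_signature: str) -> dict:
    """One digest: hashes of the hour's log files, chained to the prior digest."""
    body = {
        "logFiles": [{"s3Object": name, "hashValue": sha256_hex(content)}
                     for name, content in sorted(log_files.items())],
        "previousDigestSignature": previous_signature,   # "" for the first digest
    }
    return {"body": body, "signature": signer.sign(_payload(body))}


def validate_chain(signer: DigestSigner, digests: List[dict],
                   log_files: Dict[str, bytes]) -> List[str]:
    """Walk the digests oldest-first; return every problem found (empty = intact)."""
    problems = []
    previous_signature = ""
    for i, digest in enumerate(digests):
        body = digest["body"]
        if not signer.verify(_payload(body), digest["signature"]):
            problems.append(f"digest {i}: signature invalid")
        if body["previousDigestSignature"] != previous_signature:
            problems.append(f"digest {i}: chain broken (earlier digest missing or replaced)")
        for entry in body["logFiles"]:
            name = entry["s3Object"]
            if name not in log_files:
                problems.append(f"digest {i}: log file {name} missing")
            elif sha256_hex(log_files[name]) != entry["hashValue"]:
                problems.append(f"digest {i}: log file {name} modified")
        previous_signature = digest["signature"]
    return problems


# Constructed log files for two consecutive hours (names follow CloudTrail's pattern).
HOUR_1 = {"AWSLogs/123456789012/CloudTrail/us-east-1/2024/01/01/123456789012_CloudTrail_us-east-1_20240101T0000Z_a1.json.gz":
          b'{"Records":[{"eventName":"ConsoleLogin","eventTime":"2024-01-01T00:12:00Z"}]}'}
HOUR_2 = {"AWSLogs/123456789012/CloudTrail/us-east-1/2024/01/01/123456789012_CloudTrail_us-east-1_20240101T0100Z_b2.json.gz":
          b'{"Records":[{"eventName":"StopLogging","eventTime":"2024-01-01T01:03:00Z"}]}'}


def example_chain(signer: DigestSigner) -> List[dict]:
    first = build_digest(signer, HOUR_1, "")
    second = build_digest(signer, HOUR_2, first["signature"])
    return [first, second]


if __name__ == "__main__":
    s = DigestSigner(b"constructed-signing-secret")
    print(validate_chain(s, example_chain(s), {**HOUR_1, **HOUR_2}))
```

The chain is what makes deletion visible: an attacker who removes an hour's log file and its digest still leaves the next digest pointing at a signature that no longer exists in the sequence. Validation only covers files after the feature was enabled, and it cannot stop tampering, so the bucket should also have restrictive policies, Object Lock or MFA delete, and CloudTrail itself should be protected by SCPs against StopLogging.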

81
Q

To deliver CloudWatch Logs to S3 in near real-time, one must use ____________

A

A CloudWatch Logs subscription filter that streams the log events to Kinesis Data Firehose, with the S3 bucket as the Firehose destination (an S3 export task is batch-only and can take up to 12 hours)