Cantrill Questions Flashcards
Generates temporary credentials (sts:AssumeRole)
Security Token Service
____ expire and do not belong to the IAM identity
Security Token Service (STS) generated credentials (they are temporary!)
Security Token Service (STS) temporary credentials are requested by?
AWS (IAM role) or external (web identity federation)
Each Region has a default AWS Service Quota although some services can be ____
per account
You should use SAML 2.0 when you currently use an Enterprise ID like MS AD or if the directory is ___ compatible?
SAML 2.0
Single Source of Truth or > 5000 users
SAML 2.0
NACL’s are stateful or stateless?
STATELESS. Request and Response are seen differently
What network security mechanism only impacts data crossing a subnet boundary?
NACL
What network security mechanism can ALLOW or DENY network traffic based on IP address?
NACL
Each subnet can have only one NACL (default or custom); however, a NACL can be associated with many ______?
subnets
What security mechanism is STATEFUL and detects requests and response traffic automatically?
VPC Security Groups
What security mechanism features no ability to explicitly DENY?
VPC Security Groups
What are VPC Security Groups attached to? Subnets, EC2 instances, or ENI’s?
ENI
Using this service, connections enter at the Edge, essentially moving the AWS network closer, using Anycast IP’s
Global Accelerator
An AWS site to site VPN can be HA, if
you design it that way
What are the two ends of an AWS site to site VPN?
Virtual Private Gateway (VGW) and Customer Gateway (CGW)
What is the max speed for an AWS site to site VPN?
1.25 GBps
Subnets can be associated with one _____ only
route table (default or custom)
DX (Direct Connect) physical connection port can only be used with what type of cable?
single mode fiber
What are the proper port settings for the DX (Direct Connect) physical connection port?
Auto-Negotiation DISABLED, port speed and FULL DUPLEX
What routing protocol (and auth) does the customer DX router need to support for DX (Direct Connect) connections?
BGP and BGP MD5
Private VIF are used to access how many VPC’s?
1
1 Private VIF = how many VPC’s and how many VGW’s?
1 VPC and 1 VGW in the same region as the DX
How many private prefixes can you advertise over a private VIF?
100
______ provides private connectivity between VPCs, AWS services, and on-premises applications, securely on the Amazon network
AWS PrivateLink
What needs to be done in order to make AWS PrivateLink HA?
Deploy multiple endpoints in each AZ
Does AWS PrivateLink use IPv6?
Nope
Can you access AWS PrivateLink via Direct Connect, VPC peering and/or site to site VPN?
Yeahhhh
____ provides access to public AWS resources such as S3 and DynamoDB from within a private subnet
gateway endpoint
Are gateway endpoints HA across AZ’s?
Yes no config needed
If you access a resource via a gateway endpoint, what mechanism controls your level of access?
the endpoint policy, such as an s3 bucket policy
are gateway endpoints regional only?
yes, no cross regional services
Are interface endpoints HA?
no you need one interface endpoint per VPC
can you use network security groups with interface endpoints?
yes
What services can be accessed using a VPC Gateway Endpoint?
S3 & DynamoDB
How to add encryption over a DX (Direct Connect)?
via a PUBLIC VIF
Is PrivateDNS used with interface endpoints or gateway endpoints?
interface endpoints
What type of directory can AWS WorkSpaces integrate with?
Simple AD, Microsoft AD, and AD Connector
If you want to utilize Workspaces and have a security regulatory restriction and can not have any directory information stored within AWS, what type of directory should you run in AWS?
Directory Connector
What configures the role of credentials from federated to AWS using IAM roles
Cognito identity pool
What type of file system should you use if users need to be able to use VSS for self or user driven file restores?
FSx
What is a native file system accessible over SMB?
FSx
What is a native file system accessible over NFS?
EFS
Does FSx support NTFS permissions and DFS?
Yes
What is a high performance windows file system, also good for POSIX
FSx for Lustre
What file system mounts on linux and is shared across many EC2 instances?
EFS
S3 server-side encryption with customer-provided encryption keys
(SSE-C)
S3 server-side encryption with Amazon S3-managed encryption keys
(SSE-S3)
S3 server-side encryption with customer master encryption keys (CMK) stored in AWS key management service
SSE-KMS
Can a NAT gateway tolerate the failure of an AZ?
Nope
Can an Internet Gateway (IGW) withstand the failure of many AZ’s in a region?
Yes
What is AWS’s SIEM product?
GuardDuty
What is an AWS service that monitors configurations?
AWS Config
What AWS service is used for scanning EC2 and EC2 instance OS for vulnerabilities?
AWS Inspector
AWS Inspector host assessment is agentless or requires an agent?
agent
AWS Inspector network assessment is agentless or requires an agent?
agentless
KMS is a regional and public or private service?
Public
Keys never leave KMS, KMS provides ______ level of FIPS
FIPS 140-2 (L2)
What provides a true single tenant hardware security module?
Cloud HSM
What security standard does Cloud HSM meet?
FIPS 140-2 Level 3
If you see, PKCS#11, JCE (java cryptography extensions) and CryptoNG (CNG) libraries, think ____?
CloudHSM
Does CloudHSM integrate natively with AWS services?
No
Can CloudHSM be used to offload SSL/TLS processing tasks from web servers?
Yes
What security service should be used to enable transparent data encryption (TDE) for Oracle DBs?
CloudHSM
What security service should be used to protect private keys for an issuing CA?
CloudHSM
ACM (Certificate Manager) can generate or import certs, if generated, the cert will ____, if imported, customer is responsible for the _____
Auto-renew, Renewing the certs
ACM issued certs can be deployed for supported services only (not EC2), name two:
CloudFront & ALB
True/False: ACM is a regional service and certs cannot leave their region?
True
One exception to the rule of deploying ACM certs regionally, is this AWS service ____. When configuring ACM for this service, you must choose this particular AZ _____
CloudFront, AWS-EAST-1
AWS Secrets Manager supports automatic rotation, what service performs this rotation?
Lambda
Does Secrets Manager automatically integrate with some AWS services like RDS?
Yes
VPC flow logs are used for packet capture?
No, they capture packet metadata
Name two destinations where VPC flow logs can be sent?
S3 or CloudWatch
What service provides DDoS protection?
AWS Shield
What are two services that Shield Standard (free) protects?
Route53 & CloudFront
How much does AWS Shield Advanced cost?
3k/month
What additional services can Shield Advanced protect outside of CloudFront and R53?
EC2, ELB & Global Accelerator
What AWS Shield service level provides for insurance and a DDoS response team from AWS?
Shield advanced
What service protects against SQL injections and cross site scripting?
WAF
When creating a WAF, you first create a Web Access ____ _____ which can integrate with:
Control List (WebACL), integrates with ALB, API Gateway and CloudFront
Can CMK’s and KMS be used to encrypt data?
Yes, 4KB
Do AWS managed CMK’s support key rotation?
Yes, once every 3 years, cannot be changed or disabled
Do customer managed CMK’s support key rotation?
Yes, can be enabled for 1 year
Can CMK’s be migrated between regions?
No
Can imported CMK’s be rotated?
No
When evaluating permissions in AWS, does it matter if an ALLOW or DENY comes from an inline or managed policy?
No
Is a Master Account affected by SCP’s?
No
What happens to the source data in Athena when used for adhoc querying?
Nothing
What S3 related setting defines a way for client web applications that are loaded in one domain to interact with resources in a different domain?
CORS cross origin resource sharing
What security mechanisms are attached to ENIs, can explicitly ALLOW and are stateful?
Security Groups
What security mechanism can explicitly ALLOW and DENY and can be attached to subnets?
NACL
If you need the apex of a domain to point to an ALB, what type of R53 record?
A Alias
What are configured to have one subnet in each AZ in the region by default?
VPC