Cloud NGFW for AWS Flashcards
What is the Cloud NGFW Tenant?
instantiation of the Cloud NGFW service associated with an AWS customer account
When is the tenant created?
when an AWS user associated with the AWS customer account subscribes to the Cloud NGFW service
Cloud NGFW designates what as the administrator of the Cloud NGFW tenant?
the subscribing AWS Identity and Access Management (IAM) user
Cloud NGFW can be deployed in which two different models?
- distributed
- centralized
How is Cloud NGFW deployed in the Distributed Deployment workflow?
Cloud NGFW is deployed into each VPC that requires protection
What are the benefits of Distributed Deployment?
- reduces the possibility of misconfiguration
- limits the scope of impact
- each VPC is protected individually, so VPC isolation keeps the blast radius (the extent of the damage) small
How is Cloud NGFW deployed in the Centralized Deployment workflow?
- Cloud NGFW sits in a dedicated security VPC behind a transit gateway (TGW)
- firewalls in this central (hub) VPC protect the application workloads in the other (spoke) VPCs, so one place provides security for all of them
What needs to be done on the application VPCs and TGW to redirect traffic to the security VPC for inspection?
configure route table entries (on the application VPC route tables and on the TGW route tables) that send the traffic to the security VPC
What are the use cases for securing traffic with the centralized deployment?
- east-west traffic inspection (VPC to VPC)
- VPC to on-premises
- outbound and inbound (internet) traffic
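The routing that the centralized model depends on, as an added Python example (not Palo Alto Networks' or AWS's code, and not on the original page). plan_centralized_routes produces the entries for the spoke VPC route tables, the two TGW route tables and the two security-VPC subnets; trace walks a destination through those tables so you can confirm that a spoke-to-spoke packet actually crosses the NGFW endpoint; apply_routes pushes the plan with a boto3 EC2 client. All IDs, CIDRs and table names are constructed placeholders, and the model covers the east-west (VPC to VPC) case only.

```python
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Route:
    table: str   # VPC route table (rtb-...) or TGW route table (tgw-rtb-...)
    dest: str    # destination CIDR
    target: str  # next hop: tgw-..., vpce-... (NGFW endpoint), tgw-attach-... or local


def plan_centralized_routes(tgw_id, spokes, security, ngfw_endpoint_id):
    """Route entries for hub-and-spoke inspection through the security VPC.

    spokes: {name: {"cidr", "rt", "attachment"}} per application VPC.
    security: "attachment" (security VPC TGW attachment), "attach_subnet_rt"
      (route table of the subnet holding that attachment), "endpoint_subnet_rt"
      (route table of the NGFW endpoint subnet), "tgw_rt_spoke" / "tgw_rt_security"
      (TGW route tables associated with the spoke attachments / the security attachment).
    """
    routes = [
        # TGW spoke table: everything leaving a spoke goes to the security VPC
        Route(security["tgw_rt_spoke"], "0.0.0.0/0", security["attachment"]),
        # security VPC, attachment subnet: hand every packet to the NGFW endpoint
        Route(security["attach_subnet_rt"], "0.0.0.0/0", ngfw_endpoint_id),
    ]
    for s in spokes.values():
        routes += [
            Route(s["rt"], s["cidr"], "local"),              # implicit in AWS, modelled here
            Route(s["rt"], "0.0.0.0/0", tgw_id),             # spoke VPC default route -> TGW
            Route(security["endpoint_subnet_rt"], s["cidr"], tgw_id),        # inspected -> TGW
            Route(security["tgw_rt_security"], s["cidr"], s["attachment"]),  # -> destination spoke
        ]
    return routes


def lookup(routes, table, dst_ip):
    """Longest-prefix match within one route table; None when nothing matches."""
    ip, best = ipaddress.ip_address(dst_ip), None
    for r in routes:
        net = ipaddress.ip_network(r.dest)
        if r.table == table and ip in net:
            if best is None or net.prefixlen > ipaddress.ip_network(best.dest).prefixlen:
                best = r
    return best.target if best else None


def trace(routes, topo, start_rt, dst_ip, max_hops=12):
    """Follow dst_ip from route table start_rt until a "local" route delivers it.
    topo wires the pieces together:
      "rt_to_attachment": VPC route table -> TGW attachment that VPC uses
      "tgw_assoc":        TGW attachment -> TGW route table consulted on ingress
      "attachment_rt":    TGW attachment -> route table where egress packets land
      "endpoint_rt":      NGFW endpoint  -> route table of the endpoint subnet
    Returns the ordered list of targets; raises on a black hole or a loop."""
    table, path = start_rt, []
    for _ in range(max_hops):
        target = lookup(routes, table, dst_ip)
        if target is None:
            raise RuntimeError(f"no route to {dst_ip} in {table}")
        path.append(target)
        if target == "local":
            return path
        if target.startswith("tgw-attach-"):       # TGW delivers into an attachment
            table = topo["attachment_rt"][target]
        elif target.startswith("tgw-"):             # VPC hands the packet to the TGW
            table = topo["tgw_assoc"][topo["rt_to_attachment"][table]]
        elif target.startswith("vpce-"):            # through the firewall, out its subnet
            table = topo["endpoint_rt"][target]
        else:
            raise RuntimeError(f"unknown target {target}")
    raise RuntimeError(f"routing loop while tracing {dst_ip}")


def is_inspected(path, ngfw_endpoint_id):
    """True when the traced path crosses the NGFW endpoint."""
    return ngfw_endpoint_id in path


def apply_routes(routes, ec2):
    """Create the planned entries with a boto3 EC2 client (local routes are implicit)."""
    for r in routes:
        if r.target == "local":
            continue
        if r.table.startswith("tgw-rtb-"):
            ec2.create_transit_gateway_route(TransitGatewayRouteTableId=r.table,
                                             DestinationCidrBlock=r.dest,
                                             TransitGatewayAttachmentId=r.target)
        elif r.target.startswith("vpce-"):
            ec2.create_route(RouteTableId=r.table, DestinationCidrBlock=r.dest,
                             VpcEndpointId=r.target)
        else:
            ec2.create_route(RouteTableId=r.table, DestinationCidrBlock=r.dest,
                             TransitGatewayId=r.target)
```

Two checks worth running before relying on the design: a trace that comes back without the endpoint in it means a spoke CIDR is reachable from the spoke TGW route table directly (typically route propagation left enabled on the spoke attachments), so the firewall is bypassed; a "no route" error from the endpoint subnet means the return-path entries (or, for outbound traffic, the NAT gateway route) are missing. Enable appliance mode on the security VPC attachment so both directions of a flow reach the same AZ's endpoint.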
What does FMS stand for?
Firewall Manager Service
What automation tools can be used to deploy Cloud NGFW for AWS?
- Terraform
- CloudFormation Template (CFT)
When onboarding an AWS account, a CloudFormation Template (CFT) is provided to help to enable what?
permissions
When deploying a CFT, what does it create?
a cross-account IAM role in the AWS account
What does the IAM role provide the Cloud NGFW with?
- permission to read the VPC information it needs to create and manage endpoints
- permission to send logs to the configured logging destinations
- permission to read certificates stored in AWS Secrets Manager for traffic decryption
Can you provision resources, such as rules and rule stacks with an AWS CFT?
yes
What steps must a tenant complete before it can use programmatic access?
- onboard to console
- enable programmatic access
- create AWS IAM roles
- assume AWS IAM roles
- save credentials
A tenant is onboarded through what?
- AWS Marketplace
- NGFWaaS Console
Where does the TenantAdmin enable programmatic access?
in the console UI
How are the AWS IAM roles for programmatic access created?
as roles in the customer AWS account with AWS IAM principal tags assigned to them
What permission needs to be present on the roles?
APIGatewayInvoke (the execute-api:Invoke action, which lets the role call the Cloud NGFW API behind API Gateway)
When adding principal tags to the IAM roles, what key-value pairs should be added under Tags?
- Key=CloudNGFW, Value=CloudFirewallAdmin
- Key=CloudNGFW, Value=CloudRulestackAdmin
What should be added under Trusted Relationship?
the IAM user that will assume the role (listed as a principal in the role's trust policy)
Which method produces the temporary credentials (access key ID, secret access key and session token)?
sts_client.assume_role(RoleArn="arn:value", RoleSessionName="session") (boto3 STS client; the keys are returned under Credentials)
Which APIs should be called to get a JWT Token?
- GET:/v1/mgmt/tokens/cloudfirewalladmin
- GET:/v1/mgmt/tokens/cloudrulestackadmin
What needs to be used in the header to be able to do Firewall CRUD APIs or Rulestack APIs?
"Authorization": "token-id" (the token-id returned by the tokens API)
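The programmatic-access procedure above (tagged role with a trust relationship and invoke permission, assume the role, fetch a token from the tokens API, send it in Authorization), as an added Python example that is not Palo Alto Networks' code and was not on the original page. It hand-rolls the SigV4 signature with the standard library so the signing step can be checked offline (botocore's SigV4Auth does the same job). Assumptions: API_HOST is a placeholder hostname, the token is read from a Response/TokenId field in the JSON reply, and the Resource in the invoke policy is the broad pattern AWS's managed AmazonAPIGatewayInvokeFullAccess policy uses; the token paths are the ones listed above.

```python
import hashlib
import hmac
import json
import urllib.request
from datetime import datetime, timezone

API_HOST = "api.us-east-1.aws.cloudngfw.paloaltonetworks.com"  # assumed hostname, check your tenant
REGION, SERVICE = "us-east-1", "execute-api"  # the API sits behind API Gateway with IAM auth


def role_definition(trusted_user_arn, admin_kind="CloudFirewallAdmin"):
    """The three pieces the customer-account role needs: the CloudNGFW principal
    tag, a trust policy naming the IAM user, and permission to invoke API Gateway."""
    return {
        "Tags": [{"Key": "CloudNGFW", "Value": admin_kind}],
        "AssumeRolePolicyDocument": {"Version": "2012-10-17", "Statement": [
            {"Effect": "Allow", "Principal": {"AWS": trusted_user_arn},
             "Action": "sts:AssumeRole"}]},
        "Policy": {"Version": "2012-10-17", "Statement": [
            {"Effect": "Allow", "Action": "execute-api:Invoke",
             "Resource": "arn:aws:execute-api:*:*:*"}]},
    }


def sigv4_headers(method, host, path, creds, amz_date, payload=b""):
    """SigV4-sign a request with the temporary credentials from assume_role
    (dict with AccessKeyId, SecretAccessKey, SessionToken). amz_date is the
    request time as YYYYMMDDTHHMMSSZ; the session token is part of the signature."""
    date = amz_date[:8]
    headers = {"host": host, "x-amz-date": amz_date,
               "x-amz-security-token": creds["SessionToken"]}
    signed = ";".join(sorted(headers))
    canonical = "\n".join([
        method, path, "",                              # empty query string
        "".join(f"{k}:{headers[k]}\n" for k in sorted(headers)),
        signed, hashlib.sha256(payload).hexdigest()])
    scope = f"{date}/{REGION}/{SERVICE}/aws4_request"
    to_sign = "\n".join(["AWS4-HMAC-SHA256", amz_date, scope,
                         hashlib.sha256(canonical.encode()).hexdigest()])
    key = ("AWS4" + creds["SecretAccessKey"]).encode()
    for part in (date, REGION, SERVICE, "aws4_request"):  # derive the signing key
        key = hmac.new(key, part.encode(), hashlib.sha256).digest()
    signature = hmac.new(key, to_sign.encode(), hashlib.sha256).hexdigest()
    headers["Authorization"] = (
        f"AWS4-HMAC-SHA256 Credential={creds['AccessKeyId']}/{scope}, "
        f"SignedHeaders={signed}, Signature={signature}")
    return headers


def extract_token(body):
    """Pull the token out of the tokens API JSON. The Response/TokenId field
    names are an assumption; adjust them to what your tenant returns."""
    token = json.loads(body).get("Response", {}).get("TokenId")
    if not token:
        raise ValueError("tokens API returned no token")
    return token


def api_headers(token):
    """Header set for the firewall CRUD and rulestack APIs: the token-id in Authorization."""
    return {"Authorization": token, "Content-Type": "application/json"}


def get_token(role_arn, kind="cloudfirewalladmin"):
    """Assume the tagged role, call GET /v1/mgmt/tokens/<kind> with a SigV4-signed
    request and return the JWT. Needs network access and boto3; kind is
    cloudfirewalladmin or cloudrulestackadmin."""
    import boto3  # imported here so the pure helpers above run without it
    creds = boto3.client("sts").assume_role(
        RoleArn=role_arn, RoleSessionName="cloudngfw-api")["Credentials"]
    path = f"/v1/mgmt/tokens/{kind}"
    now = datetime.now(timezone.utc).strftime("%Y%m%dT%H%M%SZ")
    req = urllib.request.Request(
        f"https://{API_HOST}{path}",
        headers=sigv4_headers("GET", API_HOST, path, creds, now))
    with urllib.request.urlopen(req) as resp:
        return extract_token(resp.read())
```

The signature covers the session token and the timestamp, so a request signed with expired STS credentials is refused by API Gateway before it reaches the tokens API; the token that comes back is then sent in Authorization, as listed above, on every firewall and rulestack call until it expires.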
What does the NGFW endpoint in your VPC allow access to?
NGFW resources
Which security services are available on the AWS Cloud FW?
- Threat Prevention
- Advanced URL filtering
- Decryption
- App-ID
What is built-in to the AWS Cloud FW?
resiliency, scalability, and life-cycle management
Does NGFW span multiple AWS availability zones?
yes
Is Cloud NGFW an endpoint service?
yes
How does each NGFW endpoint manifest?
as an AWS Elastic Network Interface (ENI) (with a private IP address) in the dedicated subnet that you specify