Cloudfront Flashcards

1
Q

SSL

A

Cloudfront does not use SSL Certificate. It uses ACM for HTTPS.

*.cloudfront.net

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
2
Q

Cloudfront TTL

A
  • More frequent cache HITS = lower origin load
  • Default TTL (behaviour) = 24 hours (validity period)
  • You can set Minimum TTL and Maximum TTL values

Cloudfront will apply any of the two that occur first; Max TTL or Expiry date.

Headers
* Origin Header: Cache-Control max-age (seconds)
* Origin Header : Cache-Control s-maxage (seconds)
* Origin Header: Expires (Date & Time)
Custom Origin or S3 (Via object metadata)

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
3
Q

Versioned FileNames vs Cache invalidation

A

Versioned filenames is more cost-effective because even if the file is cached in the user’s machine, only the specified version (in the application) will be returned.

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
4
Q

Using customized Domain name with cloud front

A

Not using the xxxxxxxxxx.cloudfront.com requires an ssl certification if your Domain name is a Https or not

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
5
Q

ACM

A

Importing an SSL certificate into cloudfront is done using ACM. Using US-EAST-1

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
6
Q

Self-Signed vs Public Certificates

A

Cloudfront(as a Public service) does not work with self-signed certificates. therefor, for both Origin and viewer certificates must be a publicly valid certificate

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
7
Q

Cloud front SSL

A

*cloudfront.com

Alternate Domain Name feature allows customized Domain name for cloudfront distribution. This has to be updated in the domain’s zone file, and an SSL certificate for the custom domain is required.

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
8
Q

Cloudfront Custom Domain

A

Custom domain can be used with Cloudfront as Alternate domain name.

Route 53 has to be updated with the alternate Domain name.

Wether or not HTTPs is needed or not, a valid proof of ownership of the provided domain name has to be established. Hence, SSL certificate has to be generated or imported into ACM

This Certificate must be created or added in US-EAST-1

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
9
Q

at what layer does https encryption happens

A

One of the most popular encryption schemes usually associated with the presentation layer is the Secure Socket Layer (SSL) protocol.” HTTPS is the application layer protocol using ssl at layer 6 for encryption purposes. SSL works on OSI layer 6.

HTTPS uses an encryption protocol to encrypt communications. The protocol is called Transport Layer Security (TLS), although formerly it was known as Secure Sockets Layer (SSL).

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
10
Q

SNI

A

Server Name Indication, often abbreviated SNI, is an extension to TLS that allows multiple hostnames to be served over HTTPS from the same IP address.

by which a client indicates which hostname it is attempting to connect to at the start of the handshaking process.

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
11
Q

SSL for S3

A

S3 inherently has its own Certificate that can neither be modified or created.

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
12
Q

EC2 and ELB Certificates

A

Origins need to have certificates issued by a trusted authority (CA) - ALB can use
ACM, others need to use an external generated cert. NO SELF-SIGNED CERTS

EC2 and ELB origin have to also present publicly supported certificateEC2 and Load Balancer certificates, no matter the origin, has to be applied manually because **ACM does not automatically apply their certificates.

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
13
Q

Certificates (Both Clients side and Origin side must match the domain name as the target website

A

True

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
14
Q

Origin vs Viewer Protocol

A

Are Automatically matched at both sides.No user configuration is required

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
15
Q

Lambda at Edge

A

Use Cases
A/B testing - Viewer Request
* Migration Between S3 Origins - Origin Request
* Different Objects Based on Device - Origin Request
* Content By Country - Origin Request

Throughput
128MB/5sec

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
15
Q

OAC

A

Origin Access Control is basically denying all access to S3 except for a specific Cloudfront distribution.

On S3 origins, Helps to control allowed request source. It has three options

  1. Public
  2. Cloudfront
  3. Legacy Identities

Is not allowed in custom origin. However, path control is available for Custom

16
Q

Securing Custom origin

A

This is the creation of a tunnel over HTTP between the source and destination.
This is established by requiring an additional header from Cloudfront, else the request will not be attended to. Meanwhile between the Edge and cloud, a HTTP tunnel is implemented. Alternatively, WAF can be used at the custom source to filter traffic only from the edge Location Sources. WAF knows all AWS edge Location IP Addresses.

17
Q

CloudFront Geo Restriction

A

CloudFront Geo Restriction
1. 3rd Party Geolocation (Customizable)
2. CF - Whitelist or Blacklist - COUNTRY ONLY

CF - GeolP Database 99.8%+ Accurate

18
Q

Signed URL

A

Provides access to one particular object. Used for Legacy RTMP because they cant use signed cookies.

For Legacy Apps that do not accept Signed cookies.

19
Q

Shield Advance Pricing

A

$3,000 per month (per ORG), 1 year lock-in + data (OUT) /m

20
Q

Signed URL vs Signed Cookies

A

Signed URLs:

URL-Based Approach: With signed URLs, access to a resource is granted by generating a special URL containing authentication information. This URL is typically short-lived and has an expiration time.
Time-Limited: Signed URLs often have a limited validity period, meaning they are only valid for a short duration. After the expiration time, the URL becomes invalid.
No Storage on the Client: Signed URLs do not require storage of any tokens or cookies on the client side. The authentication details are entirely contained within the URL.
Usage Examples: Signed URLs are commonly used in cloud storage services like Amazon S3, where you can generate a URL with temporary access to a specific file. Content delivery networks also use this approach.
Signed Cookies:

Cookie-Based Approach: With signed cookies, authentication information is stored as cookies on the client side. These cookies contain a signed token or session identifier.
Persistent Session: Cookies can be persistent, meaning the authentication state can be maintained across multiple visits by the same client, as long as the cookie is not expired.
Storage on the Client: Signed cookies require storage on the client side. This means that a client (e.g., a web browser) needs to maintain and send the cookie on each request.
Usage Examples: Signed cookies are commonly used in web applications to maintain user sessions, such as login state or session data.

21
Q

Layer 7 Firewalls

A

Layer 7 Firewalls keeps all the features of Layers 3,4,5 features and still react to Layer 7 elements.

It understands the protocols and all the nuances of Layer 7.

Data at L7 can be inspected and blocked, replaced or tagged (adult, spam, off topic)

L7 FW can identify normal or abnormal requests
Protocol specific attacks

Able to identify, block & adjust specific applications e.g. Facebook

22
Q

Layer 5 Firewalls

A

stateful Inspection: In the context of security, stateful inspection firewalls utilize the session layer’s ability to maintain session state. These firewalls examine not only individual packets but also the context and state of the entire session. This allows them to make more informed decisions about whether to allow or block traffic based on the established sessions.
Termination: When a session is completed, the session layer manages the graceful termination of the connection, ensuring that all resources are released correctly.
Stateful inspection firewalls, for example, use the information from the session layer to track the state of connections and apply security policies based on the context of the sessions. This allows them to better protect networks against various threats, as they can understand the state of connections and recognize legitimate responses to outbound requests.

23
Q

AWS Shield - Standard

21211

A

Free for AWS customers
* Protection at the perimeter
* Region/VPC or the AWS edge
* Common Network (L3) or Transport (L4) layer attacks
* Best protection using R53, CloudFront, AWS Global Acceleration

24
Q

Shield Advance Pricing

A

$36,000/year
Shield Response Team

25
Q

WEB ACL

A

A configuration Tool used by WAF and other Security tools to filter access rules and patterns for Web applications access.

Features
- AWS Managed Rules
- ALLOW LIST
- DENY LIST
- SOLIniection
- Bot
- Attacker
- IP Reputation
- BOTS

26
Q

WAF

A

Strictly for Web Application (Global or regional)
eg. Cloudfront, API Gateway, Appsynch, ALB

27
Q

AWS Shield

A

Against Ddos attack.
Network Layer DDoS attacks.

DDoS attacks can also target this Network layer (layer 3) or the Transport Layer (Layer 4) of the OSI model, with the goal of consuming the target’s network bandwidth. Network layer DDoS attacks include attacks like ICMP (Internet Control Message Protocol) floods, ARP floods, and IP (Internet Protocol) fragmentation attacks.
Operates on Layers 3&4

28
Q

Shield Advance features

A
  • Protects CF, R53, Global Accelerator, anything associated with EIPs (i.e EC2), ALBs, CLBs, NLBs
  • Not automatic - must be explicitly enabled in Shield
    Advanced or AWS Firewall Manager Shield Advanced policy
  • Cost protection (ie EC2 scaling) for unmitigated attacks
  • Proactive Engagement & AWS Shield Response Team (ST)
29
Q

Shield Advanced Scope

A
  • WAF Integration - includes basic AWS WAF fees for web
    ACLs, rules, and web requests.
  • Application Layer (L7) DDOS protection (uses WAF)
  • Real time visibility of DDOS events and attacks
  • Health-based detection - application specific health checks, used by proactive engagement team
  • Protection groups
30
Q

Cloudfront TTL

A

Optionally, you can configure your origin server to add headers to the files, to indicate how long you want the files to stay in the cache in CloudFront edge locations. By default, each file stays in an edge location for 24 hours before it expires. The minimum expiration time is 0 seconds; there isn’t a maximum expiration time.

31
Q

Cloudfront Preferred domain

A

As you develop your website or application, you use the domain name that CloudFront provides for your URLs. For example, if CloudFront returns d111111abcdef8.cloudfront.net as the domain name for your distribution, the URL for logo.jpg in your Amazon S3 bucket (or in the root directory on an HTTP server) is https://d111111abcdef8.cloudfront.net/logo.jpg.

Or you can set up CloudFront to use your own domain name with your distribution. In that case, the URL might be https://www.example.com/logo.jpg.

32
Q

Cloudfront Field Level Encryption

A

With Amazon CloudFront, you can enforce secure end-to-end connections to origin servers by using HTTPS. Field-level encryption adds an additional layer of security that lets you protect specific data throughout system processing so that only certain applications can see it.

Field-level encryption allows you to enable your users to securely upload sensitive information to your web servers. The sensitive information provided by your users is encrypted at the edge, close to the user, and remains encrypted throughout your entire application stack. This encryption ensures that only applications that need the data—and have the credentials to decrypt it—are able to do so.

33
Q

Field Level Encryption Limits

A

To use field-level encryption, when you configure your CloudFront distribution, specify the set of fields in POST requests that you want to be encrypted, and the public key to use to encrypt them. You can encrypt up to 10 data fields in a request. (You can’t encrypt all of the data in a request with field-level encryption; you must specify individual fields to encrypt.)

To set up field-level encryption, you add a public key to CloudFront, and then specify the set of fields that you want to be encrypted with the key.

34
Q

Cloudfront Security

A

The CloudFront managed prefix list contains the IP address ranges of all of CloudFront’s globally distributed origin-facing servers. If your origin is hosted on AWS and protected by an Amazon VPC security group, you can use the CloudFront managed prefix list to allow inbound traffic to your origin only from CloudFront’s origin-facing servers, preventing any non-CloudFront traffic from reaching your origin. CloudFront maintains the managed prefix list so it’s always up to date with the IP addresses of all of CloudFront’s global origin-facing servers. With the CloudFront managed prefix list, you don’t need to read or maintain a list of IP address ranges yourself.

If the instance is in a VPC, you can create a security group rule that allows inbound HTTPS access from the CloudFront managed prefix list. This allows all of CloudFront’s global origin-facing servers to reach the instance. If you remove all other inbound rules from the security group, you prevent any non-CloudFront traffic from reaching the instance.