Domain 2: Security Flashcards
What is IAM?
Identity Access Management
What are the IAM Identities and how are each of them used?
Users: Represents a person or service who uses IAM to interact with AWS
Groups: A collection of IAM users
Roles: An identity with permission policies that determine what the identity can and cannot do in AWS. Can be assumed by a user, federated user or a service.
What are the AWS policy types?
AWS Managed Policy - AWS managed policies that are designed to provide permissions for many common use cases
AWS Customer Managed Policy - Customer managed policies that can be assigned to a user/group/role
Inline policies - A policy that’s embedded in an IAM user, group or role
What is the format of an IAM Policy document?
JSON
How is access managed on an EC2 level?
Security Groups - A stateful “virtual” firewall for incoming and outgoing traffic
What is the default behaviour of Security Group rules?
All outbound traffic permitted and all inbound traffic is blocked
Can you block traffic with Security Groups?
No - Security Group rules are permissive only
Security Groups are stateful. What does this mean?
If you send a request from the instance, that request and its response are permitted regardless of the inbound/outbound security rules
What is AWS KMS?
AWS Key Management Service - Centralized control of cryptographic keys used to protect your data
What is a CMK? (Within KMS)
Customer Master Key - Encrypts/decrypts data up to 4 KB; it is used to generate/encrypt/decrypt the data key, which is then used to encrypt/decrypt your data
How is the CMK used with envelope encryption?
A data key is generated from the CMK; this key is then used to encrypt/decrypt your data. The (CMK-encrypted) data key can be stored alongside the encrypted file so it can easily be used to encrypt/decrypt large files
What are the KMS AWS CLI commands?
aws kms encrypt # Encrypt up to 4 kB
aws kms decrypt # Decrypt up to 4 kB
aws kms re-encrypt # Decrypts a file and re-encrypts it without saving the file to memory; can be used for re-encrypting with a new CMK
aws kms enable-key-rotation # Rotate your CMK on an annual basis
aws kms generate-data-key # Generate data key for encrypt/decrypt for files above 4 kB
Can you use AWS CMKs in crypto ops directly?
No - this is managed by AWS
Are KMS encryption keys regional or global?
Regional - Keys are only stored in the region in which they are created and used; you cannot transfer CMKs
What are NACLs?
Network Access Control List: A layer of security that acts as a firewall for controlling traffic in and out of a subnet
What are the NACL default rules?
Allows all inbound and outbound traffic
Are NACLs stateful or stateless?
Stateless - Which means responses to allowed inbound traffic are subject to the rules for outbound traffic
Does S3 block public permissions by default?
Yes
What is a VPC endpoint?
A logical entity within a VPC that allows connectivity only to S3; it helps prevent traffic traversing the internet and speeds up requests
What are the different ways S3 bucket access is managed?
IAM Policies: Allow S3 operations at the IAM level
S3 bucket policies: Allows access at the bucket level
Access Control Lists (ACLs): A sub resource that’s attached to every S3 bucket and object - generally a legacy concept
What is AWS System Manager Parameter Store?
A secure service to create, store and manage parameters with values, great for storing sensitive data such as passwords
It uses AWS KMS on the backend
What is AWS CloudTrail?
A web service that records activity made on your account: IP, when, what resource, how it was changed, whether it was denied or not. Great for auditing.
What are CIDR blocks?
An IP addressing scheme which represents a group of IP addresses. Used in subnets, routing tables etc.
- 10.0.0.0/32 matches only 10.0.0.0
- 10.0.0.0/24 matches 10.0.0.0 - 10.0.0.255
- 10.0.0.0/16 matches 10.0.0.0 - 10.0.255.255
What is the secure way to share objects with S3?
Granting temporary access with a presigned URL and handing it out to the client
How to ensure server-side encryption for all objects stored in a bucket?
Add a bucket policy that denies permissions to upload an object unless the request includes the:
“x-amz-server-side-encryption” header
What are the S3 encryption options?
SSE-S3 (Server Side Encryption S3)
SSE-KMS
How can you test whether a policy document works?
IAM Policy Simulator
What is AWS Cognito?
An AWS identity broker that lets you easily allow users to sign up and sign in to your app
What is the Web Identity Federation?
Allows users of your app to sign in using a well-known external provider (Amazon, Google etc)
How does AWS Cognito work?
The user authenticates against a “user pool” (or user directory) and, once authenticated, obtains JWTs.
These JWTs are then exchanged with the “identity pool” for temporary AWS credentials to access the app's AWS resources.
How does AWS Cognito keep data in sync across devices?
Push synchronization is used to sync data across multiple devices
What is an AWS User Pool?
User directory in AWS Cognito with sign-in/sign-up functionality which you can authenticate via:
- Web Identity Federation
- Directly with your App
- Other SAML identity providers (like a company's organization)
It also has other authentication features such as phone verification, MFA etc.
What are Identity Pools?
Provide temporary AWS credentials for users who are guests or for users who have a token
What is AWS SSO?
AWS Single Sign-On - Easy to centrally manage SSO access to all your AWS accounts and their permissions. Great for leveraging existing corporate identities
What is AWS STS?
AWS Security Token Service (STS) enables you to request temporary credentials.
E.g.
aws sts assume-role # Return a set of temporary security credentials that you can use to access AWS resources
What do temporary AWS security credentials consist of?
Access Key ID, secret access key and a security token
What do AWS security credentials consist of?
Access key ID and a secret access key
How does AWS cross-account access work to give access to production resources from a developer account?
- Create the policy on the production account
- Create an “Another AWS account” role type with the policy defined above
- On the developer account add the policy to allow assume role as production account
- On the developer account you should be able to assume the role defined in step 2 on the production account
How can you configure a lambda function to access resources in a VPC?
- Add the AWSLambdaVPCAccessExecutionRole AWS managed policy to the function's execution policy
- Configure the function to include a security group, subnet and VPC for it to access
What are lambda policies?
Resource policies - Permit other AWS roles to invoke your Lambda function
Execution role - Permit your lambda function to access other AWS resources
What is CORS & why is it needed?
Cross-Origin Resource Sharing - A way for client-web applications that are loaded from one domain to interact with another domain. The browser will block this kind of resource sharing without configuration.
Common use-cases: Client downloading data from an S3 bucket or another AWS resource directly
What is the limit for CMKs?
10000 CMKs per account per region
How do IAM roles work securely?
IAM roles are based on temporary security tokens and are rotated automatically
If a NACL or Security group is blocking a given request/response, what do you expect to happen?
Timeout error
What is AWS Secrets Manager?
Stores key-value secrets and allows for automatic key rotation.
Key rotation can be done natively for AWS services such as RDS and Redshift, but you can also write Lambda functions to do this
What is AWS Shield?
A managed distributed DDoS automatic protection service to safeguard your applications.
It works at layer 3/4 (network layer)
What is AWS WAF?
AWS Web Application Firewall - A paid service that blocks specific traffic patterns. Operates at layer 7.
What is AWS GuardDuty?
A threat detection service that continuously monitors multiple data sources for malicious activity.
What are the AWS Security Group default rules and rule behaviours?
No rule, no traffic allowed.
The outbound default has a rule that permits all traffic.
The inbound default has no rules, so no traffic is permitted.
You can delete the outbound default rule so that all outbound traffic is blocked.
Can you allow users which are not authenticated via AWS Cognito?
Yes - with unauthenticated access enabled
Is there an AWS KMS call limit?
Yes
What are IAM policy variables?
Use AWS Identity and Access Management (IAM) policy variables as placeholders when you don’t know the exact value of a resource or condition key when you write the policy.
How do you decode authorization messages from a failed AWS command?
aws sts decode-authorization-message
A customer wants to encrypt data at rest using AWS with its own key - what should it use?
AWS KMS and supply it with their own Customer Master Key
A Lambda function requires access to an S3 bucket that has a bucket policy. What do you need to do?
Create an IAM role with permissions to access the S3 bucket and assign it as the Lambda's execution role.
Ensure the bucket policy also permits the Lambda function to access it (usually does unless Lambda is in another account).
What is the structure of an S3 bucket policy?
Version - Usually a date
Statement - List of statements that contain the following
Effect: “Allow” or “Deny” access
Principal: IAM user/role
Resource: arn:aws:s3:::bucketname/root
How do you log in via the AWS CLI to pull a Docker image from ECR?
aws ecr get-login # Log in to ECR via AWS
docker pull
What are the ways of controlling access to the CMK in KMS?
Key policies - Controls who can access the key, can also set IAM policies to allow access to the key
IAM policies - Have to be set within the key policies
If an AWS Lambda function requires internet access and access to a private VPC how is this done?
Lambda functions can have access to the internet; however, when associated with a VPC they by default no longer have internet access, because they are within the private VPC.
To do this you need to configure an internet & NAT gateway to route traffic from the private VPC to the internet.
What is the way of accessing AWS services from another developer machine?
Create an AWS user with an access key and secret access key
If you have an on-premise application outside of an AWS environment what is the best practice for permitting access?
Create an AWS User (a dedicated service account), restrict the source IP range of your clients and distribute the secret access key.
If you have client-side code that requires credentials what is the best practice?
Using AWS STS to generate temporary credentials.
How to encrypt messages at rest in SQS?
SSE encrypts messages at rest as soon as SQS receives them, the messages are only decrypted once they are sent to an authorized consumer.
This is done with AWS KMS.
Encryption must be enabled on the queue.
What are IAM Policy conditions used for?
To specify the conditions under which the given policy is in effect.
What is AWS Systems Manager?
Gives you visibility into and control over your infrastructure on AWS.
What is AWS API Gateway Lambda authorizer?
A Lambda function that you provide to control access to your API.
Great for third party authentication systems.
Which security credentials can only be created by the AWS root user?
CloudFront Key Pairs
What is SSE-S3?
Server-Side Encryption with Amazon S3-Managed Keys with AES-256
What is SSE-KMS?
Server-Side Encryption with CMKs stored in AWS KMS, but with some additional charges for extra features, e.g. an audit trail of when your CMK was used and by whom.
What is SSE-C?
Server-Side Encryption with Customer-Provided Keys (SSE-C). The customer manages the encryption.
What is the IAM Access Analyzer?
Helps you identify the resources that are shared with an external entity - it lets you identify unintended access to your resources/data.
What are dedicated instances?
EC2 instances that run on hardware that's dedicated to a single customer. Instances may share hardware with other instances of the same account but never with other accounts.
What are dedicated hosts?
Physical server that’s dedicated for your use. Costlier than the dedicated instances option.
What AWS services can be used to deploy SSL/TLS server certificates?
AWS Certificate Manager & IAM
What policy types only limit permissions but cannot grant permissions?
AWS Organizations Service Control Policy (SCP)
- Limits the permissions of users/roles within the account but does not grant permissions
Permissions boundary
- Defines the maximum permissions that an IAM entity can grant to another user, but does not itself grant permissions.
What are the 3 credential types supported by IAM for CodeCommit?
Git credentials, SSH Keys, AWS access keys
What is a Trust Policy?
Defines the IAM principals that are allowed to assume this role.
What MFA is not permitted for use with the root account?
SMS MFA
Can Cognito authentication be used with CloudFront?
No, not directly; you have to create a separate Lambda@Edge function to accomplish this.
What is the Access Advisor feature?
Helps you identify unused roles.
What is Amazon Inspector?
An automated security assessment service.
What is the difference between Cognito User pools and Cognito Identity pools?
Cognito User pools authenticate a given user (can be third party, a defined user directory or SAML providers).
Cognito Identity pools defines how those users can obtain temporary AWS credentials to access AWS services.
How do you prevent an unauthorized domain from using your content?
Only enable CORS for selected domains.
index.html on bucket A refers to load.html on bucket B.
Which bucket must CORS be enabled on to allow the resource to be loaded?
Bucket B
Can you delegate access across accounts from different account partitions?
No
You have two policies on a user - one allowing access, the other denying it. What is the result?
Access is denied.
What is SAML?
Cognito can be used with SAML to configure an identity pool that can define the role assumed by the user.
What encryption method will get rejected if it is not using HTTPS?
SSE-C, because it requires the customer to send the key with the request, which would be considered compromised over HTTP
What is the x-amz-server-side-encryption header value for SSE-KMS and SSE-S3?
SSE-S3 is ‘AES256’
SSE-KMS is ‘aws:kms’
How is AWS CodeCommit encrypted?
With AWS KMS on the backend