Domain 2: Security

Question 1

What is IAM?

Answer 1

Identity Access Management

Question 2

What are the IAM Identities and how are each of them used?

Answer 2

Users: Represents a person or service who uses IAM to interact with AWS

Groups: A collection of IAM users

Roles: An identity with permission policies that determine what the identity can and cannot do in AWS. Can be assumed by a user, federated user or a service.

Question 3

What are the AWS policy types?

Answer 3

AWS Managed Policy - AWS managed policies that are designed to provide permissions for many common use cases

AWS Customer Managed Policy - Customer managed policies that can be assigned to a user/group/role

Inline policies - A policy that’s embedded in an IAM user, group or role

Question 4

What is the format of an IAM Policy document?

Answer 4

JSON

Question 5

How is access managed on an EC2 level?

Answer 5

Security Groups - A stateful “virtual” firewall for incoming and outgoing traffic

Question 6

What is the default behaviour of Security Group rules?

Answer 6

All outbound traffic permitted and all inbound traffic is blocked

Question 7

Can you block traffic with Security Groups?

Answer 7

No - Security Group rules are permissive only

Question 8

Security Groups are stateful. What does this mean?

Answer 8

If you send a request from the instance the request and response for that request is permitted regardless of inbound/outbound security rules

Question 9

What is AWS KMS?

Answer 9

AWS Key Management Service - Centralized control of cryptographic keys used to protect your data

Question 10

What is a CMK? (Within KMS)

Answer 10

Customer Master Key - Encrypting/decrypting data up to 4 KB which is used to generate/encrypt/decrypt the data key which is then used to encrypt/decrypt your data

Question 11

How is the CMK used with envelope encryption?

Answer 11

A data key is generated from the CMK, this key is then used to encypt/decrypt your data. The (CMK encrypted) data key can be stored alongside the encrypted file to be used to easily encrypt/decrypt the large files

Question 12

What the the KMS AWS CLI commands?

Answer 12

aws kms encrypt # Encrypt up to 4 kB
aws kms decrypt # Decrypt up to 4 kB
aws kms re-encrypt # Decrypt a file and encrypts it without saving the file to memory, can be used for re-encrypting with a new CMK

aws kms enable-key-rotation # Rotate your CMK on an annual basis

aws kms generate-data-key # Generate data key for encrypt/decrypt for files above 4 kB

Question 13

Can you used AWS CMKs in crypto ops directly?

Answer 13

No - this is managed by AWS

Question 14

Are KMS encryption keys regional or global?

Answer 14

Regional - Keys are only stored in the region in which they are created and used, you cannot transfer CMKs

Question 15

What are NACLs?

Answer 15

Network Access Control List: A layer of security that acts as a firewall for controlling traffic in and out of a subnet

Question 16

What are the NACL default rules?

Answer 16

Allows all inbound and outbound traffic

Question 17

Are NACLs stateful or stateless?

Answer 17

Stateless - Which means responses are allowed to inbound traffic are subject to the rules for outbound traffic

Question 18

Does S3 block public permissions by default?

Answer 18

Yes

Question 19

What is a VPC endpoint?

Answer 19

A logical entity within a VPC that allows connectivity only to S3, it helps prevent traffic traversing the internet and speed up requests

Question 20

What are the different ways S3 bucket access is manged?

Answer 20

IAM Policies: Allow S3 operations at the IAM level

S3 bucket policies: Allows access at the bucket level

Access Control Lists (ACLs): A sub resource that’s attached to every S3 bucket and object - generally a legacy concept

Question 21

What is AWS System Manager Parameter Store?

Answer 21

A secure service to create, store and manage parameters with values, great for storing sensitive data such as passwords

It uses AWS KMS on the backend

Question 22

What is AWS CloudTrail?

Answer 22

A web service that records activity made on your account: IP, when, what resource, how it was changed, whether it was denied or not. Great for auditing.

Question 23

What are CIDR blocks?

Answer 23

An IP addressing scheme which represents a group of IP addresses. Used in subnets, routing tables etc.

10. 0.0.0/32 matches only 10.0.0.0
11. 0.0.0/24 matches 10.0.0.0 - 10.0.0.255
12. 0.0.0/16 matches 10.0.0.0 - 10.0.255.255

Question 24

What is the secure way to share objects with S3?

Answer 24

Granting temporary access with a presigned URL and giving them out to a client

Question 25

How to ensure server-side encryption for all objects stored in a bucket?

Answer 25

Add a bucket policy that denies permissions to upload an object unless the request includes the:
“x-amz-server-side-encryption” header

Question 26

What are the S3 encryption options?

Answer 26

SSE-S3 (Server Side Encryption S3)

SSE-KMS

Question 27

How can you test whether a policy document works?

Answer 27

IAM Policy Simulator

Question 28

What is AWS Cognito?

Answer 28

An AWS Identity broker you to easily allow users to sign-up and sign in to your app

Question 29

What is the Web Identity Federation?

Answer 29

Allows users of your app to sign in using a well-known external provider (Amazon, Google etc)

Question 30

How does AWS Cognito work?

Answer 30

The user authenticates against a “user pool” (or user directory) and once authenticated obtains JWT.

These JWT are then exchanged with the “identity pool” for temporary AWS credentials to access the apps AWS resources.

Question 31

How does AWS Cognito keep data in sync across devices?

Answer 31

Push data is used to sync data across multiple devices

Question 32

What is an AWS User Pool?

Answer 32

User directory in AWS Cognito with sign-in/sign-up functionality which you can authenticate via:

• Web Identity Federation
• Directly with your App
• Other SAML identity providers (like a companies organization)

It is also has other authentication features such as phone verification, MFA etc.

Question 33

What are Identity Pools?

Answer 33

Provide temporary AWS credentials for users who are guests or for users who have a token

Question 34

What is AWS SSO?

Answer 34

AWS Single Sign-On - Easy to centrally manage SSO access to all your AWS accounts and their permissions. Great for leveraging existing corporate identities

Question 35

What is AWS STS?

Answer 35

AWS Security Token Service (STS) enables you to request temporary credentials.

E.g.
aws sts assume-role # Return a set of temporary security credentials that you can use to access AWS resources

Question 36

What do temporary AWS security credentials consist of?

Answer 36

Access Key ID, secret access key and a security token

Question 37

What do AWS security credentials consist of?

Answer 37

Access key ID and a secret access key

Question 38

How does AWS cross-account access work to give access to production resources from a developer account?

Answer 38

1. Create the policy on the production account
2. Create an “Another AWS account” role type with the policy defined above
3. On the developer account add the policy to allow assume role as production account
4. On the developer account you should be able to assume on the production account for the role defined in step 2

Question 39

How can you configure a lambda function to access resources in a VPC?

Answer 39

1. Add AWSLambdaVPCAccessExecutionRole AWS managed policy to the functions execution policy
2. Configure the function to include a security group, subnet and VPC for it to access

Question 40

What are lambda policies?

Answer 40

Resource-policies - Permit other AWS Roles permission to invoke your lambda function

Execution role - Permit your lambda function to access other AWS resources

Question 41

What is CORS & why is it needed?

Answer 41

Cross-Origin Resource Sharing - A way for client-web applications that are loaded from one domain to interact with another domain. The browser will block this kind of resource sharing without configuration.

Common use-cases: Client downloading data from an S3 bucket or another AWS resource directly

Question 42

What is the limit for CMKs?

Answer 42

10000 CMKs per account per region

Question 43

How do IAM roles work securely?

Answer 43

IAM roles are based on temporary security tokens and are rotated automatically

Question 44

If a NACL or Security group is blocking a given request/response, what do you expect to happen?

Answer 44

Timeout error

Question 45

What is AWS Secrets Manager?

Answer 45

Stores key-value secrets and allows for automatic key rotation.

Key rotation can be done natively with AWS services AWS RDS, Redshift but you can also write lambda functions to do this

Question 46

What is AWS Shield?

Answer 46

A managed distributed DDos automatic protection service to safe guard your applications.

It works a layer 3/4 (network layer)

Question 47

What is AWS WAF?

Answer 47

AWS Web Application Firewall - A paid service that blocks specific traffic patterns. Operates at layer 7.

Question 48

What is AWS GuardDuty?

Answer 48

A threat detection service that continuously monitors multiple data sources for malicious activity.

Question 49

AWS Security Group default rules and rule behaviours?

Answer 49

No rule no traffic allowed.

Outbound default has a rule that permits all traffic.

Inbound default has no rules so no traffic permitted.

Can delete the outbound default rule so all outbound traffic blocked.

Question 50

Can you allow users which are not authenticated via aws cognito?

Answer 50

Yes - with authenticated access enabled

Question 51

Is there an aws kms call limit?

Answer 51

Yes

Question 52

What are IAM policy variables?

Answer 52

Use AWS Identity and Access Management (IAM) policy variables as placeholders when you don’t know the exact value of a resource or condition key when you write the policy.

Question 53

How do you decode authorization messages from a failed AWS command?

Answer 53

aws sts decode-authorization-message

Question 54

A customer wants to encrypt data at rest using AWS with it’s own key - what should it use?

Answer 54

AWS KMS and supply it with their own Customer Master Key

Question 55

A Lambda function requires access to an S3 bucket policy? What do you need to do?

Answer 55

Create an IAM role with permissions to access the S3 bucket and assign it the Lambda’s execution role.

Ensure the bucket policy also permits the Lambda function to access it (usually does unless Lambda is in another account).

Question 56

What is the structure of an S3 bucket policy?

Answer 56

Version - Usually a date
Statement - List of statements that contain the following

Effect: “Allow” or “Deny” access
Principle: IAM user/role
Resource: arn:aws:s3:::bucketname/root

Question 57

How to log in via AWS cli to get pull a docker image from ecr?

Answer 57

aws ecr get-login # Login to ecr via aws

docker pull

Question 58

What are the ways of controlling access to the CMK in KMS?

Answer 58

Key policies - Controls who can access the key, can also set IAM policies to allow access to the key

IAM policies - Has to be set within the key policies

Question 59

If an AWS Lambda function requires internet access and access to a private VPC how is this done?

Answer 59

Lambda functions can have access to the internet - however when associated with a VPC by default they no longer has access to the internet by default because they are within the private VPC.

To do this you need to configure an internet & NAT gateway to route traffic from the private VPC to the internet.

Question 60

What is the way of accessing AWS services from another developer machine?

Answer 60

Create a AWS user and with a secret access key and access key

Question 61

If you have an on-premise application outside of an AWS environment what is the best practice for permitting access?

Answer 61

Create an AWS User (a dedicated service account), restrict the source IP range of your clients and distribute the secret access key.

Question 62

If you have client-side code that requires credentials what is the best practice?

Answer 62

Using AWS STS to generate temporary credentials.

Question 63

How to encrypt messages at rest in SQS?

Answer 63

SSE encrypts messages at rest as soon as SQS receives them, the messages are only decrypted once they are sent to an authorized consumer.

This is done with AWS KMS.

Encryption must be enabled on the queue.

Question 64

What are IAM Policy conditions used for?

Answer 64

To specify the conditions when the given policy is in affect.

Question 65

What is AWS Systems Manager?

Answer 65

Allows one to visibly control your infrastructure on AWS.

Question 66

What is AWS API Gateway Lambda authorizer?

Answer 66

A Lambda function that you provide to control access to your API.

Great for third party authentication systems.

Question 67

Which security credentials can only be created by the AWS root user?

Answer 67

CloudFront Key Pairs

Question 68

Which security credentials can only be created by the AWS root user?

Answer 68

CloudFront Key Pairs

Question 69

What is SSE-S3?

Answer 69

Server-Side Encryption with Amazon S3-Managed Keys with AES-256

Question 70

What is SSE-KMS?

Answer 70

Server-Side Encryption with with CMKs stored in SSE-KMS but with some additional charges for extra features. E.g. an audit trail for when your CMK was used & by whom.

Question 71

What is SSE-C?

Answer 71

Server-Side Encryption with Customer-Provided Keys (SSE-C). The customer manages the encryption.

Question 72

What is the IAM Access Analyzer?

Answer 72

Helps you identify the resources that are shared with an external entity - it lets you identify unintended access to your resources/data.

Question 73

What are dedicated instances?

Answer 73

EC2 instances that run on h/w that’s dedicated to a single customer. Instances may share h/w with other instances of the same account but never other accounts.

Question 74

What are dedicated hosts?

Answer 74

Physical server that’s dedicated for your use. Costlier than the dedicated instances option.

Question 75

What AWS services can be used to deploy SSL/TLS server certificates?

Answer 75

AWS Certificate Manager & IAM

Question 76

What policy types only limit permissions but cannot grant permissions?

Answer 76

AWS Organizations Service Control Policy (SCP)
- Limits permissions that users/roles within the account but do not grant permissions

Permissions boundary
- Defines the maximum permissions that the IAM entity can grant to another user but does not grant.

Question 77

What are the 3 credential types supported by IAM for CodeCommit?

Answer 77

Git credentials, SSH Keys, AWS access keys

Question 78

What is a Trust Policy?

Answer 78

Defines the IAM principles that are allowed to assume this role.

Question 79

What MFA is not permitted for use with the root account?

Answer 79

SMS MFA

Question 80

Can Cognito authentication be used with CloudFront?

Answer 80

No, not directly you have to create a separate Lambda@edge function to accomplish this.

Question 81

What is the Access Adviser feature?

Answer 81

Helps you identify unused roles.

Question 82

What is Amazon Inspector?

Answer 82

an automated security assessment service.

Question 83

What is the difference between Cognito User pools and Cognito Identity pools?

Answer 83

Cognito User pools authenticates a given user (can be third party, defined user directory or SAML providers).

Cognito Identity pools defines how those users can obtain temporary AWS credentials to access AWS services.

Question 84

How do you prevent an unauthorized domain from using your content?

Answer 84

Only enable CORS for selected domains.

Question 85

index.html on bucket A refers to load.html on bucket B.

Which bucket must cors be enabled on to allow the resource to be loaded?

Answer 85

Bucket B

Question 86

Can you delegate access across accounts from different account partitions?

Answer 86

No

Question 87

You have two policies on a user - one allowing access the other denying? What is the result?

Answer 87

Access is denied.

Question 88

What is SAML?

Answer 88

Cognito can be used with SAML to configure an identity pool that can define the role assumed by the user.

Question 89

What encryption method will get rejected if it is not using HTTPS?

Answer 89

SSE-C Because it requires the customer to send the key with the request which will be considered compromised over HTTP

Question 90

What is the x-amz-server-side-encryption header for sse-kms and sse-s3?

Answer 90

sse-s3 is ‘AES256’

SSE-KMS is ‘aws:kms’

Question 91

How is aws CodeCommit encrypted?

Answer 91

With aws kms on the backend