Domain 6: Security Flashcards
What kind of attack does Encryption in Flight prevent?
Man in the middle (MITM) attack
When does the server decrypt a Client Side encrypted object?
Never
What is the encryption type for S3-SSE?
AES-256
What is the HTTP/S header for for S3-SSE?
“x-amz-server-side-encryption”: “AES256”
What are the advantages of S3-KMS over S3-SSE?
User control, audit trail, rotation of keys
What is the HTTP/S header for S3-KMS?
“x-amz-server-side-encryption”: “aws:kms”
What must be included in the header for an SSE-CS request?
Data Key
When is data encrypted during an SSE-CS request?
On S3, then the Data Key is discarded
What is another term for Encryption in Flight?
SSL / TLS
What are the encryption options in the web S3 UI?
None, S3-SSE, S3-KMS
When can the Customer Master Key be retrieved by the User in KMS?
Never
What is the maximum data size that be encrypted via KMS per call?
4KB
What should be used if more than 4KB of data needs to be encrypted in a KMS call?
Envelope encryption
What must be done to give someone access to KMS?
Make sure Key Policy allows the user, make sure IAM policy allows API calls
What are the three types of KMS Customer Master Keys?
AWS Managed Default (Free); User Keys in KMS ($1/month); User Imported Keys ($1/month) must be 256 symmetric
How are KMS API calls charged?
3 cents per 10,000 calls
What is the only service in AWS that allows in-place encryption?
S3
Who manages the encryption keys when using an HSM?
Customer
What level of compliance does CloudHSM offer?
FIPS 140-2 Level 3
Is CloudHSM multi-AZ?
Yes
Is Free Tier available for CloudHSM?
No
How many days does CloudTrail hold logs?
90
Which API calls are tracked by CloudTrail by default?
Create, Modify, Delete
Can CloudTrail Trails be Global or Region-specific?
Either
What is the format of CloudTrail Trail event exports?
JSON
Which services are Gateway VPC endpoints used for?
DynamoDB and S3
Which type of VPC endpoint is used for all services except DynamoDB and S3?
Interface endpoint
Which encryption service offers asymmetric encryptiop?
CloudHSM
How is Kinesis Data Streams encrypted in flight?
SSL / HTTPS
What restriction is there when using client-side encryption in Kinesis Data Streams?
You must provide your own encryption libraries
Does Kinesis Data Streams support VPC endpoints?
Yes, interface endpoints
What additional access is needed when using KCL with Kinesis Data Streams?
DynamoDB access?
What is an additional security level for SQS beyond IAM roles?
SQS queue access policies
What are the two options for what you can attach IoT policies to?
X.509 certificates or Cognito Identities
What language are IoT policies written in?
JSON
Should you attach IAM roles to IoT Rules Engine?
Yes
What does WORM stand for in Glacier?
Write Once Read Many
How is data encrypted in flight in DynamoDB?
TLS / HTTPS
Can KMS encryption be used on secondary indexes in DynamoDB?
Yes
How do you encrypt an unencrypted table in DynamoDB?
Create a new encrypted table and migrate the data from the unencrypted table
Do DynamoDB Streams support encryption?
No
What do IAM policies provide protection for in the context of RDS?
RDS APIs
Which two RDS technologies support IAM authentication?
PostgreSQL and MySQL
Where are user permissions managed in RDS?
Within the database itself, NOT through IAM
Which two RDS technologies support Transparent Data Encryption (TDE)?
Microsoft SQL and Oracle
Which two database APIs are compatible with Aurora?
PostgreSQL and MySQL
How can Lamba functions be configured to access resources within a VPC?
Deploy the Lamba function within the VPC
How should Glue be configured to securely access data sources?
JDBC through SSL
In addition to KMS encryption, what else can be used to secure Glue Data Catalog resources?
Resource policies (similar to S3 bucket policies)
How are Glue connection passwords encrypted?
KMS
What Glue data output destinations offer encryption?
S3, CloudWatch, Job bookmarks
