Encryption Flashcards

1
Q

Symmetric encryption for data in transit

A

Symmetric encryption can be used for encryption in transit, but it requires careful key management to ensure security. One common approach is to use symmetric encryption to encrypt the data itself and then use asymmetric encryption to securely exchange the symmetric key.

2
Q

Config rules

A

Custom rules use Lambda to evaluate whatever rule you have coded.

It also integrates with EventBridge, SNS and SSM (to remediate compute configurations).

3
Q

Roles in AWS organization

A

New accounts created inside an organization come with a new role (which can be role-switched into); invited accounts have to be issued a role manually.

4
Q

AWS Organization New account

A

When you create a new account within an AWS organization, the only way to access the new account is by switching role into that account.

5
Q
A

You can role-switch into an invited account; however, you would have to first create the role manually.

6
Q
A

Since the management account can't be restricted by SCPs, it is best practice not to use the management account for normal activities.

7
Q

Control Tower initialized

A

By default, the Control Tower management account comes built in with three components and two OUs:

Control Tower
SSO
AWS Organizations:

- Sandbox/Custom OU
- Security/Foundational OU

8
Q

Control Tower Account Factory

A

Automated account provisioning
* Cloud admins or end users (with appropriate permissions)
* Guardrails - automatically added
* Account admin given to a named user (IAM Identity Center)
* Account and network standard configuration

9
Q

AWS RAM

A

It is very practical for sharing resources within a subnet with other principals in a separate account, either with an individual account or with an organization account.

Shared services are read only.

10
Q

CFN-Signal

A

This is an agent that runs inside an instance.

11
Q

Notes on AWS RAM

A
  • VPCs can be created which provide shared infrastructure services to other AWS accounts
  • VPC Owners create and manage the VPC & Subnets and can share to participants
  • VPC Owners cannot delete or modify resources created by participants
  • Some resources can be shared with ANY account, some only with AWS ORG accounts
  • Participants can provision services into the shared subnets, read and reference network objects but not modify or delete them
12
Q

Inline vs Managed Policy

A

Managed policy - one policy attached to many users.

Inline policy - gives each user a unique set of permissions, e.g. for special or exceptional access or denies.

13
Q

IAM ROLES LIMITS

A

IAM roles do not have a limit. A role can be used by millions of identities inside and outside of AWS.

Role sessions are temporary.

14
Q

IAM ROLES USE CASE

A
  1. Emergency access
  2. Lambda functions, where the number of functions cannot be determined
  3. >= 500 identities needed, or non-AWS identities (SAML 2.0, Facebook, Google, etc.)
  4. Privilege escalation
15
Q

Service Linked Role

A

e.g. a Lambda role, or a CloudWatch role for EC2

16
Q

IAM PassRole

A

Grants a user the ability to use or issue a service-linked role.

AWS: To pass a role (and its permissions) to an AWS service, a user must have permissions to pass the role to the service. This helps administrators ensure that only approved users can configure a service with a role that grants permissions. To allow a user to pass a role to an AWS service, you must grant the PassRole permission to the user’s IAM user, role, or group.

17
Q

IAM Trust policy

A

Not every random identity can use a created IAM role; the trust policy specifies which identities can assume the role.

AWS: The trust policy defines which principals can assume the role, and under which conditions. A trust policy is a specific type of resource-based policy for IAM roles.

18
Q

STS

A

STS generates temporary credentials which can access AWS resources until they expire. They authorise access based on the permissions policy.

After evaluating the permissions policy and the trust policy, credentials are returned to the identity requesting them. Another sts:AssumeRole* call is required when the credentials expire.

19
Q

Ec2Metadata

A

IAM role credentials are always stored in the instance metadata for any application on the instance to access. As long as the credentials are in the instance metadata they are automatically renewed before they expire, so they are always up to date. They are served under:

iam/security-credentials/role-name

20
Q

Risk of storing sensitive data on Instance metadata

A

All CLI tools (and any other process) within an instance have access to the instance credentials stored in metadata.

21
Q

IAM POLICY Variable

A

{
  "Version": "2012-10-17",
  "Statement": [{
    "Action": ["iam:AccessKey"],
    "Effect": "Allow",
    "Resource": ["arn:aws:iam::account-id:user/${aws:username}"]
  }]
}

The ${aws:username} variable is replaced at evaluation time by the name of the user making the request.

22
Q

Instance profile

A

If you create an IAM role using the console, an instance profile is created for you; using the CLI, you have to create them separately.

23
Q

IAM Role with External ID

A

A randomly generated ID issued along with an IAM role as an extra layer of security over a role that could otherwise be assumed by anyone who knows its ARN.