Gotchas/Distractors from Publicly Available Security Questions

Question 1

Can Route53 do DNS query logging? Public or private zones? Non Route53?

Answer 1

Route53 can log DNS queries that resolver sends to R53, for public hosted zones only

Logs contain domain, time, record type (A/CNAME), R53 edge location that responded, response code

Question 2

What are the different types of STS AssumeRole?

Answer 2

AssumeRole
AssumeRoleWithSAML
AssumeRoleWithWebIdentity
GetFederationToken
GetSessionToken

Question 3

What is AssumeRole? And what policies

Answer 3

• for temp access to services in own or other accounts. Default 1 hr, min 15 min, max 12 hrs
  * to access other accounts, need that account listed in trust policy of the role when created
  * for user to AssumeRole in another account, needs ARN of the role in their allowed policy

Question 4

What is AssumeRoleWithSAML?

Answer 4

• for users authenticated using SAML like AD, do not need AWS-specific credentials
  * user identity is verified by key in metadata document provided by SAML

Question 5

What is AssumeRoleWithWebIdentity

Answer 5

• for users authenticated using a web identity provider like FB, Google, Cognito, OpenID
  * user identity is verified by token from web identity provider

Question 6

What is GetFederationToken

Answer 6

returns access key, secret key and token for federated user- used by applications within network

Question 7

What is GetSessionToken

Answer 7

returns access key, secret key and token, typically used when MFA is used to protect API calls

Question 8

Does OAuth identity provider work with IAM?

Answer 8

OAuth is a standard authorization protocol. Cognito user pools supports OAuth based authorization

Lambda authorizers for APIGW REST APIs, APIGW HTTP APIs, Amplify Framework support OAuth

Question 9

How do you set up AD users to access AWS?

Answer 9

1) Create identity provider of type SAML in IAM and upload FederationMetadata XML file from your ADFS server 2) Create IAM roles that federated users can assume

Question 10

What is login flow for AD users to access AWS?

Answer 10

• 1) user signs in to ADFS with corp login
  * 2) ADFS sends a SAML token to AWS sign-in page
  * 3) AWS Sign-in calls STS AssumeRoleWithSAML API to get a temp token
  * 4) User is sent a redirect link to AWS console

Question 11

Does EC2 port 25 throttle?

Answer 11

Port 25 is restricted by default. Can request AWS to remove it- need to provide a DNS record that will be used to send/receive email/SMTP traffic over port 25 OR use port 587 which is not throttled.

Question 12

Does NATGW go in public or private subnet?

Answer 12

NATGW is in public subnet, needs an EIP, and update route tables associated with private subnet to send traffic to NATGW for outbound

Question 13

For Penetration testing, what services don’t need approval?

Answer 13

EC2, RDS, Aurora, Cloudfront, APIGW, Lambda, Lightsail, Beanstalk

Question 14

What does StringEquals: s3:x-amz-server-side-encryption: aws:s3 do?

Answer 14

Only two specification values are possible: AES256 used to specify SSE-S3, aws:kms to specify KMS encryption

Question 15

Are there Cloudwatch logs agent for EC2?

Answer 15

CW Agent can be installed on Linux or Windows EC2, or on-prem servers. Logs are stored in CW logs and metrics are billed as custom metrics

Question 16

Is Elasticache encrypted?

Answer 16

Memcached No. Redis Yes

Question 17

What is IAM credential report?

Answer 17

lists all users in your account and the status of their various credentials, including passwords, access keys, and MFA devices eg: password last used, last changed, next rotation, MFA active, access key last used, X.509 cert active, last rotated

Question 18

What all can CW Events trigger directly?

Answer 18

EC2, Lambda, Kinesis streams, Firehose, CW logs, ECS tasks, systems manager, Batch jobs, Step functions, CodePipeline, CodeBuild, Inspector, SNS, SQS. Target receives JSON event

Question 19

How to avoid TLS certificates from being stolen by would-be spoofers?

Answer 19

Use AWS-provided encryption certificates- SSE-S3, EBS encrypted volumes, ACM for TLS certs

Question 20

What does Cloudwatch Logs log?

Answer 20

EC2 logs, Cloudtrail specific API activities (you can create), R53 DNS queries
CW Log Group can have many Log Streams, each of which is a collection of Log Events
Metric Filters are applied at Log Group level and applies to all Streams within it

Question 21

What all threats can Guardduty detect?

Answer 21

Monitors Cloudtrail events, Cloudtrail S3 data events, VPC flow logs, DNS logs
detects unusual API calls, suspicious outbound communications to known malicious IP, possible data theft using DNS queries, access of AWS resources from an unusual geo-location, attempts to disable CloudTrail logging, taking snapshots of a database from a malicious IP, intra-VPC port scanning, unusual patterns of failed login requests, unblocked port probing from a known bad IP, cryptocurrency mining, backdoor command and control (C&C) activity, malware using domain generation algorithms (DGA), outbound DoS activity, unusually high volume of network traffic, unusual network protocols, outbound instance communication with a known malicious IP, temporary EC2 credentials used by external IP, data exfiltration using DNS, API calls from anonymizing proxy, unusual instance launches, deployments in unusual region, unusual data access pattern for S3, S3 API activity from remote host, API calls to retrieve data in S3 buckets from user that had no prior history

Question 22

What is the difference between Inspector vs Config checks?

Answer 22

Inspector assesses applications on EC2 for exposure, vulnerabilities, deviations from best practices, unintended network accessibility vulnerabilities, remote root login enabled, vulnerable software versions installed. Inspector finds applications by querying the package manager or software installation system on OS, so software installed via apt, yum, or Microsoft Installer will be assessed by Inspector

Config continuously monitors and records your AWS resource configurations, evaluates them against desired configurations, review changes in configurations, relationships between AWS resources, resource configuration histories, determine your overall compliance against the configurations specified in your internal guidelines

Config record software configuration changes within EC2 and servers running on-premises, visibility into OS configurations, system-level updates, installed applications, network configuration, history of OS and system-level configuration changes alongside infrastructure configuration changes recorded for EC2

Question 23

Ephemeral ports for NACL and SG - why do you need them?

Answer 23

third party will not reply using the same port, instead it will use ephemeral ports

Question 24

Port scanning- do any of our services track it?

Answer 24

GuardDuty can, since it is unusual activity

Question 25

Can Config trigger Lambda? In what cases?

Answer 25

When Config rules you define for a resource are violated, can trigger CW event to Lambda. Can choose to create a CW event for API calls to Config itself, Config item change, Config rule compliance change, snapshot or config history delivered

Config can send all events to SNS from where you can filter what you need into SQS

Question 26

KMS different type of keys - which ones can be rotated when?

Answer 26

AWS owned CMK: not in your account, AWS manages everything eg: SSE-S3

AWS managed CMK: auto-rotates every 1 years, not configurable, used by services on your behalf

Customer managed CMK: can set auto-rotate 1 year or manually anytime, you manage, can disable

CMK with imported material: only manual rotation, you are responsible for availability/durability of key

Data keys generated by KMS can be symmetric (one key) or asymmetric (public-private)

CMK by default are symmetric and AWS services integrated with KMS all use that. Can get asymmetric CMK if needed- download the public key and use outside KMS if you want

Question 27

Pen testing on EC2 - what is not allowed?

Answer 27

DNS zone walking, DDoS simulation, port flooding, protocol flooding, request flooding

Question 28

Systems Manager Patch Manager what all does it do?

Answer 28

scan instances and report compliance, and install available patches - on a schedule or on demand

Question 29

Who can add grant to object ACL? Other accounts?

Answer 29

ACLs can only grant read/write permissions to other accounts, not users in your own account. Can only allow using grant, not explicit deny.

Question 30

Can CW events trigger CLI command?

Answer 30

No. CW Event targets can be EC2, Lambda, Kinesis, CW log groups, ECS tasks, Batch, Step Functions, SNS, SQS, CodeBuild, CodePipeline

Question 31

What is the difference between IAM service role, resource policy, Lambda execution role?

Answer 31

Service role= IAM role a service assumes to do things
Lambda resource-based /function policy = used to give other accounts or services permission to trigger Lambda
Lambda execution role = give permission to Lambda to access other services

Question 32

SSM Parameter store with KMS CMK - what all IAM roles does it need?

Answer 32

Service calling the SSM string (eg EC2) needs IAM permission to decrypt KMS (Allow kms:decrypt). SSM will NOT decrypt the string, the calling service will after GetParameter returns it

Question 33

Is DX always encrypted in transit?

Answer 33

No!

Question 34

Trust policies for cross account access - what does it do?

Answer 34

Trust policy is a resource-policy in IAM role that allows principals in other accounts to assume that role

For cross-account access, requester AccountA needs identity-based policy that allows making request to resource in AccountB AND AccountB needs resource-based policy allowing requester from AccountA to access that resource (trust policy)