Gotchas/Distractors from Publicly Available Security Questions Flashcards

1
Q

Can Route53 do DNS query logging? Public or private zones? Non Route53?

A

Route 53 query logging covers public hosted zones: it records the queries that DNS resolvers send to Route 53 for names in that zone and delivers them to CloudWatch Logs. It does not cover private hosted zones. Queries that originate inside a VPC, whether for private zones or for any non-Route 53 domain, are logged separately by Route 53 Resolver query logging (delivered to CloudWatch Logs, S3 or Kinesis Data Firehose).

A public-zone log entry contains the log format version, timestamp, hosted zone ID, queried domain name, record type (A, AAAA, CNAME, TXT, ...), response code (NOERROR, NXDOMAIN, ...), protocol (UDP/TCP), the Route 53 edge location that answered, the resolver's IP address and the EDNS client subnet if the resolver sent one. Caveat: only queries that actually reach Route 53 are logged; answers served from a resolver's cache never appear.
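As an added example (not part of the original flashcards), a parser for public hosted zone query log lines plus one detection the log makes possible: spotting DNS tunnelling/exfiltration toward your own zone, the same behaviour GuardDuty reports as data exfiltration using DNS. The sample lines, zone name, resolver IPs and thresholds are constructed placeholders; the field order is the one the AWS documentation describes for this log.

```python
from collections import defaultdict
from math import log2

# Constructed sample lines (not real traffic) in the space-separated format of Route 53
# public hosted zone query logs: log format version, timestamp, hosted zone ID, query name,
# query type, response code, protocol, edge location, resolver IP, EDNS client subnet.
SAMPLE_LOG = [
    "1.0 2024-05-01T10:00:01.000Z Z1ABCDEFGHIJK example.com A NOERROR UDP IAD12 192.0.2.10 -",
    "1.0 2024-05-01T10:00:02.000Z Z1ABCDEFGHIJK www.example.com AAAA NOERROR UDP IAD12 192.0.2.10 -",
    "1.0 2024-05-01T10:00:03.000Z Z1ABCDEFGHIJK aaaaaaaaaaaaaaaaaaaa.example.com A NXDOMAIN UDP IAD12 192.0.2.10 -",
    "1.0 2024-05-01T10:00:04.000Z Z1ABCDEFGHIJK k7x2m9q4w1z8v3b6n5c0.example.com TXT NXDOMAIN UDP FRA2 198.51.100.7 -",
    "1.0 2024-05-01T10:00:05.000Z Z1ABCDEFGHIJK p3r8t1y6u4i2o9a5s7d0.example.com TXT NXDOMAIN UDP FRA2 198.51.100.7 -",
    "1.0 2024-05-01T10:00:06.000Z Z1ABCDEFGHIJK f4g9h2j7l1z5x8c3v6b0.example.com TXT NXDOMAIN UDP FRA2 198.51.100.7 -",
    "1.0 2024-05-01T10:00:07.000Z Z1ABCDEFGHIJK mail.example.com MX NOERROR TCP IAD12 192.0.2.10 -",
]

FIELDS = ("version", "timestamp", "hosted_zone_id", "query_name", "query_type",
          "response_code", "protocol", "edge_location", "resolver_ip", "edns_client_subnet")


def parse_query_log(lines):
    """Split each log line into a dict keyed by FIELDS; reject lines with the wrong arity."""
    records = []
    for line in lines:
        parts = line.split()
        if len(parts) != len(FIELDS):
            raise ValueError(f"unexpected field count {len(parts)}: {line!r}")
        rec = dict(zip(FIELDS, parts))
        rec["query_name"] = rec["query_name"].lower().rstrip(".")
        records.append(rec)
    return records


def shannon_entropy(text):
    """Bits per character: random-looking labels score high, 'aaaa...' scores 0."""
    if not text:
        return 0.0
    return -sum(text.count(c) / len(text) * log2(text.count(c) / len(text)) for c in set(text))


def looks_like_tunnel_label(query_name, zone, min_len=16, min_entropy=3.0):
    """Heuristic for DNS tunnelling: a long, high-entropy leftmost label under the zone.
    The thresholds are assumptions to tune against your own traffic."""
    suffix = "." + zone
    if not query_name.endswith(suffix):
        return False
    label = query_name[: -len(suffix)].split(".")[0]
    return len(label) >= min_len and shannon_entropy(label) >= min_entropy


def suspicious_resolvers(records, zone, min_hits=3):
    """Group tunnel-looking queries by resolver IP; return resolvers at or above min_hits."""
    hits = defaultdict(list)
    for rec in records:
        if looks_like_tunnel_label(rec["query_name"], zone):
            hits[rec["resolver_ip"]].append(rec["query_name"])
    return {ip: names for ip, names in hits.items() if len(names) >= min_hits}


if __name__ == "__main__":
    for ip, names in suspicious_resolvers(parse_query_log(SAMPLE_LOG), "example.com").items():
        print(ip, len(names), "tunnel-looking queries, e.g.", names[0])
```

The heuristic keys on what tunnelling tools cannot avoid: every chunk of data becomes a unique, long, random-looking label, and because the name is unique it misses every resolver cache and reaches Route 53 (hence the NXDOMAIN answers and the fact that they show up in this log at all). The low-entropy `aaaa...` label is deliberately not flagged. Tune `min_len` and `min_entropy` against your own traffic, since CDNs and some SaaS verification records also use long labels.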

2
Q

What are the different types of STS AssumeRole?

A

Three AssumeRole variants:
AssumeRole
AssumeRoleWithSAML
AssumeRoleWithWebIdentity

Two other STS calls that also return temporary credentials but do not assume a role (they stay bound to the calling IAM user's permissions):
GetFederationToken
GetSessionToken

3
Q

What is AssumeRole? And what policies

A
  • for temporary access to resources in your own or another account. Session default 1 hr, min 15 min, max 12 hrs (the cap is the role's configured maximum session duration; credentials obtained by role chaining are limited to 1 hr)
    * to be assumable from another account, the role's trust policy must name that account (or a principal in it); the trust policy is set when the role is created and can be edited later
    * the user assuming the role needs sts:AssumeRole on the role's ARN in their own identity-based policy; the trust policy alone is not enough for cross-account access
    * practitioner hardening: add an sts:ExternalId condition to the trust policy when a third party assumes the role (confused-deputy protection) and require aws:MultiFactorAuthPresent for human callers

4
Q

What is AssumeRoleWithSAML?

A
  • for users authenticated by a SAML 2.0 identity provider (for example AD FS in front of Active Directory); they need no AWS-specific credentials
    * the IdP signs the SAML assertion; AWS checks that signature against the certificate in the IdP metadata document you uploaded when creating the SAML identity provider in IAM, and the assertion must name the role ARN and provider ARN to use

5
Q

What is AssumeRoleWithWebIdentity

A
  • for users authenticated by a web identity provider (Login with Amazon, Facebook, Google, a Cognito identity pool, or any OpenID Connect-compatible IdP)
    * identity is proven by the token the provider issued (an OIDC ID token for OIDC providers); AWS validates it and then issues temporary credentials for the role, whose trust policy must name that provider

6
Q

What is GetFederationToken

A

returns an access key ID, secret access key and session token for a federated user. It is called by an identity broker or application inside your network using the long-term credentials of an IAM user; the effective permissions are the intersection of that user's permissions and the session policy passed in the call, and the session can last up to 36 hrs (default 12 hrs).

7
Q

What is GetSessionToken

A

returns an access key ID, secret access key and session token for the calling IAM user (or root). Typically used to obtain MFA-authenticated temporary credentials: pass the MFA device's SerialNumber and current TokenCode, then use the returned credentials for API calls that an aws:MultiFactorAuthPresent policy condition protects. It does not change permissions (no role is involved).

8
Q

Does OAuth identity provider work with IAM?

A

OAuth 2.0 is an authorization protocol, not an authentication protocol. IAM federates identities through SAML 2.0 and OpenID Connect (OIDC, which is built on OAuth 2.0) identity providers; a bare OAuth provider cannot be registered in IAM. Cognito user pools support OAuth 2.0 flows and act as an OIDC provider.

On the API side, OAuth/JWT access tokens are validated by Lambda authorizers or Cognito authorizers for API Gateway REST APIs, by the built-in JWT authorizer for API Gateway HTTP APIs, and by the Amplify Framework through Cognito.

9
Q

How do you set up AD users to access AWS?

A

1) In IAM, create an identity provider of type SAML and upload the FederationMetadata.xml file from your AD FS server 2) Create IAM roles whose trust policy allows sts:AssumeRoleWithSAML from that provider, and map AD groups to those roles through claim rules in AD FS (the Role claim carries "role-arn,provider-arn" pairs)

10
Q

What is login flow for AD users to access AWS?

A
  1) The user signs in to AD FS with their corporate login
  2) AD FS returns a signed SAML assertion, which the browser posts to the AWS sign-in endpoint (https://signin.aws.amazon.com/saml)
  3) AWS Sign-in calls STS AssumeRoleWithSAML to obtain temporary credentials for the role chosen from the assertion
  4) AWS Sign-in builds a console sign-in URL and redirects the user into the AWS Management Console

11
Q

Does EC2 port 25 throttle?

A

Outbound traffic on port 25 (SMTP) is throttled/blocked by default on EC2 instances. You can ask AWS to lift the restriction for your account through the "Request to remove email sending limitations" form, describing the use case and the DNS records you will use (including reverse DNS for the sending Elastic IPs). Or avoid the issue altogether: submit mail over port 587 (or 465) to a relay such as Amazon SES, which is not throttled.

12
Q

Does NATGW go in public or private subnet?

A

The NAT gateway lives in a public subnet (one whose route table sends 0.0.0.0/0 to the internet gateway), needs an Elastic IP, and the private subnets' route tables get a 0.0.0.0/0 route pointing at the NAT gateway so their instances can initiate outbound connections without being reachable from the internet.

13
Q

For Penetration testing, what services don’t need approval?

A

EC2 instances, NAT gateways, Elastic Load Balancers, RDS, Aurora, CloudFront, API Gateway, Lambda (including Lambda@Edge), Lightsail, Elastic Beanstalk environments (also WAF and AppSync). No prior approval is needed for these, but the prohibited activities on card 27 still apply, and the authoritative list is the AWS customer support policy for penetration testing, so check it before an engagement.

14
Q

What does StringEquals: s3:x-amz-server-side-encryption: aws:s3 do?

A

Nothing: aws:s3 is not a valid value, so that condition can never match. The condition key mirrors the x-amz-server-side-encryption header of the PutObject request, and only two values are possible: AES256 for SSE-S3 and aws:kms for SSE-KMS (aws:kms:dsse for dual-layer SSE-KMS is a newer third). Gotcha: StringEquals only matches when the header is present with exactly that value, so an Allow using it does not cover requests that omit the header; to reject those explicitly, pair it with a Null condition on the same key. Since S3 now applies SSE-S3 to new objects by default, such policies are really about forcing a specific choice (SSE-KMS with your key), not encryption as such.
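Added example, not from the original page: a small evaluator for the three condition operators involved, with a constructed bucket policy (placeholder account, role, bucket and Sids) that shows how the same PutObject looks to S3 with the header set correctly, set to the other valid value, and missing.

```python
from fnmatch import fnmatchcase

SSE_KEY = "s3:x-amz-server-side-encryption"
APP_ROLE = "arn:aws:iam::111111111111:role/uploader"       # placeholder account/role
OBJECTS = "arn:aws:s3:::example-secure-bucket/*"            # placeholder bucket
OBJECT_KEY = "arn:aws:s3:::example-secure-bucket/reports/q1.csv"

# Constructed bucket policy: the uploader may PutObject only with SSE-KMS; a missing
# header and a wrong header value are each denied by their own statement.
BUCKET_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Sid": "AllowKmsPuts", "Effect": "Allow", "Principal": {"AWS": APP_ROLE},
         "Action": "s3:PutObject", "Resource": OBJECTS,
         "Condition": {"StringEquals": {SSE_KEY: "aws:kms"}}},
        {"Sid": "DenyMissingHeader", "Effect": "Deny", "Principal": "*",
         "Action": "s3:PutObject", "Resource": OBJECTS,
         "Condition": {"Null": {SSE_KEY: "true"}}},
        {"Sid": "DenyWrongHeader", "Effect": "Deny", "Principal": "*",
         "Action": "s3:PutObject", "Resource": OBJECTS,
         "Condition": {"StringNotEquals": {SSE_KEY: "aws:kms"}}},
    ],
}


def _as_list(value):
    return value if isinstance(value, list) else [value]


def _principal_matches(principal, caller_arn):
    if principal == "*":
        return True
    return caller_arn in _as_list(principal.get("AWS", []))


def _condition_matches(condition, context):
    """Model of the three operators used above: an absent key never satisfies StringEquals,
    always satisfies the negated StringNotEquals, and is exactly what Null "true" tests."""
    for operator, pairs in condition.items():
        for key, expected in pairs.items():
            wanted = [str(v) for v in _as_list(expected)]
            present = key in context
            if operator == "Null":
                ok = (wanted[0].lower() == "true") == (not present)
            elif operator == "StringEquals":
                ok = present and context[key] in wanted
            elif operator == "StringNotEquals":
                ok = (not present) or context[key] not in wanted
            else:
                raise ValueError(f"operator {operator} not modelled")
            if not ok:
                return False
    return True


def decide(policy, caller_arn, action, resource, context):
    """Return (decision, sid): an explicit Deny beats any Allow; no match is an implicit deny."""
    allow_sid = None
    for st in policy["Statement"]:
        if not _principal_matches(st["Principal"], caller_arn):
            continue
        if not any(fnmatchcase(action, a) for a in _as_list(st["Action"])):
            continue
        if not any(fnmatchcase(resource, r) for r in _as_list(st["Resource"])):
            continue
        if not _condition_matches(st.get("Condition", {}), context):
            continue
        if st["Effect"] == "Deny":
            return "deny", st["Sid"]
        allow_sid = allow_sid or st["Sid"]
    return ("allow", allow_sid) if allow_sid else ("implicit-deny", None)


if __name__ == "__main__":
    for ctx in ({SSE_KEY: "aws:kms"}, {SSE_KEY: "AES256"}, {}):
        print(ctx, "->", decide(BUCKET_POLICY, APP_ROLE, "s3:PutObject", OBJECT_KEY, ctx))
```

The request context dictionary stands in for the headers S3 turns into condition keys. Note that the Null statement is what makes the "no header at all" case an explicit, auditable deny rather than a side effect of the operator semantics, which is why the AWS-documented SSE policies carry both statements.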

15
Q

Is there a CloudWatch Logs agent for EC2?

A

The unified CloudWatch agent can be installed on Linux or Windows EC2 instances and on on-premises servers. Logs go to CloudWatch Logs; the metrics it collects (memory, disk, etc.) are billed as custom metrics. The instance needs an IAM role allowing logs:CreateLogStream/PutLogEvents and cloudwatch:PutMetricData (the CloudWatchAgentServerPolicy managed policy covers this).

16
Q

Is Elasticache encrypted?

A

Memcached: no encryption at rest, and in-transit TLS only on newer engine versions (1.6.12 and later). Redis: yes, both at rest (KMS) and in transit (TLS), plus Redis AUTH tokens and RBAC for authentication.

17
Q

What is IAM credential report?

A

Lists every IAM user in the account and the status of their credentials: password (enabled, last used, last changed, next rotation), MFA (active or not), access keys (active, last rotated, last used, including which service and region), and X.509 signing certificates. Generated as CSV, at most once every four hours; useful for finding stale access keys and console users without MFA.

18
Q

What all can CW Events trigger directly?

A

EC2 actions (stop/terminate/reboot), Lambda, Kinesis Data Streams, Kinesis Data Firehose, CloudWatch Logs log groups, ECS tasks, Systems Manager (Run Command, Automation), Batch jobs, Step Functions, CodePipeline, CodeBuild, Inspector assessments, SNS, SQS, and an event bus in another account. The target receives the event as JSON (optionally reshaped by an input transformer). CloudWatch Events is now Amazon EventBridge; the rules and targets are the same.

19
Q

How do you keep TLS certificates from being stolen by would-be spoofers?

A

Use certificates from AWS Certificate Manager: the private key is generated and stored inside ACM (protected by KMS), ACM deploys it to CloudFront, ELB and API Gateway for you, and you never download or handle it, so there is no key file to steal; ACM also renews automatically. (SSE-S3 and encrypted EBS volumes protect data at rest; they have nothing to do with TLS keys.)

20
Q

What does Cloudwatch Logs log?

A

Anything you ship to it: EC2/on-prem logs via the CloudWatch agent, CloudTrail events (when the trail is configured to deliver to a log group, which lets you alarm on specific API activity), Route 53 query logs, VPC flow logs, Lambda and API Gateway execution logs.
A Log Group contains many Log Streams (typically one per instance or function), each a sequence of Log Events.
Metric Filters are defined on the Log Group and apply to every Stream in it; a filter turns matching events into a CloudWatch metric you can alarm on.
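Added example, not from the page: an offline interpreter for the `||`, `&&`, `=` and `!=` subset of the CloudWatch metric filter pattern syntax, used to check two CIS-style CloudTrail patterns (written in real CloudWatch syntax inside the block) against constructed CloudTrail events before you create the filter. The events, usernames and the tokenizer/parser are mine, not AWS code; treating an absent field as matching neither `=` nor `!=` is a modelling choice.

```python
import json
import re
from fnmatch import fnmatchcase

# Metric filter patterns of the kind the CIS AWS Foundations Benchmark recommends for a
# CloudTrail log group (CloudWatch syntax; the interpreter below is added here).
CLOUDTRAIL_CHANGES = ("{ ($.eventName = CreateTrail) || ($.eventName = UpdateTrail) || "
                      "($.eventName = DeleteTrail) || ($.eventName = StartLogging) || "
                      "($.eventName = StopLogging) }")
UNAUTHORIZED_CALLS = '{ ($.errorCode = "*UnauthorizedOperation") || ($.errorCode = "AccessDenied*") }'

# Constructed CloudTrail events, one JSON object per log line as a trail delivers them.
SAMPLE_EVENTS = [
    '{"eventSource": "cloudtrail.amazonaws.com", "eventName": "StopLogging", "userIdentity": {"type": "IAMUser", "userName": "alice"}}',
    '{"eventSource": "ec2.amazonaws.com", "eventName": "DescribeInstances", "errorCode": "Client.UnauthorizedOperation"}',
    '{"eventSource": "s3.amazonaws.com", "eventName": "GetObject", "errorCode": "AccessDenied"}',
    '{"eventSource": "cloudtrail.amazonaws.com", "eventName": "DescribeTrails", "userIdentity": {"type": "AssumedRole"}}',
]

# Tokens: || && != = braces/parens, "quoted value", $.field.path, or a bare value.
_TOKEN = re.compile(r'\s*(\|\||&&|!=|=|[{}()]|"[^"]*"|\$[\w.\[\]]+|[^\s{}()]+)')


def _tokenize(pattern):
    tokens, pos = [], 0
    while pos < len(pattern):
        m = _TOKEN.match(pattern, pos)
        if not m:
            raise ValueError(f"cannot tokenize near {pattern[pos:]!r}")
        tokens.append(m.group(1))
        pos = m.end()
    return tokens


class _Parser:
    """pattern := '{' expr '}'; expr := term ('||' term)*; term := factor ('&&' factor)*;
    factor := '(' expr ')' | '$.path' ('=' | '!=') value"""

    def __init__(self, tokens):
        self.tokens, self.pos = tokens, 0

    def _peek(self):
        return self.tokens[self.pos] if self.pos < len(self.tokens) else None

    def _take(self, expected=None):
        tok = self._peek()
        if tok is None or (expected is not None and tok != expected):
            raise ValueError(f"expected {expected or 'a token'}, got {tok!r}")
        self.pos += 1
        return tok

    def parse(self):
        self._take("{")
        node = self._expr()
        self._take("}")
        if self._peek() is not None:
            raise ValueError("trailing tokens after '}'")
        return node

    def _expr(self):
        node = self._term()
        while self._peek() == "||":
            self._take()
            node = ("or", node, self._term())
        return node

    def _term(self):
        node = self._factor()
        while self._peek() == "&&":
            self._take()
            node = ("and", node, self._factor())
        return node

    def _factor(self):
        if self._peek() == "(":
            self._take("(")
            node = self._expr()
            self._take(")")
            return node
        path = self._take()
        if not path.startswith("$."):
            raise ValueError(f"expected a $.field selector, got {path!r}")
        op = self._take()
        if op not in ("=", "!="):
            raise ValueError(f"unsupported operator {op!r}")
        value = self._take()
        if value.startswith('"'):
            value = value[1:-1]
        return ("cmp", path[2:].split("."), op, value)


def _lookup(event, path):
    node = event
    for key in path:
        if not isinstance(node, dict) or key not in node:
            return None
        node = node[key]
    return node


def _eval(node, event):
    if node[0] == "or":
        return _eval(node[1], event) or _eval(node[2], event)
    if node[0] == "and":
        return _eval(node[1], event) and _eval(node[2], event)
    _, path, op, value = node
    actual = _lookup(event, path)
    if actual is None:          # absent field matches nothing (modelling choice)
        return False
    hit = fnmatchcase(str(actual), value)   # '*' wildcards as in CloudWatch patterns
    return hit if op == "=" else not hit


def compile_filter(pattern):
    """Turn a filter pattern into a predicate over one parsed log event."""
    tree = _Parser(_tokenize(pattern.strip())).parse()
    return lambda event: _eval(tree, event)


def matching_events(pattern, log_lines):
    """Apply a pattern to JSON log lines the way a metric filter would; return the hits."""
    matches = compile_filter(pattern)
    return [event for event in map(json.loads, log_lines) if matches(event)]
```

The value of running this before `put-metric-filter` is the same as unit-testing any detection rule: you learn whether the `StopLogging` event actually trips `CLOUDTRAIL_CHANGES` and whether `"AccessDenied*"` catches both the bare `AccessDenied` and its longer variants, without waiting for real events to arrive in the log group.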

21
Q

What all threats can Guardduty detect?

A

Data sources: CloudTrail management events, CloudTrail S3 data events, VPC flow logs and DNS logs (GuardDuty reads these independently of whether you have enabled them yourself), plus newer sources such as EKS audit logs.
Findings include: unusual API calls, suspicious outbound communication to known malicious IPs, possible data theft using DNS queries, access to AWS resources from an unusual geo-location, attempts to disable CloudTrail logging, taking snapshots of a database from a malicious IP, intra-VPC port scanning, unusual patterns of failed login requests, unblocked port probing from a known bad IP, cryptocurrency mining, backdoor command and control (C&C) activity, malware using domain generation algorithms (DGA), outbound DoS activity, unusually high volumes of network traffic, unusual network protocols, outbound instance communication with a known malicious IP, temporary EC2 credentials used from an external IP, data exfiltration using DNS, API calls from an anonymizing proxy, unusual instance launches, deployments in an unusual region, unusual data access patterns for S3, S3 API activity from a remote host, and API calls retrieving data from S3 buckets by a user with no prior history of doing so

22
Q

What is the difference between Inspector vs Config checks?

A

Inspector assesses EC2 instances (and, in the current version, container images in ECR and Lambda functions) for exposure and vulnerabilities: deviations from best practices, unintended network accessibility, remote root login enabled, vulnerable software versions installed. Inspector discovers software by querying the OS package manager or installer (apt, yum, Microsoft Installer), so only software installed that way is assessed; a binary copied into /opt is invisible to it.

Config continuously records your AWS resource configurations and evaluates them against desired configurations (Config rules): you can review configuration changes, relationships between resources and configuration history, and determine overall compliance against the configurations specified in your internal guidelines.

Through its Systems Manager inventory integration, Config also records software configuration changes inside EC2 instances and on-premises servers: OS configuration, system-level updates, installed applications and network configuration, with a history of OS and system-level changes kept alongside the infrastructure configuration changes recorded for EC2.

23
Q

Ephemeral ports for NACL and SG - why do you need them?

A

Because a TCP/UDP client does not reply on the port it connected to: the client picks a high-numbered ephemeral source port for each connection, and the server's reply goes back to that port. Security groups are stateful, so return traffic is allowed automatically; NACLs are stateless, so they need an explicit rule for the ephemeral range in the reply direction (outbound for a server in the subnet, inbound for connections the subnet initiates). Use 1024-65535: Linux uses 32768-60999, Windows 49152-65535, NAT gateways and load balancers 1024-65535.
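Added example, not part of the original page: a stateless evaluator for network ACL rules that walks both halves of a TCP exchange, so you can see which packet the "HTTPS in, HTTPS out" ACL drops and which rule fixes it. The ACL, subnet and IP addresses are constructed placeholders.

```python
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Rule:
    """One network ACL entry. As in AWS, the CIDR is the *remote* side (source for inbound,
    destination for outbound) and the port range is the packet's *destination* port."""
    number: int        # lowest matching number wins; unmatched packets hit the implicit '*' deny
    direction: str     # "inbound" or "outbound"
    protocol: str      # "tcp", "udp" or "-1" for all
    port_from: int
    port_to: int
    cidr: str
    action: str        # "allow" or "deny"


def packet_allowed(rules, direction, protocol, remote_ip, dst_port):
    """Stateless evaluation of one packet against the ACL, in rule-number order."""
    remote = ipaddress.ip_address(remote_ip)
    candidates = sorted((r for r in rules if r.direction == direction), key=lambda r: r.number)
    for rule in candidates:
        if rule.protocol not in ("-1", protocol):
            continue
        if rule.protocol != "-1" and not (rule.port_from <= dst_port <= rule.port_to):
            continue
        if remote not in ipaddress.ip_network(rule.cidr):
            continue
        return rule.action == "allow"
    return False   # implicit deny


def inbound_connection(rules, client_ip, client_port, server_port, protocol="tcp"):
    """Client -> subnet: the request is an inbound packet to server_port, the reply an
    outbound packet to the client's ephemeral client_port. Returns (request_ok, reply_ok)."""
    return (packet_allowed(rules, "inbound", protocol, client_ip, server_port),
            packet_allowed(rules, "outbound", protocol, client_ip, client_port))


def outbound_connection(rules, remote_ip, remote_port, local_port, protocol="tcp"):
    """Subnet -> internet: the request is outbound to remote_port, the reply comes back
    inbound to the instance's ephemeral local_port. Returns (request_ok, reply_ok)."""
    return (packet_allowed(rules, "outbound", protocol, remote_ip, remote_port),
            packet_allowed(rules, "inbound", protocol, remote_ip, local_port))


# Constructed ACL for a public web subnet written the intuitive (wrong) way: HTTPS in, HTTPS out.
WEB_NACL_NO_EPHEMERAL = [
    Rule(100, "inbound", "tcp", 443, 443, "0.0.0.0/0", "allow"),
    Rule(100, "outbound", "tcp", 443, 443, "0.0.0.0/0", "allow"),
]

# The same ACL with the ephemeral range allowed both ways. 1024-65535 covers Linux
# (32768-60999), Windows (49152-65535), NAT gateways and load balancers (1024-65535).
WEB_NACL = WEB_NACL_NO_EPHEMERAL + [
    Rule(110, "outbound", "tcp", 1024, 65535, "0.0.0.0/0", "allow"),  # replies to clients
    Rule(110, "inbound", "tcp", 1024, 65535, "0.0.0.0/0", "allow"),   # replies to our own outbound calls
]

if __name__ == "__main__":
    print("browser -> web server, no ephemeral rule:", inbound_connection(WEB_NACL_NO_EPHEMERAL, "203.0.113.5", 51234, 443))
    print("browser -> web server, with ephemeral rule:", inbound_connection(WEB_NACL, "203.0.113.5", 51234, 443))
    print("web server -> external API, with ephemeral rule:", outbound_connection(WEB_NACL, "198.51.100.7", 443, 40000))
```

With the first ACL the SYN reaches the server but the SYN-ACK to port 51234 is dropped on the way out, which is exactly the "connection hangs" symptom people see when they forget the reply direction. A security group would not need rules 110 at all, because it tracks the connection state.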

24
Q

Port scanning- do any of our services track it?

A

GuardDuty does, from VPC flow logs: Recon:EC2/Portscan when one of your instances is doing the scanning, Recon:EC2/PortProbeUnprotectedPort when an instance with an open port is being probed from a known bad IP. That is detection only; VPC flow logs hold the raw evidence, and NACL/security group changes or Inspector's network reachability findings are how you close the exposure.

25
Q

Can Config trigger Lambda? In what cases?

A

Two ways. Custom Config rules are themselves Lambda functions that Config invokes whenever a resource's configuration changes or on a schedule, and the function reports compliant/non-compliant back to Config. Separately, Config emits CloudWatch/EventBridge events that can target Lambda: API calls to Config itself (via CloudTrail), configuration item changes, Config rule compliance changes, and snapshot or configuration history delivery.

Config can also send every notification to an SNS topic, from which you can filter what you need into SQS or Lambda.

26
Q

KMS different type of keys - which ones can be rotated when?

A

AWS owned key: not in your account, AWS manages everything, you get no rotation control or CloudTrail visibility, eg: SSE-S3

AWS managed key (alias aws/<service>): auto-rotates every year (it used to be every 3 years), not configurable, used by AWS services on your behalf, key policy not editable

Customer managed key: you can enable automatic rotation (yearly by default) or rotate manually any time by creating a new key and repointing the alias; you manage the key policy, can disable it and schedule deletion

Key with imported key material: only manual rotation (import new material into a new key); you are responsible for the availability and durability of the material and can delete it immediately

Data keys from GenerateDataKey are symmetric; GenerateDataKeyPair returns an asymmetric (public/private) pair. Data keys leave KMS, and rotating the KMS key does not re-encrypt data keys already issued; the old backing key stays available to decrypt them

KMS keys are symmetric by default and that is what AWS services integrated with KMS use. Asymmetric KMS keys (RSA, ECC) exist for signing or encryption: the public key can be downloaded and used outside KMS, the private key never leaves it. Note: CMK is the older name for what AWS now calls a KMS key

27
Q

Pen testing on EC2 - what is not allowed?

A

DNS zone walking via Route 53 hosted zones, DoS/DDoS and simulated DoS, port flooding, protocol flooding, request flooding (login or API request flooding). DDoS simulation is allowed only through AWS-approved vendors under the separate DDoS simulation testing policy.

28
Q

Systems Manager Patch Manager what all does it do?

A

scans managed instances and reports patch compliance, and installs missing patches, on a schedule (a maintenance window or State Manager association) or on demand. Which patches count as approved comes from a patch baseline (auto-approval rules, approved/rejected lists); instances need the SSM agent and an instance profile that allows Systems Manager.

29
Q

Who can add grant to object ACL? Other accounts?

A

An ACL grant names an AWS account (by canonical user ID) or a predefined group (AllUsers, AuthenticatedUsers, LogDelivery), never an individual IAM user in your own account; grants can only allow (READ, WRITE, READ_ACP, WRITE_ACP, FULL_CONTROL), there is no deny. Caveat: new buckets default to Object Ownership = bucket owner enforced, which disables ACLs entirely, so use bucket policies for cross-account access instead.

30
Q

Can CW events trigger CLI command?

A

Not directly. Targets are EC2 actions, Lambda, Kinesis, CloudWatch Logs log groups, ECS tasks, Batch, Step Functions, SNS, SQS, CodeBuild, CodePipeline and Systems Manager (Run Command, Automation). To run a command, trigger a Lambda function that calls the SDK, or use the Systems Manager Run Command target to execute a shell or PowerShell document on instances.

31
Q

What is the difference between IAM service role, resource policy, Lambda execution role?

A

Service role = an IAM role that an AWS service assumes to act on your behalf; its trust policy names the service principal (eg ec2.amazonaws.com)
Lambda resource-based / function policy = attached to the function, gives other accounts or services (S3, SNS, API Gateway) permission to invoke it
Lambda execution role = the service role the function assumes at run time, giving it permission to call other services (and to write its own logs to CloudWatch Logs)

32
Q

SSM Parameter store with KMS CMK - what all IAM roles does it need?

A

The caller (eg the EC2 instance role) needs ssm:GetParameter on the parameter AND kms:Decrypt on the key that protects the SecureString. Parameter Store does the decrypting when you call GetParameter with WithDecryption=true, but it calls KMS Decrypt using the caller's credentials, so the caller's identity policy (and the key policy) must allow it; without kms:Decrypt the call fails, and with WithDecryption=false you get the ciphertext back.

33
Q

Is DX always encrypted in transit?

A

No. Direct Connect is a private circuit, not an encrypted one. To encrypt in transit, run a site-to-site VPN (IPsec) over the DX connection (via a public VIF, or a transit VIF with Transit Gateway), use MACsec on dedicated 10/100 Gbps connections, or encrypt at the application layer (TLS).

34
Q

Trust policies for cross account access - what does it do?

A

A trust policy is the resource-based policy attached to an IAM role; it names the principals (accounts, users, roles, services, federated providers) allowed to assume the role and can add conditions (sts:ExternalId, aws:MultiFactorAuthPresent).

For cross-account access both halves are required: the requester in AccountA needs an identity-based policy allowing sts:AssumeRole on the role ARN in AccountB, AND the role in AccountB needs a trust policy allowing that requester (or AccountA's root, which delegates the choice of principals to AccountA's admins). The same two-sided rule applies to other resource-based policies (S3 bucket policies, KMS key policies) when the principal is in another account.
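Added example (not from the original cards), serving card 3 and this card: a simplified evaluator of the two-sided cross-account AssumeRole check. Account IDs, role and user names and the external ID are placeholders; only the StringEquals condition on sts:ExternalId is modelled, and principals are matched by full ARN or account root.

```python
from fnmatch import fnmatchcase

# Constructed policies; account IDs, names and the external ID are placeholders.
ROLE_ARN = "arn:aws:iam::222222222222:role/AuditReader"     # lives in account B
ALICE = "arn:aws:iam::111111111111:user/alice"              # callers in account A
BOB = "arn:aws:iam::111111111111:user/bob"
EXTERNAL_ID = "audit-2024"

# Resource-based half, attached to the role in account B: who may assume it.
TRUST_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Allow",
        "Principal": {"AWS": "arn:aws:iam::111111111111:root"},   # trusts account A as a whole...
        "Action": "sts:AssumeRole",
        "Condition": {"StringEquals": {"sts:ExternalId": EXTERNAL_ID}},
    }],
}

# Identity-based half, in account A: ...so account A's admins decide which principals may use it.
ALICE_POLICY = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": "sts:AssumeRole", "Resource": ROLE_ARN}]}
BOB_POLICY = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": "s3:Get*", "Resource": "*"}]}


def _as_list(value):
    return value if isinstance(value, list) else [value]


def identity_allows(policy, action, resource):
    """Caller's identity-based policy: an explicit Deny wins, otherwise any matching Allow."""
    allowed = False
    for st in policy["Statement"]:
        if not any(fnmatchcase(action, a) for a in _as_list(st.get("Action", []))):
            continue
        if not any(fnmatchcase(resource, r) for r in _as_list(st.get("Resource", []))):
            continue
        if st["Effect"] == "Deny":
            return False
        allowed = True
    return allowed


def trust_allows(trust_policy, caller_arn, external_id=None):
    """Role trust policy: the caller, its account root or '*' must be a listed principal,
    and an sts:ExternalId condition, if present, must match the value passed in the call."""
    account_root = "arn:aws:iam::%s:root" % caller_arn.split(":")[4]
    allowed = False
    for st in trust_policy["Statement"]:
        if "sts:AssumeRole" not in _as_list(st.get("Action", [])):
            continue
        principal = st.get("Principal", {})
        principals = ["*"] if principal == "*" else _as_list(principal.get("AWS", []))
        if not any(p in ("*", caller_arn, account_root) for p in principals):
            continue
        wanted = st.get("Condition", {}).get("StringEquals", {}).get("sts:ExternalId")
        if wanted is not None and wanted != external_id:
            continue
        if st["Effect"] == "Deny":
            return False
        allowed = True
    return allowed


def can_assume(identity_policy, caller_arn, trust_policy, role_arn, external_id=None):
    """Cross-account AssumeRole succeeds only when BOTH halves allow it."""
    return (identity_allows(identity_policy, "sts:AssumeRole", role_arn)
            and trust_allows(trust_policy, caller_arn, external_id))


if __name__ == "__main__":
    print("alice with ExternalId:", can_assume(ALICE_POLICY, ALICE, TRUST_POLICY, ROLE_ARN, EXTERNAL_ID))
    print("alice without ExternalId:", can_assume(ALICE_POLICY, ALICE, TRUST_POLICY, ROLE_ARN))
    print("bob (no sts:AssumeRole in his policy):", can_assume(BOB_POLICY, BOB, TRUST_POLICY, ROLE_ARN, EXTERNAL_ID))
```

Trusting the account root is the common pattern because it keeps the principal list out of account B; the price is that every principal account A's admins grant `sts:AssumeRole` to can use the role, which is why the external ID and an MFA condition matter when the trusted account is not yours.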