Gotchas/Distractors from Publicly Available Security Questions Flashcards
Can Route 53 do DNS query logging? Public or private zones? Non-Route 53 domains?
Route 53 query logging (delivered to CloudWatch Logs) records the queries that DNS resolvers send to Route 53 for a public hosted zone only; it cannot be enabled on a private hosted zone. Queries that originate inside a VPC, including those for private hosted zones and for domains Route 53 does not host, are covered by the separate Route 53 Resolver query logging feature, which can deliver to CloudWatch Logs, S3 or Kinesis Data Firehose.
Each public-zone log entry contains the query name, timestamp, hosted zone ID, record type (A, AAAA, CNAME, ...), response code (NOERROR, NXDOMAIN, ...), transport protocol (UDP or TCP), the Route 53 edge location that answered, the IP of the resolver that sent the query and, when present, the EDNS client subnet. Note that the resolver IP is the recursive resolver (often a shared public one), not the end client.
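An added example (not from the original flashcards, not AWS code) that parses the space-separated line format Route 53 writes to CloudWatch Logs for a public hosted zone and flags resolvers that return many NXDOMAIN answers for distinct names, a common signature of subdomain brute-forcing. The log lines, zone ID, names and IPs are constructed for the example.

```python
"""Parse Route 53 public hosted zone query logs and flag resolvers that look like
they are enumerating subdomains (many distinct NXDOMAIN answers from one resolver IP).

Added example, not part of the original page. SAMPLE_LOG is constructed to match
the space-separated format Route 53 writes to CloudWatch Logs; zone ID, names and
IPs are made up.
"""
from collections import Counter

FIELDS = ("version", "timestamp", "hosted_zone_id", "query_name", "query_type",
          "response_code", "protocol", "edge_location", "resolver_ip", "edns_client_subnet")

SAMPLE_LOG = """\
1.0 2024-01-15T10:00:01Z Z0123456789ABCDEFGHIJ example.com A NOERROR UDP IAD12 198.51.100.10 198.51.100.0/24
1.0 2024-01-15T10:00:02Z Z0123456789ABCDEFGHIJ www.example.com CNAME NOERROR UDP FRA2 192.0.2.53 -
1.0 2024-01-15T10:00:03Z Z0123456789ABCDEFGHIJ dev.example.com A NXDOMAIN UDP IAD12 203.0.113.7 -
1.0 2024-01-15T10:00:03Z Z0123456789ABCDEFGHIJ staging.example.com A NXDOMAIN UDP IAD12 203.0.113.7 -
1.0 2024-01-15T10:00:04Z Z0123456789ABCDEFGHIJ vpn.example.com A NXDOMAIN UDP IAD12 203.0.113.7 -
1.0 2024-01-15T10:00:04Z Z0123456789ABCDEFGHIJ jenkins.example.com A NXDOMAIN TCP IAD12 203.0.113.7 -
1.0 2024-01-15T10:00:05Z Z0123456789ABCDEFGHIJ mail.example.com MX NOERROR UDP IAD12 203.0.113.7 -
1.0 2024-01-15T10:00:06Z Z0123456789ABCDEFGHIJ old.example.com A NXDOMAIN UDP SFO5 192.0.2.53 -
"""


def parse_query_log_line(line):
    """Split one query log entry into a dict; '-' means the resolver sent no EDNS client subnet."""
    parts = line.split()
    if len(parts) != len(FIELDS):
        raise ValueError(f"expected {len(FIELDS)} fields, got {len(parts)}: {line!r}")
    rec = dict(zip(FIELDS, parts))
    if rec["edns_client_subnet"] == "-":
        rec["edns_client_subnet"] = None
    return rec


def nxdomain_by_resolver(log_text):
    """Count NXDOMAIN answers per resolver IP; each distinct query name counts once."""
    seen = set()
    for line in log_text.splitlines():
        if not line.strip():
            continue
        rec = parse_query_log_line(line)
        if rec["response_code"] == "NXDOMAIN":
            seen.add((rec["resolver_ip"], rec["query_name"].lower()))
    return Counter(ip for ip, _ in seen)


def suspicious_resolvers(log_text, threshold=3):
    """Resolver IPs with at least `threshold` distinct NXDOMAIN names: likely subdomain enumeration."""
    return sorted(ip for ip, n in nxdomain_by_resolver(log_text).items() if n >= threshold)


if __name__ == "__main__":
    for ip in suspicious_resolvers(SAMPLE_LOG):
        print(f"possible subdomain enumeration via resolver {ip}")
```

Because the logged IP is the recursive resolver, a large public resolver will aggregate many unrelated clients; tune the threshold per resolver and use the EDNS client subnet, when the resolver supplies it, to narrow the source.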
What are the different types of STS AssumeRole, and the other STS calls that return temporary credentials?
AssumeRole
AssumeRoleWithSAML
AssumeRoleWithWebIdentity
GetFederationToken
GetSessionToken
What is AssumeRole? And what policies are involved?
- for temporary access to resources in your own or another account. The session defaults to 1 hr, min 15 min, max is the role's configured MaxSessionDuration (up to 12 hrs); a session obtained by role chaining (assuming a role with credentials that came from another assumed role) is capped at 1 hr
* to allow access from another account, that account (or a specific principal in it) must be listed as a Principal in the role's trust policy; when a third party assumes the role, an sts:ExternalId condition in the trust policy mitigates the confused-deputy problem
* the caller additionally needs an identity-based policy that allows sts:AssumeRole on the role's ARN; both the trust policy and the caller's own policy must allow the call, and an explicit Deny on either side wins
What is AssumeRoleWithSAML?
- for users authenticated by a SAML 2.0 identity provider such as AD FS; the user needs no AWS credentials, and the STS call itself is made without signing credentials
* the SAML assertion is signed by the IdP; AWS verifies that signature against the certificate in the federation metadata document uploaded when the SAML provider was created in IAM, and the assertion must carry the Role (role ARN, provider ARN) and RoleSessionName attributes
What is AssumeRoleWithWebIdentity?
- for users authenticated by a web identity provider: Login with Amazon, Facebook, Google, Amazon Cognito, or any OpenID Connect (OIDC) compatible provider
* the caller presents the provider's signed token (an OIDC JWT), which AWS validates against the provider's published keys; the role's trust policy should pin the expected app/client ID (the token's aud claim) so that tokens issued for other applications cannot assume the role
What is GetFederationToken?
returns an access key, secret key and session token for a federated user. It is called with the long-term credentials of an IAM user, typically by an identity broker or proxy application inside the corporate network. The effective permissions are the intersection of the calling user's policies and the session policy passed in the call; the session defaults to 12 hrs and can be up to 36 hrs. Prefer the AssumeRoleWith* calls where possible, since they avoid holding long-term IAM user keys on the broker.
What is GetSessionToken?
returns an access key, secret key and session token for the calling IAM user (default 12 hrs, max 36 hrs; max 1 hr for the root user). Typically used to obtain MFA-authenticated credentials by passing SerialNumber and TokenCode, so that API calls protected by an aws:MultiFactorAuthPresent condition succeed. The resulting credentials cannot call IAM APIs unless MFA was used, and cannot call STS APIs other than AssumeRole and GetCallerIdentity.
Does an OAuth identity provider work with IAM?
OAuth 2.0 is an authorization protocol, not an authentication protocol, so IAM does not accept OAuth providers directly; IAM identity providers are either SAML 2.0 or OpenID Connect (OIDC, which is built on OAuth 2.0 and is what AssumeRoleWithWebIdentity consumes). Cognito user pools act as an OAuth 2.0/OIDC provider and support the authorization code, implicit and client credentials grants.
OAuth tokens can also be enforced at the application edge: Lambda authorizers for API Gateway REST APIs, JWT authorizers (and Lambda authorizers) for API Gateway HTTP APIs, and the Amplify Framework all accept OAuth/OIDC tokens.
How do you set up AD users to access AWS?
1) In IAM, create an identity provider of type SAML and upload the FederationMetadata.xml file from your AD FS server (it carries the signing certificate AWS will use to verify assertions) 2) Create the IAM roles that federated users can assume, each with a trust policy whose Principal is the SAML provider ARN, Action sts:AssumeRoleWithSAML, and a condition SAML:aud = https://signin.aws.amazon.com/saml 3) In AD FS, add AWS as a relying party trust (metadata at https://signin.aws.amazon.com/static/saml-metadata.xml) and write claim rules that emit the Role (role ARN,provider ARN pairs) and RoleSessionName attributes, usually derived from AD group membership
What is the login flow for AD users to access AWS?
- 1) user browses to the AD FS sign-in page and authenticates with corporate credentials (Kerberos/NTLM or forms)
* 2) AD FS returns a signed SAML assertion, which the browser POSTs to the AWS sign-in endpoint (https://signin.aws.amazon.com/saml)
* 3) AWS Sign-in verifies the assertion's signature, audience and validity window, then calls STS AssumeRoleWithSAML on the user's behalf to obtain temporary credentials (if the assertion lists several roles, the user is first asked to pick one)
* 4) the user is redirected to the AWS Management Console with those credentials; CLI/API access follows the same steps via a tool that captures the assertion and calls AssumeRoleWithSAML directly
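The checks in step 3, re-implemented in miniature as an added example (not AWS code, and not from the original flashcards). The SAML response is constructed and unsigned; a real one carries an XML signature that AWS verifies against the certificate from the uploaded IdP metadata, and this parser deliberately does not verify signatures, so it must never be used to trust an assertion. It shows the audience and validity-window checks and how the Role attribute maps onto the RoleArn/PrincipalArn parameters of AssumeRoleWithSAML. Hostnames, ARNs and the account ID are made up.

```python
"""Miniature of what AWS Sign-in checks before calling AssumeRoleWithSAML.
Added example: no signature verification, constructed unsigned response,
invented hostnames/ARNs. Never use this to decide whether to trust an assertion."""
import base64
import xml.etree.ElementTree as ET
from datetime import datetime, timezone

NS = {"samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
      "saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
AWS_AUDIENCE = "urn:amazon:webservices"          # required Audience for AWS
ROLE_ATTR = "https://aws.amazon.com/SAML/Attributes/Role"
SESSION_NAME_ATTR = "https://aws.amazon.com/SAML/Attributes/RoleSessionName"
DURATION_ATTR = "https://aws.amazon.com/SAML/Attributes/SessionDuration"

# Constructed sample: two roles offered, either ARN order inside a pair is accepted.
SAMPLE_RESPONSE_XML = """<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
    xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="_r1" Version="2.0"
    Destination="https://signin.aws.amazon.com/saml">
  <saml:Issuer>http://adfs.corp.example.com/adfs/services/trust</saml:Issuer>
  <saml:Assertion ID="_a1" Version="2.0">
    <saml:Subject><saml:NameID>alice@corp.example.com</saml:NameID></saml:Subject>
    <saml:Conditions NotBefore="2024-01-15T09:59:00Z" NotOnOrAfter="2024-01-15T10:05:00Z">
      <saml:AudienceRestriction><saml:Audience>urn:amazon:webservices</saml:Audience></saml:AudienceRestriction>
    </saml:Conditions>
    <saml:AttributeStatement>
      <saml:Attribute Name="https://aws.amazon.com/SAML/Attributes/Role">
        <saml:AttributeValue>arn:aws:iam::111111111111:role/ADFS-Admins,arn:aws:iam::111111111111:saml-provider/ADFS</saml:AttributeValue>
        <saml:AttributeValue>arn:aws:iam::111111111111:saml-provider/ADFS,arn:aws:iam::111111111111:role/ADFS-ReadOnly</saml:AttributeValue>
      </saml:Attribute>
      <saml:Attribute Name="https://aws.amazon.com/SAML/Attributes/RoleSessionName">
        <saml:AttributeValue>alice@corp.example.com</saml:AttributeValue>
      </saml:Attribute>
      <saml:Attribute Name="https://aws.amazon.com/SAML/Attributes/SessionDuration">
        <saml:AttributeValue>3600</saml:AttributeValue>
      </saml:Attribute>
    </saml:AttributeStatement>
  </saml:Assertion>
</samlp:Response>"""


def sample_saml_response_b64():
    """The browser POSTs the response base64-encoded in the SAMLResponse form field."""
    return base64.b64encode(SAMPLE_RESPONSE_XML.encode()).decode()


def _ts(value):
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def parse_aws_saml_response(saml_response_b64, now):
    """Check validity window and audience, then return what AssumeRoleWithSAML needs."""
    root = ET.fromstring(base64.b64decode(saml_response_b64))
    assertion = root.find("saml:Assertion", NS)
    if assertion is None:
        raise ValueError("response carries no Assertion")
    cond = assertion.find("saml:Conditions", NS)
    if cond is None or now < _ts(cond.get("NotBefore")) or now >= _ts(cond.get("NotOnOrAfter")):
        raise ValueError("assertion missing Conditions or outside its validity window")
    audiences = [a.text for a in cond.findall("saml:AudienceRestriction/saml:Audience", NS)]
    if AWS_AUDIENCE not in audiences:
        raise ValueError(f"audience {audiences} does not include {AWS_AUDIENCE}")
    attrs = {}
    for attr in assertion.findall("saml:AttributeStatement/saml:Attribute", NS):
        attrs[attr.get("Name")] = [v.text.strip() for v in attr.findall("saml:AttributeValue", NS)]
    roles = []
    for pair in attrs.get(ROLE_ATTR, []):          # "role_arn,provider_arn" in either order
        parts = [p.strip() for p in pair.split(",")]
        role = [p for p in parts if ":role/" in p]
        provider = [p for p in parts if ":saml-provider/" in p]
        if len(parts) != 2 or len(role) != 1 or len(provider) != 1:
            raise ValueError(f"malformed Role attribute value: {pair!r}")
        roles.append({"RoleArn": role[0], "PrincipalArn": provider[0]})
    if not roles or SESSION_NAME_ATTR not in attrs:
        raise ValueError("Role and RoleSessionName attributes are both required")
    return {
        "subject": assertion.findtext("saml:Subject/saml:NameID", namespaces=NS),
        "roles": roles,
        "RoleSessionName": attrs[SESSION_NAME_ATTR][0],
        "DurationSeconds": int(attrs.get(DURATION_ATTR, ["3600"])[0]),
    }


def saml_response_accepted(saml_response_b64, now):
    """True when the response passes every check above."""
    try:
        parse_aws_saml_response(saml_response_b64, now)
        return True
    except (ValueError, ET.ParseError):
        return False
```

Each returned role entry is exactly the RoleArn/PrincipalArn pair that AssumeRoleWithSAML takes alongside the base64 SAMLAssertion; the DurationSeconds value is only honoured by STS up to the role's MaxSessionDuration.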
Does EC2 throttle port 25?
Yes. Outbound SMTP on port 25 is throttled by default on all EC2 instances. You can ask AWS to remove the limit through the "Request to remove email sending limitations" form, supplying the Elastic IP(s) you will send from, the reverse DNS (PTR) record(s) you want for them, and your use case. Alternatively, submit mail on port 587 (STARTTLS) or 465 (implicit TLS), which are not throttled, or send through Amazon SES.
Does a NAT gateway go in a public or private subnet?
A (public) NAT gateway lives in a public subnet, i.e. one whose route table sends 0.0.0.0/0 to an internet gateway, and needs an Elastic IP. The route table associated with each private subnet gets a 0.0.0.0/0 route pointing at the NAT gateway for outbound traffic; instances in the private subnet still accept no inbound connections from the internet. A NAT gateway is tied to one AZ, so deploy one per AZ to survive an AZ failure and avoid cross-AZ traffic charges. (A private NAT gateway, used for traffic to other VPCs or on-premises networks, needs no Elastic IP.)
For penetration testing, which services don't need approval?
AWS's customer penetration testing policy allows testing without prior approval against EC2 instances (plus NAT gateways and Elastic Load Balancers), RDS, Aurora, CloudFront, API Gateway, Lambda (and Lambda@Edge), Lightsail, and Elastic Beanstalk environments; the published list has since grown (e.g. ECS, Fargate, Transit Gateway, S3-hosted applications), so check the current policy page. Prohibited regardless of service: DNS zone walking via Route 53 hosted zones, DoS/DDoS and simulated DoS, port/protocol/request flooding, and targeting S3 buckets themselves. Anything outside the policy needs a request to AWS first.
What does a condition StringEquals: s3:x-amz-server-side-encryption: aws:s3 do?
Nothing useful. The s3:x-amz-server-side-encryption condition key carries the value the client sent in the x-amz-server-side-encryption request header, and S3 accepts only AES256 (SSE-S3), aws:kms (SSE-KMS) and aws:kms:dsse (DSSE-KMS). aws:s3 is not a valid value, so a StringEquals on it never matches: an Allow scoped that way grants nothing, and a Deny written as StringNotEquals aws:s3 denies every upload, including correctly encrypted ones. To require SSE-KMS, use a Deny with StringNotEquals aws:kms and pair it with a Deny on Null: true so uploads that omit the header entirely are also rejected.
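The following added example (not from the original flashcards, and a simplification rather than AWS's real evaluation engine) serves both the AssumeRole card above and this condition-key card: it evaluates a cross-account sts:AssumeRole against the role's trust policy and the caller's identity policy, showing that both must allow and that a missing sts:ExternalId fails the trust side, and it runs s3:PutObject requests against a bucket policy to show that a policy written against aws:s3 denies even correctly encrypted uploads. Account IDs, role and bucket names are invented; only the StringEquals, StringNotEquals and Null operators are modelled.

```python
"""Toy IAM policy evaluator (added example; not AWS code, not the page's own).
Models Effect, Principal (AWS ARNs, account root, "*"), Action, Resource and the
StringEquals / StringNotEquals / Null condition operators; explicit Deny wins.
Account IDs, role names and bucket names below are invented."""
import fnmatch


def _as_list(v):
    return v if isinstance(v, list) else [v]


def _glob(pattern, value):
    return fnmatch.fnmatchcase(value, pattern)      # IAM wildcards * and ?


def _principal_matches(spec, caller_arn):
    if spec == "*":
        return True
    caller_account = caller_arn.split(":")[4]
    for entry in _as_list(spec.get("AWS", [])):
        if entry in ("*", caller_arn):
            return True
        # "arn:aws:iam::ACCOUNT:root" delegates to that account's own IAM policies
        if entry.endswith(":root") and entry.split(":")[4] == caller_account:
            return True
    return False


def _condition_matches(condition, ctx):
    for op, pairs in (condition or {}).items():
        for key, expected in pairs.items():
            actual, expected = ctx.get(key), _as_list(expected)
            if op == "StringEquals" and actual not in expected:
                return False                       # absent key never equals anything
            elif op == "StringNotEquals" and actual in expected:
                return False                       # absent key counts as "not equal" here
            elif op == "Null" and (actual is None) != (expected[0] == "true"):
                return False                       # Null true matches when the key is absent
            elif op not in ("StringEquals", "StringNotEquals", "Null"):
                raise ValueError(f"operator {op} not modelled")
    return True


def evaluate(policy, action, resource, ctx=None, principal=None):
    """'Allow', 'Deny' or 'ImplicitDeny' for one request against one policy document."""
    decision = "ImplicitDeny"
    for st in policy["Statement"]:
        if principal is not None and not _principal_matches(st.get("Principal", "*"), principal):
            continue
        if not any(_glob(a, action) for a in _as_list(st["Action"])):
            continue
        if not any(_glob(r, resource) for r in _as_list(st.get("Resource", "*"))):
            continue
        if not _condition_matches(st.get("Condition"), ctx or {}):
            continue
        if st["Effect"] == "Deny":
            return "Deny"
        decision = "Allow"
    return decision


# --- AssumeRole: trust policy in account 222..., callers in account 111... (invented) ---
ROLE_ARN = "arn:aws:iam::222222222222:role/CrossAccountAudit"
TRUST_POLICY = {"Statement": [{
    "Effect": "Allow",
    "Principal": {"AWS": "arn:aws:iam::111111111111:root"},     # whole account 111... may try
    "Action": "sts:AssumeRole",
    "Condition": {"StringEquals": {"sts:ExternalId": "audit-7f3c"}},   # confused-deputy guard
}]}
ALICE_POLICY = {"Statement": [{"Effect": "Allow", "Action": "sts:AssumeRole", "Resource": ROLE_ARN}]}
BOB_POLICY = {"Statement": [{"Effect": "Allow", "Action": "s3:ListAllMyBuckets", "Resource": "*"}]}


def can_assume(caller_arn, caller_policy, role_arn, trust_policy, external_id=None):
    """Both sides must say Allow: the role's trust policy for this principal and the caller's policy."""
    ctx = {} if external_id is None else {"sts:ExternalId": external_id}
    trusted = evaluate(trust_policy, "sts:AssumeRole", role_arn, ctx, principal=caller_arn)
    permitted = evaluate(caller_policy, "sts:AssumeRole", role_arn, ctx)
    return trusted == "Allow" and permitted == "Allow"


# --- S3: require a specific SSE header value on every PutObject ---
def sse_bucket_policy(bucket, required):
    """Deny PutObject unless the SSE header equals `required`; Null check catches a missing header."""
    objects = f"arn:aws:s3:::{bucket}/*"
    return {"Statement": [
        {"Effect": "Deny", "Principal": "*", "Action": "s3:PutObject", "Resource": objects,
         "Condition": {"StringNotEquals": {"s3:x-amz-server-side-encryption": required}}},
        {"Effect": "Deny", "Principal": "*", "Action": "s3:PutObject", "Resource": objects,
         "Condition": {"Null": {"s3:x-amz-server-side-encryption": "true"}}},
        {"Effect": "Allow", "Principal": {"AWS": "arn:aws:iam::111111111111:root"},
         "Action": "s3:PutObject", "Resource": objects},
    ]}


def put_object_decision(policy, bucket, key, caller_arn, sse_header=None):
    """Decision for a PUT; sse_header is the x-amz-server-side-encryption value the client sent, if any."""
    ctx = {} if sse_header is None else {"s3:x-amz-server-side-encryption": sse_header}
    return evaluate(policy, "s3:PutObject", f"arn:aws:s3:::{bucket}/{key}", ctx, principal=caller_arn)
```

Running sse_bucket_policy("example-bucket", "aws:s3") through put_object_decision denies an upload that sends aws:kms just as it denies one sending AES256, which is the gotcha the card describes: no request ever carries aws:s3, so the misspelt value turns the policy into a blanket deny.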
Is there a CloudWatch Logs agent for EC2?
Yes. The unified CloudWatch agent runs on Linux and Windows EC2 instances and on on-premises servers, shipping both log files and system-level metrics (memory, disk, per-process); it supersedes the older CloudWatch Logs agent (awslogs). Logs go to CloudWatch Logs (billed by ingestion and storage) and the metrics it collects are billed as custom metrics. The instance needs an IAM role with the CloudWatchAgentServerPolicy (or equivalent logs:PutLogEvents and cloudwatch:PutMetricData permissions); on-premises servers use IAM user credentials instead.