Gotchas/Distractors from Publicly Available Security Questions Flashcards
Can Route53 do DNS query logging? Public or private zones? Non Route53?
Route53 can log the DNS queries that resolvers send to R53, for public hosted zones only
Logs contain domain, time, record type (A/CNAME), R53 edge location that responded, response code
What are the different types of STS AssumeRole?
AssumeRole
AssumeRoleWithSAML
AssumeRoleWithWebIdentity
GetFederationToken
GetSessionToken
What is AssumeRole? And which policies are involved?
- for temp access to services in own or other accounts. Default 1 hr, min 15 min, max 12 hrs
* to access other accounts, need that account listed in trust policy of the role when created
* for user to AssumeRole in another account, needs ARN of the role in their allowed policy
What is AssumeRoleWithSAML?
- for users authenticated using SAML like AD, do not need AWS-specific credentials
* user identity is verified by key in metadata document provided by SAML
What is AssumeRoleWithWebIdentity?
- for users authenticated using a web identity provider like FB, Google, Cognito, OpenID
* user identity is verified by token from web identity provider
What is GetFederationToken?
returns access key, secret key and token for a federated user, used by applications within the network
What is GetSessionToken?
returns access key, secret key and token, typically used when MFA is used to protect API calls
Does OAuth identity provider work with IAM?
OAuth is a standard authorization protocol. Cognito user pools support OAuth-based authorization
Lambda authorizers for APIGW REST APIs, APIGW HTTP APIs, Amplify Framework support OAuth
How do you set up AD users to access AWS?
- 1) Create an identity provider of type SAML in IAM and upload the FederationMetadata XML file from your ADFS server
* 2) Create IAM roles that federated users can assume
What is the login flow for AD users to access AWS?
- 1) user signs in to ADFS with corp login
* 2) ADFS sends a SAML token to AWS sign-in page
* 3) AWS Sign-in calls STS AssumeRoleWithSAML API to get a temp token
* 4) User is sent a redirect link to AWS console
Does EC2 port 25 throttle?
Port 25 is restricted by default. You can request AWS to remove the restriction; you need to provide a DNS record that will be used to send/receive email/SMTP traffic over port 25. Alternatively, use port 587, which is not throttled.
Does NATGW go in public or private subnet?
NATGW goes in a public subnet and needs an EIP; the route tables associated with the private subnets must be updated to send outbound traffic to the NATGW
For Penetration testing, what services don’t need approval?
EC2, RDS, Aurora, Cloudfront, APIGW, Lambda, Lightsail, Beanstalk
What does StringEquals: s3:x-amz-server-side-encryption: aws:s3 do?
Only two values are possible: AES256 specifies SSE-S3, aws:kms specifies KMS encryption
Is there a CloudWatch Logs agent for EC2?
CW Agent can be installed on Linux or Windows EC2, or on-prem servers. Logs are stored in CW logs and metrics are billed as custom metrics
Is Elasticache encrypted?
Memcached No. Redis Yes
What is IAM credential report?
lists all users in your account and the status of their various credentials, including passwords, access keys, and MFA devices, e.g. password last used, last changed, next rotation, MFA active, access key last used, X.509 cert active, last rotated
What can CW Events trigger directly?
EC2, Lambda, Kinesis streams, Firehose, CW logs, ECS tasks, systems manager, Batch jobs, Step functions, CodePipeline, CodeBuild, Inspector, SNS, SQS. Target receives JSON event
How do you prevent TLS certificates from being stolen by would-be spoofers?
Use AWS-provided encryption certificates: SSE-S3, EBS encrypted volumes, ACM for TLS certs
What does Cloudwatch Logs log?
EC2 logs, Cloudtrail specific API activities (you can create), R53 DNS queries
CW Log Group can have many Log Streams, each of which is a collection of Log Events
Metric Filters are applied at the Log Group level and apply to all Streams within it
What threats can GuardDuty detect?
Monitors Cloudtrail events, Cloudtrail S3 data events, VPC flow logs, DNS logs
Detects unusual API calls, suspicious outbound communications to known malicious IPs, possible data theft using DNS queries, access of AWS resources from an unusual geo-location, attempts to disable CloudTrail logging, taking snapshots of a database from a malicious IP, intra-VPC port scanning, unusual patterns of failed login requests, unblocked port probing from a known bad IP, cryptocurrency mining, backdoor command and control (C&C) activity, malware using domain generation algorithms (DGA), outbound DoS activity, unusually high volume of network traffic, unusual network protocols, outbound instance communication with a known malicious IP, temporary EC2 credentials used by an external IP, data exfiltration using DNS, API calls from an anonymizing proxy, unusual instance launches, deployments in an unusual region, unusual data access patterns for S3, S3 API activity from a remote host, API calls to retrieve data in S3 buckets from a user that had no prior history
What is the difference between Inspector vs Config checks?
Inspector assesses applications on EC2 for exposure, vulnerabilities, and deviations from best practices: unintended network accessibility, remote root login enabled, vulnerable software versions installed. Inspector finds applications by querying the package manager or software installation system on the OS, so software installed via apt, yum, or Microsoft Installer will be assessed by Inspector
Config continuously monitors and records your AWS resource configurations and evaluates them against desired configurations; it lets you review configuration changes, relationships between AWS resources, and resource configuration histories, and determine your overall compliance against the configurations specified in your internal guidelines
Config records software configuration changes within EC2 and servers running on-premises: visibility into OS configurations, system-level updates, installed applications, network configuration, and a history of OS and system-level configuration changes alongside the infrastructure configuration changes recorded for EC2
Ephemeral ports for NACL and SG - why do you need them?
The third party will not reply using the same port; instead it will use ephemeral ports
Port scanning- do any of our services track it?
GuardDuty can, since it is unusual activity
Can Config trigger Lambda? In what cases?
When Config rules you define for a resource are violated, Config can trigger a CW event that invokes Lambda. You can also choose to create a CW event for API calls to Config itself, config item changes, Config rule compliance changes, or snapshot/config history delivery
Config can send all events to SNS from where you can filter what you need into SQS
KMS key types: which ones can be rotated, and when?
AWS owned CMK: not in your account, AWS manages everything eg: SSE-S3
AWS managed CMK: auto-rotates every 1 year, not configurable, used by services on your behalf
Customer managed CMK: can set auto-rotate 1 year or manually anytime, you manage, can disable
CMK with imported material: only manual rotation, you are responsible for availability/durability of key
Data keys generated by KMS can be symmetric (one key) or asymmetric (public-private)
CMKs by default are symmetric, and AWS services integrated with KMS all use that. You can get an asymmetric CMK if needed; download the public key and use it outside KMS if you want
Pen testing on EC2 - what is not allowed?
DNS zone walking, DDoS simulation, port flooding, protocol flooding, request flooding
What does Systems Manager Patch Manager do?
Scans instances and reports compliance, and installs available patches, on a schedule or on demand
Who can add grant to object ACL? Other accounts?
ACLs can only grant read/write permissions to other accounts, not users in your own account. Can only allow using grant, not explicit deny.
Can CW events trigger CLI command?
No. CW Event targets can be EC2, Lambda, Kinesis, CW log groups, ECS tasks, Batch, Step Functions, SNS, SQS, CodeBuild, CodePipeline
What is the difference between IAM service role, resource policy, Lambda execution role?
Service role = IAM role a service assumes to do things
Lambda resource-based / function policy = used to give other accounts or services permission to trigger Lambda
Lambda execution role = gives permission to Lambda to access other services
SSM Parameter Store with a KMS CMK: what IAM permissions does it need?
Service calling the SSM string (eg EC2) needs IAM permission to decrypt KMS (Allow kms:decrypt). SSM will NOT decrypt the string, the calling service will after GetParameter returns it
Is DX always encrypted in transit?
No!
Trust policies for cross-account access: what do they do?
A trust policy is a resource-based policy on an IAM role that allows principals in other accounts to assume that role
For cross-account access, requester AccountA needs identity-based policy that allows making request to resource in AccountB AND AccountB needs resource-based policy allowing requester from AccountA to access that resource (trust policy)