KMS, Encryption SDK, SSM Parameter Store

Question 1

help with encryption (HTTPS)

Answer 1

SSL certificates

Question 2

What does KMS stand for?

Answer 2

Key Management Service

Question 3

• Anytime you hear “encryption” for an AWS service
• AWS manages encryption keys for us
• Fully integrated with IAM for authorization
• Easy way to control access to your data

Answer 3

KMS (Key Management Service)

Question 4

Able to audit KMS Key usage using _________?

Answer 4

CloudTrail

Question 5

KMS Key Encryption also available through ________?

Answer 5

API calls (SDK, CLI)

Question 6

Encrypted secrets can be stored in the ________?

Answer 6

code / environment variables

Question 7

KMS KeysTypes -
* Single encryption key that is used to Encrypt and Decrypt
* AWS services that are integrated with KMS use Symmetric CMKs
* You never get access to the KMS Key unencrypted (must call KMS API to use)

Answer 7

Symmetric (AES-256 keys)

Question 8

KMS KeysTypes -
* Public (Encrypt) and Private Key (Decrypt) pair
* Used for Encrypt/Decrypt, or Sign/Verify operations
* The public key is downloadable, but you can’t access the Private Key unencrypted
* Use case: encryption outside of AWS by users who can’t call the KMS API

Answer 8

Asymmetric (RSA & ECC key pairs)

Question 9

• AWS Owned Keys (free): SSE-S3, SSE-SQS, SSE-DDB (default key)
• AWS Managed Key: free (aws/service-name, example: aws/rds or aws/ebs)
• Customer managed keys created in KMS: $1 / month
• Customer managed keys imported (must be symmetric key): $1 / month
• • pay for API call to KMS ($0.03 / 10000 calls)

Answer 9

Types of KMS Keys

Question 10

• AWS-managed KMS Key: automatic every 1 year
• Customer-managed KMS Key: (must be enabled) automatic every 1 year
• Imported KMS Key: only manual rotation possible using alias

Answer 10

Automatic Key rotation

Question 11

• Created if you don’t provide a specific KMS Key Policy
• Complete access to the key to the root user = entire AWS account

Answer 11

Default KMS Key Policy

Question 12

• Define users, roles that can access the KMS key
• Define who can administer the key
• Useful for cross-account access of your KMS key

Answer 12

Custom KMS Key Policy

Question 13

5 Steps to Copying Snapshots across accounts

Answer 13

1. Create a Snapshot, encr ypted with your own KMS Key (Customer Managed Key)
2. Attach a KMS Key Policy to authorize cross-account access
3. Share the encr ypted snapshot
4. (in target) Create a copy of the Snapshot, encrypt it with a CMK in your account
5. Create a volume from the snapshot

Question 14

• Identical KMS keys in different AWS Regions that can be used interchangeably
• They have the same key ID, key material, automatic rotation…

Answer 14

KMS Multi-Region Keys

Question 15

• Encrypt in one Region and decrypt in other Regions
• No need to re-encrypt or making cross-Region API calls

Answer 15

KMS Multi-Region Keys

Question 16

• They are NOT global (Primary + Replicas)
• Each one is managed independently

Answer 16

KMS Multi-Region Keys

Question 17

global client-side encryption, encryption on Global DynamoDB, Global Aurora

Answer 17

KMS Multi-Region Keys

Question 18

We can encrypt specific attributes client-side in our DynamoDB table using the ___________?

Answer 18

Amazon DynamoDB Encryption Client

Question 19

READ EVERYTHING
* Combined with Global Tables, the client-side encrypted data is replicated to other regions
* If we use a multi-region key, replicated in the same region as the DynamoDB Global table, then clients in these regions can use low- latency API calls to KMS in their region to decrypt the data client-side
* Using client-side encryption we can protect specific fields and guarantee only decryption if the client has access to an API key

Answer 19

DynamoDB Global Tables and KMS Multi- Region Keys Client-Side encryption

Question 20

READ EVERYTHING
* We can encrypt specific attributes client-side in our Aurora table using the AWS Encryption SDK
* Combined with Aurora Global Tables, the client-side encrypted data is replicated to other regions
* If we use a multi-region key, replicated in the same region as the Global Aurora DB, then clients in these regions can use low-latency API calls to KMS in their region to decrypt the data client-side
* Using client-side encryption we can protect specific fields and guarantee only decryption if the client has access to an API key, we can protect specific fields even from database admins

Answer 20

Global Aurora and KMS Multi-Region Keys Client-Side encryption

Question 21

READ EVERYTHING

• Unencrypted objects and objects encrypted with SSE-S3 are replicated by default
• Objects encrypted with SSE-C (customer provided key) are never replicated
• For objects encrypted with SSE-KMS, you need to enable the option
  
  • Specify which KMS Key to encrypt the objects within the target
    bucket
  • Adapt the KMS Key Policy for the target key
  • An IAM Role with kms:Decrypt for the source KMS Key and
    kms:Encrypt for the target KMS Key
  • You might get KMS throttling errors, in which case you can ask
    for a Service Quotas increase
• You can use multi-region AWS KMS Keys, but they are currently treated as independent keys by Amazon S3 (the object will still be decrypted and then encr ypted)

Answer 21

S3 Replication
Encryption Considerations

Question 22

1. AMI in Source Account is encrypted with KMS Key from Source Account
2. Must modify the image attribute to add a Launch Permission which corresponds to the specified target AWS account
3. Must share the KMS Keys used to encrypted the snapshot the AMI references with the target account / IAM Role
4. The IAM Role/User in the target account must have the permissions to DescribeKey, ReEncrypted, CreateGrant, Decrypt
5. When launching an EC2 instance from the AMI, optionally the target account can specify a new KMS key in its own account to re-encrypt the volumes

Answer 22

AMI Sharing Process Encrypted via KMS

Question 23

• Secure storage for configuration and secrets
• Optional Seamless Encryption using KMS
• Serverless, scalable, durable, easy SDK
• Version tracking of configurations / secrets
• Security through IAM
• Notifications with Amazon EventBridge
• Integration with CloudFormatio

Answer 23

SSM Parameter Store

Question 24

What are the 2 types of parameter tiers?

Answer 24

Standard
Advanced

Question 25

Total number of parameters allowed (per AWS account and
Region)

Answer 25

Standard - 10,000
Advanced - 100,000

Question 26

Maximum size of a parameter value

Answer 26

Standard - 4KB
Advanced - 8KB

Question 27

Parameter policies available

Answer 27

Standard - No
Advanced - Yes

Question 28

Cost

Answer 28

Standard - No additional charge
Advanced - Charges Apply

Question 29

Storage Pricing

Answer 29

Standard - Free
Advanced - $0.05 per advanced parameter per month

Question 30

• Allow to assign a TTL to a parameter (expiration date) to force updating or deleting sensitive data such as passwords
• Can assign multiple policies at a time

Answer 30

Parameters Policies (for advanced parameters)

Question 31

• Newer service, meant for storing secrets
• Capability to force rotation of secrets every X days
• Automate generation of secrets on rotation (uses Lambda)
• Integration with Amazon RDS (MySQL, PostgreSQL, Aurora)
• Secrets are encrypted using KMS
• Mostly meant for RDS integration

Answer 31

AWS Secrets Manager

Question 32

• Replicate Secrets across multiple AWS Regions
• Secrets Manager keeps read replicas in sync with the primary Secret
• Ability to promote a read replica Secret to a standalone Secret

Answer 32

AWS Secrets Manager – Multi-Region Secrets

Question 33

multi-region apps, disaster recovery strategies, multi-region DB…

Answer 33

AWS Secrets Manager – Multi-Region Secrets

Question 34

Easily provision, manage, and deploy TLS Certificates

Answer 34

AWS Certificate Manager (ACM)

Question 35

Provide in-flight encryption for websites (HTTPS)

Answer 35

AWS Certificate Manager (ACM)

Question 36

Supports both public and privateTLS certificates

Answer 36

AWS Certificate Manager (ACM)

Question 37

Free of charge for publicTLS certificates

Answer 37

AWS Certificate Manager (ACM)

Question 38

AutomaticTLS certificate renewal

Answer 38

AWS Certificate Manager (ACM)

Question 39

Integrations with (loadTLS certificates on)
* ElasticLoadBalancers(CLB,ALB,NLB)
* CloudFront Distributions
* APIs on API Gateway

Answer 39

AWS Certificate Manager (ACM)

Question 40

Can you use ACM with EC2?

Answer 40

NO

Question 41

What does ACM stand for?

Answer 41

AWS Certificate Manager

Question 42

4 steps to ACM – Requesting Public Certificates?

Answer 42

1. List domain names to be included in the certificate
   * Fully Qualified Domain Name (FQDN): corp.example.com
   * WildcardDomain:*.example.com
2. Select Validation Method: DNS Validation or Email validation
   * DNS Validation is preferred for automation purposes
   * Email validation will send emails to contact addresses in the WHOIS database
   * DNS Validation will leverage a CNAME record to DNS config (ex: Route 53)
3. It will take a few hours to get verified
4. The Public Certificate will be enrolled for automatic renewal
   * ACM automatically renews ACM-generated certificates 60 days before expiry

Question 43

With ACM – Importing Public Certificates, what is the policy with renewals?

Answer 43

No automatic renewal, must import a new certificate before expiry

Question 44

ACM sends daily expiration events starting _________ prior to expiration

Answer 44

45 days

Question 45

With ACM sending out daily expiration events, can you configure the number of days?

Answer 45

YES

Question 46

Where fo ACM sending out daily expiration events appear?

Answer 46

EventBridge

Question 47

___________ has a managed rule named acm-certificate-expiration-check to check for expiring certificates (configurable number of days)

Answer 47

AWS Config

Question 48

• Protects your web applications from common web exploits (Layer 7)
• Layer 7 is HTTP (vs Layer 4 is TCP/UDP)
• Deploy on
  
  • Application Load Balancer
  • API Gateway
  • CloudFront
  • AppSync GraphQL API
  • Cognito User Pool

Answer 48

AWS WAF – Web Application Firewall

Question 49

• Define Web ACL (Web Access Control List) Rules:
  
  • IP Set: up to 10,000 IP addresses – use multiple Rules for more
    IPs
  • HTTP headers, HTTP body, or URI strings Protects from common
    attack - SQL injection and Cross-Site Scripting (XSS)
  • Size constraints, geo-match (block countries)
  • Rate-based rules (to count occurrences of events) – for DDoS
    protection
• Web ACL are Regional except for CloudFront
• A rule group is a reusable set of rules that you can add to a web ACL

Answer 49

AWS WAF – Web Application Firewall

Question 50

WAF _________ support the Network Load Balancer (Layer 4)

Answer 50

does not

Question 51

We can use _____________ for fixed IP and WAF on the ALB

Answer 51

Global Accelerator

Question 52

Distributed Denial of Service – many requests at the same time

Answer 52

DDoS

Question 53

• Free service that is activated for every AWS customer
• Provides protection from attacks such as SYN/UDP Floods, Reflection attacks and other layer 3/layer 4 attacks

Answer 53

AWS Shield Standard

Question 54

• Optional DDoS mitigation service ($3,000 per month per organization)
• Protect against more sophisticated attack on Amazon EC2, Elastic Load Balancing (ELB), Amazon CloudFront, AWS Global Accelerator, and Route 53
• 24/7 access to AWS DDoS response team (DRP)
• Protect against higher fees during usage spikes due to DDoS
• The automatic application layer DDoS mitigation automatically creates, evaluates and deploys AWS WAF rules to mitigate layer 7 attacks

Answer 54

AWS Shield Advanced:

Question 55

• Manage rules in all accounts of an AWS Organization
• Security policy: common set of security rules
  
  • WAF rules (Application Load Balancer, API Gateways, CloudFront)
  • AWS Shield Advanced (ALB, CLB, NLB, Elastic IP, CloudFront)
  • Security Groups for EC2, Application Load BAlancer and ENI
    resources in VPC
  • AWS Network Firewall (VPC Level)
  • Amazon Route 53 Resolver DNS Firewall
  • Policies are created at the region level
• Rules are applied to new resources as they are created (good for compliance) across all and future accounts in your Organization

Answer 55

AWS Firewall Manager

Question 56

are used together for comprehensive protection

Answer 56

WAF
Shield
Firewall Manager

Question 57

Define your _________ rules in WAF

Answer 57

Web ACL

Question 58

For granular protection of your resources, ___________ alone is the correct choice

Answer 58

WAF

Question 59

If you want to use AWS WAF across accounts, accelerate WAF configuration, automate the protection of new resources, use _______________

Answer 59

Firewall Manager with AWS WAF

Question 60

adds additional features on top of AWS WAF, such as dedicated support from the Shield ResponseTeam (SRT) and advanced reporting.

Answer 60

Shield Advanced

Question 61

If you’re prone to frequent DDoS attacks, consider purchasing _________________

Answer 61

Shield Advanced

Question 62

• Web Application delivery at the edge
• Protect from DDoS Common Attacks (SYN floods, UDP reflection…)

Answer 62

BP1 – CloudFront

Question 63

• Access your application from the edge
• Integration with Shield for DDoS protection
• Helpful if your backend is not compatible with CloudFront

Answer 63

BP1 – Global Accelerator

Question 64

• Domain Name Resolution atthe edge
• DDoS Protection mechanism

Answer 64

BP3 – Route 53

Question 65

• Protect Amazon EC2 against high traffic
• That includes using Global Accelerator, Route 53, CloudFront, Elastic Load Balancing

Answer 65

Infrastructure layer defense (BP1, BP3, BP6)

Question 66

Helps scale in case of sudden traffic surges including a flash crowd or a DDoS attack

Answer 66

Amazon EC2 with Auto Scaling (BP7)

Question 67

Elastic Load Balancing scales with the traffic increases and will distribute the traffic to many EC2 instances

Answer 67

Elastic Load Balancing (BP6)

Question 68

• CloudFront cache static content and serve it from edge locations, protecting your backend
• AWS WAF is used on top of CloudFront and Application Load Balancer to filter and block requests based on request signatures
• WAF rate-based rules can automatically block the IPs of bad actors
• Use managed rules on WAF to block attacks based on IP reputation, or block anonymous Ips
• CloudFront can block specific geographies

Answer 68

Detect and filter malicious web requests (BP1, BP2)

Question 69

Shield Advanced automatic application layer DDoS mitigation automatically creates, evaluates and deploys AWS WAF rules to mitigate layer 7 attacks

Answer 69

ShieldAdvanced(BP1,BP2,BP6)

Question 70

Using CloudFront, API Gateway, Elastic Load Balancing to hide your backend resources (Lambda functions, EC2 instances)

Answer 70

Obfuscating AWS resources (BP1, BP4, BP6)

Question 71

• Use security groups and NACLs to filter traffic based on specific IP at the subnet or ENI-level
• Elastic IP are protected by AWS Shield Advanced

Answer 71

Security groups and Network ACLs (BP5)

Question 72

• Hide EC2, Lambda, elsewhere
• Edge-optimized mode, or CloudFront + regional mode (more control for DDoS)
• WAF + API Gateway: burst limits, headers filtering, use API keys

Answer 72

Protecting API endpoints (BP4)

Question 73

AWS Best Practices for DDoS Resiliency Edge Location Mitigation (BP1, BP3)

Answer 73

BP1 – CloudFront
BP1 – Global Accelerator
BP3 – Route 53

Question 74

AWS Best Practices for DDoS Resiliency Best practices for DDoS mitigation

Answer 74

Infrastructure layer defense (BP1, BP3, BP6)
Amazon EC2 with Auto Scaling (BP7)
Elastic Load Balancing (BP6)

Question 75

AWS Best Practices for DDoS Resiliency Application Layer Defense

Answer 75

Detect and filter malicious web requests (BP1, BP2)
ShieldAdvanced(BP1,BP2,BP6)

Question 76

AWS Best Practices for DDoS Resiliency Attack surface reduction

Answer 76

Obfuscating AWS resources (BP1, BP4, BP6)

Question 77

Intelligent Threat discover y to protect your AWS Account

Answer 77

Amazon GuardDuty

Question 78

Uses Machine Learning algorithms, anomaly detection, 3rd party data

Answer 78

Amazon GuardDuty

Question 79

One click to enable (30 days trial), no need to install software

Answer 79

Amazon GuardDuty

Question 80

• Input data includes:
  
  • CloudTrail Events Logs – unusual API calls, unauthorized
    deployments
    * CloudTrailManagementEvents–createVPCsubnet,createtrail,…
    * CloudTrailS3DataEvents–getobject,listobjects,deleteobject,…
  • VPC Flow Logs – unusual internal traffic, unusual IP address
  • DNS Logs – compromised EC2 instances sending encoded data
    within DNS queries
  • Optional Features – EKS Audit Logs, RDS & Aurora, EBS, Lambda,
    S3 Data Events…

Answer 80

Amazon GuardDuty

Question 81

Can setup EventBridge rules to be notified in case of findings

Answer 81

Amazon GuardDuty

Question 82

EventBridge rules can target AWS Lambda or SNS

Answer 82

Amazon GuardDuty

Question 83

Can protect against CryptoCurrency attacks (has a dedicated “finding” for it)

Answer 83

Amazon GuardDuty

Question 84

• Automated Security Assessments
• For EC2 instances
  
  • Leveraging the AWS System Manager (SSM) agent
  • Analyze against unintended network accessibility
  • Analyze the running OS against known vulnerabilities
• For Container Images push to Amazon ECR
  
  • Assessment of Container Images as they are pushed
• For Lambda Functions
  
  • Identifies software vulnerabilities in function code and package
    dependencies
  • Assessment of functions as they are deployed
• Reporting & integration with AWS Security Hub
• Send findings to Amazon Event Bridge

Answer 84

Amazon Inspector

Question 85

Amazon Inspector evaluates only ………

Answer 85

EC2 instances
Container Images
Lambda functions

Question 86

Amazon Inspector, continuous scanning of the infrastructure, only ___________

Answer 86

when needed

Question 87

is a fully managed data security and data privacy service that uses machine learning and pattern matching to discover and protect your sensitive data in AWS.

Answer 87

AWS Macie

Question 87

helps identify and alert you to sensitive data, such as personally identifiable information (PII)

Answer 87

AWS Macie