KMS, Encryption SDK, SSM Parameter Store Flashcards

1
Q

help with encryption (HTTPS)

A

SSL certificates

2
Q

What does KMS stand for?

A

Key Management Service

3
Q
  • Anytime you hear “encryption” for an AWS service
  • AWS manages encryption keys for us
  • Fully integrated with IAM for authorization
  • Easy way to control access to your data
A

KMS (Key Management Service)

4
Q

Able to audit KMS Key usage using _________?

A

CloudTrail

5
Q

KMS Key Encryption also available through ________?

A

API calls (SDK, CLI)

6
Q

Encrypted secrets can be stored in the ________?

A

code / environment variables

7
Q

KMS Key Types -
* Single encryption key that is used to Encrypt and Decrypt
* AWS services that are integrated with KMS use Symmetric CMKs
* You never get access to the KMS Key unencrypted (must call KMS API to use)

A

Symmetric (AES-256 keys)

8
Q

KMS Key Types -
* Public (Encrypt) and Private Key (Decrypt) pair
* Used for Encrypt/Decrypt, or Sign/Verify operations
* The public key is downloadable, but you can’t access the Private Key unencrypted
* Use case: encryption outside of AWS by users who can’t call the KMS API

A

Asymmetric (RSA & ECC key pairs)

9
Q
  • AWS Owned Keys (free): SSE-S3, SSE-SQS, SSE-DDB (default key)
  • AWS Managed Key: free (aws/service-name, example: aws/rds or aws/ebs)
  • Customer managed keys created in KMS: $1 / month
  • Customer managed keys imported (must be symmetric key): $1 / month
    • pay for API call to KMS ($0.03 / 10000 calls)
A

Types of KMS Keys

10
Q
  • AWS-managed KMS Key: automatic every 1 year
  • Customer-managed KMS Key: (must be enabled) automatic every 1 year
  • Imported KMS Key: only manual rotation possible using alias
A

Automatic Key rotation

11
Q
  • Created if you don’t provide a specific KMS Key Policy
  • Complete access to the key to the root user = entire AWS account
A

Default KMS Key Policy

12
Q
  • Define users, roles that can access the KMS key
  • Define who can administer the key
  • Useful for cross-account access of your KMS key
A

Custom KMS Key Policy

13
Q

5 Steps to Copying Snapshots across accounts

A
  1. Create a Snapshot, encrypted with your own KMS Key (Customer Managed Key)
  2. Attach a KMS Key Policy to authorize cross-account access
  3. Share the encrypted snapshot
  4. (in target) Create a copy of the Snapshot, encrypt it with a CMK in your account
  5. Create a volume from the snapshot
14
Q
  • Identical KMS keys in different AWS Regions that can be used interchangeably
  • They have the same key ID, key material, automatic rotation…
A

KMS Multi-Region Keys

15
Q
  • Encrypt in one Region and decrypt in other Regions
  • No need to re-encrypt or make cross-Region API calls
A

KMS Multi-Region Keys

16
Q
  • They are NOT global (Primary + Replicas)
  • Each one is managed independently
A

KMS Multi-Region Keys

17
Q

global client-side encryption, encryption on Global DynamoDB, Global Aurora

A

KMS Multi-Region Keys

18
Q

We can encrypt specific attributes client-side in our DynamoDB table using the ___________?

A

Amazon DynamoDB Encryption Client

19
Q

READ EVERYTHING
* Combined with Global Tables, the client-side encrypted data is replicated to other regions
* If we use a multi-region key, replicated in the same region as the DynamoDB Global table, then clients in these regions can use low-latency API calls to KMS in their region to decrypt the data client-side
* Using client-side encryption we can protect specific fields and guarantee only decryption if the client has access to an API key

A

DynamoDB Global Tables and KMS Multi-Region Keys Client-Side encryption

20
Q

READ EVERYTHING
* We can encrypt specific attributes client-side in our Aurora table using the AWS Encryption SDK
* Combined with Aurora Global Tables, the client-side encrypted data is replicated to other regions
* If we use a multi-region key, replicated in the same region as the Global Aurora DB, then clients in these regions can use low-latency API calls to KMS in their region to decrypt the data client-side
* Using client-side encryption we can protect specific fields and guarantee only decryption if the client has access to an API key, we can protect specific fields even from database admins

A

Global Aurora and KMS Multi-Region Keys Client-Side encryption

21
Q

READ EVERYTHING

  • Unencrypted objects and objects encrypted with SSE-S3 are replicated by default
  • Objects encrypted with SSE-C (customer provided key) are never replicated
  • For objects encrypted with SSE-KMS, you need to enable the option
    • Specify which KMS Key to encrypt the objects within the target bucket
    • Adapt the KMS Key Policy for the target key
    • An IAM Role with kms:Decrypt for the source KMS Key and kms:Encrypt for the target KMS Key
    • You might get KMS throttling errors, in which case you can ask for a Service Quotas increase
  • You can use multi-region AWS KMS Keys, but they are currently treated as independent keys by Amazon S3 (the object will still be decrypted and then encrypted)
A

S3 Replication
Encryption Considerations

22
Q
  1. AMI in Source Account is encrypted with KMS Key from Source Account
  2. Must modify the image attribute to add a Launch Permission which corresponds to the specified target AWS account
  3. Must share the KMS Keys used to encrypt the snapshot the AMI references with the target account / IAM Role
  4. The IAM Role/User in the target account must have the permissions to DescribeKey, ReEncrypt, CreateGrant, Decrypt
  5. When launching an EC2 instance from the AMI, optionally the target account can specify a new KMS key in its own account to re-encrypt the volumes
A

AMI Sharing Process Encrypted via KMS

23
Q
  • Secure storage for configuration and secrets
  • Optional Seamless Encryption using KMS
  • Serverless, scalable, durable, easy SDK
  • Version tracking of configurations / secrets
  • Security through IAM
  • Notifications with Amazon EventBridge
  • Integration with CloudFormation
A

SSM Parameter Store

24
Q

What are the 2 types of parameter tiers?

A

Standard
Advanced

25
Q

Total number of parameters allowed (per AWS account and Region)

A

Standard - 10,000
Advanced - 100,000

26
Q

Maximum size of a parameter value

A

Standard - 4KB
Advanced - 8KB

27
Q

Parameter policies available

A

Standard - No
Advanced - Yes

28
Q

Cost

A

Standard - No additional charge
Advanced - Charges Apply

29
Q

Storage Pricing

A

Standard - Free
Advanced - $0.05 per advanced parameter per month

30
Q
  • Allows assigning a TTL to a parameter (expiration date) to force updating or deleting sensitive data such as passwords
  • Can assign multiple policies at a time
A

Parameters Policies (for advanced parameters)

31
Q
  • Newer service, meant for storing secrets
  • Capability to force rotation of secrets every X days
  • Automate generation of secrets on rotation (uses Lambda)
  • Integration with Amazon RDS (MySQL, PostgreSQL, Aurora)
  • Secrets are encrypted using KMS
  • Mostly meant for RDS integration
A

AWS Secrets Manager

32
Q
  • Replicate Secrets across multiple AWS Regions
  • Secrets Manager keeps read replicas in sync with the primary Secret
  • Ability to promote a read replica Secret to a standalone Secret
A

AWS Secrets Manager – Multi-Region Secrets

33
Q

multi-region apps, disaster recovery strategies, multi-region DB…

A

AWS Secrets Manager – Multi-Region Secrets

34
Q

Easily provision, manage, and deploy TLS Certificates

A

AWS Certificate Manager (ACM)

35
Q

Provide in-flight encryption for websites (HTTPS)

A

AWS Certificate Manager (ACM)

36
Q

Supports both public and private TLS certificates

A

AWS Certificate Manager (ACM)

37
Q

Free of charge for public TLS certificates

A

AWS Certificate Manager (ACM)

38
Q

Automatic TLS certificate renewal

A

AWS Certificate Manager (ACM)

39
Q

Integrations with (load TLS certificates on)
* Elastic Load Balancers (CLB, ALB, NLB)
* CloudFront Distributions
* APIs on API Gateway

A

AWS Certificate Manager (ACM)

40
Q

Can you use ACM with EC2?

A

NO

41
Q

What does ACM stand for?

A

AWS Certificate Manager

42
Q

4 steps to ACM – Requesting Public Certificates?

A
  1. List domain names to be included in the certificate
    * Fully Qualified Domain Name (FQDN): corp.example.com
    * Wildcard Domain: *.example.com
  2. Select Validation Method: DNS Validation or Email validation
    * DNS Validation is preferred for automation purposes
    * Email validation will send emails to contact addresses in the WHOIS database
    * DNS Validation will leverage a CNAME record to DNS config (ex: Route 53)
  3. It will take a few hours to get verified
  4. The Public Certificate will be enrolled for automatic renewal
    * ACM automatically renews ACM-generated certificates 60 days before expiry
43
Q

With ACM – Importing Public Certificates, what is the policy with renewals?

A

No automatic renewal, must import a new certificate before expiry

44
Q

ACM sends daily expiration events starting _________ prior to expiration

A

45 days

45
Q

With ACM sending out daily expiration events, can you configure the number of days?

A

YES

46
Q

Where do the daily expiration events that ACM sends out appear?

A

EventBridge

47
Q

___________ has a managed rule named acm-certificate-expiration-check to check for expiring certificates (configurable number of days)

A

AWS Config

48
Q
  • Protects your web applications from common web exploits (Layer 7)
  • Layer 7 is HTTP (vs Layer 4 is TCP/UDP)
  • Deploy on
    • Application Load Balancer
    • API Gateway
    • CloudFront
    • AppSync GraphQL API
    • Cognito User Pool
A

AWS WAF – Web Application Firewall

49
Q
  • Define Web ACL (Web Access Control List) Rules:
    • IP Set: up to 10,000 IP addresses – use multiple Rules for more IPs
    • HTTP headers, HTTP body, or URI strings – protects from common attacks such as SQL injection and Cross-Site Scripting (XSS)
    • Size constraints, geo-match (block countries)
    • Rate-based rules (to count occurrences of events) – for DDoS protection
  • Web ACL are Regional except for CloudFront
  • A rule group is a reusable set of rules that you can add to a web ACL
A

AWS WAF – Web Application Firewall

50
Q

WAF _________ support the Network Load Balancer (Layer 4)

A

does not

51
Q

We can use _____________ for fixed IP and WAF on the ALB

A

Global Accelerator

52
Q

Distributed Denial of Service – many requests at the same time

A

DDoS

53
Q
  • Free service that is activated for every AWS customer
  • Provides protection from attacks such as SYN/UDP Floods, Reflection attacks and other layer 3/layer 4 attacks
A

AWS Shield Standard

54
Q
  • Optional DDoS mitigation service ($3,000 per month per organization)
  • Protect against more sophisticated attack on Amazon EC2, Elastic Load Balancing (ELB), Amazon CloudFront, AWS Global Accelerator, and Route 53
  • 24/7 access to AWS DDoS Response Team (DRT)
  • Protect against higher fees during usage spikes due to DDoS
  • The automatic application layer DDoS mitigation automatically creates, evaluates and deploys AWS WAF rules to mitigate layer 7 attacks
A

AWS Shield Advanced

55
Q
  • Manage rules in all accounts of an AWS Organization
  • Security policy: common set of security rules
    • WAF rules (Application Load Balancer, API Gateways, CloudFront)
    • AWS Shield Advanced (ALB, CLB, NLB, Elastic IP, CloudFront)
    • Security Groups for EC2, Application Load Balancer and ENI resources in VPC
    • AWS Network Firewall (VPC Level)
    • Amazon Route 53 Resolver DNS Firewall
    • Policies are created at the region level
  • Rules are applied to new resources as they are created (good for compliance) across all and future accounts in your Organization
A

AWS Firewall Manager

56
Q

are used together for comprehensive protection

A

WAF
Shield
Firewall Manager

57
Q

Define your _________ rules in WAF

A

Web ACL

58
Q

For granular protection of your resources, ___________ alone is the correct choice

A

WAF

59
Q

If you want to use AWS WAF across accounts, accelerate WAF configuration, automate the protection of new resources, use _______________

A

Firewall Manager with AWS WAF

60
Q

adds additional features on top of AWS WAF, such as dedicated support from the Shield Response Team (SRT) and advanced reporting.

A

Shield Advanced

61
Q

If you’re prone to frequent DDoS attacks, consider purchasing _________________

A

Shield Advanced

62
Q
  • Web Application delivery at the edge
  • Protect from DDoS Common Attacks (SYN floods, UDP reflection…)
A

BP1 – CloudFront

63
Q
  • Access your application from the edge
  • Integration with Shield for DDoS protection
  • Helpful if your backend is not compatible with CloudFront
A

BP1 – Global Accelerator

64
Q
  • Domain Name Resolution at the edge
  • DDoS Protection mechanism
A

BP3 – Route 53

65
Q
  • Protect Amazon EC2 against high traffic
  • That includes using Global Accelerator, Route 53, CloudFront, Elastic Load Balancing
A

Infrastructure layer defense (BP1, BP3, BP6)

66
Q

Helps scale in case of sudden traffic surges including a flash crowd or a DDoS attack

A

Amazon EC2 with Auto Scaling (BP7)

67
Q

Elastic Load Balancing scales with the traffic increases and will distribute the traffic to many EC2 instances

A

Elastic Load Balancing (BP6)

68
Q
  • CloudFront cache static content and serve it from edge locations, protecting your backend
  • AWS WAF is used on top of CloudFront and Application Load Balancer to filter and block requests based on request signatures
  • WAF rate-based rules can automatically block the IPs of bad actors
  • Use managed rules on WAF to block attacks based on IP reputation, or block anonymous IPs
  • CloudFront can block specific geographies
A

Detect and filter malicious web requests (BP1, BP2)

69
Q

Shield Advanced automatic application layer DDoS mitigation automatically creates, evaluates and deploys AWS WAF rules to mitigate layer 7 attacks

A

Shield Advanced (BP1, BP2, BP6)

70
Q

Using CloudFront, API Gateway, Elastic Load Balancing to hide your backend resources (Lambda functions, EC2 instances)

A

Obfuscating AWS resources (BP1, BP4, BP6)

71
Q
  • Use security groups and NACLs to filter traffic based on specific IP at the subnet or ENI-level
  • Elastic IP are protected by AWS Shield Advanced
A

Security groups and Network ACLs (BP5)

72
Q
  • Hide EC2, Lambda, elsewhere
  • Edge-optimized mode, or CloudFront + regional mode (more control for DDoS)
  • WAF + API Gateway: burst limits, headers filtering, use API keys
A

Protecting API endpoints (BP4)

73
Q

AWS Best Practices for DDoS Resiliency – Edge Location Mitigation (BP1, BP3)

A

BP1 – CloudFront
BP1 – Global Accelerator
BP3 – Route 53

74
Q

AWS Best Practices for DDoS Resiliency – Best practices for DDoS mitigation

A

Infrastructure layer defense (BP1, BP3, BP6)
Amazon EC2 with Auto Scaling (BP7)
Elastic Load Balancing (BP6)

75
Q

AWS Best Practices for DDoS Resiliency – Application Layer Defense

A

Detect and filter malicious web requests (BP1, BP2)
Shield Advanced (BP1, BP2, BP6)

76
Q

AWS Best Practices for DDoS Resiliency – Attack surface reduction

A

Obfuscating AWS resources (BP1, BP4, BP6)

77
Q

Intelligent Threat discovery to protect your AWS Account

A

Amazon GuardDuty

78
Q

Uses Machine Learning algorithms, anomaly detection, 3rd party data

A

Amazon GuardDuty

79
Q

One click to enable (30 days trial), no need to install software

A

Amazon GuardDuty

80
Q
  • Input data includes:
    • CloudTrail Events Logs – unusual API calls, unauthorized deployments
      * CloudTrail Management Events – create VPC subnet, create trail, …
      * CloudTrail S3 Data Events – get object, list objects, delete object, …
    • VPC Flow Logs – unusual internal traffic, unusual IP address
    • DNS Logs – compromised EC2 instances sending encoded data within DNS queries
    • Optional Features – EKS Audit Logs, RDS & Aurora, EBS, Lambda, S3 Data Events…
A

Amazon GuardDuty

81
Q

Can setup EventBridge rules to be notified in case of findings

A

Amazon GuardDuty

82
Q

EventBridge rules can target AWS Lambda or SNS

A

Amazon GuardDuty

83
Q

Can protect against CryptoCurrency attacks (has a dedicated “finding” for it)

A

Amazon GuardDuty

84
Q
  • Automated Security Assessments
  • For EC2 instances
    • Leveraging the AWS Systems Manager (SSM) agent
    • Analyze against unintended network accessibility
    • Analyze the running OS against known vulnerabilities
  • For Container Images pushed to Amazon ECR
    • Assessment of Container Images as they are pushed
  • For Lambda Functions
    • Identifies software vulnerabilities in function code and package dependencies
    • Assessment of functions as they are deployed
  • Reporting & integration with AWS Security Hub
  • Send findings to Amazon EventBridge
A

Amazon Inspector

85
Q

Amazon Inspector evaluates only ………

A

EC2 instances
Container Images
Lambda functions

86
Q

Amazon Inspector, continuous scanning of the infrastructure, only ___________

A

when needed

87
Q

is a fully managed data security and data privacy service that uses machine learning and pattern matching to discover and protect your sensitive data in AWS.

A

AWS Macie

88
Q

helps identify and alert you to sensitive data, such as personally identifiable information (PII)

A

AWS Macie
