Misc Exam Tips and Security Best Practices Flashcards
Directory Service AD Connector vs Simple AD
Simple AD is a cheap AD-compatible service with common directory features
AD Connector lets you connect your local (on-premises) AD to AWS
How do you create Cross-Account access with IAM?
create an IAM role with two policies attached
The permissions policy grants users of the role permission to carry out tasks on the resource
The trust policy specifies which trusted accounts are allowed to grant their users permission to use the role
The trust policy on the role in the trusting account is one half of the permissions. The other half is a permissions policy attached to the user in the trusted account allowing that user to switch to or assume the role
https://docs.aws.amazon.com/IAM/latest/UserGuide/introduction.html
Have a good understanding of how Route53 supports all of the different DNS record types, and when you would use certain ones over others.
https://docs.aws.amazon.com/Route53/latest/DeveloperGuide/resource-record-sets-choosing-alias-non-alias.html
Know when Elastic IPs are free or not
If you add EIPs to an instance you are charged for each of them per hour.
You are even charged when these addresses are associated with a stopped instance or an unattached interface, to encourage people to use them efficiently
High level areas that Trusted Advisor covers
https://aws.amazon.com/premiumsupport/trustedadvisor/
Cost Optimization, Fault Tolerance, Performance, Security, Service Limits
How to troubleshoot timeout error when connecting to instance in a VPC
Need a security group allowing inbound traffic from your public IP on the proper port
Need a route sending outbound traffic to the internet gateway for the VPC
Network ACLs must allow both inbound and outbound traffic
Know some use cases for Simple Workflow Services
https://aws.amazon.com/swf/faqs/
Amazon SWF enables applications for a range of use cases, including media processing, web application back-ends, business process workflows, and analytics pipelines, to be designed as a coordination of tasks. Tasks represent invocations of various processing steps in an application which can be performed by executable code, web service calls, human actions, and scripts.
Know how to set up consolidated billing and cross-account access so department resources are isolated from each other but accounting can oversee it all
http://jayendrapatil.com/aws-consolidated-billing/
Know how to make changes to AutoScaling Group
Know what you can and can't change
Can specify only one launch configuration for an ASG at a time
Cannot modify a launch configuration after creating it
If you need to change it, create a new one and update your ASG with the new one. Existing instances aren't affected, but new ones use the new configuration
How do DynamoDB, ElastiCache and S3 compare to each other for durability and latency?
DynamoDB - durable, can pay for strong consistency
ElastiCache - great speed, not so durable
S3 - eventual consistency, lower latency
https://d0.awsstatic.com/whitepapers/AWS%20Storage%20Services%20Whitepaper-v9.pdf
Compare bucket policies, IAM policies and ACLs for use in S3, with examples of when to use each
IAM Policies
Grant users fine-grained control over S3 buckets or objects while you retain control over what users can do
Bucket Policies
Rules apply broadly to all resources in the bucket
Can restrict access based on IP address or HTTP referrer
ACLs
Grant specific permissions (read, write, full control) to specific users for individual bucket or object
When and how to encrypt snapshots
Public snapshots of encrypted volumes are NOT supported
Can share an encrypted snapshot with specific accounts
How to use ELB cross-zone load balancing to evenly distribute traffic to EC2 instances in multiple AZs
http://jayendrapatil.com/tag/elastic-load-balancer/
Autoscaling Lifecycle Hooks
Lifecycle hooks enable you to perform custom actions by pausing instances as an Auto Scaling group launches or terminates them. For example, while your newly launched instance is paused, you could install or configure software on it.
Each Auto Scaling group can have multiple lifecycle hooks. However, there is a limit on the number of hooks per Auto Scaling group.
Where does a bastion host (jump server) reside?
Public subnet
How do you establish cross-account access?
In the trusting account (A), create an IAM policy that grants the trusted account (B) access to the resources.
Account B can delegate that access to its IAM users
Account B cannot delegate more access to its users than it has been granted by account A
Steps for Identity Federation
Enterprise users access an identity broker application
The identity broker authenticates users against the corporate identity store
The identity broker has permission to access the AWS Security Token Service to request temporary credentials
Enterprise users can get a temporary URL that gives them access to APIs or the Management Console.
Describe EC2 key usage for AWS Linux AMI
When a new Linux instance is created, an EC2 asymmetric key pair is generated, or you can create your own
When the instance is launched, the public key is appended to the local user's ~/.ssh/authorized_keys file
The user authenticates using the private key on their computer
Describe EC2 key usage for AWS Windows AMI
When a new Windows instance is launched, the EC2Config service creates a random Windows Administrator password and encrypts it with the EC2 public key
The user gets the password from the AWS Console or CLI by providing the correct EC2 private key to decrypt it
The password authenticates to Windows
Describe a Resource Policy
Used where a user creates resources and then wants to allow other users to access them.
The policy is attached to the resource and describes who can do what with it
The user is in control of the resource
Describe a Capability policy (AKA user-based permissions in the IAM documentation)?
Used to enforce company-wide access policies
Assigned to IAM users directly or through an IAM Group
Can be assigned to a role that's assumed at run time
Defines what actions the user is allowed or denied to perform
They can override resource-based policies by explicitly denying them
Can IAM policies restrict access to a specific source IP address range, or certain days and times?
Yes
Are resource and capability policies cumulative?
Yes
A user’s effective permissions are the union of a resource policy and the capability permissions granted directly or through group membership
What is AWS Cloud HSM?
Amazon's tamper-proof Hardware Security Modules in the cloud for storing and managing encryption keys
Gives you dedicated single-tenant access to one or more CloudHSM appliances
You manage the cryptographic domain, not AWS
You can have it in multiple AZs with replication for HA
6 ways to protect data at rest on S3
(PVR-BEE)
Permissions
Versioning
Replication
Backup
Encryption: Server-Side (AWS managed)
Encryption: Client-Side (Customer managed)
8 ways to protect data at rest on EBS
Replication (in addition to automatic replication for HW failure)
Backup
Encryption: Microsoft Windows EFS
Encryption: Microsoft Windows BitLocker (only with password, not TPM)
Encryption: Linux dm-crypt
Encryption: TrueCrypt
Encryption: SafeNet
Describe EBS (Elastic Block Store) (Security best practices.pdf 2016)
AWS abstract block storage service
You get an EBS volume raw and unformatted, like a new hard drive
You partition it, create software RAID arrays, format partitions with any file system you choose, and protect the volume
These actions are all opaque to AWS operations
Protecting data at rest on Amazon RDS
RDS uses the same secure infrastructure as EC2
Can encrypt data at rest at the application layer using built-in encryption functions and keys.
Can encrypt at the platform layer using MySQL crypto functions
3 Ways of protecting data in RDS
MySQL crypto functions
Oracle transparent data encryption if you bring your own license
Microsoft Transact-SQL data protections
How is data on Glacier encrypted?
All data is encrypted automatically
Each Glacier archive has a unique key and the archive is encrypted with AES-256
The key is also encrypted with a master key which is rotated regularly
Can encrypt your data before uploading for extra protection
How do you protect data at rest with DynamoDB?
Same as RDS
How do you protect data at rest with EMR?
Hadoop cluster
Store data in S3 and use server-side encryption
Store data in S3 and use client-side encryption
Encrypt at the application level, the entire file
Encrypt at the application level, individual fields
A hybrid mix of the above
AWS Recommendations to secure operating systems
Disable root API access keys and secret key
Restrict access to limited IP ranges using Security Groups
Password protect .pem files on user computers
Delete keys from the ~/.ssh/authorized_keys file when no longer needed
Rotate credentials
Regularly run least-privilege checks with the IAM Access Advisor and the IAM "Last Used" information for access keys
Use bastion hosts
What can you bootstrap AMIs with?
Chef, Puppet, Capistrano, cloud-init, cfn-init
PowerShell and Bash scripts
Access Control Methods to Build Network Segments
Use a VPC to define an isolated network for each workload or organizational entity
Use Security Groups (stateful firewalls) to manage access to instances with similar functions
Use NACLs (stateless firewalls) for granular control of IP protocols and per-source/destination addresses. These work together with Security Groups and are evaluated before them
Use host-based firewalls
Create a threat-protection layer and force all traffic through it
Apply ACLs at other layers (applications and services)
6 Guidelines for securing DNS
Separate admin-level access. Separate roles
Monitoring, alerting and an audit trail
Network-layer access control. Restrict access to only those that need it
Latest stable software with patches
Continuous security testing
All other security controls in place
6 Potential layers of AWS security
VPC
Firewall rules at the hypervisor layer
NACLs
Security Groups
Host-based firewalls
IDS/IPS
VPC Features that support threat protection layer technologies
Support for multiple layers of load balancers
Use external and internal load balancers for threat management and HA
Support for multiple IP addresses on a single network interface
Support for multiple Elastic Network Interfaces
ENIs allow multiple network interfaces on several instance types, for multi-zone security features
If you can’t use inline threat management devices because of latency or other reasons, what two alternatives can you use?
Distributed threat protection system
Agents installed on individual instances with a central threat management server
Overlay network threat protection solution
Build an overlay network on top of your VPC with things like GRE tunnels, VTUN interfaces, or forwarding traffic on another ENI for centralized network traffic analysis and IDS
How can CloudFront help against a DoS/DDoS attack?
A CloudFront edge location sits in front of the back-end server and receives most of what an attacker is likely to send, absorbing the extra requests.
There are more charges as you get more traffic, but weigh them against your other options and the costs the attacker may incur
What's a privilege escalation gateway?
Instead of directly making calls to the AWS infrastructure, all requests are performed by proxy systems that are trusted intermediaries.
They can improve logging, audit trails, password management, etc.
What's the maximum response time for a Business-level premium support case?
1 hour
Can you force a failover for any RDS instance that has Multi-AZ configured?
Yes.
Rebooted one in the lab
With new RDS DB instances, automated backups are enabled by default. True or False?
True
When using a custom VPC and putting an EC2 instance into a public subnet, will it automatically be internet accessible? True or False?
False
RDS doesn't support increasing storage on an active ________ instance.
SQL Server
Is it possible to perform actions on an existing Amazon EBS Snapshot?
Yes, through the AWS APIs, CLI, and AWS Console.
What’s the maximum retention period for RDS Backups?
35 days
Can you move a reserved instance from one region to another?
No
When creating a new Security Group, all inbound traffic is allowed by default. True or False?
False
When I create a new security group, all outbound traffic is allowed by default. True or False?
True
Which set of RDS database engines is currently available?
Oracle, SQL, MySQL, Postgres
If an EBS Volume is an additional partition (not root) can you detach it without stopping the instance?
Yes
In RDS, what's the max size for a MS SQL instance running SQL Express?
300 GB for the instance
SQL Express databases are limited to 10 GB
If you want your application to check RDS for an error, have it look for an ______ node in the response from the RDS API
Error
Not exit, not abort, not incorrect
In RDS, when do changes to backup windows take effect?
Immediately
How many copies of your data does Aurora store by default?
6
What are the types of conditions you can allow/block with the Web Application Firewall?
Cross-site scripting
IP match
Geographic match
Size constraint
SQL injection
String match
Regex (regular expression) match
Describe the Auto Scaling Group default termination policy
If there are instances in multiple AZs, select the AZ with the most instances and at least one instance not protected from scale-in. If more than one AZ has this number of instances, select the one with instances using the oldest launch configuration
Determine which unprotected instances in the selected AZ use the oldest launch configuration. If there is one, terminate it
If multiple instances use the oldest launch configuration, determine which unprotected instances are closest to the next billing hour. If there is one, terminate it.
If there is more than one unprotected instance closest to the next billing hour, select one at random