Misc Good to Remember for Exam Flashcards

1
Q

Which certificates do NOT auto-renew?

A

ACM certificates for imported certs and Route 53 Private zones. All others do

2
Q

What are the conditions for public ACM certs to auto-renew?

A

Must be in use and use DNS validation

3
Q

Where can ACM certs be used for termination?

A

CloudFront or ALB only. Works with Elastic Beanstalk and API Gateway. EC2 for Nitro Enclaves supports ACM. No EC2, no non-AWS services

4
Q

With what is ACM private key encrypted?

A

KMS

5
Q

What are used to access the private key when attaching ACM certificate to ELB and CloudFront?

A

Grants

6
Q

What to do if ACM is not available in your region?

A

SSL certificates can be stored in IAM Certificate Store as workaround

7
Q

Use ACM Private Certificate Authority (ACM-PCA) for your own root or intermediate CA and issuing private ACM certs for internal infrastructure and clients

A
8
Q

What is Perfect Forward Secrecy?

A

If key is compromised, adversary cannot decrypt future traffic. To have PFS on ALB, need to add security policies that include ECDHE-* ciphers

9
Q

Can APIGW cache?

A

APIGW has optional API caching; it can cache an API request at the endpoint for a default of 300 sec, max 3600 sec

10
Q

What can Systems Manager Parameter Store do?

A

Store confidential parameters (passwords, etc.) encrypted using your KMS key, called SecureString parameters. EC2 instances accessing such parameters must also have KMS decryption permissions on their IAM role.

11
Q

What is Systems Manager Run Command?

A

Automate common tasks like applying patches, joining instances to a Windows domain, etc. at scale without having to log in to EC2 instances. Also called Simple Systems Manager (SSM). Need to attach an IAM role for SSM to all EC2s to manage AND need the SSM agent on the instances (Amazon AMI has it preinstalled)

12
Q

Deep packet inspection is NOT offered by any native AWS service

A
13
Q

What allows you to check container images for vulnerabilities?

A

Amazon Elastic Container Registry

14
Q

How does Elastic Container Service prevent traffic from going to internet?

A

It offers Endpoint (like S3 Endpoint) for traffic from VPC to go to other AWS services

15
Q

How to identify API activity in the last 90 days by a specific IAM access key? What about activity older than 90 days?

A

Use CloudTrail event history. For activity older than 90 days, you can use Athena to query the CloudTrail logs stored in S3

16
Q

If web servers are behind ALB, no need to keep them in public subnet, can put them in private subnet with SG open to ALB in public subnet only

A
17
Q

Can KMS keys created with imported key material be auto-rotated?

A

KMS keys created with imported key material cannot be auto-rotated, so if you need annual rotation, create a new CMK, import new key material into it, and point the key alias to the new CMK so that anything referencing the alias uses the new CMK

18
Q

Can CMK aliases be used within policies?

A

No. This is because the mapping of aliases to keys can be manipulated outside the policy, which would allow for an escalation of privilege. Therefore, key IDs must be used in KMS key policies, IAM policies, and KMS grants.

19
Q

What to do if the CloudWatch agent deployed on EC2 is unable to deliver logs to CloudWatch?

A

Use AWS Run Command to verify the “awslogs” service is running on the instance, and that the permissions used by the agent allow creation of log groups/streams and putting log events

20
Q

What is required in order to attach a CMK encrypted EBS volume to a new instance?

A

The IAM user/role policy needs a kms:CreateGrant permission

21
Q

Which type of logs cannot be sent to CloudWatch Logs?

A

S3 access logs. DNS query logs, VPC flow logs and CloudTrail logs can be sent

22
Q

When Cognito receives a SAML assertion, it needs to be able to map SAML attributes to user pool attributes. When configuring Cognito to receive SAML assertions from an identity provider, you need to ensure that the identity provider is configured to have Cognito as a relying party. API Gateway will need to be able to understand the authorization being passed from Amazon Cognito, which is a configuration step

A
23
Q

What are basic Lambda permissions that are required to log to CloudWatch Logs?

A

CreateLogGroup, CreateLogStream, and PutLogEvents.

24
Q

What does AWS Config do?

A

Generates an event when the configuration of a resource changes, and maintains historical records of the configuration items of your resources from the time you start the configuration recorder

25
Q

What to do if you suspect your account is compromised?

A

Change your AWS account root user password.
Delete or rotate all root and IAM access keys.
Delete any potentially compromised IAM users, and change the password for all other IAM users (don’t delete ALL users).
Delete any resources on your account which you didn’t create.

26
Q

How to determine whether a log file was modified, deleted, or unchanged after CloudTrail delivered it?

A

You can use CloudTrail log file integrity validation

27
Q

With the accounts in an AWS Organization, you can create a single CloudTrail trail that covers all accounts

A
28
Q

What can be used in combination with Cloudtrail to analyze the API activity in your AWS account?

A

Athena (not GuardDuty) can be used with CloudTrail to analyze the API activity in your AWS account and have the ability to isolate activity by attributes, such as source IP address and user

29
Q

How to check for insecure protocols in CloudWatch Events?

A

Can configure Amazon Inspector as a target for CloudWatch Events. The runtime behavior package checks for insecure protocols like Telnet, FTP, HTTP, IMAP, rlogin, etc. Neither the AWS Config restricted-common-ports check nor Trusted Advisor will give you this information

30
Q

What can detect if any of your EC2 instances are exhibiting unusual behavior? For example, if an EC2 instance is trying to connect to multiple ports over a short period of time, it might be engaged in a possible port scan attack

A

GuardDuty

31
Q

What enables continuous monitoring of your AWS resources? If it finds a policy violation, it can trigger a CloudWatch Event to trigger a Lambda that corrects the S3 bucket ACL, or notify you via SNS

A

AWS Config

32
Q

What can be used to define your ideal configuration settings and monitor them continuously?

A

Use AWS Config rules. If a configuration change makes a resource non-compliant, Config will flag the rule and trigger a CW event to trigger Lambda to notify/remediate

33
Q

What do you need to do when using NACLs for an HTTP connection to be successful?

A

You need to allow port 80 inbound and allow the ephemeral ports outbound (not just 80 outbound)

34
Q

What uses Machine Learning to detect unusual behavior on your account, including unusual API activity, and can be used to report on evidence of compromised instances?

A

GuardDuty

35
Q

What is the difference between GuardDuty and CloudTrail?

A

GuardDuty: detects unusual behavior on your account including unusual API activity and can be used to report on evidence of compromised instances

CloudTrail: only logs API calls but does not know whether they are malicious or not

36
Q

How to perform a security assessment on all EC2 instances to find vulns and best practice deviations?

A

Inspector + Systems Manager is a better solution than Trusted Advisor + Config. Inspector will identify vulnerabilities, weaknesses, as well as departures from established best practices.

Systems Manager can be used to automate the installation of Inspector agents on hundreds of EC2 instances, thereby mitigating time-critical operations. TA provides checks, such as open ports in security groups, and service limits, but does not perform EC2 security assessments

37
Q

How can each API call be required to need MFA?

A

By adding MFA requirement in IAM policy that is used to make that call

38
Q

What is the difference between public and private AMIs for login?

A

Public always need a key pair to login
Private can choose other means to login

39
Q

Who can create CloudFront key pairs?

A

Root account only, not IAM users

40
Q

How are X.509 certificates used in EC2?

A

AWS can generate X.509 certs, or you create one yourself and attach it to IAM or upload it to EC2

41
Q

Can EBS volumes be accessed by other accounts?

A

No. You can create snapshots and share those though

42
Q

What should be provided for auto scaling instances?

A

Permissions should be listed in an IAM role so that new instances get them on creation; the role is available via the instance metadata

43
Q

What does Enabling Server Order Preference on ELB allow?

A

allows ELB to pick which cipher set to use for SSL rather than client. ELB supports Perfect Forward Secrecy

44
Q

S3 ACL gives access by account level, not user level, to specific objects

A
45
Q

What is the thing about S3 encryption?

A

The objects are encrypted; their metadata is not encrypted

46
Q

What are Glacier upload limits?

A

Single upload limit is 4 GB; multipart is 40,000 GB

47
Q

What is storage gateway?

A

Uploads contents to S3 in EBS snapshot format

48
Q

What does using EFS in VPC require?

A

Creating one mount target per AZ

49
Q

How is EFS data replicated?

A

EFS data is synchronously replicated to multiple AZs on write

50
Q

Access of root users is not bounded by IAM policies.

A