Misc Good to Remember for Exam

Question 1

Which certificates do NOT auto-renew?

Answer 1

ACM certificates for imported certs and Route 53 Private zones. All others do

Question 2

What are the conditions for public ACM certs to auto-renew?

Answer 2

Must be in use and use DNS validation

Question 3

Where can ACM certs be used for termination?

Answer 3

CloudFront or ALB only. Works with Elastic Beanstalk and API Gateway. EC2 for Nitro Enclaves supports ACM. No EC2, no non-AWS services

Question 4

With what is ACM private key encrypted?

Answer 4

KMS

Question 5

What are used to access the private key when attaching ACM certificate to ELB and CloudFront?

Answer 5

Grants

Question 6

What to do if ACM is not available in your region?

Answer 6

SSL certificates can be stored in IAM Certificate Store as workaround

Question 7

Use ACM Private Certificate Authority (ACM-PCA) for your own root or intermediate CA and issuing private ACM certs for internal infrastructure and clients

Question 8

What is Perfect Forward Secrecy?

Answer 8

If key is compromised, adversary cannot decrypt future traffic. To have PFS on ALB, need to add security policies that include ECDHE-* ciphers

Question 9

Can APIGW cache?

Answer 9

APIGW has optional API caching, can cache an API request at endpoint for default 300sec, max 3600sec

Question 10

What can systems manager parameter store do?

Answer 10

store confidential parameters (passwords etc) encrypted using your KMS key, called SecureString parameters. EC2 instances accessing such parameters must also have KMS decryption permissions on their IAM role.

Question 11

What is Systems Manager Run Command

Answer 11

automate common tasks like applying patches, joining instances to Windows domain etc at scale without having to log in to EC2 instances. Also called Simple Systems Manager (SSM). Need to attach IAM role for SSM to all EC2s to manage AND need SSM agent on instances (Amazon AMI has it preinstalled)

Question 12

Deep packet inspection is NOT offered by any native AWS service

Question 13

What allows you to check container images for vulnerabilities?

Answer 13

Amazon Elastic Container Registry

Question 14

How does Elastic Container Service prevent traffic from going to internet?

Answer 14

It offers Endpoint (like S3 Endpoint) for traffic from VPC to go to other AWS services

Question 15

How to identify API activity in the last 90 days by a specific IAM access key. What for older than 90 days

Answer 15

Use CloudTrail event history. Older > 90 days you can use Athena to query CloudTrail logs from S3

Question 16

If web servers are behind ALB, no need to keep them in public subnet, can put them in private subnet with SG open to ALB in public subnet only

Question 17

Can KMS keys created with imported key material be auto-rotated?

Answer 17

KMS keys created with imported key material cannot be auto-rotated so if you need annual rotation, create a new CMK, import new key material into it, and point the key alias to the new CMK so the existing keys can use new CMK

Question 18

Can CMK aliases be used within policies?

Answer 18

No, This is because the mapping of aliases to keys can be manipulated outside the policy, which would allow for an escalation of privilege. Therefore, key IDs must be used in KMS key policies, IAM policies, and KMS grants.

Question 19

What to do If Cloudwatch agent deployed on EC2 is unable to deliver logs to Cloudwatch

Answer 19

use aws run command to verify “awslogs” service is running on the instance, and that the permissions used by the agent allow creation of log groups/streams and to put log events

Question 20

What is required in order to attach a CMK encrypted EBS volume to a new instance?

Answer 20

The IAM user/role policy needs a kms:CreateGrant permission

Question 21

Which type of logs cannot be sent to Cloudwatch logs?

Answer 21

S3 access logs. DNS query logs, VPC flow logs, Cloudtrail can be sent

Question 22

When Cognito receives a SAML assertion, it needs to be able to map SAML attributes to user pool attributes. When configuring Cognito to receive SAML assertions from an identity provider, you need ensure that the identity provider is configured to have Cognito as a relying party. API Gateway will need to be able to understand the authorization being passed from Amazon Cognito, which is a configuration step

Question 23

What are basic Lambda permissions that are required to log to CloudWatch Logs?

Answer 23

CreateLogGroup, CreateLogStream, and PutLogEvents.

Question 24

What does AWS Config do?

Answer 24

generates an event when the configuration of a resource changes, and maintains historical records of the configuration items of your resources from the time you start the configuration recorder

Question 25

What to do if you suspect your account is compromised?

Answer 25

Change your AWS account root user password.
Delete or rotate all root and IAM access keys.
Delete any potentially compromised IAM users, and change the password for all other IAM users (don’t delete ALL users).
Delete any resources on your account which you didn’t create

Question 26

How To determine whether a log file was modified, deleted, or unchanged after CloudTrail delivered it

Answer 26

you can use CloudTrail log file integrity validation

Question 27

With the accounts in an AWS Organization, you can create a single CloudTrail trail that covers all accounts

Question 28

What can be used in combination with Cloudtrail to analyze the API activity in your AWS account?

Answer 28

Athena (not GuardDuty) can be used with CloudTrail to analyze the API activity in your AWS account and have the ability to isolate activity by attributes, such as source IP address and user

Question 29

How to check for insecure protocols in CloudWatch Events?

Answer 29

Can configure Amazon Inspector as a target for CloudWatch Events. The runtime behavior package checks for insecure protocols like Telnet, FTP, HTTP, IMAP, rlogin etc. Neither the AWS Config restricted-common-ports check or Trusted Advisor will give you this information

Question 30

What can detect if any of your EC2 instances are exhibiting unusual behavior, for example if an EC2 instance is trying to connect to multiple ports over a short period of time, then it might be engaged in a possible port scan attack

Answer 30

GuardDuty

Question 31

What enables continuous monitoring of your AWS resources. If it finds a policy violation, it can trigger a CloudWatch Event to trigger a Lambda to corrects the S3 bucket ACL, or notify you via SNS

Answer 31

AWS Config

Question 32

What can be used to to define your ideal configuration settings and monitor continuously

Answer 32

Use AWS Config rules. If a configuration change makes a resource non-compliant, Config will flag the rule and trigger a CW event to trigger Lambda to notify/remediate

Question 33

What do you need to do when using NACLs for an HTTP connection to be successful?

Answer 33

you need to allow port 80 inbound and allow the ephemeral ports outbound (not just 80 outbound)

Question 34

What uses Machine Learning to detect unusual behavior on your account including unusual API activity and it can be used to report on evidence of compromised instances

Answer 34

GuardDuty

Question 35

What is difference between GuardDuty and CloudTrail?

Answer 35

Guardduty: detect unusual behavior on your account including unusual API activity and it can be used to report on evidence of compromised instances

Cloudtrail: only logs API calls but it does not know if they are maliciosus or not

Question 36

How to perform a security assessment on all EC2 instances to find vulns and best practice deviations?

Answer 36

Inspector + System manager is a better solution than Trusted Advisor + Config. Inspector will identify vulnerabilities, weaknesses, as well as departures from established best practices.

Systems Manager can be used to automate the installation of Inspector agents on hundreds of EC2 instances, thereby mitigating time-critical operations. TA provides checks, such as open ports in security groups, and service limits, but does not perform EC2 security assessments

Question 37

How can each API call be required to need MFA?

Answer 37

By adding MFA requirement in IAM policy that is used to make that call

Question 38

Difference between public and private AMIs to login?

Answer 38

Public always need a key pair to login
Private can choose other means to login

Question 39

Who can create CloudFront key pairs?

Answer 39

Rot account only, not IAM users

Question 40

How are X509 certificates used in EC2?

Answer 40

AWS can generate X509 certs, or you create it and attach to IAM or upload to EC2

Question 41

Can EBS volumes be accessed by other accounts?

Answer 41

No. You can create snapshots and share those though

Question 42

What should be provided for auto scaling instances?

Answer 42

permissions should be listed in IAM role so that new instances get it on creation, stored in Instance metadata

Question 43

What does Enabling Server Order Preference on ELB allow?

Answer 43

allows ELB to pick which cipher set to use for SSL rather than client. ELB supports Perfect Forward Secrecy

Question 44

S3 ACL gives access by account level, not user level, to specific objects

Question 45

What is the thing about S3 encryption?

Answer 45

The objects are encrypted, its metadata is not encrypted

Question 46

What are Glacier upload limits?

Answer 46

Single limit is 4GB, multipart is 40kGB

Question 47

What is storage gateway?

Answer 47

Uploads contents to S3 as EBS snapshot format

Question 48

What does using EFS in VPC require?

Answer 48

Creating one mount target per AZ

Question 49

How is EFS data replicated?

Answer 49

EFS data is synchronously replicated to multiple AZ on write

Question 50

Access of root users is not bounded by IAM policies.