Misc Good to Remember for Exam Flashcards
Which certificates do NOT auto-renew?
Imported certificates and ACM certificates used with Route 53 private zones. All others do.
What are the conditions for public ACM certs to auto-renew?
The certificate must be in use and must use DNS validation.
Where can ACM certs be used for TLS termination?
CloudFront and ALB (it also works with Elastic Beanstalk and API Gateway). EC2 supports ACM only for Nitro Enclaves; otherwise no EC2 and no non-AWS services.
With what is the ACM private key encrypted?
KMS
What is used to access the private key when attaching an ACM certificate to ELB or CloudFront?
KMS grants
What to do if ACM is not available in your region?
As a workaround, SSL certificates can be stored in the IAM certificate store.
Use ACM Private Certificate Authority (ACM-PCA) to run your own root or intermediate CA and to issue private ACM certs for internal infrastructure and clients.
What is Perfect Forward Secrecy?
If the key is compromised, the adversary cannot decrypt future traffic. To have PFS on an ALB, you need to add a security policy that includes ECDHE-* ciphers.
Can APIGW cache?
Yes. APIGW has optional API caching: API responses can be cached at the endpoint with a default TTL of 300 sec (max 3600 sec).
What can Systems Manager Parameter Store do?
It stores confidential parameters (passwords etc.) encrypted with your KMS key; these are called SecureString parameters. EC2 instances accessing such parameters must also have KMS decryption permissions on their IAM role.
What is Systems Manager Run Command?
It automates common tasks (applying patches, joining instances to a Windows domain, etc.) at scale without having to log in to the EC2 instances. Also called Simple Systems Manager (SSM). You need to attach an IAM role for SSM to every EC2 instance you want to manage AND the SSM agent must be installed on the instances (Amazon Linux AMIs have it preinstalled).
Deep packet inspection is NOT offered by any native AWS service
What allows you to check container images for vulnerabilities?
Amazon Elastic Container Registry (ECR) image scanning
How does Elastic Container Service prevent traffic from going over the internet?
It offers a VPC endpoint (like the S3 endpoint) so that traffic from the VPC to other AWS services stays off the internet.
How do you identify API activity by a specific IAM access key in the last 90 days? And for activity older than 90 days?
Use the CloudTrail event history. For activity older than 90 days, use Athena to query the CloudTrail logs stored in S3.
If web servers are behind an ALB, they do not need to be in a public subnet: put them in a private subnet with a security group that is open only to the ALB in the public subnet.
Can KMS keys created with imported key material be auto-rotated?
No. KMS keys created with imported key material cannot be auto-rotated, so if you need annual rotation, create a new CMK, import new key material into it, and point the key alias to the new CMK so that existing users of the alias switch to the new CMK.
Can CMK aliases be used within policies?
No. The mapping of aliases to keys can be manipulated outside the policy, which would allow an escalation of privilege. Therefore, key IDs must be used in KMS key policies, IAM policies, and KMS grants.
What to do if the CloudWatch agent deployed on EC2 is unable to deliver logs to CloudWatch?
Use SSM Run Command to verify that the “awslogs” service is running on the instance, and check that the permissions used by the agent allow creating log groups/streams and putting log events.
What is required in order to attach a CMK-encrypted EBS volume to a new instance?
The IAM user/role policy needs the kms:CreateGrant permission.