Other Security Aspects Flashcards
To fill gaps between ACG training and new exam topics that have come up.
Are security groups stateful, or stateless?
Stateful.
What does it mean when we talk about stateful, vs stateless when it comes to network traffic?
Stateful means return traffic is tracked and allowed automatically: responses to permitted inbound traffic are allowed out regardless of the SG's outbound rules, and responses to outbound requests are allowed in regardless of the SG's inbound rules.
Stateless means return traffic is not tracked; responses must be allowed explicitly by rules that open the ports for them.
If you have a security group that allows traffic in on a given port from a source of 0.0.0.0/0, who has access to the instance?
Everyone. 0.0.0.0/0 is the CIDR notation for every IPv4 address.
You create a bastion host so that SSH to your instances is only allowed from there. If you examine your logs and find SSH sessions from IP addresses that are not the bastion host, what could be the problem?
Check your security groups to ensure you didn't add another rule allowing SSH ingress from 0.0.0.0/0 (or another overly broad source) alongside the bastion host rule.
You need to review your CloudTrail logs for unauthorized API calls. You notice that there is an enormous amount of log data to review. Which AWS service should you use to query the logs and find what you need automatically?
AWS Athena
What is AWS Artifact?
It provides on-demand downloads of AWS security and compliance documents, such as AWS ISO certifications, PCI, and SOC reports.
Can you use AWS Artifact to upload your security and compliance documents to your auditors and regulators to demonstrate the security and compliance of your AWS infrastructure?
Yes.
True or False: You should let SysOps exam questions about security compliance trip you up with red-herring options that confuse AWS Artifact, Trusted Advisor, and Inspector?
False. Make sure you understand the differences between Artifact, Trusted Advisor, and Inspector.
True or false: AWS Artifact provides audit reports of your AWS infrastructure?
False. Artifact is for downloading compliance documentation and for uploading reports to auditors and regulators.
True or false: AWS Artifact is more than just a place to download compliance documentation and a place to upload your audit and regulation reports?
False. It's just a place to upload and download documents. Don't confuse it with other security services such as Trusted Advisor or Inspector.
True or False: CloudHSM is a single-tenancy service?
True: It is dedicated hardware for use with only your AWS account.
Is KMS single- or multi-tenancy?
KMS is a multi-tenancy shared service.
True or False: With CloudHSM, you are responsible for scaling, availability, patching, etc.
False. AWS provides all maintenance operations, including scaling and HA.
Who has key control in CloudHSM, you or AWS?
You.
Who has key control in KMS, you or AWS?
You and AWS. Kind of a trick question, I guess.