Other Security Aspects Flashcards
To fill gaps between ACG training and new exam topics that have come up.
Are security groups stateful, or stateless?
Stateful.
What does it mean when we talk about stateful, vs stateless when it comes to network traffic?
Stateful means the filter tracks connections: the reply to an allowed inbound request is let back out, and the reply to an allowed outbound request is let back in, regardless of the rules for the other direction. Security groups work this way.
Stateless means every packet is judged on its own, so reply traffic has to be allowed explicitly, typically with a rule for the ephemeral port range (1024-65535) in the return direction. Network ACLs work this way.
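As an added example (not from the original deck or from AWS), the following toy packet filter models the one difference that matters for this card: a security group remembers the flow, a network ACL does not, so the ACL drops the reply unless an ephemeral-port rule exists. Addresses, ports and rule shapes are constructed and simplified.

```python
"""Added example (not AWS code): a toy packet filter that models the one
difference that matters here. A security group remembers connections, a
network ACL does not. Addresses and ports are constructed."""
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Rule:
    direction: str      # "in" or "out", relative to the instance
    proto: str          # "tcp", "udp" or "all"
    port_from: int
    port_to: int
    cidr: str           # remote side of the flow
    allow: bool = True  # NACLs can deny; security groups only allow

    def matches(self, direction, proto, port, remote_ip):
        return (self.direction == direction
                and self.proto in ("all", proto)
                and self.port_from <= port <= self.port_to
                and ipaddress.ip_address(remote_ip) in ipaddress.ip_network(self.cidr))


@dataclass
class Packet:
    direction: str      # "in" or "out", relative to the instance
    proto: str
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int

    def remote_ip(self):
        return self.src_ip if self.direction == "in" else self.dst_ip

    def flow_key(self):
        """Same value for a request and its reply, so the reply can be recognised."""
        if self.direction == "in":
            return (self.proto, self.src_ip, self.src_port, self.dst_port)
        return (self.proto, self.dst_ip, self.dst_port, self.src_port)


class SecurityGroup:
    """Stateful: the first packet of a flow is checked against the rules;
    everything else in that flow, in either direction, rides on that decision."""
    def __init__(self, rules):
        self.rules = list(rules)
        self.tracked = set()

    def permits(self, pkt):
        if pkt.flow_key() in self.tracked:
            return True
        if any(r.matches(pkt.direction, pkt.proto, pkt.dst_port, pkt.remote_ip())
               for r in self.rules):
            self.tracked.add(pkt.flow_key())
            return True
        return False


class NetworkAcl:
    """Stateless: every packet, replies included, is matched against the
    numbered rules in order; first match wins and the default is deny."""
    def __init__(self, rules):
        self.rules = list(rules)    # already in ascending rule-number order

    def permits(self, pkt):
        for r in self.rules:
            if r.matches(pkt.direction, pkt.proto, pkt.dst_port, pkt.remote_ip()):
                return r.allow
        return False


def https_exchange(filt):
    """Client 203.0.113.10 talks to instance 10.0.1.5 on 443 from an ephemeral port.
    Returns (request_allowed, reply_allowed)."""
    request = Packet("in", "tcp", "203.0.113.10", 51234, "10.0.1.5", 443)
    reply = Packet("out", "tcp", "10.0.1.5", 443, "203.0.113.10", 51234)
    return filt.permits(request), filt.permits(reply)


ALLOW_HTTPS_IN = [Rule("in", "tcp", 443, 443, "0.0.0.0/0")]
ALLOW_EPHEMERAL_OUT = Rule("out", "tcp", 1024, 65535, "0.0.0.0/0")


def demo():
    """Security group: reply allowed with no outbound rule at all.
    NACL: same rule set drops the reply until an ephemeral-port rule is added."""
    return (https_exchange(SecurityGroup(ALLOW_HTTPS_IN)),
            https_exchange(NetworkAcl(ALLOW_HTTPS_IN)),
            https_exchange(NetworkAcl(ALLOW_HTTPS_IN + [ALLOW_EPHEMERAL_OUT])))
```

`demo()` returns `((True, True), (True, False), (True, True))`: the security group passes the reply purely because it saw the request, while the NACL needs the explicit outbound rule for ports 1024-65535. The model ignores NACL rule numbers and the default-allow-all outbound rule a new security group ships with; it exists only to show where the reply is decided.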
If you have a security group that allows traffic in from a given port, from a source of 0.0.0.0/0, who has access to the instance?
Everyone. 0.0.0.0/0 is the CIDR block that matches every IPv4 address (the IPv6 equivalent is ::/0).
You create a bastion host so that SSH to your instances is only possible from it. Examining your logs, you find SSH sessions from IP addresses that are not the bastion. What could be the problem?
Check the security groups on those instances. The rule for TCP 22 should name only the bastion's security group (or its address) as the source; a second rule that allows port 22 from 0.0.0.0/0, from a wide CIDR, or from another security group would explain the extra sessions.
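The check described in that answer, as an added example that is not part of the original deck and is not AWS code: it walks security-group descriptions in the shape of `aws ec2 describe-security-groups` output and reports every source that can reach port 22 other than the bastion's own group. The group ids and rules below are constructed.

```python
"""Added example, not AWS code: audit security-group rules so that TCP/22 is
reachable only from the bastion's security group. Input is in the shape of
`aws ec2 describe-security-groups` output; ids and groups are constructed."""

BASTION_SG = "sg-0aaaaaaaaaaaaaaaa"   # constructed id

SAMPLE_GROUPS = [
    # the bastion itself: SSH from the office range only
    {"GroupId": BASTION_SG, "GroupName": "bastion",
     "IpPermissions": [{"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
                        "IpRanges": [{"CidrIp": "198.51.100.0/24"}],
                        "Ipv6Ranges": [], "UserIdGroupPairs": []}]},
    # correct: SSH only from the bastion's group
    {"GroupId": "sg-0bbbbbbbbbbbbbbbb", "GroupName": "app-good",
     "IpPermissions": [{"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
                        "IpRanges": [], "Ipv6Ranges": [],
                        "UserIdGroupPairs": [{"GroupId": BASTION_SG}]}]},
    # wrong: a second rule opens SSH to the whole IPv4 internet
    {"GroupId": "sg-0ccccccccccccccccc", "GroupName": "app-bad",
     "IpPermissions": [
         {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
          "IpRanges": [], "Ipv6Ranges": [],
          "UserIdGroupPairs": [{"GroupId": BASTION_SG}]},
         {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
          "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": [],
          "UserIdGroupPairs": []}]},
    # wrong: "all traffic" from any IPv6 address covers port 22 as well
    {"GroupId": "sg-0ddddddddddddddddd", "GroupName": "app-allports",
     "IpPermissions": [{"IpProtocol": "-1",
                        "IpRanges": [], "Ipv6Ranges": [{"CidrIpv6": "::/0"}],
                        "UserIdGroupPairs": []}]},
]


def covers_port(perm, port):
    """True if a permission entry applies to TCP traffic on `port`."""
    proto = perm["IpProtocol"]
    if proto == "-1":                       # all protocols, all ports (no FromPort/ToPort)
        return True
    if proto not in ("tcp", "6"):
        return False
    return perm.get("FromPort", 0) <= port <= perm.get("ToPort", 65535)


def ssh_sources_other_than(groups, allowed_sg, port=22):
    """Return (group_id, source) for every source that can reach `port`
    except `allowed_sg`. The bastion group itself is skipped: it has to
    accept SSH from outside by design."""
    findings = []
    for g in groups:
        if g["GroupId"] == allowed_sg:
            continue
        for perm in g["IpPermissions"]:
            if not covers_port(perm, port):
                continue
            for r in perm.get("IpRanges", []):
                findings.append((g["GroupId"], r["CidrIp"]))
            for r in perm.get("Ipv6Ranges", []):
                findings.append((g["GroupId"], r["CidrIpv6"]))
            for p in perm.get("UserIdGroupPairs", []):
                if p["GroupId"] != allowed_sg:
                    findings.append((g["GroupId"], p["GroupId"]))
    return findings


def world_reachable(findings):
    """The subset whose source is the whole internet (0.0.0.0/0 or ::/0)."""
    return [f for f in findings if f[1] in ("0.0.0.0/0", "::/0")]
```

Against real data, pass the `SecurityGroups` list from `aws ec2 describe-security-groups --output json` in place of `SAMPLE_GROUPS`. Both findings here are world-reachable: one from a plain 0.0.0.0/0 rule on port 22, one from an all-traffic rule, which the port check has to treat as covering SSH even though it carries no port range.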
You need to review your CloudTrail logs for unauthorized API calls, but there is an enormous amount of log data. Which AWS service should you use to query the logs and find what you need?
Amazon Athena. It runs SQL queries directly against the CloudTrail log files in S3, so you can filter on fields such as errorcode without loading the logs anywhere else.
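As an added example (not from the deck, not AWS code), the filter you would express in Athena, run locally over a handful of constructed CloudTrail records so the logic can be seen: unauthorized calls show up as records with an errorCode containing AccessDenied or UnauthorizedOperation, and grouping them by the calling principal is what you want to read first. The records, ARNs and addresses are constructed.

```python
"""Added example (not AWS code): pick unauthorized API calls out of CloudTrail
records and group them by principal. SAMPLE_LOG is constructed in the shape
of a CloudTrail log file's "Records" array."""
import json
from collections import Counter

SAMPLE_LOG = json.dumps({"Records": [
    {"eventTime": "2024-05-01T10:00:01Z", "eventSource": "ec2.amazonaws.com",
     "eventName": "DescribeInstances", "sourceIPAddress": "198.51.100.7",
     "userIdentity": {"type": "IAMUser", "arn": "arn:aws:iam::123456789012:user/alice"}},
    {"eventTime": "2024-05-01T10:00:05Z", "eventSource": "iam.amazonaws.com",
     "eventName": "CreateUser", "sourceIPAddress": "203.0.113.9",
     "errorCode": "AccessDenied",
     "errorMessage": "User: arn:aws:iam::123456789012:user/bob is not authorized to perform: iam:CreateUser",
     "userIdentity": {"type": "IAMUser", "arn": "arn:aws:iam::123456789012:user/bob"}},
    {"eventTime": "2024-05-01T10:00:09Z", "eventSource": "ec2.amazonaws.com",
     "eventName": "RunInstances", "sourceIPAddress": "203.0.113.9",
     "errorCode": "Client.UnauthorizedOperation",
     "userIdentity": {"type": "IAMUser", "arn": "arn:aws:iam::123456789012:user/bob"}},
    {"eventTime": "2024-05-01T10:00:12Z", "eventSource": "s3.amazonaws.com",
     "eventName": "GetObject", "sourceIPAddress": "203.0.113.9",
     "errorCode": "AccessDenied",
     "userIdentity": {"type": "AssumedRole",
                      "arn": "arn:aws:sts::123456789012:assumed-role/ReadOnly/session"}},
]})

# Services spell the code differently (AccessDenied, AccessDeniedException,
# Client.UnauthorizedOperation), so match on the substring rather than equality.
UNAUTHORIZED_MARKERS = ("AccessDenied", "UnauthorizedOperation")


def is_unauthorized(record):
    code = record.get("errorCode", "")
    return any(marker in code for marker in UNAUTHORIZED_MARKERS)


def unauthorized_calls(log_text):
    """All records in one CloudTrail log file that were refused by IAM."""
    return [r for r in json.loads(log_text)["Records"] if is_unauthorized(r)]


def by_principal(records):
    """Count refused calls per caller ARN; the busiest entry is the one to look at."""
    return Counter(r.get("userIdentity", {}).get("arn", "<unknown>") for r in records)


def by_action(records):
    """Count refused calls per (service, action) pair."""
    return Counter((r["eventSource"], r["eventName"]) for r in records)
```

Real CloudTrail files are gzipped JSON in S3, one "Records" array per file; this function takes the decompressed text of one file. The Athena form of the same filter against the standard CloudTrail table is `SELECT useridentity.arn, eventsource, eventname, count(*) ... WHERE errorcode LIKE '%AccessDenied%' OR errorcode LIKE '%UnauthorizedOperation%' GROUP BY 1, 2, 3`, which is what you run once the volume is beyond a script.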
What is AWS Artifact?
It provides on-demand downloads of AWS security and compliance documents, such as AWS ISO certifications, PCI, and SOC reports.
Can you use AWS Artifact to give your auditors and regulators evidence of the security and compliance of the AWS infrastructure under your workloads?
Yes. You download AWS's own audit reports (SOC, PCI, ISO) from Artifact and pass them to your auditors. Artifact does not assess your configuration, and it is not a repository for your own documents.
True or False: You should let SysOps exam questions about security compliance confuse you with red herrings that mix up AWS Artifact, Trusted Advisor and Inspector?
False. Know the differences: Artifact is AWS's compliance documentation, Trusted Advisor checks your account against AWS best practices (including security checks), and Inspector scans your workloads for vulnerabilities.
True or false: AWS Artifact provides audit reports of your AWS infrastructure?
False. Artifact provides AWS's own compliance reports and agreements, which you can hand to auditors and regulators; it does not audit what you have built.
True or false: AWS Artifact is more than a place to download AWS compliance documentation and manage agreements with AWS?
False. That is all it is. Don't confuse it with services that examine your environment, such as Trusted Advisor or Inspector.
True or False: CloudHSM is a single-tenant service?
True. The HSMs in your cluster are dedicated hardware used only by your AWS account.
Is KMS single or multi tenancy?
KMS is a multi-tenant shared service: many customers' keys live in the same fleet of AWS-operated HSMs.
True or False: With CloudHSM, you are responsible for scaling, availability, patching, etc.
False. AWS handles hardware provisioning, firmware patching, backups and the cluster's high availability. You still choose how many HSMs the cluster has and in which Availability Zones, and you manage the HSM users and keys.
Who has key control in CloudHSM, you or AWS?
You
Who has key control in KMS, you or AWS?
Shared. You control the key policy, who may use the key and its rotation, but AWS runs the HSMs that hold the key material, and you never handle the material yourself unless you imported it.
True or False: If your organization requires asymmetric keys, you should use KMS?
The exam answer is False, use CloudHSM. KMS has supported asymmetric RSA and elliptic-curve keys for signing and encryption since late 2019, so check the KMS features page for the current position before you sit the exam.
If you need a managed key service whose HSMs are FIPS 140-2 Level 3 validated, would you need CloudHSM or KMS?
CloudHSM is the exam answer. AWS has since announced that the HSMs behind KMS are also validated at Level 3; confirm the current level on the KMS features page.
If you need a managed key service that is Common Criteria EAL4+ certified, would you need CloudHSM or KMS?
CloudHSM
True or False: If you just need an inexpensive, well-protected managed key service, you should choose KMS?
True.
True or False: If your organization requires dedicated, single-tenant HSMs with the strongest compliance validation, you should choose CloudHSM?
True.
True or false: unencrypted S3 buckets can be encrypted in place?
True. You enable default encryption (SSE-S3 or SSE-KMS) on the existing bucket and every object written afterwards is encrypted; no new bucket or data migration is needed. Objects that were already in the bucket are not touched, so re-copy them with server-side encryption if they must be encrypted too.
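The two halves of that answer as an added example, not from the deck and not AWS sample code: turn on default encryption for the existing bucket, then re-copy the objects that predate it. The S3 client is passed in rather than created (pass `boto3.client("s3")` in practice; the example imports nothing from boto3 so it also runs against a stub), and the bucket and key names are whatever the caller supplies.

```python
"""Added example (not AWS sample code): encrypt an existing S3 bucket in place.
`s3` is a boto3 S3 client supplied by the caller; nothing here is AWS-specific
beyond the documented put_bucket_encryption / head_object / copy_object calls."""


def enable_default_encryption(s3, bucket, kms_key_id=None):
    """Set bucket-level default encryption. This only affects objects written
    from now on; existing objects keep whatever encryption they had."""
    if kms_key_id:
        rule = {"SSEAlgorithm": "aws:kms", "KMSMasterKeyID": kms_key_id}
    else:
        rule = {"SSEAlgorithm": "AES256"}   # SSE-S3
    s3.put_bucket_encryption(
        Bucket=bucket,
        ServerSideEncryptionConfiguration={
            "Rules": [{"ApplyServerSideEncryptionByDefault": rule}]},
    )


def reencrypt_existing_objects(s3, bucket, kms_key_id=None):
    """Copy every object onto itself with server-side encryption requested, so
    S3 rewrites it encrypted. Objects that already carry the wanted encryption
    are skipped. Returns the keys that were rewritten."""
    wanted = "aws:kms" if kms_key_id else "AES256"
    rewritten = []
    for page in s3.get_paginator("list_objects_v2").paginate(Bucket=bucket):
        for obj in page.get("Contents", []):
            key = obj["Key"]
            head = s3.head_object(Bucket=bucket, Key=key)
            already = head.get("ServerSideEncryption") == wanted and (
                not kms_key_id or head.get("SSEKMSKeyId", "").endswith(kms_key_id))
            if already:
                continue
            extra = {"ServerSideEncryption": wanted}
            if kms_key_id:
                extra["SSEKMSKeyId"] = kms_key_id
            s3.copy_object(
                Bucket=bucket, Key=key,
                CopySource={"Bucket": bucket, "Key": key},
                MetadataDirective="COPY",   # keep user metadata; only the encryption changes
                **extra,
            )
            rewritten.append(key)
    return rewritten
```

Two caveats for real buckets: a single `copy_object` handles objects up to 5 GB, so larger ones need a multipart copy, and on a versioned bucket the copy creates a new object version while the old unencrypted version remains until a lifecycle rule or explicit delete removes it.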
Your application currently stores data in an unencrypted DynamoDB table. Management now requires all data to be encrypted at rest. How can you achieve this?
The exam answer: create a new encrypted table and migrate the data to it. In practice DynamoDB now encrypts every table at rest by default, and the key (AWS owned, AWS managed or customer managed) can be switched on an existing table in place.
Your application currently stores data in an unencrypted RDS instance. Management now requires all data to be encrypted at rest. How can you achieve this?
Take a snapshot of the unencrypted instance, copy the snapshot with encryption enabled (choosing the KMS key), restore a new instance from the encrypted copy and repoint the application. An existing unencrypted RDS instance cannot be switched to encrypted in place.
Your EC2 instance has a mounted EFS file system that is not encrypted. With the new encryption-at-rest policy, how can you achieve EFS encryption?
Create a new encrypted file system and copy the data across (for example with AWS DataSync, or rsync from an instance that mounts both). Encryption at rest can only be chosen when an EFS file system is created.
Your EC2 instance has a mounted EBS volume that is not encrypted. With the new encryption-at-rest policy, how can you achieve EBS encryption?
Snapshot the volume, copy the snapshot with encryption enabled, create a new volume from the encrypted snapshot, then detach the old volume and attach the new one in its place. An existing EBS volume cannot be encrypted in place.
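The snapshot, copy-with-encryption and new-volume steps for EBS as an added example, not from the deck and not AWS sample code. The caller supplies a boto3 EC2 client, the volume id, the region and optionally a KMS key; the example imports nothing from boto3 so it can also be driven by a stub. Detaching the old volume and attaching the new one at the same device name is left to the caller, since it requires stopping the instance first.

```python
"""Added example (not AWS sample code): produce an encrypted replacement for an
unencrypted EBS volume. `ec2` is a boto3 EC2 client supplied by the caller."""


def encrypted_copy_of_volume(ec2, volume_id, region, kms_key_id=None):
    """Snapshot -> encrypted snapshot copy -> new volume in the same AZ.
    Returns (source_snapshot_id, encrypted_snapshot_id, new_volume_id)."""
    source = ec2.describe_volumes(VolumeIds=[volume_id])["Volumes"][0]

    # 1. Snapshot the unencrypted volume (the snapshot is unencrypted too).
    snap = ec2.create_snapshot(VolumeId=volume_id,
                               Description=f"pre-encryption copy of {volume_id}")
    ec2.get_waiter("snapshot_completed").wait(SnapshotIds=[snap["SnapshotId"]])

    # 2. Copy it with Encrypted=True; this is the only step that adds encryption.
    #    Without KmsKeyId the region's default EBS key is used.
    copy_args = {"SourceRegion": region, "SourceSnapshotId": snap["SnapshotId"],
                 "Encrypted": True,
                 "Description": f"encrypted copy of {snap['SnapshotId']}"}
    if kms_key_id:
        copy_args["KmsKeyId"] = kms_key_id
    enc = ec2.copy_snapshot(**copy_args)
    ec2.get_waiter("snapshot_completed").wait(SnapshotIds=[enc["SnapshotId"]])

    # 3. Build the replacement volume from the encrypted snapshot, keeping the
    #    original's AZ and type (io1/io2 volumes also need their Iops carried over).
    create_args = {"AvailabilityZone": source["AvailabilityZone"],
                   "SnapshotId": enc["SnapshotId"],
                   "VolumeType": source["VolumeType"]}
    if source["VolumeType"] in ("io1", "io2"):
        create_args["Iops"] = source["Iops"]
    new_vol = ec2.create_volume(**create_args)
    ec2.get_waiter("volume_available").wait(VolumeIds=[new_vol["VolumeId"]])

    # Refuse to hand back anything that is not actually encrypted.
    check = ec2.describe_volumes(VolumeIds=[new_vol["VolumeId"]])["Volumes"][0]
    if not check["Encrypted"]:
        raise RuntimeError(f"{new_vol['VolumeId']} is not encrypted")
    return snap["SnapshotId"], enc["SnapshotId"], new_vol["VolumeId"]
```

RDS follows the same shape with `create_db_snapshot`, `copy_db_snapshot` (passing `KmsKeyId`, which is what makes the copy encrypted) and `restore_db_instance_from_db_snapshot`. Once the new volume is attached, delete the unencrypted source volume and snapshot, or the plaintext copy of the data lives on.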
Which data storage service can be encrypted in place?
S3
Which data storage services do not support encryption in place and require migration from an unencrypted source to an encrypted target?
DynamoDB
RDS
EFS
EBS
True or false: DynamoDB encryption at rest has changed since the course material was written, and you should check before the exam?
True. DynamoDB now encrypts all tables at rest by default and lets you change the key on an existing table, so the "migrate to a new table" answer reflects older exam material.
What do we mean by "encrypt in place"?
Turning on encryption for a resource after it has been created, without provisioning a replacement resource and migrating the data into it.
For more information on KMS compliance, where would you look?
https://aws.amazon.com/kms/features/
Should you read the AWS DDoS whitepaper?
Yes: https://d1.awsstatic.com/whitepapers/Security/DDoS_White_Paper.pdf
For more information about CloudHSM, where would you look?
https://aws.amazon.com/cloudhsm/features/
True or False: AWS Shield Standard is turned on by default?
True. Every AWS customer gets Shield Standard automatically and at no charge; it protects resources such as CloudFront, Route 53 and ELB against common network and transport-layer DDoS attacks. Shield Advanced is the paid, opt-in tier.