Other Security Services Relevant to Security Exam Flashcards

1
Q

What does Macie do?

A

Identifies PII and other sensitive data stored in S3 buckets, using machine learning and pattern matching. (Macie Classic could also analyze CloudTrail events to audit who is accessing sensitive data; the current Macie concentrates on S3 data discovery and bucket security posture.)

2
Q

How does Macie classify data?

A

(Macie Classic classification criteria)
  1. content type
  2. file extension
  3. theme, e.g. AmEx or Visa card numbers
  4. keyword or regex
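Worked example of the keyword/regex style of classification. This is an added example, not Macie's own code: a small classifier modeled on a Macie custom data identifier, where a regex match only counts as a finding if one of the configured keywords appears within a maximum distance of it, and card-number hits are additionally checked with the Luhn checksum to cut false positives. The identifiers, the 40-character secret-key pattern and the sample S3 object text are all constructed for the example (the secret key is the well-known AWS documentation placeholder).

```python
"""Keyword/regex data classifier in the style of a Macie custom data identifier.

Added example, not Macie's own code. A regex match becomes a finding only
when one of the identifier's keywords occurs within max_distance characters
of it; card-number patterns are also validated with the Luhn checksum.
"""
import re
from dataclasses import dataclass


@dataclass
class Identifier:
    name: str
    regex: str
    keywords: tuple = ()      # lowercase; empty means no keyword required
    max_distance: int = 50    # context window (chars) searched for a keyword
    luhn: bool = False        # drop matches whose digits fail the Luhn check


def luhn_ok(digits: str) -> bool:
    """Luhn checksum: from the right, double every second digit."""
    total, parity = 0, len(digits) % 2
    for i, ch in enumerate(digits):
        d = int(ch)
        if i % 2 == parity:
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


# Identifiers are constructed for this example (not Macie's managed ones).
IDENTIFIERS = [
    Identifier("Visa card number", r"\b4\d{3}(?:[ -]?\d{4}){3}\b",
               keywords=("visa", "card"), luhn=True),
    Identifier("AmEx card number", r"\b3[47]\d{2}[ -]?\d{6}[ -]?\d{5}\b",
               keywords=("amex", "american express", "card"), luhn=True),
    # 40 chars of the base64 alphabet, not embedded in a longer token
    Identifier("AWS secret access key",
               r"(?<![A-Za-z0-9/+=])[A-Za-z0-9/+=]{40}(?![A-Za-z0-9/+=])",
               keywords=("aws_secret_access_key", "secret"), max_distance=40),
]


def classify(text: str, identifiers=IDENTIFIERS):
    """Return (identifier name, matched text) pairs found in an object's content."""
    findings = []
    lowered = text.lower()
    for ident in identifiers:
        for m in re.finditer(ident.regex, text):
            if ident.luhn and not luhn_ok(re.sub(r"\D", "", m.group())):
                continue  # right shape, wrong checksum: an order id, not a card
            if ident.keywords:
                lo = max(0, m.start() - ident.max_distance)
                hi = min(len(text), m.end() + ident.max_distance)
                if not any(k in lowered[lo:hi] for k in ident.keywords):
                    continue  # no supporting keyword nearby
            findings.append((ident.name, m.group()))
    return findings


# Constructed sample object content; the key is the AWS documentation example.
SAMPLE_OBJECT = """\
customer export 2024-01-15
card: 4111 1111 1111 1111 (visa)
card: 4111 1111 1111 1112 (mistyped, fails Luhn)
AmEx 378282246310005 on file
order id 4999 0000 0000 0000 is not a card
aws_secret_access_key = wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY
"""

if __name__ == "__main__":
    for name, hit in classify(SAMPLE_OBJECT):
        print(f"{name}: {hit}")
```

On the sample object the classifier reports one Visa number, one AmEx number and the secret key; the mistyped card and the order id are rejected by the checksum, and a bare card number with no keyword within 50 characters is not reported at all.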

3
Q

What IAM permissions does Macie need?

A

IAM permissions for S3 and CloudTrail (Macie Classic reads bucket contents and CloudTrail events), and it is not enabled automatically: you must explicitly open Integrations in the Macie console and click Start Analyzing.

4
Q

What does GuardDuty do?

A

Threat detection service that analyzes CloudTrail management events, VPC Flow Logs and DNS logs to detect unusual API calls, attempts to disable CloudTrail logging, unauthorized deployments (e.g. instances launched in unused regions), compromised instances (crypto mining, command-and-control traffic), port scanning and brute-force login attempts. It can monitor multiple accounts from one administrator account.

5
Q

To which two places does GuardDuty send its findings?

A

Its own console (findings are retained for 90 days) and CloudWatch Events (now Amazon EventBridge), from which a rule can trigger Lambda or SNS for automated response.

6
Q

How long does GuardDuty need to establish a baseline?

A

7-14 days

7
Q

How can applications retrieve credentials?

A

By calling the Secrets Manager API (GetSecretValue) at runtime through the SDK or CLI, so credentials are never hard-coded or stored in config files. The caller needs secretsmanager:GetSecretValue on the secret, plus kms:Decrypt on the key if the secret is encrypted with a customer managed KMS key.

8
Q

What is the difference between Secrets Manager and Parameter Store?

A

Secrets Manager: built for secrets, every secret is KMS-encrypted, built-in rotation via Lambda with native rotation for RDS (MySQL, PostgreSQL, Aurora) credentials, secrets can be replicated to other regions, PAID (per secret per month and per API call).

SSM Parameter Store: stores any user-defined parameter (String, StringList, or SecureString encrypted with KMS), can be plaintext or encrypted, no built-in rotation, no replication of parameters to other regions, but the standard tier is free (advanced parameters are charged).

9
Q

What is the catch when deleting a secret in Secrets Manager?

A

Deletion is not immediate: DeleteSecret schedules the secret for deletion after a recovery window of at least 7 days (default 30), during which it cannot be retrieved but can be restored with RestoreSecret. ForceDeleteWithoutRecovery skips the window.

10
Q

Can Secrets Manager secrets be replicated to another region, and what happens if you do?

A

Yes: secrets can be replicated to other regions for multi-region applications and disaster recovery. A replica is a read-only copy kept in sync with the primary; it cannot be edited directly, but it can be promoted to a standalone secret.

11
Q

What is a secret's resource policy handy for?

A

Cross-account access: the policy attached to the secret grants principals in another account permission to read it (they also need kms:Decrypt on the secret's key, granted in the key policy). It can also restrict retrieval to specific roles within the same account.

12
Q

What do secrets have attached?

A

Versions and staging labels: each version has a version ID and can carry labels such as AWSCURRENT, AWSPREVIOUS and AWSPENDING (used during rotation). GetSecretValue returns the AWSCURRENT version unless another version or label is requested.

13
Q

What is AD Federation?

A

Lets users log into AWS with their existing corporate Active Directory credentials (SSO) through a SAML 2.0 trust between ADFS and AWS, instead of creating IAM users for them.

14
Q

What is SAML?

A

Security Assertion Markup Language (2.0): an XML-based open standard for passing authentication and authorization data from an identity provider to a service provider. AWS supports SAML 2.0 for SSO into the console and for the STS AssumeRoleWithSAML API.

15
Q

What are the AD Federation steps?

A
  1. In AWS, ADFS is added as a SAML identity provider in IAM and roles are created that trust that provider
  2. In ADFS, AWS is configured as a Relying Party Trust, with claim rules that emit the AWS Role and RoleSessionName attributes
16
Q

What is AD Federation login process?

A
  1. User signs into ADFS with their corporate login
  2. ADFS returns a SAML assertion, which the browser POSTs to the AWS sign-in endpoint (https://signin.aws.amazon.com/saml)
  3. AWS sign-in calls the STS AssumeRoleWithSAML API to obtain temporary credentials for the role named in the assertion
  4. The user is redirected to the AWS Management Console

17
Q

If you already have on-prem AD, what’s easiest way to give everyone access to AWS?

A

Set up Active Directory Federation Services (ADFS) in the on-premises data center and configure trust in both directions: AWS trusts ADFS as a SAML identity provider, and ADFS trusts AWS as a relying party. This is called AWS federated authentication; it needs no IAM users and no replication of AD into AWS.

18
Q

What is AWS Security Hub?

A

Centralized place to aggregate, prioritize and manage findings from other security services: GuardDuty, Macie, Inspector, IAM Access Analyzer, Firewall Manager, Systems Manager, and third-party products, all in a common finding format (ASFF). It does NOT take Config or CloudTrail as finding sources: CloudTrail logs are not ingested at all, and Config is a prerequisite that the standards checks are built on rather than an integration to enable.

19
Q

How can Security Hub be used?

A

Send findings to CloudWatch Events (EventBridge) so a rule can trigger Lambda or SNS for automated remediation; custom actions let an analyst push selected findings onto the same event bus by hand.
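The Lambda side of that remediation path, as an added example (not AWS code) that serves both this card and the GuardDuty card above, since GuardDuty and Security Hub deliver findings through the same CloudWatch Events / EventBridge bus: a handler that accepts either event shape, normalizes it, and decides what to do. The two sample events are constructed and trimmed to the fields the handler reads; the remediation is returned as a plan instead of being executed (a real handler would call boto3 for SNS, EC2 and CloudTrail at the marked points). The severity bands and the CloudTrail-disabled finding type are GuardDuty's; the ASFF field names are Security Hub's.

```python
"""Triage GuardDuty and Security Hub findings delivered by CloudWatch Events
(EventBridge) and decide the remediation, Lambda-handler style.

Added example, not AWS code. Both sample events are constructed and trimmed
to the fields used here; actions are returned as a plan instead of being
executed (a real handler would call boto3 for SNS, EC2 and CloudTrail).
"""
import json

HIGH, MEDIUM = "HIGH", "MEDIUM"


def guardduty_label(score):
    """GuardDuty severity is numeric: 1-3.9 Low, 4-6.9 Medium, 7 and up High."""
    if score >= 7:
        return HIGH
    if score >= 4:
        return MEDIUM
    return "LOW"


def _from_asff(f):
    """Flatten one Security Hub (ASFF) finding."""
    kind = f["Types"][0] if f.get("Types") else "Unknown"
    return {"account": f["AwsAccountId"], "severity": f["Severity"]["Label"],
            "type": kind, "title": f["Title"],
            "resources": [r["Id"] for r in f.get("Resources", [])],
            "compromise": kind.startswith("TTPs/")}  # threat, not config drift


def normalize(event):
    """Reduce either event shape to a list of flat findings."""
    detail = event["detail"]
    if event.get("source") == "aws.guardduty":
        instance = (detail.get("resource", {}).get("instanceDetails", {})
                    .get("instanceId"))
        return [{"account": detail["accountId"],
                 "severity": guardduty_label(detail["severity"]),
                 "type": detail["type"],
                 "title": detail.get("title", detail["type"]),
                 "resources": [instance] if instance else [],
                 "compromise": True}]  # GuardDuty only reports threats
    if event.get("source") == "aws.securityhub":
        return [_from_asff(f) for f in detail["findings"]]
    raise ValueError("unsupported event source: %r" % event.get("source"))


def plan_actions(findings):
    """Map normalized findings to response actions."""
    actions = []
    for f in findings:
        # A disabled trail blinds every other detector: fix it at any severity.
        if "CloudTrailLoggingDisabled" in f["type"]:
            actions.append({"action": "re-enable-cloudtrail", "account": f["account"]})
        if f["severity"] in (HIGH, "CRITICAL"):
            actions.append({"action": "page-oncall", "title": f["title"]})  # sns.publish
            if f["compromise"]:
                for r in f["resources"]:
                    if r.startswith("i-") or ":instance/" in r:
                        # quarantine security-group swap + snapshot in a real handler
                        actions.append({"action": "isolate-instance", "resource": r})
        elif f["severity"] == MEDIUM:
            actions.append({"action": "open-ticket", "title": f["title"]})
        else:
            actions.append({"action": "log-only", "title": f["title"]})
    return actions


def handler(event, context=None):
    """Lambda entry point for an EventBridge rule on either service."""
    return {"source": event.get("source"), "actions": plan_actions(normalize(event))}


# Constructed events, trimmed to the fields the handler reads.
GUARDDUTY_EVENT = {
    "detail-type": "GuardDuty Finding", "source": "aws.guardduty",
    "detail": {"schemaVersion": "2.0", "accountId": "111122223333",
               "type": "CryptoCurrency:EC2/BitcoinTool.B!DNS", "severity": 8,
               "title": "EC2 instance i-0abc123def456789a is querying a Bitcoin-related domain.",
               "resource": {"resourceType": "Instance",
                            "instanceDetails": {"instanceId": "i-0abc123def456789a"}}},
}
SECURITYHUB_EVENT = {
    "detail-type": "Security Hub Findings - Imported", "source": "aws.securityhub",
    "detail": {"findings": [
        {"AwsAccountId": "111122223333", "Id": "cis-1.14",
         "Types": ["Software and Configuration Checks/Industry and Regulatory Standards/CIS AWS Foundations Benchmark"],
         "Severity": {"Label": "CRITICAL", "Normalized": 90},
         "Title": "1.14 Ensure hardware MFA is enabled for the root account",
         "Resources": [{"Type": "AwsAccount", "Id": "AWS::::Account:111122223333"}]},
        {"AwsAccountId": "111122223333", "Id": "s3-9",
         "Types": ["Software and Configuration Checks/AWS Security Best Practices"],
         "Severity": {"Label": "LOW", "Normalized": 10},
         "Title": "S3.9 S3 bucket server access logging should be enabled",
         "Resources": [{"Type": "AwsS3Bucket", "Id": "arn:aws:s3:::example-logs"}]},
    ]},
}

if __name__ == "__main__":
    for ev in (GUARDDUTY_EVENT, SECURITYHUB_EVENT):
        print(json.dumps(handler(ev), indent=2))
```

Two design points worth copying: the CloudTrail-disabled check runs regardless of severity, because GuardDuty scores that finding Low even though it blinds every other detector; and instance isolation is gated on the finding being a threat (GuardDuty, or a TTPs type in Security Hub), so a CRITICAL configuration control never quarantines a production host.
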

20
Q

What needs to be enabled before security hub works?

A

AWS Config, because the Security Hub security standards (CIS AWS Foundations Benchmark, AWS Foundational Security Best Practices, PCI DSS) are evaluated with Config rules; without Config recording enabled the controls cannot run.