Section 15: Security in the Cloud Flashcards

1
Q

What is AWS Directory Service?

A

Also known as AWS Managed Microsoft Active Directory, AWS Directory Service is a managed implementation of Microsoft Active Directory running on Windows Server.

What is Active Directory?
Active Directory (AD) is a database and set of services that connect users with the network resources they need to get their work done.

The database (or directory) contains critical information about your environment, including what users and computers there are and who’s allowed to do what. For example, the database might list 100 user accounts with details like each person’s job title, phone number and password. It will also record their permissions.

2
Q

AWS Simple Active Directory

A

Simple AD is a standalone managed directory that is powered by a Samba 4 Active Directory Compatible Server. It is available in two sizes.

Small - Supports up to 500 users (approximately 2,000 objects including users, groups, and computers).

Large - Supports up to 5,000 users (approximately 20,000 objects including users, groups, and computers).

Simple AD provides a subset of the features offered by AWS Managed Microsoft AD, including the ability to manage user accounts and group memberships, create and apply group policies, securely connect to Amazon EC2 instances, and provide Kerberos-based single sign-on (SSO). However, note that Simple AD does not support features such as multi-factor authentication (MFA), trust relationships with other domains, Active Directory Administrative Center, PowerShell support, Active Directory recycle bin, group managed service accounts, and schema extensions for POSIX and Microsoft applications.

3
Q

What is a Federated user?

A

A federated identity is a user who can sign in using a well-known external identity provider (IdP), such as Login with Amazon, Facebook, Google, or any other OpenID Connect (OIDC) -compatible IdP.

4
Q

What is IAM Identity Center?

A

AWS IAM (Identity and Access Management) Identity Center helps you securely create or connect your workforce identities and manage their access centrally across AWS accounts and applications. IAM Identity Center is the recommended approach for workforce authentication and authorization on AWS for organizations of any size and type.

5
Q

What is AWS Cognito?

A

AWS Cognito's primary purpose is to provide sign-in and sign-up functionality on web and mobile apps.

It has two types of pools:
* User Pools - a directory for managing sign-in and sign-up for mobile apps (create user). Identities can come from a Cognito user pool.
* Identity Pools - used to obtain temporary, limited-privilege credentials for AWS services.

6
Q

Encryption in Transit vs at Rest

A

Encryption in transit - data is protected by SSL/TLS in transit (as it is being transferred over the network). E.g. an HTTPS connection.

Encryption at rest - data is encrypted where it is stored (at the source/destination).

7
Q

Asymmetric vs symmetric encryption

A

Asymmetric encryption - uses two keys, a public key for encryption and a private key for decryption.

Symmetric encryption - uses one key to both encrypt and decrypt data.

Asymmetric encryption is the stronger of the two types of encryption.

8
Q

AWS Key Management Services (KMS)

A
  • create and manage symmetric and asymmetric encryption keys
  • keys are protected by HSM (hardware security modules)
  • automatic key rotation (usually every 365 days)
  • use an alias for the key to avoid having to change code when the key changes

Key rotation - https://docs.aws.amazon.com/kms/latest/developerguide/rotate-keys.html

9
Q

AWS Cloud HSM

A
  • AWS Cloud HSM (hardware security modules)
  • generate and use your own encryption keys on the AWS Cloud
  • CloudHSM runs in your own Amazon VPC

AWS CloudHSM is a cryptographic service for creating and maintaining hardware security modules (HSMs) in your AWS environment. HSMs are computing devices that process cryptographic operations and provide secure storage for cryptographic keys.

10
Q

AWS Certificate Manager (ACM)

A
  • create, store and renew SSL/TLS X.509 certificates
  • integrates with several AWS services (load balancing, CloudFront, Beanstalk, CloudFormation)
  • import certs from 3rd party providers
  • public and private certs can be generated
11
Q

ACM vs KMS

A

Encryption in Transit = AWS Certificate Manager (ACM)
Encryption at Rest = AWS Key Management Service (KMS)

12
Q

AWS WAF (Web Application Firewall)

A
  • web app firewall
  • lets you create rules to filter web traffic based on conditions such as IP address, HTTP headers and body, custom URIs, geolocation, and rate limiting
  • protects against common web exploits such as SQL injection and XSS attacks
13
Q

Amazon Inspector

A

Amazon Inspector is an automated vulnerability management service that continually scans AWS workloads for software vulnerabilities and unintended network exposure.

14
Q

Amazon Macie

A

Amazon Macie is a data security service that discovers sensitive data by using machine learning and pattern matching, provides visibility into data security risks, and enables automated protection against those risks.

This applies to data in Amazon S3.

15
Q

AWS GuardDuty

A

Amazon GuardDuty is a threat detection service that continuously monitors your AWS accounts and workloads for malicious activity and delivers detailed security findings for visibility and remediation.

Continuous monitoring for events across:
* CloudTrail management events
* CloudTrail S3 data events
* VPC Flow Logs
* DNS Logs

16
Q

AWS Shield

A

AWS Shield is a managed distributed denial of service (DDoS) protection service that safeguards applications running on AWS.

17
Q

Which AWS service is designed to protect against web exploits and is integrated with Amazon CloudFront?

A

AWS Web Application Firewall (WAF)

AWS WAF is a web application firewall service that helps protect your web apps from common exploits and is integrated with CloudFront.

18
Q

Which multi-tenant cryptographic key management service uses tamper-resistant hardware devices for master keys?

A

AWS Key Management Service (KMS)

AWS KMS is multi-tenant and uses hardware security modules for storage of master keys.

Note: AWS CloudHSM is single-tenant and uses hardware security modules.

19
Q

Which service can be used to add social login capabilities to mobile apps?

A

Amazon Cognito

Amazon Cognito lets you add user sign-up, sign-in, and access control to web and mobile apps.

20
Q

Which type of AWS Active Directory would you use for a new directory with more than 5000 users?

A

AWS Managed Microsoft AD

21
Q

Which Cognito feature would you use to manage sign-in and sign-ups for mobile applications?

A

User Pools

22
Q

AWS Certificate Manager does NOT integrate with which of the following services?

A

Route 53

23
Q

Which AWS security service would you use for DDoS Protection?

A

AWS Shield

24
Q

A company has a mobile app that requires authorized access to AWS services. Users will authenticate using social IdPs. Which service would you recommend the company use?

A

Amazon Cognito

25
Q

Cheat sheets

A
  • WAF & Shield - https://digitalcloud.training/aws-waf-shield/
  • Cloud HSM - https://digitalcloud.training/aws-cloudhsm/
  • KMS - https://digitalcloud.training/aws-kms/
  • AWS Directory Services - https://digitalcloud.training/aws-directory-services/
  • Amazon Cognito - https://digitalcloud.training/amazon-cognito/
  • AWS IAM - https://digitalcloud.training/aws-iam/