Section - Security Flashcards

1
Q

What is a Layer 4 DDos Attack?

A
  • A layer 4 DDoS attack is often referred to as a SYN flood. It works at the transport layer (TCP).
  • To establish a TCP connection a 3-way handshake takes place.
    • The client sends a SYN packet to a server
    • The server replies with a SYN-ACK
    • and the client then responds to that with an ACK
  • What should happen?
    • After the “3-way handshake” is complete, the TCP connection is established.
    • After this, applications begin sending data using a Layer 7 (application layer) protocol such as HTTP.
  • SYN Floods
    • A SYN flood uses the built-in patience of the TCP stack to overwhelm a server by sending a large number of SYN packets and then ignoring the SYN-ACKs returned by the server.
    • This causes the server to use up resources waiting for a set amount of time for the anticipated ACK that should come from a legitimate client.
  • What Can Happen?
    • There are only so many concurrent TCP connections that a web application server can have open, so if an attacker sends enough SYN packets to a server, it can easily eat through the allowed number of TCP connections.
2
Q

What is an Amplification Attack?

A
  • Amplification/reflection attacks include NTP, SSDP, DNS, CharGen and SNMP attacks, among others.
  • This is where an attacker sends a third-party server (such as an NTP server) a request using a spoofed IP.
3
Q

Amplification Attacks?

A
  • That server will then respond to that request with a greater payload than the initial request (usually in the region of 28-54 times larger than the request) to the spoofed IP address.
  • This means that if the attacker sends a 64-byte packet with a spoofed IP address, the NTP server would respond with up to 3,456 bytes of traffic.
4
Q

What is a Layer 7 Attack?

A
  • A layer 7 attack occurs where a web server receives a flood of GET or POST requests, usually from a botnet or a large number of compromised computers.
5
Q

Exam Tips: DDoS ?

A
  • A Distributed Denial of Service (DDoS) attack attempts to make your website or application unavailable to your end users.
  • Common DDoS attacks include Layer 4 attacks such as SYN floods or NTP amplification attacks.
  • Common Layer 7 attacks include floods of GET/POST requests.
6
Q

What is CloudTrail?

A
  • AWS CloudTrail increases visibility into your user and resource activity by recording AWS Management Console actions and API calls.
  • You can identify which users and accounts called AWS, the source IP address from which the calls were made, and when the calls occurred.
  • CloudTrail stores the logs in S3.
  • What is logged?
    • Metadata around API calls
    • The identity of the API caller
    • The time of the API call
    • The source IP address of the API caller
    • The request parameters
    • The response elements returned by the service
7
Q

What is AWS Shield?

A
  • Free DDoS Protection
  • Protects all AWS customers on Elastic Load Balancing (ELB), Amazon CloudFront, and Route 53
  • Protects against SYN/UDP floods, reflection attacks, and other Layer 3 and Layer 4 attacks
8
Q

What is AWS Shield Advanced?

A
  • Provides enhanced protections for your applications running on Elastic Load Balancing (ELB), Amazon CloudFront, and Route 53 against larger and more sophisticated attacks.
  • Offers always-on, flow-based monitoring of network traffic and active application monitoring to provide near real-time notifications of DDoS attacks.
  • Gives you 24/7 access to the DDoS Response Team (DRT) to help manage and mitigate application-layer DDoS attacks.
  • Protects your AWS bill against higher fees due to Elastic Load Balancing (ELB), Amazon CloudFront, and Amazon Route 53 usage spikes during a DDoS attack.
  • Shield Advanced Costs $3,000 USD per month.
  • Shield Protects against Layer 3 and Layer 4 only
9
Q

What is AWS WAF?

A
  • AWS WAF is a web application firewall that lets you monitor the HTTP and HTTPS requests that are forwarded to Amazon CloudFront or an Application Load Balancer.
  • AWS WAF also lets you control access to your content.
  • You can configure conditions such as which IP addresses are allowed to make a request or which query string parameters need to be passed for the request to be allowed.
  • The Application Load Balancer or CloudFront will either allow the request through or return an HTTP 403 status code.
10
Q

What is AWS GuardDuty?

A
  • GuardDuty is a threat detection service that uses machine learning to continuously monitor for malicious behaviour, such as:
  • Unusual API calls, or calls from malicious IPs
  • Attempts to disable CloudTrail logging
  • Unauthorized Deployments
  • Compromised Instances
  • Reconnaissance by the would-be attackers.
  • Alerts appear in the GuardDuty console and CloudWatch Events
  • Receives feeds from third parties like Proofpoint and CrowdStrike, as well as AWS security, about known malicious domains and IP addresses
  • Monitors CloudTrail logs, VPC Flow logs and DNS logs.
  • Threat Detection with AI
    • 7-14 days to set a baseline - what is normal behaviour on your account?
    • Once active, you will see findings in the GuardDuty console and in CloudWatch Events only if GuardDuty detects behaviour it considers a threat.
  • Pricing
    • 30 days Free, charges based on:
      • Quantity of CloudTrail events
      • Volume of DNS and VPC Flow logs
11
Q

What is Amazon Macie?

A
  • Monitors sensitive data in S3 buckets, such as Personally Identifiable Information (PII)
  • PII is personal data used to establish an individual's identity
  • This data could be exploited by criminals and used in identity theft and financial fraud
  • Home address, email address, Social Security number
  • Passport number, driver's license number
  • Date of birth, phone number, bank account, credit card number
  • Automated Analysis of Data
    • Macie uses machine learning and pattern matching to discover sensitive data stored on S3.
    • Uses AI to recognize whether your S3 objects contain sensitive data, such as PII, PHI (Personal Health Information) and financial data
    • Alerts you to unencrypted buckets
    • Alerts you about public buckets
    • Can also alert you about buckets shared with AWS accounts outside of those defined in your AWS Organizations
12
Q

AWS Macie Alerts?

A
  • You can filter and search Macie alerts in the AWS console
  • Alerts sent to Amazon EventBridge can be integrated with your security information and event management (SIEM) system
  • Can be integrated with AWS Security Hub for broader analysis of your organisation's security posture.
  • Can also be integrated with other AWS services, such as Step Functions, to automatically take remediation actions.
13
Q

What is Amazon Inspector?

A
  • Amazon Inspector is an automated security assessment service that helps improve the security and compliance of applications deployed on AWS.
  • Amazon Inspector automatically assesses applications for vulnerabilities or deviations from best practices.
  • Assessment Findings
    • After performing an assessment, Amazon Inspector produces a detailed list of security findings prioritized by the level of severity.
    • These findings can be reviewed directly or as part of detailed assessment reports that are available via the Amazon Inspector console or API.
  • 2 Types of Assessment
    • Network Assessments
      • Network configuration analysis to check for ports reachable from outside the VPC
      • Inspector agent is not required
    • Host Assessments
      • Vulnerable software (CVE), host hardening (CIS Benchmarks) and security best practices
      • Inspector agent required
14
Q

Amazon Inspector: How does it work?

A
  • Create assessment target
  • Install agents on EC2 instances
    • AWS will automatically install the agent on instances that allow Systems Manager Run Command
  • Create assessment template
  • Perform assessment run
  • Review findings against rules
15
Q

What is AWS KMS?

A

AWS Key Management Service

  • Managed
    • Managed service that makes it easy for you to create and control the encryption keys used to encrypt your data.
  • Integrated
    • Seamlessly integrated with many AWS services to make encrypting data into those services as easy as checking a box.
  • Key Types
    • Symmetric
      • A single encryption key that is used for both encryption and decryption operations
    • Asymmetric
      • A public and private key pair that can be used for encryption and decryption, or for sign and verify operations
      • Use when doing encryption outside of AWS.
  • Regional service
16
Q

AWS KMS Use cases?

A

When to use KMS:

Whenever you are dealing with sensitive information

  • Sensitive data that you want to keep secret
  • Customer data
  • Financial data
  • Database passwords
  • Credentials
  • Secrets
17
Q

What is a CMK?

A
  • Customer Master Key
    • Encrypt / decrypt data up to 4 KB
  • What is it used for?
    • Generate / Encrypt / Decrypt the Data key.
  • Data key
    • Used to encrypt / decrypt your data.
    • The process of encrypting the data key to encrypt your data is called Envelope Encryption.
  • Properties
    • Alias
      • Your application can refer to the alias when using the CMK.
    • Creation Date
      • The date and time when the CMK was created
    • Description
      • You can add your own description to describe the CMK
    • Key State
      • Enabled, Disabled, pending deletion, unavailable
    • Key Material
      • Customer-provided or AWS-provided
    • Stays Inside KMS
      • Can never be exported
20
Q

What is the difference Between AWS-Managed CMK and Customer-Managed CMK?

A
  • AWS-Managed CMK
    • AWS-provided and AWS-managed CMK. Used on your behalf with the AWS services integrated with KMS.
  • Customer-Managed CMK
    • You create, own and manage it yourself.
21
Q

What is Amazon CloudHSM?

A

Amazon CloudHSM is a hardware security module (HSM) used to generate encryption keys.

  • Dedicated hardware for security
  • Generate and manage your own encryption keys
  • AWS does not have access to your keys
22
Q

What is Amazon CloudHSM in the Real World?

A

Amazon CloudHSM allows you to meet corporate, contractual, and regulatory compliance requirements for data security by using dedicated hardware in the cloud.

23
Q

3 ways to generate a CMK?

A
  • AWS creates the CMK for you. The key material for a CMK is generated within hardware security modules managed by AWS KMS.
  • Import key material from your own key management infrastructure and associate it with a CMK.
  • Have the key material generated and used in an AWS CloudHSM cluster as part of the custom key store feature in AWS KMS.
24
Q

3 Ways to Control Permissions?

A
  • Use the key policy
    • Controlling access this way means the full scope of access to the CMK is defined in a single document (the key policy)
  • Use IAM policies in combination with the key policy.
    • Controlling access this way enables you to manage all the permissions for your IAM identities in IAM
  • Use grants in combination with the key policy
    • Controlling access this way enables you to allow access to the CMK in the key policy, as well as allow users to delegate their access to others.
25
Q

KMS Vs. CloudHSM

A
  • KMS
    • Shared tenancy of underlying hardware
    • Automatic Key Rotation
    • Automatic Key generation
  • CloudHSM
    • Dedicated HSM to you
    • Full control of underlying hardware
    • Full control of users, groups, keys etc.
    • No automatic key rotation
26
Q

What is AWS Secrets Manager?

A
  • Secrets Manager is a service that securely stores, encrypts, and rotates your database credentials and other secrets.
  • Encryption in transit and at rest using KMS
  • Automatically rotates credentials
  • Apply fine-grained access control using IAM policies
  • Costs money but is highly scalable
  • What can be stored?
    • RDS credentials
    • Credentials for non-RDS databases
    • Any type of secret, provided you can store it as a key-value pair (SSH keys, API keys)
  • Exam Tip: If you enable rotation, Secrets Manager immediately rotates the secret once to test the configuration, so your applications must get the secrets directly from Secrets Manager and not have them hard-coded.
    • If your applications are using embedded credentials, do not enable rotation because the embedded credentials will no longer work.
27
Q

What is Parameter Store?

A
  • Parameter Store is a capability of AWS Systems Manager that provides secure, hierarchical storage for configuration data management and secrets management.
  • You can store data such as passwords, database strings, Amazon Machine Image (AMI) IDs, and license codes as parameter values.
  • You can store values as plain text or as encrypted data.
  • Parameter Store is Free
  • Limitations:
    • Limit to the number of parameters you can store (currently 10,000)
    • No key rotation
28
Q

Exam Tips: Parameter Store or Secrets Manager

A
  • If you are minimizing cost, use Parameter Store
  • If you need more than 10,000 parameters, key rotation, or the ability to generate passwords using CloudFormation, use Secrets Manager
29
Q

Signing S3 Objects (Presigned URL)?

A
  • All objects in S3 are private by default
  • Only the owner has permissions to access these objects; however, the object owner can optionally share objects with others by creating a presigned URL, using their own security credentials, to grant time-limited permissions to download the objects.
  • Presigned URLs
    • When you create a presigned URL for your object, you must provide your security credentials, specify a bucket name and an object key, and indicate the HTTP method (GET to download the object) as well as the expiration date and time.
    • Anyone who receives the presigned URL can then access the object.
  • Presigned Cookies
    • These can be useful when you want to provide access to multiple restricted files. The cookie will be saved on the user's computer, and they will be able to browse the entire contents of the restricted content.
30
Q

What are Amazon Resource Names (ARNs)?

A
  • ARNs all begin with:
    • arn:partition:service:region:account_id:
31
Q

IAM Policies?

A
  • JSON document that defines permissions
  • Identity policy
  • Resource policy
  • No effect until attached
  • List of statements
32
Q

What are Permission Boundaries?

A
  • Used to delegate administration to other users
  • Prevent privilege escalation or unnecessarily broad permissions
  • Control maximum permissions an IAM policy can grant
33
Q

Exam Tips: IAM policies

A
  • Learn to read and interpret policies
  • Not explicitly allowed == implicitly denied
  • Explicit deny > everything else
  • Only attached policies have an effect
  • AWS joins all applicable policies
  • AWS managed vs Customer managed
34
Q

AWS Certificate Manager?

A
  • AWS Certificate Manager allows you to create, manage and deploy public and private SSL certificates for use with other AWS services.
  • It integrates with other services such as Elastic Load Balancing, CloudFront distributions, and API Gateway, allowing you to easily manage and deploy SSL certificates in your AWS environment.
  • Benefits of AWS Certificate Manager
    • Cost
      • No more paying for SSL certificates
      • AWS Certificate Manager provisions both public and private certificates for free
      • You will still pay for the resources that utilize your certificate (such as your Elastic Load Balancer)
    • Automatic Renewals and Deployment
      • Certificate Manager can automate the renewal of your SSL certificate and automatically update the new certificate with ACM-integrated services, such as Elastic Load Balancing, CloudFront and API Gateway.
    • Easier to Set Up
      • Removes a lot of manual processes, such as generating a key pair or creating a certificate signing request (CSR).
      • You can create your own SSL certificate with just a few clicks in the AWS Management Console.