Security Flashcards
AWS Firewall that lets you monitor HTTP and HTTPS
AWS WAF
What services can be protected by an AWS WAF
CloudFront
Application Load Balancer (ALB)
API Gateway
What can be tracked with AWS WAF
IP address request comes from
Country request comes from
Values in request header
Strings in request (based on regex)
Length of request
SQL injection
Cross-site scripting
3 types of allowed behavior for AWS WAF
Allow all requests except ones you specify
Block all requests except the ones you specify
Count number of requests based on specs
What AWS service should you use if you want to prevent certain IP addresses or countries from hitting your CloudFront distribution
WAF
What AWS service should you use to help prevent SQL injection or cross-site scripting on your Layer 7 application
WAF
Where does CloudTrail store its API logs
S3
How to monitor all API calls in your account
CloudTrail
Free DDoS protection for Layer 3 and Layer 4 SYN/UDP flood and reflection attacks
AWS Shield
More enhanced protection for ELB, CloudFront and Route 53 with near real-time notifications of DDoS attacks
AWS Shield Advanced
How much is Shield Advanced
$3000 / month
Centralized Threat detection service that uses Machine Learning to continuously look for malicious activity in your account/s and lookups on known malicious IPs.
AWS GuardDuty
How can you respond to a threat found by GuardDuty?
Create a CloudWatch Event to trigger a Lambda function that addresses a threat
Centralize and set and manage firewall rules across AWS Organizations
Firewall Manager
Automated Security Detection Service that assesses applications for vulnerabilities on EC2 and VPC
AWS Inspector
2 Types of Assessments Inspector can give you
Network Assessment
Host Assessment
TRUE or FALSE Inspector Host assessments can be turned on easily in EC2 Console
FALSE, must install agent on EC2 unless it is an instance that allows SSM manager run command
3 Ways to Create CMK
AWS creates it for you and it is managed in KMS
Can import Key material
Use in CloudHSM
What Encryption service should you use if you need dedicated and full control of hardware
CloudHSM
You want to use Secrets Manager for password rotation. You turned it on, but now your application is having trouble authenticating with the old password. What happened?
Secrets Manager auto rotates the secret once and you had something hard coded in your app
How many parameters can be stored in parameter store?
10,000
Supported Services for AWS Certificate Manager
ELB
CloudFront
API Gateway
Continuously audit AWS Accounts for compliance with things like HIPAA
AWS Audit Manager
Downloading Compliance reports in AWS for Audits
AWS Artifact
What are Cognito User Pools
directories of users that can sign in
What are Cognito Identity Pools
give users access to certain AWS services
Analyze Investigate and Determine Root Cause of potential security issue using Machine Learning and Graph Theory to Triage Security Findings & Threat Hunting
AWS Detective
Deploying physical firewall protection across VPCs fully managed by AWS for IPS
AWS Network Firewall
How to filter traffic before it gets to your Internet Gateway
Use AWS Network Firewall
Single place to view all security alerts from GuardDuty, Inspector, and Macie and AWS Firewall Manager across multiple AWS Accounts
AWS Security Hub
How to grant EC2 permission to an RDS database using an authentication token
IAM database authentication