Security

Question 1

How to block IP at EC2 Instance level?

Answer 1

“Host based firewall
Linux:iptables,ufw,firewalid
Windows: Windows Firewall”

Question 2

How to block IP at EC2 in Security group Instance level?

Answer 2

“Using Security group can allow only valid IP & all other will be denied.
Add host based firewall at EC2 instance”

Question 3

How to block IP at EC2 in Security group with VPC?

Answer 3

“preferably Add WAF to filter IP address or Add NACL & permit only valid address & reject bad address.
Using Security group can allow only valid IP & all other will be denied.
Add host based firewall at EC2 instance”

Question 4

How to block IP at EC2 in Security group with VPC along with Application load balancer?

Answer 4

“ALB hide end user ip; preferably Add WAF to filter IP address or add NACL before ALB.
Security group & host based firewall is ineffective in this case.”

Question 5

How to block IP at EC2 in Security group with VPC along with network load balancer?

Answer 5

“NLB do not hide end user IP; So Security group & Host based firewall will be effective.
preferably Add WAF to filter IP address or Add NACL before NLB so that we allow only valid traffic to NLB”

Question 6

How to block IP at EC2 in Security group with VPC along with ALB & Cloud front?

Answer 6

“Cloud front will hide end user IP & its outside VPC so NACL cant be used;
Add WAF before cloud front to filter IP address .
Security group & host based firewall is ineffective in this case.”

Question 7

How to block all IP coming from a country?

Answer 7

Cloud Front Geo match feature can block all IP originated from a particular country.

Question 8

Is KMS is global service?

Answer 8

No KMS is a reginal managed service.

Question 9

Abbreviation for KMS?

Answer 9

Key Managed Service

Question 10

What is the use of KMS?

Answer 10

KMS is used to manage security keys which is used to encrypt & decrypt data.

Question 11

abbreviation for CMK?

Answer 11

Customer managed keys

Question 12

What is use of CMK?

Answer 12

CMK is the logical representation of a key

Question 13

Can we transfer CMK from one region to another?

Answer 13

No CMK will never leave the region.

Question 14

What is the max size of data KMS can encrypt/decrypt?

Answer 14

4KB

Question 15

What KMS service is charged?

Answer 15

KMS service charged is based on pay per API call?

Question 16

Can we see audit logs for KMS?

Answer 16

Yes using CloudTrail; we can do audit log for KMS which is delivered to s3.

Question 17

What is the cryptography standard achieved by KMS service?

Answer 17

FIPS 140-2 level 2

Question 18

What is the cryptography standard achieve by Cloud HSM service?

Answer 18

FIPS 140-2 level 3

Question 19

What are the different types of KMS?

Answer 19

“AWS Managed CMK
Customer Managed CMK
AWS Owned CMK”

Question 20

what are the different type of encryption used in CMK?

Answer 20

“Symmetric

Asymmetric”

Question 21

Where we use Symmetric encryption?

Answer 21

Used for encrypt & decrypt data.

Question 22

Symmetric encryption uses which standards?

Answer 22

AES-256

Question 23

Where we use Asymmetric encryption?

Answer 23

Used for sign messages & verify signatures

Question 24

Asymmetric encryption uses which standards?

Answer 24

RSA \ ECC

Question 25

What is abbreviation for HSM?

Answer 25

Hardware security Module

Question 26

What is use of HSM?

Answer 26

HSM provide tamper resistant environment for managing keys.

Question 27

Difference between KMS & HSM?

Answer 27

“In KMS AWS manage our keys

in HSM we manage our keys”

Question 28

What is the use of Parameter store?

Answer 28

parameter store allows you to securly store parameter values in AWS.

Question 29

How parameter in parameter store are organized?

Answer 29

hierarchy

Question 30

Which API call allows you to rederive all parameter from hierarchy?

Answer 30

GetParameterByPath

Question 31

What is the max level we can organize parameter in parameter store?

Answer 31

15

Question 32

What can be stored in parameter store?

Answer 32

DB password, connection string & app config

Question 33

Parameter store is free service?

Answer 33

Yes

Question 34

What is secrets manager service?

Answer 34

It is similar to parameter store with addition of password rotation & updated to RDS service.

Question 35

secrets manager is free service?

Answer 35

no

Question 36

What is difference between parameter store & secrets manager?

Answer 36

Automatic password rotation & update in RDS

Question 37

What is AWS Shield?

Answer 37

AWS Sheld service provide protection against DDOS attack

Question 38

Wat are the different types of AWS Shield?

Answer 38

“AWS Shield Standard

AWS Shield Advance”

Question 39

AWS Shield Standard is free service?

Answer 39

Yes

Question 40

AWS Shield Advance is free service?

Answer 40

no

Question 41

Where we can use WAF?

Answer 41

WAF monitor traffic of CloudFront ,ALB & API Gateway

Question 42

What are the different behaviors of WAF?

Answer 42

Allow, Block & Count

Question 43

What is AWS Firewall Manger?

Answer 43

AWS Firewall manager allows you manage firewall rules across an organization