Security Flashcards
How to block IP at EC2 Instance level?
Host-based firewall
Linux: iptables, ufw, firewalld
Windows: Windows Firewall
How to block IP at EC2 Security Group level?
Using a Security Group, allow only valid IPs; all others will be denied.
Add a host-based firewall at the EC2 instance.
How to block IP at EC2 in a Security Group with a VPC?
Preferably add WAF to filter IP addresses, or add a NACL that permits only valid addresses and rejects bad addresses.
Using a Security Group, allow only valid IPs; all others will be denied.
Add a host-based firewall at the EC2 instance.
How to block IP at EC2 in a Security Group with a VPC along with an Application Load Balancer?
ALB hides the end-user IP; preferably add WAF to filter IP addresses, or add a NACL before the ALB.
Security Group & host-based firewall are ineffective in this case.
How to block IP at EC2 in a Security Group with a VPC along with a Network Load Balancer?
NLB does not hide the end-user IP, so Security Group & host-based firewall will be effective.
Preferably add WAF to filter IP addresses, or add a NACL before the NLB so that only valid traffic is allowed to reach the NLB.
How to block IP at EC2 in a Security Group with a VPC along with ALB & CloudFront?
CloudFront hides the end-user IP & is outside the VPC, so a NACL can't be used.
Add WAF in front of CloudFront to filter IP addresses.
Security Group & host-based firewall are ineffective in this case.
How to block all IPs coming from a country?
The CloudFront Geo match feature can block all IPs originating from a particular country.
Is KMS a global service?
No, KMS is a regional managed service.
Abbreviation for KMS?
Key Managed Service
What is the use of KMS?
KMS is used to manage security keys, which are used to encrypt & decrypt data.
Abbreviation for CMK?
Customer managed keys
What is the use of CMK?
CMK is the logical representation of a key.
Can we transfer a CMK from one region to another?
No, a CMK will never leave the region.
What is the max size of data KMS can encrypt/decrypt?
4KB
How is the KMS service charged?
KMS is charged on a pay-per-API-call basis.
Can we see audit logs for KMS?
Yes, using CloudTrail; KMS audit logs are delivered to S3.
What is the cryptography standard achieved by KMS service?
FIPS 140-2 level 2
What is the cryptography standard achieved by the CloudHSM service?
FIPS 140-2 level 3
What are the different types of KMS?
AWS Managed CMK
Customer Managed CMK
AWS Owned CMK
What are the different types of encryption used in CMK?
Symmetric
Asymmetric
Where do we use symmetric encryption?
Used to encrypt & decrypt data.
Symmetric encryption uses which standards?
AES-256
Where do we use asymmetric encryption?
Used to sign messages & verify signatures.
Asymmetric encryption uses which standards?
RSA / ECC
What is abbreviation for HSM?
Hardware Security Module
What is the use of HSM?
HSM provides a tamper-resistant environment for managing keys.
Difference between KMS & HSM?
In KMS, AWS manages our keys;
in HSM, we manage our keys.
What is the use of Parameter Store?
Parameter Store allows you to securely store parameter values in AWS.
How are parameters in Parameter Store organized?
Hierarchy
Which API call allows you to retrieve all parameters from a hierarchy?
GetParametersByPath
What is the maximum number of hierarchy levels for organizing parameters in Parameter Store?
15
What can be stored in parameter store?
DB password, connection string & app config
Is Parameter Store a free service?
Yes
What is the Secrets Manager service?
It is similar to Parameter Store, with the addition of password rotation & updating the RDS service.
Is Secrets Manager a free service?
No
What is the difference between Parameter Store & Secrets Manager?
Automatic password rotation & update in RDS
What is AWS Shield?
The AWS Shield service provides protection against DDoS attacks.
What are the different types of AWS Shield?
AWS Shield Standard
AWS Shield Advanced
Is AWS Shield Standard a free service?
Yes
Is AWS Shield Advanced a free service?
No
Where can we use WAF?
WAF monitors traffic of CloudFront, ALB & API Gateway.
What are the different behaviors of WAF?
Allow, Block & Count
What is AWS Firewall Manager?
AWS Firewall Manager allows you to manage firewall rules across an organization.