Security Flashcards
You are working on a web application which handles confidential financial data. The application runs on a few EC2 instances which are behind an Elastic Load Balancer. How can you ensure the data is encrypted end-to-end in transit between your ELB and EC2 instances?
-Configure a secure listener on your load balancer
Terminating secure connections at the load balancer and using HTTP on the backend might be sufficient for your application. However, if you are developing an application that needs to comply with strict external regulations, you might be required to secure all network connections. First, add a secure listener to your load balancer, then configure the instances in your environment to listen on the secure port and terminate HTTPS connections.
-Configure the instances in your environment to listen on the secure port
Terminating secure connections at the load balancer and using HTTP on the backend might be sufficient for your application. However, if you are developing an application that needs to comply with strict external regulations, you might be required to secure all network connections. First, add a secure listener to your load balancer, then configure the instances in your environment to listen on the secure port and terminate HTTPS connections.
-Terminate HTTPS connections on your EC2 instances
Terminating secure connections at the load balancer and using HTTP on the backend might be sufficient for your application. However, if you are developing an application that needs to comply with strict external regulations, you might be required to secure all network connections. First, add a secure listener to your load balancer, then configure the instances in your environment to listen on the secure port and terminate HTTPS connections.
You are working as a Developer for an online retailer. Your Security Architect has requested that any files stored in S3 must be encrypted. However some teams are continuing to upload their files without encrypting them. Which of the following will ensure that only encrypted data is uploaded?
Use a bucket policy that only allows PUT operations which include the x-amz-server-side-encryption parameter in the request header
There are a few different ways to enforce encryption, however from the provided options, the use of a bucket policy to reject requests that do not include encryption in their header is the best answer
You are designing an application which handles online credit card applications. It will have a number of web and application servers running on EC2, customer reference data stored in S3 and transactional data stored in RDS. The security team advised that a lot of sensitive customer information will be stored in S3 and you have been asked to make sure that all new objects are encrypted at rest to protect the data when they are stored in the bucket. How can you do this?
Select default encryption on your S3 bucket
You can set default encryption on a bucket so that all objects are encrypted when they are stored in the bucket. When you use server-side encryption, Amazon S3 encrypts an object before saving it to disk in its data centers and decrypts it when you download the objects.
An organization is hosting their static website on S3, using a custom domain name. Users have started reporting that their web browsers’ are alerting them to the fact that the organization’s website is “Not Secure” because it is not served via a secure HTTPS connection.
What is the easiest way to start serving the website via HTTPS?
Add a CloudFront distribution in front of the S3 static website, which supports HTTPS with a custom domain name.
S3 buckets do not directly support HTTPS with a custom domain name. The simplest solution is to create a CloudFront distribution and set its origin to the S3 bucket. CloudFront allows you to specify a custom domain name, and supports managed certificates via Amazon Certificate Manager.
Enabling AES-256 Default Encryption on the S3 bucket only affects the object at rest.
Application Load Balancers do support SSL termination but do not support S3 as a target.
AWS Shield relates to Distributed Denial of Service protection, not encryption over the wire.
Your main application currently stores its credentials as a text file on an EC2 server. Your Manager has informed you that this is an insecure practice and has told you to store these credentials in an AWS managed service instead. AWS Systems Manager Parameter Store and AWS Secrets Manager can be used for the secure storage of credentials. Of the below features, which apply to both Secrets Manager and Parameter Store?
-Supports encryption at rest using customer-owned KMS keys
Many aspects of Parameter Store and Secrets Manager appear very similar, but Secrets Manager charges you for storing each secret and also provides a secret rotation service whereas Parameter Store does not. Therefore these are the only three answers related to both services. AWS Systems Manager FAQs AWS Secrets Manager FAQs
-Can store credentials in hierarchical form
Many aspects of Parameter Store and Secrets Manager appear very similar, but Secrets Manager charges you for storing each secret and also provides a secret rotation service whereas Parameter Store does not. Therefore these are the only three answers related to both services. AWS Systems Manager FAQs AWS Secrets Manager FAQs
-Integrated with Identity and Access Management
Many aspects of Parameter Store and Secrets Manager appear very similar, but Secrets Manager charges you for storing each secret and also provides a secret rotation service whereas Parameter Store does not. Therefore these are the only three answers related to both services. AWS Systems Manager FAQs AWS Secrets Manager FAQs
You work for a large government agency which is conducting research for a top secret defense project. You are using SQS to handle messaging between components of a large, distributed application. You need to ensure that confidential data relating to your research is encrypted by the messaging system, which of the following services can you use to centrally manage your encryption keys?
KMS
You can use a CMK to encrypt and decrypt up to 4 KB (4096 bytes) of data. Typically, you use CMKs to generate, encrypt, and decrypt the data keys that you use outside of AWS KMS to encrypt your data. This strategy is known as envelope encryption. CMKs are created in AWS KMS and never leave AWS KMS un-encrypted. To use or manage your CMK, you access them through AWS KMS.