Security

Question 1

What is a DDOS attack?

Answer 1

Attack that tries to make your service unavailable.

Question 2

What are 3 types of DDOS attacks and at what layers?

Answer 2

1. Syn Ack flood attack layer 4
2. NTP Amplification attack layer 4
3. HTTP/HTTPS flood attack layer 7

Question 3

What is CloudTrail?

Answer 3

CloudTrail is a service that logs AWS API calls for ip address, time, and api call (request params, metadata, response)

Question 4

Would CloudTrail be able to log SSH/RDP into EC2?

Answer 4

No it would not as it needs to be an API call.

Question 5

Where are CloudTrail Logs stored?

Answer 5

S3

Question 6

What is AWS Shield?

Answer 6

It is free DDOS Protection for CloudFront, ELB, Route 53 against layer 3/4 attacks

Question 7

What is AWS Shield Advanced? What are 3

Answer 7

1. Enhanced protection for CloudFront, ELB, Route 53
   2 Provides a dedicated 24/7 AWS response team
2. Near realtime monitoring of DDOS attacks

Question 8

How much is AWS Shield Advanced?

Answer 8

3k a month

Question 9

What Layer does AWS Shield protect? What about WAF?

Answer 9

AWS Shield protects against layer3/4

WAF protects against layer 7

Question 10

What is WAF?

Answer 10

Web Application Firewall provides monitoring and access control for HTTP/HTTPS to ELB,Route 53,CloudFront

Question 11

What kinds of attacks does WAF protect against?

Answer 11

SQL Injection, Cross site scripting, DDOS layer 7

Question 12

What can WAF look at in requests that go through it?

Answer 12

It can look at

1. IP addresses
2. Request parameters
3. string search patterns
4. country originating
5. if there is sql code or scripts

Question 13

What returns if WAF blocks access?

Answer 13

It will return a 403

Question 14

What are the 3 behvious of WAF?

Answer 14

1. allow all content you specify
2. block all content you specify
3. count requests meeting the properties you specify

Question 15

What is AWS Guard Duty? What can be triggered from it?

Answer 15

Threat detection Service that monitors your AWS account for malicious behavior using machine learning AI (taking a baseline)
External db of known threats
Can trigger lambda from Cloudwatch events if threat detected

Question 16

What does AWS Guard Duty monitor?

Answer 16

DNS Logs, Cloudtrail logs, VPC Flow logs

Question 17

What is AWS Macie?

Answer 17

Uses Machine learning to find PII/sensitive data in S3 and alerts you through EventBridge (which you can then automate remediation)

Question 18

What is AWS Inspector?

Answer 18

A security assessment service that inspects for vulnerabilities and best practices

Question 19

What are the 2 types of scanning AWS Inspector does? How do they differ?

Answer 19

1. Network Assesment of configurations in VPC
2. Host Assessment of EC2
   One does not need an agent installed while the other does

Question 20

What is KMS? What are CMK?

Answer 20

KMS is a service that lets you manage and create encryption keys.
CMK are customer master keys, the actual encryption key itself.

Question 21

What is CloudHSM?

Answer 21

A dedicated hardware security module in the cloud that generates your CMK

Question 22

What are 3 ways to generate a CMK?

Answer 22

1. Use AWS HSM
2. Use your own HSM
3. Rent a cloud HSM from AWS

Question 23

What are 3 ways to control access to CMKs?

Answer 23

1. Key policies (who can manage and use keys)
2. IAM policies
3. Grants with key policies (for delegation)

Question 24

What are 3 ways to control access to CMKs?

Answer 24

1. Key policies (who can manage and use keys)
2. IAM policies
3. Grants with key policies (for delegation)

Question 25

What is AWS Secrets Manager?

Answer 25

Service that lets you store encrypted credentials and retrieve/rotate them. e.g. RDS

Question 26

What is AWS Parameter Store?

Answer 26

Service that lets you store your parameters in a hierarchy.

Question 27

What is the difference between Secrets Manager and Parameter store?

Answer 27

Secrets Manager can handle secrets at scale, but costs money

Parameter Store is free but can only handle 10k secrets, and doesn’t have key rotation

Question 28

What should you watch out for with Secrets Manager rotation?

Answer 28

When rotation is enabled, it will immediately attempt to rotate credentials once

Question 29

What is the encryption like for Secrets Manager?

Answer 29

Automatically encrypted in transit and at rest

Question 30

When should you use Presigned URL’s over Presigned Cookies?

Answer 30

Use Presigned URLs with you have a single resource needing public access
Use presigned cookies if there are multiple resources needing to be shared

Question 31

How do you share a video in a private S3 bucket?

Answer 31

Use a presigned url

Question 32

What is a presigned url?

Answer 32

A url generated with a time duration giving access to a private S3 bucket using the object owners credentials

Question 33

Why do we need presigned urls?

Answer 33

By default all objects in S3 are private and only object owner has permission to access

Question 34

How is a not explicitly allowed permission treated in IAM policy?

Answer 34

It is implicitly denied if it is not defined

Question 35

How is an explicit denied permission treated?

Answer 35

IAM will take the denial over everything else

Question 36

How does AWS treat multiple policies on attached to the same role?

Answer 36

The union of all permissions is taken.

Question 37

What is AWS Certificate Manager? What is the cost? What services does it work with?

Answer 37

Service that lets create/manage SSL certificates. Certificates are free and automatically renews/deploys for ELB, CLoudfront,APi Gateway