Security

Question 1

WAF vs NACL

Answer 1

WAF

• common exploits like SQL injection
• can be attached to CloudFront

NACL

• IP
• range of IPs
• can’t block IPs when behind CloudFront

Question 2

KMS - Key management service

Answer 2

Regional

Manages CMKs (customer master keys)
- never leave region or KMS

Ideal for S3, DB passwords, API keys

pay per API call

CloudTrail logs of KMS sent to S3

FIPS level 2
- need to show evidence of tampering

Question 3

CMK types

Answer 3

Customer managed

• can view
• can manage
• dedicated to account

AWS managed

• can view
• can NOT manage
• dedicated to account

AWS owned

• can NOT view
• can manage
• NOT dedicated to account

Question 4

Symmetric vs Asymmetric CMKs

Answer 4

Symmetric

• AES-256
• never leaves AWS unencrypted
• Encrypt, decrypt, re-encrypt

Asymmetric

• RSA and ECC
• Private key never leaves AWS unencrypted
• Used by users who can’t call KMS APIs
• AWS services integrated w/ KMS do NOT support asymmetric CMKs
• sign messages, and verify signatures

Question 5

Key policies

Answer 5

Policies created when creating CMKs

Define access

Question 6

Data encryption key

Answer 6

Used to encrypt/decrypt large files

Question 7

CloudHSM (HSM - hardware security module)

Answer 7

dedicated hardware security module
FIPS Level 3 - physical security mechanisms that zero out plaintext security providers when tampered with

manage your own keys
no access to AWS-managed component
Runs w/in VPC in your account
single tenant
no AWS APIs

Question 8

CloudHSM architecture

Answer 8

Stored in it own VPC
Connected to other VPCs via ENI
Not HA by default

Question 9

Systems manager Parameter store

Answer 9

Component of SSM (Systems manager)

Serverless

allows you to securely store secrets

• passwords
• DB connection strings
• license codes
• api keys

values can be encrypted (via KMS) or in plaintext

supports versions and TTL

Question 10

Parameter store hierarchies

Answer 10

/prod/db/mysql/db-string
/dev/app/apikey

15 levels deep

Question 11

Parameter store + CloudFormation

Answer 11

CloudFormation can reference values stored in Parameter store

Question 12

Secrets manager

Answer 12

helps you rotate, manage, and retrieve secrets

secure, audit, and manage secrets

Question 13

Secrets manager vs parameter store

Answer 13

Parameter store:
-free

Secrets manager:

• automatically rotate secrets
• can generate random secrets

Question 14

AWS Shield

Answer 14

sits on perimeter to protect against DDoS attacks

Question 15

Shield Standard vs Advanced

Answer 15

Standard

• Automatically enabled
• no cost
• Protects against
• –SYN/UDP floods
• –reflection attacks

Advanced

• $3000/month
• enhanced protection for EC2, ELB, CloudFront, Route53
• 24/7 access to DDoS response team
• DDoS cost protection

Question 16

WAF

Answer 16

lets you monitor HTTP(S) requests to Cloudfront, ALB, or API gateway

configure filtering rules to allow/deny traffic

• IP
• Query string params
• SQL query injection

Question 17

WAF responses

Answer 17

Allow

Block

Count

Question 18

WAF properties

Answer 18

Originating IP
Originating country
request size
request header values
strings in reqeusts matching regex

Can block

• SQL injection
• XSS

Question 19

AWS firewall manager

Answer 19

allows you to configure and manage FW rules across an AWS org

• WAF rules
• Shield advanced policies
• Configure security groups across multiple accounts
• Audit security groups