Security Flashcards

(29 cards)

1
Q

DDoS

A

Distributed Denial of Service

2
Q

Layer 4 DDoS

A
  • SYN flood
  • works at the TCP layer

3
Q

How does the Layer 4 three-way handshake work?

A

1) Client sends a SYN packet to a server
2) server replies with SYN-ACK
3) Client responds with ACK

4
Q

SYN Flood

A

uses the built-in patience of the TCP stack to overwhelm a server by sending a large number of SYN packets and ignoring the SYN-ACK replies sent by the server

  • causes the server to use up resources waiting for a set amount of time for the anticipated ACK that should come from a legitimate client
  • eats through the maximum number of TCP connections
5
Q

Amplification Attack

A
  • where an attacker may send a 3rd party server a request using a spoofed IP address
  • the 3rd party sends a large number of bytes back to the spoofed IP address, jamming up the victim's servers
6
Q

Layer 7 attack

A

when a web server gets a flood of GET or POST requests, usually from a botnet or a large number of compromised computers

7
Q

Cloud Trail

A

increases visibility into your user and resource activity by recording AWS Management Console actions and API calls
- logs are stored in S3

8
Q

What can Cloud Trail identify?

A
  • which users and accounts called AWS
  • source IP address
  • time of each call
  • metadata of each call
  • API request parameters
  • response elements returned by the service
  • NOT RDP or SSH traffic
9
Q

What does Cloud Trail allow?

A

1) after-the-fact incident investigation
2) near real-time intrusion detection (when coupled with Lambda)
3) industry and regulatory compliance

10
Q

What kind of attacks does Shield protect against?

A

Layer 3 and Layer 4

  • SYN/UDP floods
  • reflection attacks
11
Q

Shield

A

Free DDoS protection

- protects all customers on ELB, CloudFront, Route 53

12
Q

AWS Shield Advanced

A

$3000/mo

  • always-on flow-based monitoring with real-time notifications
  • 24/7 access to the DDoS Response Team (DRT)
  • protects your AWS bill from DDoS usage spikes
13
Q

AWS WAF

A

A Layer 7 web application firewall that lets you monitor the HTTP and HTTPS requests that are forwarded to CloudFront or an ALB
- also lets you control access to your content

14
Q

What are some example configurations for WAF?

A
  • what IP addresses are allowed to make a request
  • what query string parameters need to be passed in

15
Q

What status code will ALB or Cloud Front return if it doesn’t allow the request?

A

403 - Forbidden

16
Q

What are some WAF behaviors?

A

1) allow all requests except the ones you specify
2) block all requests except the ones you specify
3) count the requests that match the properties you specify

17
Q

Conditions you can specify in WAF

A

1) IP Address where requests originate from
2) Country that requests originate from
3) values in request headers
4) reject SQL injection (SQL code)
5) reject presence of a script (cross-site scripting attack)
6) reject or accept based on regex

18
Q

Guard Duty

A

a threat-detection service that uses machine learning to continuously monitor for malicious behavior

19
Q

What kinds of things does Guard Duty detect?

A
  • unusual API calls
  • calls from a known malicious IP
  • attempts to disable CloudTrail logging
  • unauthorized deployments
  • compromised instances
  • reconnaissance by would-be attackers
  • port scanning, failed logins
20
Q

Where do Guard Duty alerts appear?*

A
  • Guard Duty console
  • Cloud Watch Events

21
Q

What kinds of feeds can Guard Duty receive?*

A
  • CrowdStrike, Proofpoint, AWS security
22
Q

What does Guard Duty monitor?*

A
  • Cloud Trail logs
  • VPC Flow logs
  • DNS logs
23
Q

How can you automate responses to what Guard Duty finds?

A

Lambda and Cloud Watch Events

24
Q

How long does it take for Guard Duty to set up a baseline of what is normal for your account?

25
Q

What does Guard Duty cost?

A

30 days free, then based on the quantity of Cloud Trail events and the volume of DNS and VPC Flow Log data

26
Q

Macie

A
  • uses AI to recognize if your S3 objects contain PII, HIPAA or financial data
  • alerts you of unencrypted buckets, public buckets or shared buckets
  • can send alerts to Event Bridge to be integrated into your security system

27
Q

How can you automate remediation actions with Macie?

A

Step Functions

28
Q

Inspector

A

an automated security assessment service that helps improve security & compliance of applications deployed to AWS

29
Q

Kinds of Inspector assessments

A
  • Use for vulnerability scans
  • Network assessments: looks at ports, does not require an agent to be installed
  • Host (EC2) assessments: looks at vulnerable software, host hardening and best security practices. Requires the Inspector agent to be installed.