Security

Question 1

DDoS

Answer 1

Distributed Denial of Service

Question 2

Layer 4 DDoS

Answer 2

• SYN flood

- works at the TCP layer

Question 3

How does the Layer 4 three-way handshake work?

Answer 3

1) Client sends a SYN packet to a server
2) server replies with SYN-ACK
3) Client responds with ACK

Question 4

SYN Flood

Answer 4

uses the built in patience of the TCP stack to overwhelm a server by sending a large number of SYN packets and ignoring the SYN-ACK replies sent by the server

• causes the server to use up resources waiting for a set amount of time for the anticipated ACK that should come from a legitimate client
• eats thru the maximum amount of TCP connections

Question 5

Amplification Attack

Answer 5

• where an attacker may send a 3rd party server a request using a spoofed IP address
• 3rd party sends a large # of bytes back to the spoofed IP address, jamming up their servers

Question 6

Layer 7 attack

Answer 6

when a web server gets a flood of GET or POST requests, usually from a bot net or a large number of compromised computers

Question 7

Cloud Trail

Answer 7

increases visibility into your user and resource activity by recording AWS Management Console actions and API calls
- logs are stored in S3

Question 8

What can Cloud Trail identify?

Answer 8

• which users and accounts called AWS
• source IP address
• time of each call
• metadata of each call
• API request parameters
• response elements returned by the service
• NOT RDP or SSH traffic

Question 9

What does Cloud Trail allow?

Answer 9

1) after-the-fact incident investigation
2) near real-time intrusion detection (when coupled with Lambda)
3) industry and regulatory compliance

Question 10

What kind of attacks does Shield protect against?

Answer 10

Layer 3 and Layer 4

• SYN/UPD floods
• reflection attacks

Question 11

Shield

Answer 11

Free DDoS protection

- protects all customers on ELB, CloudFront, Route 53

Question 12

AWS Shield Advanced

Answer 12

$3000/mo

• always-on flow-based monitoring with real-time notifications
• 24/7 access to the DDoS Reponse Team (DRT)
• protects your AWS bill from DDoS usage spikes

Question 13

AWS WAF

Answer 13

A LAYER 7 web application firewall that lets you monitor the https and http requests that are forwarded to CloudFront or an ALB
- also lets you control access to your content

Question 14

What are some example configurations for WAF?

Answer 14

• what IP addresses are allowed to make a request

- what query string parameters need to be passed in

Question 15

What status code will ALB or Cloud Front return if it doesn’t allow the request?

Answer 15

403 - Forbidden

Question 16

What are some WAF behaviors?

Answer 16

1) allow all requests except the ones you specify
2) block all requests except the ones you specify
3) count the requests that match the properties you specify

Question 17

Conditions you can specify in WAF

Answer 17

1) IP Address where requests originate from
2) Country that requests originate from
3) values in request headers
4) reject SQL injection (SQL code)
5) reject presence of a script (cross-site scripting attack)
6) reject or accept based on regex

Question 18

Guard Duty

Answer 18

a threat-detection service that uses machine learning to continuously monitor for malicious behavior

Question 19

What kinds of things does Guard Duty detect?

Answer 19

• unusual API calls
• calls from a known malicious IP
• attempts to disable CloudTrail logging
• unauthorized deployments
• compromised instances
• reconasissance by would-be attackers
• port scanning, failed logins

Question 20

Where do Guard Duty alerts appear?*

Answer 20

• Guard Duty console

- Cloud Watch Events

Question 21

What kinds of feeds can Guard Duty receive?*

Answer 21

• CrowdStrike, Proofpoint, AWS security

Question 22

What does Guard Duty monitor?*

Answer 22

• Cloud Trail logs
• VPC Flow logs
• DNS logs

Question 23

How can you automate responses to what Guard Duty finds?

Answer 23

Lambda and Cloud Watch Events

Question 24

How long does it take for Guard Duty to set up a baseline of what is normal for your account?

Answer 24

7-14 days

Question 25

What does Guard Duty cost?

Answer 25

30 days free, then based on the quantity of Cloud Trail events and the volume of DNS and VPC Flow Log Data

Question 26

Macie

Answer 26

• uses AI to recognize if your S3 objects contain PII, HIPAA or financial data
• alerts you of unencrypted buckets, public buckets or shared buckets
• can send alerts to Event Bridge to be integrated into your security system

Question 27

How can you automate remediation actions with Macie?

Answer 27

Step Functions

Question 28

Inspector

Answer 28

an automated security assessment service that helps improve security & compliance of applications deployed to AWS

Question 29

Kinds of Inspector assessments

Answer 29

• Use for vulnerability scans
• Network assessments: looks at ports, does not require agent to be installed
• Host (EC2) Assessments: looks at vulnerable sofwtware, host hardening and best security practices. Requires Inspector agent to be installed.