Security Flashcards
DDOS
Distributed Denial of Service attack attempts to make your site or app unavailable
Common DDOS attacks include layer 4 attacks such as SYN floods or NTP amplification
Common layer 7 attacks include floods of GET/POST requests
Cloud Trail Logging
After-the-fact incident investigation
Near real-time intrusion detection
Industry & regulatory compliance
Remember CloudTrail is basically CCTV for your AWS account. It logs all API calls made to your AWS account and stores these logs in S3
Shield
Shield protects against layer 3 & 4 attacks only
Remember that shield is used for DDOS protection of layer 3 & 4 attacks
Also there are 2 tiers: free and paid
Free comes w/ all accounts
Paid costs 3k per month but gives you a dedicated 24/7 DDOS response team
AWS WAF
Allow all requests except for the ones you specify
Block all requests except the ones you specify
Count the requests that match the properties you specify
WAF operates @ layer 7
WAF can block layer 7 DDOS attacks as well as things like SQL injection & Cross Site Scripting
If you need to block specific countries or IPs, you can do this in WAF
Guard Duty
Uses machine learning to learn what is normal behavior in your AWS environment. It will then alert you to abnormal or malicious behavior
Updates a DB of known malicious domains using external feeds from third parties
Monitors CloudTrail logs, VPC Flow Logs, & DNS logs
Findings appear in the GuardDuty dashboard
CloudWatch Events can be used to trigger a Lambda function to address a threat
Macie
Macie crawls S3 buckets looking for PII, PHI & financial data using AI & pattern matching
Great for complying w/ frameworks like HIPAA, PCI, NIST, etc & preventing identity theft
Macie alerts can be sent to EventBridge & integrated w/ your event mgmt systems
Automate remediation actions using other AWS services such as step functions
Inspector
Used to perform vulnerability scans on EC2 & VPC. EC2 requires the agent, VPC does not
These are called host assessments (EC2) & network assessments (VPC)
You can run these assessments once or alternatively weekly
KMS
A managed service that makes it easy for you to create & control the encryption keys used to encrypt data
You start using the service by requesting the creation of a CMK. You control the lifecycle of the CMK as well as who can use it & who can manage it
Shared Tenancy
Automatic Key Rotation
Automatic Key Generation
Cloud HSM
HSM dedicated to you
Full control of users, groups, keys, etc
No automatic Key Rotation
Three Ways to generate a CMK
AWS creates the CMK for you. The key material for a CMK is generated in HSMs managed by AWS KMS
Import key material from your own key management infrastructure & associate it w/ a CMK
Have the key material generated & used in an AWS Cloud HSM Cluster as part of the custom key store feature in AWS KMS
Three ways to control permissions in KMS/Cloud HSM
Use the key policy
Controlling access this way means the full scope of access to the CMK is defined in a single document, the key policy
Use IAM Policies in combo w/ the key policy. Controlling access this way enables you to manage all permissions for your IAM identities in IAM
Use grants in combo w/ the key policy
Controlling access this way enables you to allow access to the CMK in the key policy, as well as to allow users to delegate their access to others
Secrets Manager
Can be used to securely store your app secrets: DB creds, API keys, SSH keys, PWs, etc.
Apps use the Secrets Manager API
Rotating creds is easy, but be careful
Apps w/ hard-coded creds: don't turn on rotation or it will change the password and things will break
Make sure all apps are configured to use secrets manager before turning on rotation
Parameter Store vs. Secrets Manager
In the exam you will get scenario based questions:
If you are trying to minimize costs use parameter store
If you need more than 10k parameters, key rotation, or the ability to generate passwords using CloudFormation, use Secrets Manager
Presigned URLs
If you see a question about sharing private files in S3, think presigned URLs
Advanced IAM Policies
Not explicitly allowed == implicitly denied
An explicit deny trumps any allow
Only attached policies take effect
AWS joins all applicable assigned policies
AWS managed vs. customer managed