Security Flashcards
How many KMS key types are there?
Symmetric keys: it’s a single encryption key that is used to encrypt and decrypt for a AWS service that is integrated with KMS using symmetric keys. You never get access to KMS Key
Asymmetric: They are pair of Keys - Public and Private keys. Used to encrypt and decrypt operations. Public key is downloadable, but you don’t have access to the private key. It is used for the use cases that can’t call KMS API.
What are different kind of keys in KMS?
Customer managed keys are KMS keys in your AWS account that you create, own, and manage.
AWS managed keys are KMS keys in your account that are created, managed, and used on your behalf by an AWS service integrated with AWS KMS
Copying Snapshot and Encryption keys?
You can copy a snapshot that has been encrypted using a KMS key. If you copy an encrypted snapshot, the copy of the snapshot must also be encrypted. If you copy an encrypted snapshot within the same AWS Region, you can decrypt the copy with the same KMS key as the original snapshot. Or you can specify a different KMS key.
If you copy an encrypted snapshot across Regions, you must specify a KMS key valid in the destination AWS Region. It can be a Region-specific KMS key or a multi-Region key. For more information on multi-Region KMS keys, see
What is KMS Multi-Region key?
- AWS KMS supports multi-region keys, which are AWS KMS keys in different AWS Regions that can be used interchangeably – as though you had the same key in multiple Regions.
- Each set of related multi-Region keys has the same key material and key ID, so you can encrypt data in one AWS Region and decrypt it in a different AWS Region without re-encrypting or making a cross-Region call to AWS KMS.
- Multi-key region are not global (primary +replica).
- Each Key is managed independently.
The use cases for multi-region keys are global client-side encryption, Encryption for global DynamoDB or global Aurora.
How S3 replication works with encryption?
- Unencrypted objects and objects encrypted with SSE-S3 are replicated by default.
- objects encrypted with SSE-C (customer provided key) are never replicated
- The objects encrypted with SSE - KMS are not replicated by default. You need to enable the option:
—- you need to specify which KMS key to use to encrypt the objects within the target bucket
—- which KMS key policy to adapt for the target key
—- define an IAM role with KMS. This will help decrypt the object using the source KMS key and encrypt the objects with the target KMS key in the target location.
You can also use multi-region AWS Kms, but they are currently treated as independent keys by Amazon S3. That means the objects will still be decrypted and then encrypted.
How to share an encrypted AMI (amazon machine image) with another account?
- Modify the image attribute to add launch permission to allow the target account to use the AMI.
- You must share the KMS keys used to encrypt the AMI with the target account using IAM roles.
- the IAM role in the target account must have the permissions to DescribeKey, Re-encrypted, CreateGrant and Decrypt
- While launching an EC2 instance from the AMI, optionally the target account can specify a new KMS key in its own account to re-encrypt the volumes.
what is SSM parameter store?
AWS Systems Manager Parameter Store (or SSM Parameter Store) is a convenient way to store hierarchical parameters in AWS. You can use it for any configuration values, including secure values like passwords or API keys. It integrates well with other AWS services too.
These parameters can be encrypted by using KMS
It is serverless, scalable and durable with easy SDK
What are SSM parameter tiers?
Standard:
- maximum number of parameters allowed are 10,000
- maximum size of parameter value is 4KB
- parameter policy not available and it’s FREE
Advanced:
- maximum number of parameter allowed are 100,000
- maximum size of parameter allowed is 8 KB
What are SSM parameter tiers?
Standard:
- the maximum number of parameters allowed is 10,000
- the maximum size of the parameter value is 4KB
- parameter policy not available, and it’s FREE
Advanced:
- the maximum number of parameter allowed is 100,000
- the maximum size of parameter allowed is 8 KB
what is AWS secrets manager?
AWS Secrets Manager is a secrets management service that helps you protect access to your applications, services, and IT resources. This service enables you to easily rotate, manage, and retrieve database credentials, API keys, and other secrets throughout their lifecycle.
AWS secret manager can be multi-region and sync the secret across the regions.
What is AWS CloudFormation?
AWS CloudFormation is a service that helps you model and set up your AWS resources so that you can spend less time managing those resources and more time focusing on your applications that run in AWS. You create a template that describes all the AWS resources you want (like Amazon EC2 instances or Amazon RDS DB instances), and CloudFormation provides and configures those resources for you. You don’t need to individually create and configure AWS resources and figure out what’s dependent on what; CloudFormation handles that. The following scenarios demonstrate how CloudFormation can help.
What is SES (Simple email service)?
Amazon SES offers several methods of sending email, including the Amazon SES console, the Simple Mail Transfer Protocol (SMTP) interface, and the Amazon SES API. You can access the API using the AWS Command Line Interface (AWS CLI), or by using an AWS Software Development Kit (SDK).
What is AWS Pinpoint?
Amazon Pinpoint is an AWS service to engage with your customers across multiple messaging channels. You can use Amazon Pinpoint to send push notifications, in-app notifications, emails, text messages, voice messages, and messages over custom channels.
It is scalable to weigh marketing communication services. It can send emails, SMS, push notifications, voice, and in-app messaging. It can receive replies on how to stop it can scale to billions of massages per day.
Use case: run campaigns by sending marketing bulk transactional SMS messages.
What is SSM - Session Manager?
Session Manager is a fully managed AWS Systems Manager capability. With Session Manager, you can manage your Amazon Elastic Compute Cloud (Amazon EC2) instances, edge devices, and on-premises servers and virtual machines (VMs). You can use either an interactive one-click browser-based shell or the AWS Command Line Interface (AWS CLI).
SSM Agent is installed on the EC2 instances so they can be accessed directly without using SSH (or port 22)
What is a System Manager - run command
Run Command can run the command on multiple EC2 instances. There is no need for SSH. The output can be sent to the AWS console, S3 buckets, and Cloudwatch logs. Send notification to SNS about command status. It is integrated with IAM and cloud trail. It can be invoked using an event bridge.
it can be used to automate batching processes, OS updates, application updates, security updates
System Manager - Automation: it can simplify a common maintenance and deployment task of EC2 instances and other AWS resources.
What is AWS Cognito User Pool?
With a user pool,
1. Create a serverless database of users for your application and and mobile application
2. Provide simple login mechanism with user with user name and password. Provide password reset functionality.
3. Provides email phone number verification and functionality
4. Multifactor authentication.
5. Users can sign in to your web or mobile app through Amazon Cognito. Your users can also sign in through social identity providers like Google, Facebook, Amazon, or Apple, and through SAML identity providers.
6. It integrates with API gateway and application load balancer
What is AWS Identify Center?
- Earlier it was called as Single Sign On.
- IAM Identity Center is built on top of AWS Identity and Access Management (IAM) to simplify access management to multiple AWS accounts, AWS applications, and other SAML-enabled cloud applications. In IAM Identity Center, you create, or connect, your workforce users for use across AWS.
E.g.:
* AWS accounts in AWS Organizations
* Business cloud applications (e.g., Salesforce, Box, Microsoft 365, …)
* SAML2.0-enabled applications
* EC2 Windows Instances
What is AD Connector?
AD Connector is a directory gateway with which you can redirect directory requests to your on-premises Microsoft Active Directory without caching any information in the cloud. AD Connector comes in two sizes, small and large. You can spread application loads across multiple AD Connectors to scale to your performance needs. There are no enforced user or connection limits.
What is AWS Control Tower?
Provides ongoing governance for your Control Tower environment (AWS Accounts).
* Preventive Guardrail – using SCPs (e.g., Restrict Regions across all your accounts)
* Detective Guardrail – using AWS Config (e.g., identify untagged resources)
What is GuardDuty?
Amazon GuardDuty is a threat detection service that continuously monitors your AWS accounts and workloads for malicious activity and delivers detailed security findings for visibility and remediation.
how certificates are renewed in ACM?
- ACM generated certificates are renewed 60 days before the expiry
- For external certificates:
a. ACM sends daily expiration events 45 days before the expiry. The events are sent to event bridge (it can go to Lambda, SNS and SQS)
b. You can use AWS Config rule named acm-certificate-expiration-check to theck for expirting certificates (you can configure the number of days before which you will get the event) and sends an event to the event bridge.
