Security Flashcards

1
Q

What is a DDoS Attack?

A

A Distributed Denial of Service (DDoS) Attack is an attack that attempts to make your website or application unavailable to your end users.

This can be achieved through multiple mechanisms, such as large packet floods, a combination of reflection and amplification techniques, or the use of large botnets.

2
Q

What is a Layer 4 DDoS Attack?

A

A Layer 4 DDoS Attack is often referred to as a “SYN flood”. It works at the transport layer (TCP).

To establish a TCP connection a 3-way handshake takes place. The client sends a SYN packet to a server, the server replies with a SYN-ACK, and the client then responds to that with an ACK.

After the “3-way handshake” is complete, the TCP connection is established. After this, applications begin sending data using Layer 7 (application layer protocol), such as HTTP, etc.

A SYN Flood uses the built-in patience of the TCP stack to overwhelm a server by sending a large number of SYN packets and then ignoring the SYN-ACKs returned by the server. This causes the server to use up resources waiting for a set amount of time for the anticipated ACK that should come from a legitimate client.

3
Q

What happens to the server when it is under a SYN Attack?

A

There are only so many concurrent TCP connections that a web server or application server can have open, so if an attacker sends enough SYN packets to a server, it can easily eat through the allowed number of TCP connections.

This then prevents legitimate requests from being answered by the server.

4
Q

What is an Amplification Attack?

A

Amplification/reflection attacks can include things such as NTP, SSDP, DNS, CharGEN, SNMP attacks, etc.

This is where an attacker sends a third-party server (such as an NTP, or Network Time Protocol, server) a request using a spoofed source IP address.

That server then responds to that request with a greater payload than the initial request (usually within the region of 28-54 times larger than the request) to the spoofed IP address.

This means that if the attacker sends a 64-byte packet with a spoofed IP address, the NTP server may respond with up to 3,456 bytes of traffic to the target.

Attackers can coordinate this across multiple NTP servers at once, so that each of them sends legitimate-looking NTP traffic to the target.

5
Q

What is a Layer 7 Attack?

A

A Layer 7 attack occurs where a web server receives a flood of GET or POST requests, usually from a botnet or a large number of compromised computers.

6
Q

What is AWS CloudTrail?

A

AWS CloudTrail increases visibility into your user and resource activity by recording AWS Management Console actions and API calls and storing the logs in S3.

You can identify which users and accounts called AWS, the source IP address from which the calls were made, and when the calls occurred.

Think of CloudTrail as CCTV monitoring for your AWS account.

7
Q

What is an example of activity that is not recorded in AWS CloudTrail?

A

RDP or SSH traffic

8
Q

What information is logged in AWS CloudTrail?

A
  1. Metadata around API calls
  2. The identity of the API caller
  3. The time of the API call
  4. The source IP address of the caller
  5. The request parameters
  6. The response elements returned by the service
9
Q

What are the benefits of AWS CloudTrail?

A
  1. After-the-fact incident investigation
  2. Near real-time intrusion detection (by integrating CloudTrail with Lambda)
  3. Industry and regulatory compliance
10
Q

What is AWS Shield?

A

It is free DDoS protection

  1. Protects all customers on Elastic Load Balancing (ELB), Amazon CloudFront and Route 53.
  2. It protects against SYN/UDP floods, reflection attacks, and other Layer 3 and 4 attacks
11
Q

What is AWS Shield Advanced?

A

It provides enhanced protections for your applications running on Elastic Load Balancing (ELB), Amazon CloudFront and Route 53 against larger and more sophisticated DDoS attacks.

  1. Offers always-on, flow-based monitoring of network traffic and active application monitoring to provide near-real-time notifications of DDoS attacks
  2. Gives you 24/7 access to the DDoS Response Team (DRT) to help manage and mitigate application-layer DDoS attacks.
  3. Protects your AWS bill against higher fees due to Elastic Load Balancing (ELB), Amazon CloudFront and Route 53 usage spikes during a DDoS attack.
12
Q

What are the costs related to AWS Shield Advanced?

A

Shield Advanced costs $3,000 USD per month

13
Q

What layers does AWS Shield protect against?

A

Layer 3 and Layer 4 attacks

14
Q

What is AWS WAF?

A

AWS WAF is a web application firewall that lets you monitor the HTTP and HTTPS requests that are forwarded to Amazon CloudFront or an Application Load Balancer.

AWS WAF also lets you control access to your content.

You can configure conditions such as what IP addresses are allowed to make this request or what query string parameters need to be passed for the request to be allowed.

The Application Load Balancer or CloudFront will either allow this content to be received or give an HTTP 403 status code.

15
Q

What layer does AWS WAF operate at?

A

Layer 7

16
Q

If you are given a scenario that talks about Layer 4 attacks, what service would you recommend?

A

AWS Shield

17
Q

If you are given a scenario that talks about Layer 7 attacks, what service would you recommend?

A

AWS WAF

18
Q

What are the behaviors of AWS WAF?

A
  1. Allows all requests except the ones you specify
  2. Blocks all requests except the ones you specify
  3. Counts the requests that match the properties you specify
19
Q

What characteristics of web requests can you use to define conditions in AWS WAF?

A
  1. IP addresses that requests originate from
  2. Country that requests originate from
  3. Values in request headers
  4. Presence of SQL code that is likely to be malicious (called SQL injection)
  5. Presence of a script that is likely to be malicious (known as cross-site scripting)
  6. Strings that appear in requests - either specific strings or strings that match regular expression (regex) patterns
20
Q

What type of attacks can AWS WAF protect against?

A
  1. Layer 7 DDoS attacks
  2. SQL injection
  3. Cross-site scripting
21
Q

What is Amazon GuardDuty?

A

GuardDuty is a threat detection service that uses machine learning to continuously monitor for malicious behavior, like:

  1. Unusual API calls, or calls from known malicious IP addresses
  2. Attempts to disable CloudTrail logging
  3. Unauthorized deployments
  4. Reconnaissance by would-be attackers
  5. Port scanning, failed logins
22
Q

What are the features of Amazon GuardDuty?

A
  1. Alerts appear in the GuardDuty Console and CloudWatch Events
  2. Receives feeds from third parties like Proofpoint and CrowdStrike, as well as AWS Security, about known malicious domains and IP addresses, etc.
  3. Monitors CloudTrail logs, VPC Flow Logs, and DNS logs
  4. Centralize threat detection across multiple AWS accounts
  5. Automated response using CloudWatch Events and Lambda
  6. Machine learning and anomaly detection
23
Q

How does the threat detection using AI work in Amazon GuardDuty?

A

It takes 7-14 days to establish a baseline of what normal behavior looks like in your account.

Once active, you will see findings in the GuardDuty console and in CloudWatch Events only if GuardDuty detects behavior that it considers a threat.

24
Q

What are the fees related to using AWS GuardDuty?

A

The first 30 days are free!

And then your charges are based on:

  1. Quantity of CloudTrail events
  2. Volume of DNS and VPC Flow Logs
25
Q

If you are given a scenario that is talking about using AI and automation to protect your whole AWS account, and to monitor things like CloudTrail, VPC Flow Logs and DNS logs, what service would you recommend?

A

AWS GuardDuty

26
Q

What is AWS Firewall Manager?

A

AWS Firewall Manager is a security management service that gives you a single pane of glass for centrally setting up and managing firewall rules across multiple AWS accounts and applications in AWS Organizations.

You can create new AWS WAF rules for your Application Load Balancers, API Gateways, and Amazon CloudFront Distributions.

You can also mitigate DDoS attacks using AWS Shield Advanced for your Application Load Balancers, Elastic IP Addresses, CloudFront Distributions, and more.

27
Q

What are the benefits of using AWS Firewall Manager?

A
  1. Simplify management of firewall rules across your accounts - one single pane of glass allows you to manage security across multiple AWS services and accounts
  2. Ensure compliance of existing and new applications - Firewall Manager automatically enforces security policies that you create across existing and newly created resources, across multiple accounts
28
Q

If you are given a scenario where it talks about needing to manage the resources that need to be secured across multiple accounts, what service would you recommend?

A

AWS Firewall Manager

29
Q

What is PII?

A

Personally Identifiable Information

  1. Personal data used to establish a person’s identity
  2. This data could be exploited by criminals, used in identity theft, and financial fraud
  3. Home address, email address, Social Security Number, passport number, driver's license number, date of birth, phone number, bank account number, credit card number, etc.
30
Q

What is Amazon Macie?

A

Macie uses machine learning and pattern matching to discover sensitive data stored in S3.

  1. Uses AI to recognize whether your S3 objects contain sensitive data, such as PII, PHI and financial data
  2. Alerts you to unencrypted buckets
  3. Alerts you about public buckets
  4. Can also alert you about buckets shared with AWS accounts outside of those defined in your AWS Organization
  5. Great for frameworks such as HIPAA (governs the way healthcare information is stored in the US) and GDPR (governs the way PII is stored in the UK)
31
Q

How can you use alerts from Amazon Macie?

A
  1. You can filter and search Macie alerts on the console.
  2. Alerts sent to Amazon EventBridge can be integrated with your security incident and event management or CM systems
  3. Can be integrated with AWS Security Hub for a broader analysis of your organization’s security posture
  4. Can also be integrated with other AWS services, such as Step Functions, to automatically take remediation actions
32
Q

If you are given a scenario where it is talking about PII and how you can prevent this from being leaked accidentally in S3, what service would you recommend?

A

Amazon Macie

33
Q

What is Amazon Inspector?

A

Amazon Inspector is an automated security assessment service that helps improve the security and compliance of applications deployed on AWS.

Amazon Inspector automatically assesses applications for vulnerabilities or deviations from best practices.

It is used to perform vulnerability scans on both EC2 instances and VPCs.

34
Q

How are assessment findings handled in Amazon Inspector?

A

After an assessment, Amazon Inspector produces a detailed list of security findings prioritized by level of severity.

These findings can be reviewed directly or as part of detailed assessment reports that are available via the Amazon Inspector console or API.

35
Q

What are the two types of assessments performed in Amazon Inspector?

A
  1. Network Assessments - network configuration analysis to check for ports reachable outside the VPC (Inspector agent is not required)
  2. Host Assessments - vulnerable software (CVE), host hardening (CIS, or Center of Information Security, Benchmarks) and security best practices (Inspector agent is required)
36
Q

How do you set up Amazon Inspector?

A
  1. Create assessment target
  2. Install agents on EC2 instances - AWS automatically installs the agent for instances that allow Systems Manager Run Command
  3. Create assessment template
  4. Perform assessment run
  5. Review findings against the rules

You can choose to run the assessment once or run them weekly.

37
Q

If you are given a scenario that talks about vulnerability scans, what service would you recommend?

A

Amazon Inspector

38
Q

What is AWS KMS?

A

AWS Key Management Service (KMS) is a managed service that makes it easy for you to create and control the encryption keys used to encrypt your data.

39
Q

What services does AWS KMS integrate with?

A
  1. EBS
  2. S3
  3. RDS
    and more…
40
Q

How are encryption keys controlled in AWS KMS?

A

AWS provides you with centralized control over the lifecycle and permissions of your keys.

You can create new keys whenever you wish, and you can control who can manage the keys separately from who can use them.

41
Q

What is a Customer Managed Key (CMK) in AWS KMS?

A

A Customer Managed Key (CMK) is a logical representation of a master key. The CMK includes metadata, such as the key ID, creation date, description and key state.

The CMK also contains the key material used to encrypt and decrypt data.

42
Q

What are the three ways to generate a Customer Managed Key (CMK) in AWS KMS?

A

You request the creation of the CMK, and you also control the lifecycle of the CMK as well as who can use it and manage it.

  1. AWS creates a CMK for you. The key material for a CMK is generated within HSMs managed by AWS KMS.
  2. Import key material from your own key management infrastructure and associate it with a CMK.
  3. Have the key material generated and used in an AWS CloudHSM cluster as part of the custom key store feature in AWS KMS
43
Q

What is an HSM?

A

A hardware security module (HSM) is a physical computing device that safeguards and manages digital keys and performs encryption and decryption functions.

An HSM contains one or more secure cryptoprocessor chips.

44
Q

How does key rotation work in AWS KMS?

A

You can choose to have AWS KMS automatically rotate CMKs every year, provided that those keys were generated within the AWS KMS HSMs.

Automatic key rotation is not supported for imported keys, asymmetric keys, or keys generated in an AWS CloudHSM cluster using the AWS KMS custom key store feature.

45
Q

How do you manage access to AWS KMS keys?

A

The primary way to manage access to your AWS KMS CMKs is with policies. Policies are documents that describe who has access to what.

Policies attached to an IAM identity are called identity-based policies (or IAM policies), and policies attached to other kinds of resources are called resource-based policies.

46
Q

What are Key Policies in AWS KMS?

A

In AWS KMS, you must attach resource-based policies to your customer managed keys (CMKs). These are called key policies.

All KMS CMKs have a key policy.

47
Q

What are the three ways to control permissions of keys in AWS KMS?

A
  1. Use the key policy - controlling access this way means the full scope of access to the CMK is defined in a single document (the key policy)
  2. Use IAM policies in combination with the key policy - controlling access this way enables you to manage all the permissions for your IAM identities in IAM
  3. Use grants in combination with the key policy - controlling access this way enables you to allow access to the CMK in the key policy as well as allow users to delegate their access to others
48
Q

What is CloudHSM?

A

AWS CloudHSM is a cloud-based HSM that enables you to easily generate and use your own encryption keys on the AWS Cloud

It’s a physical device, entirely dedicated to you, that can be deployed in a highly available fashion

49
Q

What is the difference between KMS and CloudHSM?

A

KMS

  1. Shared tenancy of underlying hardware
  2. Automatic key rotation
  3. Automatic key generation

CloudHSM

  1. Dedicated HSM to you
  2. Full control of underlying hardware
  3. Full control of users, groups, keys, etc.
  4. No automatic key rotation
50
Q

What is Secrets Manager?

A

Secrets Manager is a service that securely stores, encrypts, and rotates your database credentials and other secrets.

  1. It has encryption in transit and at rest using KMS
  2. Automatically rotates credentials
  3. Apply fine-grained access control using IAM policies
  4. Costs money but is highly scalable

Your application makes an API call to Secrets Manager to retrieve the secret programmatically.

It reduces the risk of credentials being compromised.

51
Q

What type of secrets can be stored in Secrets Manager?

A
  1. RDS credentials
  2. Credentials for non-RDS databases
  3. Any other type of secret, provided you can store it as a key-value pair (SSH keys, API keys)
52
Q

If you are given a scenario where you want to enable key rotation in Secrets Manager but your application might have the credentials hard-coded in it, what should be done first before enabling key rotation?

A

Ensure that all your applications that have the hard-coded credentials are updated to retrieve the credentials from the secret using Secrets Manager.

53
Q

What is Parameter Store?

A

Parameter Store is a capability of AWS Systems Manager that provides secure, hierarchical storage for configuration data management and secrets management.

You can store things such as passwords, database strings, Amazon Machine Image (AMI) IDs, and license codes as parameter values. You can store values as plain text or encrypted data.

54
Q

What is the cost of using Parameter Store?

A

It is free!

55
Q

What are the 2 key limitations of using Parameter Store vs Secrets Manager?

A
  1. There is a limit to the number of parameters you can store (currently 10,000)
  2. There is no key rotation provided
56
Q

If you are given a scenario where you need to store secrets but are trying to minimize costs, what service would you recommend?

A

Parameter Store

57
Q

If you are given a scenario where you have more than 10,000 parameters, need key rotation or the ability to generate passwords using CloudFormation, what service would you recommend?

A

Secrets Manager

58
Q

When using S3 to store objects, what are the default privacy settings?

A

All objects in S3 are private by default.

Only the object owner has permission to access these objects. However, the object owner can optionally share objects with others by creating a presigned url, using their own security credentials, to grant time-limited permission to download the objects.

59
Q

What are presigned URLs in S3?

A

When you create a presigned URL for your object, you must provide your security credentials, specify a bucket name and an object key, and indicate the HTTP method (for example, GET to download the object) as well as the expiration date and time.

The presigned URLs are valid only for the specified duration.

60
Q

What access is allowed to those who have a presigned URL from S3?

A

Anyone who receives the presigned URL can then access the object.

For example, if you have a video in your bucket and both the bucket and the object are private, you can share the video with others by generating a presigned URL.

61
Q

If you are given a scenario where you need to share a file from S3 but it is in a private bucket, what would you recommend doing to share the file?

A

Use a presigned URL

62
Q

What are presigned cookies?

A

Presigned cookies can be useful when you want to provide access to multiple restricted files. The cookie is saved on the user's computer, and they are then able to browse the entire contents of the restricted content.

63
Q

If you are given a scenario where you are building a photo template website with many photos in a restricted S3 bucket, and your users have to sign up to your website, create an account and pay, after which they are free to download any photo template file, what would you recommend to allow access to all the photo templates in the restricted bucket?

A

Use presigned cookies in S3

64
Q

What is the structure of an AWS ARN?

A

arn:partition:service:region:account_id:

and ends with one of the following:

resource
resource_type/resource
resource_type/resource/qualifier
resource_type/resource:qualifier
resource_type:resource
resource_type:resource:qualifier

Example:

arn:aws:iam::123456789012:user/ryan
arn:aws:s3:::my_awesome_bucket/image.png
arn:aws:dynamodb:us-east-1:123456789012:table/orders
arn:aws:ec2:us-east-1:123456789012:instance/*

65
Q

What are IAM policies?

A
  1. JSON document that defines permissions
  2. They have no effect until they are attached
  3. They are a list of statements - each statement matches an AWS API request
  4. If you don’t explicitly allow something, then it is implicitly denied
  5. If you have an explicit denial for something, it trumps everything else
  6. You can have multiple policies joined to a specific resource
  7. There are both AWS managed and customer managed policies
66
Q

What are the two types of policies?

A
  1. Identity policy - used for applying policies to users and groups
  2. Resource policy - used for controlling access to things like S3 buckets or to our KMS CMKs, etc.
67
Q

What is the SID in a policy in AWS IAM?

A

The SID is a human readable string to tell you what the policy is going to do

68
Q

What is the Effect in a policy in AWS IAM?

A

An effect is either “Allow” or “Deny”

69
Q

What are Actions in a policy in AWS IAM?

A

The actions allowed or denied by the policy.

70
Q

What is the Resource in a policy in AWS IAM?

A

The resource the action is against

71
Q

What are Permission Boundaries?

A
  1. Used to delegate administration to other users
  2. Prevent privilege escalation or unnecessarily broad permissions
  3. Control the maximum permissions an IAM policy can grant

Use Cases:

  1. Developers creating roles for Lambda functions
  2. Application owners creating roles for EC2 instances
  3. Admins creating ad hoc users
72
Q

What is AWS Certificate Manager?

A

AWS Certificate Manager allows you to create, manage and deploy public and private SSL certificates for use with other AWS services

It integrates with other services - such as Elastic Load Balancing, CloudFront distributions and API Gateway - allowing you to easily manage and deploy SSL certificates in your AWS environment.

73
Q

What are the benefits of AWS Certificate Manager?

A
  1. Cost - no more paying for SSL certificates, because AWS Certificate Manager provisions both public and private certificates for free - you will still pay for the resources that utilize your certificates (such as Elastic Load Balancing)
  2. Automated renewals and deployment - Certificate Manager automates the renewal of your SSL certificate and then automatically deploys the new certificate to ACM-integrated services, such as Elastic Load Balancing, CloudFront and API Gateway
  3. Easier to set up - removes a lot of the manual processes, such as generating a key pair or creating a certificate signing request (CSR) - you can create your own SSL certificate with just a few clicks in the AWS console
74
Q

What is Audit Manager?

A

With it, you can continuously audit your AWS usage to make sure you stay compliant with industry standards and regulations.

Audit Manager is an automated service that produces reports specific to auditors for PCI compliance, GDPR and more.

75
Q

What are use cases for Audit Manager?

A
  1. Transition from manual to automated evidence collection - it allows you to produce automated reports for auditors and reduces the need to compile these reports manually
  2. Continuous auditing and compliance - it works on a continuous basis so that, as your AWS environment evolves and adapts, you can produce automated reports to evaluate your environment against industry standards (such as PCI compliance)
  3. Internal risk assessments - you can create a new framework from the beginning or customize prebuilt frameworks - you can also launch assessments to automatically collect evidence, helping you to validate if your internal policies are being followed
76
Q

If you see a scenario about HIPAA or GDPR compliance that asks about continuous auditing or automating audit reports, what service would you recommend?

A

Audit Manager

77
Q

What is AWS Artifact?

A

Artifact is a single source you can visit to get the compliance-related information that matters to you, such as AWS security and compliance reports or select online agreements

78
Q

What is available in AWS Artifact?

A

There are a huge number of compliance reports available, such as AWS Service Organization Control (SOC) reports, Payment Card Industry (PCI) reports, and GDPR reports, as well as other certifications (including ISO reports, HIPAA and more).

79
Q

What is Amazon Cognito?

A

Cognito provides authentication, authorization and user management for your web and mobile apps in a single service without the need for custom code. Your users can sign in directly with a username and password they create or through a third party (e.g., Facebook, Amazon, Google and Apple).

80
Q

What features does Amazon Cognito provide?

A
  1. Sign-up and Sign-in options for your app
  2. Access for guest users
  3. Acts as an identity broker between your application and web ID providers, so you don’t need to write any custom code
  4. Synchronizes user data across multiple devices
  5. Recommended for all mobile applications that call AWS services
81
Q

What are use cases for Amazon Cognito?

A
  1. Authentication - users can sign in using a user pool or a third-party identity provider, such as Facebook
  2. Third-Party Authentication - users can authenticate using identity pools that require an identity provider (IdP) token
  3. Access Server-Side Resources - a signed-in user is given a token that allows them access to resources that you specify
  4. Access AWS AppSync Resources - users can be given access to AppSync resources with tokens received from a user or identity pool in Cognito
82
Q

What are the two main components in Cognito?

A

User Pools and Identity Pools

83
Q

What are User Pools in Cognito?

A

User Pools are directories of users that provide sign-up and sign-in options for your application users

84
Q

What are Identity Pools in Cognito?

A

Identity Pools allow you to give your users access to other AWS resources. You can use Identity Pools and User Pools separately or together.

85
Q

What is the sequence of events for Amazon Cognito User Pools and Identity Pools?

A
  1. Authenticate and get tokens - your device connects to a Cognito User Pool, authenticates, and receives a token
  2. Exchange tokens and get AWS credentials - you then send that token to an Identity Pool, and the Identity Pool gives you AWS credentials in return
  3. Access AWS resources using credentials - you use those credentials to access services such as S3 or DynamoDB