Security Flashcards
If you see a question that asks for an Intrusion Prevention System (IPS), think of…
Network Firewall
Which AWS service has access to a database of known malicious IPs?
GuardDuty
How does a Web ACL relate to AWS WAF?
A Web ACL is a configurable component of AWS WAF.
What is GuardDuty?
A threat detection service that uses machine learning to continuously monitor for malicious behaviour.
Which AWS services does AWS Shield work with?
ELB, CloudFront, Route53
If you see a scenario about multiple AWS accounts and resources that need to be secured centrally, think of…
AWS Firewall Manager
Which AWS service provides sign-up and sign-in options for your apps?
Cognito
If you see a question about filtering your network traffic before it even reaches your internet gateway, think of…
Network Firewall
What two types of assessment does Inspector offer and what do they check for?
Network - ports reachable from outside VPC.
Host - CVEs, security best practices.
What is AWS Network Firewall?
A managed service that deploys physical firewall protection across your VPCs.
For exam questions that ask for an AI / automated solution to protect your AWS account, think of…
GuardDuty
Apart from DDoS attacks, what kind of attacks can AWS WAF protect against?
SQL injection
Cross-site scripting
What is KMS?
A managed service that makes it easy for you to manage the encryption keys used to encrypt your data.
Shield/Shield Advanced protects against attacks on which layers?
Layers 3 and 4
What logs does AWS GuardDuty monitor?
CloudTrail Logs
VPC Flow Logs
DNS Logs
Shield Advanced gives you 24/7 access to…
a dedicated DDoS response team.
When should you use Secrets Manager over Parameter Store?
If you need:
- more than 10,000 parameters
- key rotation
- the ability to generate passwords with CloudFormation
Where can you view all your alerts from services like GuardDuty, Inspector, Macie, and Firewall Manager, across multiple accounts?
Security Hub
What’s a typical use case for pre-signed cookies?
A stock photo website
What does Inspector do?
It performs vulnerability scans on EC2 instances and VPCs.
If you need to share an object in a bucket, but both bucket and object are private, think of using…
pre-signed URLs.
How does GuardDuty work?
It needs 7 - 14 days to set a baseline, then alerts on anomalies.
If you enable rotation in Secrets Manager, when will be the next time it rotates the secret?
Immediately
Which AWS tool operates across multiple AWS services and uses graph theory to uncover the root cause of an event?
Detective
What does CloudTrail do?
It records actions in the AWS console and API calls.
i.e. it increases visibility.
When would you use a pre-signed cookie?
When you want to provide access to multiple restricted files in an S3 bucket.
What does AWS Certificate Manager do?
Allows you to create, manage, and deploy SSL certificates for use with other AWS services.
Which tool can tell you, in real time, if you are being DDoSed?
AWS Shield Advanced
When should you use Parameter Store over Secrets Manager?
When trying to minimize costs.
How much does Shield Advanced cost?
$3000 per month
What does CMK stand for?
Customer Master Key
How do you start using KMS?
By requesting the creation of a CMK.
To implement rate limiting, would you use a Web ACL or a NACL?
Web ACL
What layer does AWS WAF operate on?
Layer 7 (Application layer)
If you need to block specific countries or IP addresses, you can use…
AWS WAF
What are two benefits of AWS Certificate Manager?
- Certificates are free.
- It automates the renewal of your SSL certificate.
What are 3 differences between a Web ACL and a NACL?
Web ACL:
- application layer (Inspects HTTP/S traffic)
- fine-grained control
- stateful
NACL:
- network layer (Inspects IP traffic)
- broad control
- stateless
What does Cognito allow your users to do?
Sign in to your web or mobile apps with a username and password they create OR through a third party, e.g. Google, Facebook, Apple.
What are the two limitations of Parameter Store?
- There is a limit to the number of parameters you can store (currently 10,000)
- No automatic key rotation
For questions about HIPAA or GDPR compliance that ask about continuous auditing or automating audit reports, think of…
AWS Audit Manager
What is Parameter Store?
Storage for configuration data management and secrets management.
TRUE or FALSE?
Secrets Manager automatically rotates credentials
TRUE
Where does CloudTrail store the logs?
S3
In Cognito, what does an identity pool do?
It allows your users to access other AWS services.
How can AWS Shield Advanced help with cost savings?
It protects your AWS bill against higher fees due to usage spikes during a DDoS attack.
What can you do with Detective?
It lets you analyse the root cause of potential security issues or suspicious activities.
What is AWS Shield?
Free DDoS protection
What does AWS WAF do?
Monitors the HTTP(S) requests to CloudFront or an Application Load Balancer, and controls access to your content.
What should you make sure of before enabling rotation in Secrets Manager?
That all applications that use those credentials are updated to retrieve them from Secrets Manager, and don’t have them embedded.
This is because Secrets Manager will rotate the credentials immediately, and your application will break.
What does Macie do?
Uses machine learning and pattern matching to discover sensitive data stored in S3, e.g. PII
If you want to get alerts on unencrypted or public S3 buckets, use…
Macie