Security Flashcards

1
Q

IAM User Groups can contain other Groups

A

FALSE

2
Q

What does an IAM Policy Statement consist of?

A

A statement in an IAM Policy consists of Sid, Effect, Principal, Action, Resource, and optionally Condition.

Version is part of the IAM Policy itself, not the statement.

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "ListYourObjects",
      "Effect": "Allow",
      "Action": "s3:ListBucket",
      "Resource": [
        "arn:aws:s3:::bucket-name"
      ],
      "Condition": {
        "StringLike": {
          "s3:prefix": [
            "cognito/application-name/${cognito-identity.amazonaws.com:sub}/*"
          ]
        }
      }
    }
  ]
}

3
Q

When to use SSM Parameter Store?

A

Create a SecureString parameter when you need to securely store key/value pairs encrypted with KMS using a single API.

5
Q

Recommended credentials for CodeCommit

A

Use Git credentials generated from IAM

CodeCommit repositories are Git-based and support the basic functionalities of Git such as Git credentials. AWS recommends that you use an IAM user when working with CodeCommit. You can access CodeCommit with other identity types, but the other identity types are subject to limitations.

The simplest way to set up connections to AWS CodeCommit repositories is to configure Git credentials for CodeCommit in the IAM console, and then use those credentials for HTTPS connections.

6
Q

What is a key pair used for?

A

A key pair is used to enable remote SSH access to an EC2 instance without a password.

When you create the EC2 instance, you specify the key pair. The public key is automatically added to ~/.ssh/authorized_keys when the instance is first booted.

When you connect, you specify the private key with your ssh command.

You only need this if connecting from outside of AWS. From the console you can connect directly since you're already authenticated.

7
Q

If you want to grant IAM permissions to a lot of users but don't want to explicitly create a new IAM policy every time you add a user, how would you do this?

A

Policy Variables

Instead of creating individual policies for each user, you can use policy variables and create a single policy that applies to multiple users (a group policy). Policy variables act as placeholders. When you make a request to AWS, the placeholder is replaced by a value from the request when the policy is evaluated.

… "Resource":
["arn:aws:s3:::myBucket/${aws:username}/*"]

8
Q

Which service provides an authentication mechanism that returns a JWT (JSON Web Token)?

A

COGNITO USER POOLS

After successful authentication, Amazon Cognito returns user pool tokens to your app. You can use the tokens to grant your users access to your own server-side resources, or to the Amazon API Gateway.

Amazon Cognito user pools implement ID, access, and refresh tokens as defined by the OpenID Connect (OIDC) open standard.

The ID token is a JSON Web Token (JWT)

9
Q

How does KMS Encryption Work?

A

KMS stores the CMK (Customer Master Key) and receives data from the client, which it then encrypts and sends back.

AWS KMS supports three types of CMKs: customer-managed CMKs, AWS managed CMKs, and AWS owned CMKs.

10
Q

Which security credentials can ONLY be created by the account ROOT user?

A

CloudFront Key Pairs

11
Q

Which is the only resource-based policy that the IAM service supports?

A

Trust Policy

Trust policy - Trust policies define which principal entities (accounts, users, roles, and federated users) can assume the role. An IAM role is both an identity and a resource that supports resource-based policies. For this reason, you must attach both a trust policy and an identity-based policy to an IAM role. The IAM service supports only one type of resource-based policy called a role trust policy, which is attached to an IAM role.

12
Q

How to test IAM permissions?

A

Use the AWS CLI with --dry-run or the IAM Policy Simulator.

14
Q

Cognito User Pool vs Identity Pool

A

User pools are for authentication. Your app users can sign in through the user pool, or federate through a third-party identity provider (IdP).

Identity pools are for authorization. You can use identity pools to create unique identities for users, and give them access to other AWS services.

15
Q

IAM vs IAM Identity Center for creating users

A

You can use both IAM and AWS IAM Identity Center to create new users or federate existing users into AWS. The main difference between the two is that IAM users are granted long-term credentials to your AWS resources, while users in IAM Identity Center receive temporary credentials that are established each time the user signs in to AWS.

17
Q

What is AssumeRole?

A

Returns a set of temporary security credentials that you can use to access AWS resources. These temporary credentials consist of an access key ID, a secret access key, and a security token. Typically, you use AssumeRole within your account or for cross-account access.

For example, the following policy can be attached to a user to allow that user to assume the marketingadminrole.

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": "sts:AssumeRole",
      "Resource": "arn:aws:iam::123456789012:role/marketingadminrole"
    }
  ]
}

18
Q

How would you encrypt data outside of KMS?

A

Make a GenerateDataKey API call, which returns a plaintext data key and an encrypted copy of that data key. Use the plaintext key to encrypt the data.

19
Q

Configure AWS credentials for multiple accounts.

A

AWS access keys/tokens are stored in ~/.aws/credentials.

To update this file, we run
aws configure

To have multiple accounts, we use profiles and run

aws configure --profile myOtherAccount

20
Q

How do you use MFA with the CLI or SDK?

A

Must call STS GetSessionToken

aws sts get-session-token --serial-number arnOfMFADevice --token-code TokenFromDevice --duration-seconds 3600

22
Q

Signing AWS HTTP requests with SigV4. How is the signature transmitted?

A

SDK and CLI do this for you automatically.

There are 2 ways to transmit the SigV4 signature once it is computed:

1) HTTP Authorization header
2) Pre-signed URL - put the signature in the query string under the key X-Amz-Signature

23
Q

AWS CLI credential precedence order

A

Command line options
Environment variables
~/.aws/credentials
~/.aws/config
ECS container / EC2 instance profile credentials

24
Q

How to use MFA with the CLI?

A

aws sts get-session-token --serial-number <arn-of-mfa-device> --token-code <code-from-device> --duration-seconds <seconds>

25
Q

What is a Lambda authoriser used for?

A

An API Gateway feature that controls access to your APIs for bearer-token schemes such as OAuth or SAML using a Lambda function.

26
Q

What is the default rotation period if you enable rotation on KMS keys?

A

1 year.

27
Q

What header do you need for S3 to encrypt using SSE-S3?

A

x-amz-server-side-encryption: aws:kms
(S3) buckets using the SSE-KMS encryption mechanism

x-amz-server-side-encryption: AES256
This refers to Server-Side Encryption with Amazon S3-Managed Encryption Keys (SSE-S3).

28
Q

How to decode an encoded authorisation failure message?

A

aws sts decode-authorization-message

The message is encoded because the details of the authorization status can constitute privileged information that the user who requested the operation should not see. To decode an authorization status message, a user must be granted permissions via an IAM policy to request the DecodeAuthorizationMessage (sts:DecodeAuthorizationMessage) action.

29
Q

Valid LB port range?

A

1024-65535

30
Q

Is S3 encrypted by default?

A

Yes, using SSE-S3.

Amazon S3 automatically enables server-side encryption with Amazon S3 managed keys (SSE-S3) for new object uploads.

Unless you specify otherwise, buckets use SSE-S3 by default to encrypt objects.

32
Q

SSE-S3 vs SSE-KMS

A

Both of these use AES-256 encryption.

The difference is that SSE-S3 manages its own keys. THINK 3 - THINK 256!!

To use SSE-KMS, specify x-amz-server-side-encryption: aws:kms in the header.

To use SSE-S3, specify x-amz-server-side-encryption: AES256 in the header.

33
Q

Geo-spatial caching

A

Think ElastiCache WITH REDIS

34
Q

REDIS WITH CLUSTER MODE.

A

You can leverage ElastiCache for Redis with cluster mode enabled to enhance reliability and availability with little change to your existing workload. Cluster Mode comes with the primary benefit of horizontal scaling up and down of your Redis cluster, with almost zero impact on the performance of the cluster.

Enabling Cluster Mode provides a number of additional benefits in scaling your cluster. In short, it allows you to scale in or out the number of shards (horizontal scaling) versus scaling up or down the node type (vertical scaling). This means that Cluster Mode can scale to very large amounts of storage (potentially 100s of terabytes) across up to 90 shards, whereas a single node can only store as much data in memory as the instance type has capacity for.

Cluster Mode also allows for more flexibility when designing new workloads with unknown storage requirements or heavy write activity. In a read-heavy workload, one can scale a single shard by adding read replicas, up to five, but a write-heavy workload can benefit from additional write endpoints when cluster mode is enabled.

35
Q

REDIS CLUSTER

A

All the nodes in a Redis cluster must reside in the same region (cluster mode enabled or disabled).

While using Redis with cluster mode enabled, there are some limitations:

You cannot manually promote any of the replica nodes to primary.

Multi-AZ is required.

You can only change the structure of a cluster, the node type, and the number of nodes by restoring from a backup.

36
Q

Max size of data a KMS key can encrypt directly?

A

4KB

37
Q

The development team at a retail organization wants to allow a Lambda function in its AWS Account A to access a DynamoDB table in another AWS Account B.

A

Create an IAM role in Account B with access to DynamoDB. Modify the trust policy of the role in Account B to allow the execution role of the Lambda function to assume this role. Update the Lambda function code to add the AssumeRole API call.

38
Q

How is STS used for roles?

A

STS is the Security Token Service. It's used to get temporary credentials for a user or service that wants to ASSUME a ROLE.

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "Statement1",
      "Effect": "Allow",
      "Principal": {},
      "Action": "sts:AssumeRole"
    }
  ]
}

39
Q

Which AWS entities can be used to deploy SSL/TLS server certificates?

A

AWS Certificate Manager
and IAM

IAM is used as a certificate manager only when you must support HTTPS connections in a Region that is not supported by ACM.

40
Q

IAM Deny vs Allow?

A

An explicit Deny always overrides any Allow.

41
Q

x-amz-server-side-encryption header values ?

A

There are two possible values for the x-amz-server-side-encryption header: AES256, which tells S3 to use S3-managed keys, and aws:kms, which tells S3 to use AWS KMS-managed keys.

42
Q

For which encryption mechanism will a request get rejected if the connection is not using HTTPS?

A

SSE-C (customer-provided encryption keys)

AWS rejects any request sent over plain HTTP when using SSE-C.