Security Flashcards

1
Q

How do KMS and CloudTrail work together?

A

Every KMS API call (Encrypt, Decrypt, GenerateDataKey, key policy changes, key deletion, ...) is logged to CloudTrail, so you can audit who used or changed which key, when, and from which IP address.
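
As an added example (not part of the original flashcards and not AWS code), the audit described above can be done offline on the JSON that CloudTrail delivers. The records, account ID, key ARN and role names below are constructed placeholders, and the allow-list of principals is an assumption for the demo. The check flags data-plane calls (Decrypt, GenerateDataKey, ...) by principals that are not expected to use the key, and every key-administration call, since those change who can use the key.

```python
"""Audit KMS key usage from CloudTrail records (added example, stdlib only)."""
import json
from collections import Counter

# Constructed CloudTrail records, not real log data. Account, key and role names are
# placeholders. Field layout follows the CloudTrail record format for KMS events.
KEY_ARN = "arn:aws:kms:eu-west-1:111122223333:key/1234abcd-12ab-34cd-56ef-1234567890ab"
APP_ROLE = "arn:aws:sts::111122223333:assumed-role/app-role/i-0abc"
CONTRACTOR = "arn:aws:iam::111122223333:user/contractor"
SAMPLE_TRAIL = json.dumps({"Records": [
    {"eventTime": "2024-03-01T10:00:00Z", "eventSource": "kms.amazonaws.com",
     "eventName": "GenerateDataKey", "sourceIPAddress": "10.0.1.5",
     "userIdentity": {"type": "AssumedRole", "arn": APP_ROLE},
     "resources": [{"ARN": KEY_ARN}]},
    {"eventTime": "2024-03-01T10:00:02Z", "eventSource": "kms.amazonaws.com",
     "eventName": "Decrypt", "sourceIPAddress": "10.0.1.5",
     "userIdentity": {"type": "AssumedRole", "arn": APP_ROLE},
     "resources": [{"ARN": KEY_ARN}]},
    {"eventTime": "2024-03-01T23:41:10Z", "eventSource": "kms.amazonaws.com",
     "eventName": "Decrypt", "sourceIPAddress": "203.0.113.77",
     "userIdentity": {"type": "IAMUser", "arn": CONTRACTOR},
     "resources": [{"ARN": KEY_ARN}]},
    {"eventTime": "2024-03-01T23:42:00Z", "eventSource": "kms.amazonaws.com",
     "eventName": "PutKeyPolicy", "sourceIPAddress": "203.0.113.77",
     "userIdentity": {"type": "IAMUser", "arn": CONTRACTOR},
     "resources": [{"ARN": KEY_ARN}]},
    {"eventTime": "2024-03-01T10:00:03Z", "eventSource": "s3.amazonaws.com",
     "eventName": "GetObject", "sourceIPAddress": "10.0.1.5",
     "userIdentity": {"type": "AssumedRole", "arn": APP_ROLE},
     "resources": []},
]})

# Data-plane calls that expose plaintext or data keys, and control-plane calls that
# change who can use the key. Admin calls are always worth a review.
DATA_PLANE = {"Decrypt", "Encrypt", "GenerateDataKey", "GenerateDataKeyWithoutPlaintext",
              "ReEncrypt", "Sign"}
ADMIN = {"PutKeyPolicy", "CreateGrant", "ScheduleKeyDeletion", "DisableKey",
         "DisableKeyRotation", "UpdateAlias"}


def principal_of(record):
    """Collapse an assumed-role session ARN to "role/<name>" so the allow-list can be
    written per role instead of per session; other identities keep "user/<name>"."""
    ident = record["userIdentity"]
    arn = ident.get("arn", "")
    if ident.get("type") == "AssumedRole" and ":assumed-role/" in arn:
        return "role/" + arn.split(":assumed-role/")[1].split("/")[0]
    return arn.split(":")[-1]


def audit_key_usage(trail_json, allowed_principals):
    """Return (usage Counter keyed by (key ARN, principal, event), list of findings)."""
    usage, findings = Counter(), []
    for rec in json.loads(trail_json)["Records"]:
        if rec.get("eventSource") != "kms.amazonaws.com":
            continue                       # only KMS events matter for this audit
        who, event = principal_of(rec), rec["eventName"]
        keys = [r["ARN"] for r in rec.get("resources", [])]
        for key_arn in keys:
            usage[(key_arn, who, event)] += 1
        key_text = ",".join(keys) or "?"
        if event in DATA_PLANE and who not in allowed_principals:
            findings.append(f"{rec['eventTime']} {who} called {event} on {key_text} "
                            f"from {rec['sourceIPAddress']} (not an allowed principal)")
        elif event in ADMIN:
            findings.append(f"{rec['eventTime']} {who} changed key config: {event} on {key_text}")
    return usage, findings


if __name__ == "__main__":
    _, found = audit_key_usage(SAMPLE_TRAIL, allowed_principals={"role/app-role"})
    print("\n".join(found))
```

The same logic works on CloudTrail Lake or Athena query results, or on events delivered through EventBridge; the point is that CloudTrail gives you the principal, the key ARN and the source IP for every KMS call, which is what makes a key-usage audit possible.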

2
Q

What is a KMS symmetric key?

A

A single key is used both to encrypt and to decrypt data. The key material never leaves KMS unencrypted; you call the Encrypt, Decrypt and GenerateDataKey APIs instead of handling the key yourself.

AWS services integrated with KMS (S3, EBS, RDS, ...) use symmetric keys.

3
Q

What is a KMS asymmetric key?

A

Two keys: a public key and a private key. For encryption, the public key encrypts and the private key decrypts; for signing, the private key signs and the public key verifies.

The private key never leaves KMS, but the public key can be downloaded and used outside AWS. Use an asymmetric key when something outside AWS, with no access to the KMS API, has to encrypt data that only your key can decrypt, or has to verify signatures you produce.

4
Q

What types of keys does AWS KMS have?

A

AWS owned keys: free, used by default. A key owned by the service that you never see or manage (SSE-S3, SSE-SQS, default encryption in DynamoDB).

AWS managed keys: free (no monthly fee). Created in your account by a service and named aws/<service-name>, e.g. aws/s3 when you choose SSE-KMS in S3 without supplying your own key.

Customer managed keys created in KMS: $1 per month.

Customer managed keys with imported (external) key material: $1 per month.

API requests beyond the free tier are charged for AWS managed and customer managed keys alike.

5
Q

What is automatic key rotation?

A

AWS managed keys rotate automatically every year; you can't change that.

For customer managed keys created in KMS you can enable automatic rotation; the default period is one year and a custom rotation period can be configured.

Keys with imported (external) key material can't be rotated automatically, because KMS doesn't generate their material. You rotate them manually: create a new key and re-point the alias.

Rotation adds new backing key material but keeps the old material, so existing ciphertexts still decrypt, and the key ID and ARN stay the same.

6
Q

What happens to encrypted EBS volumes when copied to another region?

A

When an encrypted EBS snapshot or volume is copied to another region it is re-encrypted with a KMS key in the destination region.

KMS keys are regional, so the source key can't be used in the destination region.

7
Q

What are KMS key policies?

A

Define who can use and who can administer a KMS key. Every key has exactly one key policy; it is the primary access control for the key, and IAM policies only work if the key policy lets them.

For customer managed keys you write the policy (the default policy gives the account root full access, which is what allows IAM policies in the account to grant key usage). For AWS managed keys the policy is set by AWS and lets principals in your account use the key through that service, as long as they have the IAM permissions.

Key policies can also grant use of a key to principals in other AWS accounts (cross-account access); the other account then still needs IAM permissions on its side.

8
Q

Why would you need cross account access to a KMS Key?

A

For copying encrypted EBS snapshots to another account, or sharing an AMI that is backed by an encrypted snapshot: the other account must be allowed by the key policy to use the KMS key the snapshot is encrypted with, otherwise it can't decrypt the data.
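
Added example (not AWS's or the course's own code) for the two cards above: the key policy below follows the documented cross-account pattern, with the default statement for the owner account, a usage-only statement for the external account, and a CreateGrant statement restricted with the kms:GrantIsForAWSResource condition, which EC2/EBS need when the other account launches instances from a shared encrypted snapshot or AMI. The account IDs and role names are placeholders, and key_policy_allows is a deliberately simplified evaluator (Allow statements with AWS principals, action wildcards and that one condition; no Deny, no IAM-policy side, no other condition keys) written here only to make the cross-account semantics visible.

```python
"""Cross-account KMS key policy plus a simplified checker (added example)."""
import fnmatch
import json


def cross_account_key_policy(owner_account, external_account):
    """Key policy where the owner account keeps administration via IAM, and the
    external account gets usage plus grants for AWS resources (EC2/EBS create grants
    to attach volumes built from a shared encrypted snapshot)."""
    owner_root = f"arn:aws:iam::{owner_account}:root"
    external_root = f"arn:aws:iam::{external_account}:root"
    return {
        "Version": "2012-10-17",
        "Statement": [
            {"Sid": "EnableIAMPoliciesInOwnerAccount",   # the default statement
             "Effect": "Allow", "Principal": {"AWS": owner_root},
             "Action": "kms:*", "Resource": "*"},
            {"Sid": "AllowExternalAccountUse",           # usage only, no administration
             "Effect": "Allow", "Principal": {"AWS": external_root},
             "Action": ["kms:Encrypt", "kms:Decrypt", "kms:ReEncrypt*",
                        "kms:GenerateDataKey*", "kms:DescribeKey"],
             "Resource": "*"},
            {"Sid": "AllowExternalAccountGrantsForAWSResources",
             "Effect": "Allow", "Principal": {"AWS": external_root},
             "Action": ["kms:CreateGrant", "kms:ListGrants", "kms:RevokeGrant"],
             "Resource": "*",
             "Condition": {"Bool": {"kms:GrantIsForAWSResource": "true"}}},
        ],
    }


def _account_of(arn):
    return arn.split(":")[4]


def _principal_matches(entry, principal_arn):
    """An account root in a key policy stands for every principal of that account;
    their own IAM policies still have to allow the action."""
    if entry in ("*", principal_arn):
        return True
    return entry.endswith(":root") and _account_of(entry) == _account_of(principal_arn)


def key_policy_allows(policy, principal_arn, action, grant_for_aws_resource=False):
    """Simplified evaluator: Allow statements with AWS principals, action wildcards
    and the kms:GrantIsForAWSResource condition. No Deny, no IAM side."""
    for stmt in policy["Statement"]:
        if stmt["Effect"] != "Allow":
            continue
        principals = stmt["Principal"].get("AWS", [])
        principals = [principals] if isinstance(principals, str) else principals
        if not any(_principal_matches(p, principal_arn) for p in principals):
            continue
        actions = stmt["Action"]
        actions = [actions] if isinstance(actions, str) else actions
        if not any(fnmatch.fnmatchcase(action, pattern) for pattern in actions):
            continue
        wants = stmt.get("Condition", {}).get("Bool", {}).get("kms:GrantIsForAWSResource")
        if wants is not None and wants != str(grant_for_aws_resource).lower():
            continue
        return True
    return False


if __name__ == "__main__":
    print(json.dumps(cross_account_key_policy("111122223333", "444455556666"), indent=2))
```

In the real evaluation the external principal additionally needs an IAM policy in its own account that allows the same kms actions on this key's ARN; granting the account root in the key policy only opens the door, it doesn't walk anyone through it.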

9
Q

What are multi-region keys?

A

KMS keys that are replicated from the origin region to other regions, ending up with interoperable keys that share the same key ID and key material in multiple regions.

They are not global: there is one primary key and one or more replica keys, and each replica is managed independently (its own key policy, grants, aliases and tags).

Useful to decrypt in one region data that was encrypted in another, without a cross-region KMS call.
Useful to lower decryption latency with encrypted global databases (DynamoDB global tables, Aurora global databases) or client-side encrypted columns.

10
Q

How does encryption behave with S3 replication?

A

Unencrypted and SSE-S3 objects are replicated as-is. Objects encrypted with SSE-KMS are decrypted and re-encrypted by S3 during replication: you enable replication of SSE-KMS objects, choose the target KMS key (keys are regional, so a cross-region target needs a key in that region), and the replication role must be allowed to decrypt with the source key and encrypt with the target key.

11
Q

What is SSM Parameter Store?

A

Secure storage for configuration values and secrets, part of AWS Systems Manager.

You create parameters holding your data as text (String, StringList or SecureString); SecureString values are encrypted with KMS. Every edit creates a new version, so you get a history.

You read parameters with the get-parameter / get-parameters-by-path CLI commands (adding --with-decryption for SecureString) or from the SDK, e.g. inside a Lambda function, provided the calling IAM role has ssm:GetParameter (and kms:Decrypt for SecureString values).

12
Q

What is AWS Secrets Manager?

A

Stores secrets such as passwords and API keys. You can schedule rotation every X days.

Rotation runs a Lambda function that generates the new secret and updates it in the target system (e.g. changes the database password), so credentials are renewed without manual work.

Secrets are encrypted with KMS.

13
Q

Which services does Secrets Manager integrate with?

A

Databases such as RDS, Aurora, DocumentDB and Redshift can use Secrets Manager for their user names and passwords.

You create a secret of the database-credentials type, choose the database service and then the database instance; Secrets Manager stores the credentials, your application reads them at runtime, and you get encryption and automatic rotation (Secrets Manager provides the rotation Lambda for these engines).

14
Q

Which service integrates with RDS, Aurora and other databases to store the user names and passwords of your databases?

A

AWS Secrets Manager

15
Q

Which Secrets Manager feature supports multi-region applications?

A

Secrets can be replicated to other regions; replicas stay in sync with the primary secret.

In a disaster-recovery scenario you can promote a replica secret to a standalone secret, e.g. when you promote an RDS read replica in that region to a standalone database.

This is useful for multi-region apps, disaster recovery strategies and multi-region databases.

16
Q

What is AWS Certificate Manager? (ACM)

A

Provision, manage and deploy TLS certificates.

Supports both public certificates (free) and private certificates (issued through AWS Private CA, which has its own pricing) for your AWS resources.

Supports importing external certificates, but those get no automatic renewal.

ACM public certificates can be used with ALB, NLB, CloudFront distributions, APIs on API Gateway and Elastic Beanstalk.

You can't use public ACM certificates directly on EC2 instances: ACM only deploys them to its integrated services.

17
Q

What are the differences between AWS Certificate Manager (ACM) certificates and traditional CA certificates like DigiCert?

A

There is no difference in functionality: both are publicly trusted X.509 certificates.

ACM public certificates are free, but they can only be used with the AWS services ACM integrates with, whereas a DigiCert certificate can be installed anywhere because you hold the private key.

18
Q

What is a great advantage of AWS Certificate Manager owned Certificates when renewing them?

A

They are renewed automatically, and the renewed certificate is installed automatically too, because ACM is integrated with ALB, NLB, CloudFront distributions, APIs on API Gateway and Elastic Beanstalk.

You don't have to worry about installing the new certificate. With DNS validation (the CNAME record stays in place) renewal is fully hands-off; with email validation you still have to answer the renewal email.

19
Q

How does the ALB integration with ACM work?

A

Requests made over HTTP to the ALB can be redirected to HTTPS by a redirect action on the HTTP listener. The HTTPS listener terminates TLS using the certificate from ACM, and the request is then forwarded to the target group (over HTTP or HTTPS to the targets, as configured).

20
Q

What is AWS WAF?

A

Web Application Firewall:

Protects your web applications from common web exploits at layer 7 (HTTP).

21
Q

What are the possible targets of WAF?

A

ALB
API Gateway
CloudFront (http cache endpoint)
AppSync GraphQL API (Web apis)
Cognito User Pool (web and mobile app authentication)

22
Q

Can you deploy WAF on an NLB?

A

No. WAF is for layer 7 protection, so among load balancers it can only be attached to an ALB. An NLB works at layer 4 and never sees HTTP.

23
Q

What options do you have for WAF firewall configurations?

A

You define web ACLs made of rules that match on HTTP headers, body, URI and query strings, and source IP addresses.

Geo-match rules let you block countries.

Rate-based rules give layer 7 DDoS protection: they count requests per source IP over an evaluation window (5 minutes by default) and block IPs that exceed the configured threshold, until their rate drops again.

Managed rule groups and custom rules protect against common HTTP attacks such as SQL injection and cross-site scripting.

24
Q

How does WAF integrate with Cloudfront?

A

WAF web ACLs are regional, except for CloudFront: a web ACL for a CloudFront distribution has global scope and must be created in us-east-1 (N. Virginia).

25
Q

What's the issue with wanting a static IP on a load balancer and using WAF?

A

An ALB doesn't have a static IP; only an NLB does.
And WAF doesn't work with an NLB.

Workaround: put Global Accelerator in front, which gives you static anycast IPs, point Global Accelerator at the ALB, and attach WAF to the ALB.

26
Q

What is AWS Shield?

A

A managed DDoS protection service.

AWS Shield Standard: free and enabled by default for every AWS customer. Protects against common layer 3/4 attacks (SYN/UDP floods, reflection attacks).

AWS Shield Advanced: optional, $3,000 per month per AWS Organization.
Protection against more sophisticated and larger attacks on EC2, ELB, CloudFront, Global Accelerator and Route 53.
24/7 access to the AWS Shield Response Team (SRT, formerly the DDoS Response Team), which can assist during an attack.
DDoS cost protection: credits for the scaling charges incurred during an attack.

27
Q

What is AWS Firewall Manager?

A

A service to manage firewall rules centrally across an AWS Organization.

It gives you central management, across all your accounts, of these features:

WAF rules (for ALB, API Gateway, CloudFront, ...)
Shield Advanced protections for DDoS (Shield Standard has no configuration; it's on by default)
Security groups for EC2, ALB and all ENIs in your VPCs
Network Firewall rules (VPC level)
Route 53 Resolver DNS Firewall rules

It works with security policies: each policy holds a set of rules for one of the features above and applies it to every matching resource in the account or across the organization (multiple accounts). Security policies are regional, so you create them per region.

It can also audit and manage existing individual security groups, and it helps you find and remove redundant or overly permissive rules.

28
Q

Why is it better to use Firewall manager to administer your security policies?

A

Rules in a Firewall Manager policy are applied automatically to new resources as they are created, in every account of the organization, so nobody has to remember to attach a web ACL or security group to each new ALB or instance.

29
Q

What is Firewall manager for?

A

Firewall Manager sits on top of WAF and Shield (and security groups, Network Firewall and DNS Firewall) to automate the application of rules to new resources.

It accelerates cross-account configuration within an organization.

30
Q

How do WAF and Shield work together?

A

They are complementary: WAF covers layer 7, Shield covers layers 3 and 4.

Shield Advanced also uses WAF: with automatic application-layer DDoS mitigation it creates WAF rules for you when it detects an attack on a protected resource.

31
Q

What kind of protection does Shield Standard give you?

A

Layer 3/4 DDoS protection against SYN floods, UDP floods and UDP reflection attacks.

32
Q

How is your edge protected against DDoS attacks?

A

Edge services such as CloudFront, Global Accelerator, Route 53 and the ELBs are protected from SYN/UDP floods and reflection attacks by default through Shield Standard.

At the application layer, CloudFront and WAF protect your backend (e.g. an Auto Scaling group of EC2 instances) from DDoS attacks:
CloudFront absorbs attacks on cached content and can geo-block, so they never reach the origin.
WAF blocks suspicious or malicious request sources (rate-based rules, IP reputation lists, managed rule groups).

33
Q

What is AWS GuardDuty?

A

Intelligent threat detection for your AWS accounts.

It continuously analyzes CloudTrail events (management and S3 data events), VPC Flow Logs and Route 53 DNS query logs, plus optional sources such as EKS audit logs, with machine learning, anomaly detection and threat intelligence feeds. No agent to install.

From this input it produces findings: compromised credentials, crypto-mining on an instance, unusual API calls, and so on.

Findings are sent to EventBridge, so rules can notify you (SNS) or trigger automated remediation (Lambda).

34
Q

What is Amazon Inspector?

A

A service that runs automated, continuous vulnerability assessments.

It matches installed packages against a CVE database and, for EC2, also checks network reachability.

It runs automatically and continuously (rescanning when a new CVE is published or a package changes) and gives each finding a risk score so you can prioritize fixes.

For EC2: uses the SSM agent on the instances to assess known OS and package vulnerabilities and unintended network accessibility (open ports reachable from the internet).

For container images in ECR: images are scanned for vulnerabilities as they are pushed, and rescanned as new CVEs appear.

For Lambda functions: scanned for vulnerable package dependencies and, with code scanning enabled, for vulnerabilities in the function code itself.

35
Q

What is Amazon SSM Agent?

A

Systems manager agent:

Installed on EC2 instances (preinstalled on Amazon Linux and several other AWS AMIs) so Systems Manager can manage them remotely: run commands, patch, collect inventory. Inspector and Patch Manager rely on it.

36
Q

What resources can inspector be used on?

A

Only EC2 instances, container images in ECR and Lambda functions.

37
Q

What is Amazon Macie?

A

A data security and data privacy service.

It analyzes your S3 buckets with machine learning and pattern matching to discover sensitive data and alert you on it, and it inventories buckets that are unencrypted, publicly accessible or shared with other accounts.

The typical sensitive data is PII (personally identifiable information): names, addresses, credit card numbers. Macie also has managed identifiers for financial data and credentials.

38
Q

You have an AMI that has an encrypted EBS snapshot using KMS CMK. You want to share this AMI with another AWS account. You have shared the AMI with the desired AWS account, but the other AWS account still can’t use it. How would you solve this problem?

A

Sharing the AMI isn't enough: the other account also has to be allowed to use the KMS key that encrypted the snapshot. Add the other account to the key policy (key usage plus kms:CreateGrant for AWS resources). Note that this only works with a customer managed key; an AMI whose snapshot is encrypted with the AWS managed key (aws/ebs) can't be shared at all.

39
Q

You need to create KMS Keys in AWS KMS before you are able to use the encryption features for EBS, S3, RDS …

True or False?

A

False.

You can use the AWS managed keys (aws/ebs, aws/s3, aws/rds, ...) that KMS creates in your account the first time you enable encryption for a service, so you don't need to create your own KMS keys.

40
Q

AWS KMS supports both symmetric and asymmetric KMS keys.

A

True

41
Q

When you enable Automatic Rotation on your KMS Key, the backing key is rotated every ……………..

A

1 year (the default; a custom rotation period can also be configured).

42
Q

You have created a Customer-managed CMK in KMS that you use to encrypt both S3 buckets and EBS snapshots. Your company policy mandates that your encryption keys be rotated every 6 months. What should you do?

A

Reconfigure the KMS key and enable automatic key rotation with a rotation period of 180 days (KMS supports custom rotation periods; the default is 1 year).

43
Q

You have a Lambda function used to process some data in the database. You would like to give your Lambda function access to the database password. Which of the following options is the most secure?

A

Have it as an encrypted environment variable and decrypt it at runtime

44
Q

You have a secret value that you use for encryption purposes, and you want to store and track the values of this secret over time. Which AWS service should you use?

A

SSM Parameter Store

SSM Parameters Store can be used to store secrets and has built-in version tracking capability. Each time you edit the value of a parameter, SSM Parameter Store creates a new version of the parameter and retains the previous versions. You can view the details, including the values, of all versions in a parameter’s history.

45
Q

Your user-facing website is a high-risk target for DDoS attacks and you would like to get 24/7 support in case they happen and AWS bill reimbursement for the incurred costs during the attack. What AWS service should you use?

A

AWS Shield Advanced

46
Q

You would like to externally maintain the configuration values of your main database, to be picked up at runtime by your application. What’s the best place to store them to maintain control and version history?

A

SSM Parameter Store

47
Q

AWS GuardDuty scans the following data sources, EXCEPT …………….

1) CloudWatch Logs
2) DNS Logs
3) VPC Flow Logs
4) CloudTrail Logs

A

1) CloudWatch Logs

48
Q

You have a website hosted on a fleet of EC2 instances fronted by an Application Load Balancer. What should you use to protect your website from common web application attacks (e.g., SQL Injection)?

A

AWS WAF

49
Q

You would like to analyze OS vulnerabilities from within EC2 instances. You need these analyses to occur weekly and provide you with concrete recommendations in case vulnerabilities are found. Which AWS service should you use?

A

Amazon Inspector (With the usage of SSM)

50
Q

What is the most suitable AWS service for storing RDS DB passwords which also provides you automatic rotation?

AWS SSM Parameter Store
AWS KMS
AWS Secrets Manager

A

AWS Secrets Manager

51
Q

Which AWS service allows you to centrally manage EC2 Security Groups and AWS Shield Advanced across all AWS accounts in your AWS Organization?

A

AWS Firewall Manager

AWS Firewall Manager is a security management service that allows you to centrally configure and manage firewall rules across your accounts and applications in AWS Organizations. It is integrated with AWS Organizations so you can enable AWS WAF rules, AWS Shield Advanced protection, security groups, AWS Network Firewall rules, and Amazon Route 53 Resolver DNS Firewall rules.

52
Q

What should you use to control access to your KMS CMKs?

KMS Key Policies
KMS IAM Policies
AWS GuardDuty
KMS Access Control Lists (KMS ACL)

A

KMS Key Policies

53
Q

Which AWS service helps you protect your sensitive data stored in S3 buckets?

A

Amazon Macie

Amazon Macie is a fully managed data security service that uses Machine Learning to discover and protect your sensitive data stored in S3 buckets. It automatically provides an inventory of S3 buckets including a list of unencrypted buckets, publicly accessible buckets, and buckets shared with other AWS accounts. It allows you to identify and alert you to sensitive data, such as Personally Identifiable Information (PII).

54
Q

An online-payment company is using AWS to host its infrastructure. The frontend is created using VueJS and is hosted on an S3 bucket and the backend is developed using PHP and is hosted on EC2 instances in an Auto Scaling Group. As their customers are worldwide, they use both CloudFront and Aurora Global database to implement multi-region deployments to provide the lowest latency and provide availability, and resiliency. A new feature required which gives customers the ability to store data encrypted on the database and this data must not be disclosed even by the company admins. The data should be encrypted on the client side and stored in an encrypted format. What do you recommend to implement this?

A

Aurora client-side encryption with KMS multi-region keys.

Client-side encryption for Aurora is a pattern rather than an Aurora feature: the application encrypts the sensitive column values before they are sent to the database, so the data is already ciphertext when it leaves the client. That makes it unreadable to anyone with access to the database, its backups or the network, including the company's own admins. Multi-region keys matter here because the same key material exists in every region the Aurora global database serves, so clients in each region can unwrap their data keys locally with low latency.

Here's how it works:

Key management:

The client needs a data encryption key (DEK) to encrypt the data before it is sent to Aurora.
The DEK is obtained from KMS with GenerateDataKey, which returns the DEK in plaintext together with a copy encrypted under the KMS key.
The encrypted DEK (EDEK) is stored alongside the encrypted data; the plaintext DEK is discarded after use.

Encrypting data:

Before sending data to Aurora, the client encrypts it with the DEK.
The encrypted data and the EDEK are then written to the database. Aurora never decrypts this data; it simply stores it as-is.

Decrypting data:

When reading, the client retrieves the encrypted data and the EDEK.
The client calls KMS Decrypt on the EDEK to get the DEK back, using the multi-region key replica in its own region.
With the DEK the client decrypts the data locally.

Data at rest and in transit:

Since the data is encrypted on the client side, it stays encrypted at rest in Aurora and in transit over the network.
TLS between client and Aurora is still used as an additional layer for everything else on the connection.

Benefits:

Data is encrypted before it leaves the client's control.
Data stays protected even if someone gains access to the Aurora database or its backups.
Helps meet regulations that require encryption of sensitive data.

Key considerations:

Client-side encryption means the client has to handle keys securely. KMS takes care of key management, but it adds complexity to the client application.
Performance impact: encryption and decryption run on the client, and the database can't index or search on encrypted values.
The encryption logic must be integrated into the client code (for example with the AWS Encryption SDK).
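
Added example of the flow described above, not Aurora or AWS SDK code. StubKms stands in for the boto3 KMS client (same generate_data_key / decrypt call shapes, and the EncryptionContext is authenticated, as it is in KMS); seal and open_ are a standard-library encrypt-then-MAC AEAD used only because Python ships no AES, so in production you would use AES-GCM from a real crypto library or the AWS Encryption SDK. The key ARN, table and column names are placeholders. The encryption context binds each ciphertext to its row, so a DBA can't copy an encrypted value from one customer's row into another's and have it decrypt.

```python
"""Client-side envelope encryption of a database column (added example, stdlib only)."""
import base64
import hashlib
import hmac
import json
import os


def _keystream(key, nonce, length):
    """HMAC-SHA256 in counter mode; stand-in for AES-CTR (the stdlib has no AES)."""
    out, counter = b"", 0
    while len(out) < length:
        out += hmac.new(key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return out[:length]


def _subkeys(key):
    return (hmac.new(key, b"enc", hashlib.sha256).digest(),
            hmac.new(key, b"mac", hashlib.sha256).digest())


def seal(key, plaintext, aad=b""):
    """Encrypt-then-MAC AEAD: returns nonce || ciphertext || tag; the tag covers aad too."""
    enc_key, mac_key = _subkeys(key)
    nonce = os.urandom(16)
    ct = bytes(p ^ k for p, k in zip(plaintext, _keystream(enc_key, nonce, len(plaintext))))
    tag = hmac.new(mac_key, aad + nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag


def open_(key, blob, aad=b""):
    """Inverse of seal; raises ValueError when the key, aad or ciphertext doesn't match."""
    enc_key, mac_key = _subkeys(key)
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    expected = hmac.new(mac_key, aad + nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("authentication failed: wrong key or encryption context")
    return bytes(c ^ k for c, k in zip(ct, _keystream(enc_key, nonce, len(ct))))


class StubKms:
    """Offline stand-in for the boto3 KMS client. Same call shapes as
    generate_data_key / decrypt, and the EncryptionContext is authenticated as in
    KMS. The master key never leaves the object, like KMS key material."""

    def __init__(self, key_id):
        self.key_id = key_id
        self._master = os.urandom(32)

    @staticmethod
    def context_bytes(encryption_context):
        # canonical encoding so equal contexts always authenticate the same way
        return json.dumps(encryption_context or {}, sort_keys=True).encode()

    def generate_data_key(self, KeyId, KeySpec="AES_256", EncryptionContext=None):
        if KeyId != self.key_id:
            raise ValueError("unknown key")
        dek = os.urandom(32)                      # fresh data key per call
        wrapped = seal(self._master, dek, self.context_bytes(EncryptionContext))
        return {"Plaintext": dek, "CiphertextBlob": wrapped, "KeyId": self.key_id}

    def decrypt(self, CiphertextBlob, EncryptionContext=None):
        dek = open_(self._master, CiphertextBlob, self.context_bytes(EncryptionContext))
        return {"Plaintext": dek, "KeyId": self.key_id}


def encrypt_field(kms, key_id, value, context):
    """Envelope-encrypt one column value. The stored row holds only the ciphertext
    and the wrapped DEK; the plaintext DEK is used once and dropped."""
    dk = kms.generate_data_key(KeyId=key_id, EncryptionContext=context)
    ct = seal(dk["Plaintext"], value.encode(), StubKms.context_bytes(context))
    return {"ct": base64.b64encode(ct).decode(),
            "edek": base64.b64encode(dk["CiphertextBlob"]).decode(),
            "key_id": dk["KeyId"]}


def decrypt_field(kms, row, context):
    """Unwrap the DEK through KMS with the same context, then decrypt locally."""
    dek = kms.decrypt(CiphertextBlob=base64.b64decode(row["edek"]),
                      EncryptionContext=context)["Plaintext"]
    return open_(dek, base64.b64decode(row["ct"]), StubKms.context_bytes(context)).decode()


if __name__ == "__main__":
    kms = StubKms("arn:aws:kms:us-east-1:111122223333:key/mrk-example")  # placeholder ARN
    ctx = {"table": "payments", "column": "card_holder", "customer_id": "c-42"}
    stored = encrypt_field(kms, kms.key_id, "Ada Lovelace", ctx)
    print(stored)                            # what the DBA sees in the row
    print(decrypt_field(kms, stored, ctx))   # what the client sees
```

With a multi-region key, the replica in each region holds the same master material, so the Decrypt call in decrypt_field can go to the local region's replica rather than back to the origin region; only the wrapped DEK travels with the data.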

55
Q

You have created the main Edge-Optimized API Gateway in us-west-2 AWS region. This main Edge-Optimized API Gateway forwards traffic to the second level API Gateway in ap-southeast-1. You want to secure the main API Gateway by attaching an ACM certificate to it. Which AWS region are you going to create the ACM certificate in?

A

us-east-1

You need to create the ACM certificate in the us-east-1 (N. Virginia) region. For edge-optimized API Gateways the certificate must be issued in us-east-1, because the edge distribution is handled by CloudFront.

CloudFront is a global service whose control plane, including the certificates it serves at the edge locations, lives in us-east-1; the same rule applies to certificates for CloudFront distributions.

56
Q

You have an S3 bucket that is encrypted with SSE-KMS. You have been tasked to replicate the objects to a target bucket in the same AWS region but with a different KMS Key. You have configured the S3 replication, the target bucket, and the target KMS key and it is still not working. What is missing to make the S3 replication work?

A

You have to give the S3 replication role permission on both KMS keys: kms:Decrypt on the source key and kms:Encrypt on the target key, through the key policies and the role's IAM policy.

57
Q

You have generated a public certificate using LetsEncrypt and uploaded it to the ACM so you can use and attach to an Application Load Balancer that forwards traffic to EC2 instances. As this certificate is generated outside of AWS, it does not support the automatic renewal feature. How would you be notified 30 days before this certificate expires so you can manually generate a new one?

A

Configure an EventBridge rule for the ACM Certificate Approaching Expiration event (ACM emits it daily, starting 45 days before expiry) and target an SNS topic that emails you.

58
Q

You are managing an AWS Organization with multiple AWS accounts. Each account has a separate application with different resources. You want an easy way to manage Security Groups and WAF Rules across those accounts as there was a security incident the last week and you want to tighten up your resources. Which AWS service can help you to do so?

A

AWS Firewall Manager