Security Flashcards
How do kms and cloudtrail work together?
With cloudtrail you are able to audit every KMS key usage.
What is a kms symmetric key?
Same key is used to encrypt and decrypt data
AWS Services integrated with KMS use symmetric keys
What is a kms asymmetric key?
2 keys. Public key to encrypt, private key to decrypt data.
For cases when you encrypt data outside of aws and then receive data.
What types of keys does aws kms have?
AWS Owned keys: Free default keys. (these are the service owned keys like SSE-S3, SSE-SQS, SSE-DDB),
AWS Managed keys: Free (these are the kms managed keys that services use like SSE-KMS in s3: example: aws/servicename)
Customer Managed Keys created in KMS: 1$ per month
Customer Managed Keys imported (external): 1$ per month
What is automatic key rotation?
AWS KMS managed keys rotate automatically every 1 year.
For AWS KMS Customer managed keys created in kms, you can enable it and its a custom period.
For external keys only manual possible. Cause KMS cant rotate them.
What happens to encrypted EBS volumes when copied to another region?
KMS re encrypts the volumes with a different key.
Keys are regional.
What are kms key policies?
Define who can access and administer your kms keys
Only for customer managed kms keys. For default keys everyone has access as long as they have iam permissions.
You have cross account access to kms keys.
Why would you need cross account access to a KMS Key?
For copying encrypted snapshots across accounts.
What are muti region keys?
KMS Keys that are replicated from the origin region to other regions.
Ending up with the same identical key in multiple regions.
Not global, 1 master key and many replica keys. Each replica key is managed independently.
Great to be able to decrypt data from other regions.
Great to lower latency decryption when using encrypted global databases. Or encrypted columns.
How does encryption behave with s3 replication?
There is decryption and re-encryption with object replication across regions.
What is SSM parameter store?
Its a secure storage for your configurations and secrets.
You use it by creating parameters with the written text of your data. And you can encrypt them if you want.
You can access these parameters with get commands from the cli, and with lambda functions if you have the correct iam permissions for the lambda function.
What is AWS Secrets Manager?
For storing secrets or passwords. You can force rotation of secrets every x number of days.
You can also force generation of secrets on rotations, with lambda. Meaning automatically renew passwords.
Secrets can be encrypted with kms
Which services does secrets manager integrate with?
DBs like RDS, aurora, documentdb, redshift, etc can use secrets manager for you databases user and passwords.
You create a user and secret and specify for which db service you want it, and then choose the database. Now you will be able to access the database with these credentials, and you have secrets manager features like encryption and automatic rotation.
Which server is integrated with RDS and Aurora, or other databases to store users and secrets of your databases?
AWS Secrets Manager
What is a Secrets Manager feature?
You can replicate secrets across regions.
A use case is with read replicas, you can promote a read replica secret to a standalone secret when you need to do disaster recovery in your RDS database.
This is also great for multi region apps, disaster recovery strategies, multi region DBs.
What is AWS Certificate Manager? (ACM)
Provision, manage, and deploy TLS Certificates
Supports creation of both public and private TLS Certificates, for free, for your aws resources.
Supports importing external certificates, with no automatic renewal.
ACM Public Certificates can be used with ALB, NLB, Cloudfront Distributions, APIs on API Gateway and Elastic Beanstalk.
You can’t use public ACM Certs with EC2 instances.
Whats are the differences between AWS Certificate manager (ACM) certificates and traditional CA certificates like DigiCert?
There is no difference in functionality.
AWS CM Public Certificates are free, but limited to specific aws services.
What is a great advantage of AWS Certificate Manager owned Certificates when renewing them?
They are renewed automatically and installed automatically too thanks to ACM being integrated with these services: ALB, NLB, Cloudfront Distributions, APIs on API Gateway, elastic beanstalk.
You don’t need to worry about installing the new certificate.
How does the ALB integration with ACM work?
Requests made with HTTP to your ALB, are redirected to HTTPS by the ALB which has this option. And then the connection will leverage the TLS certificate coming from the ACM. Then the request will be redirected to the target group.
What is AWS WAF?
Web Application Firewall:
Protects your web apps from common web exploits. In layer 7 HTTP.
What are the possible targets of WAF?
ALB
API Gateway
CloudFront (http cache endpoint)
AppSync GraphQL API (Web apis)
Cognito User Pool (web and mobile app authentication)
Can you deploy WAF on an NLB?
No. WAF if for layer 7 protection, so you can only deploy it in the ALB load balancer. NLB is layer 4.
What options do you have for WAF firewall configurations?
You can define web ACLs, based on http headers, body, URI strings.
You can block countries
DDOS protection by counting number of requests and blocking ips if they go over a specified number of requests per second.
All of this to protect against HTTPS attacks, these attacks could be SQL injections, cross site scripting.
How does WAF integrate with Cloudfront?
Generally WAF web ACLs are regional, but for cloudfront they are global.
Whats the issue with using a static ip in a load balancer and using WAF?
ALB doesn’t have static ip. Only NLB does.
And WAF doesn’t work with NLB.
To workaround this limitation you can use global accelerator as a static ip at the front, then point the global accelerator to our ALB, and integrate WAF with ALB.
What is AWS shield?
A service for DDOS protection.
You have AWS Shield Standard: Free and activated by default for everyone.
AWS Shield Advanced: Optional more advanced option. Costs $3000 per month per aws organization.
Grants protection against more sophysticated attacks on your AWS Services.
It also gives you access 24/7 to the AWS DDOS response team, that can assist you in case of an attack.
Also protects you from higher fees if you are attacked.
What is AWS Firewall manager?
A service to manage all firewall rules across an aws org
With this service you get centralized management across your accounts for the following AWS features:
WAF rules for alb, etc.
Shield advanced for DDoS (shield classic has no config, it comes by default)
Security groups for EC2 ALB and all ENIs in your VPCs.
Network Firewall rules(VPC Level)
Route 53 DNS Firewall
It uses security policies with sets of rules in them, to manage the previous features, and those security policies are regional.
What it actually does is it lets you create policies for all the previous features, but it does it for every resource in your account or organization (multiple accounts), PER REGION.
Also manages existing individual SGs.
And finally it helps you get rid of redundant security rules.
Why is it better to use Firewall manager to administer your security policies?
Existing rules are applied to new resources on creation.
What is Firewall manager for?
Firewall manager can be used on top of WAF and Shield to automate application of rules to new resources
Accelerates cross account configurations.
How do waf and shield work together?
They are complementary.
But Shield advanced uses WAF by creating WAF rules automatically for you.
What kind of protection does standard shield give you?
DDoS protection against SYN floods, and UDP reflection
How is your edge protected against DDoS attacks?
Services like cloudfront, global accelerator, Route 53 and ELBs, are protected against syn or udp floods and reflections by default with SHIELD Standard.
Services like WAF and Cloudfront protect your application layer. Thus protecting your backend (ASG of EC2 instances ie) from DDoS attacks.
Cloudfront helps by serving cached content and geo blocks. (Attacks on cache dont affect your backend).
WAF helps by blocking suspicious or malicious sources of requests.
What is AWS GuardDuty?
Intelligent threat discovery to protect your AWS Account
It takes your CloudTrail, DNS, and VPC flow logs, and analyzes them with Machine Learning (ML).
With this input data it finds possible threats.
Can be used with EventBridge rules to notify these findings, or to trigger automations.
What is Amazon Inspector?
Its a service that makes automated security assessments.
It uses a CVE database for the assessments.
It runs automatically, periodically, and gives out a risk score for vulnearbilities found, so that you can prioritize fixes.
For EC2: Using the SSM agent on EC2 instances, makes assessments of the security of those instances. For example known vulnerabilities of the OS, and network accessibility (open ports, etc).
For docker images in ECR: As images are pushed into ECR, inspector analyzes them for vulnerabilities.
For Lambda Functions: These are analyzed by inspector on creation, for software vulnerabilities in the code.
What is Amazon SSM Agent?
Systems manager agent:
Can be installed on EC2 instances to manage its resources remotely
What resources can inspector be used on?
Only EC2 instances, container images and lambda functions.
What is Amazon Macie?
Data security and data privacy service:
Services that analyzes your s3 buckets with ML and pattern matching to discover and protect your sensitive business personal data.
Sensitive data is called “PII”. Personally identifiable information.
You have an AMI that has an encrypted EBS snapshot using KMS CMK. You want to share this AMI with another AWS account. You have shared the AMI with the desired AWS account, but the other AWS account still can’t use it. How would you solve this problem?
You need to share the customer master key with the other account.
You need to create KMS Keys in AWS KMS before you are able to use the encryption features for EBS, S3, RDS …
True or False?
False.
You can use the AWS Managed Service keys in KMS, therefore we don’t need to create our own KMS keys.
AWS KMS supports both symmetric and asymmetric KMS keys.
True
When you enable Automatic Rotation on your KMS Key, the backing key is rotated every ……………..
1 year.
You have created a Customer-managed CMK in KMS that you use to encrypt both S3 buckets and EBS snapshots. Your company policy mandates that your encryption keys be rotated every 6 months. What should you do?
Reconfigure your KMS CMK and enable automatic key rotation, and configure the retention period to 180 days.
You have a Lambda function used to process some data in the database. You would like to give your Lambda function access to the database password. Which of the following options is the most secure?
Have it as an encrypted environment variable and decrypt it at runtime
You have a secret value that you use for encryption purposes, and you want to store and track the values of this secret over time. Which AWS service should you use?
SSM Parameter Store
SSM Parameters Store can be used to store secrets and has built-in version tracking capability. Each time you edit the value of a parameter, SSM Parameter Store creates a new version of the parameter and retains the previous versions. You can view the details, including the values, of all versions in a parameter’s history.
Your user-facing website is a high-risk target for DDoS attacks and you would like to get 24/7 support in case they happen and AWS bill reimbursement for the incurred costs during the attack. What AWS service should you use?
AWS Shield Advanced
You would like to externally maintain the configuration values of your main database, to be picked up at runtime by your application. What’s the best place to store them to maintain control and version history?
SSM Parameter Store
AWS GuardDuty scans the following data sources, EXCEPT …………….
1) CloudWatch Logs
2) DNS Logs
3) VPC Flow Logs
4) CloudTrail Logs
1) CloudWatch Logs
You have a website hosted on a fleet of EC2 instances fronted by an Application Load Balancer. What should you use to protect your website from common web application attacks (e.g., SQL Injection)?
AWS WAF
You would like to analyze OS vulnerabilities from within EC2 instances. You need these analyses to occur weekly and provide you with concrete recommendations in case vulnerabilities are found. Which AWS service should you use?
Amazon Inspector (With the usage of SSM)
What is the most suitable AWS service for storing RDS DB passwords which also provides you automatic rotation?
AWS SSM Parameter Store
AWS KMS
AWS Secrets Manager
AWS Secrets Manager
Which AWS service allows you to centrally manage EC2 Security Groups and AWS Shield Advanced across all AWS accounts in your AWS Organization?
AWS Firewall Manager
AWS Firewall Manager is a security management service that allows you to centrally configure and manage firewall rules across your accounts and applications in AWS Organizations. It is integrated with AWS Organizations so you can enable AWS WAF rules, AWS Shield Advanced protection, security groups, AWS Network Firewall rules, and Amazon Route 53 Resolver DNS Firewall rules.
What should you use to control access to your KMS CMKs?
KMS Key Policies
KMS IAM Policies
AWS GuardDuty
KMS Access Control Lists (KMS ACL)
KMS Key Policies
Which AWS service helps you protect your sensitive data stored in S3 buckets?
Amazon Macie
Amazon Macie is a fully managed data security service that uses Machine Learning to discover and protect your sensitive data stored in S3 buckets. It automatically provides an inventory of S3 buckets including a list of unencrypted buckets, publicly accessible buckets, and buckets shared with other AWS accounts. It allows you to identify and alert you to sensitive data, such as Personally Identifiable Information (PII).
An online-payment company is using AWS to host its infrastructure. The frontend is created using VueJS and is hosted on an S3 bucket and the backend is developed using PHP and is hosted on EC2 instances in an Auto Scaling Group. As their customers are worldwide, they use both CloudFront and Aurora Global database to implement multi-region deployments to provide the lowest latency and provide availability, and resiliency. A new feature required which gives customers the ability to store data encrypted on the database and this data must not be disclosed even by the company admins. The data should be encrypted on the client side and stored in an encrypted format. What do you recommend to implement this?
Using Aurora Client Side Encryptions and KMS Multi Region Keys.
Amazon Aurora Client-Side Encryption (CSE) is a method of encrypting data on the client side before it is sent to the Aurora database. This ensures that the data is already encrypted before it leaves the client application, providing an additional layer of security by making the data unreadable to unauthorized parties, even if they have access to the Aurora database or network.
Here’s how it generally works:
Key Management:
The encryption process starts with the client-side application, which needs a data encryption key (DEK). This key is used to encrypt the data before it is sent to Aurora.
The DEK can be generated or obtained from a key management service (KMS). Typically, AWS Key Management Service (KMS) is used to generate and manage these encryption keys.
The DEK is encrypted using a customer master key (CMK) stored in AWS KMS, and this encrypted DEK (EDEK) is stored alongside the encrypted data.
Encrypting Data:
Before sending data to the Aurora database, the client encrypts the data using the DEK.
The encrypted data, along with the EDEK, is then sent to the database. Aurora does not need to decrypt this data; it simply stores it as-is.
Decrypting Data:
When reading data from the Aurora database, the client retrieves the encrypted data and the EDEK.
The client application must use the AWS KMS to decrypt the EDEK back into the original DEK.
Once the DEK is available, the client can use it to decrypt the data retrieved from Aurora.
Data at Rest and In Transit:
Since the data is encrypted on the client side, it remains encrypted while at rest in the Aurora database and while in transit over the network.
Additional encryption layers can be used, such as SSL/TLS for encrypting data in transit between the client and Aurora.
Benefits:
Enhanced security by ensuring data is encrypted before it leaves the client’s control.
Data remains secure even if unauthorized users gain access to the Aurora database or backup copies.
Compliance with regulations that require encryption of sensitive data.
Key Considerations:
Client-side encryption requires managing encryption keys securely. AWS KMS provides a robust way to handle key management, but it adds complexity to the client application.
Performance impact, as encryption and decryption are performed on the client side, can affect processing speed, especially for large datasets.
The application must handle encryption and decryption, which means the encryption logic must be integrated into the client code.
You have created the main Edge-Optimized API Gateway in us-west-2 AWS region. This main Edge-Optimized API Gateway forwards traffic to the second level API Gateway in ap-southeast-1. You want to secure the main API Gateway by attaching an ACM certificate to it. Which AWS region are you going to create the ACM certificate in?
us-east-1
You need to create the ACM certificate in the us-east-1 (N. Virginia) region. For Edge-Optimized API Gateways, AWS requires that the ACM certificate be issued in the us-east-1 region, as this is where CloudFront, which handles the edge distribution, is managed.
AWS manages CloudFront in the us-east-1 (N. Virginia) region because this is the primary region for many of AWS’s global services. Historically, AWS started by centralizing certain global control plane services in us-east-1, and CloudFront was designed to use this region as its main point for managing configurations, including certificates for edge locations.
You have an S3 bucket that is encrypted with SSE-KMS. You have been tasked to replicate the objects to a target bucket in the same AWS region but with a different KMS Key. You have configured the S3 replication, the target bucket, and the target KMS key and it is still not working. What is missing to make the S3 replication work?
You have to configure permissions for both source KMS Key and Target KMS Key, to be used by the S3 Replication Service.
You have generated a public certificate using LetsEncrypt and uploaded it to the ACM so you can use and attach to an Application Load Balancer that forwards traffic to EC2 instances. As this certificate is generated outside of AWS, it does not support the automatic renewal feature. How would you be notified 30 days before this certificate expires so you can manually generate a new one?
Configure EventBridge for Daily Expiration Events from ACM to invoke SNS notifications to your email.
You are managing an AWS Organization with multiple AWS accounts. Each account has a separate application with different resources. You want an easy way to manage Security Groups and WAF Rules across those accounts as there was a security incident the last week and you want to tighten up your resources. Which AWS service can help you to do so?
AWS Firewall Manager
