Security Flashcards

1
Q

CloudTrail

A

Console shows past 90 days
Default UI only shows Create, Modify and Delete events

Can create a CloudTrail

Get detailed list of all events you choose, can include events happening at the object level in S3
Can store trail events in S3 for further analysis
Can be region specific or global (IAM etc)

If something is deleted look in CloudTrail

2
Q

CloudTrail Delivery to S3

A
  • Can enable versioning
  • Can use encryption SSE-S3, SSE-KMS
  • MFA Delete Protection
  • S3 Lifecycle policy (Glacier, IA)
  • Object locks to protect from delete or modify
  • Can use SHA-256 hashing and signing (log file integrity validation) to verify the content is as expected
3
Q

CloudTrail delivery notifications

A

Can be set up through:

  • CloudTrail directly: SNS -> SQS, Lambda
  • S3 events: SNS, SQS, Lambda
4
Q

CloudTrail - Multi-Account, Multi-Region

A

For writes need a bucket policy

For reads and gets need either a cross-account role + AssumeRole OR a bucket policy
5
Q

CloudTrail Alerts for API calls

A

CloudTrail -> CW Logs -> Metric Filter -> CW Alerts -> SNS
Ex:
- Count number of API calls by type or per user
- Detect high number of denied API calls

6
Q

CloudTrail Speed

A

Can take 15 minutes to deliver events

  • CW Events - fastest, most reactive, single API call
  • Delivery to CW Logs - streamed, aggregated, multiple API calls
  • Delivery to S3 - can check integrity, cross-account, Glacier, more comprehensive (Athena)
7
Q

AWS KMS

A

AWS manages keys for you, with IAM integration for authorization.

Only able to encrypt up to 4 KB per call
If > 4 KB, use envelope encryption with a DEK (data encryption key)

All API calls are recorded in CloudTrail
8
Q

AWS KMS Access

A
  • Need a key policy
  • IAM policy to allow KMS API calls
9
Q

AWS KMS CMK

A

CMK is used to encrypt/decrypt but can never be seen. Can be rotated
10
Q

KMS keys

A

Customer Managed

  • Create, manage, use, enable/disable
  • Rotate: old key is kept, new key added every year
  • Key policy
  • Leverage for envelope encryption

AWS Managed

  • Used by AWS services
11
Q

AWS Parameter Store

A
  • Securely store configuration and secrets
  • Mostly free, seamless KMS integration, serverless
  • Version tracking of configurations/secrets
  • Can notify of changes via CW Events
  • Dynamic parameter interpolation for CloudFormation
12
Q

AWS Parameter Store Paths

A
  • Can retrieve secrets from Secrets Manager using the Parameter Store API, using a pre-defined special path
  • Special paths include retrieving the latest AMI ID
  • IAM integration at the configuration path level
  • GetParameters/GetParametersByPath
13
Q

AWS Secrets Manager

A
  • Can automatically rotate secrets every X days
  • Integration with RDS (admin passwords etc)
  • Encrypted with KMS
14
Q

RDS Security at rest

A

KMS Encryption at rest for underlying EBS volume/snapshots

15
Q

RDS Security TDE

A

TDE for Oracle and SQL Server only
16
Q

RDS Security in transit

A

In-transit SSL encryption for all databases

17
Q

RDS Security Authorization

A

Using database authorization

18
Q

RDS Security Authentication

A

IAM authentication only for MySQL and PostgreSQL

19
Q

RDS Security CloudTrail

A

Cannot track queries using CloudTrail

20
Q

RDS Security Snapshots

A

Can copy an unencrypted RDS snapshot into an encrypted one

21
Q

SNI (Server Name Indication) SSL handshake

A

Only supported in NLB, ALB and CloudFront, NOT in CLB

22
Q

AWS and MITM Attacks

A
  • Don't use HTTP
  • Use DNS with DNSSEC, so protect your domain using DNSSEC

23
Q

Route53 DNSSEC

A
  • Does not support DNSSEC for the DNS service, only for domain registration.
  • Must use another DNS Service Provider, e.g. custom DNS server on EC2 (Bind, dnsmasq, KnotDNS, PowerDNS)
24
Q

AWS ACM

A
  • Buy your own SSL certs and store them using the CLI
  • Provision new or renew SSL certs using ACM (free)
  • Integrates seamlessly by provisioning and maintaining certs on:
    • Load Balancers
    • CloudFront
    • APIs on API Gateway
  • Renewal is automatic or manual depending on whether the cert is internal or external
25
Q

ACM and regions

A

ACM is regional; certs cannot be used cross-region
Must issue SSL certificates in each region needed for a global application with Load Balancers (also regional)
Not needed for CloudFront because it is a global distribution