Security

Question 1

In computing, the ______-_______-_____ is an important concept in teh web applciation security model.

Answer 1

same-origin-policy

Question 2

Under teh same-origin-policy, a web browser permits scripts caontined in a first web apge to access data in a second web page, but only if both web pages have the same origin. This is done to prevent _______.

Answer 2

Cross site scripting - XSS.

Question 3

T or F

(SOP) same-origin-policy is enforced by web browsers and ignored by tools like postman and curl.

Answer 3

True

Question 4

____ is one way the server at the other end (not the client code in the browser) can relax the same-origin-policy.

Answer 4

Cross origin resource sharing (CORS)

Question 5

______ is a machanism that allows restricted resources (ie: fonts) on a web page to be requested from another domain outside the domain from which the first resource was served.

Answer 5

Corss origin resource sharing (CORS)

Question 6

Cross Origin Resource Sharing (CORS)

• browser makes an HTTP options call for a URL
• options is an HTTP method like Get, Put, and Post

Server returns a resonse that says:

“These other domains are approved ti Get this URL”

-Error - “Origin policy can’t be read at the remote resource?”

You need to enable CORS on API GW

Answer 6

just read the other card.

Question 7

what is cloud HSM?

Answer 7

a dedicated Hardware Security MOdel

Question 8

cloudHSM confirms to FIPS 140-2 Level 3

Answer 8

yes

Question 9

Cloud HSM is level__ KMS

Answer 9

2

Question 10

AWS manages the keys with cloud HSM

t or f

Answer 10

false, you manage the keys

Question 11

t or fo

cloudhsm is a single tenant, dedicated hardware, multi az cluster

Answer 11

t

Question 12

cloud hsm works with industry standard APIs, not aWS apis

Answer 12

t

Question 13

HSM keys are irretrievable

t or f

Answer 13

t

Question 14

what is parameter store

Answer 14

secure serverless storage for configuration and secrets

like passwords, db connection strings, license codes, api keys, etc.

think vault

Question 15

how to you retrieve parameters in a hierarchy for ssm param store?

Answer 15

GetParametersByPAth api call

Question 16

what is secrets manager

Answer 16

similar to param store but charges per secret stroed and per 10,000 api calls

Question 17

why secrets manager?

Answer 17

it rotates keys with rds automatically

Question 18

secrets manager cna generate random secrets

t or f?

Answer 18

t

Question 19

what is aws shield

Answer 19

protects against distributed denial of service (DDoS) attacks

Question 20

is this sheidl standard or advanced?

-protects against common layer 3 and 4 attacks

SYN/UDP floods

reflection attacks

very effective

Answer 20

standard

Question 21

features of shield advanced

3k per month

enhanced protection for ec2, elb, cf, global accelerator, route53

• business and enterprise support customers get 24/7 access to ddos response team (DRT)
• ddos cost protection

Answer 21

yes

Question 22

WAF = ?

Answer 22

web application firewall

Question 23

what does waf do?

Answer 23

lets you monitor https requests to CF, ALB, or API GW

Question 24

what filtering rules can you use with WAF?

Answer 24

ip addresses

query string params

sql query injection

Question 25

when waf blocks traffic, what error code is returned?

Answer 25

403

Question 26

what are the 3 waf behaviors?

Answer 26

allow, block, count

Question 27

___ ____ is a security management service that allows you to centrally configure and manage firewall rules across an aws organization

Answer 27

firewall manager