Security Flashcards
In computing, the ______-______ ______ is an important concept in the web application security model.
same-origin-policy
Under the same-origin policy, a web browser permits scripts contained in a first web page to access data in a second web page only if both pages have the same origin (scheme, host and port). This is done to prevent _______.
Cross-origin data theft: a malicious page reading another origin's DOM, cookies or HTTP responses. (Note: SOP does not prevent cross-site scripting; an XSS payload runs inside the victim's own origin, so SOP does not restrict it.)
T or F
The same-origin policy (SOP) is enforced by web browsers and ignored by tools like Postman and curl.
True. SOP is a browser-side control only, so a server must never rely on it as a substitute for authentication and authorization.
____ is one way the server at the other end (not the client code in the browser) can relax the same-origin policy.
Cross-origin resource sharing (CORS)
______ is a mechanism that allows restricted resources (e.g. fonts, API responses) on a web page to be requested from another domain outside the domain from which the first resource was served.
Cross-origin resource sharing (CORS)
Cross Origin Resource Sharing (CORS)
- for a request that is not "simple" (e.g. PUT or DELETE, a custom header, a JSON body), the browser first makes an HTTP OPTIONS call (the "preflight") for the URL
- OPTIONS is an HTTP method like GET, PUT and POST
Server returns a response whose Access-Control-Allow-Origin (plus -Methods and -Headers) headers say:
"These other origins are approved to GET this URL"
- Error in the browser console such as "Cross-Origin Request Blocked: The Same Origin Policy disallows reading the remote resource at ..." means the response carried no CORS header matching the calling origin
You need to enable CORS on API Gateway so that it returns those headers (see the previous card).
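The preflight exchange above, as an added example that is not from these flashcards or from AWS: a minimal CORS handler on Python's http.server that answers the browser's OPTIONS request from an explicit allow-list. The origins, methods and headers in the allow-list are assumptions for illustration. The point it demonstrates beyond the card is the two common misconfigurations: reflecting any Origin back, and combining "*" with credentials.

```python
# Added example (not from the flashcards or AWS): a minimal CORS preflight
# handler. The browser sends OPTIONS with Origin, Access-Control-Request-Method
# and Access-Control-Request-Headers; the server answers with Access-Control-*
# headers only for origins on an explicit allow-list. Origins below are assumed.
from http.server import BaseHTTPRequestHandler, HTTPServer

# Explicit allow-list. Never reflect an arbitrary Origin header back, and never
# combine "*" with Access-Control-Allow-Credentials: true (browsers reject it,
# and reflecting Origin with credentials hands every site your users' data).
ALLOWED_ORIGINS = {"https://app.example.com", "https://admin.example.com"}
ALLOWED_METHODS = ("GET", "POST", "OPTIONS")
ALLOWED_HEADERS = ("Content-Type", "Authorization")


def cors_headers(origin, credentials=True):
    """Return the CORS response headers for an allowed origin, else None.

    None means the server sends no Access-Control-* headers at all, so the
    browser enforces the same-origin policy and blocks the cross-origin read.
    """
    if origin not in ALLOWED_ORIGINS:
        return None
    headers = {
        "Access-Control-Allow-Origin": origin,  # echo only an allow-listed origin
        "Vary": "Origin",                       # shared caches must key on Origin
        "Access-Control-Allow-Methods": ", ".join(ALLOWED_METHODS),
        "Access-Control-Allow-Headers": ", ".join(ALLOWED_HEADERS),
        "Access-Control-Max-Age": "600",        # browser may cache the preflight
    }
    if credentials:
        headers["Access-Control-Allow-Credentials"] = "true"
    return headers


def handle_preflight(request_headers):
    """Evaluate a preflight OPTIONS request; return (status, response_headers)."""
    origin = request_headers.get("Origin")
    method = request_headers.get("Access-Control-Request-Method", "")
    requested = request_headers.get("Access-Control-Request-Headers", "")
    wanted = [h.strip().lower() for h in requested.split(",") if h.strip()]

    headers = cors_headers(origin)
    if headers is None:
        return 403, {}  # not an approved origin: no CORS headers at all
    if method not in ALLOWED_METHODS:
        return 403, {}
    allowed_lower = {h.lower() for h in ALLOWED_HEADERS}
    if any(h not in allowed_lower for h in wanted):
        return 403, {}
    return 204, headers  # preflight passed; browser now sends the real request


class CorsHandler(BaseHTTPRequestHandler):
    """Wires the logic above into an HTTP server."""

    def do_OPTIONS(self):
        status, headers = handle_preflight(self.headers)
        self.send_response(status)
        for name, value in headers.items():
            self.send_header(name, value)
        self.end_headers()

    def do_GET(self):
        body = b'{"status":"ok"}'
        self.send_response(200)
        self.send_header("Content-Type", "application/json")
        # A simple GET skips the preflight, but the browser still withholds the
        # response body from the calling script unless this header is present.
        for name, value in (cors_headers(self.headers.get("Origin")) or {}).items():
            self.send_header(name, value)
        self.end_headers()
        self.wfile.write(body)


if __name__ == "__main__":
    # curl -i -X OPTIONS -H "Origin: https://app.example.com" \
    #   -H "Access-Control-Request-Method: POST" http://127.0.0.1:8080/
    HTTPServer(("127.0.0.1", 8080), CorsHandler).serve_forever()
```

Note that curl will happily show the 403 or 204 either way; only a browser acts on the headers, which is the practical meaning of the "enforced by browsers, ignored by curl" card.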
What is CloudHSM?
A dedicated Hardware Security Module (HSM) in the AWS cloud.
T or F
CloudHSM conforms to FIPS 140-2 Level 3.
True
KMS, by comparison, was validated at FIPS 140-2 Level __
2 (at the time these cards were written; AWS has since had KMS HSMs validated at Level 3, so check the current AWS compliance page)
T or F
AWS manages the keys in CloudHSM.
False: you manage the keys (and the users on the HSM); AWS has no access to your key material.
T or F
CloudHSM is a single-tenant, dedicated-hardware, multi-AZ cluster.
True
T or F
CloudHSM works with industry-standard APIs (PKCS#11, Java JCE, Microsoft CNG/KSP), not AWS APIs.
True
T or F
HSM keys are irretrievable.
True: key material cannot be exported from the HSM in plaintext, and AWS cannot recover it for you.
What is Parameter Store (part of AWS Systems Manager)?
Secure, serverless storage for configuration and secrets,
like passwords, DB connection strings, license codes, API keys, etc. SecureString parameters are encrypted with a KMS key.
Think HashiCorp Vault.
How do you retrieve parameters in a hierarchy from SSM Parameter Store?
The GetParametersByPath API call (Recursive=true to include sub-paths, WithDecryption=true to get SecureString values in plaintext).
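As an added example (not from the flashcards or from AWS), here is how a service would pull its whole configuration subtree with GetParametersByPath and turn it into a flat dict. The parameter names and values are constructed, and the FakeSsmClient class stands in for boto3.client("ssm") so the example runs offline; against AWS you would pass the real client instead. It goes slightly beyond the card by handling the NextToken pagination that real hierarchies need.

```python
# Added example (not from the flashcards or AWS): read a configuration
# hierarchy from SSM Parameter Store with GetParametersByPath. The parameter
# names and values below are constructed; FakeSsmClient mimics the real
# boto3 response shape so the function can be exercised without credentials.
#
# Real usage (requires boto3 and ssm:GetParametersByPath plus kms:Decrypt):
#   import boto3
#   config = get_config(boto3.client("ssm"), "/prod/payments")


def get_config(ssm, path):
    """Return {relative_name: value} for every parameter under `path`.

    Recursive=True walks sub-paths (/prod/payments/db/... as well as
    /prod/payments/...). WithDecryption=True returns SecureString values in
    plaintext, which needs kms:Decrypt on the key protecting them.
    GetParametersByPath returns at most 10 parameters per call, so the
    NextToken loop is mandatory for anything but the smallest hierarchies.
    """
    prefix = path.rstrip("/") + "/"
    config = {}
    kwargs = {"Path": prefix, "Recursive": True, "WithDecryption": True}
    while True:
        page = ssm.get_parameters_by_path(**kwargs)
        for param in page["Parameters"]:
            # "/prod/payments/db/host" -> "db/host"
            config[param["Name"][len(prefix):]] = param["Value"]
        token = page.get("NextToken")
        if not token:
            return config
        kwargs["NextToken"] = token


class FakeSsmClient:
    """Minimal stand-in for boto3's SSM client, fed constructed test data."""

    PAGE_SIZE = 2  # the real API pages at 10; kept small to exercise paging

    def __init__(self, params):
        self._params = params  # list of (Name, Type, Value) tuples

    def get_parameters_by_path(self, Path, Recursive, WithDecryption, NextToken=None):
        matches = [
            (name, ptype, value)
            for name, ptype, value in self._params
            if name.startswith(Path) and (Recursive or "/" not in name[len(Path):])
        ]
        start = int(NextToken) if NextToken else 0
        chunk = matches[start:start + self.PAGE_SIZE]
        response = {
            "Parameters": [
                {
                    "Name": name,
                    "Type": ptype,
                    # Without WithDecryption the real API returns ciphertext for
                    # SecureString values; "<encrypted>" models that here.
                    "Value": value if WithDecryption or ptype != "SecureString" else "<encrypted>",
                }
                for name, ptype, value in chunk
            ]
        }
        if start + self.PAGE_SIZE < len(matches):
            response["NextToken"] = str(start + self.PAGE_SIZE)
        return response


# Constructed sample hierarchy (values are placeholders, not real credentials).
SAMPLE_PARAMS = [
    ("/prod/payments/db/host", "String", "db.internal.example"),
    ("/prod/payments/db/password", "SecureString", "constructed-db-password"),
    ("/prod/payments/api_key", "SecureString", "constructed-api-key"),
    ("/prod/billing/db/host", "String", "billing-db.internal.example"),
]


if __name__ == "__main__":
    for key, value in get_config(FakeSsmClient(SAMPLE_PARAMS), "/prod/payments").items():
        print(f"{key} = {value}")
```

Scoping the IAM policy to the same path prefix (a resource ARN such as parameter/prod/payments/*) is what keeps the payments service from reading /prod/billing, since GetParametersByPath is authorized per path rather than per parameter.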
What is Secrets Manager?
Similar to Parameter Store, but charges per secret stored and per 10,000 API calls.
Why Secrets Manager?
It rotates credentials automatically: natively for RDS and other supported databases, and for anything else via a Lambda rotation function you supply.
T or F
Secrets Manager can generate random secrets.
True (the GetRandomPassword API)
What is AWS Shield?
A managed service that protects against distributed denial of service (DDoS) attacks.
Is this Shield Standard or Advanced?
- protects against common layer 3 and 4 attacks
- SYN/UDP floods
- reflection attacks
- very effective
Standard (enabled automatically for all AWS customers at no extra cost)
Features of Shield Advanced
- about $3,000 per month (with a one-year commitment)
- enhanced protection for EC2, ELB, CloudFront, Global Accelerator and Route 53
- Business and Enterprise Support customers get 24/7 access to the DDoS Response Team (DRT, since renamed the Shield Response Team, SRT)
- DDoS cost protection (credits for scaling charges caused by an attack)
WAF = ?
Web Application Firewall
What does WAF do?
Lets you monitor and filter the HTTP(S) requests forwarded to CloudFront, an Application Load Balancer or API Gateway.
What filtering conditions can you use in WAF rules?
- IP addresses (IP sets, and geographic match)
- query string parameters (and other request components: headers, URI path, body)
- SQL injection patterns (and cross-site scripting patterns)
When WAF blocks a request, what HTTP status code is returned?
403 Forbidden (the default; a custom response can be configured)
What are the three WAF rule actions?
Allow, Block, Count (Count records the match in metrics and logs without stopping the request, which is how you test a rule before enforcing it)
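The allow / block / count semantics from the cards above, as an added example that is not from the flashcards and is not AWS WAF itself: a small Python model of how a web ACL evaluates rules in priority order. Allow and Block terminate evaluation, Count records the match and keeps going, and a request that matches nothing gets the default action. The IP ranges, the SQL injection signature and the sample requests are all constructed for illustration; a real web ACL uses managed rule groups with far richer matchers.

```python
# Added example (not from the flashcards, and not AWS WAF code): a toy web ACL
# that shows how ALLOW, BLOCK and COUNT actions interact. Rule values and
# sample requests are constructed for illustration.
import ipaddress
import re
from collections import defaultdict
from urllib.parse import parse_qsl

# Crude SQL injection signature applied to decoded query-string values.
# Stand-in only; real rule groups use a managed, much broader matcher.
SQLI = re.compile(r"(?i)('\s*or\s*'?\d*'?\s*=\s*'?\d*|union\s+select|--|;\s*drop\s)")


def match_ip(request, rule):
    """IP set condition: source address inside any listed network."""
    src = ipaddress.ip_address(request["src_ip"])
    return any(src in ipaddress.ip_network(net) for net in rule["networks"])


def match_sqli(request, rule):
    """SQL injection condition on every query string parameter value."""
    for _, value in parse_qsl(request["query_string"], keep_blank_values=True):
        if SQLI.search(value):
            return True
    return False


MATCHERS = {"ip_set": match_ip, "sqli": match_sqli}


class WebAcl:
    def __init__(self, rules, default_action="ALLOW"):
        self.rules = sorted(rules, key=lambda r: r["priority"])
        self.default_action = default_action
        self.counts = defaultdict(int)  # rule name -> COUNT matches (the metric)

    def evaluate(self, request):
        """Return (http_status, matched_rule_names); 403 means blocked."""
        matched = []
        for rule in self.rules:
            if not MATCHERS[rule["type"]](request, rule):
                continue
            matched.append(rule["name"])
            if rule["action"] == "COUNT":
                self.counts[rule["name"]] += 1
                continue  # non-terminating: keep evaluating lower-priority rules
            if rule["action"] == "BLOCK":
                return 403, matched
            if rule["action"] == "ALLOW":
                return 200, matched
        return (200 if self.default_action == "ALLOW" else 403), matched


# Constructed rules. Note the ordering hazard: an ALLOW rule at priority 0
# terminates evaluation, so traffic from the "office" range is never checked
# for SQL injection. Put allow-lists after your block rules unless that is
# exactly what you intend.
RULES = [
    {"name": "office-allow", "priority": 0, "type": "ip_set", "action": "ALLOW",
     "networks": ["203.0.113.0/24"]},
    {"name": "sqli-block", "priority": 10, "type": "sqli", "action": "BLOCK"},
    {"name": "suspect-ips-count", "priority": 20, "type": "ip_set", "action": "COUNT",
     "networks": ["198.51.100.0/24"]},
]


if __name__ == "__main__":
    acl = WebAcl(RULES)
    for req in [
        {"src_ip": "192.0.2.7", "query_string": "id=1' OR '1'='1"},
        {"src_ip": "198.51.100.9", "query_string": "id=1"},
        {"src_ip": "203.0.113.5", "query_string": "id=1' OR '1'='1"},
    ]:
        print(req["src_ip"], acl.evaluate(req))
    print(dict(acl.counts))
```

Running the suspect-IP rule in COUNT mode first and watching its metric is the standard way to confirm a rule does not catch legitimate traffic before switching it to BLOCK.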
___ ____ is a security management service that allows you to centrally configure and manage firewall rules (WAF, Shield Advanced, security groups, Network Firewall) across an AWS Organization.
Firewall Manager