Security and Encryption

Question 1

What are the 2 KMS Customer Master Key types?

Answer 1

• Symmetric (AES-256)

- Asymmetric (RSA & ECC key pairs)

Question 2

What are 4 features of Symmetric Key Type?

Answer 2

• Single Key Encryption for encrypt/decrypt
• Used for AWS services that are integrated with KMS
• Required for Envelope Encryption
• You never get access to the unencrypted key

Question 3

What are 4 features of Asymmetric Key Type?

Answer 3

• Public and Private key pair. Public is for encryption, private is for decryption
• Used for encrypt/decrypt and sign/verify operations
• The public key is downloadable but the private key is always encrypted
• Encryption outside of AWS

Question 4

What are 3 use cases for KMS?

Answer 4

• When you need to store DB passwords
• Credentials to external service
• PrivateKey of SSL certificates

Question 5

When I copy an EBS snapshot from one region to another, does the KMS key get copied also?

Answer 5

No, you need to create a new key for the snapshot in the new region

Question 6

What is the timeframe for automatic key rotation?

Answer 6

1 year

Question 7

If you want to rotate keys every 30/60/90 days, what rotation method should you use?

Answer 7

Manual key rotation

Question 8

What is Secrets Manager usually used for?

Answer 8

RDS Integration

Question 9

What would you use AWS Shield for?

Answer 9

For protection from DDos attacks

Question 10

What are 2 features of AWS Shield Standard?

Answer 10

• Free service activated for all customers

- Protection from attacks such as SYN/UDP floods and other layer 3/4 attacks

Question 11

What are 4 features of AWS Shield Advanced?

Answer 11

• Optional DDoS mitigation service - $3k per month
• Protection against attacks on EC2, ELB, Cloudfront etc
• 24/7 access to AWS DDoS response team (DRP)
• Protect against higher fees during usage spikes due to DDoS

Question 12

What does AWS Web Application Firewall (WAF) do?

Answer 12

Protects your web app from common web exploits on layer 7 (HTTP)

Question 13

What 3 services can a WAF be used with?

Answer 13

• Application Load Balancer
• API Gateway
• Cloudfront

Question 14

What are 2 examples of what WAF can protect against?

Answer 14

• SQL injection

- Cross Site Scripting

Question 15

What is AWS GuardDuty?

Answer 15

It is an intelligent threat detection service to protect your AWS account

Question 16

How does GuardDuty detect threats?

Answer 16

It uses machine learning algorithms to search logs for unusual traffic

Question 17

Can GuardDuty protect against CryptoCurrency attacks?

Answer 17

Yes

Question 18

What is AWS Inspector?

Answer 18

It is a way to automate Security Assessments for your EC2 instances

Question 19

What do you need to do to use AWS Inspector?

Answer 19

Install the Inspector Agent on all EC2 instances

Question 20

When do I not need an Inspector Agent?

Answer 20

For Network Assesments

Question 21

What is AWS Macie?

Answer 21

Its a data security and data privacy service that uses machine learning and pattern matching to protect your sensitive data

Question 22

In the Shared Responsibility Model, what is AWS responsible for?

Answer 22

Security OF the Cloud

Question 23

In the Shared Responsibility Model, what is the Customer responsible for?

Answer 23

Security IN the Cloud

Question 24

What are 4 examples of Shared Controls of the Shared Responsibility Model?

Answer 24

• Patch Management
• Config Management
• Awareness
• Training

Question 25

What are 2 examples of AWS responsibility OF the Cloud?

Answer 25

• Protecting infrastructure that runs all AWS services

- Protecting managed services like S3, DynamoDB etc

Question 26

What are 2 examples of the Customer responsibility IN the Cloud?

Answer 26

• Management of guest OS, firewall, config and IAM

- Encryption application data