Security and Encryption Flashcards
Which of the following would you identify as data sources supported by GuardDuty?
VPC Flow Logs, DNS logs, CloudTrail events
What happens if you suspend GuardDuty?
GuardDuty stops analyzing your data sources, but it doesn’t delete the existing findings and the configurations
What happens if you disable GuardDuty?
It will stop GuardDuty and delete all the findings, configurations and service permissions
How can you block the traffic to an ALB based on the country?
You can create a rule in the web ACL of WAF (Web Application Firewall), restricting access based on geographic locations
What happens if you delete a Customer Master Key (CMK) from KMS?
It enters the ‘pending deletion’ status, during which you can cancel the CMK deletion and recover the key.
The waiting period for deletion can be set between 7 and 30 days
When you enable Automatic Rotation on your KMS Key, the backing key is rotated every ………
1 year
You have created the main Edge-Optimized API Gateway in us-west-2 AWS region. This main Edge-Optimized API Gateway forwards traffic to the second level API Gateway in ap-southeast-1. You want to secure the main API Gateway by attaching an ACM certificate to it. Which AWS region are you going to create the ACM certificate in?
us-east-1
Because an Edge-Optimized API Gateway uses CloudFront under the hood, and CloudFront is a global service, the certificate has to be in us-east-1
How do you renew an imported ACM certificate?
It cannot be renewed automatically since it’s imported. However, you can be notified by using a managed rule in AWS Config that sends an event to EventBridge when the rule is not compliant
Can you modify the key rotation period of the SSE-S3 policy?
No, rotation can only be enabled/disabled, but the period cannot be modified
How can you provide SSL to different domains within a single ALB?
You can do it with SNI: upload all the certificates to the same ALB listener, and it will automatically choose which certificate to use for each client
Another way is using a wildcard certificate (SAN) but it has a few limitations:
1. It only works for related subdomains that match a simple pattern
2. You have to reauthenticate and reprovision your certificate every time you add a new domain
How does encryption work for DynamoDB?
By default encryption is enabled in DynamoDB and cannot be disabled.
Encryption is done with a Customer Master Key which is owned by AWS. You don’t have any visibility of this key, you cannot control the rotation strategy and you’re not charged for it.
You can select an option to encrypt all or some of your tables under a customer-managed CMK or an AWS managed CMK
What’s the difference between Customer managed key, AWS managed key and AWS owned key?
Customer managed key: can view metadata, can manage KMS key, used only for your accounts, optional rotation (365 days), pay monthly fee and per-use fee
AWS managed key: can view metadata, cannot manage, used only for your account, required rotation (365 days), pay only per-use fee
AWS owned key: cannot view metadata, cannot manage, used for multiple accounts, unknown rotation, no fees
https://docs.aws.amazon.com/kms/latest/developerguide/concepts.html#key-mgmt
Which services are supported by WAF?
CloudFront, ALB, API Gateway, AppSync
Which is more expensive: AWS Secrets Manager or Systems Manager Parameter Store?
AWS Secrets Manager
Parameter Store is free for storing standard parameters
How can you check if an imported SSL certificate in ACM is expiring?
Use the AWS Config managed rule acm-certificate-expiration-check. You can configure it to trigger SNS notifications or EventBridge events