Security and IAM Flashcards

1
Q

You have built a serverless mobile app for which you need to federate identities and generate temporary credentials to access an S3 bucket. What two technologies could you use?

A

Cognito (identity pools, which federate the external identity and map it to an IAM role) and STS (which issues the temporary credentials for that role)

2
Q

What is the use of Cognito Sync? (It is a separate service from AWS AppSync.)

A

It synchronises a user's app data (profile, preferences) across that user's MOBILE devices, keyed on the user's Cognito identity. Cognito Sync is a legacy feature; AWS recommends AppSync for new applications.

3
Q

What is the maximum size of data that can be encrypted by KMS per Encrypt call (NOT data at rest on S3)?

A

4 KB (4096 bytes) of plaintext per call. If you need KMS to encrypt environment variables or user data directly, the value must be under 4 KB. For anything larger, use envelope encryption: ask KMS for a data key (GenerateDataKey), encrypt the data locally with it, and store the KMS-encrypted copy of the data key alongside the ciphertext.

4
Q

What is the difference between a resource based policy and assuming an IAM role?

A

When you assume an IAM role you give up your own IAM permissions for the duration of the role session: the temporary credentials carry only the role's permissions. When you are granted access through a resource-based policy (for example a bucket policy), you keep using your own credentials and your IAM permissions remain unchanged.

5
Q

What CAN’T a security group reference? IP Address, CIDR block, DNS, another security group

A

A DNS name cannot be referenced. Security group rules can reference IP addresses, CIDR blocks and other security groups, but not hostnames, because rules are evaluated on packet addresses and a hostname can resolve to anything.

6
Q

You have been granted IAM access to AWS Parameter Store and can retrieve an encrypted password (a SecureString). However, when you try to decrypt the password you get an error. Why?

A

IAM permission on the parameter (ssm:GetParameter) gets you the stored value, but a SecureString is encrypted with a KMS key, so decrypting it (GetParameter with WithDecryption) also requires kms:Decrypt on that key. Both the IAM policy and the key's key policy must allow it.

7
Q

Which service allows you to issue temporary security credentials to allow access to AWS resources - Cognito, SSO or STS?

A

STS. Cognito identity pools and AWS SSO both hand out temporary credentials, but they obtain them from STS.

8
Q

You have a policy set up for S3 which has been attached to a role called 'S3SecGroup'. The policy contains the line Action: "s3:ListBucket" against a specified bucket ARN. When you run `aws s3 ls` in the CLI you get an access denied error. Why?

A

The ListBucket statement names a specific bucket ARN, so you may only list objects INSIDE that bucket (`aws s3 ls s3://that-bucket`). Running `aws s3 ls` with no bucket calls s3:ListAllMyBuckets on resource "*", which the policy does not grant, so it is implicitly denied.

9
Q

For a security group, what are the defaults for In and Outbound traffic? Are there exceptions?

A

A new security group has no inbound rules, so all inbound traffic is implicitly denied, and one outbound rule allowing all traffic. Security groups cannot contain deny rules, so there are no true exceptions; what looks like one is the security group the EC2 launch wizard creates, which adds an inbound allow rule for SSH (port 22) only. Everything else inbound still has no allow rule. (The VPC's default security group is also special: it allows inbound traffic from members of the same group.)

10
Q

In identity federation, is user management inside or external to AWS? Why would we use identity federation?

A

Identity management is external to AWS. A trust relationship must be created between AWS and the identity provider (SAML or OpenID Connect). You would do this if, for example, you had a social media app that required access to AWS resources: you want the social media provider to manage the identities rather than creating millions of IAM users.

11
Q

Can secrets in AWS secrets manager be accessed from other accounts?

A

Yes. Secrets Manager secrets support resource-based policies, so a secret can be granted to principals in another account (the other account also needs kms:Decrypt on the secret's KMS key if it is a customer managed key). Parameter Store has no equivalent resource policy, which makes Secrets Manager the choice when two accounts need to share the same secret.

12
Q

Can you specify allow and deny rules for:

  • A security Group
  • A NACL
A

A security group allows you to specify ALLOW rules only; anything not allowed is implicitly denied.

A NACL allows you to specify both ALLOW and DENY rules, evaluated in rule-number order, with an implicit deny at the end.

13
Q

When configuring the AWS CLI on an EC2 instance should you provide your access key and secret access key?

A

No. Your access key and secret access key should never be deployed on any AWS resource. Attach an IAM role (instance profile) to the instance instead; the CLI and SDKs pick up the role's temporary credentials automatically.

14
Q

You get a timeout when connecting to an instance via SSH on port 22. Why?

A

Inbound port 22 is not allowed in the security group. A security group silently drops the packet rather than rejecting it, so the client waits until it times out (a NACL deny behaves the same way). Compare this with "Connection refused", which means the traffic got through but nothing is listening.

15
Q

There are 2 policies that must both allow a user to use a KMS key. One is an IAM policy allowing the API calls to KMS. What is the other?

A

A Key policy allowing the user access to the key.

16
Q

Can an IAM user belong to multiple groups?

A

Yes

17
Q

Can a security group be applied to multiple instances?

A

Yes. A security group can be attached to many instances, and each instance (strictly, each ENI) must have at least 1 security group.

18
Q

How can you test a policy you have setup without executing it

A

AWS IAM Policy simulator

19
Q

What is the function of a service control policy in AWS Organisations?

A

It allows for the allow-listing or deny-listing (whitelisting/blacklisting) of AWS services and actions for specific accounts in the organisation. An SCP does not grant permissions by itself; it sets the maximum that IAM policies in the affected accounts can grant. SCPs are attached in a tree structure (root, OUs, accounts) and are inherited: if something is denied at a higher level, every OU and account branched from it is also denied, whatever is attached lower down. SCPs do not apply to the management account.

20
Q

Should you store AWS credentials in application code? What is best practice for this?

A

No. Best practice is for the application to obtain credentials from its runtime environment rather than carry them in code or config. On AWS compute (EC2, Lambda, ECS) that means an IAM role, whose temporary credentials the SDK picks up automatically through the default credential provider chain.

21
Q

Can you reference one security group with another?

A

Yes. You can allow inbound traffic to an instance by naming another security group as the source in an inbound rule. Every instance that belongs to the referenced group is then allowed to call into the machine, so you don't need to list IP addresses, and the rule keeps working as instances are added or replaced.

22
Q

If you switch regions or deploy another VPC combination, do you need to create another security group?

A

Yes. A security group belongs to a single VPC, and therefore to a single region; a new region or a new VPC needs its own group. A rule can reference a security group in a PEERED VPC, but only if the VPCs are actually peered.

23
Q

When using the SDK to interact with AWS components, what is the recommended way to manage credentials in a secure fashion?

A

Default Credential Provider Chain

24
Q

Which services offer perfect forward secrecy? ELB, S3, CloudTrail, CloudFront, EC2, GovCloud? (2)

A

ELB and Cloudfront

25
Q

Is IAM global or regional?

A

IAM is global. Once an IAM user, group, role or policy is set up it is available in every region of your account.

26
Q

In AWS KMS, can the customer download or access the customer master key (CMK, now called a KMS key)?

A

No. The key material never leaves KMS in plaintext (even imported key material cannot be exported again). You use the key only through KMS API calls such as Encrypt, Decrypt and GenerateDataKey, which is what makes CloudTrail a complete record of key usage.

27
Q

Where do you define:

a) A Group
b) A Security Group

A

IAM groups are defined in IAM (they group users for permissions). Security groups are defined in VPC networking (they are per-instance firewalls). Despite the name, the two have nothing to do with each other.

28
Q

What are the 4 components of IAM in AWS?

A

Users, Groups, Roles and Policies

29
Q

In terms of AWS security - what acts as an INSTANCE level firewall?

A

A security group. Security groups are enforced outside the instance (at the ENI, by the hypervisor), so blocked traffic never reaches the EC2 instance and cannot be bypassed from inside it.

30
Q

For IAM, is the principal

  1. The resource whose access is being defined
  2. The user or entity to which access is assigned
A

2: The principal is the user or entity for which access is being assigned

31
Q

Which AWS tool can be used to identify vulnerabilities in/on AWS Ec2 Instances?

A

Amazon Inspector

32
Q

What are the advantages of using AWS SSO rather than the assume role API in terms of creating a login mechanism for your application?

A

If you use the AssumeRole API you have to build and maintain the integration between your identity store and a login portal, which you will probably need to write yourself. AWS SSO has less overhead: the identity store and login portal are provided for you, and a user can obtain credentials for one or more accounts from it.

33
Q

Which AWS tool can help identify inappropriate use of AWS credentials or the presence of malware by examining VPC Flow Logs?

A

Amazon GuardDuty (it analyses VPC Flow Logs, CloudTrail events and DNS logs)

34
Q

You have an EC2 instance in a security group. You try to connect and receive "Connection refused". Why?

A

The application is not up or is not listening on that port. The security group has allowed the traffic through (otherwise you would see a timeout, not a refusal); the instance's kernel answered with a TCP reset because nothing was bound to the port.

35
Q

For a cognito user pool - does cognito provide the ability to Authenticate AND Authorize?

A

Cognito user pools authenticate only; they do not authorise. They establish who you are (and issue JWTs saying so) but not what you can do. Your app must decide that, or you use a Cognito identity pool to map the identity to an IAM role for access to AWS resources.

36
Q

Should you use the root aws user for engaging in admin tasks?

A

No. Create an IAM user and attach the AWS managed AdministratorAccess policy; protect the root user with MFA and use it only for the few tasks that require it.

37
Q

How do you ensure that each ECS task has permissions it needs to access its required AWS resources and ONLY those resources?

A
  1. First you create an IAM role for the EC2 container instance so the ECS agent can talk to the ECS service (register the instance, pull images, report task state).
  2. Each task definition then gets its own IAM task role (taskRoleArn) granting only the resources that task needs. The agent serves each task's credentials to its own containers, so tasks on the same host do not share permissions, and a task never inherits the instance role.
38
Q

What is envelope encryption?

A

With envelope encryption, the data is encrypted locally with a data key, and the data key itself is encrypted with another key: the customer master key (KMS key) managed by AWS KMS, which never leaves KMS. You store the encrypted data key alongside the ciphertext and discard the plaintext data key. To decrypt, you ask KMS to decrypt the data key, then decrypt the data locally. This is how the 4 KB limit on direct KMS calls is worked around.
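The following is an added illustration of the envelope pattern described above (and of the 4 KB direct-encrypt limit from the KMS card); it is not code from the original flashcards or from AWS. `FakeKms`, `seal`, `unseal` and the rest are invented names. The stand-in KMS keeps its master key private and refuses plaintext over 4096 bytes, exactly as the real Encrypt call does; the data itself is protected with a SHA-256 counter-mode keystream plus an HMAC tag because the example must run with the Python standard library alone, so treat that part as a placeholder for AES-GCM, not as a production cipher.

```python
"""Envelope encryption in the KMS style, with a local stand-in for KMS."""
import hashlib
import hmac
import os
import struct

KMS_MAX_PLAINTEXT = 4096  # bytes per KMS Encrypt/Decrypt call


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """Counter-mode keystream from SHA-256 (placeholder for a real cipher)."""
    out = bytearray()
    counter = 0
    while len(out) < length:
        out += hashlib.sha256(key + nonce + struct.pack(">Q", counter)).digest()
        counter += 1
    return bytes(out[:length])


def seal(key: bytes, plaintext: bytes) -> bytes:
    """Encrypt-then-MAC with a fresh random nonce: nonce || ciphertext || tag."""
    nonce = os.urandom(16)
    ct = bytes(a ^ b for a, b in zip(plaintext, _keystream(key, nonce, len(plaintext))))
    tag = hmac.new(key, nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag


def unseal(key: bytes, blob: bytes) -> bytes:
    """Verify the tag before decrypting; any tampering raises ValueError."""
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    expected = hmac.new(key, nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("authentication failed")
    return bytes(a ^ b for a, b in zip(ct, _keystream(key, nonce, len(ct))))


class FakeKms:
    """Stand-in for AWS KMS (assumed, not the real service). The master key is
    private to this object and is never returned to the caller."""

    def __init__(self) -> None:
        self._master = os.urandom(32)

    def encrypt(self, plaintext: bytes) -> bytes:
        if len(plaintext) > KMS_MAX_PLAINTEXT:
            raise ValueError("KMS Encrypt accepts at most 4096 bytes; use envelope encryption")
        return seal(self._master, plaintext)

    def decrypt(self, blob: bytes) -> bytes:
        return unseal(self._master, blob)

    def generate_data_key(self) -> tuple:
        """Like KMS GenerateDataKey: (plaintext data key, data key encrypted under the master key)."""
        data_key = os.urandom(32)
        return data_key, self.encrypt(data_key)


def envelope_encrypt(kms: FakeKms, data: bytes) -> dict:
    """Encrypt data of any size; only the encrypted data key is kept."""
    plaintext_key, encrypted_key = kms.generate_data_key()
    ciphertext = seal(plaintext_key, data)
    del plaintext_key  # never persisted; the encrypted copy is what gets stored
    return {"ciphertext": ciphertext, "encrypted_key": encrypted_key}


def envelope_decrypt(kms: FakeKms, envelope: dict) -> bytes:
    """One small KMS call to recover the data key, then local decryption."""
    plaintext_key = kms.decrypt(envelope["encrypted_key"])
    return unseal(plaintext_key, envelope["ciphertext"])


if __name__ == "__main__":
    kms = FakeKms()
    big = os.urandom(1_000_000)  # far over the 4 KB direct-encrypt limit
    env = envelope_encrypt(kms, big)
    assert envelope_decrypt(kms, env) == big
    print("envelope round trip ok; stored encrypted data key is", len(env["encrypted_key"]), "bytes")
```

Note what crosses the KMS boundary: only the 32-byte data key goes to `encrypt`/`decrypt`, never the payload, which is why the scheme scales to any data size and why CloudTrail sees one small call per object rather than the data itself.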

39
Q

If you have 2 policies attached to a user, one allowing full EC2 access and another permitting IAM access but denying EC2 access, can the user launch an EC2 instance? Why or why not?

A

The user will NOT be able to launch an EC2 instance. One policy allows full EC2 access, BUT the other explicitly denies it, and an explicit deny always takes precedence over an allow, regardless of which policy is evaluated first.
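To make the evaluation order concrete, here is an added example (not from the original flashcards and not the real IAM engine) of a minimal policy evaluator that implements the two rules these cards rely on: an explicit Deny beats any Allow, and a statement only grants an action on the resources its Resource element names. It covers both the ListBucket card (a bucket-scoped ListBucket does not cover ListAllMyBuckets) and this one. The policies, bucket name and ARNs are made up; conditions, NotAction, principals and SCPs are deliberately left out.

```python
"""Minimal IAM policy evaluator illustrating deny precedence and resource scoping."""
import fnmatch


def _match_action(pattern: str, action: str) -> bool:
    """IAM actions match case-insensitively and support '*' wildcards."""
    return fnmatch.fnmatchcase(action.lower(), pattern.lower())


def _match_resource(pattern: str, resource: str) -> bool:
    """Resource ARNs match case-sensitively with '*' wildcards."""
    return fnmatch.fnmatchcase(resource, pattern)


def _as_list(value):
    return value if isinstance(value, list) else [value]


def evaluate(policies: list, action: str, resource: str) -> str:
    """Return 'Allow', 'Deny' (explicit) or 'ImplicitDeny' for one request."""
    decision = "ImplicitDeny"            # nothing matched yet
    for policy in policies:
        for stmt in _as_list(policy["Statement"]):
            action_hit = any(_match_action(a, action) for a in _as_list(stmt["Action"]))
            resource_hit = any(_match_resource(r, resource) for r in _as_list(stmt["Resource"]))
            if not (action_hit and resource_hit):
                continue
            if stmt["Effect"] == "Deny":
                return "Deny"            # explicit deny is final, whatever else allowed it
            decision = "Allow"           # keep looking in case a later statement denies
    return decision


# Hypothetical policy from the ListBucket card: ListBucket on one named bucket only.
S3_LIST_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow", "Action": "s3:ListBucket",
         "Resource": "arn:aws:s3:::example-reports"}
    ],
}

# Hypothetical policies from the allow/deny card.
EC2_FULL_ACCESS = {
    "Version": "2012-10-17",
    "Statement": [{"Effect": "Allow", "Action": "ec2:*", "Resource": "*"}],
}
IAM_ALLOW_EC2_DENY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow", "Action": "iam:*", "Resource": "*"},
        {"Effect": "Deny", "Action": "ec2:*", "Resource": "*"},
    ],
}


if __name__ == "__main__":
    # `aws s3 ls s3://example-reports` -> ListBucket on the bucket ARN: allowed
    print(evaluate([S3_LIST_POLICY], "s3:ListBucket", "arn:aws:s3:::example-reports"))
    # `aws s3 ls` with no bucket -> ListAllMyBuckets on "*": not granted
    print(evaluate([S3_LIST_POLICY], "s3:ListAllMyBuckets", "*"))
    # Allow plus explicit Deny -> Deny, in either attachment order
    print(evaluate([EC2_FULL_ACCESS, IAM_ALLOW_EC2_DENY], "ec2:RunInstances", "*"))
    print(evaluate([IAM_ALLOW_EC2_DENY, EC2_FULL_ACCESS], "ec2:RunInstances", "*"))
```

The IAM Policy Simulator applies the same logic with the full condition and resource-policy semantics; this toy only shows why the two access-denied results on these cards are the correct outcome, not a bug.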

40
Q

Can you either create or import your own keys into KMS?

A

Yes, both: KMS can generate the key material, or you can import your own (bring your own key). Either way a customer managed key costs $1 per month, plus a per-request charge for API calls (about $0.03 per 10,000 symmetric requests, with a free tier). AWS managed keys have no monthly charge.

41
Q

Do you need to implement any custom changes to API Gateway to use Cognito user pools for authentication?

A

No. API Gateway has a built-in Cognito user pool authorizer that validates the user pool's JWT from the request's Authorization header; no custom code is required. A Lambda authorizer is only needed when you want custom authorization logic.

42
Q

Should you use your access key or secret access key when configuring the CLI on an EC2 instance?

A

No. Long-lived keys on an instance are a security risk (anyone who reads the disk or the instance's environment has them indefinitely). Attach an IAM role to the instance instead; the CLI obtains short-lived credentials from it automatically.

43
Q

When using IAM authentication to connect to a DB:

  • Where are the tokens generated
  • How long are they valid?
A

The token is generated on the client by the SDK or CLI (for RDS, `aws rds generate-db-auth-token`) using your AWS credentials: it is a SigV4-signed token rather than something the database hands out. It is valid for 15 minutes and is presented in place of the database password.

44
Q

There are 3 ways to secure the API Gateway, what are they?

A

IAM
Lambda Authorizer
Cognito User Pools

45
Q

You have an application which calls an S3 bucket. Currently, this is authenticating against the bucket using environment variables. What are the variables and what could you do differently?

A

AWS_ACCESS_KEY_ID
AWS_SECRET_ACCESS_KEY
(and optionally AWS_SESSION_TOKEN for temporary credentials)
An IAM role attached to the compute the application runs on would be much more secure: no long-lived secret to leak, and the SDK picks the role's credentials up through the default credential provider chain without any configuration.

46
Q

What is AWS Parameter Store? How would you set up a password structure for a dev and a prod database in Parameter Store?

A

Parameter Store (part of Systems Manager) stores configuration values and secrets as parameters, either plain text or SecureString, with IAM controlling who may read each parameter or path. KMS is used to encrypt SecureString parameters, and parameters are named hierarchically, so you separate environments by path:
/my-db/dev/password
/my-db/prod/password
The prod role is then granted ssm:GetParameter on /my-db/prod/* (plus kms:Decrypt on the key) and nothing under /my-db/dev/.

47
Q

Which sort of IAM policy would you use to grant cross account access?

A

A resource-based policy (for example an S3 bucket policy, or the trust policy of a role that the other account is allowed to assume)

48
Q

Which AWS Directory service allows for MFA?
SimpleAD
AD Connector
AWS Managed MS AD

A

AWS Managed Microsoft AD. (AD Connector can also enforce MFA by proxying to your existing RADIUS-based MFA server; Simple AD does not support MFA.)

49
Q

In AWS AD Connector, where are your users managed?

A

They are managed in your on-premises AD infrastructure. AD Connector is only a proxy, so you cannot create or manage users within it.

50
Q

Which AWS Directory Service option functions as a proxy between your on-premises AD and AWS services?

A

AD Connector

51
Q

Which AWS Directory Service option establishes a trust relationship with your on-premises AD?

A

AWS Managed MS AD

52
Q

What is the difference between AWS IAM Access Advisor and IAM Access Analyzer?

A

Access Advisor shows "service last accessed" information for users, groups, roles and policies, so you can identify unused permissions and roles from the last-accessed timestamp and trim them.
Access Analyzer identifies resources in your account (S3 buckets, IAM roles, KMS keys and so on) whose policies grant access to external entities, i.e. principals outside your zone of trust.