Security and Monitoring Flashcards
What is a security group?
A virtual firewall for EC2 instances
What is a bootstrap script?
A script that runs when the instance first runs
What permissions does a bootstrap script have?
full administrative access
How long does it take for changes to security groups to occur?
Immediately
How many EC2 instances can you have in a security group?
Any number
Why can there only be one security group attached to an EC2 instance?
There can be many security groups attached to an EC2 instance
What inbound traffic is blocked by default?
All inbound traffic
Is a network ACL or security group hit first when a request is coming from the internet into a public subnet?
The network ACL is hit first
What does 0.0.0.0/0 do?
Lets everything in
What is the first line of defense?
Network ACLs
What is a Network ACL?
A layer of security for your VPC that acts as a firewall for controlling traffic in and out of one or more subnets
By default what inbound and outbound traffic is allowed by the default network ACL?
All
Does a VPC automatically have a network ACL?
Yes
What inbound and outbound traffic is allowed by default in a custom network ACL?
None
Should you block IP addresses using network ACLs or security groups?
Network ACL
How many network ACLs can a subnet be associated with?
One
Are security groups or network ACLs stateless?
Network ACLs
In what order are the network ACL’s numbered list of rules evaluated?
In order from lowest number
What does VPN CloudHub do?
Connects multiple sites with differing VPNs together
What measure does VPN CloudHub take to protect your data, since it uses the public internet?
Encrypts your data
What is CloudWatch?
A monitoring and observability platform designed to give insight into your AWS architecture and potential problems
What should you create to notify you of a system failure?
An alarm
What are default metrics for CloudWatch?
CPU utilization and network throughput
What are custom metrics for CloudWatch?
EC2 memory utilization, EBS storage capacity
What is CloudWatch Logs?
A tool that allows you to monitor, store, and access log files from a variety of sources
What is a log event?
A record of what happened
What does a log event contain?
The data and a timestamp
What is a log stream?
A collection of log events from the same source
What is a log group?
A collection of log streams
What is a filter pattern in CloudWatch Logs?
A way to look for specific errors
What is Amazon Managed Grafana?
Fully managed AWS service allowing instant querying, correlating, and visualizing of your operational metrics, logs, and traces
What are Grafana workspaces?
Areas created to allow separate data visualizations and querying
Does Grafana have built in security?
Yes
What are some key use examples for Amazon Managed Grafana?
Container metric visualizations, Internet of Things monitoring, troubleshooting
What is Amazon Managed Service for Prometheus?
Serverless, Prometheus-compatible service used for securely monitoring container metrics at scale
What is CloudTrail?
It increases visibility into your user and resource activity by recording AWS Management Console actions and API calls
What is logged with CloudTrail?
Metadata of API call, identity of API caller, time of API call, source IP address of API caller, request parameters, response elements returned by server
What can you think of CloudTrail as?
The CCTV system of your AWS account
What is AWS Shield?
Free DDoS protection for ELB, CloudFront, and Route 53
What layer attacks does Shield protect against?
Layer 3/4 (SYN floods, reflection attacks, etc)
What is AWS Shield Advanced?
Enhanced protection for ELB, CloudFront, and Route 53
What is the difference between Shield and Shield Advanced?
24/7 access to the DDoS response team, real-time alerts, and Advanced costs 3000 per month
What is AWS WAF?
AWS Web Application Firewall is a service that lets you monitor the HTTP and HTTPS requests that are forwarded to Amazon CloudFront or an Application Load Balancer
If you want to control what IP addresses are allowed to make requests, what should you use?
AWS WAF
If you are afraid of layer 7 attacks, what should you use?
AWS WAF
What are the three conditions available on AWS WAF?
Allow all (except what you specify), deny all (except what you specify), count what matches conditions you stated
What is AWS GuardDuty?
A threat detection service that uses machine learning to continuously monitor for malicious behavior
Where do GuardDuty alerts appear?
GuardDuty console and CloudWatch Events
What does GuardDuty monitor?
CloudTrail logs, VPC Flow Logs, and DNS logs
What is Firewall Manager?
A security management service that goes across multiple AWS accounts
What is Macie?
Uses machine learning and pattern matching to discover sensitive data stored in S3
Can Macie utilize automated remediation actions?
Yes
What is Amazon Inspector?
Automatically assesses applications for vulnerabilities or deviations from best practice
What are the 2 types of Amazon Inspector assessments?
Network assessments, host assessments
What is KMS?
Key management service
What is a CMK in regard to KMS?
A customer master key is a logical representation of a master key
What is an HSM?
A hardware security module is a physical computing device that safeguards and manages digital keys and performs encryption and decryption functions
What are the three ways a CMK is created?
AWS creates it for you in HSMs, import key material from your own key management infrastructure, or have key material generated in an AWS CloudHSM cluster
How often can you have AWS KMS rotate the CMK?
Every year
What CMKs do not support automatic key rotation?
imported keys, asymmetric keys, or keys generated in AWS CloudHSM
What type of policy do KMS CMKs require?
A resource policy
What is the difference between KMS and CloudHSM?
KMS has shared tenancy of the underlying hardware, CloudHSM is dedicated to you; KMS has automatic key rotation, CloudHSM does not
What is Secrets Manager?
A service that securely stores, encrypts, and rotates your database credentials and other secrets
What must you do before enabling credential rotation?
Make sure all application instances are configured to use Secrets Manager
Does Secrets Manager rotate credentials automatically?
Yes
What is Parameter Store?
A capability of AWS Systems Manager that provides secure, hierarchical storage
If you are trying to minimize costs and don’t need key rotation, what secure storage solution should you use?
Parameter Store
What is the maximum number of parameters for Parameter Store?
10,000
How can the owner of a private object in S3 grant time-limited permission to download the object?
By creating a presigned URL
If you want someone to have access to all the contents of multiple restricted files, what should you use?
Presigned cookies
What is AWS Certificate Manager?
Allows you to create, manage, and deploy public and private SSL certificates for use with other AWS services
How much does AWS charge for provisioning public and private certificates?
Nothing, they are free
Does AWS Certificate Manager automatically renew and deploy certificates?
Yes
What service should you use to manage your SSL certificates?
AWS Certificate Manager
What is AWS Audit Manager?
With it, you can continuously audit your AWS usage to make sure you stay compliant with industry standards and regulations
Is Audit Manager an automated service?
Yes
If you need continuous auditing, what should you use?
Audit Manager
What is AWS Artifact?
A single source you can visit to get the compliance-related information that matters to you
If you need compliance reports, what should you use?
AWS Artifact
What is Amazon Cognito?
It provides authentication, authorization, and user management for your web and mobile apps in a single service without the need for custom code
What is the series of events that Cognito does to sign in?
Authenticates and gets a token, exchanges that token for AWS credentials in the identity pool, and finally uses the AWS credentials to sign in
What is Amazon Detective?
It pulls data in from your AWS resources and uses machine learning, statistical analysis, and graph theory to quickly figure out the root cause of your security issues
If you need to know the root cause of an event, what should you use?
Amazon Detective
What is Network Firewall?
A managed service that makes it easy to deploy a physical firewall across your VPCs
Does AWS Network Firewall work with Firewall Manager?
Yes
If you need an intrusion prevention system or to filter internet traffic before it reaches your gateway, what should you use?
AWS Network Firewall
What is AWS Security Hub?
A single place to view all your security alerts from differing services