Security and Security groups Flashcards

1
Q

What is an instance level firewall?

A

A security group acts as an INSTANCE level firewall.

2
Q

A security group regulates 4 things with respect to an instance - what are they?

A

Access to Ports
Authorised IPv4/6 IP ranges
Control of INBOUND network from ‘other’ to instance
Control of OUTBOUND network from instance to ‘other’

3
Q

If a security group has blocked a request to an EC2 instance, is the instance aware that a request has been made?

A

No. Security groups exist off the instance. If a request is blocked, the instance will never see it.

4
Q

Can an instance have multiple security groups attached to it?

A

Yes. An instance can have multiple groups attached.

5
Q

If you switch to a different region - can you use the security groups from the original region?

A

No, security groups are locked to a region.

6
Q

If you create a new VPC, can you use the security group from the original VPC?

A

No, security groups are locked to a VPC. If you create a new VPC, you need to recreate the security group.

7
Q

You are connecting to an application on your EC2 instance and you receive a connection refused error. What is the cause of this - what changes would you need to make to the security group?

A

No changes need to be made to the security group. In this case, the application isn’t up. A connection is being made through the security group, but the thing you’re connecting to is not there.

8
Q

For a security group, what are the defaults for inbound and outbound traffic?

A

All inbound traffic is blocked. All outbound is authorised.

9
Q

We have an instance (a) with 2 security groups attached to it, SG1 and SG2. These security groups define the inbound rules to our instance and allow access to port 2200. What happens if another instance (b) with SG1 attached to it attempts to connect to port 2200 on instance (a)?

A

Traffic will be allowed as instance (b) has SG1 attached to it, and instance (a) also has SG1 attached to it allowing traffic to 2200. This means that you can use a security group as an inbound rule so any instance with that group attached can connect through. This means you don’t need to specify IPs.

10
Q

Security groups can reference all of the following except:

  • IP Address
  • CIDR Block
  • Security Group
  • DNS Name

A

DNS Name

11
Q

Can you have a deny rule on a security group?

A

No. You can only specify allow rules. You can technically deny something by not specifically allowing it.

12
Q

Which services require encryption through migration (4) if not encrypted at point of creation? Which service does not (1)?

A

EFS, EBS, ElastiCache and RDS will require encryption through migration if not encrypted at creation time. S3 can be encrypted in place.

13
Q

There are 3 mechanisms that the default credential provider chain works with to manage SDK credentials. What are they?

A

Credential provider chain works with:

  • AWS credentials file at ~/.aws/credentials
  • Instance profile credentials using IAM Roles
  • Environment variables AWS_ACCESS_KEY_ID and AWS_SECRET_ACCESS_KEY

14
Q

What is AWS Secrets Manager? Is there any interaction with Lambda?

A

Secrets Manager stores secrets and is for integration with RDS. It allows for management and rotation of secrets via a Lambda function. It can also be used to store API keys and secret keys. Secrets for RDS, Redshift and Amazon DocumentDB can be managed natively without the Lambda function.

15
Q

There are 3 types of AWS Directory services:
-AWS Managed MS AD
-AWS AD Connector
-AWS Simple AD
What is the use case for each of these and what do they do?

A

Managed AD: Complete AD in the cloud for running MS Directory-aware workloads (SharePoint etc.). Can be peered with on-prem for SSO support.

AD Connector: Forms a proxy to an on-premises AD and allows for on-premises user management.

Simple AD: Allows SSO access to EC2 instances via a Samba-based AD-compatible server.

16
Q

AWS Shield provides basic DDoS protection. Which additional AWS components does Shield Advanced provide protection for over and above the basic AWS Shield (4)?

A

ELBs
EC2 Instances
Route53
CloudFront

17
Q

Which services support resource based policies? (3)

A

S3, SQS, SNS.

18
Q

You have a role assigned to an EC2 instance which allows list operations against an S3 bucket. How does this role-based authentication work, where would you set it up and what mechanism does it use?

A

Assuming an IAM role has been set up correctly, a short-lived token is generated allowing access to S3. This token lasts for approximately an hour.