Security and Security groups Flashcards
What is an instance level firewall?
A security group acts as an INSTANCE level firewall.
A security group regulates 4 things with respect to an instance - what are they?
- Access to ports
- Authorised IPv4/IPv6 IP ranges
- Control of INBOUND network traffic from 'other' to the instance
- Control of OUTBOUND network traffic from the instance to 'other'
If a security group has blocked a request to an EC2 instance, is the instance aware that a request has been made?
No. Security groups exist off the instance. If a request is blocked, the instance will never see it.
Can an instance have multiple security groups attached to it?
Yes. An instance can have multiple security groups attached.
If you switch to a different region - can you use the security groups from the original region?
No, security groups are locked to a region.
If you create a new VPC, can you use the security group from the original VPC?
No, security groups are locked to a VPC. If you create a new VPC, you need to recreate the security group.
You are connecting to an application on your EC2 instance and you receive a connection refused error. What is the cause of this - what changes would you need to make to the security group?
No changes need to be made to the security group. In this case, the application isn’t up. A connection is being made through the security group, but the thing you’re connecting to is not there.
For a security group, what are the defaults for inbound and outbound traffic?
All inbound traffic is blocked. All outbound traffic is authorised.
We have an instance (a) with 2 security groups attached to it, SG1 and SG2. These security groups define the inbound rules to our instance and allow access to port 2200. What happens if another instance (b) with SG1 attached to it attempts to connect to port 2200 on instance (a)?
Traffic will be allowed, as instance (b) has SG1 attached to it, and instance (a) also has SG1 attached to it, allowing traffic to 2200. This means that you can use a security group as an inbound rule so that any instance with that group attached can connect through. This means you don't need to specify IPs.
Security groups can reference all of the following except:
- IP Address
- CIDR Block
- Security Group
- DNS Name
DNS Name
Can you have a deny rule on a security group?
No. You can only specify allow rules. You can technically deny something by not specifically allowing it.
Which services require encryption through migration (4) if not encrypted at point of creation? Which service does not (1)?
EFS, EBS, Elasticache and RDS will require encryption through migration if not encrypted at creation time. S3 can be encrypted in place.
There are 3 mechanisms that the default credential provider chain works with to manage SDK credentials. What are they?
Credential provider chain works with:
- AWS Credentials at ~/.aws/credentials
- Instance profile credentials using IAM Roles
- Environment Variables using AWS_ACCESS_KEY_ID and AWS_SECRET_ACCESS_KEY
What is the AWS Secrets Manager? Is there any interaction with Lambda?
Secrets Manager stores secrets and is for integration with RDS. It allows for management and rotation of secrets via a Lambda function. It can also be used to store API keys and secret keys. Secrets for RDS, Redshift and Amazon DocumentDB can be managed natively without the Lambda function.
There are 3 types of AWS Directory services:
- AWS Managed MS AD
- AWS AD Connector
- AWS Simple AD
What is the use case for each of these and what do they do?
Managed AD: Complete AD in the cloud for running MS Directory-aware workloads (SharePoint etc.). Can be peered with on-prem for SSO support.
AD Connector: Forms a proxy to an on-premises AD and allows for on-premises user management.
Simple AD: Allows SSO access to EC2 instances via a Samba-based AD-compatible server.