Security & Architecture Flashcards

1
Q

What is IAM?

A

Identity Access Management

2
Q

How many EC2 instances can an IAM role be attached to at a given time?

A

Many

3
Q

How many IAM roles can be attached to an EC2 instance at one time?

A

One

4
Q

How can you test if an IAM Policy works as expected?

A

Use the IAM Policy Simulator

5
Q

Can IAM roles and resource based policies be delegated across partitions (i.e. US to China)?

A

No. IAM roles and resource based policies can only delegate within a single partition.

6
Q

Can a trusted AWS account give a level of access that exceeds their own level of access?

A

No. Give access only to entities you trust, and give the minimum level of access necessary. Whenever the trusted entity is another AWS account, that account can in turn delegate access to any of its IAM users. The trusted AWS account can delegate access only to the extent that it has been granted access; it cannot delegate more access than the account itself has been granted.

7
Q

What are the 5 pillars of the well-architected framework?

A
  • Operational Excellence
  • Security
  • Reliability
  • Performance Efficiency
  • Cost Optimization
8
Q

What is Fault Tolerance?

A

Being able to support the failure of individual components within your architecture

9
Q

What is High Availability?

A

Keeping your entire solution running in the expected manner despite issues that may occur.

10
Q

Name 3 of the main compliance services that AWS offers to help meet compliance requirements.

A

AWS Config

  • Provides conformance packs for standards

AWS Artifact

  • Provides self-service access to reports
  • Many of these require that you sign a non-disclosure agreement with AWS

Amazon GuardDuty

  • Provides intelligent threat detection
11
Q

Jane’s company is building an application to process credit cards directly, not through a 3rd-party service. Their bank needs a PCI DSS compliance report for AWS. Where would Jane go to get this information?

A

AWS Artifact

This service provides the actual report that the bank needs.

12
Q

Tim’s company is considering a transition to the cloud.

They store personal information securely in their system.

Tim’s CTO has asked what the company’s responsibility is for security. What would you tell Tim’s CTO?

A

It depends on which services they decide to use, but assuming they are not using fully managed, serverless services, they will need to configure:

  • IAM groups/roles
  • Security Groups
  • Routing Tables
  • Ports, VPCs/Subnets

Essentially: know the Shared Responsibility Model.

13
Q

What are policies in IAM?

A
  • A JSON document that defines permissions for an AWS IAM identity (principal)
  • Defines both the AWS service(s) that the identity can access and what actions can be taken on that service (authentication & authorization).
  • Can either be customer managed (custom policy) or managed by AWS (managed policy).
14
Q

What are some IAM Best Practices?

A
  • Multi-Factor Authentication
  • Least Privilege Access
15
Q

If you want to generate a report that lists all your account’s users and the status of their various credentials, what report would you run?

A

IAM Credentials Report (account level)

16
Q

If you wanted to view the service permissions granted to a user and when those services were last accessed, what IAM security tool could you use?

A

IAM Access Advisor (user level)

17
Q

What is a proper definition of IAM Roles?

A

An IAM entity that defines a set of permissions for making AWS service requests, that will be used by AWS services.

18
Q

What are the two IAM Security Tools?

A

IAM Access Advisor

IAM Credentials Report

19
Q

You need your clients to log in with Twitter and directly interact with your DynamoDB tables. What AWS Service can you use to achieve this?

A

Cognito Identity Pools

20
Q

You would like to provide a Facebook login before your users call your API hosted by API Gateway. You need seamless authentication integration. Which AWS service will you use?

A

Cognito User Pools

21
Q

You would like to store the users that have successfully logged in to Cognito in RDS. What should you do?

A

Write a post-authentication hook with Lambda

22
Q

What are Cognito User Pools?

A
  • User pools are for authentication (identity verification).
  • With a user pool, your app users can sign in through the user pool or federated through a third-party identity provider.
23
Q

What are Cognito Identity Pools?

A
  • Identity pools are for authorization (access control) - what can a user do?
  • You can use identity pools to create unique identities for users and give them access to other AWS services.
24
Q

Describe use cases for Cognito User Pools

A
  • Design sign-up and sign-in webpages for your app.
  • Access and manage user data.
  • Track user device, location, and IP address, and adapt to sign-in requests of different risk levels.
  • Use a custom authentication flow for your app.
25
Q

Describe use cases for Cognito Identity Pools

A
  • Give your users access to AWS resources, such as an Amazon Simple Storage Service (Amazon S3) bucket or an Amazon DynamoDB table.
  • Generate temporary AWS credentials for unauthenticated users.
26
Q

You are managing a central AWS account in your company. You need a tool to analyze access control policies on resources such as S3 and determine whether resources can be accessed publicly or from other AWS accounts. What IAM security tool can you use to help achieve this?

A

Create an IAM Access Analyzer and review the findings.

27
Q

What is IAM Access Analyzer?

A

A tool that can help identify resources that are shared with external entities.

28
Q

Several teams share one AWS account, and there is a large number of IAM roles. You need a method to periodically check each IAM role and identify unused roles based on a time window that you define. What compliance tool can be used to help evaluate this?

A

Periodically trigger an AWS Config rule that invokes a Lambda function. The Lambda function checks the status of each IAM role.

NOTE: The IAM API provides you with information about when an IAM role was last accessed.

https://aws.amazon.com/blogs/security/continuously-monitor-unused-iam-roles-aws-config/

29
Q

What is AWS Config?

A
  • A service that enables you to assess, audit, and evaluate the configurations of your AWS resources.
  • Config continuously monitors and records your AWS resource configurations and allows you to automate the evaluation of recorded configurations against desired configurations.
  • Helps to determine your overall compliance against the configurations specified in your internal guidelines.
  • Periodically triggers your AWS Config rule and will record compliance status.
30
Q

What is an AWS Config Rule?

A
  • This resource represents your desired configuration settings for specific AWS resources or for an entire AWS account.
  • This resource checks the compliance status of your AWS resources.
  • You can provide the logic that determines compliance, which enables you to mark IAM roles in use as “compliant” and inactive roles as “non-compliant.”
31
Q

What is KMS?

A
  • AWS Key Management Service
  • Encrypts data at rest
  • Two types: Symmetric (most common) and Asymmetric
  • Able to fully manage the keys and policies
    • Create, Disable, Enable Keys
    • Create key rotation policies for stronger encryption
  • Able to audit key usage with CloudTrail
32
Q

Explain Symmetric KMS Customer Master Keys

A
  • AES-256 keys
  • AWS services that are integrated with KMS use Symmetric CMKs
    • So symmetric keys always stay within AWS
  • Necessary for Envelope Encryption
  • You never get access to the Key unencrypted (must call KMS API to use)
33
Q

Give an overview of Asymmetric KMS Customer Master Keys

A
  • Public (Encrypt) and Private key (Decrypt) pair
  • Used for encrypt/decrypt, or sign/verify operations
  • The public key is downloadable, but you cannot access the private key unencrypted.
  • Use case: encryption outside of AWS by users who cannot call the KMS API
34
Q

Do symmetric CMKs and the private keys of asymmetric CMKs ever leave AWS KMS unencrypted?

A

No

35
Q

What is the size limit for data sent to AWS KMS for asymmetric operations?

A

4 KB

36
Q

Where is my data encrypted if I use AWS KMS?

A
  • You can use AWS KMS APIs directly to encrypt and decrypt data using your CMKs stored in the service.
  • You can choose to have AWS services encrypt your data using your CMKs stored in the service. In this case data is encrypted using data keys that are protected by your CMKs.
  • You can use the AWS Encryption SDK that is integrated with AWS KMS to perform encryption within your own applications, whether they operate in AWS or not.
37
Q

Why use envelope encryption? Why not just send data to AWS KMS to encrypt directly?

A
  • When you encrypt data directly with AWS KMS it must be transferred over the network.
  • Envelope encryption reduces the network load since only the request and delivery of the much smaller data key go over the network.
  • The data key is used locally in your application or encrypting AWS service, avoiding the need to send the entire block of data to AWS KMS and suffer network latency.
38
Q

What’s the difference between a CMK I create and CMKs created automatically for me by other AWS services?

A
  • You can track AWS managed keys in your account and all usage is logged in AWS CloudTrail, but you have no direct control over the keys themselves.
  • Creating your own CMK gives you more control than you have with AWS managed CMKs.
39
Q

Can asymmetric CMKs be automatically rotated?

A

No. Automatic key rotation is not supported for asymmetric CMKs. You can manually rotate them by creating a new CMK and mapping an existing key alias from the old CMK to the new CMK.

40
Q

Can I bring my own keys to AWS KMS?

A

Yes. You can import a copy of your SYMMETRIC key from your own key management infrastructure to AWS KMS and use it with any integrated AWS service or from within your own applications. You cannot import asymmetric CMKs into AWS KMS.

41
Q

When would I use an imported key?

What type of keys can I import?

A
  • You can use an imported key to get greater control over the creation, lifecycle management, and durability of your key in AWS KMS. Imported keys are designed to help you meet your compliance requirements which may include the ability to generate or maintain a secure copy of the key in your infrastructure, and the ability to immediately delete the imported copy of the key from AWS infrastructure.
  • You can import 256-bit symmetric keys.
42
Q

How is the key that I import into AWS KMS protected in transit?

A

During the import process, your key must be wrapped by an AWS KMS-provided public key using one of two RSA PKCS#1 schemes. This ensures that your encrypted key can only be decrypted by AWS KMS.

43
Q

What’s the difference between a key I import and a key I generate in AWS KMS?

A

You are responsible for maintaining a copy of your imported keys in your key management infrastructure so that you can re-import them at any time. AWS, however, ensures the availability, security, and durability of keys generated by AWS KMS on your behalf until you schedule the keys for deletion.

You may set an expiration period for an imported key. AWS KMS will automatically delete the key material after the expiration period. You may also delete imported key material on demand. In both cases the key material itself is deleted but the CMK reference in AWS KMS and associated metadata are retained so that the key material can be re-imported in the future. Keys generated by AWS KMS do not have an expiration time and cannot be deleted immediately; there is a mandatory 7 to 30 day wait period. All customer managed CMKs, irrespective of whether the key material was imported, can be manually disabled or scheduled for deletion. In this case the CMK itself is deleted, not just the underlying key material.

44
Q

How often can KMS keys be set to rotate?

A

Yearly

45
Q

Do I have to re-encrypt my data after keys in AWS KMS are rotated?

A
  • Not for AWS KMS keys - previous versions of keys are kept and used for decryption of data encrypted under an old version of a key.
  • If you manually rotate your imported or custom key store keys, you may have to re-encrypt your data depending on whether you decide to keep old versions of keys available.
46
Q

Is there a limit to the number of keys I can create in AWS KMS?

A
  • You can create up to 10,000 CMKs per account per region.
  • Both enabled and disabled CMKs count towards the limit,
  • AWS recommends deleting disabled keys that you no longer use.
47
Q

How do I use the public portion of an asymmetric CMK?

A
  • The public portion of the asymmetric key material is generated in AWS KMS and can be used for digital signature verification by calling the “Verify” API, or for public key encryption by calling the “Encrypt” API.
  • The public key can also be used outside of AWS KMS for verification or encryption. You can call the GetPublicKey API to retrieve the public portion of the asymmetric CMK.
48
Q

If you want to encrypt data that is larger than 4 KB, what do you use?

A
  • You need to use Envelope Encryption
  • The main API is the KMS GenerateDataKey API
49
Q

KMS Symmetric API:

Encrypt

A

Encrypts up to 4 KB of data through KMS

50
Q

KMS Symmetric API:

GenerateDataKey

A

Generate a unique symmetric data key (DEK)

Important! -> This is what is used to perform Envelope Encryption right now/immediately

Exam may try and trick you

51
Q

KMS Symmetric API:

GenerateDataKeyWithoutPlainText

A
  • Generate a DEK to use at some point (not immediately)
  • DEK that is encrypted under the CMK that you specify (must use Decrypt later)
52
Q

KMS Symmetric API:

Decrypt

A

Decrypts up to 4 KB of data (including DEKs)

53
Q

KMS Symmetric API: GenerateRandom

A

Returns a random byte string

54
Q

If you receive a throttling error in KMS, what are the 3 main ways you can handle this?

A
  1. Use exponential backoff
  2. Use envelope encryption instead
  3. Request an increase from AWS
55
Q

When using SSE-KMS with S3 what must be added to the header?

A

“x-amz-server-side-encryption”: “aws:kms”

56
Q

You are uploading some big files into Amazon S3. What API can you/S3 use to encrypt these large files using SSE-KMS?

A

Use the GenerateDataKey and Decrypt KMS API calls

57
Q

What authorization is needed to perform SSE-KMS?

A
  • A KMS Key Policy that authorizes the user/role
  • An IAM policy that authorizes access to KMS

If either of these are missing you will get an access denied error

58
Q

You are uploading thousands of objects per second into Amazon S3 using SSE-KMS and receive a throttling error. Is the throttling occurring in KMS or S3? What can you do?

A
  • Try exponential backoff
  • Request an increase in KMS limits
  • The throttling issue here will be a result of reaching KMS limits, not S3
59
Q

How can you significantly reduce the number of API calls made to KMS from S3 as well as overall cost? What is one downfall of using this method?

A

Use an S3 Bucket Key

Downfall: You will see fewer KMS events in CloudTrail

60
Q

What is the difference between SSM Parameter Store and AWS Secrets Manager?

A

Both can

  • store secrets
  • be integrated with CloudFormation

Secrets Manager

  • more expensive
  • KMS is required

SSM Parameter Store

  • less expensive
  • Simple API
  • KMS is optional
61
Q

Can CloudWatch Logs be encrypted?

A
  • Yes, with KMS at the log group level.
  • You cannot associate a CMK with a log group using the CloudWatch (AWS) console.
  • You must use the CloudWatch Logs API which can be implemented through the CLI or an SDK.
62
Q

How do you force SSL on an S3 bucket?

Why would you do this?

A

To force SSL, create an S3 bucket policy with a Deny statement on the condition aws:SecureTransport = false. Using an Allow on aws:SecureTransport = true instead would allow anonymous GetObject as long as SSL is used.

63
Q

How do you force Encryption of SSE-KMS on an S3 bucket policy?

A

In the bucket policy, deny requests with an incorrect encryption header. It must be set to aws:kms.

Also deny requests with no encryption header to ensure objects are not uploaded unencrypted.

64
Q

To enable encryption in flight, we need to have

A

an HTTPS endpoint with an SSL certificate

65
Q

T/F

Server side encryption means that the data is sent encrypted to the server first.

A

false

66
Q

In server side encryption, only the encryption happens on the server. Where does the decryption happen?

A

The Server

Data gets encrypted on the server after it comes in and decrypted before it leaves.

67
Q

T/F

In client side encryption, the server must know our encryption scheme to accept the data.

A

False

68
Q

T / F

We need to create User Keys in KMS before using the encryption features for EBS, S3, etc…

A

False

We can use the AWS managed service keys in KMS

69
Q

We’d like to encrypt 400 KB of data. We should use

A

AWS KMS GenerateDataKey call and encrypt client side

70
Q

We’d like our Lambda function to have access to a database password. We should

a. Embed it in the code

b. Have it as a plaintext environment variable

c. Have it as an encrypted environment variable and decrypt it at runtime

A

c. Have it as an encrypted environment variable and decrypt it at runtime

71
Q

We would like to audit the values of an encrypted value over time. Which AWS service should you use?

A

SSM Parameter Store

72
Q

An EC2 instance is trying to download a file from S3 that is encrypted with SSE-KMS. It’s getting an access denied exception, even though the IAM policy allows access to that S3 object. What do you recommend?

A

Add permissions for kms:Decrypt

73
Q

You would like to store secrets and have automatic rotation. What’s your recommendation?

A

Secrets Manager - where automatic rotation is natively supported

74
Q

How to encrypt existing CloudWatch Logs?

A

Use the associate-kms-key API call.

This API call is used when the log group already exists.

75
Q

How to encrypt non-existing CloudWatch Log(s)?

A

Use the create-log-group API call