Security & Compliance Flashcards

1
Q

Compliance Frameworks

A
ISO
PCI
HIPAA
FedRAMP
NIST
SAS70
SOC1
FISMA
FIPS140-2
2
Q

How to mitigate DDoS attacks?

A
Minimize the attack surface area
- use ALB with WAFs
Be ready to scale to absorb attacks
- use auto scaling groups
Safeguard exposed resources
- Learn normal behaviour of your application
3
Q
  • It’s a free service that protects all AWS customers on Elastic Load Balancing, Amazon CloudFront and Route 53.
  • It protects against SYN/UDP floods, reflection attacks, and other Layer 3 and Layer 4 attacks.
A

AWS Shield

4
Q
  • Provides always-on, flow-based monitoring of network traffic and active application monitoring to give near real-time notifications of DDoS attacks.
  • 24x7 DDoS Response Team to manage and mitigate application-layer DDoS attacks.
  • Protects your AWS bill against higher fees due to Elastic Load Balancing, CloudFront and Route 53 usage spikes during a DDoS attack.
  • $3000 a month
A

AWS Shield Advanced

5
Q

What services can you use to mitigate DDoS attacks?

A
  • CloudFront
  • ELBs
  • Route53
  • WAF
  • Autoscaling
  • CloudWatch
6
Q

How can you get a report of all of the users in your account who use MFA?

A

Get credential reports on the IAM console.

7
Q

Which service is used to grant users limited and temporary access to AWS resources?
Users can come from three sources:
- Federation (typically done with Active Directory)
- Federation with Mobile Apps
- Cross Account Access

A

Security Token Service

8
Q

Joining a list of users in one domain (such as IAM) with a list of users in another domain (such as AD, Facebook, etc.), what does this define?

  • Federation
  • Identity Broker
  • Identity Store
  • Identity?
A

Federation

9
Q

A service that allows you to take an identity from point A and join it (federate it) to point B, what does this define?

A

Identity Broker

10
Q

Services like AD, Facebook, Google, etc., what does this define?

  • Federation
  • Identity Broker
  • Identity Store
  • Identity?
A

Identity Store

11
Q

A user of a service like Facebook, etc., what does this define?

  • Federation
  • Identity Broker
  • Identity Store
  • Identity?
A

Identity

12
Q

How does STS work?

A
  1. Authenticate against the third party first (AD, Facebook, Google).
  2. Then you authenticate against STS.
  3. STS will give you a token.
  4. When you try to access your AWS resource,
  5. that resource will check the token against IAM.
  6. If everything’s correct, it will give you access to the platform.
13
Q

4 Main services for Security & Logging

A
  • AWS CloudTrail - API calls
  • AWS Config - alerts on any configuration changes
  • AWS CloudWatch
  • VPC Flow Logs
14
Q

How can you control access to Log Files?

3 ways

A
  • IAM users, groups, roles and policies
  • S3 bucket policies
  • MFA
15
Q

How can you obtain alerts on Log File Creation and Misconfiguration?

A
  • Alerts when logs are created or fail:
    • CloudTrail notifications
    • AWS Config Rules
  • Alerts are specific, but don’t divulge detail:
    • CloudTrail SNS notifications only point to the log file location
16
Q

How can you manage changes to AWS Resources and Log files?

A

Log changes to system components:

  • CloudTrail
  • AWS Config Rules

Controls exist to prevent modifications to logs:

  • IAM and S3 controls and policies
  • CloudTrail log file validation → lets you see if somebody modified the log files
  • CloudTrail log file encryption
17
Q

What is WAF?

A
  • Layer 7 firewall
  • Monitors HTTP/HTTPS requests that are forwarded to CloudFront, ALB, or API Gateway.
  • Lets you control access to your content, for example by:
    • IP addresses
    • Query string parameters
  • If blocked, the user gets a 403 error code.
18
Q

WAF Behaviors:

A
  • Allow all or Block all requests except the ones that you specify
  • Count the requests that match the properties you specify
19
Q

WAF provides more protection against web attacks using conditions that you specify, give some examples.

A
  • IP addresses that requests originate from
  • Country
  • Values in request headers
  • Strings that appear in requests, either specific strings or strings that match regular expression (regex) patterns.
  • SQL Injection
  • Cross-site scripting
20
Q

Which services does WAF integrate with?

A
  • CloudFront
  • API Gateway
  • Application Load Balancer (only)
21
Q

In an IAM policy, what does the iam:PassRole action allow?

A

iam:PassRole allows the affected entity to pass roles to AWS services or accounts, granting them permission to assume the role.

22
Q

Using AWS WAF, two types of rules can be set:
- Regular rules
- Rate-based rules
What is the difference between the two?

A

Regular rules:
- Allow or block a matching IP address.
Rate-based rules:
- Consider the number of requests coming from a particular IP in a five-minute interval; if those requests exceed the threshold limit, WAF will block the IP address.

23
Q

What is a hypervisor?

A

The hypervisor is the physical host that is going to run your virtual machines.

24
Q

What is HVM?

A

Hardware Virtual Machine

  • Windows only
  • Guests are fully virtualized.
  • The VMs on top of the hypervisor are not aware that they are sharing processing time with other VMs.
25
Q

What is PV?

A

Paravirtualization

  • Linux and Windows
  • Lighter form of virtualization, used to be quicker.
  • Isolated by layers, from 0 to 3:
    • Layer 0: Host OS
    • Layer 1: Guest OS
    • Layer 3: Application
26
Q

Which type of instance should you use if you have specific regulatory requirements or licensing conditions?

A

Dedicated Hosts

27
Q

True or false: Both Dedicated Instances and Dedicated Hosts have dedicated hardware.

A

True

28
Q

True or false: Dedicated Hosts may share the same hardware with other AWS instances from the same account that are not dedicated.

A

False, Dedicated Instances may share the same hardware with other AWS instances from the same account that are not dedicated.

29
Q

AWS Systems Manager Run Command

A
  • Commands can be applied to a group of systems based on AWS instance tags or by selecting them manually.
  • The SSM agent needs to be installed on all your managed instances.
  • The commands and parameters are defined in a Systems Manager Document.
  • Commands can be issued using the console, CLI, AWS Tools for Windows PowerShell, the Systems Manager API or the AWS SDKs.
  • You can use this service with your on-premises systems as well as EC2 instances.
30
Q

AWS Systems Manager Parameter Store

A
  • You can store confidential information such as passwords, database connection strings, license codes, etc. inside SSM Parameter Store.
  • You can encrypt the values or store them as plain text.
  • You can then reference these values by using their names.
31
Q

Secure S3 - using pre-signed URLs

A
  • You can access objects using pre-signed URLs.
  • Typically these are generated via the SDK but can also be generated using the CLI.
  • They exist for a certain length of time in seconds. The default is 1 hour.
  • You can change this using “--expires-in” followed by the number of seconds.
32
Q
What does this bucket policy do?
{ 
"Version":"2012-10-17",
"Id":"S3PolicyId1",
"Statement":[
  {
   "Sid":"IPAllow",
   "Effect": "Allow",
   "Principal": "*",
   "Action":"s3:*",
   "Resource":"arn:aws:s3:::examplebucket/*",
   "Condition":{
     "IpAddress": {"aws:SourceIp": "10.0.12.0/24"},
     "NotIpAddress": {"aws:SourceIp": "54.240.143.188/32"}
   }
  }
 ]
}
A
  • Anyone in the 10.0.12.0/24 IP address range will be able to access this S3 bucket.
  • The IP 54.240.143.188/32 will not be able to access this S3 bucket.
33
Q

What are two main rules for AWS Config with S3?

A

Two main rules:

  1. s3-bucket-public-read-prohibited
  2. s3-bucket-public-write-prohibited

Checks that your Amazon S3 buckets do not allow public write or read access. The rule checks the Block Public Access settings, the bucket policy, and the bucket access control list (ACL).

34
Q

It’s asking you about installing an agent on your guest operating system and creating reports that map back to the Center for Internet Security. Which service should you use?
Inspector OR Trusted Advisor?

A

Inspector

35
Q

What do these steps do?

  • Create “Assessment target”
  • Install agents on EC2 instances
  • Create “Assessment template”
  • Perform “Assessment run”
  • Review “Findings” against “Rules”
A

Inspector: it assesses your instances against security rules.

36
Q

Which service provides you visibility of:

  • Cost optimization, Availability, Performance, and Security.
  • If it’s just asking whether or not you’ve got some security groups unlocked, or MFA on your root account, or something like that.
A

Trusted Advisor

37
Q

How can you check your Service Limits?

A

By using Trusted Advisor: it offers a Service Limits check in the Performance category, which displays your usage and limits for some aspects of the services.

38
Q

Do you have to perform updates on PHP running on ElasticBeanstalk?

A

Yes

39
Q

______________ provides on-demand downloads of AWS security and compliance documents, such as:

  • AWS ISO certifications
  • PCI
  • Service Organization Control or SOC reports.
  • You can submit security and compliance documents also known as audit artifacts to your auditors, or your regulators to demonstrate the security and compliance of AWS infrastructure and services that you use.
A

AWS Artifact

40
Q

What types of metadata does CloudTrail log around API calls?

A
  • Identity
  • Time
  • Source IP address
  • Request parameters → what are they trying to do?
  • Response elements returned by the service
41
Q

Where are CloudTrail Event Logs sent to? What’s the retention period? Delivered within how many minutes? Can you enable notifications? Can it be aggregated across regions and accounts?

A
  • Sent to an S3 bucket
  • You manage the retention in S3
  • Delivered every 5 minutes, with up to a 15-minute delay
  • Notifications available → you can set up SNS notifications
  • Can be aggregated across regions and accounts.
42
Q

How can you validate the integrity of your CloudTrail Log Files?

A
  • By checking the Digest file.
  • CloudTrail log file integrity validation uses:
    • SHA-256 hashing
    • SHA-256 with RSA for digital signing