Security, Deployment, and Operations

Question 1

How is Secrets Manager different from Parameter Store?

Answer 1

Designed specifically for secrets (passwords, API keys, etc) and provides specific features such as rotation via Lambda, tooling/SDK integration, and directly integrates with some additional AWS products such as RDS.

Question 2

What is AWS Shield?

Answer 2

DDoS prevention, specifically Layer 3 and Layer 4 attacks.

Question 3

What are the AWS Shield tiers?

Answer 3

Standard - free with Route53 and CloudFront.

Advanced - includes EC2, ELB, Global Accelerator, as well as a 24/7/365 response team and financial insurance.

Question 4

What is the Web Application Firewall (WAF)?

Answer 4

A Layer 7 (HTTP/S) Firewall that knows about things like SQL Injection and XSS.

Integrates with edge-of-network services such as CloudFront, API Gateway, and ALBs.

Question 5

What is CloudHSM?

Answer 5

Similar to KMS but provides true, single-tenant HSMs (Hardware Security Modules) and is fully FIPS 140-2 Level 3 compliant.

Question 6

What is AWS Config?

Answer 6

Audit/changelog of configuration changes to resources.

Regional services but can be configured for cross-region.

Question 7

What is AWS Macie?

Answer 7

A data security and privacy service that can discover, monitor, and protect sensitive data stored within S3 including PII, PHI, financial information, security credentials, or anything custom definable by a regular expression.

Question 8

What is AWS Inspector?

Answer 8

A tool for scanning EC2 instances, their OSes, and network components for any deviations from best practice.

Question 9

What can an agent-driven AWS Inspector job find?

Answer 9

CVEs, CIS benchmarks, and other security best practices defined by AWS.

Question 10

What can an agent-less AWS Inspector job find?

Answer 10

Network and port reachability for well-known ports and warnings for unrecognized ports.