Security Deployment and OPS Flashcards

1
Q

How can you interact with Secrets Manager?

A

Console, CLI, API or the SDKs (the SDKs are how applications integrate, fetching a secret at runtime instead of embedding it in config)

2
Q

Benefits of Secrets Manager

A

Supports automatic rotation using a Lambda function

Integrates directly with some AWS products

(e.g. RDS: Secrets Manager can automatically rotate the database credentials stored for an RDS instance; it rotates the credentials, not the instance)

3
Q

What is the main use case for AWS Shield?

A

Provides AWS resources with protection against Layer 3 and Layer 4 DDoS attacks (network and transport layer floods)

4
Q

What does AWS Shield Standard cover?

A

Route 53 and CloudFront (Shield Standard is enabled automatically for every AWS customer at no cost; it gives its most comprehensive protection when traffic enters through CloudFront and Route 53)

5
Q

What other resources are covered by AWS Shield Advanced?

A

Extends protection to other AWS resources: EC2, ELB, CloudFront, Global Accelerator and Route 53

Also provides 24/7 access to the Shield Response Team (SRT, formerly the DDoS Response Team) and DDoS cost protection (credits for the scaling charges a resource incurs during an attack)

6
Q

What does AWS WAF stand for and what is it used for?

A

Web Application Firewall

Layer 7 (HTTP/S) firewall

Protects against complex layer 7 attacks/exploits

7
Q

What kinds of attacks does WAF protect against?

A

SQL injection

Cross-site scripting (XSS)

Geo blocking (geo-match rules that block or allow by the request's source country)

Rate-based rules (rate limiting per source IP, e.g. against HTTP floods and credential stuffing)

8
Q

What AWS services can WAF be integrated with?

A

ALB

API Gateway

CloudFront

(Also AppSync, Cognito user pools and App Runner. WAF cannot be attached directly to an EC2 instance or to a Network Load Balancer.)

9
Q

What is CloudHSM?

A

An appliance that creates, manages and secures cryptographic material (keys)

Provisioned by AWS, fully customer managed: you control the users and keys, and AWS has no access to the key material

10
Q

How does CloudHSM differ from KMS?

A

True single-tenant Hardware Security Module (HSM): the hardware is dedicated to you, isolated from Amazon, and not shared under the hood with other customers

Validated to FIPS 140-2 Level 3

KMS was Level 2 overall (Level 3 in some areas) when these notes were written; the KMS HSMs have since also been validated at FIPS 140-2 Level 3, so the practical difference today is tenancy and who administers the HSM, not the FIPS level

11
Q

What is the benefit of using CloudHSM with KMS?

A

KMS can use CloudHSM as a custom key store: the key material is generated and held in your CloudHSM cluster, while the KMS API and the AWS service integrations (S3 SSE-KMS, EBS, etc.) keep working unchanged

12
Q

What are some main use cases for CloudHSM?

A

Offload SSL/TLS processing from web servers

Enable Transparent Data Encryption (TDE) for Oracle databases

Protect the private keys of an issuing certificate authority (CA)

13
Q

AWS Config

A

Records configuration changes to resources over time

Auditing of changes and compliance with standards: Config rules evaluate each resource as COMPLIANT or NON_COMPLIANT

Does not prevent changes from happening: it is detective only, no protection. (A rule can trigger remediation through SSM Automation, but the change is recorded after the fact, never blocked.)

14
Q

AWS Config resiliency

A

Regional service; supports cross-region and cross-account aggregation (an aggregator collects data from other regions and accounts into one view)

15
Q

What AWS services can AWS Config be integrated with?

A

Changes can generate SNS notifications and near-real-time events via EventBridge, which can invoke Lambda for automated response
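An added example (not part of the original flashcards) showing what a Config custom rule actually does: it receives a recorded configuration item, decides COMPLIANT or NON_COMPLIANT, and reports that back. It never blocks the change. The security group configuration item, the rule name, the `sg-...` id and the EventBridge event are all constructed for this example; the event shapes follow what Config passes to a custom Lambda rule and what it emits as a "Config Rules Compliance Change" event. The boto3 `put_evaluations` call is left as a comment so the block runs offline.

```python
"""Config custom rule: flag security groups that expose a port to the world."""
import ipaddress
import json

# Constructed event, shaped like the one Config sends a custom Lambda rule.
# The group id and timestamp are hypothetical.
SAMPLE_EVENT = {
    "configRuleName": "no-world-open-ssh",
    "resultToken": "constructed-token",
    "invokingEvent": json.dumps({
        "messageType": "ConfigurationItemChangeNotification",
        "configurationItem": {
            "resourceType": "AWS::EC2::SecurityGroup",
            "resourceId": "sg-0123456789abcdef0",
            "configurationItemCaptureTime": "2024-01-01T00:00:00.000Z",
            "configuration": {"ipPermissions": [
                {"ipProtocol": "tcp", "fromPort": 22, "toPort": 22,
                 "ipRanges": [{"cidrIp": "0.0.0.0/0"}], "ipv6Ranges": []},
                {"ipProtocol": "tcp", "fromPort": 443, "toPort": 443,
                 "ipRanges": [{"cidrIp": "10.0.0.0/8"}], "ipv6Ranges": []},
            ]},
        },
    }),
    "ruleParameters": json.dumps({"port": "22"}),
}

# Constructed EventBridge event, shaped like Config's compliance-change event.
SAMPLE_COMPLIANCE_EVENT = {
    "source": "aws.config",
    "detail-type": "Config Rules Compliance Change",
    "detail": {
        "resourceId": "sg-0123456789abcdef0",
        "configRuleName": "no-world-open-ssh",
        "newEvaluationResult": {"complianceType": "NON_COMPLIANT"},
    },
}


def _covers_port(perm, port):
    """True if the permission entry includes `port` (protocol -1 means all)."""
    if perm.get("ipProtocol") == "-1":
        return True
    if perm.get("ipProtocol") != "tcp":
        return False
    return perm.get("fromPort", 0) <= port <= perm.get("toPort", 65535)


def _world_open(perm):
    """True if any CIDR on the entry is 0.0.0.0/0 or ::/0 (prefix length 0)."""
    cidrs = [r.get("cidrIp") for r in perm.get("ipRanges", [])]
    cidrs += [r.get("cidrIpv6") for r in perm.get("ipv6Ranges", [])]
    return any(c and ipaddress.ip_network(c, strict=False).prefixlen == 0
               for c in cidrs)


def evaluate_security_group(configuration, port):
    """Return (complianceType, annotation) for one recorded security group."""
    for perm in configuration.get("ipPermissions", []):
        if _covers_port(perm, port) and _world_open(perm):
            return "NON_COMPLIANT", f"tcp/{port} is reachable from 0.0.0.0/0 or ::/0"
    return "COMPLIANT", f"tcp/{port} is not open to the world"


def handler(event, context=None):
    """Lambda entry point: build the evaluation Config expects for this item."""
    item = json.loads(event["invokingEvent"])["configurationItem"]
    params = json.loads(event.get("ruleParameters") or "{}")
    port = int(params.get("port", 22))
    if item["resourceType"] != "AWS::EC2::SecurityGroup":
        compliance, note = "NOT_APPLICABLE", "rule only evaluates security groups"
    else:
        compliance, note = evaluate_security_group(item["configuration"], port)
    evaluation = {
        "ComplianceResourceType": item["resourceType"],
        "ComplianceResourceId": item["resourceId"],
        "ComplianceType": compliance,
        "Annotation": note,
        "OrderingTimestamp": item["configurationItemCaptureTime"],
    }
    # In Lambda the result is reported back to Config; nothing is blocked:
    # boto3.client("config").put_evaluations(
    #     Evaluations=[evaluation], ResultToken=event["resultToken"])
    return evaluation


def is_noncompliant_change(eb_event):
    """Filter an EventBridge event down to rule results that went NON_COMPLIANT."""
    if eb_event.get("source") != "aws.config":
        return False
    if eb_event.get("detail-type") != "Config Rules Compliance Change":
        return False
    result = eb_event.get("detail", {}).get("newEvaluationResult", {})
    return result.get("complianceType") == "NON_COMPLIANT"


if __name__ == "__main__":
    print(handler(SAMPLE_EVENT))
```

The `is_noncompliant_change` filter is the glue for the EventBridge/Lambda integration on this card: an EventBridge rule on `source: aws.config` delivers the compliance-change event, and a remediation function can apply this filter before acting. The detective/preventive split is visible in the code: the security group stays open while the rule runs; only the evaluation changes.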

16
Q

Amazon Macie

A

Data security and data privacy service

Discover, monitor and protect data stored in S3

Automated discovery of sensitive data, e.g. PII, PHI and financial data

17
Q

How does Amazon Macie protect your sensitive data?

A

It uses machine learning and pattern matching to discover and protect your sensitive data in AWS.

18
Q

Amazon Macie Data Identifiers

A

The patterns that are matched against your data.

Two types:

Managed data identifiers: built in, ML and pattern based, maintained by AWS

Custom data identifiers: your own, regex based (optionally refined with keywords, a maximum match distance and ignore words)

19
Q

What can Macie be integrated with?

A

Integrates with Security Hub

Macie can also generate finding events to EventBridge

20
Q

Amazon Macie custom data identifiers: maximum match distance

A

How close (in characters) a complete keyword must be to the text matching the regex for the match to count; 1 to 300 characters, default 50

21
Q

Amazon Macie custom data identifiers: ignore words

A

If the text matched by the regex contains an ignore word, that match is excluded from the results
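An added example (not from the original flashcards and not Macie's own code) that implements the three custom data identifier controls from cards 18, 20 and 21 together: a regex, keywords with a maximum match distance, and ignore words. Macie's internal matching is proprietary; this is an approximation of the documented behaviour, and the distance is measured here from the end of the keyword to the start of the regex match (an assumption). The sample text, the identifier name and the `EMP-` id format are constructed.

```python
"""Approximate Macie custom data identifier matching: regex + keywords + distance + ignore words."""
import re
from dataclasses import dataclass, field


@dataclass
class CustomDataIdentifier:
    name: str
    regex: str
    keywords: list = field(default_factory=list)      # case-insensitive
    maximum_match_distance: int = 50                  # Macie allows 1-300, default 50
    ignore_words: list = field(default_factory=list)  # case-insensitive


def _keyword_near(lowered, keyword, match_start, distance):
    """True if `keyword` ends within `distance` characters before the match starts."""
    region_start = max(0, match_start - distance - len(keyword))
    idx = lowered[region_start:match_start].rfind(keyword)
    if idx == -1:
        return False
    keyword_end = region_start + idx + len(keyword)
    return match_start - keyword_end <= distance


def find_matches(cdi, text):
    """Return [(offset, matched_text)] for every regex hit that survives the filters."""
    lowered = text.lower()
    results = []
    for m in re.finditer(cdi.regex, text):
        matched = m.group(0)
        # Ignore words: a hit whose text contains an ignore word is dropped.
        if any(w.lower() in matched.lower() for w in cdi.ignore_words):
            continue
        # Keywords: if any are configured, one must sit within the distance.
        if cdi.keywords and not any(
                _keyword_near(lowered, k.lower(), m.start(), cdi.maximum_match_distance)
                for k in cdi.keywords):
            continue
        results.append((m.start(), matched))
    return results


# Constructed sample object content; the id format is invented for the example.
SAMPLE_TEXT = (
    "Employee ID: EMP-48213\n"
    "Employee ID: TEST-99999 (placeholder row)\n"
    "Badge printed for staff id on 2024-05-01 at desk 7, reference EMP-00042\n"
    "Part number ABC-12345 shipped\n"
)

EMPLOYEE_ID = CustomDataIdentifier(
    name="example-employee-id",
    regex=r"\b[A-Z]{3,4}-\d{5}\b",
    keywords=["employee id", "staff id"],
    maximum_match_distance=20,
    ignore_words=["TEST"],
)


def matched_values(cdi, text):
    """Convenience wrapper: just the matched strings, in document order."""
    return [value for _, value in find_matches(cdi, text)]


if __name__ == "__main__":
    print(matched_values(EMPLOYEE_ID, SAMPLE_TEXT))
    wide = CustomDataIdentifier(**{**EMPLOYEE_ID.__dict__, "maximum_match_distance": 50})
    print(matched_values(wide, SAMPLE_TEXT))
```

Running it shows the effect of each control on the same text: `TEST-99999` is a regex hit but carries an ignore word; `ABC-12345` matches the regex but has no keyword near it; `EMP-00042` is 36 characters from `staff id`, so it is excluded at a distance of 20 and included at 50. That last case is the one to keep in mind when tuning an identifier: too small a distance silently drops real data, too large one pulls in unrelated hits.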

22
Q

Amazon Macie: Findings

A

Policy findings: generated when the policy or settings of an S3 bucket are changed in a way that reduces the security of the bucket or its objects after Macie is enabled.

Example finding type: Policy:IAMUser/S3BlockPublicAccessDisabled

Sensitive data findings: generated when Macie discovers sensitive data in the S3 objects you configure it to analyze.

Example finding type: SensitiveData:S3Object/Credentials

23
Q

Amazon Inspector

A

Scans EC2 instances and the instance OS

Finds vulnerabilities and deviations from best practice

(The assessment and rules package cards below describe Inspector Classic; the current Amazon Inspector scans EC2 instances, ECR container images and Lambda functions continuously rather than in scheduled assessment runs)

24
Q

What determines what is checked with Amazon Inspector?

A

Rules packages determine what is checked

25
Q

Amazon Inspector: network assessment (agentless)

A

Checks the exposure of instances to public networks and whether the OS is actually listening on the reachable ports. The agent can provide additional OS visibility.

Checks reachability end to end across EC2, ALB, DX, ELB, ENI, IGW, network ACLs, route tables, security groups, subnets, VPCs, VGWs and VPC peering

Finding types: RecognizedPortWithListener, RecognizedPortNoListener, RecognizedPortNoAgent, UnrecognizedPortWithListener
26
Q

Amazon Inspector assessments

A

Network assessment (agentless)

Network & host assessment (agent): Common Vulnerabilities and Exposures (CVE), Center for Internet Security (CIS) benchmarks, **security best practices** for Amazon Inspector
27
Q

Amazon GuardDuty

A

Continuous security monitoring service that analyzes supported data sources (e.g. CloudTrail events, VPC Flow Logs and DNS logs) using AI/ML and threat intelligence feeds, identifies unexpected and unauthorized activity, then notifies or starts event-driven protection/remediation (typically a finding event to EventBridge that invokes Lambda)
28
Q

What is the price tag for Shield Standard?

A

Shield Standard is free and enabled automatically. (The $3,000 per month figure, with a one-year commitment, is the price of Shield Advanced.)
29
Q

How does WAF work?

A

Rules are added to a Web ACL and evaluated when traffic arrives. Rules run in priority order; the first matching rule with an Allow or Block action terminates evaluation, a Count rule only records the match and evaluation continues, and the Web ACL's default action applies if nothing matched.
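An added example (not from the original flashcards and not AWS code) that models the Web ACL evaluation order described on this card, with one rule of each kind from card 7: a byte-match rule in Count mode, an SQLi rule, a geo-match rule and a rate-based rule. The rule names, the country code `XX`, the addresses and the tiny SQLi signature set are constructed for the example; AWS WAF's real SQLi matching and rate-based counting are far more elaborate, and the 60-second window here is a simplification.

```python
"""Model of AWS WAF Web ACL evaluation: priority order, terminating vs Count actions, default action."""
import re
from collections import defaultdict, deque

ALLOW, BLOCK, COUNT = "ALLOW", "BLOCK", "COUNT"


class Rule:
    """One Web ACL rule: a priority, a statement (predicate) and an action."""
    def __init__(self, name, priority, action, statement):
        self.name, self.priority, self.action, self.statement = name, priority, action, statement


def geo_match(country_codes):
    codes = set(country_codes)
    return lambda req, state: req.get("country") in codes


# Deliberately small signature set for the example; not WAF's managed SQLi rule.
_SQLI = re.compile(r"(?i)(\bunion\b\s+\bselect\b|'\s*or\s+\S+\s*=\s*\S+|--\s*$|;\s*drop\b)")


def sqli_match(field):
    return lambda req, state: bool(_SQLI.search(req.get(field, "")))


def byte_match(field, needle):
    return lambda req, state: needle.lower() in req.get(field, "").lower()


def rate_based(limit, window_seconds):
    """Sliding-window count per source IP kept in the ACL's state (simplified)."""
    def statement(req, state):
        history = state[("rate", req["ip"])]
        now = req["ts"]
        while history and now - history[0] > window_seconds:
            history.popleft()
        history.append(now)
        return len(history) > limit
    return statement


class WebACL:
    def __init__(self, default_action, rules):
        self.default_action = default_action
        self.rules = sorted(rules, key=lambda r: r.priority)   # lowest priority value first
        self.state = defaultdict(deque)

    def evaluate(self, req):
        """Return (action, terminating_rule_name, [count_rules_that_matched])."""
        counted = []
        for rule in self.rules:
            if not rule.statement(req, self.state):
                continue
            if rule.action == COUNT:
                counted.append(rule.name)      # recorded, evaluation continues
                continue
            return rule.action, rule.name, counted
        return self.default_action, None, counted


# Constructed demo ACL; rule names, country code and limits are invented.
DEMO_ACL = WebACL(ALLOW, [
    Rule("count-sqlmap-ua", 0, COUNT, byte_match("user_agent", "sqlmap")),
    Rule("block-sqli-query", 10, BLOCK, sqli_match("query")),
    Rule("block-geo", 20, BLOCK, geo_match(["XX"])),
    Rule("rate-limit-5-per-60s", 30, BLOCK, rate_based(5, 60)),
])


def request(ip, query="", country="US", user_agent="Mozilla/5.0", ts=0.0):
    """Build a minimal request record; addresses below are documentation ranges."""
    return {"ip": ip, "query": query, "country": country, "user_agent": user_agent, "ts": ts}


if __name__ == "__main__":
    print(DEMO_ACL.evaluate(request("203.0.113.5", query="id=7' or 1=1", ts=1)))
```

Two details worth noticing when reading `evaluate`: a Count rule never decides anything, it only annotates the request (which is how a new rule is staged in production before it is switched to Block), and the rate-based rule only counts requests that reach it, so a request blocked by the SQLi rule at priority 10 does not advance the counter at priority 30.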
30
Q

How can CloudHSM be accessed?

A

Accessed through industry-standard APIs: **PKCS#11**, Java Cryptography Extensions (**JCE**) and Microsoft Cryptography API: Next Generation (**CNG**) libraries
31
Q

Can CloudHSM be integrated with other AWS resources?

A

No native AWS integration (e.g. it cannot be used directly for S3 SSE). The one indirect route is a KMS custom key store backed by the CloudHSM cluster.
32
Q

What is the resiliency of CloudHSM? How can you design an HA system using CloudHSM?

A

A single HSM lives in one AZ. For HA, create a CloudHSM cluster that spans subnets in multiple AZs and add multiple HSMs to it, at least one per AZ; the cluster keeps the HSMs synchronized and the client library load-balances across them.
33
Q

Where does CloudHSM run from?

A

Runs from within an AWS-managed CloudHSM VPC that you have no visibility into; the HSMs are exposed into your VPC through elastic network interfaces (ENIs)
34
Q

How does Amazon Macie work?

A

You set a discovery schedule (or run a one-off job), which launches a sensitive data discovery job. The job uses a mix of managed and custom data identifiers and generates findings, which are also emitted as finding events to EventBridge.
35
Q

How does Amazon Inspector work?

A

Inspector Classic runs assessments of a chosen duration (15 minutes, 1 hour, 8 or 12 hours, or 1 day) and produces a report of findings ordered by severity/priority
36
Q

How is Amazon Macie managed?

A

Centrally managed either through AWS Organizations or by one Macie administrator account inviting other accounts
37
Q

How is Amazon GuardDuty managed?

A

Supports multiple accounts: one administrator account (formerly called the master account) and member accounts, linked through AWS Organizations or by invitation