Security Deployment and OPS Flashcards
How can you interact with Secrets Manager?
Console, CLI, API or SDKs (integration)
Benefits of Secrets Manager
Supports automatic rotation using Lambda
Directly integrates with some AWS products
(e.g. RDS: automatically rotates the credentials of an RDS instance)
What is the main use case for AWS Shield?
Provides AWS resources with protection against Layer 3 and Layer 4 DDoS attacks
What does AWS Shield Standard cover?
Route53 and CloudFront
What other applications are covered by AWS Shield Advanced?
Extends protection to other AWS resources like EC2, ELB, CloudFront, Global Accelerator and Route 53
Also provides a DDoS Response Team and financial insurance
What does AWS WAF stand for and what is it used for?
Web Application Firewall
Layer 7 (HTTP/S) firewall
Protects against complex Layer 7 attacks/exploits
What kind of attacks does WAF protect against?
SQL injection
Cross-site scripting
Geo blocks
Rate awareness (rate-based rules)
What AWS services can WAF be integrated with?
ALB
API Gateway
CloudFront
What is CloudHSM?
An appliance that creates, manages and secures cryptographic material (keys)
AWS provisioned, fully customer managed
How does CloudHSM differ from KMS?
True single-tenant Hardware Security Module (HSM): it is isolated from Amazon and not shared under the hood
Fully FIPS 140-2 Level 3 compliant
KMS is Level 2 overall, with some Level 3
What is the benefit of using CloudHSM with KMS?
KMS can use CloudHSM as a custom key store
What are some main use cases for CloudHSM?
Offload SSL/TLS processing from web servers
Enable Transparent Data Encryption (TDE) for Oracle databases
Protect the private keys of an issuing certificate authority (CA)
AWS Config
Records configuration changes to resources over time
Auditing of changes, compliance with standards
Does not prevent changes from happening; it offers no protection
AWS Config resiliency
Regional service; supports cross-region and cross-account aggregation
What AWS resources can AWS Config be integrated with?
Changes can generate SNS notifications and near-real-time events via EventBridge and Lambda
Amazon Macie
Data security and data privacy service
Discover, monitor and protect data stored in S3
Automated discovery of sensitive data, e.g. PII, PHI, financial data
How does Amazon Macie protect your sensitive data?
It uses machine learning and pattern matching to discover and protect your sensitive data in AWS.
Amazon Macie Data Identifiers
The patterns that are matched against your data.
Two types:
Managed data identifiers: built-in ML/patterns
Custom data identifiers: proprietary, regex-based
What can Macie be integrated with?
Integrates with Security Hub
Macie can also send 'finding events' to EventBridge
Amazon Macie custom data identifiers: Maximum Match Distance
How close keywords must be to the regex pattern match
Amazon Macie custom data identifiers: Ignore Words
If a regex match contains any of the ignore words, it is ignored
Amazon Macie: Findings
Policy findings: generated when the policy or settings for an S3 bucket are changed in a way that reduces the security of the bucket or its objects after Macie is enabled.
Example: Policy:IAMUser/S3BlockPublicAccessDisabled
Sensitive data findings: generated when Macie discovers sensitive data in S3 objects that you configure it to analyze
Example: SensitiveData:S3Object/Credentials
AWS Inspector
Scans EC2 instances and the instance OS
Vulnerabilities and deviations from best practice
What determines what is checked by AWS Inspector?
Rules packages determine what is checked