Security Deployment and OPS Flashcards

1
Q

How can you interact with Secrets Manager?

A

Console, CLI, API or SDKs (integration)

2
Q

Benefits of Secrets Manager

A

Supports automatic rotation using Lambda

Directly integrates with some AWS products

(e.g. RDS: rotation for an RDS instance is handled automatically)

3
Q

What is the main use case for AWS Shield?

A

Provides AWS resources with protection against Layer 3 and Layer 4 DDoS attacks

4
Q

What does AWS Shield Standard cover?

A

Route 53 and CloudFront

5
Q

What other applications are covered by AWS Shield Advanced?

A

Extends protection to other AWS resources, like EC2, ELB, CloudFront, Global Accelerator and Route 53

Also provides a DDoS Response Team and financial insurance

6
Q

What does AWS WAF stand for and what is it used for?

A

Web Application Firewall

Layer 7 (HTTP/S) firewall

Protects against complex Layer 7 attacks/exploits

7
Q

What kind of attacks does WAF protect against?

A

SQL injection

Cross-Site Scripting

Geo blocking

Rate awareness (rate-based rules)

8
Q

What AWS services can WAF be integrated with?

A

ALB

API Gateway

CloudFront

9
Q

What is CloudHSM?

A

An appliance that creates, manages and secures cryptographic material (keys)

AWS provisioned, fully customer managed

10
Q

How does CloudHSM differ from KMS?

A

True "single tenant" Hardware Security Module (HSM): it is isolated from Amazon and is not shared under the hood

Fully FIPS 140-2 Level 3

KMS is Level 2 overall, some Level 3

11
Q

What is the benefit of using CloudHSM with KMS?

A

KMS can use CloudHSM as a custom key store

12
Q

What are some main use cases for CloudHSM?

A

Offload SSL/TLS processing from web servers

Enable Transparent Data Encryption (TDE) for Oracle databases

Protect the private keys of an issuing certificate authority (CA)

13
Q

AWS Config

A

Records configuration changes to resources over time

Auditing of changes, compliance with standards

Does not prevent changes from happening (no protection)

14
Q

AWS Config resiliency

A

Regional service; supports cross-region and cross-account aggregation

15
Q

What AWS resources can AWS Config be integrated with?

A

Changes can generate SNS notifications and near-real-time events via EventBridge and Lambda

16
Q

Amazon Macie

A

Data security and data privacy service

Discovers, monitors and protects data stored in S3

Automated discovery of sensitive data, e.g. PII, PHI, financial data

17
Q

How does Amazon Macie protect your sensitive data?

A

It uses machine learning and pattern matching to discover and protect your sensitive data in AWS.

18
Q

Amazon Macie Data Identifiers

A

The patterns that are matched against your data.

Two types:

Managed data identifiers: built-in, ML/pattern based

Custom data identifiers: proprietary, regex based

19
Q

What can Macie be integrated with?

A

Integrates with Security Hub

Macie can also send "finding events" to EventBridge

20
Q

AWS Macie custom data identifiers: Maximum match distance

A

How close keywords must be to the regex pattern

21
Q

AWS Macie custom data identifiers: Ignore words

A

If a regex match contains an ignore word, the match is ignored

22
Q

Amazon Macie: Findings

A

Policy findings: generated when the policy or settings for an S3 bucket are changed in a way that reduces the security of the bucket or its objects after Macie is enabled.

e.g. Policy:IAMUser/S3BlockPublicAccessDisabled

Sensitive data findings: generated when Macie discovers sensitive data in S3 objects that you configure it to analyze.

e.g. SensitiveData:S3Object/Credentials

23
Q

AWS Inspector

A

Scans EC2 instances and the instance OS

Looks for vulnerabilities and deviations from best practice

24
Q

What determines what is checked with AWS Inspector?

A

Rules packages determine what is checked

25
Q

Network assessment (agentless)

A

Checks the exposure of instances to public networks and whether the OS is listening

An agent can provide additional OS visibility

Checks reachability end to end: EC2, ALB, DX, ELB, ENI, IGW, ACLs, route tables, SGs, subnets, VPCs, VGWs and VPC peering

Finding types: RecognizedPortWithListener, RecognizedPortNoListener, RecognizedPortNoAgent, UnrecognizedPortWithListener

26
Q

AWS Inspector assessments

A

Network assessment (agentless)

Network and host assessment (agent)

Common Vulnerabilities and Exposures (CVE)

Center for Internet Security (CIS) benchmarks

Security best practices for Amazon Inspector

27
Q

Amazon GuardDuty

A

Continuous security monitoring service that analyzes supported data sources using AI, ML and a threat intelligence feed

Identifies unexpected and unauthorized activity, then notifies or starts event-driven protection/remediation

28
Q

What is the price tag for Shield Standard?

A

$3,000 per month

29
Q

How does WAF work?

A

Rules are added to a Web ACL and evaluated when traffic arrives

30
Q

How can CloudHSM be accessed?

A

Accessed through industry-standard APIs: PKCS#11, Java Cryptography Extensions (JCE) and Microsoft CryptoNG (CNG) libraries

31
Q

Can CloudHSM be integrated with other AWS resources?

A

No native AWS integration (e.g. no S3 SSE)

32
Q

What is the resiliency of CloudHSM? How can you design an HA system using CloudHSM?

A

By default CloudHSM operates in one AZ; for HA, multiple HSMs are required, one in each subnet.

33
Q

Where does CloudHSM run from?

A

Runs from within an AWS CloudHSM VPC that we have no exposure to

34
Q

How does AWS Macie work?

A

You set a discovery schedule, which launches a discovery job that uses a mix of custom identifiers and managed identifiers.

The job then generates findings or finding events, which are sent to EventBridge.

35
Q

How does AWS Inspector work?

A

Assessments of varying length: 15 minutes, 1 hour, 8/12 hours or 1 day

Provides a report of findings ordered by priority

36
Q

How is AWS Macie managed?

A

Centrally managed either via AWS Organizations or by one Macie account inviting other accounts

37
Q

How is AWS GuardDuty managed?

A

Supports multiple accounts (master and member)