Security Deployment and OPS Flashcards
How can you interact with Secrets Manager?
Console, CLI, API or SDKs (application integration)
Benefits of Secrets Manager
Supports automatic rotation using a Lambda function
Directly integrates with some AWS products
(e.g. RDS: Secrets Manager can automatically rotate the database credentials of an RDS instance)
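The rotation Lambda that the two cards above refer to follows a fixed four-step protocol (createSecret, setSecret, testSecret, finishSecret) driven by the staging labels AWSPENDING and AWSCURRENT. The block below is an added example, not AWS's code: FakeSecretsManager and FakeDatabase are constructed in-memory stand-ins for boto3.client("secretsmanager") and the RDS instance so it runs offline, and the ARN and version ids are made up. In a deployed function, `rotate` is the body of `lambda_handler(event, context)` and the fakes are replaced by the real client and a DB driver.

```python
import json
import secrets
import string


class FakeSecretsManager:
    """Constructed in-memory stand-in for boto3.client("secretsmanager").

    Only the calls a rotation function needs are modelled; versions are keyed
    by version id and carry their staging labels, as in the real service.
    """

    def __init__(self, current_secret):
        self.versions = {"v-initial": {"SecretString": json.dumps(current_secret),
                                       "VersionStages": ["AWSCURRENT"]}}

    def get_secret_value(self, SecretId, VersionId=None, VersionStage=None):
        for vid, v in self.versions.items():
            if VersionId is not None and vid != VersionId:
                continue
            if VersionStage is not None and VersionStage not in v["VersionStages"]:
                continue
            return {"VersionId": vid, "SecretString": v["SecretString"]}
        raise LookupError("ResourceNotFoundException")  # boto3 raises a ClientError here

    def put_secret_value(self, SecretId, ClientRequestToken, SecretString, VersionStages):
        self.versions[ClientRequestToken] = {"SecretString": SecretString,
                                             "VersionStages": list(VersionStages)}

    def update_secret_version_stage(self, SecretId, VersionStage, MoveToVersionId,
                                    RemoveFromVersionId=None):
        if RemoveFromVersionId is not None:
            self.versions[RemoveFromVersionId]["VersionStages"].remove(VersionStage)
        self.versions[MoveToVersionId]["VersionStages"].append(VersionStage)


class FakeDatabase:
    """Constructed stand-in for the RDS instance whose password is being rotated."""

    def __init__(self, username, password):
        self.creds = {username: password}

    def login(self, username, password):
        return self.creds.get(username) == password

    def set_password(self, username, password):
        self.creds[username] = password


def new_password(length=32):
    alphabet = string.ascii_letters + string.digits + "!#$%&*+-=?@^_"
    return "".join(secrets.choice(alphabet) for _ in range(length))


def rotate(event, sm, db):
    """One invocation of the rotation function (the Lambda handler body).

    Secrets Manager invokes it four times per rotation with the same
    ClientRequestToken (the id of the new version) and Step set in turn to
    createSecret, setSecret, testSecret and finishSecret.
    """
    arn, token, step = event["SecretId"], event["ClientRequestToken"], event["Step"]

    def get(**kw):
        return json.loads(sm.get_secret_value(SecretId=arn, **kw)["SecretString"])

    if step == "createSecret":
        try:  # idempotent: a retry must not mint a second password for this token
            sm.get_secret_value(SecretId=arn, VersionId=token, VersionStage="AWSPENDING")
            return
        except LookupError:
            pass
        pending = dict(get(VersionStage="AWSCURRENT"), password=new_password())
        sm.put_secret_value(SecretId=arn, ClientRequestToken=token,
                            SecretString=json.dumps(pending), VersionStages=["AWSPENDING"])
    elif step == "setSecret":
        current = get(VersionStage="AWSCURRENT")
        pending = get(VersionId=token, VersionStage="AWSPENDING")
        if not db.login(current["username"], current["password"]):
            raise RuntimeError("AWSCURRENT credentials no longer work; cannot change password")
        db.set_password(pending["username"], pending["password"])
    elif step == "testSecret":
        pending = get(VersionId=token, VersionStage="AWSPENDING")
        if not db.login(pending["username"], pending["password"]):
            raise RuntimeError("AWSPENDING credentials rejected; not promoting them")
    elif step == "finishSecret":
        current_id = sm.get_secret_value(SecretId=arn, VersionStage="AWSCURRENT")["VersionId"]
        if current_id != token:  # AWS moves AWSPREVIOUS onto the old version for you
            sm.update_secret_version_stage(SecretId=arn, VersionStage="AWSCURRENT",
                                           MoveToVersionId=token, RemoveFromVersionId=current_id)
    else:
        raise ValueError(f"unknown rotation step {step!r}")


def run_full_rotation(sm, db, arn="arn:aws:secretsmanager:us-east-1:123456789012:secret:demo-rds",
                      token="v-rotated-1"):
    """Drive the four steps in order, as the service would; returns the promoted credentials."""
    for step in ("createSecret", "setSecret", "testSecret", "finishSecret"):
        rotate({"SecretId": arn, "ClientRequestToken": token, "Step": step}, sm, db)
    return json.loads(sm.get_secret_value(SecretId=arn, VersionStage="AWSCURRENT")["SecretString"])


if __name__ == "__main__":
    db = FakeDatabase("app_user", "old-password")
    sm = FakeSecretsManager({"username": "app_user", "password": "old-password",
                             "host": "db.example.internal"})
    creds = run_full_rotation(sm, db)
    print("rotated; new password accepted by DB:", db.login(creds["username"], creds["password"]))
```

The important design points are the ones the service relies on: createSecret must be idempotent because Lambda may retry it, the new password is only ever written under AWSPENDING, and the label is moved to AWSCURRENT only after testSecret has proven the database accepts it, so a failed rotation leaves the old credential live.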
What is the main use case for AWS Shield?
Provides AWS resources with protection against Layer 3 and Layer 4 DDoS attacks
What does AWS Shield Standard cover?
Route 53 and CloudFront (free and enabled automatically for every AWS customer)
What other resources are covered by AWS Shield Advanced?
Extends protection to other AWS resources: EC2, ELB, CloudFront, Global Accelerator and Route 53
Also provides access to the DDoS Response Team and DDoS cost protection (credits for scaling charges caused by an attack)
What does AWS WAF stand for and what is it used for?
Web Application Firewall
Layer 7 (HTTP/S) firewall
Protects against complex Layer 7 attacks/exploits
What kinds of attacks and conditions can WAF rules act on?
SQL injection
Cross-site scripting (XSS)
Geo blocking (match on the request's country of origin)
Rate awareness (rate-based rules that block a source IP exceeding a request threshold)
What AWS services can WAF be integrated with ?
ALB
API Gateway
CloudFront
What is CloudHSM?
A hardware security module appliance that creates, manages and secures cryptographic material (keys)
AWS provisioned, fully customer managed
How does CloudHSM differ from KMS?
True single-tenant hardware security module (HSM): the device is dedicated to you, isolated from AWS and not shared under the hood
Fully FIPS 140-2 Level 3
KMS was historically Level 2 overall with some Level 3 areas (its HSMs have since been validated at Level 3 as well)
What is the benefit of using CloudHSM with KMS?
KMS can use CloudHSM as a custom key store: keys are generated and held in your CloudHSM cluster but remain usable through the KMS API
What are some main use cases for CloudHSM?
Offload SSL/TLS processing from web servers
Enable Transparent Data Encryption (TDE) for Oracle databases
Protect the private keys of an issuing certificate authority (CA)
AWS Config
Records configuration changes to resources over time
Auditing of changes, compliance with standards
Does not prevent changes from happening: it records and evaluates, it does not protect
AWS Config resiliency
Regional service; supports cross-region and cross-account aggregation
What AWS services can AWS Config be integrated with?
Changes can generate SNS notifications and near-real-time events via EventBridge and Lambda (the basis for automated remediation)
Amazon Macie
Data security and data privacy service
Discover, monitor and protect data stored in S3
Automated discovery of sensitive data, e.g. PII, PHI, financial data
How does Amazon Macie protect your sensitive data ?
It uses machine learning and pattern matching to discover and protect your sensitive data in AWS.
Amazon Macie data identifiers
The patterns that are matched against your data.
Two types:
Managed data identifiers: built-in, ML/pattern-based
Custom data identifiers: your own, regex-based (optionally refined with keywords, a maximum match distance and ignore words)
What can Macie be integrated with?
Integrates with Security Hub
Macie can also publish finding events to EventBridge
Amazon Macie custom data identifiers: maximum match distance
How close a keyword must be to the text that matches the regex for the match to count (default 50 characters)
Amazon Macie custom data identifiers: ignore words
If the text matched by the regex contains an ignore word, the match is ignored
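To make the three custom-identifier settings concrete (regex, keyword proximity via maximum match distance, and ignore words), here is an added example that models them in plain Python. It is not Macie's matching engine: the exact way Macie measures distance is an assumption (keyword must fall within the last N characters ending where the regex match ends), the employee-ID scheme and SAMPLE text are constructed, and keywords are treated as case-insensitive while ignore words are case-sensitive.

```python
import re


class CustomDataIdentifier:
    """Constructed model of a Macie custom data identifier: the documented
    settings applied to text. Not Macie's engine."""

    def __init__(self, name, regex, keywords=(), max_match_distance=50, ignore_words=()):
        self.name = name
        self.pattern = re.compile(regex)
        self.keywords = tuple(k.lower() for k in keywords)  # case-insensitive
        self.max_match_distance = max_match_distance        # Macie default 50, range 1-300
        self.ignore_words = tuple(ignore_words)             # case-sensitive

    def _keyword_near(self, text, match_end):
        # Assumption about the measurement: a keyword counts if it appears in the
        # max_match_distance characters that end where the regex match ends.
        window = text[max(0, match_end - self.max_match_distance):match_end].lower()
        return any(k in window for k in self.keywords)

    def scan(self, text):
        """Return the matches Macie would report as occurrences of this identifier."""
        hits = []
        for m in self.pattern.finditer(text):
            value = m.group(0)
            if any(w in value for w in self.ignore_words):
                continue                       # ignore word: placeholder/test value
            if self.keywords and not self._keyword_near(text, m.end()):
                continue                       # regex matched but no keyword nearby
            hits.append({"identifier": self.name, "offset": m.start(), "text": value})
        return hits


# Constructed sample object content (not real data): an internal employee-ID scheme.
SAMPLE = (
    "Employee ID: EMP-123456 joined in 2021.\n"
    "Reference ticket EMP-999999 is a template placeholder.\n"
    "Emp No: EMP-000000 is the test account.\n"
    "Emp no: EMP-654321 has badge access."
)

EMPLOYEE_ID = CustomDataIdentifier(
    name="employee-id",
    regex=r"EMP-\d{6}",
    keywords=("employee id", "emp no"),
    max_match_distance=50,
    ignore_words=("EMP-000000",),
)


def scan_sample():
    """Line 1 and line 4 are reported: line 2 has no keyword within 50
    characters, line 3 hits an ignore word."""
    return EMPLOYEE_ID.scan(SAMPLE)


if __name__ == "__main__":
    for hit in scan_sample():
        print(hit)
```

Tuning the distance is the practical lever: too small and genuine values lose their keyword and go unreported, too large and unrelated keywords elsewhere in the object start qualifying every regex hit.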
Amazon Macie: findings
Policy findings: generated when the policy or settings of an S3 bucket are changed in a way that reduces the security of the bucket or its objects after Macie is enabled.
Example: Policy:IAMUser/S3BlockPublicAccessDisabled
Sensitive data findings: generated when Macie discovers sensitive data in S3 objects you configure it to analyze
Example: SensitiveData:S3Object/Credentials
Amazon Inspector (these cards describe Inspector Classic)
Scans EC2 instances and the instance OS
Finds vulnerabilities and deviations from best practice
What determines what is checked by Amazon Inspector?
Rules packages determine what is checked
Network assessment (agentless)
Checks exposure of instances from public networks and whether the OS is listening on the reachable ports
An agent can provide additional OS visibility
Checks reachability end to end across EC2, ALB, DX, ELB, ENIs, IGWs, NACLs, route tables, SGs, subnets, VPCs, VGWs and VPC peering
Finding types: RecognizedPortWithListener, RecognizedPortNoListener, RecognizedPortNoAgent, UnrecognizedPortWithListener
Amazon Inspector assessments
Network assessment (agentless): Network Reachability rules package
Network and host assessment (agent), rules packages include:
Common Vulnerabilities and Exposures (CVE)
Center for Internet Security (CIS) benchmarks
Security best practices for Amazon Inspector
Amazon GuardDuty
Continuous security monitoring service that analyzes supported data sources (e.g. CloudTrail, VPC Flow Logs, DNS logs) using anomaly detection, ML and threat intelligence feeds
Identifies unexpected and unauthorized activity, then notifies or triggers event-driven protection/remediation (findings are published to EventBridge)
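Both the AWS Config card (changes generate near-real-time events via EventBridge and Lambda) and the GuardDuty card (notify or start event-driven remediation) come down to the same mechanism: an EventBridge rule pattern selects events and a Lambda handler acts on them. The block below is an added example, not AWS code: it writes the two rule patterns as you would in EventBridge, implements a small subset of EventBridge's matching semantics (exact values, `prefix`, `numeric`) so it runs offline, and routes two constructed sample events (made-up bucket name and instance id) to handlers that return the remediation they would perform; the boto3 calls a real handler would make are left out.

```python
import operator

# EventBridge rule patterns, as you would put them in a rule. Leaf values are
# lists of allowed values; "numeric" is EventBridge's comparison form.
CONFIG_NONCOMPLIANT = {
    "source": ["aws.config"],
    "detail-type": ["Config Rules Compliance Change"],
    "detail": {"newEvaluationResult": {"complianceType": ["NON_COMPLIANT"]}},
}
GUARDDUTY_HIGH = {
    "source": ["aws.guardduty"],
    "detail-type": ["GuardDuty Finding"],
    "detail": {"severity": [{"numeric": [">=", 7]}]},   # High (7.0-8.9) and Critical
}

_OPS = {"<": operator.lt, "<=": operator.le, "=": operator.eq, ">=": operator.ge, ">": operator.gt}


def _value_matches(allowed, value):
    for rule in allowed:
        if isinstance(rule, dict) and "numeric" in rule:
            spec = rule["numeric"]  # e.g. [">=", 7] or [">", 0, "<=", 5]
            if isinstance(value, (int, float)) and all(
                    _OPS[op](value, bound) for op, bound in zip(spec[::2], spec[1::2])):
                return True
        elif isinstance(rule, dict) and "prefix" in rule:
            if isinstance(value, str) and value.startswith(rule["prefix"]):
                return True
        elif rule == value:
            return True
    return False


def matches(pattern, event):
    """Subset of EventBridge pattern semantics: every key in the pattern must be
    present in the event; nested dicts recurse; leaf lists are OR-ed."""
    for key, rule in pattern.items():
        if key not in event:
            return False
        if isinstance(rule, dict):
            if not isinstance(event[key], dict) or not matches(rule, event[key]):
                return False
        elif not _value_matches(rule, event[key]):
            return False
    return True


def remediate_config(event):
    """Lambda handler for a Config compliance change. Returns the action a real
    handler would perform with boto3 (API calls omitted so this runs offline)."""
    d = event["detail"]
    action = {"s3-bucket-public-read-prohibited": "s3:PutPublicAccessBlock",
              "restricted-ssh": "ec2:RevokeSecurityGroupIngress"}.get(d["configRuleName"], "notify-only")
    return {"rule": d["configRuleName"], "resource": d["resourceId"], "action": action}


def remediate_guardduty(event):
    """Lambda handler for a high-severity GuardDuty finding; isolates EC2 instances."""
    d = event["detail"]
    inst = d.get("resource", {}).get("instanceDetails", {}).get("instanceId")
    return {"finding": d["type"], "severity": d["severity"],
            "action": "isolate-instance" if inst else "notify-only", "instance": inst}


ROUTES = [(CONFIG_NONCOMPLIANT, remediate_config), (GUARDDUTY_HIGH, remediate_guardduty)]


def route(event):
    """Deliver the event to every handler whose rule pattern matches (EventBridge fan-out)."""
    return [handler(event) for pattern, handler in ROUTES if matches(pattern, event)]


# Constructed sample events, shaped like the real ones but with made-up identifiers.
CONFIG_EVENT = {
    "source": "aws.config", "detail-type": "Config Rules Compliance Change",
    "detail": {"resourceId": "example-public-bucket", "resourceType": "AWS::S3::Bucket",
               "configRuleName": "s3-bucket-public-read-prohibited",
               "newEvaluationResult": {"complianceType": "NON_COMPLIANT"}},
}
GUARDDUTY_EVENT = {
    "source": "aws.guardduty", "detail-type": "GuardDuty Finding",
    "detail": {"type": "Backdoor:EC2/C&CActivity.B!DNS", "severity": 8,
               "resource": {"resourceType": "Instance",
                            "instanceDetails": {"instanceId": "i-0123456789abcdef0"}}},
}

if __name__ == "__main__":
    for ev in (CONFIG_EVENT, GUARDDUTY_EVENT):
        print(ev["detail-type"], "->", route(ev))
```

The severity filter is the part worth getting right in practice: without it every GuardDuty finding, including low-severity informational ones, would trigger the isolation handler.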
What is the price tag for Shield Advanced?
$3,000 per month (with a one-year commitment); Shield Standard is free
How does WAF work?
Rules are added to a Web ACL and evaluated in priority order when traffic arrives; the first matching rule with a terminating action (allow/block) decides, count-only rules just record the match, and if nothing terminates the Web ACL's default action applies
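As an added example of that evaluation order (not AWS's engine or data model), the block below simulates a Web ACL with the four rule kinds from the attack-types card: a rate-based rule, a geo block, an SQLi block and an XSS rule in COUNT mode. The SQLI and XSS regexes are deliberately crude stand-ins for WAF's own match statements, the Web ACL field names are simplified, the rate count is evaluated inline rather than out of band as WAF does, and the requests and IPs are constructed.

```python
import re
from collections import defaultdict, deque

# Crude detection patterns standing in for WAF's SQLi/XSS match statements
# (the real engine uses AWS's own sensitivity-tuned inspection, not these regexes).
SQLI = re.compile(r"(?i)(\bunion\b.+\bselect\b|'\s*or\s+'?\d+'?\s*=\s*'?\d+|--|;\s*drop\b)")
XSS = re.compile(r"(?i)(<script\b|javascript:|on\w+\s*=)")


class RateTracker:
    """Per-IP request counts over a sliding 5-minute window, the span WAF's
    rate-based rules use. Real WAF evaluates the count out of band; this
    simulation does it inline for clarity."""

    def __init__(self, window_seconds=300):
        self.window = window_seconds
        self.hits = defaultdict(deque)

    def exceeded(self, ip, now, limit):
        q = self.hits[ip]
        q.append(now)
        while q and q[0] <= now - self.window:
            q.popleft()
        return len(q) > limit


def statement_matches(stmt, req, tracker):
    (kind, spec), = stmt.items()
    if kind == "RateBased":
        return tracker.exceeded(req["ip"], req["time"], spec["Limit"])
    if kind == "GeoMatch":
        return req["country"] in spec
    if kind == "SqliMatch":
        return any(SQLI.search(req.get(f, "")) for f in spec)
    if kind == "XssMatch":
        return any(XSS.search(req.get(f, "")) for f in spec)
    raise ValueError(f"unsupported statement {kind}")


def evaluate(acl, req, tracker):
    """Evaluate one request against a Web ACL the way WAF orders things:
    rules in ascending Priority; a matching BLOCK/ALLOW rule terminates
    evaluation; COUNT only records the match and continues; if no terminating
    rule matches, the Web ACL's DefaultAction applies.
    Returns (action, terminating_rule_or_None, counted_rule_names)."""
    counted = []
    for rule in sorted(acl["Rules"], key=lambda r: r["Priority"]):
        if not statement_matches(rule["Statement"], req, tracker):
            continue
        if rule["Action"] == "COUNT":
            counted.append(rule["Name"])
            continue
        return rule["Action"], rule["Name"], counted
    return acl["DefaultAction"], None, counted


# Constructed Web ACL in the spirit of the AWS JSON model (field names simplified).
WEB_ACL = {
    "Name": "flashcard-demo",
    "DefaultAction": "ALLOW",
    "Rules": [
        {"Name": "rate-limit", "Priority": 0, "Action": "BLOCK", "Statement": {"RateBased": {"Limit": 100}}},
        {"Name": "geo-block", "Priority": 1, "Action": "BLOCK", "Statement": {"GeoMatch": ["KP"]}},
        {"Name": "sqli", "Priority": 2, "Action": "BLOCK", "Statement": {"SqliMatch": ["query", "body"]}},
        {"Name": "xss-count", "Priority": 3, "Action": "COUNT", "Statement": {"XssMatch": ["query", "body"]}},
    ],
}


def simulate():
    """Run constructed requests through WEB_ACL; returns {label: (action, rule, counted)}."""
    tracker = RateTracker()
    base = {"ip": "203.0.113.10", "country": "US", "time": 0, "query": "", "body": ""}
    out = {
        "benign": evaluate(WEB_ACL, dict(base, query="q=shoes"), tracker),
        "sqli": evaluate(WEB_ACL, dict(base, query="id=1' OR '1'='1"), tracker),
        "xss": evaluate(WEB_ACL, dict(base, query="q=<script>alert(1)</script>"), tracker),
        "geo": evaluate(WEB_ACL, dict(base, country="KP"), tracker),
    }
    flooder = {"ip": "198.51.100.7", "country": "US", "query": "", "body": ""}
    for t in range(101):  # the 101st request within five minutes tips over Limit=100
        out["flood"] = evaluate(WEB_ACL, dict(flooder, time=t), tracker)
    return out


if __name__ == "__main__":
    for label, result in simulate().items():
        print(f"{label:7s} -> {result}")
```

The XSS rule in COUNT mode shows the usual rollout practice: a new rule is deployed counting first so its matches can be reviewed in the WAF logs before it is switched to BLOCK, and because COUNT never terminates, the request still falls through to the default action.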
How can CloudHSM be accessed?
Through industry-standard APIs: PKCS#11, Java Cryptography Extensions (JCE) and Microsoft CryptoNG (CNG) libraries
Can CloudHSM be integrated with other AWS resources?
No native AWS integration, e.g. no S3 SSE with CloudHSM keys directly (the exception is serving as a KMS custom key store)
What is the resiliency of CloudHSM? How can you design an HA system with CloudHSM?
A single HSM lives in one AZ; for HA, create a cluster with multiple HSMs, one in each subnet across different AZs. Keys are synchronized across the HSMs in the cluster and the client load balances between them.
Where does CloudHSM run from?
Runs inside an AWS-managed CloudHSM VPC that you have no visibility into; ENIs are injected into your VPC subnets so your instances can reach it
How does Amazon Macie work?
You set a discovery schedule that launches a discovery job, which uses a mix of custom and managed data identifiers
and generates findings; finding events can be sent to EventBridge
How does Amazon Inspector work?
Runs an assessment of configurable duration: 15 minutes, 1 hour, 8 or 12 hours, or 1 day
Produces a report of findings ordered by priority (severity)
How is Amazon Macie managed?
Centrally managed either via AWS Organizations or by one Macie account inviting other accounts
How is Amazon GuardDuty managed?
Supports multiple accounts (a master account, now called the administrator account, and member accounts)