Security, Deployment, and Ops Flashcards
What is AWS Secrets Manager?
Service that stores and manages secrets inside AWS and helps you protect access to your applications, services, and IT resources.
Secrets are:
- passwords
- API keys
- DB credentials
Secrets Manager stores these encrypted and can also rotate them automatically, keeping the integrated product (e.g., the RDS database password) in sync with the new value.
What is the main product integration for Secrets Manager?
RDS (native rotation is also available for Redshift and DocumentDB credentials).
What is AWS Shield?
What are the 2 versions of Shield?
Protects AWS resources from DDoS attacks (volumetric and protocol floods at L3/L4).
Shield Standard - free and enabled automatically for every AWS account; covers edge resources such as Route 53 and CloudFront (CF)
Shield Advanced:
- same as Standard but also covers resources like EC2 (Elastic IPs), ELB, and Global Accelerator (on top of Route 53 and CloudFront)
- includes 24x7 access to the AWS DDoS Response Team (now called the Shield Response Team)
- includes cost protection: credits for scaling charges (EC2, ELB, CloudFront, Route 53) incurred because resources scaled out in response to a DDoS attack
What is AWS WAF?
Web Application Firewall
Operates at the application layer (L7) and understands HTTP/HTTPS
What is the main function within a WAF that gives permit/deny ability?
Web ACLs – a web ACL is a container of rules plus a default action (allow or block). Each rule's statement matches request attributes (source IP, geo, headers, URI, body, request rate) and returns allow, block, or count.
When WAF is associated with an ALB, API Gateway, or CloudFront distribution, the web ACL is evaluated against every incoming request before it reaches your application.
Can you use WAF and Shield together?
Yes - Shield handles L3/L4 (network/transport) floods while WAF filters L7, so together you have filtering at L3, L4, and L7. Shield Advanced can also deploy WAF rate-limiting rules automatically for application-layer mitigation.
What is an HSM? Can it be run on-premises or in the cloud?
Yes - both on-premises or in the cloud (AWS CloudHSM).
A physical, tamper-resistant hardware appliance that generates, stores, and uses cryptographic keys so the key material never leaves the device; similar in purpose to KMS.
What is the big difference between HSM and KMS?
KMS is a shared, multi-tenant service, i.e., your keys are logically isolated, but behind the scenes the same KMS fleet serves other AWS accounts at the same time.
AWS operates KMS and its software can use your keys on your behalf (within whatever your IAM and key policies allow).
With CloudHSM the cluster is single-tenant: AWS provisions and maintains the hardware but has no access to the keys inside; the modules are tamper-evident and tamper-resistant.
Does AWS have any access to HSM? (Hardware Security Module)
No. AWS provisions and patches the module but has no access to the keys or crypto users once the customer initializes the cluster.
What level of FIPS certification is HSM?
FIPS 140-2 Level 3 validated (overall).
REVIEW:
Key points on HSM v KMS
- HSM is a true single-tenant model
- FIPS 140-2 Level 3 validated (overall)
- Uses industry-standard crypto APIs – PKCS#11, JCE (Java), CNG/KSP (Windows)
Cloud HSM v KMS
• No native integration between CloudHSM and AWS products (such as S3) because it is accessed via the standard crypto APIs above, not via AWS APIs. The one bridge is a KMS custom key store, which backs KMS keys with your own CloudHSM cluster.
• CloudHSM can offload SSL/TLS processing from web servers: the private key stays in the HSM and the crypto operations run on dedicated hardware rather than on a regular EC2 instance.
WAF Provides what type of protections?
- Application-layer (L7) attacks, such as HTTP floods and bad bots
- SQL Injection
- Cross-Site Scripting
What is the difference between SSM Parameter Store and AWS Secrets Manager?
Parameter Store can store data unencrypted (String/StringList) or encrypted as a SecureString with a KMS key.
With Secrets Manager, secrets are always stored encrypted with KMS; there is no option to store unencrypted data.
Both services allow you to store values under a name or key.
What is AWS Config?
Service which records the configuration of resources over time (configuration items) into configuration histories.
This data is stored in an S3 bucket.
What are the 2 main jobs of AWS Config?
- Record any changes over time on resources
- Audit those changes for compliance against defined standards (with integrations into EventBridge/Lambda/etc.)
What is a Config Rule within AWS Config?
Evaluates resources against a defined standard to determine if they are Compliant or Non-Compliant.
Once a change is evaluated against the rule, Config emits a compliance-change event to EventBridge, which can invoke a Lambda function (or an SSM Automation remediation) to take action.
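A custom Config rule is a Lambda that receives the configuration item and reports COMPLIANT or NON_COMPLIANT back via put_evaluations. The following is an added example (not code from the original flashcards) of such a rule that flags security groups allowing SSH from anywhere; the event shape follows the AWS Config custom-rule contract, and the sample event at the bottom is constructed for illustration.

```python
"""Custom AWS Config rule: NON_COMPLIANT if a security group allows TCP/22 from the world.

Added example, not from the original page. The invocation event and evaluation record
follow the AWS Config custom-rule contract; SAMPLE_EVENT is constructed test data.
"""
import json

COMPLIANT = "COMPLIANT"
NON_COMPLIANT = "NON_COMPLIANT"
NOT_APPLICABLE = "NOT_APPLICABLE"
WORLD = {"0.0.0.0/0", "::/0"}


def _opens_ssh_to_world(permission):
    """True if one ipPermissions entry allows TCP/22 from 0.0.0.0/0 or ::/0."""
    proto = permission.get("ipProtocol")
    if proto not in ("tcp", "-1"):  # "-1" means all protocols
        return False
    from_port, to_port = permission.get("fromPort"), permission.get("toPort")
    covers_22 = proto == "-1" or (
        from_port is not None and to_port is not None and from_port <= 22 <= to_port
    )
    if not covers_22:
        return False
    cidrs = [r.get("cidrIp") for r in permission.get("ipRanges", [])]
    cidrs += [r.get("cidrIpv6") for r in permission.get("ipv6Ranges", [])]
    return any(c in WORLD for c in cidrs)


def evaluate_compliance(configuration_item):
    """Pure evaluation: return (compliance_type, annotation) for one configuration item."""
    if configuration_item.get("resourceType") != "AWS::EC2::SecurityGroup":
        return NOT_APPLICABLE, "Rule only evaluates security groups"
    if configuration_item.get("configurationItemStatus") == "ResourceDeleted":
        return NOT_APPLICABLE, "Resource was deleted"
    config = configuration_item.get("configuration", {})
    if any(_opens_ssh_to_world(p) for p in config.get("ipPermissions", [])):
        return NON_COMPLIANT, "Inbound TCP/22 is open to 0.0.0.0/0 or ::/0"
    return COMPLIANT, "No world-open SSH ingress"


def build_evaluation(event):
    """Turn the Config invocation event into the record that put_evaluations expects."""
    item = json.loads(event["invokingEvent"])["configurationItem"]
    compliance, note = evaluate_compliance(item)
    return {
        "ComplianceResourceType": item["resourceType"],
        "ComplianceResourceId": item["resourceId"],
        "ComplianceType": compliance,
        "Annotation": note,
        "OrderingTimestamp": item["configurationItemCaptureTime"],
    }


def lambda_handler(event, context):
    """Lambda entry point: evaluate the item and report the result back to AWS Config."""
    import boto3  # lazy import so the evaluation logic above runs without the AWS SDK

    evaluation = build_evaluation(event)
    boto3.client("config").put_evaluations(
        Evaluations=[evaluation], ResultToken=event["resultToken"]
    )
    return evaluation["ComplianceType"]


# Constructed sample invocation (configuration-change notification), not real account data.
SAMPLE_EVENT = {
    "resultToken": "example-token",
    "invokingEvent": json.dumps({
        "messageType": "ConfigurationItemChangeNotification",
        "configurationItem": {
            "resourceType": "AWS::EC2::SecurityGroup",
            "resourceId": "sg-0123456789abcdef0",
            "configurationItemStatus": "OK",
            "configurationItemCaptureTime": "2024-01-01T00:00:00.000Z",
            "configuration": {
                "ipPermissions": [
                    {"ipProtocol": "tcp", "fromPort": 22, "toPort": 22,
                     "ipRanges": [{"cidrIp": "0.0.0.0/0"}], "ipv6Ranges": []}
                ]
            },
        },
    }),
}

if __name__ == "__main__":
    print(build_evaluation(SAMPLE_EVENT))
```

Keeping the decision in evaluate_compliance (pure, no SDK) makes the rule unit-testable; only lambda_handler touches boto3.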
What is Amazon Macie?
Automated data security and data privacy service for S3 – Discovers, monitors, and protects data stored in S3 via ML and Pattern Matching
Examples:
PII
PHI
Financial
What are the 2 types of Data Identifiers in Macie?
Hint: the type of lists used by Macie to scan the S3 contents
Managed - predefined by AWS; a growing list covering common types of sensitive data (PII, PHI, credentials, financial data).
Custom - defined by the customer for their own business case, e.g., an employee ID or badge number format. Custom identifiers are regex-based (regular expressions), optionally combined with keywords that must appear near the match, a maximum match distance, and ignore words.
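To make the custom identifier model concrete, here is an added example (not from the original flashcards and not Macie's engine) that evaluates a regex-plus-keywords identifier the way a Macie custom data identifier is defined: a regex, keywords that must appear within the maximum match distance before the match, and ignore words that suppress a match. The EmployeeID identifier and the S3 object text are constructed.

```python
"""Simplified evaluator for a Macie-style custom data identifier.

Added example, not Macie's own code. Mirrors the definition model (regex, keywords,
maximum match distance, ignore words); the identifier and sample text are constructed.
"""
import re
from dataclasses import dataclass, field


@dataclass
class CustomIdentifier:
    name: str
    regex: str
    keywords: list = field(default_factory=list)
    maximum_match_distance: int = 50   # Macie's default distance, in characters
    ignore_words: list = field(default_factory=list)


def find_sensitive_data(identifier, text):
    """Return regex matches that pass the keyword-proximity and ignore-word rules."""
    pattern = re.compile(identifier.regex)
    lowered = text.lower()
    findings = []
    for m in pattern.finditer(text):
        value = m.group(0)
        # Ignore words: any match containing one is dropped (e.g., placeholders, test data).
        if any(w.lower() in value.lower() for w in identifier.ignore_words):
            continue
        # Keywords: if defined, one must occur within maximum_match_distance before the match.
        if identifier.keywords:
            start = max(0, m.start() - identifier.maximum_match_distance)
            window = lowered[start:m.start()]
            if not any(k.lower() in window for k in identifier.keywords):
                continue
        findings.append({"identifier": identifier.name, "value": value, "offset": m.start()})
    return findings


# Constructed identifier: employee IDs look like EMP-12345; EMP-00000 is a known placeholder.
EMPLOYEE_ID = CustomIdentifier(
    name="EmployeeID",
    regex=r"\bEMP-\d{5}\b",
    keywords=["employee id", "emp id", "badge"],
    maximum_match_distance=30,
    ignore_words=["EMP-00000"],
)

# Constructed S3 object contents used as sample input.
SAMPLE_OBJECT = (
    "Employee ID: EMP-12345 joined in March. Badge EMP-23456 issued.\n"
    "Placeholder EMP-00000 is ignored. Order EMP-34567 has no keyword nearby."
)


def scan_sample():
    """Run the identifier over the sample object and return the matched values."""
    return [f["value"] for f in find_sensitive_data(EMPLOYEE_ID, SAMPLE_OBJECT)]


if __name__ == "__main__":
    print(scan_sample())
```

The last ID in the sample is a valid-looking EMP number with no keyword within 30 characters, which is exactly the false positive the keyword/distance settings exist to suppress.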
How do you tell Macie what to search and when?
What are the results from the query called?
Sensitive data discovery jobs – you choose which buckets to scan, the scope (object filters, sampling depth), and whether the job runs once or on a schedule.
The result of a job is a “Finding” – this is what gets passed to something like EventBridge
What are the 2 types of Findings Macie produces?
Policy Findings - a bucket whose policy or settings weaken its security, e.g., public access enabled, default encryption turned off, or the bucket shared outside the account.
Sensitive Data Findings - sensitive data discovered in an S3 object by a discovery job, reported with the managed or custom identifier that matched and its location in the object.
The main feature which Secrets Manager provides over SSM Parameter store is what?
Automatic secret rotation (e.g., RDS database passwords)
This service enables you to easily rotate, manage, and retrieve database credentials, API keys, and other secrets throughout their lifecycle.
What is a Rate-Based Rule for WAF?
What can it help against?
A rate-based rule tracks the rate of requests for each originating IP address and triggers the rule action on IPs with rates that go over a limit. You set the limit as the number of requests per 5-minute time span. You can use this type of rule to put a temporary block on requests from an IP address that’s sending excessive requests.
This helps if you are getting a flood of illegitimate requests from IPs that keep changing, since each new IP is limited independently.
It also has minimal impact on legitimate traffic, because a normal client rarely exceeds the limit within a 5-minute span.
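To show both the rule definition and the behaviour described above, here is an added example (not from the original flashcards) that builds a rate-based rule entry in the shape the WAFv2 CreateWebACL/UpdateWebACL "Rules" field accepts, and then simulates its per-IP 5-minute window over constructed access-log lines. The evaluation loop is a simplified model: real WAF re-evaluates its per-IP counts periodically rather than on every request.

```python
"""WAF rate-based rule: API-shaped definition plus a local 5-minute-window simulation.

Added example, not page code. rate_based_rule() follows the WAFv2 Rules entry shape;
simulate() is a simplified per-request model of the rule; SAMPLE_LOG is constructed.
"""
from collections import defaultdict, deque

WINDOW_SECONDS = 300  # rate-based rules count requests per 5-minute span


def rate_based_rule(name, limit, priority=0):
    """Rule entry for wafv2 create_web_acl/update_web_acl Rules=[...]."""
    return {
        "Name": name,
        "Priority": priority,
        "Statement": {"RateBasedStatement": {"Limit": limit, "AggregateKeyType": "IP"}},
        "Action": {"Block": {}},
        "VisibilityConfig": {
            "SampledRequestsEnabled": True,
            "CloudWatchMetricsEnabled": True,
            "MetricName": name,
        },
    }


def simulate(requests, limit):
    """requests: iterable of (epoch_seconds, source_ip).

    Returns {ip: {"allowed": n, "blocked": n}}, blocking a request once its source IP
    has more than `limit` requests inside the trailing WINDOW_SECONDS.
    """
    recent = defaultdict(deque)  # ip -> timestamps still inside the window
    stats = defaultdict(lambda: {"allowed": 0, "blocked": 0})
    for ts, ip in sorted(requests):
        q = recent[ip]
        while q and ts - q[0] >= WINDOW_SECONDS:
            q.popleft()
        q.append(ts)
        stats[ip]["blocked" if len(q) > limit else "allowed"] += 1
    return dict(stats)


def parse_log(lines):
    """Parse constructed '<epoch> <ip> <path>' lines into (ts, ip) tuples."""
    out = []
    for line in lines:
        ts, ip, _path = line.split()
        out.append((int(ts), ip))
    return out


# Constructed traffic: a scraper firing 600 requests in two minutes (5/s) from 203.0.113.7,
# and one legitimate client at 198.51.100.2 making a request every 10 seconds.
SAMPLE_LOG = [f"{1700000000 + i // 5} 203.0.113.7 /search?q={i}" for i in range(600)]
SAMPLE_LOG += [f"{1700000000 + i * 10} 198.51.100.2 /index.html" for i in range(30)]


def demo(limit=100):
    """Apply a limit of 100 requests per 5 minutes to the constructed log."""
    return simulate(parse_log(SAMPLE_LOG), limit)


if __name__ == "__main__":
    print(rate_based_rule("rate-limit-per-ip", 100))
    print(demo())
```

The scraper gets its first 100 requests through and the remaining 500 blocked, while the legitimate client (30 requests in the same window) is never touched, which is the "minimal impact on legit traffic" property the card describes.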