Security, Deployment, and Ops Flashcards

1
Q

What is AWS Secrets Manager?

A

A product that manages secrets within AWS and helps you protect access to your applications, services, and IT resources.

Secrets are:

  • passwords
  • API keys
  • DB credentials

Secrets Manager can manage these and also rotate them automatically while keeping whatever product they are integrated with in sync.

2
Q

What is the main product integration for Secrets Manager?

A

RDS

3
Q

What is AWS Shield?

What are the 2 versions of Shield?

A

Protects AWS resources from DDoS attacks.

Shield Standard - comes free when using R53 or CFN

Shield Advanced:

  • same as Standard but also covers resources such as EC2, ELB, and Global Accelerator (on top of R53 and CFN)
  • includes a DDoS response team
  • includes DDoS financial insurance covering resources that are automatically spun up as a result of a DDoS attack
4
Q

What is AWS WAF?

A

Web App Firewall

Operates at the application layer (L7) and understands HTTP/HTTPS

5
Q

What is the main function within a WAF that gives permit/deny ability?

A

Web ACLs (web access control lists) – these are basically sets of rules.

When a WAF is integrated with ALB, API GW, or CF, you configure Web ACLs that are used to evaluate incoming traffic.

6
Q

Can you use WAF and Shield together?

A

Yes - this way you have filtering at L3, L4, and L7.

7
Q

What is HSM? Can it be run on premise or in the cloud?

A

A physical appliance/piece of HW which creates/manages/secures cryptographic functions (keys); very similar to KMS.

Yes - it can run on-premise or in the cloud.

8
Q

What is the big difference between HSM and KMS?

A

KMS is a shared service, i.e. while your instance is isolated, behind the scenes you’re still using the KMS service which other AWS accounts also use at the same time.

AWS has a certain level of access with KMS.

AWS has ZERO access to HSM/Cloud HSM - completely isolated and tamper-proof.

9
Q

Does AWS have any access to HSM? (Hardware Security Module)

A

No. AWS provisions the module and then has zero access to the unit once in the hands of the customer.

10
Q

What level of FIPS certification does HSM have?

A

Fully FIPS 140-2 Level 3 Overall compliant.

11
Q

REVIEW:

Key points on HSM v KMS

A
  1. HSM is a true single-tenant model
  2. Fully FIPS 140-2 Level 3 Overall compliant
  3. Uses industry-standard APIs – PKCS, JCE, CNG

Cloud HSM v KMS

  • No native integration between Cloud HSM and AWS products (such as S3) because it’s not accessed via standard AWS APIs
  • Cloud HSM can offload SSL/TLS processing from web servers; much more efficient to perform the crypto functions versus doing it on a regular EC2 instance

12
Q

WAF Provides what type of protections?

A
  • L7 attacks
  • SQL Injection
  • Cross-Site Scripting
13
Q

What is the difference between SSM Parameter Store and AWS Secrets Manager?

A

Parameter Store provides the option to store data unencrypted or to encrypt the data with a KMS key.

With Secrets Manager, the secrets are stored encrypted and there is no option to store unencrypted data. … Both services allow you to store values under a name or key.

14
Q

What is AWS Config?

A

Service which records the configuration of resources over time (configuration items) into configuration histories.

This data is stored in an S3 bucket.

15
Q

What are the 2 main jobs of AWS Config?

A
  1. Record any changes over time on resources
  2. Audit any changes for compliance based on the defined standards (integrations with EventBridge/Lambda/etc.)

16
Q

What is a Config Rule within AWS Config?

A

Evaluates resources against a defined standard to determine if they are Compliant or Non-Compliant.

Once the changes are checked against the rule, Config can send an update to another service like EventBridge to then invoke a Lambda function to take an action.

17
Q

What is Amazon Macie?

A

Automated data security and data privacy service for S3 – Discovers, monitors, and protects data stored in S3 via ML and Pattern Matching

Examples:

  • PII
  • PHI
  • Financial

18
Q

What are the 2 types of Data Identifiers in Macie?

Hint: the type of lists used by Macie to scan the S3 contents

A

Managed - predefined by AWS which is a growing list that covers all common types of sensitive data

Custom - proprietary to a customer’s business case. This could be something like Employee ID or badge number. Custom identifiers are regex-based (Regular Expressions).

19
Q

How do you tell Macie what to search and when?

What are the results from the query called?

A

Discovery Jobs

The result of a job is a “Finding” – this is what gets passed to something like EventBridge

20
Q

What are the 2 types of Findings Macie produces?

A

Policy Findings - a finding that goes against the outlined policy.

Sensitive Data Findings - a finding that pinpoints a breach in sensitive data stored in an S3 bucket.

21
Q

The main feature which Secrets Manager provides over SSM Parameter store is what?

A

Password Rotation

This service enables you to easily rotate, manage, and retrieve database credentials, API keys, and other secrets throughout their lifecycle.

22
Q

What is a Rate-Based Rule for WAF?

What can it help against?

A

A rate-based rule tracks the rate of requests for each originating IP address and triggers the rule action on IPs with rates that go over a limit. You set the limit as the number of requests per 5-minute time span. You can use this type of rule to put a temporary block on requests from an IP address that’s sending excessive requests.

This helps if you’re getting a ton of illegitimate requests from IPs that are changing.

This will also have a minimal impact on legit traffic coming from legit IPs.