Security Domain Flashcards

1
Q

I: SECURE 3-TIER APP

A

Presentation tier

S3 Bucket: Bucket ACLs (read/write, etc.), Encryption (object) – customer-managed key or Amazon default key
CloudFront: OAI (origin access identity), Geo restrictions, Custom headers, Signed URLs, Signed cookies, HTTPS and DDoS protection

Application tier

API Gateway: Resource policies, Identity pools, Client certificates, Usage plans, Throttling, Caching, API Keys
Lambda: Lambda triggers, Lambda role, Lambda security group, SSM parameter store

Data tier

Amazon RDS: DB security group, DB encryption, Private endpoint, KMS

Additional security

WAF: Layer 7 firewall

2
Q

I: STATEFUL FIREWALL

A

Stateful firewall (Security groups): any change applied to an incoming rule is automatically applied to the outgoing (return) traffic. e.g. If you allow incoming port 80, the outgoing port 80 traffic is automatically allowed. Security groups support allow rules only (by default all traffic is denied). e.g. You cannot deny a certain IP address from establishing a connection.

3
Q

I: WAF

A

WAF (layer 7) is an advanced firewall system which offers protection from threats, malware, and other application-layer attacks.

4
Q

I: IDS

A

is a system that monitors network traffic for suspicious activity and issues alerts when such activity is discovered.

FireEye
CrowdStrike
Zeek
Snort

5
Q

I: SSL/TLS HANDSHAKE

A

Client: Hello Server. I want to establish secure communication between the two of us. Here are my cipher suites and compatible SSL/TLS version.

Server: Hello Client. I have checked your cipher suites and SSL/TLS version. I think we’re good to go ahead. Here are my certificate file and my public key.

Client: Let me verify your certificate. Okay, it seems fine, but I need to verify your private key. What I’ll do is generate a pre-master key (shared secret key) and encrypt it using your public key. Decrypt it using your private key, and we’ll use this master key to encrypt and decrypt the information.

Server: Done. Now that both parties know who they’re talking to, the information transferred between them will be secured using the master key. Keep in mind that once the verification part is over, encryption takes place through the master key only. This is symmetric encryption.

Client: I’m sending you this sample message to verify that our master key works. Send me the decrypted version of this message. If it works, our data is in safe hands.

Server: Yeah, it works. I think we’ve accomplished what we were looking for.

6
Q

I: HTTP

A

used for transferring data over a network. Most information that is sent over the Internet, including website content and API calls, uses the HTTP protocol. There are two main kinds of HTTP messages: requests and responses.

7
Q

I: TLS/SSL PROCESS

A

is public key encryption: there are two keys, a public key and a private key, and the public key is shared with client devices via the server’s SSL certificate. When a client opens a connection with a server, the two devices use the public and private key to agree on new keys, called session keys, to encrypt further communications between them.

All HTTP requests and responses are then encrypted with these session keys, so that anyone who intercepts communications can only see a random string of characters, not the plaintext.

8
Q

I: TLS TERMINATION

A

SSL should terminate at the load balancer because it offers a centralized place to address SSL attacks such as CRIME or BEAST. If SSL is terminated at a variety of web servers running on different OSes, you’re more likely to run into problems due to the additional complexity. Keep it simple, and you’ll have fewer problems in the long run.

9
Q

I: HASHING

A

Meant to verify that a file or piece of data hasn’t been altered, in other words, a checksum.

MD4
MD5
SHA
RIPEMD
WHIRLPOOL
TIGER
10
Q

I: AT REST

A

Data at rest is not traveling within the system or network, and it is not being acted upon by any application or third party. It is something that has reached a destination, at least temporarily.

11
Q

I: CERTIFICATES PROCESS

A

Your web browser downloads the web server’s certificate, which contains the public key of the web server. It uses this public key to verify that the web server’s certificate was indeed signed by the trusted certificate authority. The certificate contains the domain name and/or IP address of the web server.

12
Q

I: PKI

A

is a set of processes, policies, and technology for associating cryptographic keys with the entity to whom those keys were issued.

PKI is made of several elements which are:

Certification Authority (CA)
Registration Authority (RA)
Certificate Revocation List (CRL)
Certification Practice Statement (CPS)
Transport Layer Security (TLS)
13
Q

I: SECURE LOGINS

A

Secure digital certificates

Encryption standards

Zero-interaction authentication (ZIA)

Fingerprint readers

Account key feature

Trust score system

Persona-based authentication

Advanced biometrics

14
Q

I: SYMMETRIC ENCRYPTION

A

is a type of encryption where only one key (a secret key) is used to both encrypt and decrypt electronic information.

RC4
AES
DES
3DES
QUAD
Blowfish, etc.
15
Q

I: CUSTOMER KEYS

A

Customer master keys (CMKs): You can use a CMK to encrypt and decrypt up to 4 KB (4096 bytes) of data. Typically, you use CMKs to generate, encrypt, and decrypt the data keys that you use outside of AWS KMS to encrypt your data. This strategy is known as envelope encryption. AWS KMS stores the keys.

16
Q

I: MFA

A

is a simple best practice that adds an extra layer of protection on top of your username and password. With MFA enabled, when a user signs into an AWS Management Console, they will be prompted for their username and password (the first factor—what they know), as well as for an authentication code from their AWS MFA device (the second factor—what they have). Taken together, these multiple factors provide increased security for your AWS account settings and resources.

17
Q

I: DOS (denial of service)

A

is an attack where a computer (or computers) is used to flood a server with TCP and UDP packets so that it can no longer serve legitimate requests.

18
Q

I: ANTIVIRUS

A

Anti-virus software is designed to detect, neutralize or eradicate malware (malicious software). AV software not only identifies and destroys computer viruses, but is also designed to fight off other kinds of threats such as phishing attacks, worms, Trojan horses, rootkits and more.

  • Norton
  • AVG
  • Avast
  • McAfee
  • Kaspersky
  • TrendMicro
19
Q

I: IAM Roles

A

An IAM Role is an IAM identity that you can create in your account that has specific permissions.

Instead of being uniquely associated with one person, a role is intended to be assumable by anyone who needs it.

When you assume a role, it provides you with temporary security credentials for your role session.

20
Q

I: AUTHENTICATION

A

Authentication is the process of verifying a user’s identity. Most commonly, users authenticate with a username (which identifies the user) and a password (which confirms the user is who he claims).

21
Q

I: SSO

A

SSO allows a user to access multiple applications using a single set of credentials. Typically, employees sign on to multiple business applications to do their jobs, such as messaging and email accounts, HR functions, intranet sites, financial records, etc. With SSO, they can access all of the resources they need with one set of login credentials, eliminating the need to remember or enter a unique password for each account.

22
Q

I: FEDERATED SSO

A

refers to the establishment of a trusted relationship between separate organizations and third parties, such as application vendors or partners, allowing them to share identities and authenticate users across domains.

FIM is achieved through the use of standard protocols like SAML, OAuth, OpenID Connect and SCIM.

23
Q

I: DevSecOps

A

integrates application and infrastructure security seamlessly into Agile and DevOps processes and tools. It addresses security issues as they emerge, when they’re easier, faster, and less expensive to fix and before they are put into production.

24
Q

I: STATELESS FIREWALL

A

Stateless firewalls (Network ACLs): any change applied to an incoming rule is not applied to the outgoing rule. e.g. If you allow incoming port 80, you would also need to add a rule for the outgoing traffic. Network ACLs support both allow and deny rules. With deny rules, you can explicitly deny a certain IP address from establishing a connection.

25
Q

I: FIREWALL

A

A firewall (layer 3/4) controls access and monitors the web traffic across the network. It also authorizes outbound sessions.

26
Q

I: IPS

A

An intrusion prevention system (IPS) is like an intrusion detection system but differs in that an IPS can be configured to block potential threats.

Monitor, log and report activities
Also be configured to stop threats without the involvement of a system administrator

27
Q

I: HTTPS

A

The S in HTTPS stands for “secure.” HTTPS uses TLS (or SSL) to encrypt HTTP requests and responses, so instead of the plaintext, an attacker intercepting the traffic would see a bunch of seemingly random characters.

28
Q

I: ENCRYPTION

A

is the practice of scrambling information in a way that only someone with a corresponding key can unscramble and read it.

29
Q

I: IN-TRANSIT

A

is data transmission going on between the server and the client.

30
Q

I: COMPROMISED LOGINS

A

Credential stuffing, phishing, password spraying, brute force, local discovery, extortion.

31
Q

I: ASYMMETRIC ENCRYPTION

A

encrypts and decrypts the data using two separate yet mathematically connected cryptographic keys. These keys are known as a ‘Public Key’ and a ‘Private Key.’ Together, they’re called a ‘Public and Private Key Pair.’

Diffie-Hellman
RSA

32
Q

I: DDOS (dynamic denial of service)

A

is where multiple systems target a single system with a DoS attack. The targeted network is then bombarded with packets from multiple locations.

33
Q

I: AUTHORIZATION

A

is the process of granting users access to specific resources after they have been authenticated.

34
Q

I: SECURITY GROUPS

A

Security Groups are associated with EC2 instances and provide security at the protocol and port access level. Each security group — working much the same way as a firewall — contains a set of rules that filter traffic coming into and out of an EC2 instance.

35
Q

I: NACLs/ACLs

A

A network ACL (NACL) is an optional layer of security for your VPC that acts as a firewall for controlling traffic in and out of one or more subnets. You might set up network ACLs with rules similar to your security groups in order to add an additional layer of security to your VPC.

36
Q

I: TLS AUTHENTICATION

A

ensures that traffic is both secure and trusted in both directions between a client and server. It allows requests that do not log in with an identity provider to demonstrate that they can reach a given resource.

37
Q

I: FEDERATION

A

is the trust relationship that exists between organizations; it is concerned with where the user’s credentials are actually stored and how trusted third parties can authenticate against those credentials without actually seeing them.