Security in the Cloud Flashcards
A Distributed Denial of Service is an attack that attempts to make your website ______ to your end-users
A Distributed Denial of Service is an attack that attempts to make your website unavailable to your end-users
What are the three most common DDOS attacks, and at which layer do they operate?
SYN flood & NTP Amplification attack: Layer 4
GET/POST requests: Layer 7
What are CloudTrail’s three main benefits?
Near real-time _________ _________
_________ & _________ compliance
After-the-fact incident _________
What are CloudTrail’s three main benefits?
Near real-time intrusion detection
Industry & regulatory compliance
After-the-fact incident investigation
CloudTrail logs all ___ _____ made to your AWS account and stores these logs in ___
CloudTrail logs all API calls made to your AWS account and stores these logs in S3
What are the differences in cost between AWS Shield and AWS Shield Advanced?
AWS Shield: Free
AWS Shield Advanced: $3k a month & 1 yr commitment
What does AWS Shield Advanced offer that AWS Shield does not?
What does AWS Shield Advanced offer that AWS Shield does not?
A dedicated 24/7 DDOS response team
AWS WAF has three different behaviors:
- *______** all requests except the ones you specify
- *______** all requests except the ones you specify
- *_____** the requests that match the properties you specify
AWS WAF has three different behaviors:
Allow all requests except the ones you specify
- *Block** all requests except the ones you specify
- *Count** the requests that match the properties you specify
AWS WAF operates at which Layer, and which three attacks can it block?
Layer __
- *____** attacks
- *___** injection
- *_____-____** Scripting
AWS WAF
Layer 7
- *DDOS** attacks
- *SQL** injection
- *Cross-Site** Scripting
Which service allows you to block specific countries or IP addresses?
Which service allows you to block specific countries or IP addresses?
AWS WAF
How does AWS Guard Duty determine what normal behavior is in your account?
It uses __ to learn what normal behavior is in your account and alerts you of any ________ or _______ behavior.
AWS Guard Duty
It uses AI to learn what normal behavior is in your account and alerts you of any abnormal or malicious behavior.
AWS Guard Duty updates a database of known malicious domains using ______ ____ from _____ _______
AWS Guard Duty updates a database of known malicious domains using external feeds from third-parties.
What does logs does Guard Duty monitor? (3)
What does Guard Duty monitor?
Cloud Trail Logs, VPC Flow Logs, and DNS Logs
AWS Macie uses AI to analyze data in __ to help _______ and ______ the leak of data from which three pieces of information? (3)
AWS Macie uses AI to analyze data in S3 to help identify and prevent the leak of data from which three pieces of information?
- *PII Personal Identifiable Information**
PHI Personal Health Information
Financial Data
Macie alerts can be sent to Amazon _____________ and integrated with your _______ ____________ system
Macie alerts can be sent to Amazon Eventbridge and integrated with your event management system
AWS Inspector is used to run vulnerability scans on ___ _________ and _____
AWS Inspector is used to run vulnerability scans on both EC2 instances and VPCs
What are the two AWS Inspector scans called?
What are the two AWS Inspector scans called?
Host Assessment
Network Assessment
AWS Key Management Service is a managed service that makes it easy for you to _____ and ______ the encryption keys used to _______ your data
AWS Key Management Service is a managed service that makes it easy for you to create and control the encryption keys used to encrypt your data
You initiate KMS services by requesting the creation of a _______ ______ Key
You initiate KMS services by requesting the creation of a Customer Master Key (CMK)
The first way to generate a CMK is if AWS creates the CMK for you by generating the CMK within a _________ ________ module
The first way is AWS created the CMK for you by generating the CMK within a Hardware Security Modules
The second way to generate a CMK by importing your own ____ __________ Infrastructure and _____________ it with a CMK
The second way to generate a CMK is by importing your own Key Management Infrastructure and associating it with a CMK
The third way to generate a CMK is to have the key material generated and used in an AWS ________ cluster as part of the custom key store feature in AWS ___
The third way to generate a CMK is to have the key material generated and used in an AWS CloudHSM cluster as part of the custom key store feature in AWS KMS
What are the three ways to control permissions within KMS?
The ___ Policy
- *___** policies in combination with ___ policies
- *______** in combination with ___ policies
What are the three ways to control permissions within KMS?
The Key Policy
- *IAM** policies in combination with Key policies
- *Grants** in combination with Key policies
A Key Policy allows you to ________ the full scope of _____ to the CMK via a single ________
A Key Policy allows you to control the full scope of access to the CMK via a single document
Using ____ policies in combination with ___ policies enables you to manage all the permissions for your IAM identities in IAM
Using IAM policies in combination with Key policies enables you to manage all the permissions for your IAM identities in IAM
Grants in combination with Key policies enable you to allow _____ to the CMK as well as allow users to ________ their access to others
Grants in combination with Key policies enable you to allow access to the CMK as well as allow users to delegate their access to others
Between KMS or CloudHSM, which offers automatic Key Rotation?
Between KMS or CloudHSM, which has automatic Key Rotation?
KMS: automatic key rotation
CloudHSM: no automatic key rotation
What is the difference in Tenancy Rules regarding KMS vs. CloudHSM:
KMS: ______ Tenancy
CloudHSM: ________ host to you and you have full control of ________ ________
What is the difference in Tenancy Rules regarding KMS vs. CloudHSM:
KMS: Shared Tenancy
CloudHSM: Dedicated host to you, and you have full control of underlying hardware
CloudHSM offers full control of users, ______, and _____
CloudHSM offers full control of users, groups, and keys
Secrets Manager can be used to securely store (3)
________ credentials
Passwords
___/___ Keys
Secrets Manager can be used to securely store (3)
- *Database** credentials
- *Passwords**
- *API/SSH** Keys
When enabled, Secrets Manager will _______ credentials __________. If applications and instances are not properly configured, you won’t be able to access your __________
When enabled, Secrets Manager will rotate credentials immediately. If applications and instances are not properly configured, you won’t be able to access your resources
Parameter Store and Secrets Manager offer similar services when should you use one versus the other?
If you are trying to ________ cost use _________
Parameter Store and Secrets Manager offer similar services when should you use one versus the other?
If you are trying to minimize cost use the parameter store
Secrets Manager is perfect if you need more than 10,000 __________, key ________ or the need to generate passwords using _____________
Secrets Manager is perfect if you need more than 10,000 parameters, key rotations, or need to generate passwords using CloudFormation
Presigned URLs let you _____ _______ files from your S3 bucket
Presigned URLs let you share private files from your S3 bucket
When it comes to IAM policies, if something is not explicitly allowed it is ______ _____
When it comes to IAM policies if something is not explicitly allowed it is implicitly denied
An IAM policy needs to be ________ before it can have an _____
An IAM policy needs to be attached before it can have an effect
AWS Managed Microsoft AD is the best choice if you have more than _____ users and/or need a ____ relationship setup
AWS Managed Microsoft AD is the best choice if you have more than 5000 users and/or need a trust relationship setup
AD Connector is the best choice when you want to use an existing _____ ________ with AWS Services
AD Connector is the best choice when you want to use an existing Active Directory with AWS Services
AD Connector comes in two sizes what are they, and what are the user maximum counts?
AD Connector comes in two sizes what are they, and what are the user maximum counts?
Small: designed for orgs w/up to 500 users
Large: designed for orgs w/up to 5000 users
What type of connection do you require, when using AWS Managed Microsoft AD or AD connector?
What type of connection do you require when using AWS Managed Microsoft AD or AD connector?
VPN or Direct Connect
Simple AD is the most inexpensive AD service and is the best option if you have less than ___ users and don’t need ________ AD features
Simple AD is the most inexpensive AD service and is the best option if you have less than 500 users and don’t need advanced AD features
Simple AD features
Manage users, groups, and _______
_______-based SSO
Supports joining _____ or ________-based EC2 instances
Simple AD features
Manage users, groups, and policies
Kerberos-based SSO
Supports joining Linux or Windows-based EC2 instances
Rules contain a statement that defines the __________ ______, and an ______ to take if a web request meets the ______
Rules contain a statement that defines the inspection criteria, and an action to take if a web request meets the criteria
What type of encryption does KMS support (2)
Symmetric and Asymmetric encryption
Customer Master Key (CMK) contains the ___ _______ used to ______ and ______ data
Customer Master Key (CMK) contains the key material used to encrypt and decrypt data
What is the data size limit that CMK can encrypt?
CMK can encrypt up to 4KB in size
What type of key would you use if you wanted to encrypt a large amount of data?
Data encryption key
CloudHSM is a cloud-based _________ _________ module
CloudHSM is a cloud-based hardware security module
With CloudHSM you ________ and use your own ________ ___
With CloudHSM you generate and use your own encryption key
With CloudHSM you retain _______ of your encryption keys. AWS has no ________ of your encryption keys
With CloudHSM you retain control of your encryption keys. AWS has no visibility of your encryption keys
What services does AWS Certificate Manager integrate with (5)
Elastic ____ _________
Elastic _________
Cloud_________
Cloud_____
____ Enclaves
Elastic Load Balancing
Elastic Beanstalk
CloudFormation
Cloudfront
Nitro Enclaves
A ___ ______ tells AWS WAF what to do with a web request when it matches the ______ defined in the ____
A rule action tells AWS WAF what to do with a web request when it matches the criteria defined in the rule
AWS KMS allows you to control Key usage across AWS _______ and __________
AWS KMS allows you to control Key usage across AWS services and applications
Parameter Store provides secure hierarchical storage for configuration ____ and _______
Parameter Store provides secure hierarchical storage for configuration data and secrets
What type of data does Parameter Store maintain as values?
_________
_________ strings
________ Codes
What type of data does Parameter Store maintain as values?
Passwords
Database strings
License Codes
Parameter Store can store values in two forms, what are they?
Parameter Store can store values in two forms; what are they?
Plaintext (unencrypted)
Ciphertext (encrypted)
Secrets Manager rotates secrets safely without the need for ____ __________
Secrets Manager rotates secrets safely without the need for code deployments
Secrets Manager offers an automatic rotation of credentials (built-in) for which three AWS Services?
Amazon ___
Amazon ________
Amazon __________
Secrets Manager offers an automatic rotation of credentials (built-in) for:
Amazon RDS
Amazon Redshift
Amazon DocumentDB
AWS WAF lets you create rules to filter web traffic based on conditions like __ _________, ____ headers, and _____
AWS WAF lets you create rules to filter web traffic based on conditions like IP address, HTTP headers, and URL’s
AWS Shield supports _____ mitigation & protection against Layer _____ & ____ attacks.
AWS Shield supports DDOS mitigation & protection against Layer three & four attacks.
AWS KMS key can do what 3 things to data keys?
AWS KMS key can be use to generate, encrypt and decrypt data keys
What is the Automatic rotational period for AWS & Customer managed KMS keys?
Automatic Rotation Cycles
Customer Managed KMS key: 365 days
AWS Managed KMS key: 1095 days/ 3yrs
To share snapshots with another account, you must specify which two permissions.
To share snapshots with another account you must specify Decrypt and CreateGrant permissions
The kms:ViaService condition key can be used to limit what ?
The kms:ViaService condition key can be used to limit key usage to specific AWS services
What is the API action removes key material?
You must use the DeletelmportedKeyMaterial API to remove the key material
An Amazon Cognito User Pool is a directory for managing _________ & _____________ for mobile applications
An Amazon Cognito User Pool is a directory for managing sign-in and sign-up for mobile applications
Cognito Identity pools are used to obtain ____________ and _________ ______________ for AWS services
Cognito Identity pools are used to obtain temporary, & limited-privilege credentials for AWS services
What two locations can Cognito Identities come from?
Identities can come from a Cognito user pool
Identities can also come from social Identity providers (IdPs)
