Tech Fundamentals Flashcards

1
Q

YAML (YAML ain’t markup language)

A

It’s a language for defining data or configuration, designed to be human readable.

  • Is one of the languages which CloudFormation uses for its templates

A YAML document is an unordered collection of key-value pairs separated by a colon; each key has a value.

key: value, for example cat1: roffle (keys and values are strings)

YAML also supports numbers (1 or 2…), floating point (1.337), booleans (true or false), and null

2
Q

YAML Introduction - List

A

YAML supports other types, one of which is lists, also known as arrays.

A list is an ordered set of values, and in YAML we can represent a list by having a key, in this case "adrianscats", and then as a value we might have something that looks like this:

adrianscats: ["roffle", "truffles", "penny", "winkie"] = a comma-separated set of values inside square brackets (this is known as inline format, where the list is placed where you expect the value to be, after the key and the colon)

Also can be represented like this:

adrianscats:
  - "roffle"
  - "truffles"
  - "penny"
  - "winkie"

Indentation matters in YAML: it shows that "roffle", "truffles", "penny" and "winkie" are part of the value for adrianscats.

The "-" means each item is a member of a list; same indentation = same list.

3
Q

YAML Introduction - Structure

A

A dictionary is just a data structure: a collection of one or more key-value pairs, which are unordered.

adrianscats:
  - name: roffle
    color: [black, white]
  - name: truffles
    color: "mixed"
    numbereyes: 1

Using YAML key:value pairs, lists and dictionaries allows you to build complex data structures in a way which is human readable.

4
Q

JavaScript Object Notation (JSON)

A

JSON is a lightweight data-interchange format. It’s easy for humans to read and write, and easy for machines to parse and generate.

It is an alternative format; in AWS it is used for CloudFormation and for other things such as policy documents, which are used within AWS for permissions.

JSON doesn’t care about indentation because everything is enclosed in braces or brackets.

5
Q

There are two main elements that you need to understand if you want to be competent with JSON:

A
  • Object = Unordered set of key:value pairs enclosed by { & }:
    {"roffle": "cat", "sparky": "dog"}

YAML dictionary = JSON object

  • Array = Ordered collection of values, separated by commas & enclosed in [ & ]:
    ["cat", "cat", "chicken", "cat"]

YAML list = JSON array

Values = string, object, number, array, true, false, null

6
Q

Encryption Approaches

A
  • Encryption at Rest = Is designed to protect against physical theft and physical tampering (One entity involved)
  • Encryption in Transit = Aimed at protecting data while it’s being transferred between two places (Multiple individuals or systems)

Encryption does not prove identity.

7
Q

Encryption Concepts

A
  • Plaintext = Is un-encrypted data; it can be text, documents, images or an application. Plaintext is data that you can load into an application and use, or load and immediately read.
  • Algorithm = Is a piece of code or a piece of maths which takes plaintext and an encryption key and generates encrypted data. When an algorithm is being used, it needs the plaintext and a key. (AES, DES)
  • Key = Is technically a password. When an algorithm takes plaintext and the key, the output that it generates is ciphertext.
  • Ciphertext = Isn’t always text data; it is just encrypted data.

So the relationship between all these things is: encryption takes plaintext, uses an algorithm and a key, and uses those to create ciphertext.

Decryption is just the reverse: it takes ciphertext and a key, and generates plaintext.

8
Q

Symmetric & Asymmetric

A
  • Symmetric = Keys are used as part of a symmetric encryption process. The same key is used for both the encryption and decryption processes. (Great for local file encryption; not useful where the data needs to be transferred between two parties, because arranging the transit of the key is the problem.)
  • Asymmetric = The keys used in asymmetric encryption are themselves asymmetric. These are formed of two parts, a public key and a private key (in order to transfer, both sides need both keys).

A public key can be used to generate ciphertext, which can ONLY be decrypted by the private key. (Used where two or more parties are involved.)

9
Q

Signing & Steganography

A
  • Signing = Person 1 uses his private key to sign a document and then sends it to Person 2; after that, Person 2 uses Person 1’s public key to verify that the document was signed using its matching private key. (Generally used for ID verification and certain log-on systems.)
  • Steganography = The problem with encryption is that, if you use it, it’s obvious that you’ve used it. Steganography is a method of hiding something in something else, like a ciphertext in an image.
10
Q

OSI 7-Layer Model

A
  • Networking Stack = All 7 layers of the OSI model
  • Media Layers = Layers 1-3

Dealing with how data is moved between point A and point B, and these could be in the same local network or on opposite sides of the planet.

  • Host Layers = Layers 3-7

How the data is chopped up and reassembled for transport, and how it’s formatted so that it’s understandable by both sides of a network connection.

11
Q

Layer 1 - Physical

A
  • Physical shared medium
  • Standards for transmitting onto the medium (voltage levels, timing, rates, distances, modulation and connectors.)
  • Standards for receiving from the medium
  • There are no individual device addresses
  • All data is processed by all devices
  • No media access control and no collision detection

If multiple things transmit on the same layer one physical medium, then collisions occur and render all of the information useless.

12
Q

Layer 2 - Data Link

A
  • Allows multiple devices to coexist
  • Identify devices using MAC addresses for every device on a network (48 bits) (Globally unique)
  • Uses Layer 1 to perform the physical communication
  • Provides frames = are a format for sending information over a layer 2 network
  • Provides control access (sharing)
  • Collision detection = Checks for any carrier before it instructs Layer 1 to transmit (avoiding collisions), but if two devices transmit at the same time and a collision is detected, then a jam signal is sent by all of the devices which detect it and a random back-off occurs; after this the transmission is retried.
  • Unicast communication (1 to 1)
  • Broadcast communication (ALL)
  • Switches understand frames and MAC addresses. They maintain a MAC address table which starts off empty. As the switch receives frames on its ports, it learns which devices are connected and populates the MAC address table.
    -Each port on the switch has a separate collision domain

Encapsulation = process of taking some data, wrapping it in something else.

13
Q

Layer 3 - Network

A
  • Internet Protocol (IP), is a Layer-3 protocol which adds cross-network IP addressing and routing to move data between Local Area Networks without direct P2P links
  • ARP - Find the MAC address, for this IP
  • Routers move packets from SRC to DST across different networks; they remove frame encapsulation and add new frame encapsulation at every hop. (Encapsulation means that an IP packet is put inside an Ethernet frame for that part of the journey; then, when it needs to be moved into a new network, that particular frame is removed, a new one is added around the same packet and it’s moved onto the next local network.)
  • Route Tables - Multiple Routes
  • Allows communication device to device over the internet

Layer 3 - Problems

  • No ordering mechanism
  • Different packets can experience different delays
  • No method for channels of communications - packets have a source and destination IP but no method of splitting by ARP or CHANNEL
  • No flow control: if the source transmits faster than the destination can receive, it can saturate the destination, causing packet loss
14
Q

IP Addressing (v4)

A

IP addressing is what identifies a device which uses layer 3 IP networking.

They are formed by two different parts:
  • The network part, which states which IP network the IP address belongs to
  • The host part, which represents hosts on that network

  • The entire IP address is 32 bits in size, so four sets of eight bits, and each set of eight bits is known as an octet.
  • Default Gateway = An IP address on the local network which packets are forwarded to, generally if the intended destination is not a local IP address.
  • Subnet Mask = Allows a host to determine if an IP address it needs to communicate with is local or remote, which influences whether it needs to use a gateway or can communicate locally.
15
Q

Route Tables & Routes /// Address Resolution Protocol (ARP)

A
  • Route Tables & Routes

A route table is a collection of routes; each row in the table will have a destination field and next to it a next hop or target field. The router compares the packet destination IP against the route table for matching destinations. More specific prefixes are preferred (0 lowest, 32 highest).

Routing as a process is where packets are forwarded or routed hop by hop across the internet from source to destination (route tables enable this).

  • Address Resolution Protocol (ARP)

This protocol is used generally when you have a layer 3 packet and you want to encapsulate it inside a frame and then send that frame to a MAC address. ARP will give you the MAC address for a given IP address.

16
Q

Layer 4 - Transport

A
  • Transmission Control Protocol (TCP) = Is a connection-oriented protocol; you need to set up a connection between two devices and, once set up, it creates a bidirectional channel of communications.

Reliability, error correction and ordering of data. It’s used for most of the important application layer protocols, such as HTTP, HTTPS, SSH and so on.

  • User Datagram Protocol (UDP) = Is faster and less reliable because it doesn’t have the TCP overhead required for the reliable delivery of data.

Both of these run on top of IP and both of them add a collection of features depending on which one of them is used (they use IP as transit).

17
Q

TCP Segments

A

A TCP segment is just a container for data, like packets and frames before it. Segments are contained within, or encapsulated in, IP packets.

  • TCP segments add source and destination ports, and this gives the combined TCP/IP protocol the ability to have multiple streams of conversation at the same time between two devices.
  • They also have a sequence number, which is a way of uniquely identifying a particular segment within a particular connection so that both sides can make observations about it.
  • The acknowledgement field is the way that one side can indicate that it has received up to and including a certain sequence number; every segment which is transmitted needs to be acknowledged.
  • Flags are used to close the connection or to synchronise sequence numbers.
  • Window defines the number of bytes that you indicate you’re willing to receive between acknowledgements. Once reached, the sender will pause until you acknowledge that amount of data, and this is how flow control is implemented: it lets the receiver control the rate at which the sender sends data.
  • Checksum is used for error checking.

All of these fields together are known as the “TCP Header”.

18
Q

TCP 3-Way Handshake

A

Flags can be set to alter the connection. FIN can be used to close, ACK for acknowledgements, SYN to synchronise sequence numbers.

  1. Client > SYN > Server = Sends a segment with SYN set and sequence set to 'cs', the Initial Sequence Number (ISN)
  2. Server > SYN-ACK > Client = Picks a random ISN 'ss' and sends a segment with SYN & ACK set, acknowledgement set to 'cs+1'
  3. Client > ACK > Server = Sends a segment with ACK set to 'ss+1' (I’ve received 'ss', send 'ss+1') and sequence set to 'cs+1'
19
Q

Network Address Translation (NAT)

A

NAT is a process designed to address the growing shortage of IP version 4 addresses; these are either publicly routable or private addresses.

  • Translates private IPv4 addresses to public
  • Publicly routable addresses are assigned by a central agency and regional agencies, which in turn assign them to ISPs, and these ISPs allocate them to business or consumer end users (they need to be globally unique)
  • Private addresses, such as those in the 10.0.0.0 range, can be used in multiple places, but can’t be routed over the internet, and so to give internet access to private devices we need to use network address translation (NAT)
20
Q

Types of NAT

A
  • Static NAT = Translates 1 private address to 1 (fixed) public address, giving that private address access to the public internet. The router maintains a NAT table to translate. (AWS Internet Gateway) (Permanent Public IP)
  • Dynamic NAT = Translates 1 private address to the 1st available public address (you have a pool of public IP addresses to use and these are allocated as needed). This method of NAT is used when you have a large number of private addresses and want them all to have internet access via public IPs, but have fewer public IP addresses than private IP addresses. (Temporary Public IP)
  • Port Address Translation (PAT) = Allows a large number of private devices to share one public address. (AWS NAT Gateway)

The NAT device records the source (private) IP and source port. It replaces the source IP with the single public IP and a public source port allocated from a pool, which allows IP overloading (many to one).

21
Q

IPv4 Address Space

A
  • Class A = Generally used for huge networks, these were allocated to huge businesses or organizations which had an internet presence in the early days of the internet

Start 0.0.0.0 - End 127.255.255.255

  • Class B = Used for larger businesses which didn’t need a Class A allocation, these are now generally allocated to the regional authorities and they manage them and allocate them out to any organization who requests and can justify addresses in this range

Start 128.0.0.0 - End 191.255.255.255

  • Class C = Start 192.0.0.0 - End 191.255.255.255
  • Class D = Used for multicast
  • Class E = Is reserved
22
Q

Private IPv4 Address Space

A

Often used within cloud environments, and it’s generally chopped up into smaller sub networks

  • 10.0.0.0 - 10.255.255.255 (1 x Class A Network)
  • 172.16.0.0 - 172.31.255.255 (16 x Class B Network)
  • 192.168.0.0 - 192.168.255.255 (256 x Class C Network)

When possible, you should always aim to allocate non-overlapping ranges to all of your networks

23
Q

IP Subnetting

A

Subnetting is the process of breaking networks up into smaller pieces.

“The larger the prefix value, the smaller the network”

Example: 10.16.0.0/16 > split the network in 2 > 10.16.0.0/17 and 10.16.128.0/17

24
Q

Distributed Denial of Service (DDoS)

A

-Attacks designed to overload websites
-Compete against ‘legitimate connections’
-Distributed - hard to block individual IPs/ranges

Common Attacks:

-Application Layer - HTTP Flood = These take advantage of the imbalance of processing between client and server

-Protocol Attack - SYN Flood = Takes advantage of the connection-based nature of requests. SYN floods spoof a source IP address and initiate the connection attempt with a server; the server tries to perform step two of the handshake, but it can’t contact the source address because it is spoofed. (This consumes network resources.)

-Volumetric - DNS Amplification = The attacker leverages the functionality of open DNS resolvers in order to overwhelm a target server or network with an amplified amount of traffic, rendering the server and its surrounding infrastructure inaccessible.

-DDoS attacks are often orchestrated by one or a small number of people who are in control of huge botnets. Botnets are constructed from machines such as your laptop, infected with malware.

25
Q

SSL and TLS (L4)

A

SSL (Secure Sockets Layer)

TLS (Transport Layer Security) = Newer and more secure version of SSL

  • Provide privacy and data integrity between client & server
    -Ensures privacy - communications are encrypted

-Asymmetric encryption (clients can encrypt data that only the server can decrypt) and then symmetric encryption (this allows for trustless encryption, where you don’t need to arrange for the transfer of keys over a different secure medium)

-Identity verification (server, or client/server)
-Ensures a reliable connection - protects against alteration of data in transit

26
Q

When a client initiates communications with a server and TLS is used, there are three main phases to initiate secure communication:

A

“We already have a TCP connection”

  1. Cipher Suites = A cipher suite is a set of protocols used by TLS. To communicate, the client and server have to agree on a cipher suite to use.

Client HELLO (SSL/TLS version, list of supported cipher suites, session ID, extensions)
Server HELLO (SSL/TLS version, chosen cipher suite, server certificate)

At this point, the client and server have agreed how to communicate and the client has the “server certificate”. The certificate contains the server “public key”. (Asymmetric)

  2. Authentication = Ensure the server certificate is authentic, verifying the server as legitimate.

The client validates that a public trusted Certificate Authority (CA) (your OS/browser trusts this) signed that certificate. It makes sure that the certificate is valid (signed by a specific CA, in date, hasn’t been revoked) and that the DNS name matches the name on the cert.

Next, the client encrypts some random data and sends it to the server using the public key within the cert, and this makes sure that the server has the corresponding private key.

  3. Key Exchange = Move from asymmetric to symmetric keys in a secure way and begin the encryption process, because symmetric encryption is much easier to use for encrypting and decrypting data at high speeds.

The client generates the pre-master key, encrypts it with the server’s public key and sends it to the server; then the server decrypts the pre-master key using its private key. (Both sides now have the exact same pre-master key.)

Both sides use the same pre-master key to generate the master key, which is used to generate the ongoing session keys which encrypt and decrypt data. (Both sides now have the same master secret.)

27
Q

Hash Functions & Hashing

A

Hashing = Is a process where an algorithm is used to turn any piece of data into a fixed-length representation of that data. Any change, no matter how minor, will result in a different hash value.

-Hashing is 1-way; a hash will never give you the document used to create it
-Same document = SAME HASH
-Different data = Different HASH
-Used to verify downloaded data

Hash Functions = MD5, SHA2-256

Hashing Weakness - Collision = Two different pieces of data generate the same hash value (weakness of MD5)

28
Q

VLANS, Trunks & Q-in-Q

A

VLANs = Allow you to create separate L2 network segments. (Virtual Network)

-Provide traffic isolation
-Separate broadcast domains

Frame Tagging

802.1Q - Dot1q = Allows multiple VLANs to operate over the same L2 physical network. Each has a separate broadcast domain and is isolated from all others.

It changes the frame format of a standard Ethernet frame by adding a new 32-bit field (VLAN-ID). (Customer Tag)

802.1Q switches set ports as either ACCESS ports (ONE VLAN ID) or TRUNK ports.

Q-in-Q (802.1AD) = Provider bridging or stacked VLANs. This adds another space in the frame for another VLAN field (another 802.1Q) called the Service Tag; this means that the service provider can use VLANs to isolate their customer traffic, while allowing each customer to also use VLANs internally.

Q-in-Q tends to be used for larger, more complex networks, and Dot1q is used in smaller networks, as well as cloud platforms such as AWS.

Trunk = A trunk port is a connection between two Dot1q-capable devices; it carries all VIDs WITH TAGGING

29
Q

Digital Signatures

A
  • Verifies INTEGRITY (WHAT) & AUTHENTICITY (WHO)
  • A HASH of the data is taken; the original data remains unaltered (integrity)
  • This allows normal use without worrying about hashing (keys)
  • Digitally sign the HASH (using the private key); this authenticates the hash.
  • The public key can be widely distributed and trusted
  • The hash cannot be changed as nobody else has the private key
  • The document cannot be changed as this invalidates the HASH
  • Trust public key > trust private key > trust entity > trust data
  • The wider the distribution of the public key, the easier it is to spot if any copy of it has been modified
30
Q

DNS (Domain Name Service)

A

  • Is a huge database that converts DNS names into IP addresses

Why do we need lots of DNS servers?
Why not ONE server?

  • Risk problem
  • Almost everyone uses DNS globally (scaling problem)
  • There are ~341 million domains, and each domain = many records
  • Data volume problem

DNS Key Terms

  • DNS Zone = It’s like a database that has, for example, netflix.com, and that’s the zone; inside that zone are DNS records, for example www.netflix.com, as well as many others. That zone is stored in a ZoneFile
  • ZoneFile = File containing a zone
  • DNS NameServers (NS) = A DNS server which hosts 1 or more zones and stores 1 or more ZoneFiles. They answer queries that you have about the IP address of www.netflix.com
  • Authoritative = Contains real/genuine records (the boss for a particular domain). There are 1 or more NameServers which can give authoritative answers for www.netflix.com
  • Non-authoritative/cached = Copies of records/zones stored elsewhere to speed things up
31
Q

DNS Hierarchical Design

A
  1. DNS Root (the boss) = It’s a zone that is hosted on DNS NameServers, so the DNS root zone runs on the DNS root servers. It’s the point that every DNS client knows about and trusts; it’s where queries start, at the root of DNS.

There are 13 root server IP addresses which host the root zone; these IP addresses are distributed geographically and the hardware is managed by independent organizations.

  • The root zone contains high-level info on the Top Level Domains (TLDs) of DNS
  • The job of the root zone is just to point at these TLD registries.
  2. Top Level Domains (TLDs) = A TLD is everything that follows the final dot of a domain name (.com)
  • They point at Authoritative Name Servers
  • Stores info only on domains in that TLD
  3. NameServers = Authoritative Name Servers host 1+ zones for domains (google.com)
  • These servers host the ZoneFile which stores the data for that zone (contains records within google.com, for example drive.google.com)
32
Q

What do we want from DNS?

A

The job of DNS is to help you locate and get a query response from the authoritative zone which hosts the DNS record(s) you need.

How does DNS actually work?

  1. Check local cache & hosts file
  2. Query the DNS Resolver; this is a type of DNS server, often running on a home router or within an internet provider, and it will do the query on our behalf
  3. DNS Resolver checks its local cache (it might be able to return a non-authoritative answer)
  4. DNS Resolver asks the DNS root for www.netflix.com
  5. The DNS root zone returns the details of the .com name servers
  6. DNS Resolver asks the .com TLD NS for www.netflix.com
  7. TLD returns the netflix.com NS
  8. DNS Resolver asks the netflix.com NS for www.netflix.com
  9. Netflix DNS NS returns the DNS record for www.netflix.com > IP
  10. DNS Resolver caches the result in order to improve performance
  11. DNS Resolver returns the result to the client
  • No one NS has all the answers
  • Every query gives you the next step
33
Q

How is a domain registered?

A
  1. Client pays for cats.com on a Domain Registrar (Route 53) (they let you buy available domains and also register the domain with the registry)
  • We’re going to need a DNS zone for the domain being registered, and this zone needs to be hosted on some DNS NS.
  • Registrar and Hosting Provider can be the SAME or DIFFERENT companies
    -If the same company, a zone is created and hosted automatically
    -If different companies, you’ll be asked for the NS info where the zone is already hosted
  • At this point, we have a domain being registered and we have a DNS zone ready to go, hosted on some NS
  2. The registrar communicates this to the registry for the TLD (.com - Verisign)
  3. The TLD adds the cats.com NS to the .com TLD zone
  4. The cats.com domain is live
34
Q

DNSSEC

A

DNSSEC is a secure add-on for DNS; it provides additional functionality.

DNSSEC Benefits

  • Data Origin Authentication = Allows you to verify that the data that you receive is from the zone that you think it is
  • Data Integrity Protection = The data hasn’t been modified in transit

It does both of these things by establishing a chain of trust between the DNS root and DNS records, and it does this in a cryptographically verifiable way.

  • DNSSEC uses public key cryptography to secure itself
  • DNSSEC is additive: it adds to DNS; it doesn’t replace it
  • DNSSEC will verify the result from a query and will be able to identify that records have been changed or come from a different origin
  • It doesn’t show you what the result should be
35
Q

How DNSSEC Works within a Zone

A

How it allows a DNSSEC resolver or client to validate any Resource Record within a zone.

DNSSEC - RRSET

Zone - icann.org

Resource Records

  • www - CNAME (CNAMEs point at other records)
    > www.vip (A Record - IPv4)
    > www.vip (AAAA Record - IPv6)
  • 4 MX Records (icann.org) pointing at 4 different mail exchange servers
    (Each of these is a Resource Record - 7 in total)

Resource Record Set

Any records with the same name and the same type (sets of Resource Records). They make it easier to deal with records in groups rather than as single records.

  • www - CNAME
    > www.vip (A Record - IPv4) > This means each of them is its own RRSET
    > www.vip (AAAA Record - IPv6)
  • 4 MX Records (icann.org)
  • They all have the same name and they’re all MX records, and this means that all four of these are inside one RRSET

RRSIG = Stores a digital signature of an RRSET using public and private pairs of keys (Zone Signing Keys - ZSK). This uses digital signing and hashing.

  • If the RRSET changes, the RRSIG has to be regenerated in order to be valid
  • If the RRSET changes without a corresponding change to the RRSIG, the result is an invalid signature
  • Only the private key of the ZSK can be used to sign RRSETs. (They are supposed to be non-public, so you can trust them.)
36
Q

How can a client or resolver verify the RRSIG?

A

They need the public part of the ZSK to be able to verify signatures (RRSIGs).

-The DNSKEY record inside a zone stores public keys; they are used to verify any RRSIG in the zone.

-The DNSKEY record contains the public ZSK or KSK (Key Signing Key)

The DNSKEY requires a signature; a matching RRSIG record validates that it hasn’t been changed, and it is signed using the KSK

ZSK = Is used for signing everything in a zone, so it creates most RRSIG records, except those for the DNSKEY records

-We can change the ZSK without requiring any changes to the parent zone

KSK = Is used to sign the DNSKEY record

  • Referenced from the parent zone so you can trust them
  • The KSK allows you to trust the ZSK stored in the zone

Private KSK = Is used to sign the DNSKEY
Public KSK = This zone is linked to the parent zone by cryptographic trust

37
Q

DNSSEC Chain of Trust

A

Zone - .org

DS Records (Delegation Signer Records) = This is how DNSSEC creates a chain of trust between parent and child

-Contains a HASH of the child domain’s public KSK - links the parent trust to the child

How can we trust the DS?

-An RRSIG is created from the DS using the .org DNSKEY ZSK, and then, to trust this key, an RRSIG is created from the DNSKEY ZSK using the private KSK.
-If you trust the zone’s public KSK then you trust everything in the .org zone, including the trust delegation to the icann.org child zone
-This same method is used to trust the parent zone of the .org zone (Root Zone)

38
Q

DNSSEC - Validation Flow

A

Trust within a DNS zone is normally provided via the parent zone of that zone. The parent zone has a DS record, which is a hash of the public KSK of the child zone, and that’s how the trust chain is created.

In the case of the Root Zone, there is no parent zone and there’s nothing to provide that trust.

The TRUST Anchor

Locked away within two secure locations is what amounts to the keys of the internet: the private DNS root KSK.

-These are locked away, protected & never exposed - HSMs

The public DNS root KSK verifies the absolute trust (with this key you can verify anything signed by the private key)

The ZSK of the Root Zone controls the security of the zone

-Private ZSK > Public ZSK/KSK DNSKEY > Signature Public ZSK/KSK RRSIG DNSKEY

Key Ceremony

-Take the Root KSK that everything trusts
-Sign the Root ZSKs, which can be used operationally; these can be used to sign individual Resource Record sets within the Root Zone, and it’s that public and private ZSK pair which is then used to create the chain of trust, which allows trust in top level domains and onwards.

39
Q

RPO & RTO

A

Recovery Point Objective

The maximum amount of data, expressed in time, that can be lost during a disaster recovery situation before that loss will exceed what the organization can tolerate.

If an organization tells you that they have an RPO of six hours, it means the organization cannot tolerate more than six hours of data loss when recovering from a disaster like a server failure.

In order to recover data from the failed server, we need to restore a backup. Successful backups are known as recovery points. You need to make sure these backups happen more often than the RPO value provided by the organization.

Lower RPO = More Frequent Backups = Higher Cost

Recovery Time Objective

The maximum tolerable length of time that a system can be down after a failure or a disaster occurs. Recovery time begins at the moment of failure and ends when the system is operational and handed back to the business in a fully tested state.

Considerations

-The recovery only starts when you’re made aware that the system has failed
-Investigate the issue - quick fix or restore?
-What type of backup do we have? Some take longer to restore
-What are we restoring on? Spare server? Physical or virtual?
-Business testing - user testing - final handover

As a Solutions Architect, you need to understand which systems are critical and which can tolerate more data loss or recovery outages, and by appropriately designing systems to match the true business requirements, you can deliver a system which meets those requirements in a cost-effective way.

As you’re going through the course consider how you think products and services being discussed would affect the RPO and RTOs of systems designed utilizing those products.