Troubleshooting Security Scenarios Flashcards

1
Q

CloudWatch issues?

A
  1. Start with the IAM user/role as a possible cause. Check whether cloudwatch:Get* and cloudwatch:List* actions are allowed in the IAM policy.
  2. Check that the CloudWatch agent is installed and running, and that the EC2 instance has a role with permission to write to CloudWatch Logs.
  3. Lambda automatically adds permission to allow itself to write to CloudWatch Logs, in addition to your permissions.
  4. Lambda basic events are logged in CloudWatch, but detailed logging is NOT enabled by default because of its volume.
2
Q

CloudTrail logs missing?

A

Is CloudTrail enabled?
Is the S3 bucket name correct?
Is the S3 prefix correct, existing, and not deleted?
Check the S3 bucket policy.
S3 and Lambda data events are NOT enabled by default; enable them explicitly if needed.

3
Q

What if auditor can’t access CloudTrail logs from CloudWatch?

A

Does their account have CloudTrailReadOnlyAccess?

4
Q

Network Infrastructure / connectivity issues?

A
  1. Subnet
  2. Routing table
  3. SG rules
  4. NACL rules inbound+outbound
  5. NATGW
  6. IGW
5
Q

How to set up peering between VPCs?

A

Update both routing tables.

6
Q

Quick win for Network Infrastructure / connectivity issues?

A

Check VPC Flow Logs for allow/reject entries to get a hint of where traffic is being blocked.

7
Q

Authentication/Authorization Issues

A

Evaluate least privilege; remember that an explicit allow overrides the implicit deny, but an explicit deny overrides everything.

8
Q

Authentication/Authorization Issues for Organizations?

A

Check if service boundaries have policies blocking access.

9
Q

What are the STS roles and use cases?

A
  • STS:AssumeRoleWithWebIdentity = if the user is authenticated by a web identity provider such as Meta (Facebook) or Google
  • STS:AssumeRoleWithSAML = if authenticated by AD or a SAML identity provider
  • STS:AssumeRole = if authenticated by AWS
10
Q

Cross Account Issues? User in dev wants to access prod account

A

Does the dev account have an IAM policy allowing Action: sts:AssumeRole?
Does the prod account allow sts:AssumeRole for the dev ARN as the Principal?
Check the trust relationships in IAM.

11
Q

What permissions to apply to KMS for cross-account access?

A

The KMS key policy in prod needs “Add other account” updated.
The dev account IAM policy should allow kms:Decrypt and kms:DescribeKey on the Resource ARN of the prod account key.

12
Q

If Lambda unable to take action based on triggers?

A

Check that the Lambda execution role has the right permissions.

13
Q

What is Lambda Function Policy?

A

Defines which resources can trigger the Lambda function.

14
Q

What is Lambda Execution role?

A

Defines which resources the Lambda function can access.

15
Q

How to use Lambda with Secrets Manager?

A

The execution role must be explicitly granted permission to access Secrets Manager before the function can pull data from RDS etc.
