Security 101

Question 1

What does CIA stand for ?

Answer 1

Confidentiality, Integrity and Availability

Question 2

What is confidentiality ?

Answer 2

It relates to the concept of keeping things (objects) private and available to only those people that have an requirement to know about it

Question 3

What is integrity ?

Answer 3

The assurance that assets have not been tampered with ? Hashing is a good example of a control that ensures integrity

Question 4

What is availability ?

Answer 4

Making sure that people can access those assets ? Hardware failure is a good example of something that undermines availability

Question 5

What is the AAA model ?

Answer 5

Extends the CIA triad with Authentication, Authorization and Accounting

Question 6

What services cover the AAA model ?

Answer 6

Authentication - IAM
Authorization - Permission Policies
Accounting - Cloudtrail

Question 7

What are the five main areas of Physical and Environmental Security covered by AWS ?

Answer 7

1. Fire Detection and Suppression
2. Power
3. Climate and Temperature
4. Management
   
   1. Storage Device Decommissioning

Question 8

What are the four areas of business continuity management handled by Amazon ?

Answer 8

1. Availability
2. Incident Response
3. Company Wide Executive Review
4. Communication

Question 9

What are the six areas of network security that are the responsibility of Amazon AWS ?

Answer 9

1. Secure Network Architecture
2. Secure Access Points
3. Transmission Protection
4. Amazon Corporate Segregation
5. Fault Tolerant Design
6. Network Monitoring and Protection

Question 10

What does the phrase Security is neither a product or a service mean ?

Answer 10

There is no single product or service that can act as a magic black box

Question 11

What does the phrase security is not a technology mean ?

Answer 11

Security does not depend on a single technology but a grouping of technologies to provide a defence in depth

Question 12

What doe the phrase security is not static mean ?

Answer 12

It is not something you do once and forget

Question 13

What does the phrase security is not a check box mean ?

Answer 13

It means that we should constantly be aware of why we are doing the security control

Question 14

What are the four main items that drive a security policy ?

Answer 14

1. Business Requirements/Objectives
2. Regulatory Requirements
3. Risk Evaluation (Agree Acceptable Level of Risk by Senior Execs)
4. Cost Benefit Analysis (Determines if the control cost is justified against the risk its protecting against)

Question 15

If the organizational policy is written in broad terms what are the four common document types that implement its vision in concrete terms ?

Answer 15

1. Standards (Mandatory rules and Regulations)
2. Guideline (Recommendation for areas not covered by standards)
3. Baseline (Define minimum level of security for a given system)
4. Procedures (step by step instructions)

Question 16

What are the eight most common attack types ?

Answer 16

1. Reconnaissance
2. Password
3. Eavesdropping
4. IP Spoofing
5. Man in the Middle
6. Denial of Service
7. Malware
8. Phishing

Question 17

What is the reconnaissance phase ?

Answer 17

Underlying goal is to obtain as much information as possible about targets with techniques such as ping sweep and social engineering

Question 18

What are password attacks ?

Answer 18

Either brute force or dictionary attacks aimed at creating a new priveleged account or compromising an existing account and elevating its privilege

Question 19

What is an eavesdropping attack ?

Answer 19

Aka sniffing such as port scans

Question 20

What is an IP Spoofing attack ?

Answer 20

Falisifying the IP origin of the attack to either remain incognito or place the blame on somebody else

Question 21

What is a Denial of Service attack ?

Answer 21

Level 8 TCP ACK Flood

Level 3 Smurf Attack

Level 2 Spanning Tree Protocol

Question 22

What are the 7 types of Malware attacks

Answer 22

1. Virus - replicates through infection of other code bases
2. Worm - self replicating
3. Trojan Horse - mascarading
4. Adware
5. Launcher - Downloads other malicious software
6. Keylogger
7. Ransomware

Question 23

What is the Shared Responsibility Model ?

Answer 23

AWS looks after security of the cloud while you the customer is responsible for security in the cloud

Question 24

Under the Shared Responsibility Model what are AWS responsibilities ?

Answer 24

Global Infrastructure

Networking Hardware and Software

Managed Services

Question 25

Under the Shared Responsibility Model what are the customers responsibilities ?

Answer 25

IAAS

Software/Patches

Configuration of the AWS provided firewall

Question 26

How does the shared responsibility model change for container services such as elastic beanstalk and emr and rds ?

Answer 26

Here ec2 instances are provisioned but you dont have access to them so patching and looking after the os becomes AWS responsibility but all the stuff you can control is still your responsibility.

Question 27

What AWS Service provides visibility of your assets for compliance ?

Answer 27

AWS Config

Question 28

What AWS Service helps with auditing ?

Answer 28

AWS Cloudtrail

Question 29

What are the two main services for Data Controlability ?

Answer 29

KMS and CloudHSM

Question 30

What is the prime difference between Cloud HSM and KMS ?

Answer 30

KMS is multi tenanted while Cloud HSM is not and id FIPS 140-2 compliant

Question 31

How would you enforce https access to S3 ?

Answer 31

Have a statement that allows everyone and a deny statement for everyone where the boolean condition aws:Securetransport is false

Question 32

For Cross Region Replication do you need a bucket policy or ACL ?

Answer 32

No it is always done by default via SSL

Question 33

Once an object is replicated in S3 can it be replicated again ?

Answer 33

No

Question 34

Can you replicate in S3 to multiple destinations ?

Answer 34

No only one

Question 35

What bucket feature needs to be switched on for Cross Region replication in S3 ?

Answer 35

Versioning

Question 36

Where in Cross region replication would you use the READ and READ_ACP acl permissions ?

Answer 36

Where the bucket owner need to replicate objects where they are not the owner of those objects

Question 37

Can you do Cross Region/Cross Account replication in S3 ?

Answer 37

Yes but the IAM Role needs to have permissions to the destination bucket within another account

Question 38

Can you in S3 replication across accounts create rules that changes the ownership of the replication item to the ownership of the destination account bucket ?

Answer 38

Yes

Question 39

Are encrypted objects replicated in Cross Region replication ?

Answer 39

Yes if the object is encrypted with SSE-S3 or SSE-KMS

Question 40

What else is replicated in S3 cross region replication ?

Answer 40

Object metadata, Object Tags, ACL

Question 41

What is not replicated in cross region replication ?

Answer 41

• Anything before replication is turned on
• Encrypted objected with SSE-C
• Object for which bucket owner does not have permissions for
• Deletes to a particular version of an object

Question 42

What is the main security concern with S3 and Cloudfront ?

Answer 42

The main issue that we are tackling here is in a situation where we have a S3 bucket sitting behind Cloudfront we want to force users to go through Cloudfront rather than directly to the S3 bucket.

Question 43

How do you force users to access S3 buckets through Cloudfront CDN urls rather than S3 urls before CDN is created§§?

Answer 43

This is done by clicking restrict-bucket access when setting up the Cloudfront CDN.

Question 44

Can a Cloudfront distribution use the same SSL certificate as your Loadbalancers ?

Answer 44

No they must be seperate

Question 45

What is an Origin Access Identity ?

Answer 45

This is the identity that all users assume when accessing S3 content from a CDN. You can do this after a CDN is created by clicking on the Restrict option, then choosing create Origin Access Identity and the select Yes Update Bucket Policy on the Grant Permissions option.

You normally have to be concerned about this is if you are trying to restrict access to S3 urls after the distribution has been created.

Question 46

Why would you need a custom ssl certificate with Cloudfront ?

Answer 46

You will need to use a custom SSL certificate with Cloudfront if you want to use your own domain name rather than the default one of Cloudfront.

Question 47

When using a custom certificate with Cloudfront what is the limitation of storing that certificate in ACM ?

Answer 47

Has to be stored in us-east-1

Question 48

What does the awscli command aws s3 presign / –expires-in 300 do ?

Answer 48

Creates a pre-signed url that lives for 300 seconds

Question 49

Whats the default time period for a pre-signed url ?

Answer 49

1 hour