Security Flashcards

1
Q

When using SSE-C, what request headers must you use?

A

x-amz-server-side-encryption-customer-algorithm - This header specifies the encryption algorithm. The header value must be “AES256”.

x-amz-server-side-encryption-customer-key - This header provides the 256-bit, base64-encoded encryption key for Amazon S3 to use to encrypt or decrypt your data.

x-amz-server-side-encryption-customer-key-MD5 - This header provides the base64-encoded 128-bit MD5 digest of the encryption key according to RFC 1321. Amazon S3 uses this header for a message integrity check to ensure the encryption key was transmitted without error.

2
Q

What headers are needed to upload data to a S3 bucket requiring server side encryption with customer provided keys (SSE-C)?

A

x-amz-server-side-encryption-customer-algorithm - This header specifies the encryption algorithm. The header value must be “AES256”.

x-amz-server-side-encryption-customer-key - This header provides the 256-bit, base64-encoded encryption key for Amazon S3 to use to encrypt or decrypt your data.

x-amz-server-side-encryption-customer-key-MD5 - This header provides the base64-encoded 128-bit MD5 digest of the encryption key according to RFC 1321. Amazon S3 uses this header for a message integrity check to ensure the encryption key was transmitted without error.

3
Q

What is STS used for in AWS?

A

AWS STS (Security Token Service) is an AWS service that lets you request temporary security credentials for your AWS resources, both for IAM-authenticated users and for users federated into AWS via OpenID Connect or SAML 2.0. It is NOT used for Lambda authorizers.

4
Q

Describe these deployment methods: Immutable, All at once, Rolling and Rolling with additional batch

A

- All at once – Deploy the new version to all instances simultaneously. All instances in your environment are out of service for a short time while the deployment occurs. This is the fastest deployment method.

- Rolling – Deploy the new version in batches. Each batch is taken out of service during the deployment phase, reducing your environment’s capacity by the number of instances in a batch.

- Rolling with additional batch – Deploy the new version in batches, but first launch a new batch of instances to ensure full capacity during the deployment process.

- Immutable – Deploy the new version to a fresh group of instances by performing an immutable update.

5
Q

What can you use to encrypt data in transit and rest for DynamoDB?

A

DynamoDB Encryption Client (now AWS Database Encryption SDK). You can encrypt selected items or attribute values in a table.

Client-side encryption provides end-to-end protection for your data, in transit and at rest, from its source to storage in DynamoDB. Your plaintext data is never exposed to any third party, including AWS.

6
Q

What is symmetric encryption?

A

Symmetric encryption, also called single-key encryption, is the type of encryption in which the same key is used both to encrypt and to decrypt information.

7
Q

What is asymmetric encryption?

A

Asymmetric or public-key cryptography is the form of encryption that uses a PUBLIC key and a PRIVATE key for encryption and decryption. The sender uses the receiver's public key to encode the information into a non-readable form, which can only be decrypted and read with the matching secret (private) key. Data encrypted under the public-key scheme is therefore only accessible to the receiver who holds that secret key.

8
Q

Why would the sam deploy command return the following error:

Invalid (or missing) template file (path must be workspace-relative, or absolute)

A

The developer is not running the command from the project's root directory. They need to change the working directory to the root of the application that was created by sam build. By default, sam deploy assumes that the current working directory is the project’s root directory and tries to locate the template.yaml file either in the .aws-sam subfolder or in the root of the current working directory.

9
Q

What to know about adding a role to an EC2 instance?

A

Adding a role to an EC2 instance means adding the specified IAM role to the instance's instance profile. An instance profile can contain only one role, and this quota cannot be increased. You can remove the existing role and then add a different role to an instance profile. You must then wait for the change to appear across all of Amazon Web Services because of eventual consistency. To force the change, you must disassociate the instance profile and then associate it again, or you can stop your instance and then restart it.

10
Q

What is WAF?

A

AWS WAF is a web application firewall that lets you monitor the HTTP and HTTPS requests that are forwarded to your protected web application resources. You can protect the following resource types:
Amazon CloudFront distribution
Amazon API Gateway REST API
Application Load Balancer
AWS AppSync GraphQL API
Amazon Cognito user pool
AWS App Runner service
AWS Verified Access instance

You can use AWS WAF web access control lists (web ACLs) to help minimize the effects of a Distributed Denial of Service (DDoS) attack. For additional protection against DDoS attacks, AWS also provides AWS Shield Standard and AWS Shield Advanced.

11
Q

What are the two different types of Shield?

A

AWS Shield Standard - provides additional protection against DDoS attacks; it is automatically included at no extra cost beyond what you already pay for AWS WAF and your other AWS services.

AWS Shield Advanced - provides expanded DDoS attack protection for your Amazon EC2 instances, Elastic Load Balancing load balancers, CloudFront distributions, Route 53 hosted zones, and AWS Global Accelerator standard accelerators (NOT API Gateway directly). AWS Shield Advanced incurs additional charges.
