KMS, Encryption SDK, SSM Parameter Store Flashcards

1
Q

help with encryption (HTTPS)

A

SSL certificates

2
Q

What does KMS stand for?

A

Key Management Service

3
Q
  • Anytime you hear “encryption” for an AWS service
  • AWS manages encryption keys for us
  • Fully integrated with IAM for authorization
  • Easy way to control access to your data
A

KMS (Key Management Service)

4
Q

Able to audit KMS Key usage using _________?

A

CloudTrail

5
Q

KMS Key Encryption also available through ________?

A

API calls (SDK, CLI)

6
Q

Encrypted secrets can be stored in the ________?

A

code / environment variables

7
Q

KMS Key Types -
* Single encryption key that is used to Encrypt and Decrypt
* AWS services that are integrated with KMS use Symmetric CMKs
* You never get access to the KMS Key unencrypted (must call KMS API to use)

A

Symmetric (AES-256 keys)

8
Q

KMS Key Types -
* Public (Encrypt) and Private Key (Decrypt) pair
* Used for Encrypt/Decrypt, or Sign/Verify operations
* The public key is downloadable, but you can’t access the Private Key unencrypted
* Use case: encryption outside of AWS by users who can’t call the KMS API

A

Asymmetric (RSA & ECC key pairs)

9
Q
  • AWS Owned Keys (free): SSE-S3, SSE-SQS, SSE-DDB (default key)
  • AWS Managed Key: free (aws/service-name, example: aws/rds or aws/ebs)
  • Customer managed keys created in KMS: $1 / month
  • Customer managed keys imported (must be symmetric key): $1 / month
    • pay for API call to KMS ($0.03 / 10000 calls)
A

Types of KMS Keys

10
Q
  • AWS-managed KMS Key: automatic every 1 year
  • Customer-managed KMS Key: (must be enabled) automatic every 1 year
  • Imported KMS Key: only manual rotation possible using alias
A

Automatic Key rotation

11
Q
  • Created if you don’t provide a specific KMS Key Policy
  • Complete access to the key to the root user = entire AWS account
A

Default KMS Key Policy

12
Q
  • Define users, roles that can access the KMS key
  • Define who can administer the key
  • Useful for cross-account access of your KMS key
A

Custom KMS Key Policy

13
Q

5 Steps to Copying Snapshots across accounts

A
  1. Create a Snapshot, encrypted with your own KMS Key (Customer Managed Key)
  2. Attach a KMS Key Policy to authorize cross-account access
  3. Share the encrypted snapshot
  4. (in target) Create a copy of the Snapshot, encrypt it with a CMK in your account
  5. Create a volume from the snapshot
14
Q
  • Identical KMS keys in different AWS Regions that can be used interchangeably
  • They have the same key ID, key material, automatic rotation…
A

KMS Multi-Region Keys

15
Q
  • Encrypt in one Region and decrypt in other Regions
  • No need to re-encrypt or make cross-Region API calls
A

KMS Multi-Region Keys

16
Q
  • They are NOT global (Primary + Replicas)
  • Each one is managed independently
A

KMS Multi-Region Keys

17
Q

global client-side encryption, encryption on Global DynamoDB, Global Aurora

A

KMS Multi-Region Keys

18
Q

We can encrypt specific attributes client-side in our DynamoDB table using the ___________?

A

Amazon DynamoDB Encryption Client

19
Q

READ EVERYTHING
* Combined with Global Tables, the client-side encrypted data is replicated to other regions
* If we use a multi-region key, replicated in the same region as the DynamoDB Global table, then clients in these regions can use low-latency API calls to KMS in their region to decrypt the data client-side
* Using client-side encryption we can protect specific fields and guarantee only decryption if the client has access to an API key

A

DynamoDB Global Tables and KMS Multi-Region Keys Client-Side encryption

20
Q

READ EVERYTHING
* We can encrypt specific attributes client-side in our Aurora table using the AWS Encryption SDK
* Combined with Aurora Global Tables, the client-side encrypted data is replicated to other regions
* If we use a multi-region key, replicated in the same region as the Global Aurora DB, then clients in these regions can use low-latency API calls to KMS in their region to decrypt the data client-side
* Using client-side encryption we can protect specific fields and guarantee decryption only if the client has access to an API key; we can protect specific fields even from database admins

A

Global Aurora and KMS Multi-Region Keys Client-Side encryption

21
Q

READ EVERYTHING

  • Unencrypted objects and objects encrypted with SSE-S3 are replicated by default
  • Objects encrypted with SSE-C (customer provided key) are never replicated
  • For objects encrypted with SSE-KMS, you need to enable the option
    • Specify which KMS Key to encrypt the objects within the target bucket
    • Adapt the KMS Key Policy for the target key
    • An IAM Role with kms:Decrypt for the source KMS Key and kms:Encrypt for the target KMS Key
    • You might get KMS throttling errors, in which case you can ask for a Service Quotas increase
  • You can use multi-region AWS KMS Keys, but they are currently treated as independent keys by Amazon S3 (the object will still be decrypted and then encrypted)
A

S3 Replication
Encryption Considerations

22
Q
  1. AMI in Source Account is encrypted with KMS Key from Source Account
  2. Must modify the image attribute to add a Launch Permission which corresponds to the specified target AWS account
  3. Must share the KMS Keys used to encrypt the snapshot the AMI references with the target account / IAM Role
  4. The IAM Role/User in the target account must have the permissions to DescribeKey, ReEncrypt, CreateGrant, Decrypt
  5. When launching an EC2 instance from the AMI, optionally the target account can specify a new KMS key in its own account to re-encrypt the volumes
A

AMI Sharing Process Encrypted via KMS

23
Q
  • Secure storage for configuration and secrets
  • Optional Seamless Encryption using KMS
  • Serverless, scalable, durable, easy SDK
  • Version tracking of configurations / secrets
  • Security through IAM
  • Notifications with Amazon EventBridge
  • Integration with CloudFormation
A

SSM Parameter Store

24
Q

What are the 2 types of parameter tiers?

A

Standard
Advanced

25
Total number of parameters allowed (per AWS account and Region)
Standard - 10,000 Advanced - 100,000
26
Maximum size of a parameter value
Standard - 4KB Advanced - 8KB
27
Parameter policies available
Standard - No Advanced - Yes
28
Cost
Standard - No additional charge Advanced - Charges Apply
29
Storage Pricing
Standard - Free Advanced - $0.05 per advanced parameter per month
30
* Allow to assign a TTL to a parameter (expiration date) to force updating or deleting sensitive data such as passwords
* Can assign multiple policies at a time
Parameters Policies (for advanced parameters)
31
* Newer service, meant for storing secrets
* Capability to force rotation of secrets every X days
* Automate generation of secrets on rotation (uses Lambda)
* Integration with Amazon RDS (MySQL, PostgreSQL, Aurora)
* Secrets are encrypted using KMS
* Mostly meant for RDS integration
AWS Secrets Manager
32
* Replicate Secrets across multiple AWS Regions
* Secrets Manager keeps read replicas in sync with the primary Secret
* Ability to promote a read replica Secret to a standalone Secret
AWS Secrets Manager – Multi-Region Secrets
33
multi-region apps, disaster recovery strategies, multi-region DB...
AWS Secrets Manager – Multi-Region Secrets
34
Easily provision, manage, and deploy TLS Certificates
AWS Certificate Manager (ACM)
35
Provide in-flight encryption for websites (HTTPS)
AWS Certificate Manager (ACM)
36
Supports both public and private TLS certificates
AWS Certificate Manager (ACM)
37
Free of charge for public TLS certificates
AWS Certificate Manager (ACM)
38
Automatic TLS certificate renewal
AWS Certificate Manager (ACM)
39
Integrations with (load TLS certificates on)
* Elastic Load Balancers (CLB, ALB, NLB)
* CloudFront Distributions
* APIs on API Gateway
AWS Certificate Manager (ACM)
40
Can you use ACM with EC2?
NO
41
What does ACM stand for?
AWS Certificate Manager
42
4 steps to ACM – Requesting Public Certificates?
1. List domain names to be included in the certificate
   * Fully Qualified Domain Name (FQDN): corp.example.com
   * Wildcard Domain: *.example.com
2. Select Validation Method: DNS Validation or Email validation
   * DNS Validation is preferred for automation purposes
   * Email validation will send emails to contact addresses in the WHOIS database
   * DNS Validation will leverage a CNAME record to DNS config (ex: Route 53)
3. It will take a few hours to get verified
4. The Public Certificate will be enrolled for automatic renewal
   * ACM automatically renews ACM-generated certificates 60 days before expiry
43
With ACM – Importing Public Certificates, what is the policy with renewals?
No automatic renewal, must import a new certificate before expiry
44
ACM sends daily expiration events starting _________ prior to expiration
45 days
45
With ACM sending out daily expiration events, can you configure the number of days?
YES
46
Where do the daily ACM expiration events appear?
EventBridge
47
___________ has a managed rule named acm-certificate-expiration-check to check for expiring certificates (configurable number of days)
AWS Config
48
* Protects your web applications from common web exploits (Layer 7)
* Layer 7 is HTTP (vs Layer 4 is TCP/UDP)
* Deploy on
  * Application Load Balancer
  * API Gateway
  * CloudFront
  * AppSync GraphQL API
  * Cognito User Pool
AWS WAF – Web Application Firewall
49
* Define Web ACL (Web Access Control List) Rules:
  * IP Set: up to 10,000 IP addresses – use multiple Rules for more IPs
  * HTTP headers, HTTP body, or URI strings – protects from common attacks: SQL injection and Cross-Site Scripting (XSS)
  * Size constraints, geo-match (block countries)
  * Rate-based rules (to count occurrences of events) – for DDoS protection
* Web ACLs are Regional except for CloudFront
* A rule group is a reusable set of rules that you can add to a web ACL
AWS WAF – Web Application Firewall
50
WAF _________ support the Network Load Balancer (Layer 4)
does not
51
We can use _____________ for fixed IP and WAF on the ALB
Global Accelerator
52
Distributed Denial of Service – many requests at the same time
DDoS
53
* Free service that is activated for every AWS customer
* Provides protection from attacks such as SYN/UDP Floods, Reflection attacks and other layer 3/layer 4 attacks
AWS Shield Standard
54
* Optional DDoS mitigation service ($3,000 per month per organization)
* Protect against more sophisticated attacks on Amazon EC2, Elastic Load Balancing (ELB), Amazon CloudFront, AWS Global Accelerator, and Route 53
* 24/7 access to AWS DDoS response team (DRP)
* Protect against higher fees during usage spikes due to DDoS
* The automatic application layer DDoS mitigation automatically creates, evaluates and deploys AWS WAF rules to mitigate layer 7 attacks
AWS Shield Advanced:
55
* Manage rules in all accounts of an AWS Organization
* Security policy: common set of security rules
  * WAF rules (Application Load Balancer, API Gateways, CloudFront)
  * AWS Shield Advanced (ALB, CLB, NLB, Elastic IP, CloudFront)
  * Security Groups for EC2, Application Load Balancer and ENI resources in VPC
  * AWS Network Firewall (VPC Level)
  * Amazon Route 53 Resolver DNS Firewall
* Policies are created at the region level
* Rules are applied to new resources as they are created (good for compliance) across all and future accounts in your Organization
AWS Firewall Manager
56
are used together for comprehensive protection
WAF, Shield, Firewall Manager
57
Define your _________ rules in WAF
Web ACL
58
For granular protection of your resources, ___________ alone is the correct choice
WAF
59
If you want to use AWS WAF across accounts, accelerate WAF configuration, automate the protection of new resources, use _______________
Firewall Manager with AWS WAF
60
adds additional features on top of AWS WAF, such as dedicated support from the Shield Response Team (SRT) and advanced reporting.
Shield Advanced
61
If you’re prone to frequent DDoS attacks, consider purchasing _________________
Shield Advanced
62
* Web Application delivery at the edge
* Protect from DDoS Common Attacks (SYN floods, UDP reflection...)
BP1 – CloudFront
63
* Access your application from the edge
* Integration with Shield for DDoS protection
* Helpful if your backend is not compatible with CloudFront
BP1 – Global Accelerator
64
* Domain Name Resolution at the edge
* DDoS Protection mechanism
BP3 – Route 53
65
* Protect Amazon EC2 against high traffic
* That includes using Global Accelerator, Route 53, CloudFront, Elastic Load Balancing
Infrastructure layer defense (BP1, BP3, BP6)
66
Helps scale in case of sudden traffic surges including a flash crowd or a DDoS attack
Amazon EC2 with Auto Scaling (BP7)
67
Elastic Load Balancing scales with the traffic increases and will distribute the traffic to many EC2 instances
Elastic Load Balancing (BP6)
68
* CloudFront caches static content and serves it from edge locations, protecting your backend
* AWS WAF is used on top of CloudFront and Application Load Balancer to filter and block requests based on request signatures
* WAF rate-based rules can automatically block the IPs of bad actors
* Use managed rules on WAF to block attacks based on IP reputation, or block anonymous IPs
* CloudFront can block specific geographies
Detect and filter malicious web requests (BP1, BP2)
69
Shield Advanced automatic application layer DDoS mitigation automatically creates, evaluates and deploys AWS WAF rules to mitigate layer 7 attacks
Shield Advanced (BP1, BP2, BP6)
70
Using CloudFront, API Gateway, Elastic Load Balancing to hide your backend resources (Lambda functions, EC2 instances)
Obfuscating AWS resources (BP1, BP4, BP6)
71
* Use security groups and NACLs to filter traffic based on specific IP at the subnet or ENI-level
* Elastic IPs are protected by AWS Shield Advanced
Security groups and Network ACLs (BP5)
72
* Hide EC2, Lambda, elsewhere
* Edge-optimized mode, or CloudFront + regional mode (more control for DDoS)
* WAF + API Gateway: burst limits, headers filtering, use API keys
Protecting API endpoints (BP4)
73
AWS Best Practices for DDoS Resiliency Edge Location Mitigation (BP1, BP3)
BP1 – CloudFront BP1 – Global Accelerator BP3 – Route 53
74
AWS Best Practices for DDoS Resiliency Best practices for DDoS mitigation
Infrastructure layer defense (BP1, BP3, BP6) Amazon EC2 with Auto Scaling (BP7) Elastic Load Balancing (BP6)
75
AWS Best Practices for DDoS Resiliency Application Layer Defense
Detect and filter malicious web requests (BP1, BP2); Shield Advanced (BP1, BP2, BP6)
76
AWS Best Practices for DDoS Resiliency Attack surface reduction
Obfuscating AWS resources (BP1, BP4, BP6)
77
Intelligent Threat discovery to protect your AWS Account
Amazon GuardDuty
78
Uses Machine Learning algorithms, anomaly detection, 3rd party data
Amazon GuardDuty
79
One click to enable (30 days trial), no need to install software
Amazon GuardDuty
80
* Input data includes:
  * CloudTrail Events Logs – unusual API calls, unauthorized deployments
    * CloudTrail Management Events – create VPC subnet, create trail, ...
    * CloudTrail S3 Data Events – get object, list objects, delete object, ...
  * VPC Flow Logs – unusual internal traffic, unusual IP address
  * DNS Logs – compromised EC2 instances sending encoded data within DNS queries
  * Optional Features – EKS Audit Logs, RDS & Aurora, EBS, Lambda, S3 Data Events...
Amazon GuardDuty
81
Can setup EventBridge rules to be notified in case of findings
Amazon GuardDuty
82
EventBridge rules can target AWS Lambda or SNS
Amazon GuardDuty
83
Can protect against CryptoCurrency attacks (has a dedicated “finding” for it)
Amazon GuardDuty
84
* Automated Security Assessments
* For EC2 instances
  * Leveraging the AWS Systems Manager (SSM) agent
  * Analyze against unintended network accessibility
  * Analyze the running OS against known vulnerabilities
* For Container Images pushed to Amazon ECR
  * Assessment of Container Images as they are pushed
* For Lambda Functions
  * Identifies software vulnerabilities in function code and package dependencies
  * Assessment of functions as they are deployed
* Reporting & integration with AWS Security Hub
* Send findings to Amazon EventBridge
Amazon Inspector
85
Amazon Inspector evaluates only .........
EC2 instances, Container Images, Lambda functions
86
Amazon Inspector, continuous scanning of the infrastructure, only ___________
when needed
87
is a fully managed data security and data privacy service that uses machine learning and pattern matching to discover and protect your sensitive data in AWS.
AWS Macie
87
helps identify and alert you to sensitive data, such as personally identifiable information (PII)
AWS Macie