Misc Exam Tips and Security Best Practices Flashcards

1
Q

Directory Service AD Connector
vs
Simple AD

A

Simple AD is a cheap AD-compatible service with common directory features

AD Connector lets you connect an existing local AD to AWS

2
Q

How do you create Cross-Account access with IAM?

A

Create an IAM role with two policies attached.

The permissions policy grants the user of the role permission to carry out tasks on the resource.

The trust policy specifies which trusted accounts are allowed to grant their users permission to assume the role.

The trust policy on the role in the trusting account is one half of the permissions. The other half is a permissions policy attached to the user in the trusted account, allowing that user to switch to or assume the role.

https://docs.aws.amazon.com/IAM/latest/UserGuide/introduction.html

3
Q

Have a good understanding of how Route53 supports all of the different DNS record types, and when you would use certain ones over others.

A

https://docs.aws.amazon.com/Route53/latest/DeveloperGuide/resource-record-sets-choosing-alias-non-alias.html

4
Q

Know when Elastic IP’s are free or not

A

If you add EIPs to an instance you are charged for each of them per hour.

You are even charged when these addresses are associated with a stopped instance or an unattached interface, to encourage people to use them efficiently.

5
Q

High level areas that Trusted Advisor covers

A

https://aws.amazon.com/premiumsupport/trustedadvisor/

Cost Optimization
Fault Tolerance
Performance
Security
Service Limits
6
Q

How to troubleshoot a timeout error when connecting to an instance in a VPC

A

Need a security group allowing inbound traffic from your public IP on the proper port

Need a route sending outbound traffic to the internet gateway for the VPC

Network ACLs must allow both inbound and outbound traffic

8
Q

Know some use cases for Simple Workflow Services

A

https://aws.amazon.com/swf/faqs/

Amazon SWF enables applications for a range of use cases, including media processing, web application back-ends, business process workflows, and analytics pipelines, to be designed as a coordination of tasks. Tasks represent invocations of various processing steps in an application which can be performed by executable code, web service calls, human actions, and scripts.

9
Q

Know how to setup consolidated billing and cross-account access so department resources are isolated from each other but accounting can oversee it all

A

http://jayendrapatil.com/aws-consolidated-billing/

10
Q

Know how to make changes to AutoScaling Group

Know what you can, can’t change

A

Can specify only one launch configuration for an ASG at a time

Cannot modify a launch configuration after creating it

If you need to change it, create a new one and update your ASG with the new one. Existing instances aren’t affected, but new ones use the new configuration

11
Q

How do DynamoDB, ElastiCache, and S3 compare to each other for durability and latency?

A

DynamoDB - durable, can pay for strong consistency

ElastiCache - great speed, not so durable

S3 - eventual consistency, lower latency

https://d0.awsstatic.com/whitepapers/AWS%20Storage%20Services%20Whitepaper-v9.pdf

12
Q

Compare bucket policies, IAM policies, and ACLs for use in S3, with examples of when to use each

A

IAM Policies
Grant users fine-grained control over S3 buckets or objects while retaining control over what users do

Bucket Policies
Rules apply broadly to all S3 resources
Can restrict access based on IP address or HTTP referrer

ACLs
Grant specific permissions (read, write, full control) to specific users for an individual bucket or object

13
Q

When and how to encrypt snapshots

A

Public snapshots of encrypted volumes are NOT supported

You can share an encrypted snapshot with specific accounts

14
Q

How to use ELB cross-zone load balancing to evenly distribute traffic to EC2 instances in multiple AZs

A

http://jayendrapatil.com/tag/elastic-load-balancer/

15
Q

Autoscaling Lifecycle Hooks

A

Lifecycle hooks enable you to perform custom actions by pausing instances as an Auto Scaling group launches or terminates them. For example, while your newly launched instance is paused, you could install or configure software on it.

Each Auto Scaling group can have multiple lifecycle hooks. However, there is a limit on the number of hooks per Auto Scaling group.

16
Q

Where does a bastion host (jump server) reside?

A

In a public subnet

17
Q

How do you establish cross-account access?

A

In the trusting account (A), create an IAM policy that grants the trusted account (B) access to the resources.

Account B can delegate that access to its IAM users.

Account B cannot delegate more access to its users than it has been granted by account A.

18
Q

Steps for Identity Federation

A

The enterprise user accesses the identity broker application

The identity broker authenticates the user against the corporate identity store

The identity broker has permission to access the AWS Security Token Service to request temporary credentials

Enterprise users can get a temporary URL that gives them access to the APIs or the Management Console.

19
Q

Describe EC2 key usage for the AWS Linux AMI

A

When a new Linux instance is created, an EC2 asymmetric key pair is generated, or you can create your own

When the instance is launched, the public key is appended to the local user’s ~/.ssh/authorized_keys file

The user authenticates using the private key on their computer

20
Q

Describe EC2 key usage for the AWS Windows AMI

A

When a new Windows instance is launched, the EC2Config service creates a random Windows Administrator password and encrypts it with the EC2 public key

The user retrieves the encrypted password from the AWS Console or CLI and provides the matching EC2 private key to decrypt it

The password authenticates to Windows

21
Q

Describe a Resource Policy

A

Used where a user creates resources and then wants to allow other users to access them.

The policy is attached to the resource and describes who can do what with it.

The user is in control of the resource.

22
Q

Describe a Capability policy (AKA user-based permissions in the IAM documentation)?

A

Used to enforce company-wide access policies

Assigned to IAM users directly or through an IAM group

Can be assigned to a role that’s assumed at run time

Define what capabilities the user is allowed or denied to perform

They can override resource-based policies through an explicit deny

23
Q

Can IAM policies restrict access to a specific source IP address range, or certain days and times?

A

Yes

24
Q

Are resource and capability policies cumulative?

A

Yes

A user’s effective permissions are the union of a resource policy and the capability permissions granted directly or through group membership

25
What is AWS Cloud HSM?
Amazon's tamper-proof Hardware Security Modules in the cloud for storing and managing encryption keys
Gives you dedicated single-tenant access to CloudHSM appliance(s)
You manage the cryptographic domain, not AWS
You can have it in multiple AZs with replication for HA
26
6 ways to protect data at rest on S3
(PVR-BEE)
Permissions
Versioning
Replication
Backup
Encryption Server-Side (AWS managed)
Encryption Client-Side (Customer managed)
27
8 ways to protect data at rest on EBS
Replication (in addition to auto replication for HW failure)
Backup
Encryption: Microsoft Windows EFS
Encryption: Microsoft Windows BitLocker (only with password, not TPM)
Encryption: Linux dm-crypt
Encryption: TrueCrypt
Encryption: SafeNet
28
Describe EBS (Elastic Block Store) (Security best practices.pdf 2016)
AWS abstract block storage service
You get an EBS volume raw and unformatted, like a new HD
You partition it, create software RAID arrays, format partitions with any file system you choose, and protect the volume
These actions are all opaque to AWS operations
29
Protecting data at rest on Amazon RDS
RDS uses the same secure infrastructure as EC2
Can encrypt data at rest at the application layer using built-in encryption functions and keys
Can encrypt at the platform layer using MySQL crypto functions
30
3 Ways of protecting data in RDS
MySQL crypto functions
Oracle Transparent Data Encryption if you bring your own license
Microsoft Transact-SQL data protections
31
How is data on Glacier encrypted?
All data is encrypted automatically
Each Glacier archive has a unique key and the archive is encrypted with AES-256
The key is also encrypted with a master key which is rotated regularly
Can encrypt your data before uploading for extra protection
32
How do you protect data at rest with DynamoDB?
same as RDS
33
How do you protect data at rest with EMR? | Hadoop cluster
Store data in S3 and use server-side encryption
Store data in S3 and use client-side encryption
Encrypt at the application level, entire file
Encrypt at the application level, individual fields
Hybrid mix of the above
34
AWS Recommendations to secure operating systems
Disable root API access keys and secret key
Restrict access to limited IP ranges using Security Groups
Password-protect .pem files on user computers
Delete keys from the ~/.ssh/authorized_keys file when no longer needed
Rotate credentials
Regularly run least-privilege checks with IAM User Access Advisor and IAM user Last Used Access Keys
Use bastion hosts
35
What can you bootstrap AMI's with?
Chef, Puppet, Capistrano, Cloud-init, Cfn-init, PowerShell, Bash scripts
36
Access Control Methods to Build Network Segments
Use VPC to define an isolated network for each workload or organizational entity
Use Security Groups (stateful firewalls) to manage access to instances with similar functions
Use NACLs (stateless firewalls) for granular control of IP protocols and per-source/destination addresses. These can work with Security Groups and act before them
Use host-based firewalls
Create a threat-protection layer and force all traffic through it
Apply ACLs at other layers (applications and services)
37
6 Guidelines for securing DNS
Separate admin-level access
Separate roles for monitoring, alerting, and audit trail
Network-layer access control: restrict access to only those that need it
Latest stable software with patches
Continuous security testing
All other security controls in place
38
6 Potential layers of AWS security
VPC
Firewall rules at the hypervisor layer
NACLs
Security Groups
Host-based firewalls
IDS/IPS
39
VPC Features that support threat protection layer technologies
Support for multiple layers of load balancers: use external and internal load balancers for threat management and HA
Support for multiple IP addresses on a single network interface
Support for multiple Elastic Network Interfaces: ENIs allow multiple network interfaces on several instance types, for multi-zone security features
40
If you can't use inline threat management devices because of latency or other reasons, what two alternatives can you use?
Distributed threat protection system: agents installed on individual instances with a central threat management server
Overlay network threat protection solution: build an overlay network on top of your VPC with things like GRE tunnels, VTUN interfaces, or forwarding traffic on another ENI for centralized network traffic analysis and IDS
41
How can Cloudfront help against a DOS/DDOS attack?
A CloudFront edge location sits in front of the back-end server and receives most of what an attacker is likely to send, absorbing the extra requests. There are more charges as you get more traffic, but weigh them against your other options and the costs the attacker may have.
42
What's a privilege escalation gateway
Instead of directly making calls to the AWS infrastructure all requests are performed by proxy systems that are trusted intermediaries. They can improve logging, audit trails, password management, etc.
43
What's the maximum response time for business level premium support case?
1 hour
44
Can you force a failover for any RDS that has multi-AZ configured?
Yes. Rebooted one in the lab.
45
With new RDS DB instances, automated backups are enabled by default. True or False?
True
46
When using a custom VPC and putting an EC2 instance into a public subnet, will it automatically be internet accessible? True or False?
False
47
RDS doesn't support increasing storage on an active ________ instance?
SQL Server
48
Is it possible to perform actions on an existing Amazon EBS Snapshot?
Yes, through the AWS APIs, CLI, and AWS Console.
49
What's the maximum retention period for RDS Backups?
35 days
50
Can you move a reserved instance from one region to another?
No
51
When creating a new Security Group, all inbound traffic is allowed by default. True or False?
False
52
When I create a new security group, all outbound traffic is allowed by default. True or False?
True
53
Which set of RDS database engines is currently available?
Oracle, SQL, MySQL, Postgres
54
If an EBS Volume is an additional partition (not root) can you detach it without stopping the instance?
Yes
55
In RDS What's the max size for a MS SQL instance running SQL Express?
300 GB for the instance; a SQL Express database is limited to 10 GB
56
If you want your application to check RDS for an error, have it look for an ______ node in the response from RDS API
Error | not exit, not abort, not incorrect
57
In RDS changes to backup windows take effect when?
immediately
58
How many copies of your data does Aurora store by default?
6
59
What are the types of conditions you can allow/block with the Web Application Firewall?
cross-site scripting
IP match
geographic match
size constraint
SQL injection
string match
regex (regular expression)
60
Describe the Auto Scaling Group default termination policy
If instances are in multiple AZs, select the AZ with the most instances and at least one instance not protected from scale-in. If more than one AZ has this number of instances, select the one with instances using the older launch configuration.
Determine which unprotected instances in the selected AZ use the oldest launch configuration. If there is one, terminate it.
If multiple instances use the oldest launch configuration, determine which unprotected instances are closest to the next billing hour. If there is one, terminate it.
If more than one unprotected instance is closest to the next billing hour, select one at random.