Misc Exam Tips and Security Best Practices Flashcards Preview


Flashcards in Misc Exam Tips and Security Best Practices Deck (60):

Directory Service AD Connector
Simple AD

Simple AD is a cheap, AD-compatible service with common directory features

AD Connector lets you connect your local AD to AWS


How do you create Cross-Account access with IAM?

Create an IAM role with two policies attached

The permissions policy grants the user of the role permission to carry out tasks on the resource

The trust policy specifies which trusted accounts are allowed to grant their users permission to assume the role

The trust policy on the role in the trusting account is half of the permissions. The other half is a permissions policy attached to the user in the trusted account, allowing that user to switch to or assume the role



Have a good understanding of how Route53 supports all of the different DNS record types, and when you would use certain ones over others.



Know when Elastic IPs are free or not

If you add EIPs to an instance, you are charged for each of them per hour.

You are even charged when these addresses are associated with a stopped instance or an unattached interface, to encourage people to use them efficiently


High level areas that Trusted Advisor covers


Cost Optimization
Fault Tolerance
Service Limits


How to troubleshoot a timeout error when connecting to an instance in a VPC

Need a security group allowing inbound traffic from your public IP on the proper port

Need a route sending outbound traffic to the internet gateway for the VPC

Network ACLs must allow both inbound and outbound traffic


Know some use cases for Simple Workflow Service


Amazon SWF enables applications for a range of use cases, including media processing, web application back-ends, business process workflows, and analytics pipelines, to be designed as a coordination of tasks. Tasks represent invocations of various processing steps in an application which can be performed by executable code, web service calls, human actions, and scripts.


Know how to set up consolidated billing and cross-account access so department resources are isolated from each other but accounting can oversee it all



Know how to make changes to an Auto Scaling Group

Know what you can and can't change

You can specify only one launch configuration for an ASG at a time

You cannot modify a launch configuration after creating it

If you need to change it, create a new one and update your ASG with it. Existing instances aren't affected, but new ones use the new configuration


How do DynamoDB, ElastiCache, and S3 compare to each other for durability and latency?

DynamoDB - durable, can pay for strong consistency

ElastiCache - great speed, not so durable

S3 - eventual consistency, lower latency



Compare bucket policies, IAM policies, and ACLs for use in S3, and give examples of when to use each

IAM Policies
Grant users fine-grained control over an S3 bucket or objects while retaining control over what users do

Bucket Policies
Rules apply broadly to all S3 resources
Can restrict access based on IP address or HTTP referrer

ACLs
Grant specific permissions (read, write, full control) to specific users for an individual bucket or object


When and how to encrypt snapshots

Public snapshots of encrypted volumes are NOT supported

You can share an encrypted snapshot with specific accounts


How to use ELB cross-zone load balancing to evenly distribute traffic to EC2 instances in multiple AZs



Auto Scaling Lifecycle Hooks

Lifecycle hooks enable you to perform custom actions by pausing instances as an Auto Scaling group launches or terminates them. For example, while your newly launched instance is paused, you could install or configure software on it.

Each Auto Scaling group can have multiple lifecycle hooks. However, there is a limit on the number of hooks per Auto Scaling group.


Where does a bastion host (jump server) reside?

In a public subnet


How do you establish cross-account access?

In the trusting account (A), create an IAM policy that grants the trusted account (B) access to the resources.

Account B can delegate that access to its IAM users

Account B cannot delegate more access to its users than it has been granted by account A


Steps for Identity Federation

Enterprise users access the identity broker application

The identity broker authenticates users against the corporate identity store

The identity broker has permission to access the AWS Security Token Service to request temporary credentials

Enterprise users can get a temporary URL that gives them access to APIs or the Management Console.


Describe EC2 key usage for an AWS Linux AMI

When a new Linux instance is created, an EC2 asymmetric key pair is generated, or you can create your own

When the instance is launched, the public key is appended to the local user's ~/.ssh/authorized_keys file

The user authenticates using the private key on their computer


Describe EC2 key usage for an AWS Windows AMI

When a new Windows instance is launched, the EC2Config service creates a random Windows Administrator password and encrypts it with the EC2 public key

The user gets the password from the AWS Console or CLI by providing the correct EC2 private key to decrypt it

The password authenticates to Windows


Describe a Resource Policy

Used where a user creates resources and then wants to allow other users to access them.

The policy is attached to the resource and describes who can do what with it

The user is in control of the resource


Describe a capability policy (AKA user-based permissions in the IAM documentation)

Used to enforce company-wide access policies

Assigned to IAM users directly or through an IAM group

Can be assigned to a role that's assumed at run time

Defines what capabilities the user is allowed or denied to perform

They can override resource-based policies by explicitly denying them


Can IAM policies restrict access to a specific source IP address range, or certain days and times?



Are resource and capability policies cumulative?


A user's effective permissions are the union of the resource policy and the capability permissions granted directly or through group membership


What is AWS Cloud HSM?

Amazon's tamper-proof Hardware Security Modules in the cloud for storing and managing encryption keys

Gives you dedicated, single-tenant access to one or more CloudHSM appliances

You manage the cryptographic domain, not AWS

You can have it in multiple AZs with replication for HA


6 ways to protect data at rest on S3

Encryption Server-Side (AWS managed)
Encryption Client-Side (Customer managed)


8 ways to protect data at rest on EBS

Replication (in addition to automatic replication for HW failure)
Encryption: Microsoft Windows EFS
Encryption: Microsoft Windows BitLocker (only with password, not TPM)
Encryption: Linux dm-crypt
Encryption: TrueCrypt
Encryption: SafeNet


Describe EBS (Elastic Block Store)
(Security best practices.pdf 2016)

AWS abstract block storage service

You get an EBS volume raw and unformatted, like a new HD

You partition it, create software RAID arrays, format partitions with any file system you choose, and protect the volume

These actions are all opaque to AWS operations


Protecting data at rest on Amazon RDS

RDS uses the same secure infrastructure as EC2

Can encrypt data at rest at the application layer using built-in encryption functions and keys.

Can encrypt at the platform layer using MySQL crypto functions


3 Ways of protecting data in RDS

MySQL crypto functions

Oracle Transparent Data Encryption if you bring your own license

Microsoft Transact-SQL data protections


How is data on Glacier encrypted?

All data is encrypted automatically

Each Glacier archive has a unique key, and the archive is encrypted with AES-256

The key is also encrypted with a master key, which is rotated regularly

You can encrypt your data before uploading for extra protection


How do you protect data at rest with DynamoDB?

same as RDS


How do you protect data at rest with EMR?
(Hadoop cluster)

Store data in S3 and use server-side encryption
Store data in S3 and use client-side encryption
Encrypt at the application level, entire file
Encrypt at the application level, individual fields
Hybrid mix of the above


AWS Recommendations to secure operating systems

Disable the root account's API access key and secret key
Restrict access to limited IP ranges using Security Groups
Password-protect .pem files on user computers
Delete keys from the ~/.ssh/authorized_keys file when no longer needed
Rotate credentials
Regularly run least-privilege checks with IAM Access Advisor and the IAM user "access key last used" information
Use bastion hosts


What can you bootstrap AMIs with?

Chef, Puppet, Capistrano, cloud-init, cfn-init

PowerShell and Bash scripts


Access Control Methods to Build Network Segments

Use a VPC to define an isolated network for each workload or organizational entity

Use Security Groups (stateful firewalls) to manage access to instances with similar functions

Use NACLs (stateless firewalls) for granular control of IP protocols and per-source/destination addresses. These can work with Security Groups and act before them

Use host-based firewalls

Create a threat-protection layer and force all traffic through it

Apply ACLs at other layers (applications and services)


6 Guidelines for securing DNS

Separate admin-level access. Separate roles

Monitoring, alerting, and an audit trail

Network-layer access control. Restrict access to only those who need it

Latest stable software with patches

Continuous security testing

All other security controls in place


6 Potential layers of AWS security

Firewall rules at the hypervisor layer
Security Groups
Host-based firewalls


VPC Features that support threat protection layer technologies

Support for multiple layers of load balancers
Use external and internal load balancers for threat management and HA

Support for multiple IP addresses on a single network interface

Support for multiple Elastic Network Interfaces
ENIs allow multiple network interfaces on several instance types, for multi-zone security features


If you can't use inline threat management devices because of latency or other reasons, what two alternatives can you use?

Distributed threat protection system
Agents installed on individual instances with a central threat management server

Overlay network threat protection solution
Build an overlay network on top of your VPC with things like GRE tunnels, VTUN interfaces, or forwarding traffic on another ENI for centralized network traffic analysis and IDS


How can CloudFront help against a DoS/DDoS attack?

A CloudFront edge location sits in front of the back-end server and receives most of what an attacker is likely to send, absorbing the extra requests.

There are more charges as you get more traffic, but weigh them against your other options and the costs the attacker may incur


What's a privilege escalation gateway?

Instead of making calls to the AWS infrastructure directly, all requests are performed by proxy systems that are trusted intermediaries.

They can improve logging, audit trails, password management, etc.


What's the maximum response time for a business-level premium support case?

1 hour


Can you force a failover for any RDS that has multi-AZ configured?


rebooted one in the lab


With new RDS DB instances, automated backups are enabled by default. True or False?



When using a custom VPC and putting an EC2 instance into a public subnet, will it automatically be internet accessible? True or False?



RDS doesn't support increasing storage on an active ________ instance

SQL Server


Is it possible to perform actions on an existing Amazon EBS Snapshot?

Yes, through the AWS APIs, CLI, and AWS Console.


What's the maximum retention period for RDS Backups?

35 days


Can you move a reserved instance from one region to another?



When creating a new Security Group, all inbound traffic is allowed by default. True or False?



When I create a new security group, all outbound traffic is allowed by default. True or False?



Which set of RDS database engines is currently available?

Oracle, SQL, MySQL, Postgres


If an EBS volume is an additional partition (not root), can you detach it without stopping the instance?



In RDS, what's the max size for an MS SQL instance running SQL Express?

300 GB for the instance

SQL Express database limited to 10 GB


If you want your application to check RDS for an error, have it look for an ______ node in the response from the RDS API


(not exit, not abort, not incorrect)


In RDS, when do changes to the backup window take effect?



How many copies of your data does Aurora store by default?



What are the types of conditions you can allow/block with the Web Application Firewall?

Cross-site scripting

IP match

Geographic match

Size constraint

SQL injection

String match

Regex (regular expression) match


Describe the Auto Scaling Group default termination policy

If there are instances in multiple AZs, select the AZ with the most instances and at least one instance not protected from scale-in. If more than one AZ has this number of instances, select the one with instances using the older launch configuration

Determine which unprotected instances in the selected AZ use the oldest launch configuration. If there is exactly one, terminate it

If multiple instances use the oldest launch configuration, determine which unprotected instances are closest to the next billing hour. If there is exactly one, terminate it.

If there is more than one unprotected instance closest to the next billing hour, select one at random