Misc Exam Tips and Security Best Practices Flashcards

Flashcards in Misc Exam Tips and Security Best Practices Deck (60):
1

Directory Service AD Connector
vs
Simple AD

Simple AD is a cheap, AD-compatible service with common directory features

AD Connector lets you connect your on-premises AD to AWS

2

How do you create Cross-Account access with IAM?

Create an IAM role with two policies attached

The permissions policy grants the user of the role permission to carry out tasks on the resource

The trust policy specifies which trusted accounts are allowed to grant their users permission to assume the role

The trust policy on the role in the trusting account is one half of the permissions. The other half is a permissions policy attached to the user in the trusted account, allowing that user to switch to or assume the role

https://docs.aws.amazon.com/IAM/latest/UserGuide/introduction.html

3

Have a good understanding of how Route53 supports all of the different DNS record types, and when you would use certain ones over others.

https://docs.aws.amazon.com/Route53/latest/DeveloperGuide/resource-record-sets-choosing-alias-non-alias.html

4

Know when Elastic IPs are free and when they are not

If you add EIPs to an instance you are charged for each of them per hour.

You are even charged when these addresses are associated with a stopped instance or an unattached interface, to encourage people to use them efficiently

5

High-level areas that Trusted Advisor covers

https://aws.amazon.com/premiumsupport/trustedadvisor/

Cost Optimization
Fault Tolerance
Performance
Security
Service Limits

6

How to troubleshoot a timeout error when connecting to an instance in a VPC

Need a security group allowing inbound traffic from your public IP on the proper port

Need a route sending outbound traffic to the internet gateway for the VPC

Network ACLs must allow both inbound and outbound traffic

8

Know some use cases for Simple Workflow Services

https://aws.amazon.com/swf/faqs/

Amazon SWF enables applications for a range of use cases, including media processing, web application back-ends, business process workflows, and analytics pipelines, to be designed as a coordination of tasks. Tasks represent invocations of various processing steps in an application which can be performed by executable code, web service calls, human actions, and scripts.

9

Know how to set up consolidated billing and cross-account access so that department resources are isolated from each other but accounting can oversee it all

http://jayendrapatil.com/aws-consolidated-billing/

10

Know how to make changes to an Auto Scaling Group

Know what you can and can't change

Can specify only one launch configuration for an ASG at a time

Cannot modify a launch config after creating it

If you need to change it, create a new one and update your ASG with it. Existing instances aren't affected, but new ones use the new config

11

How do DynamoDB, ElastiCache, and S3 compare to each other for durability and latency?

DynamoDB - durable, can pay for strong consistency

ElastiCache - great speed, not so durable

S3 - eventual consistency, lower latency

https://d0.awsstatic.com/whitepapers/AWS%20Storage%20Services%20Whitepaper-v9.pdf

12

Compare bucket policies, IAM policies, and ACLs for use in S3, with examples of when to use each

IAM Policies
Grant users fine-grained control over S3 buckets or objects while retaining control over what users do

Bucket Policies
Rules apply broadly to all S3 resources
Can restrict access based on IP address or HTTP referrer

ACLs
Grant specific permissions (read, write, full control) to specific users for an individual bucket or object

13

When and how to encrypt snapshots

Public snapshots of encrypted volumes are NOT supported

Can share an encrypted snapshot with specific accounts

14

How to use ELB cross-zone load balancing to evenly distribute traffic to EC2 instances in multiple AZs

http://jayendrapatil.com/tag/elastic-load-balancer/

15

Autoscaling Lifecycle Hooks

Lifecycle hooks enable you to perform custom actions by pausing instances as an Auto Scaling group launches or terminates them. For example, while your newly launched instance is paused, you could install or configure software on it.

Each Auto Scaling group can have multiple lifecycle hooks. However, there is a limit on the number of hooks per Auto Scaling group.

16

Where does a bastion host (jump server) reside?

In a public subnet

17

How do you establish cross-account access?

In the trusting account (A), create an IAM policy that grants the trusted account (B) access to the resources.

Account B can delegate that access to its IAM users

Account B cannot delegate more access to its users than it has been granted by account A

18

Steps for Identity Federation

Enterprise users access the identity broker application

The identity broker authenticates users against the corporate identity store

The identity broker has permission to access the AWS Security Token Service to request temporary credentials

Enterprise users can get a temporary URL that gives them access to APIs or the Management Console.

19

Describe EC2 key usage for the AWS Linux AMI

When a new Linux instance is created, an EC2 asymmetric key pair is generated, or you can create your own

When the instance is launched, the public key is appended to the local user's ~/.ssh/authorized_keys file

The user authenticates using the private key on their computer

20

Describe EC2 key usage for the AWS Windows AMI

When a new Windows instance is launched, the EC2Config service creates a random Windows Administrator password and encrypts it with the EC2 public key

The user gets the password from the AWS Console or CLI by providing the correct EC2 private key to decrypt it

That password authenticates to Windows

21

Describe a Resource Policy

Used where a user creates resources and then wants to allow other users to access them.

The policy is attached to the resource and describes who can do what with it

The user is in control of the resource

22

Describe a Capability policy (AKA user-based permissions in the IAM documentation)

Used to enforce company-wide access policies

Assigned to IAM users directly or through an IAM group

Can be assigned to a role that's assumed at run time

Defines what capabilities the user is allowed or denied to perform

They can override resource-based policies by explicitly denying them

23

Can IAM policies restrict access to a specific source IP address range, or certain days and times?

Yes

24

Are resource and capability policies cumulative?

Yes

A user's effective permissions are the union of a resource policy and the capability permissions granted directly or through group membership

25

What is AWS CloudHSM?

Amazon's tamper-proof Hardware Security Modules in the cloud for storing and managing encryption keys

Gives you dedicated single-tenant access to CloudHSM appliance(s)

You manage the cryptographic domain, not AWS

You can have it in multiple AZs with replication for HA

26

6 ways to protect data at rest on S3

(PVR-BEE)
Permissions
Versioning
Replication
Backup
Encryption Server-Side (AWS managed)
Encryption Client-Side (Customer managed)

27

8 ways to protect data at rest on EBS

Replication (in addition to auto replication for HW failure)
Backup
Encryption: Microsoft Windows EFS
Encryption: Microsoft Windows BitLocker (only with password, not TPM)
Encryption: Linux dm-crypt
Encryption: TrueCrypt
Encryption: SafeNet

28

Describe EBS (Elastic Block Store)
(Security best practices.pdf 2016)

AWS abstract block storage service

You get an EBS volume raw and unformatted, like a new hard disk

You partition it, create software RAID arrays, format partitions with any file system you choose, and protect the volume

These actions are all opaque to AWS operations

29

Protecting data at rest on Amazon RDS

RDS uses the same secure infrastructure as EC2

Can encrypt data at rest at the application layer using built-in encryption functions and keys.

Can encrypt at the platform layer using MySQL crypto functions

30

3 ways of protecting data in RDS

MySQL crypto functions

Oracle Transparent Data Encryption if you bring your own license

Microsoft Transact-SQL data protections

31

How is data on Glacier encrypted?

All data is encrypted automatically

Each Glacier archive has a unique key and the archive is encrypted with AES-256

The key is also encrypted with a master key that is rotated regularly

You can encrypt your data before uploading for extra protection

32

How do you protect data at rest with DynamoDB?

same as RDS

33

How do you protect data at rest with EMR?
(Hadoop cluster)

Store data in S3 and use server-side encryption
Store data in S3 and use client-side encryption
Encrypt at the application level, the entire file
Encrypt at the application level, individual fields
A hybrid mix of the above

34

AWS recommendations to secure operating systems

Disable the root account's API access key and secret key
Restrict access to limited IP ranges using Security Groups
Password-protect .pem files on user computers
Delete keys from the ~/.ssh/authorized_keys file when no longer needed
Rotate credentials
Regularly run least-privilege checks with IAM User Access Advisor and the IAM user Last Used Access Keys information
Use bastion hosts

35

What can you bootstrap AMIs with?

Chef, Puppet, Capistrano, cloud-init, cfn-init

PowerShell and Bash scripts

36

Access control methods to build network segments

Use a VPC to define an isolated network for each workload or organizational entity

Use Security Groups (stateful firewalls) to manage access to instances with similar functions

Use NACLs (stateless firewalls) for granular control of IP protocols and per-source/destination addresses. These can work together with Security Groups and act before them

Use host-based firewalls

Create a threat-protection layer and force all traffic through it

Apply ACLs at other layers (applications and services)

37

6 guidelines for securing DNS

Separate admin-level access; separate roles

Monitoring, alerting, and an audit trail

Network-layer access control: restrict access to only those who need it

Latest stable software with patches

Continuous security testing

All other security controls in place

38

6 potential layers of AWS security

VPC
Firewall rules at the hypervisor layer
NACLs
Security Groups
Host-based firewalls
IDS/IPS

39

VPC features that support threat protection layer technologies

Support for multiple layers of load balancers
Use external and internal load balancers for threat management and HA

Support for multiple IP addresses on a single network interface

Support for multiple Elastic Network Interfaces
ENIs allow multiple network interfaces on several instance types, for multi-zone security features

40

If you can't use inline threat management devices because of latency or other reasons, what two alternatives can you use?

Distributed threat protection system
Agents installed on individual instances with a central threat management server

Overlay network threat protection solution
Build an overlay network on top of your VPC with things like GRE tunnels, VTUN interfaces, or forwarding traffic on another ENI for centralized network traffic analysis and IDS

41

How can CloudFront help against a DoS/DDoS attack?

A CloudFront edge location sits in front of the back-end server and receives most of what an attacker is likely to send, absorbing the extra requests.

There are more charges as you get more traffic, but weigh them against your other options and the costs the attacker may incur

42

What's a privilege escalation gateway?

Instead of directly making calls to the AWS infrastructure, all requests are performed by proxy systems that are trusted intermediaries.

They can improve logging, audit trails, password management, etc.

43

What's the maximum response time for a Business-level Premium Support case?

1 hour

44

Can you force a failover for any RDS instance that has Multi-AZ configured?

Yes.

Rebooted one in the lab

45

With new RDS DB instances, automated backups are enabled by default. True or False?

True

46

When using a custom VPC and putting an EC2 instance into a public subnet, is it automatically internet accessible? True or False

False

47

RDS doesn't support increasing storage on an active ________ instance?

SQL Server

48

Is it possible to perform actions on an existing Amazon EBS Snapshot?

Yes, through the AWS APIs, CLI, and AWS Console.

49

What's the maximum retention period for RDS Backups?

35 days

50

Can you move a reserved instance from one region to another?

No

51

When creating a new Security Group, all inbound traffic is allowed by default. True or False?

False

52

When I create a new security group, all outbound traffic is allowed by default. True or False?

True

53

Which set of RDS database engines is currently available?

Oracle, SQL, MySQL, Postgres

54

If an EBS volume is an additional partition (not root), can you detach it without stopping the instance?

Yes

55

In RDS, what's the max size for an MS SQL instance running SQL Express?

300 GB for the instance

SQL Express database limited to 10 GB

56

If you want your application to check RDS for an error, have it look for an ______ node in the response from the RDS API

Error

(not Exit, not Abort, not Incorrect)

57

In RDS changes to backup windows take effect when?

immediately

58

How many copies of your data does Aurora store by default?

6

59

What are the types of conditions you can allow/block with the Web Application Firewall?

Cross-site scripting

IP match

Geographic match

Size constraint

SQL injection

String match

Regex (regular expression) match

60

Describe the Auto Scaling Group default termination policy

If there are instances in multiple AZs, select the AZ with the most instances and at least one instance not protected from scale-in. If more than one AZ has this number of instances, select the one with instances using an older launch configuration

Determine which unprotected instances in the selected AZ use the oldest launch configuration. If there is one, terminate it

If multiple instances use the oldest launch configuration, determine which unprotected instances are closest to the next billing hour. If there is one, terminate it.

If there is more than one unprotected instance closest to the next billing hour, select one at random