Misc Exam Tips and Security Best Practices Flashcards

1
Q

Directory Service AD Connector vs Simple AD

A

Simple AD is a cheap AD-compatible service with common directory features

AD Connector lets you connect your local AD to AWS

2
Q

How do you create Cross-Account access with IAM?

A

Create an IAM role with two policies attached

The permissions policy grants users of the role permission to carry out tasks on the resource

The trust policy specifies which trusted accounts are allowed to grant their users permission to assume the role

The trust policy on the role in the trusting account is half of the permissions. The other half is a permissions policy attached to the user in the trusted account, allowing that user to switch to or assume the role

https://docs.aws.amazon.com/IAM/latest/UserGuide/introduction.html

3
Q

Have a good understanding of how Route53 supports all of the different DNS record types, and when you would use certain ones over others.

A

https://docs.aws.amazon.com/Route53/latest/DeveloperGuide/resource-record-sets-choosing-alias-non-alias.html

4
Q

Know when Elastic IP’s are free or not

A

If you add EIPs to an instance you are charged for each of them per hour.

You are even charged when these addresses are associated with a stopped instance or an unattached network interface, to encourage people to use them efficiently

5
Q

High level areas that Trusted Advisor covers

A

https://aws.amazon.com/premiumsupport/trustedadvisor/

Cost Optimization
Fault Tolerance
Performance
Security
Service Limits
6
Q

How to troubleshoot a timeout error when connecting to an instance in a VPC

A

Need a security group allowing inbound traffic from your public IP on the proper port

Need a route sending outbound traffic to the internet gateway for the VPC

Network ACLs must allow both inbound and outbound traffic

8
Q

Know some use cases for Simple Workflow Services

A

https://aws.amazon.com/swf/faqs/

Amazon SWF enables applications for a range of use cases, including media processing, web application back-ends, business process workflows, and analytics pipelines, to be designed as a coordination of tasks. Tasks represent invocations of various processing steps in an application which can be performed by executable code, web service calls, human actions, and scripts.

9
Q

Know how to set up consolidated billing and cross-account access so that department resources are isolated from each other but accounting can oversee it all

A

http://jayendrapatil.com/aws-consolidated-billing/

10
Q

Know how to make changes to an Auto Scaling Group

Know what you can and can’t change

A

Can specify only one launch configuration for an ASG at a time

Cannot modify a launch configuration after creating it

If you need to change it, create a new one and update your ASG with the new one. Existing instances aren’t affected, but new ones use the new config

11
Q

How do DynamoDB, ElastiCache, and S3 compare to each other for durability and latency?

A

DynamoDB - durable, can pay for strong consistency

Elasticache - great speed, not so durable

S3 - eventual consistency, lower latency

https://d0.awsstatic.com/whitepapers/AWS%20Storage%20Services%20Whitepaper-v9.pdf

12
Q

Compare bucket policies, IAM policies, and ACLs for use in S3, with examples of when to use each

A

IAM Policies
Grant users fine-grained access to S3 buckets or objects while retaining control over what users can do

Bucket Policies
Rules apply broadly to all S3 resources
Can restrict access based on IP address or HTTP referrer

ACLs
Grant specific permissions (read, write, full control) to specific users for an individual bucket or object

13
Q

When and how to encrypt snapshots

A

Public snapshots of encrypted volumes are NOT supported

Can share an encrypted snapshot with specific accounts

14
Q

How to use ELB cross-zone load balancing to evenly distribute traffic to EC2 instances in multiple AZs

A

http://jayendrapatil.com/tag/elastic-load-balancer/

15
Q

Autoscaling Lifecycle Hooks

A

Lifecycle hooks enable you to perform custom actions by pausing instances as an Auto Scaling group launches or terminates them. For example, while your newly launched instance is paused, you could install or configure software on it.

Each Auto Scaling group can have multiple lifecycle hooks. However, there is a limit on the number of hooks per Auto Scaling group.

16
Q

Where does a bastion host (jump server) reside?

A

public subnet

17
Q

How do you establish cross-account access?

A

In the trusting account (A), create an IAM policy that grants the trusted account (B) access to the resources.

Account B can delegate that access to its IAM users

Account B cannot delegate more access to its users than it has been granted by account A

18
Q

Steps for Identity Federation

A

The enterprise user accesses the identity broker application

The identity broker authenticates users against the corporate identity store

The identity broker has permission to access the AWS Security Token Service to request temporary credentials

Enterprise users can get a temporary URL that gives them access to the APIs or the Management Console.

19
Q

Describe EC2 key usage for AWS Linux AMI

A

When a new Linux instance is created, an EC2 asymmetric key pair is generated, or you can create your own

When the instance is launched, the public key is appended to the local user’s ~/.ssh/authorized_keys file

The user authenticates using the private key on their computer

20
Q

Describe EC2 key usage for AWS Windows AMI

A

When a new Windows instance is launched, the EC2Config service creates a random Windows Administrator password and encrypts it with the EC2 public key

The user gets the password from the AWS Console or CLI by providing the correct EC2 private key to decrypt it

The password authenticates to Windows

21
Q

Describe a Resource Policy

A

Used where a user creates resources and then wants to allow other users to access them.

The policy is attached to the resource and describes who can do what with it

The user is in control of the resource

22
Q

Describe a Capability policy (AKA user-based permissions in the IAM documentation)?

A

Used to enforce company-wide access policies

Assigned to IAM users directly or through an IAM Group

Can be assigned to a role that’s assumed at run time

Define what capabilities the user is allowed or denied to perform

They can override resource-based policies by explicitly denying them

23
Q

Can IAM policies restrict access to a specific source IP address range, or certain days and times?

A

Yes

24
Q

Are resource and capability policies cumulative?

A

Yes

A user’s effective permissions are the union of the resource policy and the capability permissions granted directly or through group membership

25
Q

What is AWS Cloud HSM?

A

Amazon’s tamper-proof hardware security modules in the cloud for storing and managing encryption keys

Gives you dedicated, single-tenant access to CloudHSM appliance(s)

You manage the cryptographic domain, not AWS

You can have it in multiple AZs with replication for HA

26
Q

6 ways to protect data at rest on S3

A
(PVR-BEE)
Permissions
Versioning
Replication
Backup
Encryption Server-Side (AWS managed)
Encryption Client-Side (Customer managed)
27
Q

8 ways to protect data at rest on EBS

A
Replication (in addition to automatic replication for HW failure)
Backup
Encryption: Microsoft Windows EFS
Encryption: Microsoft Windows BitLocker (only with password, not TPM)
Encryption: Linux dm-crypt
Encryption: TrueCrypt
Encryption: SafeNet
28
Q
Describe EBS (Elastic Block Store)
(Security best practices.pdf 2016)
A

AWS abstract block storage service

You get an EBS volume raw and unformatted, like a new HD

You partition it, create software RAID arrays, format partitions with any file system you choose, and protect the volume

These actions are all opaque to AWS operations

29
Q

Protecting data at rest on Amazon RDS

A

RDS uses the same secure infrastructure as EC2

Can encrypt data at rest at the application layer using built-in encryption functions and keys.

Can encrypt at the platform layer using MySQL crypto functions

30
Q

3 Ways of protecting data in RDS

A

MySQL crypto functions

Oracle Transparent Data Encryption if you bring your own license

Microsoft Transact-SQL data protection

31
Q

How is data on Glacier encrypted?

A

All data is encrypted automatically

Each Glacier archive has a unique key and the archive is encrypted with AES-256

The key is also encrypted with a master key that is rotated regularly

You can encrypt your data before uploading for extra protection

32
Q

How do you protect data at rest with DynamoDB?

A

same as RDS

33
Q

How do you protect data at rest with EMR?

Hadoop cluster

A

Store data in S3 and use server-side encryption
Store data in S3 and use client-side encryption
Encrypt at the application level, entire file
Encrypt at the application level, individual fields
Hybrid mix of the above

34
Q

AWS Recommendations to secure operating systems

A

Disable the root account’s API access key and secret key
Restrict access to limited IP ranges using Security Groups
Password-protect .pem files on user computers
Delete keys from the ~/.ssh/authorized_keys file when no longer needed
Rotate credentials
Regularly run least-privilege checks with IAM Access Advisor and IAM user last-used access keys
Use bastion hosts

35
Q

What can you bootstrap AMIs with?

A

Chef, Puppet, Capistrano, cloud-init, cfn-init

PowerShell and Bash scripts

36
Q

Access Control Methods to Build Network Segments

A

Use VPC to define an isolated network for each workload or organizational entity

Use Security Groups (stateful firewalls) to manage access to instances with similar functions

Use NACLs (stateless firewalls) for granular control of IP protocols and per-source/destination addresses. These work together with Security Groups and are evaluated before them

Use host-based firewalls

Create a threat-protection layer and force all traffic through it

Apply ACLs at other layers (applications and services)

37
Q

6 Guidelines for securing DNS

A

Separate admin-level access; separate roles

Monitoring, alerting, and an audit trail

Network-layer access control; restrict access to only those who need it

Latest stable software with patches

Continuous security testing

All other security controls in place

38
Q

6 Potential layers of AWS security

A
VPC
Firewall rules at the hypervisor layer
NACLs
Security Groups
host-based firewalls
IDS/IPS
39
Q

VPC Features that support threat protection layer technologies

A

Support for multiple layers of load balancers
Use external and internal load balancers for threat management and HA

Support for multiple IP addresses on a single network interface

Support for multiple Elastic Network Interfaces
ENIs allow multiple network interfaces on several instance types, for multi-zone security features

40
Q

If you can’t use inline threat management devices because of latency or other reasons, what two alternatives can you use?

A

Distributed threat protection system
Agents installed on individual instances with a central threat-management server

Overlay network threat protection solution
Build an overlay network on top of your VPC with things like GRE tunnels, VTUN interfaces, or forwarding traffic on another ENI for centralized network traffic analysis and IDS

41
Q

How can CloudFront help against a DoS/DDoS attack?

A

A CloudFront edge location sits in front of the back-end server and receives most of what an attacker is likely to send, absorbing the extra requests.

There are more charges as you get more traffic, but weigh them against your other options and the costs the attacker may incur

42
Q

What’s a privilege escalation gateway

A

Instead of directly making calls to the AWS infrastructure, all requests are performed by proxy systems that are trusted intermediaries.

They can improve logging, audit trails, password management, etc.

43
Q

What’s the maximum response time for a Business-level premium support case?

A

1 hour

44
Q

Can you force a failover for any RDS that has multi-AZ configured?

A

Yes.

Rebooted one in the lab

45
Q

With new RDS DB instances, automated backups are enabled by default. True or false?

A

True

46
Q

When using a custom VPC and putting an EC2 instance into a public subnet, is it automatically internet accessible? True or false

A

False

47
Q

RDS doesn’t support increasing storage on an active ________ instance?

A

SQL Server

48
Q

Is it possible to perform actions on an existing Amazon EBS Snapshot?

A

Yes, through the AWS APIs, CLI, and AWS Console.

49
Q

What’s the maximum retention period for RDS Backups?

A

35 days

50
Q

Can you move a reserved instance from one region to another?

A

No

51
Q

When creating a new Security Group, all inbound traffic is allowed by default. True or False?

A

False

52
Q

When I create a new security group, all outbound traffic is allowed by default. True or False?

A

True

53
Q

Which set of RDS database engines is currently available?

A

Oracle, SQL, MySQL, Postgres

54
Q

If an EBS volume is an additional partition (not root), can you detach it without stopping the instance?

A

Yes

55
Q

In RDS, what’s the max size for an MS SQL instance running SQL Express?

A

300 GB for the instance

SQL Express database limited to 10 GB

56
Q

If you want your application to check RDS for an error, have it look for an ______ node in the response from the RDS API

A

Error

Not exit, not abort, not incorrect

57
Q

In RDS, changes to backup windows take effect when?

A

Immediately

58
Q

How many copies of your data does Aurora store by default?

A

6

59
Q

What are the types of conditions you can allow/block with the Web Application Firewall?

A

Cross-site scripting

IP match

Geographic match

Size constraint

SQL injection

String match

Regex (regular expression)

60
Q

Describe the Auto Scaling Group default termination policy

A

If there are instances in multiple AZs, select the AZ with the most instances and at least one instance not protected from scale-in. If more than one AZ has this number of instances, select the one with instances using the older launch configuration

Determine which unprotected instances in the selected AZ use the oldest launch configuration. If there is one, terminate it

If multiple instances use the oldest launch configuration, determine which unprotected instances are closest to the next billing hour. If there is one, terminate it.

If there is more than one unprotected instance closest to the next billing hour, select one at random