Other Security Services Relevant to Security Exam

Question 1

What does Macie do?

Answer 1

identifies PII in S3, can also be used to analyze Cloudtrail logs to audit who is accessing sensitive data

Question 2

How does Maci classify data?

Answer 2

1) content type 2) file extensions 3) themes (eg: AmEx, Visa) 4) keywords or regex

Question 3

What IAM permissions does Macie need?

Answer 3

IAM permissions for S3 and Cloudtrail, and need to explicitly click Integration and Start Analyzing

Question 4

What does GuardDuty do?

Answer 4

monitors unusual API calls, disable Cloudtrail logging, unauthorized deployments, compromised instances, port scanning, failed logins. Can monitor across multiple accounts

Question 5

To what two places does GuardDuty send alerts to?

Answer 5

It’s own console and CloudWatch events.

Question 6

How long does GuardDuty need to establish baseline?

Answer 6

7-14 days

Question 7

How can applications retrieve credentials?

Answer 7

By making API calls to Secret manager to programmatically retrieve credentials

Question 8

What is the difference between Secrets Manager vs Parameter store?

Answer 8

Secrets Manager has built-in encryption for RDS, auto-rotate RDS secrets, everything is KMS encrypted, built-in integration with RDS (MySQL, PostgreSQL, Aurora), replicate secrets to other regions, PAID

SSM Parameter Store stores all user-defined parameters, can be plaintext or encrypted, no replication of parameters to other regions but is free

Question 9

What is the thing about secrets in Secrets Manager?

Answer 9

Have a waiting period of min 7 days to delete a secret

Question 10

Can SM secrets be replicated to another region, and what happens if you do?

Answer 10

Secrets can be replicated to another region for multi-region apps and DR. Replicated secret cannot be edited but can be promoted to a standalone secret.

Question 11

What is secrets resource policy handy for?

Answer 11

Cross-account access

Question 12

What do secrets have attached?

Answer 12

Versions and labels

Question 13

What is AD Federation?

Answer 13

Allows logging into AWS using existing corporate logins and SSO

Question 14

What is SAML?

Answer 14

Security Assertion Markup Language - enables SSO for AWS accounts

Question 15

What are the AD Federation steps?

Answer 15

1. In AWS, ADFS is added as a trusted provider
2. In ADFS< AWS is configured as Relying Party Trust

Question 16

What is AD Federation login process?

Answer 16

1. User sings into ADFS with corp login
2. ADFS sends a SAML token to AWS sign-in page
3. AWS Sign-in calls STS AssumeRoleWithSAML API to get a temp token
4. User is sent a redirect link to AWS console

Question 17

If you already have on-prem AD, what’s easiest way to give everyone access to AWS?

Answer 17

Configure Active Directory Federation Services (ADFS) in the on-premises data center and configure a two way trust. This is called AWS Federated Authentication

Question 18

What is AWS Security Hub?

Answer 18

Centralized place to aggregate and manage alerts from other security services: GuardDuty, Macie, Inspector, IAM Access Analyzer, Firewall Manager, 3rd party tools. NO Config or CloudTrail!

Question 19

How can Security Hub be used?

Answer 19

Send violations to CloudWatch Events - trigger Lambda/SNS for remediations

Question 20

What needs to be enabled before security hub works?

Answer 20

AWS Config