Security Flashcards

1. Q: DDOS

A: Distributed Denial of Service attack attempts to make your site or app unavailable

Common DDOS attacks include layer 4 attacks such as SYN floods or NTP amplifications

Common layer 7 attacks include floods of GET/POST requests

2. Q: CloudTrail Logging

A: After the fact incident investigation

Near real-time intrusion detection

Industry & regulatory compliance

Remember CloudTrail is basically CCTV for your AWS acct. It logs all API calls made to your AWS account and stores these logs in S3

3. Q: Shield

A: Shield protects against layer 3 & 4 attacks only

Remember that Shield is used for DDOS protection against layer 3 & 4 attacks

Also there are 2 tiers, free and paid

Free comes w/ all accounts

Paid costs 3k per month but gives a dedicated 24/7 DDOS response team

4. Q: AWS WAF

A: Allow all requests except for the ones you specify

Block all requests except the ones you specify

Count the requests that match the properties you specify

WAF operates @ layer 7

WAF can block layer 7 DDOS attacks as well as things like SQL injection & Cross Site Scripting

If you need to block IPs from specific countries you can do this in WAF

5. Q: GuardDuty

A: Uses AI to learn what is normal behavior in your AWS environment. It will then alert you to abnormal or malicious behavior

Updates a DB of known malicious domains using external feeds from third parties

Monitors CloudTrail logs, VPC Flow Logs, & DNS logs

Findings appear in the GuardDuty dashboard

CloudWatch Events can be used to trigger a Lambda function to address a threat

6. Q: Macie

A: Macie crawls S3 buckets looking for PII, PHI & financial data using AI & pattern matching

Great for complying w/ frameworks like HIPAA, PCI, NIST, etc & preventing identity theft

Macie alerts can be sent to EventBridge & integrated w/ your event mgmt systems

Automate remediation actions using other AWS services such as Step Functions

7. Q: Inspector

A: Used to perform vulnerability scans on EC2 & VPC. EC2 requires the agent, VPC does not

These are called Host Assessments (EC2) & Network Assessments (VPC)

You can run these assessments once or weekly

8. Q: KMS

A: A managed service that makes it easy for you to create & control the encryption keys used to encrypt data

You start using the service by requesting the creation of a CMK. You control the lifecycle of the CMK as well as who can use it & who can manage it

Shared Tenancy

Automatic Key Rotation

Automatic Key Generation

9. Q: CloudHSM

A: HSM dedicated to you

Full control of users, groups, keys, etc

No automatic Key Rotation

10. Q: Three Ways to generate a CMK

A: AWS creates the CMK for you. The key material for the CMK is generated in HSMs managed by AWS KMS

Import key material from your own key management infrastructure & associate it w/ a CMK

Have the key material generated & used in an AWS CloudHSM cluster as part of the custom key store feature in AWS KMS

11. Q: Three ways to control permissions in KMS/CloudHSM

A: Use the key policy
Controlling access this way means the full scope of access to the CMK is defined in a single doc, the key policy

Use IAM policies in combo w/ the key policy
Controlling access this way enables you to manage all permissions for your IAM identities in IAM

Use grants in combo w/ the key policy
Controlling access this way enables you to allow access to the CMK in the key policy, as well as to allow users to delegate their access to others

12. Q: Secrets Manager

A: Can be used to securely store your app secrets: db creds, API keys, SSH keys, PWs, etc.

Apps use the Secrets Manager API

Rotating creds is easy, but be careful

Apps w/ hard coded creds: don't turn on rotation or it will change the password and things are gonna break

Make sure all apps are configured to use Secrets Manager before turning on rotation

13. Q: Parameter Store vs. Secrets Manager

A: In the exam you will get scenario based questions:

If you are trying to minimize costs use Parameter Store

If you need more than 10k parameters, key rotation, or the ability to generate passwords using CloudFormation use Secrets Manager

14. Q: Presigned URLs

A: If you see a question about sharing private files in S3 think Presigned URLs

15. Q: Advanced IAM Policies

A: Not explicitly allowed == implicitly denied

Explicit deny trumps allow

Only attached policies take effect

AWS joins all applicable assigned policies

AWS managed vs. customer managed

16. Q: AWS Certificate Manager

A: If you see a question on SSL certs & what services to integrate them w/ think Certificate Manager

Supported services are:
ELB, CloudFront, API Gateway

Benefits:
Certificate Manager is a free service that saves time & $. It automatically renews your SSL certs & rotates the old certs w/ new certs on supported AWS svcs