1
Q
What is a DDoS Attack?
A
A Distributed Denial of Service (DDoS) Attack is an attack that attempts to make your website or application unavailable to your end users.
This can be achieved through multiple mechanisms, such as large packet floods, but using a combination of reflection and amplification techniques, or by using large botnets.
2
Q
What is a Layer 4 DDoS Attack?
A
A Layer 4 DDoS Attack is often referred to as a “SYN flood”. It works at the transport layer (TCP).
To establish a TCP connection a 3-way handshake takes place. The client sends a SYN packet to a server, the server replies with a SYN-ACK, and the client then responds to that with an ACK.
After the “3-way handshake” is complete, the TCP connection is established. After this, applications begin sending data using Layer 7 (application layer protocol), such as HTTP, etc.
A SYN Flood uses the built-in patience of the TCP stack to overwhelm a server by sending a large number of SYN packets and then ignoring the SYN-ACKs returned by the server. This causes the server to use up resources waiting for a set amount of time for the anticipated ACK that should come from a legitimate client.
3
Q
What happens to the server when it is under a SYN Attack?
A
There are only so many concurrent TCP connections that a web server or application server can have open, so if an attacker sends enough SYN packets to a server, it can easily eat through the allowed number of TCP connections.
This then prevents legitimate requests from being answered by the server.
4
Q
What is an Amplification Attack?
A
Amplification/reflection attacks can include things such as NTP, SSDP, DNS, CharGEN, SNMP attacks, etc.
This is where an attacker may send a third-party server (such as an NTP, or Network Time Protocols, server) a request using a spoofed IP address.
That server then responds to that request with a greater payload than the initial request (usually within the region of 28-54 times larger than the request) to the spoofed IP address.
This means the attacker sends a packet with a spoofed IP address of 64 bytes, the NTP server would respond with up to 3,456 bytes of traffic.
Attackers can coordinate this and use multiple NTP servers as second to send legitimate NTP traffic to the target.
5
Q
What is a Layer 7 Attack?
A
A Layer 7 attack occurs where a web server receives a flood of GET or POST requests, usually from a botnet or a large number of compromised computers.
6
Q
What is AWS CloudTrail?
A
AWS CloudTrail increases visibility into your user and resource activity by recording AWS Management Console actions and API calls and storing the logs in S3.
You can identify which users and accounts called AWS, the source IP address from which the calls were made, and when the calls occurred.
This of CloudTrail as CCTV monitoring for your AWS account.
7
Q
What is an example of activity that is not recorded in AWS CloudTrail?
A
RDP or SSH traffic
8
Q
What information is logged in AWS CloudTrail?
A
- Metadata around API calls
- The identity of the API caller
- The time of the API call
- The source IP address of the caller
- The request parameters
- The response elements returned by the service
9
Q
What are the benefits of AWS CloudTrail?
A
- After-the-fact incident investigation
- Near real-time intrusion detection (by integrating CloudTrail with Lambda)
- Industry and regulatory compliance
10
Q
What is AWS Shield?
A
It is free DDoS protection
- Protects all customers on Elastic Load Balancing (ELB), Amazon CloudFront and Route 53.
- It protects against SYN/UDP floods, reflection attacks, and other Layer 3 and 4 attacks
11
Q
What is AWS Shield Advanced?
A
It provides enhanced protections for your applications running on Elastic Load Balancing (ELB), Amazon CloudFront and Route 53 against larger and more sophisticated DDoS attacks.
- Offers always-on, flow-based monitoring of network traffic and active application monitoring to provide near-real-time notifications of DDoS attacks
- Gives you 24/7 access to the DDoS Response Team (DRT) to help manage and mitigate application-layer DDoS attacks.
- Protects your AWS bill against higher fees due to Elastic Load Balancing (ELB), Amazon CloudFront and Route 53 usage spikes during a DDoS attack.
12
Q
What are the costs related to AWS Shield Advanced?
A
Shield Advanced costs $3,000 USD per month
13
Q
What layers does AWS Shield protect against?
A
Layer 3 and Layer 4 attacks
14
Q
What is AWS WAF?
A
AWS WAF is a web application firewall that lets you monitor the HTTP and HTTPS requests that are forwarded to Amazon CloudFront or an Application Load Balancer.
AWS WAF also lets you control access to your content.
You can configure conditions such as what IP addresses are allowed to make this request or what query string parameters need to be passed for the request to be allowed.
The Application Load Balancer or CloudFront will either allow this content to be received or give an HTTP 403 status code.
15
Q
What layer does AWS WAF operate at?
A
Layer 7
16
Q
If you are given a scenario that talks about Layer 4 attacks, what service would you recommend?
A
AWS Shield
17
Q
If you are given a scenario that talks about Layer 7 attacks, what service would you recommend?
A
AWS WAF
18
Q
What are the behaviors of AWS WAF?
A
- Allows all requests except the ones you specify
- Blocks all requests except the ones you specify
- Count the requests that match the properties you specify
19
Q
What characteristics of web requests can you use to define conditions in AWS WAF?
A
- IP addresses that requests originate from
- Country that requests originate from
- Values in request headers
- Presence of SQL code that is likely to be malicious (called SQL injection)
- Presence of a script that is likely to be malicious (known as cross-site scripting)
- Strings that appear in requests - either specific strings or strings that match regular expression (regex) patterns
20
Q
What type of attacks can AWS WAF protect against?
A
- Layer 7 DDoS attacks
- SQL injection
- Cross-site scripting
21
Q
What is Amazon GuardDuty?
A
GuardDuty is a threat detection service that uses machine learning to continuously monitor for malicious behavior, like:
- Unusual API calls, or calls from known malicious IP addresses
- Attempts to disable CloudTrail logging
- Unauthorized deployments
- Reconnaissance by would-be attackers
- Port scanning, failed logins
22
Q
What are the features of Amazon GuardDuty?
A
- Alerts appear in the GuardDuty Console and CloudWatch Events
- Receives feeds from third parties like ProofPoint and CloudStrike, as well as AWS Security, about known malicious domains and IP addresses, etc.
- Monitors CloudTrail logs, VPC Flow Logs, and DNS logs
- Centralize threat detection across multiple AWS accounts
- Automated response using CloudWatch Events and Lambda
- Machine learning and anomaly detection
23
Q
How does the threat detection using AI work in Amazon GuardDuty?
A
It takes 7-14 days to set a baseline - what is normal behavior in your account?
Once active, you will see findings in GuardDuty console and in CloudWatch Events only if GuardDuty detects behavior is considered a threat.
24
Q
What are the fees related to using AWS GuardDuty?
A
The first 30 days are free!
And then your charges are based on:
- Quantity of CloudTrail events
- Volume of DNS and VPC Flow Logs
25
If you are given a scenario that is talking about using AI and automation to protect your whole AWS account, and to monitor things like CloudTrail, VPC Flow Logs and DNS logs, what service would you recommend?
AWS GuardDuty
26
What is AWS Firewall Manager?
AWS Firewall Manager is a security management service in a single pane of glass. This allows you to centrally set up and manage firewall rules across multiple AWS accounts and applications in AWS Organizations.
You can create new AWS WAF rules for your Application Load Balancers, API Gateways, and Amazon CloudFront Distributions.
You can also mitigate DDoS attacks using AWS Shield Advanced for your Application Load Balancers, Elastic IP Addresses, CloudFront Distributions, and more.
27
What are the benefits of using AWS Firewall Manager?
1. Simplify management of firewall rules across your accounts - one single pane of glass allows you to manage security across multiple AWS services and accounts
2. Ensure compliance of existing and new applications - Firewall Manager automatically enforces security policies that you create across existing and newly created resources, across multiple accounts
28
If you are given a scenario where it talks about needing to manage the resources that need to be secured across multiple accounts, what service would you recommend?
AWS Firewall Manager
29
What is PII?
Personally Identifiable Information
1. Personal data used to establish a person's identity
2. This data could be exploited by criminals, used in identity theft, and financial fraud
3. Home address, email address, Social Security Number, Passport Number, drivers license number, date of birth, phone number, bank account number, credit card number, etc.
30
What is Amazon Macie?
Macie uses machine learning and pattern matching to discover sensitive data stored in S3.
1. Uses AI to recognized if your S3 objects contain sensitive data, such as PII, PHI and financial data
2. Alerts you to unencrypted buckets
3. Alerts you about public buckets
4. Can also alert you about buckets shared with AWS accounts outside of those defined in your AWS Organization
5. Great for frameworks such as HIPAA (governs the way healthcare information is stored in the US) and GDPR (governs the way PII is stored in the UK)
31
How can you use alerts from Amazon Macie?
1. You can filter and search Macie alerts on the console.
2. Alerts sent to Amazon EventBridge can be integrated with your security incident and event management or CM systems
3. Can be integrated with AWS Security Hub for a broader analysis of your organization's security posture
4. Can also be integrated with other AWS services, such as Step Functions, to automatically take remediation actions
32
If you are given a scenario where it is talking about PII and how you can prevent this from being leaked accidentally in S3, what service would you recommend?
Amazon Macie
33
What is Amazon Inspector?
Amazon Inspector is an automated security assessment service that helps improve the security and compliance of applications deployed on AWS.
Amazon Inspector automatically assesses applications for vulnerabilities or deviations from best practices.
It is used to perform vulnerability scans on both EC2 instances and VPCs.
34
How are assessment findings handled in Amazon Inspector?
After an assessment, Amazon Inspector produces a detailed list of security findings prioritized by level of severity.
These findings can be reviewed directly or as part of detailed assessment reports that are available via the Amazon Inspector console or API.
35
What are the two types of assessments performed in Amazon Inspector?
1. Network Assessments - network configuration analysis to check for ports reachable outside the VPC (Inspector agent is not required)
2. Host Assessments - vulnerable software (CVE), host hardening (CIS, or Center of Information Security, Benchmarks) and security best practices (Inspector agent is required)
36
How do you set up Amazon Inspector?
1. Create assessment target
2. Install agents on EC2 instances - AWS automatically installs the agent for instances that allow System Manager Run Command
3. Create assessment template
4. Perform assessment run
5. Review findings against the rules
You can choose to run the assessment once or run them weekly.
37
If you are given a scenario that talks about vulnerability scans, what service would you recommend?
Amazon Inspector
38
What is AWS KMS?
AWS Key Management Service (KMS) is a managed service that makes it easy for you to create and control the encryption keys used to encrypt your data.
39
What services does AWS KMS integrate with?
1. EBS
2. S3
3. RDS
and more...
40
How are encryption keys controlled in AWS KMS?
AWS provides you with centralized control over the lifecycle and permissions of your keys.
You can create new keys whenever you wish, and you can control who can manage the keys separately from who can use them.
41
What is a Customer Managed Key (CMK) in AWS KMS?
A Customer Managed Key (CMK) is a logical representation of a master key. The CMK includes metadata, such as the key ID, creation date, description and key state.
The CMK also contains the key material used to encrypt and decrypt data.
42
What are the three ways to generate a Customer Managed Key (CMK) in AWS KMS?
You request the creation of the CMK, and also control the lifecycle of the CMK as well who can use it and manage it.
1. AWS creates a CMK for you. The key material for a CMK is generated within HSMs managed by AWS KMS.
2. Import key material from your own key management infrastructure and associate it with a CMK.
3. Have the key material generated and used in an AWS CloudHSM cluster as part of the custom key store feature in AWS KMS
43
What is an HSM?
A hardware security module (HSM) is a physical computing device that safeguards and managed digital keys and performs encryption and decryption functions.
An HSM contains one or more secure cryptoprocessor chips.
44
How does key rotation work in AWS KMS?
You can choose to have AWS KMS automatically rotate CMKs every year, provided that those keys were generated within the AWS KMS HSMs.
Automatic key rotation is not supported for imported keys, asymmetric keys, or keys generated in an AWS CloudHSM cluster using the AWS KMS custom key store feature.
45
How do you manage access to AWS KMS keys?
The primary way to manage access to your AWS KMS CMKs is with policies. Policies are documents that describe who has access to what.
Policies attached to an IAM identity are called identity-based policies (or IAM policies), and policies attached to other kinds of resources are called resource-based policies.
46
What are Key Policies in AWS KMS?
In AWS KMS, you must attach resource-based policies to your customer managed keys (CMKs). These are called key policies.
All KMS CMKs have a key policy.
47
What are the three ways to control permissions of keys in AWS KMS?
1. Use the key policy - controlling access this way means the full scope of access to the CMK is defined in a single document (the key policy)
2. Use IAM policies in combination with the key policy - controlling access this way enables you to manage all the permissions for your IAM identities in IAM
3. Use grants in combination with the key policy - controlling access this way enables you to allow access to the CMK in the key policy as well as allow users to delegate their access to others
48
What is CloudHSM?
AWS CloudHSM is a cloud-based HSM that enables you to easily generate and use your own encryption keys on the AWS Cloud
It's a physical device, entirely dedicated to you, that can be deployed in a highly available fashion
49
What is the difference between KMS and CloudHSM?
KMS
1. Shared tenancy of underlying hardware
2. Automatic key rotation
3. Automatic key generation
CloudHSM
1. Dedicated HSM to you
2. Full control of underlying hardware
3. Full control of users, groups, keys, etc.
4. No automatic key rotation
50
What is Secrets Manager?
Secrets Manager is a service that securely stores, encrypts, and rotates your database credentials and other secrets.
1. It has encryption in transit and at rest using KMS
2. Automatically rotates credentials
3. Apply fine-grained access control using IAM policies
4. Costs money but is highly scalable
Your application makes an API call to Secrets Manager to retrieve the secret programmatically.
It reduces the risk of credentials being compromised.
51
What type of secrets can be stored in Secrets Manager?
1. RDS credentials
2. Credentials for non-RDS databases
3. Any other type of secret, provided you can store it as a key-value pair (SSH keys, API keys)
52
If you are given a scenario where you want to enable key rotation in Secrets Manager but your application might have the credentials hard-coded in it. What should be done first before enabling key rotation?
Ensure that all your applications that have the hard-coded credentials are updated to retrieve the credentials from the secret using Secrets Manager.
53
What is Parameter Store?
Parameter Store is a capability of AWS Systems Management that provides secure, hierarchical storage for configuration data management and secrets management
You can store things such as passwords, database strings, Amazon Machine Image (AMI) IDs, and license codes as parameter values. You can store values as plain text or encrypted data.
54
What is the cost of using Parameter Store?
It is free!
55
What are the 2 key limitations of using Parameter Store vs Secrets Manager?
1. There is limit to the number of parameters you can store (currently 10,000)
2. There is no key rotation provided
56
If you are given a scenario where you need to store secrets but are trying to minimize costs, what service would you recommend?
Parameter Store
57
If you are given a scenario where you have more than 10,000 parameters, need key rotation or the ability to generate passwords using CloudFormation, what service would you recommend?
Secrets Manager
58
When using S3 to store objects, what are the default privacy settings?
All objects in S3 are private by default.
Only the object owner has permission to access these objects. However, the object owner can optionally share objects with others by creating a presigned url, using their own security credentials, to grant time-limited permission to download the objects.
59
What are presigned URLS in S3?
When you create a presigned URL for your object, you must provide your security credentials, specify a bucket name and an object key, and indicate the HTTP method (or GET to download the object) as well as the expiration date and time.
The presigned URLs are valid only for the specified duration.
60
What access is allowed to those you have a presigned URL from S3?
Anyone who receives the presigned URL can then access the object.
For example, if you have a video in your bucket and both the bucket and the object are private, you can share the video with others by generating a presigned URL.
61
If you are given a scenario where you need to share a file from S3 but it is in a private bucket, what would you recommend doing to share the file?
Use a presigned URL
62
What are presigned cookies?
This can be useful when you want to provide access to multiple restricted files. The cookie will be saved on the user's computer, and they will be able to browse the entire contents of the restricted content.
63
If you are given a scenario where you are building a photo template website and you have many photos in a restricted bucket in S3. Your users have to sign up to your website, create an account, and pay money and once they have enabled their subscription, they are free to download any photo template file. What would you recommend to allow access to all the photo templates in the restricted bucket?
Use presigned cookies in S3
64
What is the structure of an AWS ARN?
arn:partition:service:region:account_id:
And end with:
resource
resource_type/resource
resource_type/resource/qualifier
resource_type/resource:qualifier
resource_type:resource
resource_type:resource:qualifier
Example:
arn:aws:iam::123456789012:user/ryan
arn:aws:s3:::my_awesome_bucket/image.png
arn:aws:dynamodb:us-east-1:123456789012:table/orders
arn:aws:ec2:us-east-1:123456789012:instance/*
65
What are IAM policies?
1. JSON document that defines permissions
2. They have no affect until they are attached
3. They are a list of statements - each statement matches and AWS API request
4. If you don't explicitly allow something, then it is implicitly denied
5. If you have an explicit denial for something, it trumps everything else
6. You can have multiple policies joined to a specific resource
7. There are both AWS managed and customer managed policies
66
What are the two types of policies?
1. Identity policy - used for applying policies to users and groups
2. Resource policy - used for controlling access to things like S3 buckets or to our KMS CMKs, etc.
67
What is the SID in a policy in AWS IAM?
The SID is a human readable string to tell you what the policy is going to do
68
What is the Effect in a policy in AWS IAM?
An effect is either "Allow" or "Deny'
69
What are Actions in a policy in AWS IAM?
The actions allowed or denied by the policy.
70
What is the Resource in a policy in AWS IAM?
The resource the action is against
71
What are Permission Boundaries?
1. Used to delegate administration to other users
2. Prevent privilege escalation or unnecessarily broad permissions
3. Control maximum permissions and IAM policy can grant
Use Cases:
1. Developers creating roles for Lambda functions
2. Application owners creating roles for EC2 instances
3. Admins creating ad-hock users
72
What is AWS Certificate Manager?
AWS Certificate Manager allows you to create, manage and deploy public and private SSL certificates for use with other AWS services
It integrates with other services - such as Elastic Load Balancing, CloudFront distributions and API Gateway - allowing you to easily manage and deploy SSL certificates in your AWS environment.
73
What are the benefits of AWS Certificates Manager?
1. Cost - no more paying for SSL certificates because AWS Certificates Manager provisions both public and private certificates for free - you will still pay for the resources that utilize your certificates (such as Elastic Load Balancing)
2. Automated renewals and deployment - Certificates Manager automates the renewal of your SSL certificate and then automatically updates the new certificate with ACM-integrated services, such as Elastic Load Balancing, CloudFront and API Gateway
3. Easier to set up - Removes a lot of the manual processes, such as generating a key pair or creating a certificate signing request (CSR) - you can create your own SSL certificate with just a few clicks in the AWS console
74
What is Audit Manager?
With it, you can continuously audit your AWS usage to make sure you stay compliant with industry standards and regulations.
Audit Manager is an automated service that produces reports specific to auditors for PCI compliance, GDPR and more.
75
What are use cases for Audit Manager?
1. Transition from manual to automated evidence collection - it allows you to produce automated reports for auditors and reduces the need to compile these reports manually
2. Continuous auditing and compliance - it works on a continuous basis so that, as you AWS environment evolves and adapts, you can produce automated reports to evaluate your environment against industry standards (such as PCI compliance)
3. Internal risk assessments - you can create a new framework from the beginning or customize prebuilt frameworks - you can also launch assessments to automatically collect evidence, helping you to validate if your internal policies are being followed
76
If you see a scenario about HIPAA or GDPR compliance that asks about continuous auditing or automating audit reports, what service would you recommend?
Audit Manager
77
What is AWS Artifact?
Artifact is a single source you can visit to get the compliance-related information that matters to you, such as AWS security and compliance reports or select online agreements
78
What is available in AWS Artifact?
There are a huge number of compliance reports available, such as AWS Service Organization Control (SOC) reports, Payment Card Industry (PCI) reports, and GDPR reports, as well as other certifications (including ISO reports, HIPAA and more).
79
What is Amazon Cognito?
Cognito provides authentication, authorization and user management for your web and mobile apps in a single service without the need for custom code. Your users can sign in directly with a username and password they create or through a third party (e.g., Facebook, Amazon, Google and Apple).
80
What features does Amazon Cognito provide?
1. Sign-up and Sign-in options for your app
2. Access for guest users
3. Acts as an identity broker between your application and web ID providers, so you don't need to write any custom code
4. Synchronizes user data across multiple devices
5. Recommended for all mobile applications that call AWS services
81
What are use cases for Amazon Cognito?
1. Authentication - users can sign in using a user pool or a third-party identity provider, such as Facebook
2. Third-Party Authentication - users can authenticate using identity pools that require and identity provider (IdP) token
3. Access Server-Side Resources - a signed-in user is given a token that allows them access to resources that you specify
4. Access AWS AppSync Resources - users can be given access to AppSync resources with tokens received from a user or identity pool in Cognito
82
What are the two main components in Cognito?
User Pools and Identity Pools
83
What are User Pools in Cognito?
User Pools are directories of users that provide sign-up and sign-in options for your application users
84
What are Identity Pools in Cognito?
Identity Pools allow you to give your users access to other AWS resources. You can use Identity Pools and User Pools separately or together.
85
What are the sequence of events for Amazon Users and Identity Pools?
1. Authenticate and get tokens - you've got your device you're connecting to Cognito to a User Pool you're authenticating and getting a token
2. Exchange tokens and get AWS credentials - you are then taking that token and sending that token to an identity pool and that identity pool will then give you AWS credentials
3. Access AWS resources using credentials - use those credentials to access S3 or DynamoDB
Decks in class (16)
# Cards
-
Identity and Access Management (IAM)16
-
Simple Storage Service (S3)57
-
Elastic Compute Cloud (EC2)71
-
Elastic Block Storage (EBS)54
-
Relational Database Service (RDS)84
-
Virtual Private Cloud (VPC)59
-
Route 5338
-
Elastic Load Balancing (ELB)33
-
Monitoring33
-
Decoupling Workflows85
-
Big Data48
-
Horizontal vs. Vertical Scaling33
-
Serverless71
-
Security85
-
Governance62
-
Data & Analytics53
