Security

Question 1

What is the Shared Responsibility Model?

Answer 1

AWS is responsible for the infrastructure of the cloud

The customer for everything on the cloud

Question 2

IAM: What is the precedence of a policy item?

Answer 2

Per default everything is denied.
Only an explicit allow leads to an allow.
An explicit deny will always deny.

Question 3

What is Amazon Inspector?

Answer 3

Automatically assesses applications for vulnerabilities or deviations from best practices.
Gives out a detailed list sorted by severity.

Question 4

How are API calls secured?

Answer 4

API calls are signed by the AWS secret access key

Question 5

How is EBS secured?

Answer 5

Access is restricted by the creating IAM account of IAM users with granted access.
EBS volumes are replicated in multiple locations but within the same AZ
Volumes and Snapshots can be encrypted (AES-256)

Question 6

How does the Elastic LB handle requests?

Answer 6

For HTTPS requests the ELB generated short term session key between the server and the browser (using a long term session key)

Question 7

Cloudfront: Can HTTPS be enforced?

Answer 7

Yes, HTTP requests will automatically be redirected

Question 8

S3: What are the four options for data access?

Answer 8

IAM Policies
ACLs
Bucket Policies
Query String Authentification order

Question 9

DynamoDB: How are requests secured?

Answer 9

The requester needs database and user permissions and every request needs to be signed using HMNAC-SHA-256.

The AWS SDK automatically uses it but HTTP Requests need to contain the signature in the header

Question 10

RDS: How to secure the database?

Answer 10

Access Control
Security Groups
Network isolation
Encryption
Create automatic backups and patches
Multi AZ Deployments

Question 11

SNS: Who initially has access to a topic

Answer 11

Only the user who created the topic

Question 12

EMR: How are EMR Security Groups created?

Answer 12

One group the the master nodes and one for the slaves

Question 13

EMR: Can the data be encrypted?

Answer 13

Data needs to be encrypted at rest in S3 and EMR needs a decryption step at the beginning of the process

Question 14

IAM: What is the default lifespan of a role?

Answer 14

12hrs

Question 15

IAM: How is a call with a temp. role structured?

Answer 15

The call is signed with the secret key and includes the access key and the security token

Question 16

What is AWS Cognito?

Answer 16

Simplifies the task of authenticating users, storing, managing credentials and sycning data across platforms and devices.
It uses OAuth or OpenID

Question 17

What are Amazon Workspaces?

Answer 17

Managed desktop service.
Connects users with Active Directory credentials via PCoIP to AWS.
The Data is shown via videostream and not with actual transmissions

Question 18

How many keys will each AWS Resource integrated with an AWS KMS (Key Management Service) receive by default?

Answer 18

1

Question 19

Which of these is the scope of use for an AWS KMS key?

Answer 19

All AWS KMS keys are region-specific, they will only work with the AWS Resources of the same region. The AWS KMS key will only be accessible within the region it was created.

Question 20

With AWS Trusted Advisor, how many core checks do all customers have access to?

Answer 20

All customers have access to 7 core checks with AWS Trusted Advisor. The 7 core checks are assessing S3 Bucket permissions, Security Group - specific ports unrestricted, IAM Use, MFA on the root account, EBS public snapshots, RDS public snapshots, and finally service limit checks.

Question 21

Which of these is a required prerequisite to enabling MFA Delete on an S3 Bucket?

Answer 21

Versioning must be enabled to enable MFA Delete on an S3 Bucket. Only the root user may use MFA Delete.

Question 22

Which of the following do WAF rules span?

Answer 22

The WAF rules span an AWS Region.

Question 23

What AWS Service manages temporary credentials of IAM Roles?

Answer 23

STS

Question 24

What is an envelope key and which service does use it?

Answer 24

It encrypts the encryption key - it is used in SSE-KMS

Question 25

What is the parameter to enforce encryption of S3 PUT requests?

Answer 25

x-amz-server-side-encryption
SSE-S3: x-amz-server-side-encryption: AES256
SSE-KMS: x-amz-server-side-encryption: ams:kms

Question 26

At what point in time can you encrypt data or buckets in S3?

Answer 26

At any time

Question 27

Which (one) AWS service protects against DDoS attacks?

Answer 27

AWS Shield

Question 28

Which services can be used to mitigate DDoS attacks?

Answer 28

CloudWatch
Route53
CloudFront
ELBs
WAFs

Question 29

What protection does WAF offer?

Answer 29

• Block IP addresses
• Block countries
• Block certain header information
• XSS protection in the request

Question 30

Which services does (not) WAF integrate?

Answer 30

yes: ALB, CloudFront, API Gateway
no: Classic/Network LBs (it needs to be application aware)

Question 31

What is AWS Artifact?

Answer 31

Repository for security and compliance documents

Question 32

When does AWS allow SSL certs to be stored in IAM?

Answer 32

When the region is not supportes by the AWS Certification Manager

Question 33

In which format can S3 Access Logs be encrypted?

Answer 33

SSE-S3 (not - KMS)

Question 34

KMS: What is the difference between symmetric and asymmetric encryption?

Answer 34

Symmetric: The same key is used for encrypting and decrypting the file. (is faster than Asymmetric)
Asymmetric: Two keys (public and private) are needed to decrypt a file. (Is more secure)

Question 35

KMS: Can the keys be used in all regions?

Answer 35

No, KMS is region specific

Question 36

KMS: What is the security issue left then rotating keys?

Answer 36

When the new key is created, this key will only be used for all new encryptions. Older files are still encrypted with the old key, so if that key is compromised those files can still be read.

Question 37

KMS: What is the flow to create encrypted data?

Answer 37

Key Management Service (KMS) to perform encryption. KMS uses Customer Master Keys (CMK) to create Data Encryption Keys (DEK), which enables data encryption across EBS and a range of AWS services.

Question 38

KMS: What is the full process to encrypt an EBS Volume?

Answer 38

1. A volume is defined as ‘encrypted’ in EBS
2. EBS calls KMS to request a Data Encryption Key
3. KMS generates a DEK from the specified Customer Master Key
4. The CMK encrypts the DEK
5. The DEK is then stored on the encrypted EBS volume as metadata
6. The EBS volume is then attached to an EC2 instance
7. EC2 sends a ‘decrypt’ request to KMS with the encrypted DEK from the volume
8. KMS decrypts the DEK into a plaintext DEK and sends it back to the EC2 instance
9. EC2 stores the plaintext DEK in its hypervisor memory for as long as the EBS volume is attached to the instance
10. EC2 uses the DEK to perform I/O encryption to the volume using the AES-256 algorithm

Question 39

How to encrypt an existing EBS volume?

Answer 39

1. Create a snapshot
2. Copy the snapshot with the “encryption” settings
3. Create a new volume

Question 40

Can you encrypt all EBS Volumes?

Answer 40

Yes, that not all EC2 Instances support the encryption o the volume

Question 41

What are the tenancy and symmetry settings for KMS and HSM

Answer 41

KMS: Multi tenancy - symmetric encryption
HSM: Single tenant - asymmetric and symmetric

Question 42

S3: What is the scope of the “block public access” policy?

Answer 42

All regions, for all buckets/files, all existing and future buckets/files

Question 43

IAM: What is the Access Advisor?

Answer 43

Information on in the “Users” section

Shows when a service was last accessed, and with which policy

Question 44

S3: How can a customer key be used?

Answer 44

Only with the CLI / SDK

Generate the key and attach it on uploading the file

Question 45

Which features apply to both Secrets Manager and Parameter Store?

Answer 45

• Can store credentials in hierarchical form
• Integrated with Identity and Access Management
• Supports encryption at rest using customer-owned KMS keys

Question 46

As an administrator, which of the following IAM tasks are critical to the security of your AWS environment?

Answer 46

• The application of an IAM password policy
• The activation of MFA on the root account
• The deletion of root access keys

Question 47

What is AWS Backup?

Answer 47

AWS Backup is a centralised place to create backups of your EBS, RDS, and EFS resources. There is no additional cost for setting up backup plans and retention policies, and this is a managed service so it’s a perfect option to present to your manager

Question 48

You need to identify any S3 buckets that are public. Which AWS service can you use to quickly determine this?

Answer 48

AWS Config

Question 49

Why can’t I access an object that was uploaded to my Amazon S3 bucket by another AWS account?

Answer 49

The AWS account that uploads the object owns the object. This is true even when the bucket is owned by another account. To get access to the object, the object owner must explicitly grant the bucket owner access. (via the ACL e.g.)

https://aws.amazon.com/premiumsupport/knowledge-center/s3-bucket-owner-access/

Question 50

What services are integrated with WAF?

Answer 50

(Header knowing services)

CloudFront & Application Load Balancer

Question 51

What is special about DB Security Groups?

Answer 51

The only allow access to the database ports

Question 52

How to encrypt MySQL at rest?

Answer 52

RDS cannot handle encryption, it must be done by the application

Question 53

What should be done to prevent IP-Spoofing?

Answer 53

Nothing, EC2 instances cannot send spoofed traffic, because they cannot send traffic with a different source IP or MAC address.

Question 54

Which service allows using Microsoft Active Directory credentials
to authenticate to AWS?

Answer 54

AWS Single-Sign On (SSO)

Question 55

How many versions of a customer managed policy will IAM retain?

Answer 55

5

Question 56

What needs to be considered for outbound traffic on a NACL?

Answer 56

Usually all ports need to be allowed, because outbound traffic can come from ephemeral ports and not the same as the inbound.

Question 57

If a policy has been (accidentally) deleted, which service could still have the data?

Answer 57

CloudTrail

Question 58

What (keys/credentials) does the Security Token Service provide?

Answer 58

1. Secret access key

2. Short-term credentials

Question 59

If a data key gets leaked, what action needs to be taken?

Answer 59

Nothing, the data key is encrypted.

Only if also the Customer Master Key got leaked, then an action needs to be taken.

Question 60

You just created a customer master key in KMS. What’s the earliest you can delete it?

Answer 60

7 days

Question 61

. You just imported a customer master key into KMS. What’s the earliest you can delete it?

Answer 61

Immediately

Question 62

Where are keys in a KMS custom key store stored?

Answer 62

CloudHSM

Question 63

What is the monthly service-level agreement for KMS?

Answer 63

99.9 percent

Question 64

What is the monthly service-level agreement for CloudHSM?

Answer 64

99.99 percent

Question 65

Is it necessary to create a new certificate if a load balancer in a different region is created?

Answer 65

Yes, because ACM is a regional service, you’d have to create a new certificate in the other
region

Question 66

What are the two options to encrypt data in DynamoDB?

Answer 66

Encrypt the data before writing it & Use an AWS managed KMS key.

It is not possible to use a customer managed key.

Question 67

You’ve configured an instance profile role but want to make sure other IAM users can’t
assume the role. Which actions should be taken?

Answer 67

Ensure the role’s trust policy doesn’t allow users to assume the role.

Question 68

Can the principal of a trust policy be a wildcard?

Answer 68

No, it can be an AWS service or a

principal in the same account or another account

Question 69

What happens to EC2 instances when a region is disabled?

Answer 69

They still run, generate costs and cannot be terminated.

The region needs to be activated again.

Question 70

What needs to be done in order to allow certain IAM users to be able to change their passwords?

Answer 70

1. Identity-based to perform the
   iam:ChangePassword action.
2. Specify the resource arn:aws:iam::account-id:user/
   ${aws:username}.

Question 71

What is a managed session policy?

Answer 71

When assuming a role, you can specify a managed session policy to restrict the
permissions granted to the session

Question 72

Which two policies can only restrict access?

Answer 72

Service control policies

Session policies

Question 73

Which service is responsible for:

• Short term credentials
• Long term credentials
• Short term application secrets
• storing encryption keys

Answer 73

STS
IAM
Secret Manager
KMS

Question 74

What is the only reason a root key can fail?

Answer 74

Different time settings on the workstation

Question 75

KMS: What are the two methods the Customer Master Key (CMK) can be created? And what are the differences?

Answer 75

AWS Managed

• Named after the service the key is used for
• Cannot be deleted
• Cannot be used in roles
• Automatically rotated every three years

Customer Managed

• Custom name
• Can be deleted/disabled
• Can be used in roles
• Rotated manually or once a year

Question 76

KMS: What are the steps to create a Customer managed key?

Answer 76

• Name
• Origin (KMS, External, CloudHSM)
• Admin Access
• User Access

Question 77

KMS: Who can have admin / user access?

Answer 77

IAM users & roles

Question 78

KMS: If the origin is “Custom key store” - what is necessary?

Answer 78

A CloudHSM cluster

Question 79

KMS: What are the two types of key specs for “sign and verify”?

Answer 79

RSA & ECC

Question 80

KMS: How is KMS priced?

Answer 80

$1/month for every key created

ca. 0.03$ per request (encrypt/decrypt)
ca. 0.15$ per signing
ca. 1000$/month per CloudHSM instance