Security

Question 1

What is the shared responsibility model?

Answer 1

Defines customer and AWS’s role of security in the cloud

Customer- Responsible for security IN the cloud
AWS- Responsible for security OF the cloud

Question 2

What is the principle of least privilege?

Answer 2

The principle that states that you give users (or services) nothing more than those privileges required to perform their intended function (and only when they need them)

Question 3

What are the 4 security facets of the cloud?

Answer 3

1) Identity
2) Authentication
3) Authorization
4) Trust

Question 4

Define what the identity facet is? and provide an example…

Answer 4

Identify facet- Who are you?

e.g. Root account user, IAM user, temporary security credentials

Question 5

Define what the authentication facet is? and provide an example…

Answer 5

Prove that you are who you say you are…

e.g. MFA or client-side SSL certificate

Question 6

Define what the authorization facet is? and provide an example…

Answer 6

Are you allowed to do this?

e.g. IAM policies

Question 7

Define what the trust facet is? and provide an example…

Answer 7

Do other entities that I trust say they trust you?

e.g. Cross account access, SAML-based federation and web identity federation

Question 8

What are the 7 steps in a typical authentication flow (SAML)?

Answer 8

1) User-agent requests access from the service provider
2) The service provider tells the user-agent to request access from the identity provider
3) The user agent requests access from the identity provider
4) The identity provider says please authenticate e.g. password or SSL cert
5) User-agent provides password
6) The identity provider tells the service provider to let them in
7) The service provider tells the user agent it can access the service

Question 9

What is SAML 2.0? and can it be used to authorise and authenticate?

Answer 9

SAML 2.0 is an XML based standard for exchanging authorization and authentication identities between security domains.

Question 10

What is SAML 2.0 best suited for?

Answer 10

Single sign-on for enterprise users

Question 11

What is OAuth 2.0? and can it be used to authorise and authenticate?

Answer 11

OAuth 2.0 is a JSON web token (JWT) based standard for exchanging authorization NOT AUTHENTICATION

It works by issuing a token to a client. The application then validates the token with authorization server. Supports delegate access.

Question 12

What is OAuth 2.0 best suited for?

Answer 12

Best suited for API authorization between apps

Question 13

What is OpenID connect? and can it be used to authorise and authenticate?

Answer 13

Identity layer built ontop of OAuth 2.0 adding AUTHENTICATION.

Uses REST/JSON message flows. Supports web clients, mobile clients and javascript clients

Question 14

What is OpenID connect best suited for?

Answer 14

Single sign on for customers…. Think mobile apps!

Question 15

name 5 tools used for account management…

Answer 15

1) AWS organisations
2) Service control policies- Sub-account restrictions
3) Tagging
4) Resource groups
5) Consolidated billing

Question 16

Name and describe 5 different account structures…

Answer 16

1) Identity account structure
2) Logging account structure
3) Publishing account structure (common repo for AMI, containers, code)
4) IT security account (consolidated security and logging)
5) Central IT account structure (define and share services and standardise assets)

Question 17

What is AWS organisations?

Answer 17

Policy-based management for multiple AWS Accounts. Accounts are split into organisational units. simplifies things!

e.g. HR, automotive, consumer products

Question 18

What is consolidated billing?

Answer 18

A way to consolidate billing across multiple organisational units

Question 19

What is consolidated security?

Answer 19

A way to consolidate security across multiple organisational units

Question 20

What is a service control policy?

Answer 20

Service control policies (SCPs) are a type of organization policy that you can use to manage permissions in your organization.

Question 21

What is a security group? and what is meant by a default security group?

Answer 21

A virtual firewall for individual assets (e.g. EC2, RDS, AWS workspaces…)

Default SG:
Allows all inbound traffic from other instances associated with the default security group. The security group specifies itself as a source security group in its inbound rules.

Allows all outbound traffic from the instance.

Question 22

Does a security control inbound or outbound traffic or both? and which protocols are included?

Answer 22

Both!

TCP, UDP, ICMP or custom protocols

Question 23

How are inbound rules defined?

Answer 23

By SOURCE IP, subnet or other security group

Question 24

How are outbound rules defined?

Answer 24

By DESTINATION IP, subnet or other security group

Question 25

Is a security group stateful or stateless? and what does this mean?

Answer 25

Security groups are stateful — if you send a request from your instance, the response traffic for that request is allowed to flow in regardless of inbound security group rules. Responses to allowed inbound traffic are allowed to flow out, regardless of outbound rules.

Question 26

What is a NACL?

Answer 26

Network Access Control List

An additional level of security got a VPC that acts as a firewall

Question 27

What traffic does the default NACL allow?

Answer 27

All inbound and outbound traffic

Question 28

Are NACLs stateless or stateful? and what does this mean?

Answer 28

Stateless- means that outbound traffic simply obeys the outbound rules - no connection is maintained

Question 29

Why use both a SG and a NACL?

Answer 29

NACLs provide a good back up if you forget to apply a SG… part of the principle of least privilege!

Question 30

name and describe 5 AWS directory services…

Answer 30

1) AWS cloud directory- cloud native directory for access and control to Hierarchical data between applications
2) Amazon Cognito- Sign up and sign in functionality to scale with federation to public social media services
3) AWS directory service for Microsoft Active directory- AWS managed full Microsoft AD
4) AD connector- Allows on-prem users to log into their EXISTING AD and allows EC2 instances to join AD domain
5) Simple AD- Low scale, low cost AD implementation based on samba

Question 31

What scenario is best suited to… AWS Cloud directory

Answer 31

Cloud applications that need hierarchical data with complex relationships

Question 32

What scenario is best suited to… Amazon Cognito

Answer 32

Developing consumer apps or Saas- you don’t have to create your own sign in and sign off

Question 33

What scenario is best suited to… AWS directory service for Microsoft Active directory

Answer 33

Enterprises that want hosted Microsoft AD or you need LDAP for Linux apps

Question 34

What scenario is best suited to… AD connector

Answer 34

Single sign-on for on-prem employees and for adding EC2 instances to the domain

Question 35

What scenario is best suited to… Simple AD

Answer 35

Simple user directory or when you need LDAP compatibility

Question 36

What is the use case for choosing AD connector… (3 points)

Answer 36

1) Must have an existing AD
2) Have existing AD users that want access to AWS assets via IAM roles
3) Would like MFA via existing RADIUS-based MFA infrastructure

Question 37

What is the use case for choosing simple AD? (5 points)

Answer 37

1) Require a stand-alone AD based on SAMBA
2) Require support for user accounts, groups, group policies and domains
3) would like kerberts-based SSO
4) Don’t require MFA (not-supported)
5) Don’t require trust relationships

Question 38

What is the token vending machine (TVM) concept in AWS?

Answer 38

A common way to issue temporary credentials for mobile app development.

Question 39

What is anonymous TVM?

Answer 39

Used as a way to provide access to AWS services only. Does NOT store user identity

Question 40

What is identity TVM?

Answer 40

Used for registration and login and authorizations (outdated- use Cognito)

Question 41

What is AWS secrets manager?

Answer 41

A service to store passwords, encryption kets, API keys, SSH keys and PGP keys.

Alternative to storing passwords or keys in a “vault” either physical or virtual

Question 42

What benefit does AWS secret manager provide for databases?

Answer 42

Automatically rotates RDS database credentials for mySQL, Postgres and Aurora

Question 43

What are the 2 types of encryption? and provide examples…

Answer 43

1) Encryption at rest- encrypted where it is stored e.g. EBS, S3 and SQS
2) Encryption in transit- Encryption as it flows through a network or process such as SSL/TLS for HTTPS, or IPSEC for VPN connections

Question 44

What is the key management service used for?

Answer 44

Encryption key storage, management and auditing

Remember- Multi tenanted HA

Validated with many compliance schemes e.g. DCI DSS level 1 and FIPS

Question 45

How does KMS differ from secrets manager?

Answer 45

KMS is purpose-built for encryption key management

Question 46

What solution would you need if KMS was NOT robust (maybe needed single tenanted) enough for your requirements? also, define it…

Answer 46

CloudHSM- Dedicated hardware device, SINGLE tenanted unlike KMS and can be accessed via VPC peering. It is not HA though this must be managed by you.

Question 47

What is the drawback of CloudHSM?

Answer 47

Not integrated with many services like KMS, may need scripting.

Question 48

What is the cost model for CLoudHSM?

Answer 48

pay per hour, with no upfront cost. The classic version costs $5000

Question 49

What is certificate manager?

Answer 49

Encryption in transit service that allows you to provision, manage and deploy private and public SSL certificates.

Question 50

What are the benefits of using certificate manager?

Answer 50

1) Free public certificates to use within AWS
2) supports wild cards to cover all subdomains
3) Manages certificate renewal!

Question 51

What is phising?

Answer 51

Someone trying to get you to part with financial information

Question 52

What is a Distributed Denial Of Service attack (DDOS)?

Answer 52

A method compromising a system that overwhelms/exposes private information

Question 53

Name 2 common DDOS attacks… provide examples

Answer 53

1) Amplification or reflection attack- Bad actor spoofs a packet to manipulate the destination address e.g. MONLIST returning 600 last IP addresses overwhelms a target device
2) Application attack (layer 7)- A bad actor floods a device with lots of HTTP GET requests which slow or stop a web server

Question 54

What are the 5 best practices to reduce the risk of suffering from a DDOS attack? and which AWS service do these relate to?

Answer 54

1) Minimise your attack surface- NACLs, SG, VPC design
2) Scale to absorb attack- Autoscaling groups, AWS CloudFront and static web content S3. DynamoDB scales rapidly…
3) Safeguard exposed resources- Route53, WAF, AWS Shield
4) Learn normal behaviour- AWS guardDuty, CloudWatch
5) Have a plan!

Question 55

What is IDS? Active or passive?

Answer 55

Intruder Detection System- Watches the network to and systems for suspicious activity that might indicate someone is trying to compromise a system….

Passive

Question 56

What is IPS? Active or passive?

Answer 56

Intruder Prevention System- Tries to prevent exploits by sitting behind firewalls and scanning and analysing suspicious content for threats.

Active! Dynamically watching network

Question 57

What is CloudWatch? (5 points)

Answer 57

1) Logs events across AWS services… think operations
2) High-level comprehensive monitoring and eventing
3) Log form multiple accounts
4) Logs stored indefinitely
5) Alarms history kept for 14 days

Question 58

What is CloudTrial? (5 points)

Answer 58

1) Logs API activity across AWS services… think activities
2) Low-level… granular
3) Log from multiple accounts
4) Logs stored in S3 or CloudWatch indefinitely
5) No native alarming, but can use with CloudWatch alarms

Question 59

What is the service catalog?

Answer 59

Helps users organise AWS environment and is useful for central IT to put together services that are pre-defined and organised. Allows IT to have granular control over which users have access to which offerings

Question 60

What are the 3 types of constraints that can be applied in AWS catalog? describe…

Answer 60

1) Launch constraint- IAM role that service catalog assumes when an end-user launches a product
2) Notification constraint- Specifies the Amazon SNS topic to receive notifications about stack events
3) Template constraint- One or more rules that narrow allowable values an end-user can select

Question 61

Why would you want to use a launch constraint in AWS catalog?

Answer 61

Without a launch constraint the end-user must have ALL the permissions needed within their own IAM credentials

Question 62

Why would you want to use a notification constraint in AWS catalog?

Answer 62

So you can get notifications when products are launched or have problems

Question 63

Why would you want to use a template constraint in AWS catalog?

Answer 63

To adjust product attributes based on the choice a user makes (e.g. only allow certain instance types for DEV env)

Question 64

What happens if we share a catalog from the master account to a sub account?

Answer 64

The launch role is shared (the IAM role that launched the service on behalf of the user that requested it) so it will launch the service in the master account. To avoid this a local admin must override this by creating a local catalog and create a new launch constraint that uses a localised launch role.

Question 65

At what level are the launch constraints defined?

Answer 65

At the product level, not the portfolio level!

Question 66

What can you use a service control policy for?

Answer 66

To restrict the regions your organisation can use (for compliance reasons)

Question 67

When you cannot use secrets manager, what is the best way to store credentials?

Answer 67

Using an encrypted file on S3 and proving an IAM role with access to it assigned to the EC2 instance

Question 68

Can you configure CloudTrail to deliver log files from multiple regions to a single S3 bucket for a single account?

Answer 68

Yes

Question 69

Does Elasticache memchached offer native encryption?

Answer 69

Nope, but redis does!