What I learned from the quizzes:

IAM stuff:
What can you attach an IAM policy to? Identity-based policies attach to IAM users, groups and roles; resource-based policies (bucket policies, key policies, role trust policies) attach to the resource itself.
How long can a Glacier vault lock be modified after it is locked? 0 days. Once the lock completes it cannot be changed; you only get the 24-hour in-progress window to abort and start over.
Bucket policies for replication: source and destination? Just the destination. For cross-account replication the owner of the destination bucket grants the source account's replication role permission to replicate into it.
You can attach inline policies to users (and to groups and roles).
Cross-account access is supported via STS (AssumeRole), SAML 2.0 federation (AD, Azure AD) and web identity federation; the quiz answer did not include Kubernetes.

Logging and Monitoring:
Can you encrypt CloudTrail logs? Yes. Log files delivered to S3 are encrypted with SSE-S3 by default, and you can switch the trail to SSE-KMS with a customer managed key.
Can CloudWatch trigger Lambda functions? Yes, via CloudWatch Events (now EventBridge) rules.
AWS Config with an SNS topic can notify you if SSH is open to the world (the restricted-ssh managed rule).
The Common Vulnerabilities and Exposures rules package in Inspector does not check for instances that allow root login over SSH; the CIS Benchmarks package does.

KMS:
KMS keys are regional. A key with imported key material can only be used in the region where it was created and cannot be shared to another region.
AWS managed keys were rotated every 3 years (AWS changed this to annual rotation in 2022); customer managed keys can be set to rotate annually.
Security groups only allow traffic, they never block it (allow rules only; deny rules live in NACLs).
AWS WAF is for SQLi and XSS; Shield is for DDoS.

VPCs:
VPC peering lets VPCs talk to each other without going over the internet; PrivateLink works too (for exposing a single service rather than a whole network).
Return traffic for updates comes back inbound on ephemeral ports, so the NACL needs an inbound rule for 1024-65535.
VPC Flow Logs let you analyze IP traffic into and out of your VPCs, ENIs and subnets.
WAF integrates with ALB, CloudFront and API Gateway, not with Route 53 or EC2 instances directly.

Real World:
CloudFront, Route 53, ELB, WAF, Auto Scaling and CloudWatch together mitigate DDoS.
API Gateway default throttle: 10,000 requests per second per account; exceeding it returns 429 Too Many Requests.
FIPS 140-2 has levels 1-4; CloudHSM is validated at level 3.
AWS doesn't provide any pen testing services.
What is CORS? Cross-origin resource sharing, which lets a page served from one origin make requests to another origin.
IAM can store HTTPS server certificates (legacy; ACM is preferred). KMS doesn't store certs. CloudFront has a default *.cloudfront.net cert.
Parameter Store is good for storing license codes.
Systems Manager Run Command lets you apply patches and join instances to a Windows domain remotely.

AWS practice exam:
To access a SecureString in Parameter Store you need permission to read the parameter (ssm:GetParameter) and permission to use the KMS key to decrypt it (kms:Decrypt).
GuardDuty detects threats against EC2 instances and accounts; it does not protect against DDoS (that is Shield).
Trusted Advisor vs Amazon Inspector? Inspector is an assessment service: it finds vulnerabilities via an agent and compares against CIS and other benchmarks. Trusted Advisor is about optimizing your AWS environment: security (basic checks), cost optimization, fault tolerance, performance. Trusted Advisor does the security group checks (unrestricted ports); Inspector doesn't.
To grant a third party temporary access via an IAM role you need an external ID in the trust policy, and you must give the other party the role ARN too.

Feedback quiz:
AWS Network Firewall and WAF can inspect traffic flows and requests over HTTP and HTTPS with the lowest overhead.
Flow logs give metadata about traffic (source, destination, port numbers, packet and byte counts) but do not inspect content.

Troubleshooting quiz:
Cross-account S3 object access: a trust policy on the role naming the external account as trusted entity, plus sts:AssumeRole permission on that account's side.
Is CloudWatch region based? Yes, but cross-region functionality exists.
A function policy (resource-based) controls who can invoke a Lambda function. Lambda needs CloudWatch Logs permissions in its execution role to write its logs.

Final practice exam:
CloudWatch metric filter across multiple accounts? No; use CloudWatch Events (EventBridge) event buses to collect events from multiple accounts.
Can you launch an instance with the root volume from another instance? No; snapshot it and register an AMI instead.
What's the command to validate log integrity? aws cloudtrail validate-logs
Keys rotated annually: AWS managed or customer managed CMK? Customer managed keys with AWS-generated material can have automatic annual rotation. The one where you upload your own material completely is a customer managed CMK with imported key material (EXTERNAL origin), which must be rotated manually.
Do you need permission to use CloudTrail APIs to read the logs? Reading the delivered log files only needs S3 read permission on the trail bucket; the CloudTrail APIs themselves (e.g. cloudtrail:LookupEvents for event history) need their own IAM permissions.
Does AWS Network Firewall do deep packet inspection, and is it the same as an IDS/IPS? Yes, it does stateful deep packet inspection with Suricata-compatible IPS rules, so it covers IDS/IPS-style signature matching, though it is a managed firewall rather than a standalone IDS/IPS product.
Can you change a vault lock once it's in progress? No, but you can abort the lock within the 24-hour window and start again.
Key administrators in a key policy get DescribeKey, EnableKey, CreateKey and similar management actions; GenerateDataKey is a key-user (cryptographic) operation.
Is the trust policy created in the account that owns the role, allowing the other account to assume it? Yes.
Can Macie detect sharing of documents? Yes.
What can you pen test without asking for permission? EC2, NAT Gateway, ELB, RDS, CloudFront, Aurora, API Gateway, Lambda, Lightsail, Elastic Beanstalk. NOT S3 and NOT Kinesis.
Can't use the default CloudFront cert for a custom domain name.
For end-to-end encryption in transit, configure CloudFront to use HTTPS to the origin as well as to viewers.
Return traffic arrives inbound on the client's ephemeral port. OS ranges differ (Linux 32768-60999, Windows 49152-65535), which is why NACLs conventionally allow 1024-65535.
Port 25 outbound is blocked (throttled) by default on EC2.
What's the bucket policy condition key to require encrypted connections? aws:SecureTransport (deny when it is false).
Is an organization trail a thing? Yes.
Macie vs GuardDuty for data in S3 AND threat detection? GuardDuty; Macie doesn't do threat detection. GuardDuty covers AWS accounts, workloads and data stored in S3.
With web identity federation do you need IAM users or SAML 2.0 federation? Neither: use Cognito or web identity federation directly. IAM has a limit of 5,000 users per account. Web identity federation allows Google, Facebook or Amazon auth.
Is an AWS Config customer managed (custom) rule a thing? Yes, good for ongoing monitoring.
Do you create a new DHCP options set to change the DNS server, or update the existing one? New; options sets are immutable.
GuardDuty analyzes Route 53 resolver DNS logs to catch crypto miners? Yes.
Does ElastiCache allow encryption at rest? ElastiCache for Redis does (at rest and in transit); Memcached did not.
The Inspector agent needs to be installed on instances; Systems Manager Run Command can automate that.
Trusted Advisor doesn't do EC2 instance security assessments.
For end-to-end encryption to the instance, use an NLB with a TCP listener so TLS terminates on EC2.
SSE-S3 is indicated by x-amz-server-side-encryption: AES256; SSE-KMS by aws:kms.

Udemy stuff:
If you find an instance with malware, lock it down (isolate it with a restrictive security group, snapshot the volumes) and run forensics.
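Flow log records carry only the 5-tuple, counts and an ACCEPT/REJECT verdict, which is enough to catch "SSH open to the world" the way the Config rule above does, but not enough to say which rule did a REJECT. The following is an added example, not from the quizzes or from AWS: it parses constructed default-format (version 2) VPC Flow Log lines and flags TCP/22 flows that were ACCEPTed from outside RFC 1918 space. The sample lines, ENI id and account id are made up.

```python
"""Detect SSH accepted from the internet in VPC Flow Log records.

Added example with constructed log lines (not real traffic). The record
layout is the default version-2 flow log format documented by AWS.
"""
import ipaddress
from collections import Counter
from dataclasses import dataclass

# Field order of the default (version 2) flow log format.
FIELDS = ("version account_id interface_id srcaddr dstaddr srcport dstport "
          "protocol packets bytes start end action log_status").split()

# RFC 1918 ranges; anything else is treated as "the world" for this check.
RFC1918 = [ipaddress.ip_network(c) for c in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Constructed sample: a world SSH login that was accepted, its reply flow,
# a rejected SSH probe, an internal SSH session, and a NODATA interval.
SAMPLE_FLOW_LOG = """\
2 123456789012 eni-0a1b2c3d4e5f6a7b8 203.0.113.7 10.0.1.20 51321 22 6 12 1840 1600000000 1600000060 ACCEPT OK
2 123456789012 eni-0a1b2c3d4e5f6a7b8 10.0.1.20 203.0.113.7 22 51321 6 10 2200 1600000000 1600000060 ACCEPT OK
2 123456789012 eni-0a1b2c3d4e5f6a7b8 198.51.100.23 10.0.1.20 44012 22 6 1 60 1600000000 1600000060 REJECT OK
2 123456789012 eni-0a1b2c3d4e5f6a7b8 10.0.2.15 10.0.1.20 49822 22 6 20 3600 1600000000 1600000060 ACCEPT OK
2 123456789012 eni-0a1b2c3d4e5f6a7b8 - - - - - - - 1600000060 1600000120 - NODATA
"""


@dataclass(frozen=True)
class FlowRecord:
    interface_id: str
    srcaddr: str
    dstaddr: str
    srcport: int
    dstport: int
    protocol: int   # IANA protocol number: 6 = TCP, 17 = UDP
    packets: int
    bytes: int
    action: str     # ACCEPT or REJECT


def parse_flow_log(text: str) -> list[FlowRecord]:
    """Parse default-format lines. NODATA/SKIPDATA records have '-' in the
    traffic fields and describe no flow, so they are dropped."""
    records = []
    for line in text.strip().splitlines():
        parts = line.split()
        if len(parts) != len(FIELDS):
            continue
        row = dict(zip(FIELDS, parts))
        if row["log_status"] != "OK":
            continue
        records.append(FlowRecord(
            row["interface_id"], row["srcaddr"], row["dstaddr"],
            int(row["srcport"]), int(row["dstport"]), int(row["protocol"]),
            int(row["packets"]), int(row["bytes"]), row["action"]))
    return records


def is_rfc1918(addr: str) -> bool:
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in RFC1918)


def internet_ssh_accepts(records: list[FlowRecord]) -> list[FlowRecord]:
    """Flows where TCP/22 from a non-private source was ACCEPTed, i.e. the
    security group and NACL actually let world SSH through. The reply flow
    (srcport 22) is not counted, so each session shows up once."""
    return [r for r in records
            if r.protocol == 6 and r.dstport == 22
            and r.action == "ACCEPT" and not is_rfc1918(r.srcaddr)]


def reject_counts(records: list[FlowRecord]) -> Counter:
    """REJECTs per (destination, port). The log says something blocked the
    flow, but not whether it was a security group or a NACL rule."""
    return Counter((r.dstaddr, r.dstport) for r in records if r.action == "REJECT")


if __name__ == "__main__":
    recs = parse_flow_log(SAMPLE_FLOW_LOG)
    for hit in internet_ssh_accepts(recs):
        print(f"world SSH accepted on {hit.interface_id}: {hit.srcaddr} -> {hit.dstaddr}:22")
    print("rejects:", dict(reject_counts(recs)))
```

Run against a real export from S3 or CloudWatch Logs the check works the same way, provided the log group uses the default format; a custom format needs FIELDS changed to match.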
If an access key is compromised, delete (or at least deactivate) the key; an explicit deny on that principal also stops it immediately.
Remember to include global resources when configuring AWS Config, otherwise IAM changes aren't recorded. AWS Config works with IAM.
Review flow log syntax.
Patch compliance is a Systems Manager (Patch Manager) feature.
Verify that the SSM agent is on all instances.
S3 event notifications are a thing.
AWS Config is good for change monitoring and assessment.
AMIs keep the old key pair's public key in authorized_keys when imaged and relaunched.
NACL rules are evaluated in order by rule number, lowest first; the first match wins.
An AWS WAF web ACL decides whether to allow or block HTTP(S) requests (not packets).
CloudFront SNI can cause old clients to fail to connect; use dedicated-IP custom SSL with CloudFront.
You associate an execution role with a Lambda function via IAM.
EC2 Run Command can remove public keys.
The quiz said you can't expand the security group limit via AWS Support; in practice rules per group and groups per ENI are adjustable quotas, capped so that rules times groups per ENI stays at or below 1,000.
If you want to allowlist domains for egress you need 3rd-party software (AWS Network Firewall now supports domain allow lists).
You may need the bucket-owner-full-control ACL set when uploading objects to another account's S3 bucket.
A Deny with NotAction denies everything except the actions listed in NotAction.
To use policy variables you need "Version": "2012-10-17" in your IAM policy.
You need IAM roles to link AD groups to permissions with SSO.
If you delete (or disable) the KMS key for an EBS volume you still have access to the volume until it is detached and remounted.
ACM certs need *.example.com if you want one cert to cover subdomains.
CMK deletion has a mandatory waiting period of 7 to 30 days (default 30, minimum 7).
CloudHSM is launched in a VPC; run at least 2 HSMs for fault tolerance.
A Classic ELB or NLB TCP listener passes TLS straight through to the backend, which sidesteps header-rewriting issues; ALB can't do TCP/TLS passthrough, NLB can.
You can email-validate certs for ACM.
SSE-C is customer-provided encryption keys.
"DynamoDB Encryption Client" is a thing (client-side encryption of items).
:root as the suffix of an account principal means the whole account (any IAM principal in it, subject to their own policies). A specific user is denoted with user/Name.
The CloudTrail console (event history) stores only 90 days; anything older needs a trail delivered to S3 and Athena.
GuardDuty will not see on-prem DNS requests; it only analyzes Route 53 resolver logs.
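The two policy facts worth internalizing from the notes above and from the aws:SecureTransport item earlier are the same evaluation rule seen from two sides: an explicit Deny always wins, and a Deny with NotAction denies everything it does not list. Below is an added example (mine, not AWS's policy engine and not part of the quizzes) of a toy evaluator that implements just enough of that logic to test both cases: action/resource wildcards, Allow/Deny, NotAction, and the Bool and StringEquals condition operators. It ignores Principal, so the bucket policy here is reduced to Action/Resource/Condition; the bucket name and policies are constructed.

```python
"""Toy IAM policy evaluator for the notes' two cases: Deny+NotAction fencing
and the aws:SecureTransport Bool condition.

Added example; this is not the AWS evaluator. Supported: Effect, Action,
NotAction, Resource, Condition with Bool and StringEquals. Principal is
ignored, so resource policies are evaluated as if the caller matched.
"""
import fnmatch


def _as_list(value):
    return value if isinstance(value, list) else [value]


def _match_any(patterns, value, fold_case):
    # IAM wildcards: '*' matches any run of characters, '?' exactly one.
    # Action names are case-insensitive; ARNs are compared as written.
    if fold_case:
        return any(fnmatch.fnmatchcase(value.lower(), p.lower()) for p in _as_list(patterns))
    return any(fnmatch.fnmatchcase(value, p) for p in _as_list(patterns))


def _condition_holds(condition, context):
    """All operators and all keys in a Condition block must hold (AND)."""
    for operator, pairs in condition.items():
        for key, expected in pairs.items():
            actual = context.get(key)
            if actual is None:
                return False  # missing key: condition is false (no ...IfExists here)
            if operator == "Bool":
                if str(actual).lower() != str(expected).lower():
                    return False
            elif operator == "StringEquals":
                if actual not in _as_list(expected):
                    return False
            else:
                raise ValueError(f"unsupported condition operator: {operator}")
    return True


def _statement_applies(stmt, action, resource, context):
    if "Action" in stmt:
        if not _match_any(stmt["Action"], action, fold_case=True):
            return False
    elif "NotAction" in stmt:
        # Actions listed under NotAction are the ones this statement does NOT cover.
        if _match_any(stmt["NotAction"], action, fold_case=True):
            return False
    if not _match_any(stmt.get("Resource", "*"), resource, fold_case=False):
        return False
    return _condition_holds(stmt.get("Condition", {}), context)


def evaluate(policies, action, resource, context=None):
    """Return 'ExplicitDeny', 'Allow' or 'ImplicitDeny' for one request.
    Any matching Deny wins; otherwise some matching Allow is needed."""
    context = context or {}
    allowed = False
    for policy in policies:
        for stmt in _as_list(policy["Statement"]):
            if _statement_applies(stmt, action, resource, context):
                if stmt["Effect"] == "Deny":
                    return "ExplicitDeny"
                allowed = True
    return "Allow" if allowed else "ImplicitDeny"


# Constructed identity policy: broad Allow, fenced by Deny+NotAction so only
# S3 and EC2 read-only calls survive.
FENCE_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow", "Action": "*", "Resource": "*"},
        {"Effect": "Deny", "NotAction": ["s3:*", "ec2:Describe*"], "Resource": "*"},
    ],
}

# Constructed bucket policy (Principal omitted): allow reads, but deny
# everything over plaintext via the aws:SecureTransport condition key.
TLS_ONLY_BUCKET_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow", "Action": "s3:GetObject",
         "Resource": "arn:aws:s3:::example-bucket/*"},
        {"Effect": "Deny", "Action": "s3:*",
         "Resource": ["arn:aws:s3:::example-bucket", "arn:aws:s3:::example-bucket/*"],
         "Condition": {"Bool": {"aws:SecureTransport": "false"}}},
    ],
}

if __name__ == "__main__":
    print(evaluate([FENCE_POLICY], "iam:CreateUser", "*"))
    print(evaluate([TLS_ONLY_BUCKET_POLICY], "s3:GetObject",
                   "arn:aws:s3:::example-bucket/report.csv", {"aws:SecureTransport": "false"}))
```

The fence policy is why Deny+NotAction is the usual way to restrict a broad role: adding a new Allow elsewhere cannot widen it, because the Deny still covers every action that is not S3 or ec2:Describe*.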
WAF protects against some malformed headers and HTTP-level DDoS patterns.
You can send web ACL logs to Kinesis Data Firehose.
VPC flow logs do not give a reason code for a REJECT.
With an ALB in public subnets you can put the web servers in private subnets.
Ephemeral ports carry only traffic back TO the client. If the client is in your VPC, you need an inbound NACL rule on the ephemeral range; if the client is outside the VPC (you are the server), you need the outbound rule.
Lambda@Edge can insert headers onto legacy traffic.
AWS does not provide VPN software for the customer gateway side.
CloudFront signed URLs are good for individual files or when a custom client is used; signed cookies are good for multiple files without changing the URLs.
SCPs apply to the root user of member accounts (not the management account).
Use sts get-session-token with --serial-number and --token-code to get MFA-authenticated credentials from the CLI.
For a CMK with imported key material, rotation is manual: create a new CMK every year and point the key alias at it.
Parameter Store (standard tier) is more cost effective than Secrets Manager.
CloudHSM lets you copy cluster backups to other regions.
EncryptionContext provides AAD, an audit trail entry in CloudTrail, and a condition key for authorization in KMS.
SSE-C requires you to manage your own key storage.
KMS grants are good for temporarily delegating key use, e.g. to vendors.
CloudTrail digest files are always encrypted with SSE-S3, even when the trail uses SSE-KMS for the log files.
Encrypting and decrypting also needs kms:ReEncrypt*, kms:DescribeKey and kms:GenerateDataKey* permissions.
Review AWS RAM: it shares resources with other accounts.
Does the CloudWatch agent send logs via SNMP? No, it uses the public AWS APIs over HTTPS.
EC2Rescue for Windows Server for memory dumps of EC2? Yes.
Can you deny port 22 if you use Systems Manager Session Manager? Yes.
Manually rotating a key (new key, alias repointed) does not delete the old key; deleting imported key material makes that key unusable immediately.
Lambda needs kms:Encrypt and kms:Decrypt on the customer managed key to store and read encrypted environment variables.
You can store a custom SSL cert in IAM. ACM does not have a default cert.
An internet gateway is a managed service that can't be misconfigured.
If you run a CloudFormation template and the instances terminate immediately, one cause is an encrypted AMI whose KMS key you lack permission to use.
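The ephemeral-port items above (and the 1024-65535 rule from the VPC and practice-exam sections) all come from NACLs being stateless and evaluated lowest rule number first. The following added example (mine, not an AWS tool, with constructed rules) is a toy NACL evaluator that walks rules in rule-number order down to the immutable catch-all deny, and uses it to show that an instance acting as an HTTPS client gets its replies dropped until an inbound ephemeral-range rule exists, that the ephemeral rule does not accidentally open port 22, and that a low-numbered deny beats a later allow.

```python
"""Toy network ACL evaluator: stateless, rules tried in ascending rule-number
order, first match wins, '*' catch-all denies.

Added example with constructed rules and addresses; not an AWS tool.
"""
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class NaclRule:
    number: int      # 1-32766 for user rules; 32767 stands for the immutable '*' rule
    protocol: str    # 'tcp', 'udp', 'icmp' or 'all'
    port_from: int
    port_to: int
    cidr: str        # source CIDR for inbound rules, destination CIDR for outbound
    action: str      # 'allow' or 'deny'


CATCH_ALL = NaclRule(32767, "all", 0, 65535, "0.0.0.0/0", "deny")


def evaluate_nacl(rules, protocol, port, remote_ip):
    """Return (action, rule_number) of the first rule that matches."""
    for r in sorted(rules, key=lambda r: r.number) + [CATCH_ALL]:
        if r.protocol not in ("all", protocol):
            continue
        if not (r.port_from <= port <= r.port_to):
            continue
        if ipaddress.ip_address(remote_ip) not in ipaddress.ip_network(r.cidr):
            continue
        return r.action, r.number
    raise AssertionError("unreachable: the catch-all rule always matches")


def check_client_update_flow(inbound_rules, client_ephemeral_port, repo_ip):
    """An instance in the subnet is the HTTPS client (e.g. a package update).
    Outbound 443 is assumed allowed; this checks whether the reply, which
    arrives on the instance's ephemeral port, gets back in."""
    return evaluate_nacl(inbound_rules, "tcp", client_ephemeral_port, repo_ip)


# Constructed inbound rules: HTTPS from anywhere, SSH from an office range,
# but no return-traffic rule yet.
INBOUND_NO_EPHEMERAL = [
    NaclRule(100, "tcp", 443, 443, "0.0.0.0/0", "allow"),
    NaclRule(110, "tcp", 22, 22, "203.0.113.0/24", "allow"),
]

# Same, plus the ephemeral rule from the notes. 1024-65535 covers both the
# Linux (32768-60999) and Windows (49152-65535) default client port ranges.
INBOUND_WITH_EPHEMERAL = INBOUND_NO_EPHEMERAL + [
    NaclRule(120, "tcp", 1024, 65535, "0.0.0.0/0", "allow"),
]

# Rule ordering: a lower-numbered deny for one host wins over the later
# allow-from-anywhere on 443.
INBOUND_WITH_BLOCK = [NaclRule(90, "tcp", 0, 65535, "198.51.100.23/32", "deny")] + INBOUND_WITH_EPHEMERAL

if __name__ == "__main__":
    print("no ephemeral rule :", check_client_update_flow(INBOUND_NO_EPHEMERAL, 40000, "198.51.100.10"))
    print("with ephemeral rule:", check_client_update_flow(INBOUND_WITH_EPHEMERAL, 40000, "198.51.100.10"))
    print("blocked host on 443:", evaluate_nacl(INBOUND_WITH_BLOCK, "tcp", 443, "198.51.100.23"))
```

The same function models the outbound table for the server case in the notes: when clients are outside the VPC, the reply leaves on their ephemeral port, so the outbound rules need the 1024-65535 range instead.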
Chitram course:
CloudWatch Logs Insights? Search log data with Logs Insights queries.
Trusted Advisor to check service limits? Yes.
How to make sure an LB only uses certain ciphers: the load balancer's predefined SSL/TLS security policy.
Make the AMI a community AMI to share it? No; share it privately (the course's answer was RAM).
Alias vs CNAME? Use an Alias record for CloudFront. You need CloudFront in front of S3 for a custom domain over HTTPS.