-
What are some best practices for securing an AWS account? Answer: Best practices include enabling multi-factor authentication (MFA), using strong passwords, regularly reviewing IAM policies, and monitoring account activity.
-
What is AWS IAM Access Analyzer and how can it help in securing an AWS account? Answer: IAM Access Analyzer analyzes resource policies to help you understand who can access your resources and how, allowing you to make informed decisions about access.
-
What are some security considerations for AWS Elastic Load Balancers (ELBs)? Answer: Considerations include configuring security groups, using SSL/TLS for secure communication, and enabling access logs for monitoring.
-
How can you restrict access to an AWS Application Load Balancer (ALB) based on IP address? Answer: You can configure an ALB to allow or deny traffic based on IP addresses by using security groups / Network ACLs or AWS WAF rules.
-
What is the purpose of SSL termination on a load balancer? Answer: SSL termination offloads the SSL decryption process from the backend servers to the load balancer, improving performance and reducing the server's CPU usage.
-
What are some best practices for securing applications hosted on AWS? Answer: Best practices include regular security patching, implementing WAF rules, using security groups and NACLs, and monitoring application logs.
-
What is AWS WAF and how does it help in securing web applications? Answer: AWS WAF is a web application firewall that helps protect web applications from common web exploits. It can filter and monitor incoming web traffic to your application. You can protect against vulnerabilities like SQL injection, XSS, and CSRF attacks by implementing security measures such as input validation, output encoding, and using security headers.
-
What is a Web ACL in AWS WAF? Answer: A Web ACL is a set of rules that define the conditions under which a web application firewall allows or blocks requests to your application.
-
What is the benefit of using AWS Managed Rules with AWS WAF? Answer: AWS Managed Rules are pre-configured rulesets provided by AWS that can help protect your web applications from common threats without the need for manual rule creation.
-
What is AWS Shield and how does it help protect against DDoS attacks? Answer: AWS Shield is a managed Distributed Denial of Service (DDoS) protection service that safeguards applications running on AWS against network and transport layer attacks.
-
How does AWS Shield protect against network and transport layer DDoS attacks? Answer: AWS Shield provides always-on network flow monitoring, near real-time attack visibility, and automatic traffic anomaly detection and mitigation.
-
What is the difference between AWS Shield Standard and AWS Shield Advanced? Answer: Shield Standard provides protection against most common and frequent DDoS attacks. Shield Advanced provides enhanced protection, including additional DDoS mitigation capacity and 24x7 access to the AWS DDoS Response Team (DRT).
-
How can you use Amazon CloudFront to enhance the security of your web applications? Answer: CloudFront can be used to distribute content securely through HTTPS, implement geo-restriction, and integrate with AWS WAF to protect against web application attacks.
-
What is Origin Access Identity (OAI) in Amazon CloudFront? Answer: OAI is a virtual identity that you can use to grant CloudFront permission to fetch private content from an S3 bucket.
-
How can you configure CloudFront to prevent hotlinking of your content? Answer: You can configure CloudFront to check the referrer header and only serve content to requests that originate from your specified domains.
-
What is the purpose of CloudFront signed URLs and cookies? Answer: CloudFront signed URLs and cookies provide a way to control access to your content by requiring viewers to use a special URL or include special information in their request.
-
What is AWS Key Management Service (KMS) and what is its purpose? Answer: AWS Key Management Service (KMS) is a managed service that makes it easy to create and control encryption keys for your applications. It helps you protect sensitive data.
-
How does AWS KMS help in securing data at rest in AWS services like S3 and EBS? Answer: AWS KMS allows you to create and manage encryption keys that can be used to encrypt data at rest in services like S3 and EBS, providing an additional layer of security.
-
What is an AWS KMS Customer Master Key (CMK)? Answer: An AWS KMS Customer Master Key (CMK) is a logical key that represents a top-level encryption key. It can be used to encrypt and decrypt data, and it's managed by AWS KMS.
-
What is envelope encryption and how does AWS KMS use it? Answer: Envelope encryption is a method where a data encryption key is used to encrypt data, and then the data encryption key itself is encrypted using a master key. AWS KMS uses this approach to secure data.
-
Can you explain the difference between AWS managed keys (AWS managed CMKs) and customer managed keys (CMKs)? Answer: AWS managed keys are created, managed, and used by AWS services on your behalf. Customer managed keys (CMKs) are created, managed, and used by you within AWS KMS.
-
How can you rotate a Customer Master Key (CMK) in AWS KMS? Answer: You can enable automatic key rotation for a CMK, and AWS KMS will automatically rotate the backing key material. Alternatively, you can manually rotate a CMK.
-
What is AWS KMS grants and how do they work? Answer: A grant in AWS KMS is a way to delegate permissions to use a customer managed key (CMK) in specific ways. Grants are used to allow other AWS identities or services to use the key.
-
How does AWS KMS integrate with AWS services like S3 and EBS for encryption? Answer: AWS services like S3 and EBS can interact with AWS KMS to request encryption keys for encrypting data at rest. AWS KMS then returns the appropriate encryption key.
-
What is AWS CloudHSM and how can it enhance security for sensitive data in AWS? Answer: AWS CloudHSM is a hardware security module (HSM) that provides secure cryptographic key storage. It can be used to protect sensitive data and meet compliance requirements.
-
How can you encrypt data in an Amazon RDS database? Answer: You can enable encryption at rest when creating a new RDS instance, or modify an existing instance to enable encryption. AWS RDS uses AWS KMS to manage the encryption keys.
-
What is AWS SSM Parameter Store and how can it be used for secret management? Answer: AWS Systems Manager (SSM) Parameter Store is a service that provides secure, hierarchical storage for configuration data management and secrets management. It can be used to store sensitive information securely.
-
How do you handle security incidents and breaches in an AWS environment? Answer: Establish an incident response plan, monitor for unusual activity, and have procedures in place to investigate and mitigate security incidents.
-
How can you secure sensitive information like API keys and passwords in your applications deployed on AWS? Answer: You can use AWS Secrets Manager or AWS Systems Manager Parameter Store to securely store and retrieve sensitive information.