While getting ready to sit the AWS Certified Security - Specialty exam, I jotted down a few notes, broken into sections corresponding to the exam domains. Here's the Infrastructure Security domain.
Each note starts with a problem/situation statement in bold, followed by either a service description or a list of practical actions to be taken in response to the stated problem.
Migrating an application from on-prem to AWS (two regions). What to do with custom SSL certs?
Import the existing certificate and private key into Certificate Manager in both regions. Assign that imported certificate to the Application Load Balancers using their respective regionally imported certificate.
You can import private certificates into Certificate Manager and assign them to all the same resources you can with generated certificates, including an ALB. Also note that Certificate Manager is a regional service so certificates must be imported in each region where they will be used.
Solution to protect your website against DDoS attacks, SQL injection and cross-site scripting attacks.
- Use AWS WAF to protect against SQL injection
- Use AWS Shield to protect against DDoS attacks
- Use AWS WAF to protect against cross-site scripting
- Use AWS WAF to protect against DDoS attacks
You would like to protect your application from attacks such as SQL injection and cross-site scripting.
- CloudFront
- AWS WAF
- Application Load Balancer
AWS WAF protects websites against SQL injection and cross-site scripting attacks. WAF is closely integrated with CloudFront and Application Load Balancer.
Configuring the bastion host.
- Limit inbound connections to the bastion host to the CIDR range that will be used by your administrators
- Deploy the bastion host in the public subnet of your VPC
- Configure your Security Group to allow inbound connections on port 22
Access to bastion hosts should be locked down to known CIDR ranges for ingress. Ports should be limited to allow only the necessary access to the bastion hosts. For Linux bastion hosts, TCP port 22 for SSH connections is typically the only port allowed. Bastion hosts are deployed in the public subnets of the VPC.
Replacing A Lost Key Pair
Stop the instance, detach its root volume and attach it to another instance as a data volume, modify the authorized_keys file, move the volume back to the original instance. Restart the instance.
If you lose the private key for an EBS-backed instance, you can regain access to your instance. You must stop the instance, detach its root volume and attach it to another instance as a data volume, modify the authorized_keys file, move the volume back to the original instance, and restart the instance.
Test failover capability of a Multi-AZ RDS instance. Initiated a reboot with failover expecting only a short outage while the standby instance was promoted and the DNS path was updated. After the failover, the DB was unreachable from the on-prem network despite being in an “Available” state.
The subnets in the subnet group did not have the same routing rules. The standby subnet did not have a valid route back to the on-prem network so the database could not be reached despite being available.
A compromised Linux based EC2 instance has initiated a DoS attack. Steps to isolate the instance and perform additional analysis.
- Update the security group to prevent all outbound traffic.
- Update the instance's security group to only allow inbound traffic on port 22 and limit incoming traffic to only your internal IP addresses for analysis.
Setting up a new VPC from scratch. Not able to reach the Amazon Linux web server instance launched in VPC from on-prem network using a web browser. You have verified the internet gateway is attached and the main route table is configured to route 0.0.0.0/0 to the internet gateway properly. What’s going on?
The instance is deployed in a subnet associated with a network ACL that only allows outbound traffic on ports 80 and 22.
For an HTTP connection to be successful, you need to allow port 80 inbound and allow the ephemeral ports outbound. Additionally, it is possible that the subnet is not associated with the route table containing the default route to the internet.
Design a solution to perform deep packet inspection.
- Use AWS Network Firewall
You can filter network traffic at the perimeter of your VPC using AWS Network Firewall. Network Firewall is a stateful, managed network firewall and intrusion detection and prevention service. Rule groups in AWS Network Firewall provide detailed criteria for packet inspection and specify what to do when a packet matches the criteria. When Network Firewall finds a match between the criteria and a packet, the packet matches the rule group and the rule's action is applied.
Implement end-to-end encryption in transit for all network communication between your users and your application servers.
- Use a Network Load Balancer and terminate TLS on the EC2 instance
Application Load Balancers load balance at the HTTP and HTTPS level. Network Load Balancers work at the TCP and TLS level. For end-to-end encryption, you need to terminate SSL/TLS on the EC2 instance and this is only possible using the Network Load Balancer or Classic Load Balancer.
Deliver content over HTTPS and users will only be able to access the website using CloudFront. In which region do you request an SSL cert?
If you want to require HTTPS between viewers and CloudFront, you must change the AWS region to US East 1 (N. Virginia) in the AWS Certificate Manager console before you request or import a certificate.
Protecting against SQL injection and cross-site scripting attacks.
AWS WAF is a web application firewall that helps protect web applications from attacks by allowing you to configure rules that allow, block, or monitor web requests based on conditions that you define. These conditions include IP addresses, HTTP headers, HTTP body, URI strings, SQL injection and cross-site scripting.
Implement a solution to help protect the website from DDoS attacks. Services to use:
- AWS Shield
- AWS WAF
- Amazon CloudFront
When attempting to protect your application against DDoS attacks, services such as Route 53, Amazon CloudFront, Elastic Load Balancing, and AWS WAF can all be used to control and absorb traffic, and deflect unwanted requests. AWS Shield is a managed Distributed Denial of Service (DDoS) protection service that safeguards applications running on AWS.
Help an IT organization meet security audit requirements imposed on them by a prospective customer.
Employ Amazon Inspector to periodically assess applications for vulnerabilities or deviations from best practices.
Most efficiently protect against SQL injection attacks.
Use AWS WAF to deny requests that contain SQL code
Website uses an S3 bucket configured as a website endpoint behind a CloudFront distribution, using a custom domain name. Make sure users are only allowed to access the website using HTTPS.
Provide a custom SSL Certificate in CloudFront and configure CloudFront to use HTTPS to get files from your S3 bucket (origin)
Stateful/stateless sec groups and ACLs.
Security Groups are stateful, so only an outbound rule is required. Network ACLs are stateless, so both an inbound and outbound rule is required. The third party will not reply using the same port, instead it will use ephemeral ports. So the Network ACL will need to allow the reply to come through using ephemeral ports.
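The two notes above (the NACL that blocks the HTTP reply, and stateful vs. stateless filtering) modelled in a small Python simulation. This is an added example, not part of the original notes; the addresses, ports and rule numbers are constructed, and it assumes the broken NACL allows port 80 inbound but only ports 80 and 22 outbound.

```python
from dataclasses import dataclass

# Constructed model (not from the original notes) of a stateless network ACL
# next to a stateful security group. Addresses and ports are made up.
ON_PREM, WEB = "203.0.113.10", "10.0.1.20"


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    direction: str  # "in" (into the subnet/instance) or "out"


def nacl_allows(rules, pkt):
    """Stateless: rules are (number, direction, (lo, hi), action), evaluated
    lowest number first; first port match wins, otherwise implicit deny."""
    for _num, direction, (lo, hi), action in sorted(rules):
        if direction == pkt.direction and lo <= pkt.dport <= hi:
            return action == "allow"
    return False


class SecurityGroup:
    """Stateful: only inbound rules exist here; the reply to a tracked
    inbound flow is allowed out without any outbound rule."""
    def __init__(self, inbound_ports):
        self.inbound_ports, self.flows = set(inbound_ports), set()

    def allows(self, pkt):
        if pkt.direction == "in" and pkt.dport in self.inbound_ports:
            self.flows.add((pkt.src, pkt.sport, pkt.dst, pkt.dport))
            return True
        return pkt.direction == "out" and \
            (pkt.dst, pkt.dport, pkt.src, pkt.sport) in self.flows


def http_roundtrip(nacl_rules, sg):
    """Browser on-prem (ephemeral source port 49152) -> port 80 on the web
    server, then the server's reply. Returns (request_ok, reply_ok)."""
    req = Packet(ON_PREM, 49152, WEB, 80, "in")
    rep = Packet(WEB, 80, ON_PREM, 49152, "out")
    req_ok = nacl_allows(nacl_rules, req) and sg.allows(req)
    rep_ok = req_ok and nacl_allows(nacl_rules, rep) and sg.allows(rep)
    return req_ok, rep_ok


# NACL from the note: inbound 80 allowed, outbound only 80 and 22.
BROKEN_NACL = [(100, "in", (80, 80), "allow"),
               (100, "out", (80, 80), "allow"), (110, "out", (22, 22), "allow")]
# Fix: also allow the ephemeral port range outbound so the reply gets out.
FIXED_NACL = BROKEN_NACL + [(120, "out", (1024, 65535), "allow")]

if __name__ == "__main__":
    print("broken:", http_roundtrip(BROKEN_NACL, SecurityGroup([80])))  # (True, False)
    print("fixed: ", http_roundtrip(FIXED_NACL, SecurityGroup([80])))   # (True, True)
```

The security group in both runs has no outbound rule at all, yet the reply passes it once the NACL lets it through, which is the stateful/stateless difference the note describes.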
Auto patches of Windows Server EC2 instance.
Make use of Patch Manager and the AWS-DefaultPatchBaseline pre-defined baseline
The default predefined patch baseline for Windows servers in Patch Manager is AWS-DefaultPatchBaseline.
Bucket policy keys used in a conditional to test for encrypted connections.
- aws:SecureTransport
The key aws:SecureTransport can be used in a condition statement to determine whether the connection is encrypted (for example, Condition: {Bool: {aws:SecureTransport: true}}).
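A worked bucket policy built around that key, plus a minimal evaluator for the Bool condition, as an added example that is not part of the original notes. The bucket name is a placeholder, and the evaluator checks only Effect and Condition; it uses the Deny-when-false form, which is how the key is normally applied to force TLS.

```python
import json

# Constructed bucket policy (not from the original notes); "example-bucket"
# is a placeholder. The Deny/"false" form is the usual hardening pattern:
# anything not arriving over TLS is refused, whatever other Allows exist.
BUCKET_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{
        "Sid": "DenyInsecureTransport",
        "Effect": "Deny",
        "Principal": "*",
        "Action": "s3:*",
        "Resource": ["arn:aws:s3:::example-bucket",
                     "arn:aws:s3:::example-bucket/*"],
        "Condition": {"Bool": {"aws:SecureTransport": "false"}},
    }],
}


def bool_condition_matches(condition, context):
    """Evaluate the Bool operator the way IAM does: every listed key must be
    present in the request context and equal the expected value
    (case-insensitive). A missing key means the condition does not match."""
    for key, expected in condition.get("Bool", {}).items():
        actual = context.get(key)
        if actual is None or str(actual).lower() != str(expected).lower():
            return False
    return True


def request_denied(policy, context):
    """True if any Deny statement's condition matches the request context.
    Simplified evaluator: Principal/Action/Resource matching is omitted."""
    return any(stmt["Effect"] == "Deny"
               and bool_condition_matches(stmt.get("Condition", {}), context)
               for stmt in policy["Statement"])


if __name__ == "__main__":
    print(json.dumps(BUCKET_POLICY, indent=2))
    # S3 sets aws:SecureTransport from the connection: "true" only for HTTPS
    print("plain HTTP denied:", request_denied(BUCKET_POLICY, {"aws:SecureTransport": "false"}))
    print("HTTPS denied:     ", request_denied(BUCKET_POLICY, {"aws:SecureTransport": "true"}))
```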
Protect your website against DDoS attacks, SQL injection and cross-site scripting attacks. Services to be used:
- Use AWS WAF to protect against SQL injection
- Use AWS WAF to protect against DDoS attacks
- Use AWS WAF to protect against cross-site scripting
- Use AWS Shield to protect against DDoS attacks
AWS Shield protects against DDoS, AWS WAF protects against SQL injection and cross-site scripting. AWS WAF rules can block common web-based attacks.