AWS Certified Security – Specialty Interview Question-1

Which AWS services allow native encryption of data at rest?

  • EBS, S3 and EFS are AWS services that allow native encryption of data at rest.
  • All allow the user to configure encryption at rest.
  • They can use either the AWS Key Management Service (KMS) or customer provided keys.
  • The exception is ElastiCache for Memcached, which does not offer native encryption, whereas ElastiCache for Redis does.
  • AWS Snowball encrypts data at rest by default as well.

Explain about Amazon Macie.

  • Amazon Macie is a security monitoring tool that utilizes AWS’s AI engine for continuous analysis and content classification in Amazon S3 buckets.
  • It can identify PII in S3 buckets.
  • Macie doesn’t automatically prevent data from leaving protected zones, but you can receive notifications when that happens.
  • It can detect when large quantities of business-critical documents are shared – both internally and externally.
  • It uses NLP methods to understand data.

Alex is working at a banking company in the United States and needs to create an S3 bucket to act as a repository for highly sensitive company accounting information. All data at rest must be encrypted, and the key's cryptographic material must be rotated at least once a year. How can Alex achieve this?

Alex can use a customer managed CMK with yearly rotation enabled. KMS optionally rotates a customer managed CMK automatically every year. Procedure in the console:

  1. Log in to the AWS Management Console at [].
  2. Open the Amazon KMS console.
  3. In the left navigation pane, select customer managed keys.
  4. Select the customer master key (CMK) in scope.
  5. Navigate to the Key Rotation tab.
  6. Select Rotate this key every year.
  7. Click Save.

CLI Command

Enable key rotation for the key with the following CLI command:

aws kms enable-key-rotation --key-id <kms_key_id>

John is using Glacier to store historical data (retention period 10 years) with a vault lock policy to protect the data. Now his boss has asked him to reduce the retention period for these historical files to only 5 years. How can he do this within one week?

S3 Glacier enforces the controls set in the vault lock policy for data retention. Once the policy is locked, it can no longer be changed, so it is not possible to reduce the retention period from 10 years to 5 years. You cannot change the vault lock once it is activated.

How will you limit the use of your KMS master key to only allow requests which come from S3?

We can use the kms:ViaService condition key. The kms:ViaService condition key limits use of an AWS KMS customer master key (CMK) to requests that come from specified AWS services: access is filtered based on the service through which the request is made.
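As an added example (not from the page or AWS), the policy below grants an application role cryptographic use of a CMK only when the call arrives through S3, and a simplified evaluator shows why a direct KMS call by the same role is denied. The region, account id and role name are placeholders.

```python
import json

# Placeholder values (assumptions, not from the page): use your own region, account and role.
REGION = "us-east-1"
ACCOUNT_ID = "111122223333"
APP_ROLE = f"arn:aws:iam::{ACCOUNT_ID}:role/app-role"
S3_SERVICE = f"s3.{REGION}.amazonaws.com"


def s3_only_key_policy():
    """Key policy: root keeps administration; the app role may use the key only via S3."""
    return {
        "Version": "2012-10-17",
        "Statement": [
            {"Sid": "EnableRootAdministration", "Effect": "Allow",
             "Principal": {"AWS": f"arn:aws:iam::{ACCOUNT_ID}:root"},
             "Action": "kms:*", "Resource": "*"},
            {"Sid": "AllowUseOnlyViaS3", "Effect": "Allow",
             "Principal": {"AWS": APP_ROLE},
             "Action": ["kms:Encrypt", "kms:Decrypt", "kms:GenerateDataKey*", "kms:DescribeKey"],
             "Resource": "*",
             # KMS sets kms:ViaService only when a service calls on the caller's behalf
             "Condition": {"StringEquals": {"kms:ViaService": S3_SERVICE}}},
        ],
    }


def policy_json():
    """Document in the form passed to `aws kms put-key-policy --policy file://...`."""
    return json.dumps(s3_only_key_policy(), indent=2)


def _action_matches(pattern, action):
    """IAM-style match: a trailing '*' in the pattern is a prefix wildcard."""
    return action.startswith(pattern[:-1]) if pattern.endswith("*") else pattern == action


def is_allowed(policy, principal, action, via_service=None):
    """Simplified evaluation of one request. via_service is the kms:ViaService context
    value, or None for a direct KMS API call; StringEquals on an absent key fails."""
    for st in policy["Statement"]:
        actions = st["Action"] if isinstance(st["Action"], list) else [st["Action"]]
        if st["Effect"] != "Allow" or st["Principal"]["AWS"] != principal:
            continue
        if not any(_action_matches(a, action) for a in actions):
            continue
        wanted = st.get("Condition", {}).get("StringEquals", {}).get("kms:ViaService")
        if wanted is not None and via_service != wanted:
            continue
        return True
    return False
```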

Where can we use aws:ResourceTag/${TagKey} Condition keys in AWS Key Management Service?

It filters access to the specified AWS KMS operations based on the tags assigned to the customer master key.

Where can you use kms:EncryptionAlgorithm condition key?

You can use the kms:EncryptionAlgorithm condition key to control access to cryptographic operations based on the encryption algorithm that is used in the operation.

What happens if the CMK's key material is deleted and you no longer have access to any of your encrypted files? How can you fix this?

If you have the same key material that was originally imported into the CMK then you can re-import the same key material to your CMK. If you delete the key material, the CMK’s key state changes to pending import, and the CMK becomes unusable. To use the CMK again, you must reimport the same key material. You cannot import the key material into a different key or import different key material.

You have created a vault lock policy which is now in an in-progress state. Later on you decided to alter the policy. How can you update the policy?

We can abort the lock and start again.

  • After the vault lock enters the in-progress state, you have 24 hours to complete the lock.
  • If you don’t complete the vault lock process within 24 hours then your vault automatically exits the in-progress state, and the vault lock policy is removed.
  • While the lock is in progress, if it does not work as expected, you can abort the lock and restart.

Why do you need to rotate the CMK every three months?

You can rotate CMK keys according to your own schedule using a customer managed CMK. An AWS managed or AWS owned CMK does not give you the option to rotate according to your own schedule. AWS managed keys automatically rotate once every three years.

You encrypted data using KMS. Your manager asks you to create a key which can be automatically rotated once per year. How will you complete this task?

We can use a CMK managed by you. A customer managed CMK supports automatic key rotation once per year. AWS managed keys automatically rotate once every three years. Automatic key rotation is not available for CMKs that have imported key material. We can choose to have AWS KMS automatically rotate CMKs every year, provided that those keys were generated within AWS KMS HSMs. Automatic key rotation is not supported for imported keys, asymmetric keys, or keys generated in an AWS CloudHSM cluster using the AWS KMS custom key store feature.
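The rules in this answer and in the key-rotation procedure above translate into an audit: list every key, skip the ones that cannot be auto-rotated (AWS managed, imported material, CloudHSM key store, asymmetric), and flag or fix the rest. This is an added example, not AWS code; it assumes a boto3-style KMS client (`boto3.client("kms")` or a fake with the same method shapes) passed in by the caller.

```python
# Added example (not AWS or page code). Assumes a boto3-style KMS client exposing
# list_keys, describe_key, get_key_rotation_status and enable_key_rotation.


def classify_key(meta):
    """Map KeyMetadata to 'rotatable' or the reason automatic rotation is unavailable."""
    if meta.get("KeyManager") == "AWS":
        return "aws-managed"       # rotated on AWS's schedule, not yours
    if meta.get("Origin") == "EXTERNAL":
        return "imported"          # imported key material: no automatic rotation
    if meta.get("Origin") == "AWS_CLOUDHSM":
        return "cloudhsm"          # custom key store: no automatic rotation
    spec = meta.get("KeySpec") or meta.get("CustomerMasterKeySpec")
    if spec != "SYMMETRIC_DEFAULT":
        return "asymmetric"        # asymmetric keys cannot be auto-rotated
    return "rotatable"


def iter_key_ids(kms):
    """Yield every key id, following list_keys pagination (Truncated / NextMarker)."""
    kwargs = {}
    while True:
        page = kms.list_keys(**kwargs)
        for key in page["Keys"]:
            yield key["KeyId"]
        if not page.get("Truncated"):
            return
        kwargs = {"Marker": page["NextMarker"]}


def audit_rotation(kms, remediate=False):
    """Return {key_id: 'enabled' | 'disabled' | 'fixed' | reason it was skipped}."""
    report = {}
    for key_id in iter_key_ids(kms):
        kind = classify_key(kms.describe_key(KeyId=key_id)["KeyMetadata"])
        if kind != "rotatable":
            report[key_id] = kind
        elif kms.get_key_rotation_status(KeyId=key_id)["KeyRotationEnabled"]:
            report[key_id] = "enabled"
        elif remediate:
            kms.enable_key_rotation(KeyId=key_id)   # same call as the CLI command above
            report[key_id] = "fixed"
        else:
            report[key_id] = "disabled"
    return report
```

Run with `remediate=False` first and review the 'disabled' entries before enabling rotation, since rotation changes which backing key encrypts new data.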

Which AWS services support Parameter Store?

CloudFormation, Lambda and EC2 (amongst others) all natively support the Systems Manager Parameter Store. AWS Systems Manager Parameter Store provides secure, hierarchical storage for configuration data and secrets management.

Explain AWS Artifact.

  • AWS Artifact is a central resource for compliance-related information that matters to you. It provides on-demand access to AWS' security and compliance reports and select online agreements.
  • It provides on-demand downloads of AWS security and compliance documents, such as AWS ISO certifications, Payment Card Industry (PCI), and Service Organization Control (SOC) reports.
  • You can also use these documents as guidelines to evaluate your own cloud architecture and assess the effectiveness of your company’s internal controls.
  • Consider an auditor reviewing your process documentation for a Payment Card Industry (PCI) audit. Because you store cardholder data in the AWS Cloud, the auditor would like to review AWS's PCI DSS Attestation of Compliance and Responsibility. In this case, we can share it from AWS Artifact.

What is a customer managed CMK and where can you use it?

  • A customer master key (CMK) is a logical representation of a master key.
  • The CMK includes metadata, such as the key ID, creation date, description, and key state.
  • The CMK also contains the key material used to encrypt and decrypt data.
  • When you specify a customer-managed key, that key is used to protect and control access to the key that encrypts your data.
  • Customer-managed keys offer greater flexibility to manage access controls.
  • Customer managed CMKs have key policies that can be used to specify permissions for cryptographic functionality (encrypt, decrypt, re-encrypt, etc.) or administrative functionality (revoke, update, delete, etc.).
  • AWS managed CMKs use a default key policy which cannot be modified or updated.
  • Creating symmetric CMKs
    • To change the AWS Region, use the Region selector in the upper-right corner of the page.
    • In the navigation pane, choose Customer managed keys.
    • Choose Create key.
    • To create a symmetric CMK, for Key type choose Symmetric. …
    • Choose Next.
    • Type an alias for the CMK.
  • Suppose product management requires the ability to encrypt and decrypt large amounts of data for a new client using an encryption key. We can use customer managed CMKs, which provide a way to control access to the key's functionality depending on whether the user of the key requires administrative or cryptographic access.

What is the role of CloudTrail in cloud security?

AWS CloudTrail is a web service that records activity made on your account and delivers log files to your Amazon S3 bucket. It is recommended to use a dedicated S3 bucket for CloudTrail logs. When you apply a trail to all regions, CloudTrail uses the trail that you create in a particular region to create trails with identical configurations in all other regions in your account. To determine whether a log file was modified, deleted, or unchanged after CloudTrail delivered it, you can use CloudTrail log file integrity validation.

You are an AWS certified cloud security engineer on a US-based project and your manager asks you to propose a solution to trace all changes made to the AWS infrastructure. How will you do this?

  • You can give the security team permission to make changes in CloudTrail.
  • You can enable CloudTrail in all AWS regions and send the logs to an S3 bucket.
  • You can then grant read-only access to the security team members.
  • The security team can then review the logs.

You are working as an AWS engineer on your project. You receive a service ticket from a client and notice that data events for Lambda and S3 are not available in Amazon CloudWatch Events. What could be the reason for this?

  • Step 1: Check whether your Lambda function and S3 resources have been added to a CloudTrail trail.
  • Step 2: Remember that data events are not logged by default.
  • Data events provide visibility into the resource operations performed on or within a resource.
  • Data events are not logged by default when you create a trail. To record CloudTrail data events, you must explicitly add the supported resources or resource types for which you want to collect activity to a trail.

You are working as an AWS engineer and monitoring logs. After analysis, you find that the log data contains security alerts and critical warnings. The application is critical for your company, and your manager wants to be informed immediately if the logs contain any security-related messages. How can you resolve this?

We can configure the application to deliver its logs to CloudWatch Logs and then use a custom metric filter to trigger alarms and notifications.

How will you use CloudWatch to monitor logs?

  • When the CloudWatch dashboard appears, click the Logs option, then click the number of metric filters displayed within your log group.
  • You can use CloudWatch Logs to monitor applications and systems using log data.
  • For example, you can monitor application logs for specific literal terms, or count the number of occurrences of a literal term at a particular position in log data. When the term you are searching for is found, CloudWatch Logs reports the data to a CloudWatch metric that you specify.
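The metric-filter approach from the two answers above, as an added example that is not from the page or AWS: a subset of the CloudWatch Logs term syntax (plain term = required, `?term` = any of, `-term` = excluded, quoted phrases) is matched against constructed sample lines, summed into the metric value an alarm would evaluate, and the matching `put_metric_filter` arguments are assembled. The log group name and metric names are assumptions.

```python
import shlex

# Constructed sample log lines (not from the page) in the form an application might emit.
SAMPLE_LOG = [
    "2024-05-01T10:00:01Z INFO  request served /login 200",
    "2024-05-01T10:00:02Z SECURITY ALERT repeated failed logins for one account",
    "2024-05-01T10:00:03Z CRITICAL certificate expires in 2 days",
    "2024-05-01T10:00:04Z CRITICAL HEALTHCHECK synthetic probe, ignore",
    "2024-05-01T10:00:05Z WARN  slow query 1200ms",
]
# Term syntax: ?term = any-of, plain term = required, -term = excluded, "..." = phrase.
SECURITY_PATTERN = '?"SECURITY ALERT" ?CRITICAL -HEALTHCHECK'


def parse_pattern(pattern):
    """Split a filter pattern into (required, excluded, any_of) term lists."""
    required, excluded, any_of = [], [], []
    for tok in shlex.split(pattern):
        if tok.startswith("-"):
            excluded.append(tok[1:])
        elif tok.startswith("?"):
            any_of.append(tok[1:])
        else:
            required.append(tok)
    return required, excluded, any_of


def matches(pattern, line):
    """Case-sensitive substring matching, as CloudWatch Logs applies to unstructured logs."""
    required, excluded, any_of = parse_pattern(pattern)
    if any(t in line for t in excluded):
        return False
    if any(t not in line for t in required):
        return False
    return not any_of or any(t in line for t in any_of)


def evaluate(pattern, lines, threshold=1):
    """Sum matching events (metricValue '1' each) and decide the alarm state."""
    value = sum(1 for line in lines if matches(pattern, line))
    return {"metric_value": value, "alarm": value >= threshold}


def metric_filter_request(log_group, pattern=SECURITY_PATTERN):
    """Keyword arguments for boto3 logs.put_metric_filter (real parameter names)."""
    return {
        "logGroupName": log_group,
        "filterName": "security-messages",
        "filterPattern": pattern,
        "metricTransformations": [{"metricName": "SecurityMessages",
                                   "metricNamespace": "App/Security", "metricValue": "1"}],
    }
```

A CloudWatch alarm on `App/Security` `SecurityMessages` with statistic Sum and threshold 1 over one period then notifies an SNS topic whenever the metric value is non-zero.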

You have been asked to design a solution to perform deep packet inspection in client project, what can you use?

A third party solution

AWS does not provide any deep packet inspection capability. They suggest that third-party software can be used to provide additional functionality such as deep packet inspection, IPS/IDS, or network threat protection. 

How will you protect your website against DDoS attacks, SQL injection and cross-site scripting attacks? Which services do you recommend?

  • We can use AWS WAF to protect against SQL injection
  • We can use AWS WAF to protect against cross-site scripting
  • We can use AWS Shield to protect against DDoS attacks
  • AWS Shield protects against DDoS, AWS WAF protects against SQL injection and cross-site scripting.

If you have lost your private key for connecting to an EC2 instance, what do you need to do in order to access your instance?

  • If you lose the private key for an EBS-backed instance, you can regain access to your instance.
  • You must stop the instance, then detach its root volume and attach it to another instance as a data volume.
  • Modify the authorized_keys file, move the volume back to the original instance, and restart the instance.

How will you investigate whether unrestricted SSH access is enabled to any of your EC2 instances?

Trusted Advisor checks security groups for rules that allow unrestricted access to specific ports. AWS Config can alert you to any modifications to a security group but will not perform a check for unrestricted access.
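The check Trusted Advisor performs can be reproduced over the output of `describe-security-groups`, as in this added example (not AWS or page code): a rule counts as unrestricted when it reaches the port over tcp or all protocols from 0.0.0.0/0 or ::/0. `SAMPLE_GROUPS` is constructed data in the API's shape.

```python
# Added example, not AWS or page code. Input is the shape of
# ec2.describe_security_groups()["SecurityGroups"]; SAMPLE_GROUPS is constructed.
SAMPLE_GROUPS = [
    {"GroupId": "sg-0001", "GroupName": "bastion", "IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
         "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": []}]},
    {"GroupId": "sg-0002", "GroupName": "app", "IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
         "IpRanges": [{"CidrIp": "10.0.0.0/8"}], "Ipv6Ranges": []}]},
    {"GroupId": "sg-0003", "GroupName": "wide-open", "IpPermissions": [
        {"IpProtocol": "-1", "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": []}]},
    {"GroupId": "sg-0004", "GroupName": "range", "IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 20, "ToPort": 25,
         "IpRanges": [], "Ipv6Ranges": [{"CidrIpv6": "::/0"}]}]},
]

ANY_ADDRESS = {"0.0.0.0/0", "::/0"}


def open_sources(rule, port):
    """Unrestricted CIDRs in one inbound rule that reach `port` over tcp or all protocols."""
    proto = rule.get("IpProtocol")
    if proto == "tcp":
        if not rule.get("FromPort", 0) <= port <= rule.get("ToPort", 65535):
            return []
    elif proto != "-1":            # udp, icmp or another specific protocol: not ssh
        return []
    cidrs = [r["CidrIp"] for r in rule.get("IpRanges", [])]
    cidrs += [r["CidrIpv6"] for r in rule.get("Ipv6Ranges", [])]
    return [c for c in cidrs if c in ANY_ADDRESS]


def unrestricted_groups(groups, port=22):
    """{GroupId: [open CIDRs]} for groups that expose `port` to the whole internet."""
    findings = {}
    for g in groups:
        srcs = [c for r in g.get("IpPermissions", []) for c in open_sources(r, port)]
        if srcs:
            findings[g["GroupId"]] = srcs
    return findings
```

Port ranges and all-protocol rules are the cases a port-equals-22 grep misses, which is why the sample includes both.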