-
How would you find evidence of malicious activity within the services like AWS EBS, Application using Lambda etc.
This is to check if the person have experience with GuardDuty, CloudTrail, Config and have worked on any such malicious activities in past. If so, what all he/she did.
-
CloudTrail vs CloudWatch and explain in depth from security perspective.
Person has to work on CloudTrail functionalities more often and has to be good at incident/event analysis. Also, to check whether an interviewee is aware about CloudWatch.
-
How IMDSv1 is vulnerable to SSRF, explain.
There are many org wide admins, developers of whoever launch instance, by default AWS creates v1 reference. This can lead to key stealing, privilege escalation etc. through SSRF or sometimes even through curl commands. Is person aware of IMDSv1 and how IMDSv2 solves SSRF issue.
- Did you implement IMDSv2 and how it fixed SSRF?
References:
- https://medium.com/@shurmajee/aws-enhances-metadata-service-security-with-imdsv2-b5d4b238454b
- https://www.cyberbit.com/blog/uncategorized/aws-imds-v2-secures-ssrf-vulnerability/
- https://www.accurics.com/blog/security-blog/aws-cloud-security-protect-ssrf/
- https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/configuring-instance-metadata-service.html
- https://aws.amazon.com/blogs/security/defense-in-depth-open-firewalls-reverse-proxies-ssrf-vulnerabilities-ec2-instance-metadata-service/
- https://blog.appsecco.com/an-ssrf-privileged-aws-keys-and-the-capital-one-breach-4c3c2cded3af
- https://www.youtube.com/watch?v=2B5bhZzayjI (re:Invent SEC310)
- How logs are stored in AWS and how you can monitor those?
- Can you analyse and explain risk and security issues for ElasticSearch services?
- When should you use TGW? is there any security improvement for using this?
- Should we expose Database access publicly or to web application directly?
- Can you help me to understand the security posture for Wordpress site being hosted in AWS?
- Do you have experience in AWS services security design and enforcement review or documentation?
- What issue you see when any API endpoint is exposed to public?
- There is a security group names as default and have port 22, 25, 53, 80,443, 3679, 3306, 9001. Do you see any issue here?
- Have you worked on Backup security and monitoring. Can you explain?
- We want to enable SSO and integrate a tool call Trello in our AWS environment where other applications are hosted. What security posture you think we should work on to keep everything secured?
- How the security alerts of AWS resources being captured and sent to security people automatically?
- Have you worked on GuardDuty? It has lots of false positives. Do you have any suggestions to reduce false positives.
- Can you explain how to use and when to use Access key id and Principal id with one example?
- What are the different data sources for GuardDuty?
- What are the various options/features you have worked in GuardDuty?
- I need to get an alert to slack/mail, whenever my backend APIs start giving 5xx in CloudWatch, how would you achieve that?
- RTO (Recovery Time Objective) vs RPO (Recovery Point Objective)
- You are trying to SSH into an EC2 instance but it is failing.
- Explain below IAM policy:
As a Cloud Security Engineer, you would need to work on reviewing and inspecting IAM policies time to time. Main idea behind asking such question is to check if you are ok with IAM policies and know the basic idea about effect, resource, condition etc.
{
"Version": "2012-10-17",
"Statement": [{
"Sid": "DenyAllUsersNotUsingMFA",
"Effect": "Deny",
"NotAction": "iam:*",
"Resource": "*",
"Condition": {"BoolIfExists":
{"aws:MultiFactorAuthPresent": "false"}
}
}]
}- Explain below policy. What's wrong with this policy
{
"Version": "2012-10-17",
"Statement": {
"Effect": "Deny",
"Action": "s3:*",
"NotResource": [
"arn:aws:s3:::HRBucket/Payroll",
"arn:aws:s3:::HRBucket/Payroll/*"
]
}
}- What comes in your mind when a service need cross account access?
- How do you secure data transfer in transit?
- Do you agree that we need to enable data encryption at rest by default?
###Scenario 1 (Lambda, SES and config rules) : Task is to create lambda function for config rules and send email using SES. I have multi account and one of the account is for organization level aggregator. Using that org aggregator account write a lambda function to retrieve all non-compliant config rules based on each aggregator. I wanted to have a list which has the following results
Aggregator name = AggregatorTest OrgConfigRule – VPCFlowlog-o30sfig, Non_complaint, Acc No: 23135134235 Account id, Resource id, Resource type, AWS Region Account id, Resource id, Resource type, AWS Region
So above we have an email configured for aggregator test and then got the list of all OrgConfigRule then after that whatever resources are there for that org config rule you need to list out and then send email to users using SES.
- Data integrity for cloudtrail logs
- How to get unencrypted EBS volume(s) in an easy way: config -> filter
- cloudwatch -> metrics filter
- EC2 vulnerability patch management in automated way
- What checks AWS Inspector does to figure out instance vulnerabilities
- KMS key usage: s3 bucket, file download but can’t see the object. what solution do you propose
- CMK keys auto-renew solution after 3 month (key rotation): cloudwatchevent to check it
- What comes to your mind when you have to secure RDS instance?
- When encryption by default is not enough?
- Would you suggest key rotation? why and what should be the rotation period? Justify.
- Let's say an event is triggered and lambda does something. To make sure it works what you check in IAM
A non-decreasing number list is given and a target number. You need to print if target number exists in the list or print the most nearest number to the target number
- What are the top 3 things you would do if you are working on CSPM tool from the scratch.
- What and how you check if AWS resource is deployed/implemented over encrypted communication/channel.
- How do you make sure everyone in the organisation follow AWS security guideline while working with AWS Services?
You can help us to add more questions or even suggest any edits. Kind gesture to help the community is always welcome.