AWS Advanced Networking Cram Sheet: Security Validation & Auditing
Validate and audit security by using network monitoring and logging services
This cram sheet focuses on Domain 4.2: Validating and auditing security via network monitoring and logging. In the AWS Specialty exam, this section tests your ability to choose the right tool for deep packet inspection versus metadata analysis and how to aggregate logs across multi-account architectures.
1. Topic Weighting
- Exam Domain: Domain 4: Security, Compliance, and Governance
- Total Domain Weight: 18%
- Task 4.2 Relative Importance: High. Expect 5–7 questions specifically on log analysis, Traffic Mirroring, and CloudWatch automation.
2. Key Concepts Summary
The Security Monitoring Trinity
- VPC Flow Logs: Captures IP traffic metadata (Src/Dest IP, Port, Protocol, Action, Status). No packet payloads. Useful for: "Why is my security group dropping traffic?"
- VPC Traffic Mirroring: Copying actual TCP/UDP/ICMP packets from an ENI to a security appliance. Full packet inspection. Useful for: IDS/IPS, deep protocol analysis.
- AWS CloudTrail: Records every API call (Console, CLI, SDK). Useful for: "Who deleted my Peering Connection?"
Analysis Tools
- Amazon Athena: Query logs stored in S3 using standard SQL.
- CloudWatch Logs Insights: Fast, interactive queries for logs stored in CloudWatch.
- AWS Config: Tracks configuration changes (e.g., "When did this SG change from port 80 to 0.0.0.0/0?").
Visual Overview of Log Flow (diagram not reproduced in this text version)
3. Common Pitfalls
- Flow Logs vs. Traffic Mirroring: Do not choose Flow Logs if the question asks to detect a specific malware signature inside a payload; Flow Logs don't see payloads.
- Service-Linked Logs: Remember that Route 53 Resolver Logs and Global Accelerator Flow Logs are separate from standard VPC Flow Logs.
- Log Latency: CloudWatch Logs are not strictly real-time; there is a delivery delay (typically < 5 mins). For sub-second response, use Kinesis Data Streams.
- Rejected Traffic: If traffic is rejected by a Security Group, it shows as `REJECT` in Flow Logs. If it's accepted by the SG but rejected by a Network ACL, it still shows as `REJECT` but with different context.
4. Mnemonics / Memory Triggers
- F.L.O.W.: Find Layer Output Weakness (Metadata-focused).
- M.I.R.R.O.R.: Manage Inspection Real-time Raw (Full packet).
- Trail is the Tale: CloudTrail tells the story of who did what to the infrastructure.
- Config is the Camera: Takes snapshots of resource states over time.
5. Formula / Equation Sheet
VPC Flow Log Format (Version 2+)
Standard format includes: ${version} ${account-id} ${interface-id} ${srcaddr} ${dstaddr} ${srcport} ${dstport} ${protocol} ${packets} ${bytes} ${start} ${end} ${action} ${log-status}
| Feature | VPC Flow Logs | Traffic Mirroring |
|---|---|---|
| OSI Layer | Layer 3 / 4 (Metadata) | Layer 2 (L3/L4/L7 Payload) |
| Throughput Impact | Negligible | Can impact ENI bandwidth limits |
| Target | S3, CloudWatch, Kinesis | ENI, NLB (UDP 4789) |
| Format | Text/Gzip | VXLAN encapsulated packets |
6. Worked Examples
Problem: Investigating an Unauthorized Data Exfiltration
Scenario: A database instance is suspected of sending data to a malicious external IP.
Steps to Validate:
- Enable VPC Flow Logs: Filter for the ENI of the Database instance.
- Query Athena: Use SQL to find the top `dstaddr` (Destination IP) sorted by `bytes`:

```sql
SELECT dstaddr, sum(bytes) AS total_bytes
FROM vpc_flow_logs
GROUP BY dstaddr
ORDER BY total_bytes DESC;
```

- Cross-reference CloudTrail: Check for any `AuthorizeSecurityGroupEgress` events to see who opened the outbound rule that allowed this traffic.
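The same aggregation the Athena query performs, carried out offline on the version 2 record format from section 5. This is an added example, not part of the original cram sheet; the log lines are constructed and the ENI/account IDs are placeholders.

```python
"""Parse VPC Flow Log v2 records and rank destinations by bytes."""
from collections import defaultdict

# Field order of the default (version 2) VPC Flow Log format.
FIELDS = ["version", "account-id", "interface-id", "srcaddr", "dstaddr",
          "srcport", "dstport", "protocol", "packets", "bytes",
          "start", "end", "action", "log-status"]

# Constructed sample records (not real traffic): one ENI sending to an
# external address, an internal DB flow, one SG/NACL REJECT, one NODATA line.
SAMPLE_LOG = """\
2 123456789012 eni-0a1b2c3d 10.0.1.25 203.0.113.9 49152 443 6 180 2400000 1700000000 1700000060 ACCEPT OK
2 123456789012 eni-0a1b2c3d 10.0.1.25 10.0.2.40 49153 3306 6 40 8000 1700000000 1700000060 ACCEPT OK
2 123456789012 eni-0a1b2c3d 10.0.1.25 203.0.113.9 49154 443 6 120 1600000 1700000060 1700000120 ACCEPT OK
2 123456789012 eni-0a1b2c3d 198.51.100.7 10.0.1.25 40000 22 6 3 180 1700000060 1700000120 REJECT OK
2 123456789012 eni-0a1b2c3d - - - - - - - 1700000120 1700000180 - NODATA
"""


def parse_records(text):
    """Yield one dict per record. NODATA/SKIPDATA lines carry no addresses
    and would otherwise be counted as a destination named '-', so skip them."""
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != len(FIELDS):
            continue  # malformed line: alert on it in production, drop it here
        rec = dict(zip(FIELDS, parts))
        if rec["log-status"] != "OK":
            continue
        for key in ("srcport", "dstport", "protocol", "packets", "bytes", "start", "end"):
            rec[key] = int(rec[key])
        yield rec


def top_destinations(text, n=3):
    """Sum bytes per dstaddr, descending: the Athena query, done in memory."""
    totals = defaultdict(int)
    for rec in parse_records(text):
        totals[rec["dstaddr"]] += rec["bytes"]
    return sorted(totals.items(), key=lambda kv: kv[1], reverse=True)[:n]


def rejected_flows(text):
    """Return (srcaddr, dstport) pairs that an SG or NACL blocked."""
    return [(r["srcaddr"], r["dstport"]) for r in parse_records(text) if r["action"] == "REJECT"]


if __name__ == "__main__":
    for addr, total in top_destinations(SAMPLE_LOG):
        print(f"{addr:16} {total:>10} bytes")
    print("rejected:", rejected_flows(SAMPLE_LOG))
```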
Visualizing Traffic Mirroring (diagram not reproduced in this text version)
7. Practice Set
- Scenario: You need to audit why specific packets are being dropped by a web server's OS-level firewall (iptables). Will VPC Flow Logs show this?
- Answer: No. VPC Flow Logs capture traffic at the ENI level. If traffic is dropped inside the OS, the Flow Log might show `ACCEPT` because the AWS infrastructure allowed it into the ENI.
- Scenario: Which service identifies if a Security Group was changed to allow `0.0.0.0/0` on port 22?
- Answer: AWS Config (for the state change) and CloudTrail (for the identity of the person who made the change).
- Scenario: You want to send logs to a 3rd-party SIEM in near real-time. What is the best delivery mechanism?
- Answer: Amazon Kinesis Data Firehose (streaming VPC Flow Logs directly to the SIEM endpoint).
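The CloudTrail half of the port-22 scenario above, as a detection check: given an EC2 Security Group authorization event, report who opened which group to the whole internet on a given port. Added example, not from the original sheet; the record is constructed in the shape of a CloudTrail `AuthorizeSecurityGroupIngress` event, and the ARN and group ID are placeholders.

```python
"""Flag CloudTrail events that open a Security Group to the world on a port."""
import ipaddress
import json

# Constructed sample record (placeholder ARN/IDs) following the shape of an
# EC2 AuthorizeSecurityGroupIngress event: ipPermissions.items[].ipRanges.items[].
SAMPLE_EVENT = json.loads("""{
  "eventVersion": "1.08",
  "userIdentity": {"type": "IAMUser", "arn": "arn:aws:iam::123456789012:user/alice"},
  "eventTime": "2024-01-01T12:00:00Z",
  "eventSource": "ec2.amazonaws.com",
  "eventName": "AuthorizeSecurityGroupIngress",
  "requestParameters": {
    "groupId": "sg-0123456789abcdef0",
    "ipPermissions": {"items": [
      {"ipProtocol": "tcp", "fromPort": 22, "toPort": 22,
       "ipRanges": {"items": [{"cidrIp": "0.0.0.0/0"}]}},
      {"ipProtocol": "tcp", "fromPort": 443, "toPort": 443,
       "ipRanges": {"items": [{"cidrIp": "10.0.0.0/16"}]}}
    ]}
  }
}""")

WATCHED_EVENTS = {"AuthorizeSecurityGroupIngress", "AuthorizeSecurityGroupEgress"}


def world_open_rules(event, port=22):
    """Return (actor, group, cidr) for rules admitting the whole internet
    (0.0.0.0/0 or ::/0) on `port`. Events that are not SG changes yield []."""
    if event.get("eventSource") != "ec2.amazonaws.com":
        return []
    if event.get("eventName") not in WATCHED_EVENTS:
        return []
    actor = event.get("userIdentity", {}).get("arn", "unknown")
    params = event.get("requestParameters", {})
    group = params.get("groupId", "unknown")
    findings = []
    for perm in params.get("ipPermissions", {}).get("items", []):
        # ipProtocol "-1" means all protocols and ports; fromPort/toPort absent.
        lo, hi = perm.get("fromPort", 0), perm.get("toPort", 65535)
        if perm.get("ipProtocol") != "-1" and not (lo <= port <= hi):
            continue
        ranges = (perm.get("ipRanges", {}).get("items", [])
                  + perm.get("ipv6Ranges", {}).get("items", []))
        for r in ranges:
            cidr = r.get("cidrIp") or r.get("cidrIpv6")
            if cidr and ipaddress.ip_network(cidr, strict=False).prefixlen == 0:
                findings.append((actor, group, cidr))
    return findings


if __name__ == "__main__":
    for actor, group, cidr in world_open_rules(SAMPLE_EVENT):
        print(f"{actor} opened {group} to {cidr} on port 22")
```

Pair the finding with the AWS Config configuration history for the same group ID to get the before/after rule set.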
8. Fact Recall Blanks
- VPC Traffic Mirroring uses the ________ protocol for encapsulation. (Answer: VXLAN)
- To analyze logs across multiple accounts in a central location, you should use an ________ S3 bucket. (Answer: Organization-level/Centralized)
- The default port for Traffic Mirroring UDP traffic is ________. (Answer: 4789)
- If you see a flow log record with `action` as `REJECT`, the traffic was blocked by either a ________ or a ________. (Answer: Security Group, Network ACL)
- ________ allows you to visualize the hop-by-hop path and security blocking point between two resources without sending traffic. (Answer: VPC Reachability Analyzer)
> [!IMPORTANT]
> For the exam, always prioritize VPC Flow Logs for troubleshooting connectivity and Traffic Mirroring for security forensics/compliance requirements that demand content inspection.