About This Flashcard Deck
This flashcard deck contains 10 cards covering key security concepts for the AWS Certified Developer - Associate (DVA-C02) exam: IAM, Cognito, KMS, Secrets Manager, STS, SigV4 and application security. Use active recall: try to answer each question before revealing the answer. Flashcard-based active recall is a well-supported study technique for certification exams.
All DVA-C02 Security Flashcards
Q: Cognito User Pool vs Identity Pool?
A: User Pool = user directory for sign-up/sign-in (optionally federating external IdPs) that issues ID, access and refresh JWTs. Identity Pool = federated identities; it exchanges a User Pool or third-party IdP token for temporary AWS credentials via STS, scoped by the pool's authenticated or unauthenticated (guest) IAM role.
Q: What is KMS envelope encryption?
A: A data key encrypts the data locally; KMS encrypts (wraps) the data key under a KMS key. GenerateDataKey returns both the plaintext and the encrypted data key: use the plaintext, store the encrypted copy alongside the ciphertext, then discard the plaintext. This keeps bulk data out of KMS, whose Encrypt API accepts at most 4 KB.
Q: What is an IAM permission boundary?
A: A managed policy attached to a user or role that caps the maximum permissions the identity can have; it grants nothing by itself. Effective permissions = intersection of the identity-based policies and the boundary, with an explicit Deny in either winning. SCPs and session policies intersect further.
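The intersection rule is easy to get wrong in the edge cases (an Allow only in the boundary, a Deny only in the boundary), so here is an added example, not code from the page, that evaluates a simplified identity policy against a boundary. Only Effect/Action/Resource with IAM-style wildcards are handled; Condition, NotAction, SCPs and resource-based policies are out of scope. The two policy documents are constructed for the demonstration.

```python
"""Effective permissions = identity policy ∩ permission boundary, explicit Deny wins."""
from fnmatch import fnmatchcase


def _matches(pattern: str, value: str) -> bool:
    # IAM wildcards: '*' matches any run of characters (including ':' and '/'),
    # '?' matches one character. Action names compare case-insensitively.
    return fnmatchcase(value.lower(), pattern.lower())


def _as_list(v):
    # IAM allows a single string (or a single statement dict) where a list is expected.
    return [v] if isinstance(v, (str, dict)) else list(v)


def evaluate(policy: dict, action: str, resource: str) -> str:
    """Decision of ONE policy document: 'Deny', 'Allow', or 'Implicit' (no statement matched)."""
    allowed = False
    for stmt in _as_list(policy.get("Statement", [])):
        hit_action = any(_matches(a, action) for a in _as_list(stmt.get("Action", [])))
        hit_resource = any(_matches(r, resource) for r in _as_list(stmt.get("Resource", [])))
        if hit_action and hit_resource:
            if stmt.get("Effect") == "Deny":
                return "Deny"  # an explicit Deny is final for this document
            allowed = True
    return "Allow" if allowed else "Implicit"


def is_allowed(identity_policy: dict, action: str, resource: str, boundary: dict = None) -> bool:
    """Explicit Deny in either document wins; otherwise BOTH must Allow.

    The boundary never grants anything: an Allow that exists only in the boundary
    still leaves the action implicitly denied.
    """
    decisions = [evaluate(identity_policy, action, resource)]
    if boundary is not None:
        decisions.append(evaluate(boundary, action, resource))
    if "Deny" in decisions:
        return False
    return all(d == "Allow" for d in decisions)


# Constructed sample: the developer's identity policy is broad ...
DEVELOPER_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{"Effect": "Allow", "Action": ["s3:*", "iam:CreateUser"], "Resource": "*"}],
}
# ... but the boundary caps it to S3 and DynamoDB and forbids bucket deletion outright.
DEVELOPER_BOUNDARY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow", "Action": ["s3:*", "dynamodb:*"], "Resource": "*"},
        {"Effect": "Deny", "Action": "s3:DeleteBucket", "Resource": "*"},
    ],
}

if __name__ == "__main__":
    for act in ("s3:GetObject", "iam:CreateUser", "dynamodb:PutItem", "s3:DeleteBucket"):
        print(act, is_allowed(DEVELOPER_POLICY, act, "*", DEVELOPER_BOUNDARY))
```

Note the four sample actions: iam:CreateUser is allowed by the identity policy but not the boundary, dynamodb:PutItem by the boundary but not the identity policy, and s3:DeleteBucket is explicitly denied by the boundary; only s3:GetObject survives the intersection.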
Q: How does Secrets Manager rotation work?
A: Secrets Manager invokes a rotation Lambda on a schedule, calling it four times with the same ClientRequestToken: createSecret (write the new value as a version labelled AWSPENDING), setSecret (apply it to the target service), testSecret (verify the new credential works) and finishSecret (move AWSCURRENT to the new version; the old one becomes AWSPREVIOUS). If any step fails, AWSCURRENT is unchanged. Managed rotation functions exist for RDS/Aurora, Redshift and DocumentDB; other secret types need a custom function.
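The four steps are easier to remember once you have seen the staging labels move. The following is an added example, not code from the page and not one of AWS's rotation templates: the rotation handler implemented against an in-memory stand-in for the Secrets Manager calls and a fake database, so it runs offline. FakeSecretsManager, FakeDatabase and the single-secret simplification (no SecretId parameter) are assumptions of this example; the label transitions follow the documented protocol.

```python
"""Secrets Manager rotation: createSecret -> setSecret -> testSecret -> finishSecret."""
import json
import secrets
import string


class FakeSecretsManager:
    """Stand-in for the Secrets Manager calls a rotation function uses (holds one secret)."""

    def __init__(self, current_value: dict):
        # version id -> {"value": JSON string, "stages": set of staging labels}
        self.versions = {"v0": {"value": json.dumps(current_value), "stages": {"AWSCURRENT"}}}

    def describe_secret(self) -> dict:
        return {vid: sorted(v["stages"]) for vid, v in self.versions.items()}

    def get_secret_value(self, stage: str = None, version_id: str = None) -> dict:
        for vid, v in self.versions.items():
            if vid == version_id or (stage and stage in v["stages"]):
                return json.loads(v["value"])
        raise LookupError("ResourceNotFoundException")

    def put_secret_value(self, token: str, value: dict, stages: list) -> None:
        self.versions[token] = {"value": json.dumps(value), "stages": set(stages)}

    def update_secret_version_stage(self, stage: str, move_to: str, remove_from: str) -> None:
        self.versions[remove_from]["stages"].discard(stage)
        self.versions[move_to]["stages"].add(stage)
        if stage == "AWSCURRENT":  # service behaviour: old current becomes previous, pending clears
            self.versions[remove_from]["stages"].add("AWSPREVIOUS")
            self.versions[move_to]["stages"].discard("AWSPENDING")


class FakeDatabase:
    """Stand-in for the service whose credential is rotated. ignore_changes simulates a
    password change that reports success but does not take effect (e.g. wrong endpoint)."""

    def __init__(self, username: str, password: str, ignore_changes: bool = False):
        self.creds = {username: password}
        self.ignore_changes = ignore_changes

    def set_password(self, username: str, password: str) -> None:
        if not self.ignore_changes:
            self.creds[username] = password

    def authenticate(self, username: str, password: str) -> bool:
        return self.creds.get(username) == password


def new_password(length: int = 32) -> str:
    return "".join(secrets.choice(string.ascii_letters + string.digits) for _ in range(length))


def rotation_handler(event: dict, sm: FakeSecretsManager, db: FakeDatabase) -> str:
    """One rotation step. The service retries failed invocations, so every step is idempotent."""
    token, step = event["ClientRequestToken"], event["Step"]
    stages = sm.describe_secret()
    if "AWSCURRENT" in stages.get(token, []):
        return "already-current"  # this rotation already finished
    if step == "createSecret":
        if token not in stages:  # on a retry the AWSPENDING version already exists
            pending = sm.get_secret_value(stage="AWSCURRENT")
            pending["password"] = new_password()
            sm.put_secret_value(token, pending, ["AWSPENDING"])
    elif step == "setSecret":
        pending = sm.get_secret_value(version_id=token)
        db.set_password(pending["username"], pending["password"])
    elif step == "testSecret":
        pending = sm.get_secret_value(version_id=token)
        if not db.authenticate(pending["username"], pending["password"]):
            raise RuntimeError("pending credential rejected; AWSCURRENT left unchanged")
    elif step == "finishSecret":
        current_id = next(v for v, s in stages.items() if "AWSCURRENT" in s)
        sm.update_secret_version_stage("AWSCURRENT", move_to=token, remove_from=current_id)
    else:
        raise ValueError(f"unknown step {step}")
    return step


def rotate(sm: FakeSecretsManager, db: FakeDatabase, token: str = "rot-1") -> dict:
    """Drive a full rotation the way the service does: four invocations, one ClientRequestToken."""
    for step in ("createSecret", "setSecret", "testSecret", "finishSecret"):
        rotation_handler({"ClientRequestToken": token, "Step": step}, sm, db)
    return sm.get_secret_value(stage="AWSCURRENT")
```

The failure path matters for the exam and in practice: if testSecret cannot authenticate with the pending credential, the handler raises, finishSecret never runs, and consumers keep reading the old AWSCURRENT value while the new version sits at AWSPENDING until the next attempt.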
Q: What is STS AssumeRole?
A: Returns temporary credentials (access key ID, secret access key, session token) for cross-account access, privilege separation or federation. The caller needs sts:AssumeRole on the role, and the role's trust policy must allow the caller. Session duration is 15 minutes up to the role's MaxSessionDuration (1 hour by default, 12 hours maximum); a session obtained from another role's temporary credentials (role chaining) is capped at 1 hour.
Q: What is Signature Version 4 (SigV4)?
A: AWS's request-signing protocol that authenticates and integrity-protects API requests. The client builds a canonical request (method, path, sorted query, signed headers, payload hash), a string to sign that includes the timestamp and credential scope (date/region/service/aws4_request), and an HMAC-SHA256 signature using a key derived from the secret access key. Only the access key ID and the signature travel with the request, in the Authorization header or as query parameters (presigned URLs); the secret never leaves the client. Temporary credentials add the X-Amz-Security-Token header.
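The derivation is short enough to implement with the standard library, which is the best way to see why the secret never leaves the client. The block below is an added example, not code from the page and not the AWS SDK's implementation: it covers the header-based form for a non-streaming request (no chunked or UNSIGNED-PAYLOAD cases) and adds a verify() that recomputes the signature the way a server would. The request is constructed; the credential values are the placeholders AWS uses in its documentation.

```python
"""SigV4 with the standard library: canonical request, string to sign, derived key, signature."""
import hashlib
import hmac
from urllib.parse import quote

ALGORITHM = "AWS4-HMAC-SHA256"


def _sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def _hmac_sha256(key: bytes, msg: str) -> bytes:
    return hmac.new(key, msg.encode("utf-8"), hashlib.sha256).digest()


def canonical_request(method: str, path: str, query: dict, headers: dict, payload: bytes):
    """Return (canonical request, signed-header list): query sorted and URI-encoded,
    headers lowercased/trimmed/sorted, payload hashed even when empty."""
    canon_query = "&".join(
        f"{quote(k, safe='-_.~')}={quote(v, safe='-_.~')}" for k, v in sorted(query.items())
    )
    canon_headers = {k.lower().strip(): " ".join(v.strip().split()) for k, v in headers.items()}
    signed_headers = ";".join(sorted(canon_headers))
    header_block = "".join(f"{k}:{canon_headers[k]}\n" for k in sorted(canon_headers))
    creq = "\n".join([method.upper(), quote(path, safe="/-_.~"), canon_query,
                      header_block, signed_headers, _sha256_hex(payload)])
    return creq, signed_headers


def signing_key(secret_key: str, date: str, region: str, service: str) -> bytes:
    # kSigning = HMAC(HMAC(HMAC(HMAC("AWS4"+secret, date), region), service), "aws4_request")
    k = _hmac_sha256(("AWS4" + secret_key).encode("utf-8"), date)
    for part in (region, service, "aws4_request"):
        k = _hmac_sha256(k, part)
    return k


def sign(access_key: str, secret_key: str, region: str, service: str, method: str, path: str,
         query: dict, headers: dict, payload: bytes, amz_date: str) -> str:
    """Build the Authorization header. amz_date is the X-Amz-Date value, e.g. 20150830T123600Z."""
    date = amz_date[:8]
    scope = f"{date}/{region}/{service}/aws4_request"
    creq, signed_headers = canonical_request(method, path, query, headers, payload)
    string_to_sign = "\n".join([ALGORITHM, amz_date, scope, _sha256_hex(creq.encode("utf-8"))])
    signature = hmac.new(signing_key(secret_key, date, region, service),
                         string_to_sign.encode("utf-8"), hashlib.sha256).hexdigest()
    return f"{ALGORITHM} Credential={access_key}/{scope}, SignedHeaders={signed_headers}, Signature={signature}"


def verify(auth_header: str, secret_for, method, path, query, headers, payload, amz_date) -> bool:
    """Server side: look up the secret by access key ID, recompute, compare in constant time."""
    try:
        fields = dict(p.strip().split("=", 1) for p in auth_header.split(" ", 1)[1].split(","))
        access_key, scope = fields["Credential"].split("/", 1)
        date, region, service, terminator = scope.split("/")
    except (KeyError, ValueError, IndexError):
        return False
    if terminator != "aws4_request" or date != amz_date[:8]:
        return False
    secret = secret_for(access_key)
    if secret is None:
        return False
    expected = sign(access_key, secret, region, service, method, path, query, headers, payload, amz_date)
    return hmac.compare_digest(expected, auth_header)


# Constructed request; credentials are AWS's documentation placeholder values, not real keys.
EXAMPLE_ACCESS_KEY = "AKIDEXAMPLE"
EXAMPLE_SECRET_KEY = "wJalrXUtnFEMI/K7MDENG+bPxRfiCYEXAMPLEKEY"
EXAMPLE_HEADERS = {
    "Host": "iam.amazonaws.com",
    "Content-Type": "application/x-www-form-urlencoded; charset=utf-8",
    "X-Amz-Date": "20150830T123600Z",
}
EXAMPLE_QUERY = {"Action": "ListUsers", "Version": "2010-05-08"}


def example_authorization() -> str:
    return sign(EXAMPLE_ACCESS_KEY, EXAMPLE_SECRET_KEY, "us-east-1", "iam", "GET", "/",
                EXAMPLE_QUERY, EXAMPLE_HEADERS, b"", "20150830T123600Z")


if __name__ == "__main__":
    print(example_authorization())
```

Two things the verifier makes visible: any signed header or payload byte that changes in transit invalidates the signature, and the derived key is bound to the date, region and service, so a signature captured for one service cannot be replayed against another. When signing with STS temporary credentials, put the session token in an X-Amz-Security-Token header and include it among the signed headers.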
Q: How do you secure Lambda environment variables?
A: Environment variables are encrypted at rest by default with the AWS managed key (aws/lambda) and decrypted by the service at invocation, so code reads them as plaintext. Use a customer managed KMS key for key-policy control and auditing; Lambda still decrypts them for you. Only if you additionally encrypt individual values client-side (the console's "encryption in transit" helpers) must your code call kms:Decrypt, typically once at init. Anyone with lambda:GetFunctionConfiguration can read plaintext variables, so keep real secrets in Secrets Manager or Parameter Store and fetch and cache them at init.
Q: What is the Cognito pre-token generation trigger?
A: A Lambda trigger that adds, modifies or suppresses claims (and group membership) in the tokens before Cognito issues them. Useful for RBAC or for adding user attributes to tokens. The original (V1) trigger customizes the ID token only; customizing the access token requires the V2 trigger version. Downstream services must still verify the token signature against the pool's JWKS before trusting any claim, custom or not.
Q: Parameter Store SecureString vs Secrets Manager?
A: SecureString is encrypted with KMS, has no built-in rotation, and standard parameters (up to 4 KB) are free. Secrets Manager supports automatic rotation, random secret generation and cross-account access via resource policies, at $0.40 per secret per month plus a per-API-call charge.
Q: How do you grant cross-account DynamoDB access?
A: Create an IAM role in the account that owns the table with a permissions policy for the DynamoDB actions and a trust policy whose Principal is the source account (or a specific role in it); use an ExternalId condition if the caller is a third party. Grant the source principal sts:AssumeRole on that role's ARN; it assumes the role via STS AssumeRole and calls DynamoDB with the temporary credentials. DynamoDB tables also support resource-based policies as an alternative that avoids role assumption.