Chapter 29 Quiz: Cloud Security Testing

Question 1

In the AWS shared responsibility model, which of the following is the customer's responsibility?

A) Physical security of data centers
B) Hypervisor patching
C) IAM policy configuration
D) Network infrastructure maintenance

Question 2

An S3 bucket policy grants access to the principal "AWS": "*". What does this mean?

A) Only IAM users within the same AWS account can access the bucket
B) Any authenticated AWS user from any account can access the bucket
C) Only root account holders can access the bucket
D) Only users with MFA enabled can access the bucket

Question 3

What is the primary security improvement of IMDSv2 over IMDSv1?

A) IMDSv2 encrypts all metadata responses
B) IMDSv2 requires a PUT request to obtain a session token before accessing metadata
C) IMDSv2 disables access to IAM credentials entirely
D) IMDSv2 requires multi-factor authentication

Question 4

Which tool is specifically designed as an AWS exploitation framework, similar to Metasploit for traditional penetration testing?

A) ScoutSuite
B) Prowler
C) Pacu
D) CloudMapper

Question 5

A penetration tester discovers that a Lambda function's execution role has iam:PassRole and lambda:CreateFunction permissions. What type of attack does this enable?

A) Cross-site scripting via Lambda responses
B) Privilege escalation by creating a new function with a higher-privilege role
C) Denial of service through function concurrency exhaustion
D) SQL injection into DynamoDB

Question 6

During cloud reconnaissance, you discover a CNAME record pointing to d1abc123.cloudfront.net. What AWS service does this indicate?

A) Elastic Load Balancer
B) CloudFront CDN
C) S3 static website hosting
D) API Gateway

Question 7

Which of the following is NOT a valid AWS IAM privilege escalation technique?

A) Creating a new IAM policy version with elevated permissions
B) Attaching the AdministratorAccess managed policy to your own user
C) Modifying the AWS account root email address
D) Passing a high-privilege role to a new Lambda function

Question 8

What is the purpose of S3 Block Public Access settings?

A) To encrypt all objects in the bucket
B) To override bucket policies and ACLs to prevent public access
C) To block access from specific IP addresses
D) To disable cross-region replication

Question 9

A Kubernetes pod has automountServiceAccountToken not explicitly set to false. What security risk does this present?

A) The pod cannot communicate with other pods
B) The pod's service account token is mounted automatically, potentially allowing access to the Kubernetes API
C) The pod will fail to start
D) The pod cannot access external networks

Question 10

Which tool generates an HTML report of cloud security findings mapped to CIS benchmarks and compliance frameworks?

A) Pacu
B) Nmap
C) Prowler
D) Metasploit

Question 11

In the context of serverless security, what is "event injection"?

A) Injecting malicious code into the Lambda runtime
B) Exploiting insufficient input validation on event data from trusted AWS services
C) Creating fake CloudWatch events to trigger functions
D) Modifying the event source mapping configuration

Question 12

You are testing an Azure environment and discover a Shared Access Signature (SAS) token in a public GitHub repository. The token has not expired. What is the most significant risk?

A) The SAS token can only provide read access
B) The SAS token grants direct access to Azure Storage resources without requiring Azure AD authentication
C) SAS tokens are automatically invalidated when exposed publicly
D) SAS tokens cannot be used outside the Azure portal

Question 13

Which of the following is the correct metadata endpoint for AWS EC2 instances?

A) http://metadata.google.internal/computeMetadata/v1/
B) http://169.254.169.254/metadata/instance
C) http://169.254.169.254/latest/meta-data/
D) http://169.254.169.254/openstack/latest/meta_data.json

Question 14

During a container security assessment, you find that a Docker container is running with the --privileged flag. Why is this a critical finding?

A) Privileged containers have slower performance
B) Privileged containers can access all host devices and have nearly all Linux capabilities, enabling container escape
C) Privileged containers cannot access the network
D) Privileged containers use more memory

Question 15

What is the primary purpose of Infrastructure as Code (IaC) security scanning tools like tfsec and Checkov?

A) To deploy infrastructure faster
B) To identify security misconfigurations in infrastructure definitions before deployment
C) To monitor running infrastructure for intrusions
D) To generate compliance documentation

Question 16

In the Capital One breach pattern, what was the critical chain of vulnerabilities?

A) Phishing email leading to credential theft
B) SQL injection in the web application
C) SSRF vulnerability enabling metadata service access, leading to IAM credential theft and S3 data exfiltration
D) Physical access to AWS data centers

Question 17

Which AWS service should be verified as enabled in all regions during a cloud security assessment to ensure comprehensive audit logging?

A) Amazon GuardDuty
B) AWS CloudTrail
C) Amazon Inspector
D) AWS Config

Question 18

You discover that an organization's CI/CD pipeline stores AWS credentials as plaintext environment variables in Jenkins. Which remediation approach is most appropriate?

A) Encrypt the Jenkins configuration file
B) Replace static credentials with IAM roles for EC2 instances running Jenkins, or use AWS Secrets Manager
C) Rotate the credentials monthly
D) Restrict Jenkins access to the local network only


Answer Key

  1. C — IAM policy configuration is a customer responsibility. Physical security, hypervisor patching, and network infrastructure are provider responsibilities under the shared responsibility model.

  2. B — The principal "AWS": "*" means any authenticated AWS user from any AWS account, not just users within the bucket owner's account. This is a common source of confusion and a frequent misconfiguration.

  3. B — IMDSv2 requires a PUT request to obtain a session token (with a TTL), which must then be included as a header in subsequent metadata requests. This token-based approach mitigates most SSRF attacks because SSRF typically only allows GET requests.

  4. C — Pacu is developed by Rhino Security Labs as an AWS exploitation framework with modular attack capabilities. ScoutSuite and Prowler are defensive assessment tools. CloudMapper creates network visualizations.

  5. B — The combination of iam:PassRole and lambda:CreateFunction allows creating a Lambda function with an arbitrary role attached, then invoking it to perform actions with that role's permissions, effectively escalating privileges.

  6. B — The d prefix followed by alphanumeric characters at cloudfront.net indicates an Amazon CloudFront distribution, which is AWS's content delivery network service.

  7. C — Modifying the AWS account root email address requires access to the root account itself and is not an IAM privilege escalation technique. The other three are documented IAM privilege escalation paths.

  8. B — S3 Block Public Access settings act as an override layer that prevents public access regardless of bucket policies or ACLs. They can be applied at both the account level and individual bucket level.

  9. B — When automountServiceAccountToken is not set to false, the pod's service account token is automatically mounted, which could allow a compromised pod to authenticate to the Kubernetes API server and perform actions based on the service account's RBAC permissions.

  10. C — Prowler generates reports in multiple formats (HTML, CSV, JSON) and maps findings to CIS benchmarks and compliance frameworks including HIPAA, PCI DSS, and GDPR.

  11. B — Event injection refers to exploiting the assumption that data from AWS service events (S3 notifications, SQS messages, API Gateway requests) is inherently trusted, when in reality the event data may contain attacker-controlled input that requires validation.

  12. B — SAS tokens provide direct access to Azure Storage resources without requiring Azure AD authentication. They are bearer tokens — anyone who has the token can use it until it expires or is revoked by regenerating the storage account key.

  13. C — http://169.254.169.254/latest/meta-data/ is the correct AWS EC2 Instance Metadata Service endpoint. Option A is GCP's metadata endpoint, and Option B is Azure's (which also requires a Metadata: true header).

  14. B — Privileged containers have access to all host devices (/dev), all Linux capabilities, and can modify kernel parameters. This effectively removes the isolation boundary between the container and the host, enabling container escape attacks.

  15. B — IaC scanning tools analyze Terraform, CloudFormation, and other infrastructure definitions to identify security misconfigurations (public S3 buckets, open security groups, unencrypted databases) before they are deployed to production.

  16. C — The Capital One breach involved an SSRF vulnerability, reachable through a misconfigured WAF, that allowed querying the EC2 metadata service, retrieving temporary IAM credentials, and using those credentials to access and exfiltrate data from S3 buckets containing customer records.

  17. B — AWS CloudTrail records API calls across the AWS account. It should be enabled in all regions (not just the primary region) to ensure comprehensive audit logging, as attackers may operate in unexpected regions to avoid detection.

  18. B — The best remediation is eliminating static credentials entirely by using IAM roles attached to the EC2 instance running Jenkins, or using AWS Secrets Manager for dynamic credential retrieval. Simply rotating credentials or restricting network access does not address the fundamental issue of static credential storage.