Least Privilege

10 cards — 🟢 3 easy | 🟡 4 medium | 🔴 3 hard

🟢 Easy (3)

1. What is the principle of least privilege?

Answer: Every user, service, and process should have the minimum permissions required to do its job — nothing more. This applies to user accounts, service accounts, processes, network ports, and time-limited access.

2. Why should IAM permissions be managed through groups rather than individual user policies?

Answer: Groups allow you to define a permission set once and apply it to many users. This is easier to audit, modify, and maintain than managing separate policies per user, and reduces the risk of permission drift or orphaned access.

3. What two sshd_config settings are most critical for SSH hardening?

Answer: PasswordAuthentication no (keys only, prevents brute-force password attacks) and PermitRootLogin no (forces users to authenticate as themselves and then escalate, providing an audit trail).

🟡 Medium (4)

1. Why are IAM roles preferred over long-lived access keys for service authentication?

Answer: Roles provide temporary credentials that expire automatically, reducing the blast radius if credentials are compromised. Access keys are long-lived, can be leaked, and must be manually rotated. Roles are assumed on-demand and never stored on disk.

2. What does "defense in depth" mean in practice for an operations engineer?

Answer: Multiple layers of security so that if one control fails, the next catches it: cloud security groups + host-level firewall + application authentication + encryption in transit. Never rely on a single layer. Each layer reduces the impact of a breach in another layer.

3. In an AWS IAM policy, what do the Effect, Action, and Resource fields specify?

Answer: Effect is Allow or Deny. Action specifies which API operations are permitted (e.g., s3:GetObject, s3:ListBucket). Resource specifies which AWS resources the policy applies to (e.g., a specific S3 bucket ARN). Together they form a precise permission boundary.

4. What is the security principle behind a default-deny firewall rule, and how is it implemented in iptables?

Answer: Default-deny means all traffic is blocked unless explicitly allowed by a preceding rule. In iptables: add specific ACCEPT rules first (e.g., SSH from internal network, HTTPS from anywhere, established connections), then end with "iptables -A INPUT -j DROP" to deny everything else.

🔴 Hard (3)

1. What additional SSH hardening measures go beyond disabling password auth and root login?

Answer: Restrict access with AllowGroups, limit MaxAuthTries (e.g., 3), set idle timeouts (ClientAliveInterval 300, ClientAliveCountMax 2), disable X11Forwarding and AllowTcpForwarding unless needed, and enforce strong ciphers only (chacha20-poly1305, aes256-gcm) with secure key exchange algorithms (curve25519-sha256).

2. What is the CVE response workflow, and how should severity (CVSS score) drive response time?

Answer: 1. Alert on new CVE. 2. Assess severity: Critical 9.0-10.0 patch immediately, High 7.0-8.9 within days, Medium 4.0-6.9 within weeks, Low 0.1-3.9 normal cycle. 3. Scope: identify affected systems. 4. Mitigate with workaround if no patch. 5. Patch affected packages/images. 6. Verify the fix is applied everywhere.

3. How should vulnerability scanning be integrated into CI/CD, and what tools are commonly used?

Answer: Scan container images with trivy (trivy image --severity HIGH,CRITICAL myapp:v1.2.3), scan IaC with trivy config or checkov, and scan for secrets in git with trufflehog. Integrate these as CI pipeline gates that block deployment on critical/high findings. This shifts security left — catching issues before they reach production.