💻 Common Interview Question Candidates Mess Up!


Hello Reader,

In today’s post, let’s look at another common cloud interview question: a correct but average answer, and a great answer that gets you hired.

Question - How will you secure your application on AWS?

Common but average answer(s)

  • I will use KMS, IAM, and firewall for security
  • I will use KMS for encryption, IAM for access, Security Group, Private subnet

Why average?

  • The interviewer wants to see that you understand the different attack vectors and how to mitigate them. Explain what the services do rather than just listing service names. Another common mistake is mixing up which service does what.
  • A great approach is to take one sample design, e.g. microservices on Serverless, ALB-EC2, or Kubernetes, and explain it in detail. This proves that you think in terms of system design like a Solutions Architect.
  • We are looking to delight the interviewer, not just meet expectations.

A great answer is:

  • When we talk about securing an application running on AWS, we want to implement defense in depth, i.e. implement security in multiple layers, making it harder for the attacker to penetrate all the layers.
  • Let's take a popular example: Serverless Microservices implemented using Amazon API Gateway, Lambda, and Amazon RDS.
  • At the first layer, I will ensure only authenticated users can access this microservice. I will implement this using Amazon Cognito.
  • Then, I need to ensure traffic is encrypted in transit. By default, Amazon API Gateway uses HTTPS with an AWS-provided certificate. However, we can bring our own certificate using AWS Certificate Manager (ACM) along with Route 53.
  • Next, we need to protect the API endpoint from various attacks. This is where candidates mess up the names. AWS Shield protects AWS endpoints from DDoS attacks, and AWS WAF protects from SQL Injection and Cross-Site Scripting attacks. Candidates often say this the other way around - don't make this mistake. Another caveat - Amazon API Gateway automatically protects the endpoint from DDoS, but you need to enable AWS WAF yourself.
  • Then comes security of the Lambda. There are multiple things here - Amazon Inspector to scan the code dynamically, IAM roles and resource policies for least privilege access, and Secrets Manager to save credentials for the RDS Database. If you use Amazon EFS with the Lambda, ensure it's encrypted at rest using KMS.
  • For Amazon RDS, I'd ensure data at rest is encrypted using KMS. I'd also put the Lambda and RDS in a Private Subnet so they can't be accessed from the internet directly.
  • Finally, it is possible that some security event happens. For that reason, always monitor and audit. Utilize CloudWatch and CloudTrail.
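
The layers in the answer above can be checked mechanically. The sketch below is an added example, not part of the original newsletter: `audit_stack` is a hypothetical helper, and its inputs are constructed dictionaries shaped like boto3 responses (API Gateway `get_method` and `get_stage`, Lambda `get_function_configuration`, RDS `describe_db_instances`, CloudTrail `get_trail_status`). Encryption in transit is not checked because API Gateway serves HTTPS by default.

```python
import re

CRED_KEY = re.compile(r"PASSWORD|PASSWD|SECRET|TOKEN", re.I)

def audit_stack(method, stage, fn, db, trail):
    """Return (layer, gap) pairs; an empty list means every checked layer passed."""
    gaps = []
    # Authentication: the API method must sit behind a Cognito authorizer.
    if method.get("authorizationType") != "COGNITO_USER_POOLS":
        gaps.append(("auth", "method is not behind a Cognito authorizer"))
    # WAF is opt-in on API Gateway, so the stage must carry a web ACL.
    if not stage.get("webAclArn"):
        gaps.append(("waf", "no AWS WAF web ACL on the stage"))
    # Lambda: attached to VPC subnets (route tables are not inspected here).
    if not fn.get("VpcConfig", {}).get("SubnetIds"):
        gaps.append(("lambda-network", "function is not attached to a VPC"))
    # Lambda: credentials belong in Secrets Manager; a Secrets Manager ARN
    # in an environment variable is a reference, not a leaked secret.
    env = fn.get("Environment", {}).get("Variables", {})
    leaked = sorted(k for k, v in env.items()
                    if CRED_KEY.search(k) and not v.startswith("arn:aws:secretsmanager:"))
    if leaked:
        gaps.append(("lambda-secrets", "plaintext credentials in: " + ", ".join(leaked)))
    # RDS: encrypted at rest and not reachable from the internet.
    if not db.get("StorageEncrypted"):
        gaps.append(("rds-encryption", "storage is not encrypted at rest"))
    if db.get("PubliclyAccessible"):
        gaps.append(("rds-network", "instance is publicly accessible"))
    # Monitoring: the CloudTrail trail must actually be recording.
    if not trail.get("IsLogging"):
        gaps.append(("audit", "CloudTrail is not logging"))
    return gaps

# Constructed sample inputs (placeholder account id and resource names).
ARN = "arn:aws:secretsmanager:us-east-1:111122223333:secret:orders-db"
HARDENED = dict(
    method={"authorizationType": "COGNITO_USER_POOLS"},
    stage={"webAclArn": "arn:aws:wafv2:us-east-1:111122223333:regional/webacl/api/example"},
    fn={"VpcConfig": {"SubnetIds": ["subnet-0example"]},
        "Environment": {"Variables": {"DB_SECRET_ARN": ARN}}},
    db={"StorageEncrypted": True, "PubliclyAccessible": False},
    trail={"IsLogging": True},
)
WEAK = dict(
    method={"authorizationType": "NONE"}, stage={},
    fn={"Environment": {"Variables": {"DB_PASSWORD": "constructed-value"}}},
    db={"StorageEncrypted": False, "PubliclyAccessible": True},
    trail={"IsLogging": False},
)

if __name__ == "__main__":
    for name, stack in (("hardened", HARDENED), ("weak", WEAK)):
        print(name, audit_stack(**stack))
```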

If you get this question in your interview, make sure to knock it out of the park!


Keep learning and keep rocking 🚀,

Raj

Fast Track To Cloud
