14. Security Compliance

Question 1

What is the AWS Shared Responsibility Model?

Answer 1

A model where AWS is responsible for ‘Security of the Cloud,’ and customers are responsible for ‘Security in the Cloud.’

Question 2

True or False: AWS is responsible for the security of the guest OS on EC2 instances.

Answer 2

False

Question 3

What is AWS responsible for in the AWS Shared Responsibility Model?

Answer 3

Security of the Cloud, including infrastructure, hardware, software, and networking for AWS services.

Question 4

What type of encryption should customers manage for their data in the cloud?

Answer 4

Data encryption

Question 5

Name a shared control between AWS and customers in the Shared Responsibility Model.

Answer 5

Patch Management

Question 6

Who manages encryption for S3 buckets?

Answer 6

The customer

Question 7

Which AWS service offers free DDoS protection for all customers?

Answer 7

AWS Shield Standard

Question 8

What does AWS Shield Advanced offer beyond AWS Shield Standard?

Answer 8

Premium DDoS protection with 24/7 support from AWS DDoS Response Team (DRP)

Question 9

Which AWS service provides firewall protection for HTTP layer attacks?

Answer 9

AWS WAF (Web Application Firewall)

Question 10

True or False: AWS WAF protects applications from Layer 7 attacks.

Answer 10

True

Question 11

Which AWS service offers rule-based web access control lists (ACLs)?

Answer 11

AWS WAF

Question 12

What does AWS Network Firewall protect?

Answer 12

Amazon VPCs from Layer 3 to Layer 7 attacks

Question 13

Fill in the blank: AWS Network Firewall can inspect traffic from ______ to ______.

Answer 13

VPC to VPC, internet

Question 14

What is the primary function of AWS Firewall Manager?

Answer 14

To manage security rules across all accounts in an AWS Organization

Question 15

What is the purpose of AWS Security Hub?

Answer 15

To centralize security findings from multiple AWS services and accounts

Question 16

Which AWS service integrates with AWS Config for security compliance checks?

Answer 16

AWS Security Hub

Question 17

Fill in the blank: AWS Security Hub aggregates findings from services like ______, ______, and ______.

Answer 17

GuardDuty, Inspector, Macie

Question 18

What is the purpose of AWS GuardDuty?

Answer 18

To provide intelligent threat detection using machine learning and anomaly detection

Question 19

What does Amazon Inspector evaluate?

Answer 19

EC2 instances, container images, and Lambda functions for vulnerabilities

Question 20

True or False: Amazon Inspector performs continuous vulnerability scanning.

Answer 20

True

Question 21

What is AWS Macie used for?

Answer 21

Discovering and protecting sensitive data such as PII in Amazon S3

Question 22

Which AWS service allows you to create, manage, and deploy SSL/TLS certificates?

Answer 22

AWS Certificate Manager (ACM)

Question 23

True or False: AWS Certificate Manager charges for public TLS certificates.

Answer 23

False

Question 24

Fill in the blank: CloudTrail is used to track ______ made by users within an AWS account.

Answer 24

API calls

Question 25

What is Amazon Detective used for?

Answer 25

To analyze and identify the root cause of security issues or suspicious activities

Question 26

Which service provides compliance documentation access like PCI and ISO reports?

Answer 26

AWS Artifact

Question 27

What is an IAM Access Analyzer used for?

Answer 27

To find resources that are shared externally from an AWS account

Question 28

True or False: The root user can be used for everyday administrative tasks.

Answer 28

False

Question 29

Name one privilege exclusive to the root user in an AWS account.

Answer 29

Changing account settings

Question 30

Which AWS service is primarily for storing sensitive data and secrets?

Answer 30

AWS Secrets Manager

Question 31

What AWS service helps track configuration changes over time?

Answer 31

AWS Config

Question 32

Which encryption method is automatically enabled for S3 Glacier?

Answer 32

AWS-managed encryption with KMS

Question 33

Fill in the blank: ______ helps identify misconfigurations in security groups and other resources.

Answer 33

AWS Config

Question 34

True or False: AWS CloudHSM allows AWS to manage the encryption keys.

Answer 34

False

Question 35

What is the difference between AWS KMS and CloudHSM?

Answer 35

KMS is software-managed by AWS; CloudHSM uses dedicated hardware managed by the customer.

Question 36

What is a common use for AWS KMS?

Answer 36

Encryption of data at rest in various AWS services

Question 37

Fill in the blank: In the AWS Shared Responsibility Model, customers are responsible for managing ______.

Answer 37

Security in the Cloud

Question 38

Who should configure IAM roles for S3 access?

Answer 38

The customer

Question 39

What AWS service should you use to protect web applications from SQL injection?

Answer 39

AWS WAF

Question 40

Fill in the blank: To store compliance-related documents like ISO certifications, use ______.

Answer 40

AWS Artifact

Question 41

True or False: AWS Shield Standard is included at no additional cost.

Answer 41

True

Question 42

Name one activity prohibited during penetration testing on AWS.

Answer 42

DDoS attacks

Question 43

Which AWS service enables data encryption for RDS databases?

Answer 43

AWS KMS

Question 44

What kind of logs does Amazon GuardDuty analyze?

Answer 44

CloudTrail logs, VPC Flow Logs, and DNS logs

Question 45

Fill in the blank: AWS ______ provides managed, secure key storage for encryption.

Answer 45

KMS (Key Management Service)

Question 46

Which service is used for real-time data inspection of S3 buckets?

Answer 46

Amazon Macie

Question 47

What is Amazon Detective’s primary purpose?

Answer 47

To provide in-depth investigation of security issues

Question 48

True or False: AWS Config is a global service.

Answer 48

False; AWS Config is a per-region service

Question 49

Fill in the blank: ______ is used to manage security rules across all accounts in an organization.

Answer 49

AWS Firewall Manager

Question 50

What AWS service should you use to centrally manage compliance and security alerts?

Answer 50

AWS Security Hub

Question 51

What type of data is Amazon Macie designed to detect?

Answer 51

Sensitive data such as PII

Question 52

Fill in the blank: ______ helps in protecting applications from DDoS attacks.

Answer 52

AWS Shield

Question 53

Which service helps monitor for suspicious activity based on VPC, DNS, and CloudTrail logs?

Answer 53

Amazon GuardDuty

Question 54

What is the AWS Abuse team responsible for?

Answer 54

Investigating reports of AWS resources used for abusive or illegal purposes

Question 55

Which AWS service evaluates EC2 instances for vulnerabilities?

Answer 55

Amazon Inspector

Question 56

Fill in the blank: The AWS root user has full ______ to all AWS services and resources.

Answer 56

access

Question 57

Name one security report available in AWS Artifact.

Answer 57

PCI DSS compliance report

Question 58

True or False: Only AWS manages encryption keys in CloudHSM.

Answer 58

False; customers manage their own keys in CloudHSM.

Question 59

What is AWS Secrets Manager primarily used for?

Answer 59

Storing and managing secrets with optional rotation

Question 60

Fill in the blank: AWS KMS allows customers to ______ their encryption keys.

Answer 60

manage

Question 61

Name a type of attack AWS Shield Standard helps mitigate.

Answer 61

SYN flood attacks

Question 62

Which AWS service allows scanning of container images for vulnerabilities?

Answer 62

Amazon Inspector

Question 63

Fill in the blank: Data in motion is also known as data ______.

Answer 63

in transit

Question 64

What is the difference between AWS Managed Key and Customer Managed Key?

Answer 64

AWS Managed Keys are managed by AWS for customer use; Customer Managed Keys are created and managed by the customer.

Question 65

What is the purpose of a Web ACL in AWS WAF?

Answer 65

To control access based on specified rules, protecting from attacks like SQL injection

Question 66

Which AWS service provides tamper-resistant hardware for key storage?

Answer 66

AWS CloudHSM

Question 67

True or False: AWS Macie is designed for monitoring access to EC2 instances.

Answer 67

False; it’s designed for data discovery and classification in S3.

Question 68

Which service should be enabled to track all API calls in an AWS account?

Answer 68

AWS CloudTrail

Question 69

What can AWS Config be used to verify about S3 buckets?

Answer 69

Whether any bucket has public access

Question 70

Which encryption service is FIPS 140-2 Level 3 compliant?

Answer 70

AWS CloudHSM

Question 71

True or False: Amazon Detective collects events from GuardDuty for analysis.

Answer 71

True

Question 72

Fill in the blank: To report spam or abuse, contact the ______ team.

Answer 72

AWS Abuse team

Question 73

Which AWS service uses machine learning to discover sensitive data?

Answer 73

Amazon Macie

Question 74

What does AWS Firewall Manager automate?

Answer 74

The enforcement of security policies across accounts in an AWS Organization

Question 75

Which service helps protect against unauthorized access attempts?

Answer 75

AWS GuardDuty

Question 76

Name a prohibited activity for penetration testing in AWS.

Answer 76

Simulated DDoS attacks