Application Security

Question 1

firewall

Answer 1

prevent unauthorized access to your networks by inspecting incoming and outgoing traffic against security rules you’ve defined.

Question 2

WAF

Answer 2

Web Application Firewall

• helps protect your web applications against common web attacks
• protects against SQL injection
• protects against cross-site scripting attacks

Question 3

Where are some areas you can deploy WAF to?

Answer 3

• the load balancer in front of EC2

- Cloud Front as part of your CDN solution

Question 4

DDoS

Answer 4

Distributed Denial of Service
-hacker uses bots to send large quantity of requests, causing a traffic jam on a website or web
application in an attempt to cause it to crash.

Question 5

Shield

Answer 5

a managed Distributed Denial of Service (DDoS) protection service

Question 6

What are differences between Shield Standard and Shield Advanced

Answer 6

Standard: free, protect against most common attacks
Advanced: additional fee, advanced attack protection, real-time notifications via CloudWatch, 24/7 expert support to assist while an attack is happening

Question 7

Which services is Shield Advanced supported on?

Answer 7

• Route 53
• Cloud Front
• Elastic Load Balancing
• AWS Global Accelerator

Question 8

Macie

Answer 8

helps find sensitive PII data stored on S3 (credit cards, social security numbers, passport numbers)

Question 9

Config

Answer 9

allows you to assess, audit, and evaluate 
the configurations of your resources
- track config changes over time
- delivers config history file to S3
- view network, OS, system updates, etc.

Question 10

Guard Duty

Answer 10

an intelligent threat detection system 
that uncovers unauthorized behavior
- uses machine learning
- built-in detection for EC2, D3 and IAM
- Reviews CloudTrail, VPC Flow Logs, and DNS logs

Question 11

Inspector

Answer 11

installed on EC2 instances

• built in rules check access from the internet, remote root login, vulnerable software versions, etc
• prioritizes vulnerabilities by level of severity

Question 12

Artifact

Answer 12

offers on-demand access to a central repository for your security and compliance reports.
- 3rd party compliance testing reorts
Service Organization Controls
- Payment Card Industry (PCI) reports, etc.

Question 13

KMS

Answer 13

Key Management Service

- AWS manages your keys for you

Question 14

use case for KMS

Answer 14

create encrypted Amazon EBS volumes

Question 15

CloudHSM

Answer 15

a Hardware Security Module used to generate encryption keys

• dedicated hardware for security
• AWS does not have access to your keys
• helps you meet compliance requirements for data security

Question 16

Secrets Manager

Answer 16

allows you to manage & retrieve secrets via an API call so you don’t store them in config files

Question 17

secrets

Answer 17

passwords and keys