AWS Cloud Security Flashcards

1
Q

Federation w/ IAM

A

Federation w/ IAM

Federation lets AWS IAM trust an external identity source instead of individual IAM users: the identity provider authenticates the person, and AWS maps that assertion to an IAM role, which hands out temporary credentials

Example:

Active Directory (like we do at State Farm)
--->Connects to AWS IAM via SAML 2.0
Social Providers (gmail, facebook, etc)
--->Connects to AWS IAM via OpenID Connect (OIDC)
2
Q

AWS Single Sign-On (SSO)

A

AWS Single Sign-On (SSO), now named AWS IAM Identity Center

Centralized permissions management
—>Provides access to MULTIPLE AWS accounts in an AWS Organization w/out having to re-authenticate for each one

Identity Sources

  • –>Active Directory (self-managed) or cloud directory (Azure AD, now Microsoft Entra ID)
  • –>Business applications

Active Directory (self-managed) identity source connects to SSO via AWS Directory Service (AD Connector or AWS Managed Microsoft AD)

3
Q

Used for Mobile and Web Apps to obtain temporary, limited-privilege credentials for AWS services via AWS STS (Security Token Service):

AD Connector
AWS Single Sign-On (SSO)
AWS Cognito
AWS Directory Services

A

AWS Cognito

Used for Mobile and Web Apps

Cognito Identity pools are used to obtain temporary, limited-privilege credentials for AWS services

Identities can come from:

  • –>Cognito User Pool - the user directory in which Cognito itself stores the identities
  • –>Identity Provider - external source such as social IdPs, or SAML/OIDC providers

Cognito Identity pool uses AWS STS (Security Token Service) to obtain the ‘temporary’ credentials to AWS
—>STS provides access via an IAM role

4
Q

Microsoft Active Directory that AWS runs as a fully managed service on AWS infrastructure. Good option for enterprises that want a hosted Microsoft Active Directory:

AD Connector
AWS Single Sign-On (SSO)
AWS Cognito
AWS Directory Services

A

AWS Directory Services:

AWS Managed Microsoft Active Directory

Actual Microsoft Active Directory, run as a fully managed service on AWS infrastructure

Best choice if you have more than 5,000 users and/or need a trust relationship set up

You can set up trust relationships to extend authentication from on-premises Active Directories into the AWS cloud

On-premises users and groups can access resources in either domain using SSO

Can be used as a standalone AD in the AWS cloud

Use Case: Enterprises that want hosted Microsoft Active Directory

5
Q

Self-managed Microsoft Active Directory stays in your own datacenter; this gateway connects your existing on-premises Active Directory to AWS:

AD Connector
AWS Single Sign-On (SSO)
AWS Cognito
AWS Directory Services

A

AD Connector

Self-managed Microsoft AD in your own datacenter

All identities stay in one place - on premises

A proxy gateway that redirects directory requests to your on-premises Active Directory; no directory data is cached in AWS

Eliminates the need for directory synchronization and the cost and complexity of hosting a federation infrastructure

Connects your existing on-premises AD to AWS

Use Case: Single sign-on for on-premises employees

6
Q

Compatible w/ Active Directory but very simple, low scale, low cost, Active Directory (AD) implementation based on Samba:

AD Connector
AWS Single Sign-On (SSO)
Simple AD
AWS Directory Services

A

Simple AD

Compatible w/ Active Directory but very simple

Low scale, low cost, AD implementation based on Samba

Use Case: Simple user directory, or you need LDAP compatibility

7
Q

AWS Systems Manager Parameter Store

A

AWS Systems Manager Parameter Store

Keeps configuration values and secrets in one place, outside your code

Provides secure, hierarchical storage for configuration data management and secrets management

Highly scalable, available and durable

You can store data such as passwords, database connection strings, and license codes as parameter values

You can store values as plaintext (String or StringList parameters) or as ciphertext (SecureString parameters, encrypted with an AWS KMS key, so reading them requires kms:Decrypt on that key as well as ssm:GetParameter)

You can then reference values by the unique name that you specified when you created the parameter (names are hierarchical, e.g. /prod/db/password, so IAM policies can scope access to a path)

8
Q

AWS Secrets Manager

A

AWS Secrets Manager

Similar to Parameter Store

Stores info (database credentials, passwords, API keys, etc.) encrypted with a KMS key

Retrieved at runtime through an API call (GetSecretValue) rather than embedded in code

Native, automatic rotation of secrets (e.g. database passwords) on a schedule, using a Lambda function to perform the rotation

Fine-grained permissions via IAM and a resource policy on each secret

Central auditing of secret access and rotation through CloudTrail

9
Q

Encryption in Transit VS Encryption at Rest

A

Encryption in Transit

—When a user sends data via HTTPS it is protected by SSL/TLS (the certificate is attached to the load balancer) while in transit.

—The data may not have been encrypted on the user's machine and may not be encrypted once it is stored in AWS; HOWEVER, it IS encrypted while it is in transit. Note that TLS terminated at the load balancer protects only the client-to-load-balancer hop; the load balancer-to-target hop is separate traffic and has to be configured for TLS as well if it must stay encrypted.

Encryption at Rest

—Data is encrypted when it is stored

—Amazon S3 encrypts the object as it is written to the bucket using a per-object data encryption key, and that data key is itself encrypted with a KMS key (SSE-KMS) or an S3-managed key (SSE-S3); S3 applies server-side encryption to new objects by default

10
Q

What is SSL/TLS?

A

SSL/TLS = Secure Sockets Layer/Transport Layer Security (SSL is the obsolete predecessor; what runs today is TLS, but the name "SSL certificate" stuck)

An X.509 CERTIFICATE binds a public key to a domain name and is signed by a certificate authority the client trusts; during the handshake the server proves it holds the matching private key, which is how the client knows it is talking to the real endpoint and not an impostor

Encrypts data while it is IN TRANSIT, and authenticates the endpoint

11
Q

Asymmetric Encryption

A

Asymmetric Encryption

Also known as public key cryptography

A key pair is generated: a public key that can be shared freely and a private key that never leaves its owner

Messages encrypted with the public key can only be decrypted with the private key (confidentiality)

The private key signs a message, and anyone holding the public key can verify the signature (authenticity); this is what a TLS server does with its certificate's private key during the handshake

Examples include SSL/TLS certificates used to secure websites and SSH (secure shell) key pairs

12
Q

Which AWS service creates, stores and renews SSL/TLS X.509 certificates?

AWS Key Management Service (KMS)
AWS Secrets Manager
AWS CloudHSM
AWS Certificate Manager (ACM)

A

AWS Certificate Manager (ACM)

Create, store and renew SSL/TLS X.509 certificates

Single domains, multiple domain names and wildcards

Integrates w/ several AWS services:

  • -Elastic Load Balancing
  • -Amazon CloudFront
  • -AWS Elastic Beanstalk
  • -AWS Nitro Enclaves
  • -AWS CloudFormation
13
Q

Symmetric Encryption

A

Symmetric Encryption

Data is passed through the encryption process and becomes encrypted under a single secret key (in AWS, a data encryption key such as a 256-bit AES key)

To decrypt the data you need the SAME key that was used for encryption, so the key itself must be protected; symmetric encryption is fast, which is why bulk data is encrypted symmetrically and only the key is handled by KMS

14
Q

What Multi-tenant AWS service is used to create and manage encryption keys, has AWS managed root of trust and provides broad AWS service support?

AWS Key Management Service (KMS)
AWS Secrets Manager
AWS CloudHSM
AWS Certificate Manager (ACM)

A

AWS Key Management Service (KMS)

Used for creating and managing encryption keys

Gives you centralized control over the encryption keys used to protect your data

KMS is integrated with most other AWS services

Easy to encrypt the data you store in these services with encryption keys you control

KMS is:

  • -MULTI-TENANT AWS Service
  • —>Multi-tenant = a single instance of the software and its supporting infrastructure serves multiple customers
  • -Highly available and durable key storage and management
  • -AWS managed root of trust
  • -Broad AWS service support
  • -Key material never leaves KMS unencrypted; callers ask KMS to encrypt, decrypt or generate data keys, and the key policy plus IAM decide who may do so
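
Worked example for cards 11, 13 and 14 together (added here; not AWS code or code from the original cards). It shows envelope encryption, which is how S3 uses KMS (card 9) and how the AWS SDKs use it: a fresh symmetric data key encrypts the object, and only that small key is wrapped by the key held in KMS. Two assumptions so it runs offline with the Go standard library: the KMS key is an in-process RSA key pair (real symmetric KMS keys wrap with AES; RSA is used so the asymmetric card is exercised too), and GenerateDataKey/UnwrapDataKey are local stand-ins for the KMS API calls of the same purpose.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"fmt"
)

// EnvelopedObject is what a storage service keeps at rest: the ciphertext,
// the GCM nonce, and the data key in wrapped (encrypted) form only.
type EnvelopedObject struct {
	WrappedDataKey, Nonce, Ciphertext []byte
}

// KEK (key encryption key) stands in for the KMS key. Real KMS keeps the key
// inside its HSMs and only exposes operations on it; an in-process RSA pair is
// an assumption so this runs offline (symmetric KMS keys actually wrap with AES).
type KEK struct{ priv *rsa.PrivateKey }

func NewKEK() (*KEK, error) {
	priv, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		return nil, err
	}
	return &KEK{priv: priv}, nil
}

// GenerateDataKey mirrors KMS GenerateDataKey: a fresh 256-bit AES key comes
// back in plaintext (use it now, then forget it) and wrapped under the KEK
// public key (store it next to the ciphertext).
func (k *KEK) GenerateDataKey() (plain, wrapped []byte, err error) {
	plain = make([]byte, 32)
	if _, err = rand.Read(plain); err != nil {
		return nil, nil, err
	}
	wrapped, err = rsa.EncryptOAEP(sha256.New(), rand.Reader, &k.priv.PublicKey, plain, nil)
	return plain, wrapped, err
}

// UnwrapDataKey mirrors KMS Decrypt on a wrapped key: only the KEK private half,
// i.e. only a caller the KMS key policy allows, can recover the data key.
func (k *KEK) UnwrapDataKey(wrapped []byte) ([]byte, error) {
	return rsa.DecryptOAEP(sha256.New(), rand.Reader, k.priv, wrapped, nil)
}

func newGCM(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// Encrypt is the symmetric half: AES-256-GCM under a one-off data key.
func Encrypt(kek *KEK, plaintext []byte) (*EnvelopedObject, error) {
	dataKey, wrapped, err := kek.GenerateDataKey()
	if err != nil {
		return nil, err
	}
	gcm, err := newGCM(dataKey)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	// The wrapped key rides along as associated data, so swapping it is detected on open.
	ct := gcm.Seal(nil, nonce, plaintext, wrapped)
	return &EnvelopedObject{WrappedDataKey: wrapped, Nonce: nonce, Ciphertext: ct}, nil
}

// Decrypt unwraps the data key through the KEK, then opens the object. Without
// the KEK (no kms:Decrypt on the key) the stored bytes are useless, which is
// why the key policy, not only the bucket policy, is the real access control.
func Decrypt(kek *KEK, obj *EnvelopedObject) ([]byte, error) {
	dataKey, err := kek.UnwrapDataKey(obj.WrappedDataKey)
	if err != nil {
		return nil, err
	}
	gcm, err := newGCM(dataKey)
	if err != nil {
		return nil, err
	}
	return gcm.Open(nil, obj.Nonce, obj.Ciphertext, obj.WrappedDataKey)
}

func main() {
	kek, _ := NewKEK()
	obj, _ := Encrypt(kek, []byte("constructed sample object"))
	pt, err := Decrypt(kek, obj)
	fmt.Printf("own key: %q err=%v\n", pt, err)
	other, _ := NewKEK()
	_, err = Decrypt(other, obj)
	fmt.Println("someone else's key:", err)
}
```

Losing the KEK, or being denied kms:Decrypt on it, makes every object wrapped under it unrecoverable. That is the property you want: revoking access at the key revokes access to all of the data at once, regardless of who can still read the bucket.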
15
Q

What Single-tenant AWS service is used to create and manage encryption keys in your VPC, has customer managed root of trust and broad 3rd Party support?

AWS Key Management Service (KMS)
AWS Secrets Manager
AWS CloudHSM
AWS Certificate Manager (ACM)

A

AWS CloudHSM

Similar to KMS but offers a higher level of assurance because the HSM is dedicated hardware used by a single tenant, and AWS has no access to your keys

Can be used to create and manage symmetric and asymmetric encryption keys

Cloud-based hardware security module (HSM)

Generate and use your own encryption keys on the AWS Cloud

Manage your own encryption keys using FIPS 140-2 Level 3 validated HSMs

CloudHSM runs in your VPC

CloudHSM is:

  • -SINGLE-TENANT Hardware Security Module (HSM)
  • —>Single-tenant = a single instance of the software and its supporting infrastructure serves a single customer, on that customer's own independent instance

Customer-managed durability and availability

Customer managed root of trust

Broad 3rd Party Support

16
Q

What is the difference between Multi-tenant and Single Tenant?

A

Multi-tenant = a single instance of the software and its supporting infrastructure serves multiple customers (e.g. KMS)

Single-tenant = a single instance of the software and its supporting infrastructure serves a single customer, on that customer's own independent instance (e.g. CloudHSM)

17
Q

Used for performance and monitoring and captures metrics about account activity:

Amazon CloudWatch
Amazon Elasticsearch Service
AWS CloudTrail
VPC Flow Logs

A

Amazon CloudWatch

Gather application and system logs in CloudWatch Logs

Unified CloudWatch Agent - must be installed on EC2 instances and on-premises servers to send logs and metrics to CloudWatch

Lambda sends its logs to CloudWatch Logs automatically, provided its execution role has the CloudWatch Logs permissions

CloudWatch Logs subscription filters can stream log data in real time to Amazon Elasticsearch Service (now Amazon OpenSearch Service), Kinesis or Lambda for processing

Log groups support defined retention (expiration) policies and KMS encryption

18
Q

Used to perform real-time log processing with subscription filters:

Amazon CloudWatch
Amazon Elasticsearch Service
AWS CloudTrail
VPC Flow Logs

A

Amazon Elasticsearch Service (now Amazon OpenSearch Service)

Used to perform real-time log processing on data streamed from CloudWatch Logs with subscription filters

19
Q

What is used to log API activity for Auditing:

Amazon CloudWatch
Amazon Elasticsearch Service
AWS CloudTrail
VPC Flow Logs

A

AWS CloudTrail

CloudTrail logs API activity for Auditing

Auditing provides who did what and when in your account

Good for governance, compliance and auditing needs for AWS accounts

By default, management events are recorded in the 90-day Event history (data events and Insights events are not logged by default)

A CloudTrail TRAIL is a configuration that enables delivery of CloudTrail events to an Amazon S3 bucket, CloudWatch Logs, and CloudWatch Events (now EventBridge)

Can use a trail to filter the CloudTrail events you want delivered, encrypt your CloudTrail event log files with an AWS KMS key, and set up Amazon SNS notifications for log file delivery

A trail delivers events to S3, where they can be retained indefinitely (for compliance purposes); enable log file validation so tampering with delivered files is detectable, and lock the bucket down, since an attacker's first move is often to stop or delete the trail

Trail can be within one Region or all Regions

CloudWatch Events can be triggered based on API calls recorded in CloudTrail

Events can be streamed to CloudWatch Logs
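
Worked example (added here; not from the original cards or from AWS): three detections a SOC would run over the log files a trail delivers to S3, in Go with only the standard library. The log file below is constructed sample data in the {"Records":[...]} shape CloudTrail uses, with a dummy account number and documentation-range IPs; the field names are the real CloudTrail ones.

```go
package main

import (
	"encoding/json"
	"fmt"
)

// Event carries the CloudTrail record fields the detections below need;
// everything else in a record is ignored by encoding/json.
type Event struct {
	EventTime    string `json:"eventTime"`
	EventSource  string `json:"eventSource"`
	EventName    string `json:"eventName"`
	SourceIP     string `json:"sourceIPAddress"`
	UserIdentity struct {
		Type string `json:"type"` // Root, IAMUser, AssumedRole, ...
		ARN  string `json:"arn"`
	} `json:"userIdentity"`
	ResponseElements    map[string]any `json:"responseElements"`    // object or null
	AdditionalEventData map[string]any `json:"additionalEventData"` // e.g. MFAUsed on ConsoleLogin
}

// SampleTrail is a constructed CloudTrail log file with four events.
const SampleTrail = `{"Records":[
 {"eventTime":"2024-01-05T02:11:09Z","eventSource":"signin.amazonaws.com","eventName":"ConsoleLogin",
  "sourceIPAddress":"203.0.113.40","userIdentity":{"type":"Root","arn":"arn:aws:iam::123456789012:root"},
  "responseElements":{"ConsoleLogin":"Success"},"additionalEventData":{"MFAUsed":"No"}},
 {"eventTime":"2024-01-05T02:14:22Z","eventSource":"signin.amazonaws.com","eventName":"ConsoleLogin",
  "sourceIPAddress":"203.0.113.41","userIdentity":{"type":"IAMUser","arn":"arn:aws:iam::123456789012:user/alice"},
  "responseElements":{"ConsoleLogin":"Failure"},"additionalEventData":{"MFAUsed":"Yes"},"errorMessage":"Failed authentication"},
 {"eventTime":"2024-01-05T02:20:00Z","eventSource":"cloudtrail.amazonaws.com","eventName":"StopLogging",
  "sourceIPAddress":"203.0.113.40","userIdentity":{"type":"Root","arn":"arn:aws:iam::123456789012:root"},
  "requestParameters":{"name":"arn:aws:cloudtrail:us-east-1:123456789012:trail/org-trail"},"responseElements":null},
 {"eventTime":"2024-01-05T02:25:00Z","eventSource":"ec2.amazonaws.com","eventName":"DescribeInstances",
  "sourceIPAddress":"10.0.1.20","userIdentity":{"type":"AssumedRole","arn":"arn:aws:sts::123456789012:assumed-role/ops/i-0abc"},
  "responseElements":null}
]}`

// tamperingCalls are CloudTrail API calls that reduce audit coverage; an
// attacker who has gained privileges often makes one of these first.
var tamperingCalls = map[string]bool{
	"StopLogging": true, "DeleteTrail": true, "UpdateTrail": true, "PutEventSelectors": true,
}

// Findings returns one human-readable finding per suspicious event, in log order:
// failed console logins, root console logins without MFA, and trail tampering.
func Findings(logFile []byte) ([]string, error) {
	var file struct {
		Records []Event `json:"Records"`
	}
	if err := json.Unmarshal(logFile, &file); err != nil {
		return nil, err
	}
	var out []string
	for _, e := range file.Records {
		who := e.UserIdentity.ARN
		switch {
		case e.EventName == "ConsoleLogin" && e.ResponseElements["ConsoleLogin"] == "Failure":
			out = append(out, fmt.Sprintf("%s failed console login for %s from %s", e.EventTime, who, e.SourceIP))
		case e.EventName == "ConsoleLogin" && e.UserIdentity.Type == "Root" && e.AdditionalEventData["MFAUsed"] != "Yes":
			// A missing additionalEventData block also lands here: absence of proof of MFA is treated as no MFA.
			out = append(out, fmt.Sprintf("%s ROOT console login without MFA from %s", e.EventTime, e.SourceIP))
		case e.EventSource == "cloudtrail.amazonaws.com" && tamperingCalls[e.EventName]:
			out = append(out, fmt.Sprintf("%s CloudTrail tampering: %s by %s from %s", e.EventTime, e.EventName, who, e.SourceIP))
		}
	}
	return out, nil
}

func main() {
	findings, err := Findings([]byte(SampleTrail))
	if err != nil {
		panic(err)
	}
	for _, f := range findings {
		fmt.Println(f)
	}
}
```

In production the same logic runs as a Lambda subscribed to the trail's log group, or as a CloudWatch Logs metric filter with an alarm, and the StopLogging case is the one that cannot wait for a daily batch job.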

20
Q

Logs info about what is actually happening in your account at the network level:

Amazon CloudWatch
Amazon Elasticsearch Service
AWS CloudTrail
VPC Flow Logs

A

VPC Flow Logs

Logging info about what is actually happening in your account at the network level

Flow Logs capture information about the IP traffic going to and from network interfaces in a VPC

Flow log data can be published to Amazon CloudWatch Logs, to an Amazon S3 bucket, or to Kinesis Data Firehose

Flow logs can be created at the following levels:

  • -VPC
  • -Subnet
  • -Network Interface
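
Worked example (added here; not from the original cards or from AWS): parsing default-format flow log records and running two detections over them, in Go with only the standard library. The records are constructed sample data in the documented default field order (version, account-id, interface-id, srcaddr, dstaddr, srcport, dstport, protocol, packets, bytes, start, end, action, log-status), including one NODATA record to show why the log-status field has to be checked before the address fields are parsed.

```go
package main

import (
	"bufio"
	"fmt"
	"net/netip"
	"sort"
	"strconv"
	"strings"
)

// FlowRecord is one default-format (version 2) VPC flow log record.
type FlowRecord struct {
	Src, Dst         netip.Addr
	SrcPort, DstPort int
	Protocol         int    // 6 = TCP, 17 = UDP
	Action           string // ACCEPT or REJECT
}

// SampleFlowLog is constructed sample data in the documented default field
// order; 203.0.113.0/24 and 198.51.100.0/24 are documentation ranges.
const SampleFlowLog = `version account-id interface-id srcaddr dstaddr srcport dstport protocol packets bytes start end action log-status
2 123456789012 eni-0a1b2c3d4e5f6a7b8 203.0.113.7 10.0.1.20 41234 22 6 3 180 1700000000 1700000060 REJECT OK
2 123456789012 eni-0a1b2c3d4e5f6a7b8 203.0.113.7 10.0.1.20 41235 23 6 1 60 1700000000 1700000060 REJECT OK
2 123456789012 eni-0a1b2c3d4e5f6a7b8 203.0.113.7 10.0.1.20 41236 80 6 1 60 1700000000 1700000060 REJECT OK
2 123456789012 eni-0a1b2c3d4e5f6a7b8 203.0.113.7 10.0.1.20 41237 443 6 1 60 1700000000 1700000060 REJECT OK
2 123456789012 eni-0a1b2c3d4e5f6a7b8 203.0.113.7 10.0.1.20 41238 3389 6 1 60 1700000000 1700000060 REJECT OK
2 123456789012 eni-0a1b2c3d4e5f6a7b8 198.51.100.9 10.0.1.20 50000 22 6 20 3200 1700000000 1700000060 ACCEPT OK
2 123456789012 eni-0a1b2c3d4e5f6a7b8 10.0.2.15 10.0.1.20 50001 22 6 40 6400 1700000000 1700000060 ACCEPT OK
2 123456789012 eni-0a1b2c3d4e5f6a7b8 - - - - - - - 1700000000 1700000060 - NODATA`

// ParseFlowLog parses default-format records. The header line and records
// whose log-status is not OK (NODATA/SKIPDATA carry "-" in the address
// fields) are skipped; a record with the wrong field count is an error.
func ParseFlowLog(text string) ([]FlowRecord, error) {
	var recs []FlowRecord
	sc := bufio.NewScanner(strings.NewReader(text))
	for sc.Scan() {
		f := strings.Fields(sc.Text())
		if len(f) == 0 || f[0] == "version" {
			continue
		}
		if len(f) != 14 {
			return nil, fmt.Errorf("expected 14 fields, got %d in %q", len(f), sc.Text())
		}
		if f[13] != "OK" {
			continue
		}
		src, err := netip.ParseAddr(f[3])
		if err != nil {
			return nil, err
		}
		dst, err := netip.ParseAddr(f[4])
		if err != nil {
			return nil, err
		}
		var nums [3]int // srcport, dstport, protocol
		for i, s := range f[5:8] {
			if nums[i], err = strconv.Atoi(s); err != nil {
				return nil, fmt.Errorf("bad record %q: %w", sc.Text(), err)
			}
		}
		recs = append(recs, FlowRecord{Src: src, Dst: dst, SrcPort: nums[0], DstPort: nums[1], Protocol: nums[2], Action: f[12]})
	}
	return recs, sc.Err()
}

// PortScanners returns sources whose traffic was REJECTED on at least minPorts
// distinct destination ports: the signature of a scan being stopped by a
// security group or network ACL (the rejects are what make a scan visible).
func PortScanners(recs []FlowRecord, minPorts int) []string {
	rejected := map[netip.Addr]map[int]bool{}
	for _, r := range recs {
		if r.Action == "REJECT" {
			if rejected[r.Src] == nil {
				rejected[r.Src] = map[int]bool{}
			}
			rejected[r.Src][r.DstPort] = true
		}
	}
	var out []string
	for src, ports := range rejected {
		if len(ports) >= minPorts {
			out = append(out, src.String())
		}
	}
	sort.Strings(out)
	return out
}

// ExposedAdminAccess returns ACCEPTED TCP connections to SSH (22) or RDP (3389)
// from outside RFC 1918 space: an admin port that is reachable from the internet.
func ExposedAdminAccess(recs []FlowRecord) []string {
	var out []string
	for _, r := range recs {
		if r.Action == "ACCEPT" && r.Protocol == 6 && (r.DstPort == 22 || r.DstPort == 3389) && !r.Src.IsPrivate() {
			out = append(out, fmt.Sprintf("%s -> %s:%d", r.Src, r.Dst, r.DstPort))
		}
	}
	return out
}

func main() {
	recs, err := ParseFlowLog(SampleFlowLog)
	if err != nil {
		panic(err)
	}
	fmt.Println("usable records:", len(recs))
	fmt.Println("port scanners:", PortScanners(recs, 5))
	fmt.Println("exposed admin access:", ExposedAdminAccess(recs))
}
```

The internal 10.0.2.15 connection to port 22 is accepted and not flagged, and the scanner's own attempt on port 22 is not flagged either because it was rejected; only the accepted connection from a public address makes the second list. Flow logs record headers, not payloads, so this tells you that the port is open to the internet, not whether the login succeeded; CloudTrail or the host's auth log answers that.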
21
Q

Which service is the correct logging service for the following:

  • Capture detailed information about requests sent to the load balancer
  • Use to analyze traffic patterns and troubleshoot issues
  • Can identify requester, IP, request type etc.

Elastic Load Balancing Access Logs
S3 Access Logs

A

Elastic Load Balancing Access Logs

Capture detailed information about requests sent to the load balancer

Use to analyze traffic patterns and troubleshoot issues

Can identify requester, IP, request type etc.

Can be optionally stored and retained in S3

22
Q

Which service is the correct logging service for the following:

  • You enable logging and choose a target bucket
  • Provides detailed records for the requests that are made to a bucket

Elastic Load Balancing Access Logs
S3 Access Logs

A

S3 Access Logs

You enable logging and choose a target bucket

Provides detailed records for the requests that are made to a bucket

Details include the requester, bucket name, request time, request action, response status, and error code (if applicable)

Disabled by default

23
Q

Which service is used to analyze, investigate and quickly identify the root cause of potential security issues or suspicious activities:

Amazon Macie
Amazon Detective
AWS CloudTrail
AWS GuardDuty

A

Amazon Detective

Analyze, investigate and quickly identify the root cause of potential security issues or suspicious activities

Automatically collects data from AWS resources

Uses machine learning, statistical analysis, and graph theory

Data sources include VPC Flow Logs, CloudTrail, and GuardDuty

24
Q

Which service is an intelligent threat detection service that detects account compromise, and bucket compromise?

Amazon Macie
Amazon Detective
AWS CloudTrail
AWS GuardDuty

A

AWS GuardDuty

Intelligent threat detection service

Detects account compromise, and bucket compromise

Continuous monitoring for events across:

  • -AWS CloudTrail Management Events
  • -AWS CloudTrail S3 Data Events
  • -Amazon VPC Flow Logs
  • -DNS Logs
25
Q

Which service enables security compliance and preventive security for your sensitive data in Amazon S3 buckets?

Amazon Macie
Amazon Detective
AWS CloudTrail
AWS GuardDuty

A

Amazon Macie

Macie is a fully managed data security and data privacy service

Looks at data in Amazon S3 and uses machine learning and pattern matching to discover, monitor, and help you protect your sensitive data

Macie enables security compliance and preventive security

Findings can be recorded in CloudWatch Events to trigger an action to remediate or notify someone

Can identify a variety of data types:

  • -PII (Personally Identifiable Information)
  • -PHI (Protected Health Information)
  • -Regulatory documents
  • -API Keys
  • -Secret Keys
26
Q

Firewall that creates rules to filter web traffic based on conditions:

AWS Shield
AWS WAF
AWS Security Hub
AWS Artifact

A

AWS WAF

AWS WAF is web application firewall

Create rules to filter web traffic based on conditions that include:

  • -IP addresses
  • -HTTP headers and body
  • -Custom URIs

Can block common web exploits

  • -SQL injection
  • -cross site scripting

The rules are grouped into a Web Access Control List (web ACL), which is associated with the resource being protected (CloudFront distribution, Application Load Balancer, API Gateway, etc.)

27
Q

Which service helps you mitigate and protect your resources from Distributed Denial of Service (DDoS) attacks with always-on detection and automatic inline mitigations?

AWS Shield
AWS WAF
AWS Security Hub
AWS Artifact

A

AWS Shield

AWS Shield helps you mitigate and protect your resources from Distributed Denial of Service (DDoS) attacks

Always-on detection and automatic inline mitigations

Helps to minimize application downtime and latency

Two tiers:

  • -Standard - no cost
  • -Advanced - $3k per month w/ 1 year commitment
  • —>Much better support from AWS
  • —>More protections included

Automatically get some DDoS protection if your application sits behind amazon CloudFront

Standard included w/ CloudFront

28
Q

DDoS - Distributed Denial of Service

A

DDoS - Distributed Denial of Service

Someone is trying to take down your systems by:

–Sending a huge amount of traffic

–Generating that traffic from many sources (bots)

–Sending a type of payload that they know will cause a negative effect on your application

29
Q

Provides on-demand access to AWS security and compliance reports and select online agreements including Service Organization Control (SOC) reports and Payment Card Industry (PCI) reports:

AWS Shield
AWS WAF
AWS Security Hub
AWS Artifact

A

AWS Artifact

Provides on-demand access to AWS’ security and compliance reports and select online agreements

Reports available in AWS Artifact include:

  • -Service Organization Control (SOC) reports
  • -Payment Card Industry (PCI) reports

Provides certifications from accreditation bodies that validate the implementation and operating effectiveness of AWS security controls

Useful if building something requiring high compliance/standards

Agreements available in AWS Artifact:

  • -Business Associate Addendum (BAA)
  • -Nondisclosure Agreement (NDA)
30
Q
  • Provides a comprehensive view of security alerts and security posture across AWS accounts
  • Aggregates, organizes, and prioritizes security alerts, or findings, from multiple AWS services
  • Continuously monitors your environment using automated security checks

AWS Shield
AWS WAF
AWS Security Hub
AWS Artifact

A

AWS Security Hub

Provides a comprehensive view of security alerts and security posture across AWS accounts

Aggregates, organizes, and prioritizes security alerts, or findings, from multiple AWS services

Continuously monitors your environment using automated security checks

Configure security standards to validate against:

  • -AWS Foundational Security Best Practices V1.0.0
  • -CIS AWS Foundations Benchmark v1.2.0
  • -PCI DSS v3.2.1
31
Q

Security and privacy events affecting AWS services are published (also has an RSS feed):

AWS Shield
AWS Security Bulletins
AWS Security Hub
AWS Artifact

A

AWS Security Bulletins

Security and privacy events affecting AWS services are published (also has an RSS feed)

Kind of like an ESS

32
Q

Who should you contact if you suspect AWS resources are being abused (spam, distributing malware, DDoS, etc):

AWS Shield
AWS Trust & Safety Team
AWS Security Hub
AWS Penetration

A

AWS Trust & Safety Team

Contact the AWS Trust & Safety team if AWS resources are being used for:

  • -Spam
  • -Port Scanning
  • -Denial-of-service attacks (DDoS)
  • –Intrusion attempts
  • -Hosting of objectionable or copyrighted content
  • -Distributing malware

abuse@amazonaws.com

33
Q

The practice of testing one’s own application’s security for vulnerabilities by simulating an attack:

Security Test
Threat Assessment
Breach Test
Penetration Test

A

Penetration Testing

Penetration testing is the practice of testing one’s own application’s security for vulnerabilities by simulating an attack

AWS allows penetration testing without prior approval for 8 AWS services and ONLY on your own services

*Should not have to know 'exact' permitted and prohibited events but here they are: 
Permitted Services:
--Amazon EC2 instances, NAT Gateways, and Elastic Load Balancers
--Amazon RDS
--Amazon CloudFront
--Amazon Aurora
--Amazon API Gateway
--AWS Lambda and Lambda@Edge functions
--Amazon Lightsail resources
--Amazon Elastic Beanstalk environments

Prohibited Activities:

  • -DNS zone walking via Amazon Route 53
  • -Denial of Service (DoS), Distributed Denial of Service (DDoS), Simulated DoS, Simulated DDoS
  • -Port flooding
  • -Protocol flooding
  • -Request flooding (login request flooding, API request flooding)
34
Q

Shared Responsibility Model in Relation to Security:

A

Customer

  • -Bucket w/ objects
  • -Staff training
  • -Role
  • -Data Encryption
  • -IAM User
  • -Multi-Factor Authentication
  • -Network ACL
  • -Security Group
  • -Firewall configurations
  • -SSL encryption
  • —->Using your own certificates or certificates from AWS
  • -Patch management
  • —–>Systems should be compliant w/ latest patches and less likely to be easily attacked
  • -Auto scaling
  • —–>Keeps systems available
  • -EC2 instance
  • -Elastic Load Balancer

AWS

  • -Data Center security
  • -Global infrastructure security
  • -Anything that relates to underlying platform and physical hardware