AWS Security Flashcards

1
Q

What are the benefits of AWS Security?

A

Keep Your Data Safe – the AWS infrastructure puts strong safeguards in place to help.

Protect your privacy – All data is stored in highly secure AWS data centers.

Meet Compliance Requirements – AWS manages dozens of compliance programs in its infrastructure. This means that segments of your compliance have already been completed.

Save Money – cut costs by using AWS data centers. Maintain the highest standard of security without having to manage your own facility.

Scale Quickly – security scales with your AWS Cloud usage. No matter the size of your business, the AWS infrastructure is designed to keep your data safe.

2
Q

What is AWS Cloud Compliance?

A

AWS Cloud Compliance enables you to understand the robust controls in place at AWS to maintain security and data protection in the cloud.

As systems are built on top of AWS Cloud infrastructure, compliance responsibilities will be shared.

3
Q

What compliance programs are in AWS Security?

A

Compliance programs include:

Certifications / attestations.
Laws, regulations, and privacy.
Alignments / frameworks.

4
Q

What is AWS Artifact?

A

AWS Artifact is your go-to, central resource for compliance-related information that matters to you.

5
Q

What reports are available in AWS Artifact?

A

Reports available in AWS Artifact include:

  • Service Organization Control (SOC) reports
  • Payment Card Industry (PCI) reports
  • Certifications from accreditation bodies across geographies and compliance verticals that validate the implementation and operating effectiveness of AWS security controls.
6
Q

What agreements are available in AWS Artifact?

A

Agreements available in AWS Artifact include the Business Associate Addendum (BAA) and the Nondisclosure Agreement (NDA).

7
Q

What is Amazon GuardDuty?

A

Amazon GuardDuty offers threat detection and continuous security monitoring for malicious or unauthorized behavior to help you protect your AWS accounts and workloads.

Intelligent threat detection service.

Detects account compromise, instance compromise, malicious reconnaissance, and bucket compromise.

8
Q

What services can GuardDuty monitor?

A

Continuous monitoring for events across:

AWS CloudTrail Management Events.
AWS CloudTrail S3 Data Events.
Amazon VPC Flow Logs.
DNS Logs.

9
Q

What is AWS WAF?

A

AWS WAF is a web application firewall.

Protects against common exploits that could compromise application availability, compromise security, or consume excessive resources.

WAF lets you create rules to filter web traffic based on conditions that include IP addresses, HTTP headers and body, or custom URIs.

WAF makes it easy to create rules that block common web exploits like SQL injection and cross site scripting.

The rules are known as Web ACLs.

10
Q

What is AWS Shield?

A

AWS Shield is a managed Distributed Denial of Service (DDoS) protection service.

Safeguards web applications running on AWS with always-on detection and automatic inline mitigations.

Helps to minimize application downtime and latency.

Two tiers – Standard and Advanced.

11
Q

What is AWS Key Management Service (AWS KMS)?

A

AWS Key Management Service gives you centralized control over the encryption keys used to protect your data.

You can create, import, rotate, disable, delete, define usage policies for, and audit the use of encryption keys used to encrypt your data.

12
Q

What integrations does KMS have with other services?

A

AWS Key Management Service is integrated with most other AWS services making it easy to encrypt the data you store in these services with encryption keys you control.

AWS KMS is integrated with AWS CloudTrail which provides you the ability to audit who used which keys, on which resources, and when.

13
Q

What can AWS KMS allow developers to easily do?

A

AWS KMS enables developers to easily encrypt data, whether through 1-click encryption in the AWS Management Console or using the AWS SDK to easily add encryption in their application code.

14
Q

What is AWS CloudHSM?

A

AWS CloudHSM is a cloud-based hardware security module (HSM) that enables you to easily generate and use your own encryption keys on the AWS Cloud.

With CloudHSM, you can manage your own encryption keys using FIPS 140-2 Level 3 validated HSMs.

15
Q

What library integrations does CloudHSM have?

A

CloudHSM offers you the flexibility to integrate with your applications using industry-standard APIs, such as PKCS#11, Java Cryptography Extensions (JCE), and Microsoft CryptoNG (CNG) libraries.

16
Q

What is AWS Certificate Manager?

A

AWS Certificate Manager is a service that lets you easily provision, manage, and deploy public and private Secure Sockets Layer/Transport Layer Security (SSL/TLS) certificates for use with AWS services and your internal connected resources.

17
Q

What are SSL/TLS certificates in AWS Certificate Manager?

A

SSL/TLS certificates are used to secure network communications and establish the identity of websites over the Internet as well as resources on private networks.

18
Q

What time-consuming process does AWS Certificate Manager remove?

A

AWS Certificate Manager removes the time-consuming manual process of purchasing, uploading, and renewing SSL/TLS certificates.

19
Q

What is AWS Inspector?

A

Inspector is an automated security assessment service that helps improve the security and compliance of applications deployed on AWS.

Inspector automatically assesses applications for vulnerabilities or deviations from best practices.

Uses an agent installed on EC2 instances.

Instances must be tagged.

20
Q

What is AWS Trusted Advisor?

A

Trusted Advisor is an online resource that helps to reduce cost, increase performance, and improve security by optimizing your AWS environment.

Trusted Advisor scans infrastructure and provides real time guidance to help you provision your resources following best practices.

21
Q

What categories does Trusted Advisor compare your infrastructure to?

A

Trusted Advisor scans your AWS infrastructure and compares it to AWS best practices in five categories:

  • Cost Optimization.
  • Performance.
  • Security.
  • Fault Tolerance.
  • Service Limits.
22
Q

What two versions does Trusted Advisor come in?

A

Core Checks and Recommendations (free)

Full Trusted Advisor Benefits (business and enterprise support plans)

23
Q

What is “Core Checks and Recommendations” version in Trusted Advisor?

A

Core Checks and Recommendations (free):

Access to the 7 core checks to help increase security and performance.
Checks include S3 bucket permissions, Security Groups, IAM use, MFA on root account, EBS public snapshots, RDS public snapshots.

24
Q

What is “Full Trusted Advisor Benefits” version in Trusted Advisor?

A

Full Trusted Advisor Benefits (business and enterprise support plans):

Full set of checks to help optimize your entire AWS infrastructure.
Advises on security, performance, cost, fault tolerance and service limits.
Additional benefits include weekly update notifications, alerts, automated actions with CloudWatch and programmatic access using the AWS Support API.

25
Q

What is Penetration Testing?

A

Penetration testing is the practice of testing one’s own application’s security for vulnerabilities by simulating an attack.

26
Q

On which resources does AWS allow penetration testing to be performed?

A

Amazon EC2 instances, NAT Gateways, and Elastic Load Balancers.
Amazon RDS.
Amazon CloudFront.
Amazon Aurora.
Amazon API Gateways.
AWS Lambda and Lambda Edge functions.
Amazon LightSail resources.
Amazon Elastic Beanstalk environments.
27
Q

What does AWS recommend if your account is compromised?

A

Change your AWS root account password.
Change all IAM user’s passwords.
Delete or rotate all programmatic (API) access keys.
Delete any resources in your account that you did not create.
Respond to any notifications you received from AWS through the AWS Support Center and/or contact AWS Support to open a support case.

28
Q

What is AWS Single Sign-On (AWS SSO)?

A

AWS Single Sign-On is a cloud-based single sign-on (SSO) service that makes it easy to centrally manage SSO access and user permissions to all your AWS accounts and cloud applications.

AWS SSO also helps you manage access and permissions to commonly used third-party software as a service (SaaS) applications, AWS SSO-integrated applications as well as custom applications that support Security Assertion Markup Language (SAML) 2.0.

29
Q

Where can end users find their accessible resources in AWS SSO?

A

AWS SSO includes a user portal where your end-users can find and access all their assigned AWS accounts, cloud applications, and custom applications in one place.

30
Q

What is Amazon Cognito?

A

Amazon Cognito lets you add user sign-up, sign-in, and access control to your web and mobile apps quickly and easily.

Amazon Cognito scales to millions of users and supports sign-in with social identity providers, such as Apple, Facebook, Google, and Amazon, and enterprise identity providers via SAML 2.0 and OpenID Connect.

31
Q

What are the two main components of AWS Cognito?

A

User pools are user directories that provide sign-up and sign-in options for your app users.

Identity pools enable you to grant your users access to other AWS services.

You can use identity pools and user pools separately or together.

32
Q

What directory types does AWS Directory Services offer?

A

AWS Directory Service for Microsoft Active Directory.

Simple AD.

AD Connector.

33
Q

What is AWS Directory Service for Microsoft Active Directory?

A

AWS-managed full Microsoft AD running on Windows Server 2012 R2

Use case: Enterprises that want hosted Microsoft AD or you need LDAP for Linux apps

34
Q

What is AD Connector in AWS Directory Service?

A

Allows on-premises users to log into AWS services with their existing AD credentials. Also allows EC2 instances to join the AD domain.

Use case: Single sign-on for on-premises employees and for adding EC2 instances to the domain

35
Q

What is Simple AD in AWS Directory Services?

A

Low-scale, low-cost AD implementation based on Samba.

Use case: Simple user directory, or you need LDAP compatibility

36
Q

What is AWS Systems Manager Parameter Store?

A

Provides secure, hierarchical storage for configuration data management and secrets management.

37
Q

What type of data can you store in Parameter Store?

A

You can store data such as passwords, database strings, and license codes as parameter values.

You can store values as plaintext (unencrypted data) or ciphertext (encrypted data).

You can then reference values by using the unique name that you specified when you created the parameter.

38
Q

What is AWS Secrets Manager?

A

Similar to Parameter Store

Allows native and automatic rotation of keys.

Fine-grained permissions.

Central auditing for secret rotation.