AWS - Security

Question 1

Shared Responsibility Model

Answer 1

The shared responsibility model outlines your responsibilities vs AWS’ when it comes to security and compliance

Question 2

Well-architected framework

Answer 2

the well-architected framework describes design principles and best practices for running workloads in the cloud.

Question 3

Identity and Access Management (IAM)

Answer 3

IAM allows you to control access to your AWS services and resources

Question 4

Web Application Firewall (waf)

Answer 4

WAF helps protect your web applications against common web attacks.

Question 5

Shield

Answer 5

Shield is a managed Distributed Denial of Service (DDoS) protection service

Question 6

Macie

Answer 6

Helps you discover and protect sensitive data

Question 7

Config

Answer 7

allows you to assess, audit, and evaluate the configurations of your resources.

Question 8

what is GuardDuty

Answer 8

is an intelligent threat detection system that uncovers unauthorized behavior

Question 9

Inspector

Answer 9

works with EC2 instances to uncover and report vulnerabilities

Question 10

Artifact

Answer 10

offers on-demand access to AWS security and compliance reports.

Question 11

Cognito

Answer 11

helps you control access to mobile and web applications

Question 12

Key Management Service (KMS)

Answer 12

allows you to generate and store encryption keys

Question 13

CloudHSM

Answer 13

hardware security module (HSM) used to generate encryption keys.

Question 14

Secrets Manager

Answer 14

allows you to manage and retrieve secrets (passwords or keys)

Question 15

4 Services provided by IAM

Answer 15

-Helps secure cloud resources
-define who has access
-define what you can do
-free global service

Question 16

4 identities

Answer 16

-root user
-individual users
-groups
-roles

Question 17

what are 4 resources a identity can access?

Answer 17

-policies
-AWS managed policies
-Customer managed policies
-permissions boundaries

Question 18

what is authentication

Answer 18

where you present your identity and provide verification

Question 19

what is authorization

Answer 19

determines which services and resources the authenticated identity has access to

Question 20

principle of least privilege

Answer 20

involves giving a user minimum access required to get the job done

Question 21

what are groups

Answer 21

collection of IAM users that helps you apply common access controls to all group members

Question 22

are ec2 security groups the same as IAM user groups?

Answer 22

no, EC2 security groups act as firewalls while IAM groups are collections of users

Question 23

Roles

Answer 23

define access permissions and are temporarily assumed by an IAM user or service

Question 24

Policies

Answer 24

manage permissions for IAM users, groups, and roles by creation a policy document in JSON format and attaching it

Question 25

4 IAM best practices

Answer 25

1) enable MFA for privileged users
2) Implement strong password policies
3) Create individual users instead of using root
4) user roles for Amazon EC2 instances

Question 26

IAM credential report

Answer 26

lists all users in your account and status of their various credentials

Question 27

what is a firewall

Answer 27

prevent unauthorized access to your networks by inspecting incoming and outgoing traffic against security rules you’ve defined

Question 28

what are 3 things WAF protects against

Answer 28

-common attack patterns
-SQL injection
-cross-site scripting

Question 29

what is DDoS

Answer 29

ddos attack causes a traffic jam on a website or web application in an attempt to cause it to crash

Question 30

3 things to remember shield provides

Answer 30

-always on detection
-standard is free
-advanced is a paid service

Question 31

4 services shield advanced is supported on?

Answer 31

-cloudFront
-Route 53
-Elastic Load Balancing
-AWS Global Accelerator

Question 32

3 services Macie provides?

Answer 32

-uses machine learning
-evaluates s3 environment
-uncovers personally identifiable information (PII) data

Question 33

3 services config provides

Answer 33

-tracks configuration changes over time
-delivers configuration history file to S3
-notifications via simple notification service (SNS) of every configuration change

Question 34

3 services provided by guardDuty

Answer 34

-uses machine learning
-build-in detection for EC2, S3, and IAM
-review CloudTrail, VPC, Flow Logs, and DNS logs

Question 35

3 services inspector provides

Answer 35

-agent installed on EC2 instances
-reports vulnerabilities found
-checks access from the internet, remote root login, vulnerable software versions, etc

Question 36

3 services artifact provdies

Answer 36

-central repo for compliance reports from 3rd party auditors
-service organization controls (SoC) Reports
-payment card industry (PCI) reports

Question 37

3 services cognito provides

Answer 37

-provides authentication and authorization
-helps you manage users
-assists with user sign-up and sign-in

Question 38

4 points of KMS

Answer 38

(key management service)
-key generator
-store and control keys
-aws manages encryption keys
-automatically enabled for certain services

Question 39

3 points of cloudHSM

Answer 39

hardware security module
-dedicated hardware for security
-generate and manage your own encryption keys
-aws does not have access to your keys

Question 40

3 points of secrets manager

Answer 40

-rotate, manage, and retrieve secrets
-encrypt secrets at rest
-integrates with services like RDS, redshift, and documentDB