AWS Security & Monitoring Flashcards

1
Q

What type of keys do AWS services integrated with KMS use, symmetric or asymmetric?

A

Symmetric (AES-256)

2
Q

How do asymmetric keys work?

A

A public key encrypts the data and a private key decrypts the data

3
Q

True or false: The same KMS key can live in two regions

A

False. We can, however, use KMS Multi-Region Keys, which create replica keys in different regions

4
Q

We would like to implement global client-side encryption for our AWS services. What could we use?

A

KMS Multi-Region Keys. We can use the same encryption/decryption across regions because we are using replica keys

5
Q

True or False: Unencrypted objects and objects encrypted with SSE-S3 are replicated by default

A

True

6
Q

Which service allows you to force rotation of secrets every X days, Secrets Manager or Parameter Store?

A

Secrets Manager

7
Q

Which service allows seamless integration with RDS: Secrets Manager or Parameter Store?

A

Secrets Manager

8
Q

We want to protect our application from DDoS attacks. What service can we use?

A

AWS Shield

9
Q

What are a metric and a dimension in CloudWatch?

A

A metric is a time-ordered series of data points, for example the CPU usage of an EC2 instance or the I/O of an EBS volume

A dimension is a name/value pair that is part of the identity of a metric. For example, we can use the InstanceId dimension to filter down to the metrics of a specific EC2 instance, or the timestamp of the data point

10
Q

How long can CloudWatch log data take to be available for export?

A

Up to 12 hours

11
Q

We want to stream logs from CloudWatch Logs to other services. What can we use?

A

CloudWatch Logs subscriptions. We create the receiving resource and then define a subscription filter to select which log events get delivered

12
Q

We want to log to CloudWatch from EC2. What do we need?

A

CloudWatch Unified Agent

13
Q

What is the difference between the CloudWatch Logs Agent and the Unified Agent?

A

The Unified Agent can collect more details about the system it runs on, such as CPU, memory and processes

14
Q

What are the three main targets of CloudWatch alarms?

A

EC2, ASG and SNS

15
Q

We want to monitor multiple CloudWatch alarms. What can we use?

A

CloudWatch Composite Alarms. A regular CloudWatch Alarm is based on a single metric

16
Q

True or False: CloudWatch Alarms can trigger an EC2 restart

A

True. When we define the alarm, we can choose which action to take on an EC2 instance, such as stop, recover, reboot or terminate

17
Q

We want to schedule a service action (Lambda function) every hour. What service can we use?

A

EventBridge

18
Q

What is the EventBridge schema registry?

A

The schema registry stores default and custom schemas for events, so that services receiving events can understand the event structure

19
Q

We want to collect logs to send to CloudWatch from container services. What can we use?

A

CloudWatch Container Insights

20
Q

How does CloudWatch Container Insights work?

A

CloudWatch uses a containerized version of the CloudWatch Agent to discover containers

21
Q

We want to see which AWS services are impacting system performance the most. What can we use?

A

CloudWatch Contributor Insights. It uses the standard CloudWatch logs to understand usage by different services

22
Q

We want to figure out which AWS services are the heaviest network users. What can we use?

A

CloudWatch Contributor Insights

23
Q

We want to monitor the history of events and API calls made within an AWS account. What can we use?

A

AWS CloudTrail

24
Q

True or False: A CloudTrail trail can only be used within a single region

A

False. A trail can cover all regions or a single region

25
Q

We want to detect unusual activity in our AWS account/s. What can we use?

A

CloudTrail Insights

26
Q

How long are events stored in CloudTrail?

A

90 days

27
Q

What is AWS Config?

A

AWS Config tracks the configuration of all your AWS resources over their history, from creation through any changes that were made

28
Q

True or False: We can use AWS Config to prevent AWS resource actions from happening

A

False. We can create rules to trigger actions, but not prevent them

29
Q

We want to automatically revoke unused IAM user credentials after a certain period of time. What AWS resource can we use?

A

AWS Config remediation rules

30
Q

For an Elastic Load Balancer, we want to ensure that an SSL certificate is always assigned to the Load Balancer. What service can we use?

A

AWS Config

31
Q

We want to monitor ELB incoming connection metrics. Would we use CloudWatch or CloudTrail?

A

CloudWatch

32
Q

We want to see who made changes to our ELB using terminal commands. What AWS service can we use?

A

AWS CloudTrail

33
Q

You have an RDS DB instance that is configured to push its database logs to CloudWatch. You want to create a CloudWatch alarm if an Error is found in the logs. How would you do that?

A

Create a CloudWatch Logs Metric Filter that filters the logs for the keyword Error, then create a CloudWatch Alarm based on that Metric Filter

34
Q

We want to set a CloudWatch alarm for only a certain grouping of metrics. What can we use to do this?

A

We can create a CloudWatch Logs metric filter

35
Q

How would you monitor your EC2 instance memory usage in CloudWatch?

A

Use the Unified CloudWatch Agent to push memory usage as a custom metric to CloudWatch

36
Q

You have made a configuration change and would like to evaluate the impact of it on the performance of your application. Which AWS service should you use, CloudWatch or CloudTrail?

A

CloudWatch. We want to measure the performance change, not who made the change or when, which is what we would use CloudTrail for

37
Q

Someone terminated an EC2 instance in your AWS account last week, which was hosting a critical database containing sensitive data. Which AWS service helps you find who did that and when?

A

CloudTrail

38
Q

You have CloudTrail enabled for your AWS Account in all AWS Regions. What should you use to detect unusual activity in your AWS Account?

A

CloudTrail Insights. Insights help identify and respond to unusual activity associated with API calls and API error rates by analyzing CloudTrail management events

39
Q

One of your teammates terminated an EC2 instance 4 months ago which held critical data. You don't know who did this, so you are going to review all API calls within this period using CloudTrail. You already have CloudTrail set up and configured to send logs to an S3 bucket. What should you do to find out who did this?

A

Analyze the CloudTrail logs in the S3 bucket using Amazon Athena. CloudTrail records are deleted after 90 days, so we must go to the S3 bucket to analyze the logs

40
Q

You have enabled AWS Config to monitor your Security Groups for unrestricted SSH access to any of your EC2 instances. Which AWS Config feature can you use to automatically re-configure your Security Groups to their correct state?

A

AWS Config Remediations

41
Q

You are running a critical website on a set of EC2 instances with a tightened Security Group that restricts SSH access. You have enabled AWS Config in your AWS Region and you want to be notified via email when someone modifies your EC2 instances' Security Group. Which AWS Config feature helps you do this?

A

AWS Config Notifications

42
Q

A DevOps engineer is working for a company and managing its infrastructure and resources on AWS. There was a sudden spike in traffic for the company's main application, which is not normal for this period of the year. The application is hosted on a couple of EC2 instances in private subnets and is fronted by an Application Load Balancer in a public subnet. To detect whether this is normal traffic or an attack, the DevOps engineer enabled VPC Flow Logs for the subnets and stored those logs in a CloudWatch Log Group. The DevOps engineer wants to analyze those logs and find the top IP addresses making requests against the website to check if there is an attack. Which of the following can help the DevOps engineer analyze those logs?

A

CloudWatch Contributor Insights

43
Q

A company has a Serverless application running on AWS which uses EventBridge as an inter-communication channel between the different services within the application. There is a requirement to use the events from the prod environment in the dev environment to run some tests. The tests will be done every 6 months, so the events need to be stored and used later on. What is the most efficient and cost-effective way to store EventBridge events and use them later?

A

Use the EventBridge Archive and Replay feature

44
Q

How can we audit our AWS key usage?

A

CloudTrail

45
Q

What are data keys in KMS?

A

Data keys are symmetric keys that you use to encrypt and decrypt data outside of KMS

You request a data key from KMS and receive both an encrypted copy of the data key (which you can store) and a plaintext copy (which you use to encrypt/decrypt)

46
Q

What is the automatic key rotation duration for AWS managed KMS keys?

A

1 year

47
Q

We want to control who can access our KMS keys. What can we use?

A

A Custom KMS Key Policy

48
Q

We want to authorize cross-account access to an EBS snapshot encrypted with a KMS key. What do we need?

A

Attach a custom KMS Key Policy that allows cross-account access

49
Q

True or False: if you obtain a TLS certificate outside ACM and import it, ACM will automatically renew the certificate for you.

A

False. We must renew the certificate ourselves. ACM will, however, notify us of the upcoming expiration through EventBridge

50
Q

What can we deploy AWS WAF to?

A

ALB, API Gateway, CloudFront, AppSync GraphQL API, Cognito User Pool

51
Q

True or False: WAF can be put on a Network Load Balancer

A

False

52
Q

You want to manage common sets of security rules across all your accounts. What can you use?

A

Firewall Manager. Rules are automatically applied to new resources as they are created across your organization

53
Q

What is AWS GuardDuty?

A

GuardDuty runs ML algorithms to detect potential security threats inside your AWS accounts and workloads

Cannot also specifically protect against CryptoCurrency attacks with a dedicated finding

54
Q

What is AWS Inspector?

A

Allows you to run automated security assessments on EC2 instances, ECR images and Lambda functions

Can be used to scan package vulnerabilities

55
Q

What is Amazon Macie?

A

Uses machine learning and pattern matching to find sensitive data in S3 buckets and emits notifications

56
Q

True or False: You need to create KMS keys in AWS KMS before you are able to use the encryption features of EBS, S3 and RDS

A

False. You can use the AWS managed keys in KMS

57
Q

When you enable Automatic Rotation on your KMS key, the backing key is rotated every...

A

Year

58
Q

You have an AMI whose EBS snapshot is encrypted with a KMS CMK. You want to share this AMI with another AWS account. You have shared the AMI with the desired AWS account, but the other AWS account still can't use it. How would you solve this problem?

A

You need to share the KMS CMK used to encrypt the AMI with the other AWS account

59
Q

What should you use to control access to your KMS CMKs?

A

KMS Key Policies

60
Q

You have a secret value that you use for encryption purposes, and you want to store and track the values of this secret over time. Which AWS service should you use?

A

SSM Parameter Store. SSM Parameter Store has built-in version tracking: each time you edit the value of a parameter, it creates a new version of the parameter and retains the previous version

61
Q

Your user-facing website is a high-risk target for DDoS attacks, and you would like 24/7 support in case they happen as well as AWS bill reimbursement for the costs incurred during an attack. What AWS service should you use?

A

AWS Shield Advanced

62
Q

True or False: AWS GuardDuty monitors CloudWatch logs

A

False. It looks through CloudTrail event logs, VPC Flow Logs, DNS logs and Kubernetes audit logs

63
Q

Which AWS service allows you to centrally manage EC2 Security Groups and AWS Shield Advanced across all AWS accounts in your AWS Organization?

A

AWS Firewall Manager