Cantrill Questions

Question 1

Generates temporary credentials (sts:AssumeRole)

Answer 1

Security Token Service

Question 2

____ expire and do not belong to the IAM identity

Answer 2

Security Token Service (STS) generated credentials (they are temporary!)

Question 3

Security Token Service (STS) temporary credentials are requested by?

Answer 3

AWS (IAM role) or external (web identity federation)

Question 4

Each Region has a default AWS Service Quota although some services can be ____

Answer 4

per account

Question 5

You should use SAML 2.0 when you currently use an Enterprise ID like MS AD or if the directory is ___ compatible?

Answer 5

SAML 2.0

Question 6

Single Source of Truth or > 5000 users

Answer 6

SAML 2.0

Question 7

NACL’s are stateful or stateless?

Answer 7

STATELESS. Request and Response are seen differently

Question 8

What network security mechanism only impacts data crossing a subnet boundary?

Answer 8

NACL

Question 9

What network security mechanism can ALLOW or DENY network traffic based on IP address?

Answer 9

NACL

Question 10

Each subnet can only have one NACL (default or custom) however, NACL can be associated with many ______?

Answer 10

subnets

Question 11

What security mechanism is STATEFUL and detects requests and response traffic automatically?

Answer 11

VPC Security Groups

Question 12

What security mechanism features no ability to explicitly DENY?

Answer 12

VPC Security Groups

Question 13

What are VPC Security Groups attached to? Subnets, EC2 instances, or ENI’s?

Answer 13

ENI

Question 14

Using this service, connections enter at the Edge, essentially moving the AWS network closer, using Anycast IP’s

Answer 14

Global Accelerator

Question 15

An AWS site to site VPN can be HA, if

Answer 15

you design it that way

Question 16

What are the two ends of an AWS site to site VPN?

Answer 16

Virtual Private Gateway (VGW) and Customer Gateway (CGW)

Question 17

What is the max speed for an AWS site to site VPN?

Answer 17

1.25 GBps

Question 18

subnets can be associated to one _____ only

Answer 18

route table (default or custom)

Question 19

DX (Direct Connect) physical connection port can only be used with what type of cable?

Answer 19

single mode fiber

Question 20

What are the proper port settings for the DX (Direct Connect) physical connection port?

Answer 20

Auto-Negotiation DISABLED, port speed and FULL DUPLEX

Question 21

What routing protocol (and auth) does the customer DX router need to support for DX (Direct Connect) connections?

Answer 21

BGP and BGP MD5

Question 22

Private VIF are used to access how many VPC’s?

Answer 22

1

Question 23

1 Private VIF = how many VPC’s and how many VGW’s?

Answer 23

1 VPC and 1 VGW in the same region as the DX

Question 24

How many private prefixes can you advertise over a private VIF?

Answer 24

100

Question 25

______ provides private connectivity between VPCs, AWS services, and on-premises applications, securely on the Amazon network

Answer 25

AWS PrivateLink

Question 26

What needs to be done in order to make AWS PrivateLink HA?

Answer 26

Deploy multiple endpoints in each AZ

Question 27

Does AWS PrivateLink use iPv6?

Answer 27

Nope

Question 28

Can you access AWS PrivateLink via Direct Connect, VPC peering and/or site to site VPN?

Answer 28

Yeahhhh

Question 29

____ provides access to public AWS resources such as S3 and DynamoDB from within a private subnet

Answer 29

gateway endpoint

Question 30

Are gateway endpoints HA across AZ’s?

Answer 30

Yes no config needed

Question 31

If you access a resource via a gateway endpoint, what mechanism controls your level of access?

Answer 31

the endpoint policy, such as an s3 bucket policy

Question 32

are gateway endpoints regional only?

Answer 32

yes, no cross regional services

Question 33

Are interface endpoints HA?

Answer 33

no you need one interface endpoint per VPC

Question 34

can you use network security groups with interface endpoints?

Answer 34

yes

Question 35

What services can be accessed using a VPC Gateway Endpoint?

Answer 35

S3 & DynamoDB

Question 36

How to add encryption over a DX (Direct Connect)?

Answer 36

via a PUBLIC VIF

Question 37

Is PrivateDNS used with interface endpoints or gateway endpoints?

Answer 37

interface endpoints

Question 38

What type of directory can aws workspaces integrate with?

Answer 38

Simple AD, Microsoft AD, and AD Connector

Question 39

If you want to utilize Workspaces and have a security regulatory restriction and can not have any directory information stored within AWS, what type of directory should you run in AWS?

Answer 39

Directory Connector

Question 40

What configures the role of credentials from federated to AWS using IAM roles

Answer 40

Cognito identity pool

Question 41

What type of file system should you use if users need to be able to use VSS for self or user driven file restores?

Answer 41

FSx

Question 42

What is a native file system accessible over SMB?

Answer 42

FSx

Question 43

What is a native file system accessible over NFS?

Answer 43

EFS

Question 44

Does FSx support NTFS permissions and DFS?

Answer 44

Yes

Question 45

What is a high performance windows file system, also good for POSIX

Answer 45

FSx for Lustre

Question 46

What file system mounts on linux and is shared across many EC2 instances?

Answer 46

EFS

Question 47

S3 server-side encryption with customer-provided encryption keys

Answer 47

(SSE-C)

Question 48

S3 server-side encryption with Amazon S3-managed encryption keys

Answer 48

(SSE-S3)

Question 49

S3 server-side encryption with customer master encryption keys (CMK) stored in AWS key management service

Answer 49

SSE-KMS

Question 50

Can a NAT gatewy tolerate the failure of an AZ?

Answer 50

Nope

Question 51

Can an Internet Gateway (IGW) withstand the failure of many AZ’s in a region?

Answer 51

Yes

Question 52

What is AWS’s SIEM product?

Answer 52

GuardDuty

Question 53

What is an AWS service that monitors configurations?

Answer 53

AWS Config

Question 54

What AWS service is used for scanning EC2 and EC2 instance OS for vulnerabilities?

Answer 54

AWS Inspector

Question 55

AWS Inspector host assessment is agentless or requires an agent?

Answer 55

agent

Question 56

AWS Inspector network assessment is agentless or requires an agent?

Answer 56

agentless

Question 57

KMS is a regional and public or private service?

Answer 57

Public

Question 58

Keys never leave KMS, KMS provides ______ level of FIPS

Answer 58

FIPS 140-2 (L2)

Question 59

What provides a true single tenant hardware security module?

Answer 59

Cloud HSM

Question 60

What security standard does Cloud HSM meet?

Answer 60

FIPS 140-2 Level 3

Question 61

If you see, PKCS#11, JCE (java cryptography extensions) and CryptoNG (CNG) libraries, think ____?

Answer 61

CloudHSM

Question 62

Does CloudHSM integrate nativley with AWS services?

Answer 62

No

Question 63

Can CloudHSM be used to offload SSL/TLS prociessing tasks from web servers?

Answer 63

Yes

Question 64

What security service should be used to enable transparent data encrytion (TDE) for Oracle DB’s?

Answer 64

CloudHSM

Question 65

What security service should be used to protect private keys for an issuing CA?

Answer 65

CloudHSM

Question 66

ACM (Certificate Manager) can generate or import certs, if generated, the cert will ____, if imported, customer is responsible for the _____

Answer 66

Auto-renew, Renewing the certs

Question 67

ACM issued certs can be depoyed for supported services only (not EC2), name two:

Answer 67

CloudFront & ALB

Question 68

True/False: ACM is a regional service and certs cannot leave their region?

Answer 68

True

Question 69

One exception to the rule of deploying ACM certs regionally, is this AWS service ____. When configuring ACM for this service, you must choose this particular AZ _____

Answer 69

CloudFront, AWS-EAST-1

Question 70

AWS Secrets Manager supports automatic rotation, what service performs this rotation?

Answer 70

Lambda

Question 71

Does Secrets Manager autoamtically inegrate with some AWS services like RDS?

Answer 71

Yes

Question 72

VPC flow logs are used for packet capture?

Answer 72

No, they capture packet metadata

Question 73

Name two destinations where VPC flow logs can be sent?

Answer 73

S3 or CloudWatch

Question 74

Service provides DDOS protections

Answer 74

AWS Shield

Question 75

What are two services that Shield Standard (free) protects?

Answer 75

Route53 & CloudFront

Question 76

How much does AWS Shield Advanced cost?

Answer 76

3k/month

Question 77

What additonal services can Shield Advaned protect outside of CloudFront and R53?

Answer 77

EC2, ELB & Global Accelerator

Question 78

What AWS Shield service level provides for insurance and a DDOS repsonse team from AWS?

Answer 78

Shield advanced

Question 79

What service protects against SQL injections and cross site scripting?

Answer 79

WAF

Question 80

When creating a WAF, you first create a Web Access ____ _____ which can integrate with:

Answer 80

Control List (WEBACL), integrates with ALB, API Gateway and cloudfront

Question 81

Can CMK’s and KMS be used to encrypt data?

Answer 81

Yes, 4KB

Question 82

Do AWS managed CMK’s support key rotation?

Answer 82

Yes, once every 3 years, cannot be changed or disabled

Question 83

Do customer managed CMK’s support key rotation?

Answer 83

Yes, can be enabled for 1 year

Question 84

Can CMK’s be migrated between regions?

Answer 84

No

Question 85

Can imported CMK’s be rotated?

Answer 85

No

Question 86

When evaluating permissions in AWS, does it matter if an ALLOW or DENY comes from an inline or managed policy?

Answer 86

No

Question 87

Is a Master Account affected by SCP’s?

Answer 87

No

Question 88

What happens to the source data in Athena when used for adhoc querying?

Answer 88

Nothing

Question 89

What S3 related setting defines a way for client web applications that are loaded in one domain to interact with resources in a different domain?

Answer 89

CORS cross origin resource sharing

Question 90

What security mechanism are atached to ENI’s, can explictly ALLOW and are stateful?

Answer 90

Security Groups

Question 91

What security mechanism can explictly ALLOW and DENY and can be attached to subnets?

Answer 91

NACL

Question 92

If you need the apex of a domain to point to an ALB, what type of R53 record?

Answer 92

A Alias

Question 93

What are Configured to have one subnet in each AZ in the region by default?

Answer 93

VPC

Question 94

What are Configured to have one subnet in each AZ in the region by default?

Answer 94

VPC