Cloud Platform, Infrastructure, and Operations

Question 1

• infrastructure and systems/services in use
• how systems will communicate
• securing network traffic in shared environment
• securing the management plane

Answer 1

Cloud security considerations

Question 2

• network/communication capabilities allowing customers to transfer data in and out of cloud vendor’s environment
• compute (VMs, CPUs, storage, serverless computing, containers, etc.)
• management plane (controls network, communications, compute, etc.)

Answer 2

Cloud components

Question 3

In what environment does most security work occur?

Answer 3

IaaS

Question 4

IaaS Shared Responsibility

Answer 4

Securing infrastructure

Question 5

PaaS costumer responsibility

Answer 5

Security, apps, data, risk management

Question 6

SaaS customer data responsibility

Answer 6

Access and administration

Question 7

What are virtual firewalls used in cloud environments?

Answer 7

Network security groups

Question 8

Security groups use _____ to control traffic

Answer 8

Rules

Question 9

Tracking requests/responses to allow responses to return to systems that make an allowed request

Answer 9

Stateful (security groups and firewalls)

Question 10

AWS VPC traffic monitoring capability allows you to _____ traffic.

Answer 10

See, capture, and analyze

Question 11

Correlating logins and activity to the locations where they originate to ensure credentials aren’t being misused and to identify unexpected traffic patterns based on geoIP info:

Answer 11

Geofencing

Question 12

Relying on identities and authorization to ensure users and entities are validated before they access data:

Answer 12

Zero Trust

Question 13

Why is packet capture and traffic inspection harder in the cloud?

Answer 13

Cloud environments operate at Layer 3 of OSI model, while traditional networks can be accessed at Layers 1 and 2

Question 14

Tools that limit communications based on some criteria.

Answer 14

Firewalls

Question 15

In cloud environments, _____ are often the first firewall capability deployed.

Answer 15

(Network) security groups

Question 16

Criteria for determining which traffic is allowed is handled by _____.

Answer 16

Rules

Question 17

Firewalls
IPS
Access Control
Gateways
WAFs
Backup and Recovery

Answer 17

Network security tools

Question 18

Firewalls determine which traffic is allowed by using _____.

Answer 18

Rules

Question 19

_____ are designed to identify malicious traffic and alert on it.

Answer 19

Intrusion Detection System (IDS)

Question 20

_____ can detect and respond to malicious traffic by stopping it or alerting on it.

Answer 20

Intrusion Prevention System (IPS)

Question 21

Tool used to detect, identify, isolate, and analyze attacks by distracting attackers.

Answer 21

Honeypot

Question 22

Because many systems in the cloud are ephemeral, your scans need to:

Answer 22

• validate the original system
• validate changes that occur due to code and component updates

Question 23

Allows admins to access a private network from a lower security zone.

Answer 23

Bastion hosts (jump servers/jump boxes)

Question 24

The process by which an identity is validated as belonging to a user

Answer 24

Identity proofing

Question 25

Used to generate, store, and manage cryptographic keys as well as for other cryptographic uses in support of hashing and digital signatures, encryption, and decryption of data thru offloading.

Answer 25

Hardware Security Modules (HSMs)

Question 26

Hardware device used to secure, store, and manage cryptographic keys for disk encryption, trusted boot, hardware validation, and password management for devices.

Answer 26

Trusted Platform Module (TPM)

Question 27

- Using built-in tools - Least privilege - Encrypting data at rest and in transit - Blocking public access by default - Ensuring wildcard or broad access to storage buckets is not allowed - Building secure default access control list - Versioning and replication -Monitoring, auditing, and alerting

Answer 27

Ways to keep cloud storage secure

Question 28

- configuration requirements - patches and updates - security and notification - software composition analysis tools - package management tools

Answer 28

Checklist for 3P software management

Question 29

- Provide cryptographic hashes for integrity checks - Signing with developer's certificate - GPG or PGP signature

Answer 29

Ways to validate open-source software

Question 30

How to validate signatures:

Answer 30

You need the provider's public key and ensure key provided is actually theirs.

Question 31

The organization's standard for how a system should be configured to meet functional and security goals.

Answer 31

Baselines