Cloud Security Flashcards

1
Q

What are the 2 types of access, and what is required by each in order to authenticate?

Programmatic: Access key ID/secret; Management console: pswd and username

A

There are two types of access: Programmatic Access and Management Console Access. Programmatic Access requires Access Key ID and Secret Access Key for authentication. Management Console Access requires a username and password for authentication.

2
Q

Cloud Security
“CLOUD SAFE” Cloud Security
Here’s how to associate each letter with a security aspect:

A

“CLOUD SAFE” Cloud Security
Here’s how to associate each letter with a security aspect:
C - Control Access: “Control Access” involves managing and restricting access to AWS resources through Identity and Access Management (IAM) and other security mechanisms.
L - Logging and Monitoring: “Logging and Monitoring” emphasizes the importance of continuous monitoring and logging to detect and respond to security incidents effectively.
O - Object Storage Security: “Object Storage Security” reminds you to secure data stored in Amazon S3 or other object storage services, applying proper access controls and encryption.
U - Use Encryption: “Use Encryption” encourages the use of encryption for data both in transit and at rest, safeguarding information from unauthorized access.
D - Data Integrity: “Data Integrity” involves ensuring the integrity of data through measures like checksums, making sure data remains unchanged and reliable.
S - Secure Network Configurations: “Secure Network Configurations” stresses the importance of properly configuring Virtual Private Cloud (VPC) settings and network security groups to control traffic.
A - Apply Security Best Practices: “Apply Security Best Practices” reminds you to follow AWS security best practices, incorporating recommended configurations and settings.
F - Follow Compliance Standards: “Follow Compliance Standards” underscores the importance of adhering to regulatory compliance standards relevant to your industry and geography.
E - Evaluate Security Controls: “Evaluate Security Controls” prompts regular assessments and reviews of security controls to ensure they align with evolving security requirements.

3
Q

CEPEASPIMIICIICII

CEPE ASP IMIICIICII

A

Cogently, Eloquently, Perspicaciously, Eruditely, Astutely, Sagaciously, Profoundly, Acutely, Incisively, Meticulously, Invariably, Ineffably, Conclusively, Incontrovertibly, Inherently, Inimitably, Ineffaceably, Inscrutably, Inexplicably, Inextricably

4
Q

What is a key pair made up of?

PUBLIC AWS / PRIVATE OMAR

A

A key pair consists of a public key, which AWS stores, and a private key, which the user downloads and keeps secure.

5
Q

What is MFA, and what are 3 ways to generate an MFA code?

HARDWARE AUTHENTICATOR SMS

A

MFA (Multi-Factor Authentication) adds an extra layer of security. MFA codes can be generated using a hardware token, a virtual MFA app (like Google Authenticator), or through SMS text messages.

6
Q

What is the default authorization?

LEAST PRIVILEGE 0 PERMISSIONS

A

The default authorization is based on the principle of least privilege. Users start with no permissions and must be explicitly granted access as needed.

7
Q

What does the principle of least privilege mean?

MINIMUM PERMISSION FOR TASK NO UA OR MISUSE

A

The principle of least privilege means granting individuals or systems the minimum levels of access or permissions required to perform their tasks, reducing the risk of unauthorized access or misuse.

8
Q

What is the difference between IMPLICIT access or denial and EXPLICIT access or denial?

BEH POLICY: IM DEFAULT BEHAVIOR EX POLICIES IM ALLOWS EX DENIES BP

A

IMPLICIT access or denial is based on default behaviors, while EXPLICIT access or denial is specifically defined through policies. IMPLICIT allows actions by default unless explicitly denied, and EXPLICIT denies actions by default unless explicitly allowed.

9
Q

A security policy is written using which language?

JSON

A

A security policy is written using the JSON (JavaScript Object Notation) language.

10
Q

What are the 2 types of policies?

IR UGR RESOURCE AWS RESOURCES

A

The two types of policies are Identity-based policies and Resource-based policies. Identity-based policies are attached to IAM users, groups, or roles, while Resource-based policies are attached to AWS resources.

11
Q

If there is a conflict between a Deny statement (i.e., for a resource) and an Allow statement (i.e., for a user), which statement takes precedence?

DENY OVER ALLOW

A

In case of a conflict, the Deny statement takes precedence over the Allow statement.

12
Q

An action can only take place with an _______ Allow permission; otherwise, the action is an _______ Deny.

EX ALLOW PERMISSION OR IM DENY

A

An explicit Allow permission; otherwise, the action is an implicit Deny.

13
Q

How is an IAM group different from an IAM user?

USER UNIQUE CREDENTIALS AND COLLECTION OF USER WITH SIMILAR PERMISSIONS

A

An IAM user is an individual identity with unique credentials, while an IAM group is a collection of users with similar permissions.

14
Q

Can a user belong to multiple groups?

A

Yes, a user can belong to multiple IAM groups.

15
Q

Can a group be nested within another group?

NO NEST IN AWS

A

No, IAM groups cannot be nested within other groups.

16
Q

Who gets access through IAM Roles and for how long?

USER OR ROLE TEMP.

A

Temporary credentials obtained through IAM roles are assumed by AWS resources or users, granting them access for a specified duration.

17
Q

What is needed to log into the Root User account?

EMAIL AND PSWD

A

To log into the Root User account, you need the email address associated with the account and the corresponding password.

19
Q

What tasks can only be done with the Root User account?

CLOSE AWS CHANGE EMAIL MANAGE MFA

A

Only the Root User can close an AWS account, change the email address associated with the account, and manage MFA on the account.

20
Q

If you are not supposed to use the Root User for day-to-day interactions, how is someone needing widespread permissions such as yourself (top I.T. personnel) supposed to access and manage services, AWS users, and policies?

IAM ROLES W PERMISSIONS NO ROOT

A

It’s recommended to use IAM roles with the necessary permissions for day-to-day interactions rather than relying on the Root User account. IAM roles allow temporary access with specific permissions when needed.

21
Q

After you create an IAM User account for yourself and place yourself in a group with particular security policies attached to it, what are you supposed to do with the Root User access key?

securely store and deactivate the Root User access key

A

It’s advisable to securely store and deactivate the Root User access key since day-to-day tasks should be performed using IAM user credentials.

22
Q

Which accounts should require MFA, and what are the 3 ways to generate an MFA code? RIAM

Root User/ IAM users with administrative privileges should require MF

A

Root User and IAM users with administrative privileges should require MFA. MFA codes can be generated using hardware tokens, virtual MFA apps, or SMS text messages.

23
Q

What is AWS CloudTrail?

API CALLS AND EVENTS VIA LOG FILES TO S3 BUCKET

A

AWS CloudTrail is a service that records AWS API calls and events for your account, delivering log files to an Amazon S3 bucket.

26
Q

How much does AWS CloudTrail cost, and how many days of account activity are kept?

CT DEPENDS ON DATA EVENTS MGT W LOGS FOR 90 DAYS

A

AWS CloudTrail costs depend on data events and management events. By default, logs are retained for 90 days.

27
Q

How can you maintain CloudTrail information beyond the standard time period?

SAM ASM OT STORE MONITOR ANALYZE S3 FOR 90 LONG TERM STORAGE

A

You can maintain CloudTrail information beyond the standard time period by configuring long-term storage using Amazon S3.

28
Q

Besides AWS Organizations handling centralized billing, what other service benefits do AWS Organizations provide?

SCP, policy and resource-based management, billing

A

AWS Organizations provides benefits like policy-based management, consolidated billing, and organizational units for better resource management. It also enables Service Control Policies (SCPs) for fine-grained access control.

29
Q

How are Service Control Policies (SCPs) different than IAM permissions policies?

Root: SCPs are used with AWS Organizations to set permissions on entire accounts,

SCP NEVER GRANTS PERMISSIONS

A

SCPs are used with AWS Organizations to set permissions on entire accounts, while IAM permissions policies are attached to IAM entities like users or groups within an account. SCPs operate at the root level and act as guardrails for all accounts in an organization.
SCPs are similar to AWS Identity and Access Management (IAM) permission policies and use almost the same syntax. However, an SCP never grants permissions.

30
Q

Where within AWS Organizations can SCP be attached to?

SCP ROOT OU ACCOUNT

A

SCPs can be attached to the root of an organization or to individual organizational units (OUs) within AWS Organizations.

You can attach an SCP to the organization root, to an organizational unit (OU), or directly to an account.

31
Q

What is AWS KMS?

encryption keys used to encrypt your data

A

AWS Key Management Service (KMS) is a managed service that allows you to create and control the encryption keys used to encrypt your data. It provides a secure and scalable solution for key management.

32
Q

What is Amazon Cognito?
AAUM

authentication, authorization, user management for web and mobile apps.

A

Amazon Cognito is a service that provides authentication, authorization, and user management for web and mobile apps. It allows you to securely manage user identities and synchronize user data across devices.

33
Q

What is Amazon Cognito? 2
AAUM

authentication, authorization, user management for web and mobile apps.

A

Amazon Cognito is an identity platform for web and mobile apps. It’s a user directory, an authentication server, and an authorization service for OAuth 2.0 access tokens and AWS credentials. With Amazon Cognito, you can authenticate and authorize users from the built-in user directory, from your enterprise directory, and from consumer identity providers like Google and Facebook.

34
Q

What is SAML, and how does it relate to Amazon Cognito?

exchanging authentication and authorization data between parties. SAML

A

SAML (Security Assertion Markup Language) is a standard for exchanging authentication and authorization data between parties. Amazon Cognito can act as a SAML identity provider, allowing users to sign in using their existing credentials.

35
Q

What is a federated user?

external identity provider (IdP) and granted temporary AWS credentials

A

A federated user is a user authenticated by an external identity provider (IdP) and granted temporary AWS credentials through federation. Federated users can access AWS resources without creating IAM user accounts.

36
Q

What is AWS Shield, and how much does it cost?

DDOS PROTECTION

A

AWS Shield is a managed Distributed Denial of Service (DDoS) protection service. Costs depend on the type of Shield protection (Standard or Advanced) and usage.

37
Q

In order to contact the AWS DDoS response team, what level support plan must you have?

BUSINESS OR ENTERPRISE

A

To contact the AWS DDoS response team, you must have a Business or Enterprise support plan.

38
Q

What is meant by data at rest?

DB files not being used

A

Data at rest refers to data that is stored in non-volatile storage, such as databases or files, and is not actively being used.

39
Q

What is meant by data in transit?

A

Data in transit refers to data actively moving from one location to another, such as during network transmissions.

40
Q

What type of certificates does AWS Certificate Manager manage, and what type of data is it used for?

A

AWS Certificate Manager manages X.509 certificates used for enabling HTTPS on websites and encrypting data in transit. It is used for securing communication between clients and servers.

41
Q

What is the default setting for all newly created S3 buckets and objects?

A

The default setting for all newly created S3 buckets and objects is private, meaning only the bucket or object owner has access by default.

42
Q

What tools can be used for controlling access to S3 data?

BALI

A

Tools such as S3 bucket policies, IAM policies, Access Control Lists (ACLs), and bucket logging can be used to control access to S3 data.

43
Q

What is AWS Config?

INVENTORY Resource AND Config Assess audit evaluate resource EAA T

A

AWS Config is a service that provides a detailed inventory of your AWS resources and configurations, allowing you to assess, audit, and evaluate resource configurations over time.

44
Q

What is AWS Artifact?

Compliance Reports for pci dss iso soc

A

AWS Artifact is a service that provides on-demand access to AWS compliance reports, such as PCI DSS, ISO, and SOC. It offers downloadable documents and reports to help customers meet their compliance requirements.

45
Q

What are HIPAA, PCI DSS, SOC, ISO, and GDPR?

A

These are compliance standards:
- HIPAA: Health Insurance Portability and Accountability Act
- PCI DSS: Payment Card Industry Data Security Standard
- SOC: Service Organization Control
- ISO: International Organization for Standardization
- GDPR: General Data Protection Regulation

46
Q

What types of things does AWS’ Compliance programs cover?

REGION AND INDUSTRY DATA PROT PRIV SECT REGS PPS RR

A

AWS’ compliance programs cover a range of controls and safeguards to meet various industry-specific and regional compliance requirements. This includes data protection, privacy, security, and regulatory requirements across different sectors and geographies.

47
Q

“POST SMART” LinkedIn
Here’s how to associate each letter with a writing aspect:

A

“POST SMART” LinkedIn
Here’s how to associate each letter with a writing aspect:
P - Purposeful Topic: Start with a purposeful topic that aligns with your professional expertise or industry trends. Choose something that provides value or insights to your LinkedIn network.
O - Organized Structure: Ensure your article has a clear and organized structure. Use headings, subheadings, and bullet points to make it easy for readers to follow along.
S - Storytelling: Incorporate storytelling to make your article engaging and relatable. Share personal anecdotes or real-world examples to illustrate your points.
T - Target Audience: Keep your target audience in mind. Write with your LinkedIn connections in mind, addressing their interests, challenges, and needs.
S - Strategic Keywords: Use strategic keywords relevant to your industry or topic. This can improve the discoverability of your article on LinkedIn and through search engines.
M - Meaningful Content: Provide meaningful and valuable content. Offer insights, tips, or solutions that your readers can apply in their professional lives.
A - Authentic Voice: Write in an authentic voice that reflects your personality and expertise. Avoid overly formal language and aim for a conversational tone.
R - Relevant Visuals: Include relevant visuals such as images, infographics, or charts to enhance your article and make it visually appealing.
T - Thoughtful Conclusion: Conclude your article thoughtfully. Summarize key points, invite readers to share their thoughts in the comments, or encourage them to take a specific action.