CPC Prep AWS Compliance

Question 1

What enables you to understand the robust controls in place at AWS to maintain security and data protection in the cloud? These programs include: certifications/attestations; law, regulations, and privacy; & alignments/frameworks

Answer 1

AWS Compliance

Question 2

As systems are built on top of AWS Cloud Infrastructure who is responsible for compliance?

Answer 2

Shared responsiblity

Question 3

Which AWS service is a central resource for compliance-relation that provides on-demand access to AWS security and compliance reports and select online agreements?

Answer 3

AWS Artifact

Question 4

Which AWS service provides on-demand access to Service Organization Control, Payment Card Industry reports and certifications from accreditation bodies across the world, compliance that validate the implementation and operating effectiveness of AWS security controls?

Answer 4

AWS Artifact

Question 5

Which AWS Organizations feature defines the AWS service actions that are available for use and how you can limit the actions taken on an AWS account?

Answer 5

Service Control Policies (SCP)

Question 6

Which AWS Organizations feature enforces rules around tagging across accounts and OUs?

Answer 6

Tag Policies

Question 7

Which AWS service provides and automated security assessment service that helps improve security and compliance of applications deployed on AWS?

Answer 7

Amazon Inspector

Question 8

Which AWS service automatically assesses applications for vulnerabilities or deviations from best practices and uses an agent installed on EC2 where the instances must be tagged?

Answer 8

Amazon Inspector

Question 9

Which AWS service protects against common exploits that could compromise application availability, compromise security, or consume excessive resources?

Answer 9

AWS Web Application Firewall (WAF)

Question 10

Which AWS service safeguards web applications running on AWS with alway-on detection and automatic inline mitigations?

Answer 10

AWS Shield

Question 11

Which AWS service is a managed DDoS protection service that minimizes application downtime and latency and is integrated with Amazon CloudFront?

Answer 11

AWS Shield

Question 12

What are the two AWS Shield pricing tiers?

Answer 12

1. Standard - free

2. Advanced - visibility & reporting; incident management

Question 13

Which AWS service manages WAF and AWS Shield?

Answer 13

AWS Firewall Manager

Question 14

Which AWS service is a fully managed data security and data privacy service the uses machine learning and pattern matching to discover, monitor, or help protect sensitive data on Amazon S3?

Answer 14

Amazon Macie

Question 15

Which AWS service enables security compliance and preventive security to identify a variety of data types including PII, PHI, HIPPA, regulatory documents, API keys, and secret keys?

Answer 15

Amazon Macie

Question 16

Which AWS service identifies changes to policy and access control lists; continuously monitors the security posture of Amazon S3; and generates security findings that can viewed on Macie Console, AWS Security Hub, or Amazon Eventbridge?

Answer 16

Amazon Macie

Question 17

Which AWS service offers threat detection that continuously monitors for malicious activity and unauthorized behavior to protect your AWS accounts and workloads (threats to the account) and generates reports or trigger action to remediate?

Answer 17

AWS GuardDuty

Question 18

Which AWS service continuously analyzes CloudTrail Logs, VPC Flow Logs, and DNS Logs to intelligently detect threats through machine learning?

Answer 18

Amazon GuardDuty

Question 19

When does Amazon S3 encrypt objects?

Answer 19

As it is written

Question 20

What type of data is protected by SSL/TLS while it is in flight?

Answer 20

Encryption in Transit

Question 21

Which AWS service provides centralized control over the encryption keys used to protect your data?

Answer 21

Key Management Service (KMS)

Question 22

Which AWS service can create, import, rotate, disable, delete, define usage policies, and audit the use of encryption keys used to encrypt your data?

Answer 22

Key Management Service (KMS)

Question 23

Which AWS service is integrated with most other AWS services making it easy to encrypt the data stored on these services with customer controlled encryption keys?

Answer 23

Key Management System (KMS)

Question 24

Which AWS service is a cloud-based hardware security module that enables you to easily generate and use your own encryption keys in the cloud?

Answer 24

AWS CloudHSM

Question 25

Which AWS service enables you to manage your own encryption keys using FIPS 140-2 Level 3 validated USM?

Answer 25

AWS CloudHSM

Question 26

Which AWS service is used for creating SSL/TLS certificates for encrypting data in transit?

Answer 26

AWS Certificated Manager (ACM)

Question 27

Which AWS service can secure multiple domain names, multiple domain names with a domain, create wildcard SSL and can protect in unlimited number of sub domains?

Answer 27

AWS Secrets Manager

Question 28

Which AWS service enables you to meet your security and compliance requirements by enabling you to rotate secrets safely without the need for code deployments?

Answer 28

AWS Secrets Manager

Question 29

Which AWS service is built for Amazon RDS, Amazon RedShift, and Amazon Document DB that automatically rotates secrets periodically?

Answer 29

AWS Secrets Manager

Question 30

During penetration testing what are the five prohibited activities?

Answer 30

1. DNS zone walking 2. DoS, DDoS, & simulated DoS or DDoS 3. Port flooding 4. Protocol flooding 5. Request flooding

Question 31

What is the purpose of the AWS authorized customer penetration testing?

Answer 31

Testing of customer applications security for vulnerability by simulating an attack

Question 32

What services does AWS authorize customer to conduct penetration testing on without permission?

Answer 32

- Amazon EC2 instances, NAT Gateways, & Elastic Load Balancers - Amazon RDS and Amazon Aurora - Amazon CloudFront - Amazon API Gateways - AWS Lambda & Lambda Edge Functions - Amazon Lightsail - Amazon Elastic Beanstalk environments

Question 33

What actions should you take if your AWS account is compromised?

Answer 33

1. Change AWS root account password 2. Change all IAM user passwords 3. Deleted or rotate all programmatic (API) access keys 4. Delete any resource in your account you did not create 5. Respond to notifications you received from AWS though the AWS Support Center or contact AWS to open a support case

Question 34

Which AWS feature enables you to log-in once and access multiple accounts?

Answer 34

AWS Single Sign-On

Question 35

What is an active directory social providers can access through AWS using IAM that Cognito is recommend to use?

Answer 35

Web Identity Federation

Question 36

What is a fully managed active directory running on Windows Sever 2012 R2 that used to host Microsoft AD or LDAP for Linux apps?

Answer 36

AWS Directory Service for Microsoft Active Directory

Question 37

Which AWS feature allows on-premises users to log into AWS services with their existing AD credentials this is used for single sign-on for on-premises employees and for adding EC2 instances to the domain?

Answer 37

AD Connector

Question 38

What is a low-scale, low cost, AD implementation base on Samba that can be used for simple user directory or if you need LDAP compatibility?

Answer 38

Simple AD

Question 39

Which service is used to notify customers of security and privacy events with AWS service vulnerabilities?

Answer 39

Security Bulletins

Question 40

Which AWS service is used a customer suspects AWS resources are used for abusive or illegal purposes; they can be notified through an online form or AWS email box?

Answer 40

AWS Abuse Teams