Domain 2: Security and Compliance Flashcards
Which AWS service can be used to detect and prevent Distributed Denial of Service attacks against services hosted on AWS?
AWS Shield
AWS Shield is a managed Distributed Denial of Service (DDoS) protection service that safeguards applications running on AWS. AWS Shield provides always-on detection and automatic inline mitigations that minimize application downtime and latency, so there is no need to engage AWS Support to benefit from DDoS protection. There are two tiers of AWS Shield - Standard and Advanced. https://aws.amazon.com/shield/
Users need to access AWS resources from the command-line interface. Which IAM option can be used for authentication?
Access Keys
You must provide your AWS access keys to make programmatic calls to AWS or to use the AWS Command Line Interface or AWS Tools for PowerShell.
When you create your access keys, you create the access key ID (for example, AKIAIOSFODNN7EXAMPLE) and secret access key (for example, wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY) as a set. The secret access key is available for download only when you create it. If you don’t download your secret access key or if you lose it, you must create a new one. https://docs.aws.amazon.com/general/latest/gr/aws-sec-cred-types.html
You need to set up a virtual firewall for your EC2 instance. Which would you use?
Security Group
A security group acts as a virtual firewall for your instance to control inbound and outbound traffic. When you launch an instance in a VPC, you can assign up to five security groups to the instance. Security groups act at the instance level, not the subnet level. Therefore, each instance in a subnet in your VPC can be assigned to a different set of security groups. https://docs.aws.amazon.com/vpc/latest/userguide/VPC_SecurityGroups.html
After configuring your VPC and all of the resources within it, you want to add an extra layer of security at the subnet level. Which will you use to add this security?
Network ACL
A network access control list (NACL) is an optional layer of security for your VPC that acts as a firewall for controlling traffic in and out of one or more subnets. You might set up network ACLs with rules similar to your security groups to add an additional layer of security to your VPC. https://docs.aws.amazon.com/vpc/latest/userguide/vpc-network-acls.html
You are concerned about access to your top-secret application by stolen passwords. What additional layer of security can you add for logging in to AWS Management Console, in addition to user passwords?
Multi-Factor Authentication
AWS Multi-Factor Authentication (MFA) is a simple best practice that adds an extra layer of protection on top of your user name and password. With MFA enabled, when a user signs in to an AWS Management Console, they will be prompted for their user name and password (the first factor—what they know), as well as for an authentication code from their AWS MFA device (the second factor—what they have). Taken together, these multiple factors provide increased security for your AWS account settings and resources. https://aws.amazon.com/iam/features/mfa/
In Identity and Access Management, which term applies to a person or application that uses the AWS account root user, an IAM user, or an IAM role to sign in and make requests to AWS?
Principal
A Principal is a person or application that uses the AWS account root user, an IAM user, or an IAM role to sign in and make requests to AWS.
A software development team has requested IAM access to be able to work with AWS from the CLI. What will you provide these developers?
Access Keys
Access keys are long-term credentials for an IAM user or the AWS account root user. You can use access keys to sign programmatic requests to the AWS CLI or AWS API. https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_access-keys.html
You are working with IAM and need to attach policies to users, groups, and roles. Which will you be attaching these policies to?
Identities
Identities are the IAM resource objects that are used to identify and group users. You can attach a policy to an IAM identity; identities include users, groups, and roles. IAM policies come in two forms: identity-based policies and resource-based policies.
As an AWS account administrator, you are in charge of creating AWS accounts and securing those accounts. What steps can you take?
Add IP restrictions for all accounts
This would greatly limit who can access your environment and from where.
Create multi-factor authentication for the root account.
This will add an additional layer of security to the root account.
A company has a large number of S3 buckets and needs to manage and automate tasks on these buckets at one time. Which AWS feature can do this?
Resource Groups
You can use resource groups to organize your AWS resources. Resource groups make it easier to manage and automate tasks on large numbers of resources at one time. The AWS Resource Groups user guide shows how to create and manage resource groups. https://docs.aws.amazon.com/ARG/latest/userguide/welcome.html
A company is configuring IAM for its new AWS account. There are 5 departments with 5 to 10 users in each department. How can they efficiently apply access permissions for each of these departments and simplify management of these users?
Create policies for each department that define the permissions needed. Create an IAM group for each department and attach the policy to each group. Add each department’s members to their respective IAM group.
By creating an IAM group, all similar users can be managed at one time. Once the permissions are defined within the policy, it can be attached to the IAM group, giving its members access to the resources and services stated within the policy.
You are storing sensitive employee information in an S3 Bucket. What can you use to give bucket access only to authorized personnel?
Bucket Policy
S3 bucket policies specify what actions are allowed or denied for which principals on the bucket that the bucket policy is attached to (e.g., allow user Alice to PUT but not DELETE objects in the bucket). https://aws.amazon.com/blogs/security/iam-policies-and-bucket-policies-and-acls-oh-my-controlling-access-to-s3-resources
Which AWS service provides central governance and management across multiple AWS accounts?
AWS Organizations
AWS Organizations helps you centrally govern your environment as you grow and scale your workloads on AWS. Whether you are a growing startup or a large enterprise, AWS Organizations helps you to centrally manage billing, control access, compliance, and security, and share resources across your AWS accounts.
Using AWS Organizations, you can automate account creation, create groups of accounts to reflect your business needs, and apply policies for these groups for governance. You can also simplify billing by setting up a single payment method for all of your AWS accounts. Through integrations with other AWS services, you can use Organizations to define central configurations and resource sharing across accounts in your organization. AWS Organizations is available to all AWS customers at no additional charge. https://aws.amazon.com/organizations/
Which term refers to the Identity and Access Management (IAM) resource objects that AWS uses for authentication?
Entities
IAM entities are the users (IAM users and federated users) and roles that are created and used for authentication. https://docs.aws.amazon.com/IAM/latest/UserGuide/intro-structure.html
Microsoft has announced a new patch for its operating system. For a Platform as a Service solution, who would be responsible for applying the patch?
AWS
Platform as a Service (PaaS) removes the need for organizations to manage the underlying infrastructure (usually hardware and operating systems) and lets them focus on the deployment and management of their applications.