Domain 2: Security and Compliance Flashcards
What is associated with the access keys that are used
in managing your cloud resources
via the AWS Command Line Interface (AWS CLI) ? ***
IAM User
Associated with an identity or resource,
defines their permissions
IAM Policy
How can you apply
and manage
common access permissions for a large number of IAM users
in AWS?
Attach the necessary policies
or permissions
required to a new IAM Group
then afterwards, add the IAM Users to the IAM group
A collection of IAM users.
It lets you specify permissions for multiple users,
which can make it easier
to manage the permissions for those users
IAM Group
An automated security assessment service that helps improve the security and compliance of applications deployed on AWS.
Automatically assesses applications for exposure, vulnerabilities, and deviations from best practices
AWS Inspector
What are the things that you can implement
to improve the security of your
Identity and Access Management (IAM) users?
Configure a strong password policy for your users and Enable Multi-Factor Authentication (MFA)
In the VPC dashboard of your AWS Management Console, which of the following services or feature below can you manage?
Network ACLs and Security Groups
These services have their own respective dashboards
Amazon CloudFront,
AWS Lambda,
and Amazon Route 53
Lets you provision a logically isolated section of the AWS Cloud where you can launch AWS resources in a virtual network that you define
Amazon Virtual Private Cloud (Amazon VPC)
Shared control between AWS and the customer
- Patch Management
- Configuration Management
- Awareness and Training
Inherited controls
which a customer fully inherits from AWS
Physical and Environmental controls
Customer specific controls
which are solely the responsibility of the customer based on the application they are deploying within AWS services
Service and Communications Protection or Zone Security which may require a customer to route or zone data within specific security environments
Customer Responsibility for security ‘in’ the cloud
- Customer Data
- Platform, applications, identity & access management
- OS, Network & Firewall Configuration
- Client-side data encryption & data integrity authentication
- Server-side encryption
- Networking traffic protection
AWS Responsibility for security ‘of’ the Cloud
- Software (compute, storage, database, networking)
2. Hardware/AWS Global Infrastructure (regions, availability zones, edge locations)
There is an incident with your team where an S3 object was deleted using an account without the owner’s knowledge.
What can be done to prevent unauthorized deletion of your S3 objects?
Configure MFA delete on the S3 bucket
You are permitted to conduct security assessments and penetration testing without prior approval against which AWS resources?
Amazon RDS and Amazon Aurora
Allowed Services to conduct security assessments
- Amazon EC2 instances, Nat Gateways, and ELB’s
- Amazon RDS, CloudFront, Aurora,
API Gateways, Lightsail resources - AWS Lambda and Lambda Edge functions
- Amazon Elastic Beanstalk environments
Prohibited Activities to conduct security assessments
- DNS zone walking via Amazon Route 53 Hosted Zones
- DoS, DDoS, simulated Dos, Simulated DDoS
- Port flooding
- Procotol flooding
- Request flooding (login request flooding, API request flooding)
Network Access Control List (ACL)
An optional layer of security for your VPC that acts as a firewall for controlling traffic in and out of one or more subnets
Security Group
Used to secure your EC2 instances and RDS databases in a similar way with how network ACLs work.
However, they are not used for subnet security
AWS IAM
It is a service used for account and user management
AWS Config
It is a tool that checks for resource compliance in your account
Amazon Cognito Identity Pool
Should use if you need to provide temporary AWS credentials for users who have been authenticated via their social media logins as well as for guest users who do not require any authentication
Amazon Cognito User Pool
A user directory in Amazon Cognito
Amazon Cognito Sync
A client library that enables cross-device syncing of application-related user data
AWS GovCloud
An isolated AWS Region
which is designed to allow U.S. government agencies and customers to move sensitive workloads into the cloud by addressing their specific regulatory and compliance requirements
AWS Certificate Manager
Lets you easily provision, manage, and deploy public and private Secure Sockets Layer/Transport Layer Security (SSL/TLS) certificates for use with AWS services and your internal connected resources.
This service does not store certifications or compliance-related documents
What is the most secure way to provide applications temporary access to your AWS resources?
Create an IAM role and have the application assume the role
Amazon GuardDuty
A threat detection service that continuously monitors for malicious activity and unauthorized behaviour to protect your AWS accounts and workloads
AWS Shield
Managed Distributed Denial of Service (DDoS) protection service that safeguards applications running on AWS
Amazon Macie
A machine learning-powered security service that discovers, classifies, and protects sensitive data such as personally identifiable information (PII)
or intellectual property
Amazon Cognito
Primarily used if you want to add user sign-up, sign-in, and access control to your web and mobile apps quickly and easily
IAM Policy Simulator
Use to test and troubleshoot IAM and resource-based policies?
Which of the following policies grant the necessary permissions required to access your Amazon S3 resources?
User policies and Bucket policies
What is the best way to keep track of all activities made in your AWS account?
Create a multi-region trail in AWS CloudTrail
What service acts as a firewall for your EC2 instances?
Security Group
Elastic Network Interface
A logical networking component in a VPC that represents a virtual network card.
It does not serve as a virtual firewall for your instances
What is an account alias is in IAM?
A substitute for an account ID in the web address for your account
Which of the following do you need to programmatically interact with your AWS environment?
AWS SDK and Access keys
Which compliance requirement has AWS achieved that allows handling of medical information?
HIPAA
Health Insurance Portability and Accountability Act
PCI DSS
Payment Card Industry Data Security Standard
This is a set of security standards designed to ensure that ALL companies that accept, process, store, or transmit credit card information maintain a secure environment
SOC 1
System and Organization Controls 1
This is a report on Controls at a Service Organization which are relevant to user entities internal control over financial reporting
SOC 2
System and Organization Controls 2
This is focused more on making sure that systems are set up so they assure security, availability, processing integrity, confidentiality, and privacy of customer data
A company plans to work with a third-party provider to deploy a new application that will be accessed globally.
You need to delegate permissions to access resources without using permanent credentials.
What should you use?
IAM Role
Are a secure way to grant permissions to entities you trust without creating dedicated user accounts
Service Control Policy
This is a feature of AWS Organizations.
It’s a policy that specifies the services and actions that users and roles can use in the accounts that the SCP affects.
They’re similar to IAM permission policies except that they don’t grant any permissions.
Instead, They’re are just filters that allow only the specified services and actions to be used in affected accounts
What service will allow you to safely store and automatically rotate database secrets for services such as Amazon RDS and Amazon Redshift?
AWS Secrets Manager
AWS Secrets Manager
Helps you protect secrets needed to access your applications, services, and IT resources. The service enables you to easily rotate, manage, and retrieve database credentials, API keys, and other secrets throughout their lifecycle
VPC Endpoint
Enables you to privately connect your VPC to Amazon S3 without requiring an internet gateway, NAT device, VPN connection, or AWS Direct Connect connection
AWS Abuse
Addresses many different types of potentially abusive activities such as phishing, malware, spam, and denial of service (DoS) or distributed denial of service (DDoS) incidents.
When abuse is reported, we alert customers so they can take the remediation action that is necessary.
Customers want to build automation for handling abuse events and the actions to remediate them
Which AWS services should you use to upload
Secure Sockets Layer (SSL) certificates?
AWS IAM and AWS Certificate Manager
The Chief Technology Officer wants to control the use of services across multiple AWS accounts using AWS Organizations. What service must be used to satisfy this requirement?
Service Control Policy
AWS Systems Manager
Automates common maintenance and deployment tasks of EC2 instances and other AWS resources
A company plans to restrict access to content served from an Amazon S3 bucket using Amazon CloudFront.
What features can you use to satisfy this requirement?
Origin Access Identity
IAM User
Make use of access keys for long-term programmatic credentials.
Access keys consist of two parts:
access key ID and a secret access key.
You can use access keys to sign programmatic requests to the AWS CLI or AWS API
