Domain 2: Security and Compliance Flashcards

1
Q

You’re hosting a MySQL database on Amazon RDS. Are you responsible for patching the database engine on an RDS database instance or is AWS responsible for this security patching?

A

AWS is responsible for patching on Amazon RDS.

2
Q

You have a database running on EC2. Who would be responsible for patching of the Amazon EC2 instance?

A

You are responsible for the patching of your Amazon EC2 instance.

3
Q

Where can you find information about compliance on AWS?

A

AWS compliance programs such as AWS Artifact, the Security Center, and the AWS Knowledge Center.

4
Q

What AWS service helps to identify an IAM user who deleted an EC2 instance in your production environment?

A

AWS CloudTrail
CloudTrail is a service for governance, compliance, operational auditing, and risk auditing of your AWS account. It continuously monitors and retains account activity related to actions across your AWS infrastructure.

5
Q

What are some actions you can perform as the account root user of your AWS account?

A

You can:
• change your account settings
• restore IAM user permissions
• activate access to the AWS Billing and Cost Management console
• register as a seller
• configure an S3 bucket to enable MFA
• close your AWS account
etc.

6
Q

What identity in AWS has associated usernames and passwords?

A

IAM users.

7
Q

What AWS service would you choose if you need to create rules to filter web traffic based on conditions such as IP addresses, HTTP headers, or custom URLs?

A

AWS WAF
AWS WAF helps you control traffic with rules that you define, blocking common attack patterns such as SQL injection or cross-site scripting.

8
Q

Can you conduct security assessments and penetration testing without prior approval against your AWS resources?

A

Yes, but only for certain services.

9
Q

Which AWS service provides a quick and automated way to create and manage AWS accounts?

A

AWS Organizations
offers an API to create and manage AWS accounts. Organizations can control permissions that are available to accounts and can consolidate billing.

10
Q

Which service or feature will enhance the security of access to the AWS Management Console?

A
  1. Multi-factor authentication (MFA)
  2. Complex password requirements
11
Q

A company wants to add a virtual firewall to an Amazon VPC. The company wants all instances inside a specific subnet to be automatically covered by its firewall.
Which feature meets these requirements?

A

Network ACLs
Network ACLs are used to allow or deny specific traffic to a VPC at the subnet level. They are stateless: information about previously sent or received traffic is not saved. You can associate a network ACL with multiple subnets, but a subnet can only be associated with one network ACL at a time. Each subnet in your VPC must have a network ACL.

12
Q

A company has a new requirement to log actions taken in a production account.
Which AWS service should meet that requirement?

A

AWS CloudTrail
CloudTrail logs actions taken in the Management Console, the CLI, and the SDKs, for example.

13
Q

Which AWS service provides managed threat detection that will identify compromised instances and accounts?

A

Amazon GuardDuty
GuardDuty provides continuous monitoring and threat detection. It uses threat intelligence feeds and ML to identify unauthorized and malicious activity within your AWS environment. You can use GuardDuty to identify compromised instances and accounts.

14
Q

What is something the customer is responsible for updating and patching, according to the AWS shared responsibility model?

A

Amazon WorkSpaces virtual Windows desktop.
You can schedule maintenance windows or manually make the update yourself.

15
Q

What is a task that AWS is responsible for in the AWS shared responsibility model for security and compliance?

A

Updating EC2 hardware.

16
Q

What security-related services or features does AWS offer?

A
  1. AWS Trusted Advisor Security Checks
  2. Data encryption
17
Q

What task is the customer’s responsibility for AWS Lambda, according to the AWS shared responsibility model?

A

Encryption of the application data at rest.

Although Lambda is fully managed, customers remain responsible for their application data. Therefore, the customer is responsible for protecting and encrypting application data at rest.

18
Q

Which service should someone use to turn on single sign-on (SSO) to the AWS Management Console?

A

AWS IAM Identity Center.

IAM Identity Center provides the ability to manage sign-in security for your workforce users.

19
Q

Which service provides risk auditing by continuously monitoring and logging API requests to resources in an account, which includes user actions in the AWS Management Console and AWS SDKs?

A

CloudTrail

20
Q

What is CloudWatch used for?

A

CloudWatch monitors your AWS resources and the applications that you run on AWS in real time. You can use CloudWatch to collect and track metrics, which are variables that you can measure for your resources and apps.
You can create custom dashboards to display metrics about your custom apps, and you can create alarms that watch metrics and send notifications or automatically make changes to the resources you're monitoring when a threshold is breached.

21
Q

During a compliance review, one of the auditors requires a copy of the AWS SOC 2 report.
Which service should be used to submit this request?

A

AWS Artifact

AWS Artifact is a web service that allows you to download AWS security and compliance documents such as ISO certifications and SOC reports.

22
Q

What is the AWS Health Dashboard?

A

AWS Health provides ongoing visibility into your resource performance and the availability of your AWS services and accounts.
You can use Health events to learn how service and resource changes might affect your apps running on AWS.
Health helps you be aware of and prepare for planned activities.
It delivers alerts and notifications triggered by changes in the health of AWS resources, so you get near-instant event visibility and guidance to help accelerate troubleshooting.

23
Q

Which AWS service uses ML to help discover, monitor, and protect sensitive data that’s stored in S3 buckets?

A

Amazon Macie

24
Q

What is AWS Shield?

A

Shield Standard and Shield Advanced are DDoS protection services that operate at the network, transport, and application layers.

25
Q

What is Amazon Cognito?

A

Cognito is an identity platform that provides user management and authentication for web and mobile apps. It's a user directory, an authentication server, and an authorization service for OAuth 2.0 access tokens and AWS credentials.
It can authenticate users from the built-in user directory, from your enterprise directory, and from consumer identity providers like Google and Facebook.

26
Q

What is AWS Secrets Manager?

A

Secrets Manager is a service that helps you manage, retrieve, and rotate database credentials, app credentials, OAuth tokens, API keys, and other secrets throughout their lifecycles.

27
Q

What is AWS Certificate Manager?

A

ACM handles the complexity of creating, storing, and renewing public and private SSL/TLS certificates and keys that protect your AWS-based websites and apps.

28
Q

What is a security group?

A

A security group controls the traffic that's allowed to reach and leave the resources it's associated with (for example, EC2 instances).
A VPC comes with a default security group (and a default network ACL).
Security groups are stateful: if traffic is allowed out, it will be allowed back in.

29
Q

What is Amazon Inspector used for?

A

It's used to scan AWS workloads for software vulnerabilities and unintended network exposure based on industry standards.
It discovers and scans EC2 instances, container images in ECR, and Lambda functions.

30
Q

What is the purpose of AWS Application Discovery Service?

A

It helps you plan your migration to the AWS Cloud by collecting usage and configuration data about your on-premises servers and databases.

31
Q

What is the AWS Directory Service for Microsoft Active Directory?

A

AWS Managed Microsoft AD is a fully managed service that gives you the ability to connect to your existing Active Directory or to migrate workloads.

32
Q

What is a transit gateway used for?

A

To interconnect your VPC and on-premises networks through a central hub.

33
Q

What is a route table?

A

A route table contains a set of rules, called routes, that determine where network traffic from your subnet or gateway is directed.

34
Q

What is AWS Config?

A

AWS Config is a service that provides a detailed view of the configuration of AWS resources in your AWS account. This view includes how the resources are related to one another and how they were configured in the past, so that you can see how the configurations and relationships change over time.

35
Q

Which AWS service or feature can create and provide temporary credentials for a trusted user to access AWS resources?

A

AWS Security Token Service (STS)