Domain 2: Security and Compliance (25%)

Question 1

Customer Responsibility Elements

Answer 1

• Customer Data
• Platform, applications, IAM
• OS, Network, and Firewall Configurations
• Client-side Data Encryption & Data Integrity Authentication
• Server-side encryption (file systems and/or data)
• Network Traffic protection (encryption, integrity, identity)

Question 2

AWS Responsibility Elements

Answer 2

Compute
Storage
Database
Networking
Regions
Availability Zones
Edge Locations

Question 3

Responsibility Differences between IaaS and PaaS

Answer 3

Customer accepts responsibility of OS, Middleware, and runtime with IaaS vs PaaS where these functions are managed for the customer

Question 4

Compliance Information Location

Answer 4

https://aws.amazon.com/compliance/programs/

Question 5

Encryption Key Management Solutions

Answer 5

Internal Storage
External Storage
Independent System or service

Question 6

DLP Components

Answer 6

Discovery and classification
Monitoring
Enforcement

Question 7

Define Federated Access

Answer 7

Integrate other technologies such as SAML or Microsoft Active Directory into the IAM account creation process

Question 8

Security, Identity, and Compliance Services

Answer 8

• AWS Artifact
• AWS Certificate Manager (ACM)
• AWS CloudHSM
• Amazon Cognito
• Amazon Detective
• Amazon GuardDuty
• AWS Identity and Access Management (IAM)
• Amazon Inspector
• AWS License Manager
• Amazon Macie
• AWS Shield
• AWS WAF

Question 9

Explain the Principle of Least Privilege

Answer 9

Limit user access to the minimum privileges required to do their job

Question 10

User and Identity Management Features

Answer 10

• Access keys and password policies (rotation, complexity)
• MFA
• Groups/Users
• Roles
• Managed polices vs custom policies
• Root account tasks and protections

Question 11

Root Only AWS Tasks

Answer 11

• Change account settings
• Restore IAM user permissions
• Activate IAM access to billing and cost management console
• Close AWS account
• Change/cancel support plan
• Register as a seller
• Configure S3 bucket to enable MFA
• Edit/delete S3 bucket policy with invalid VPC ID or endpoint ID
• Sign up for GovCloud

Question 12

AWS Security Support Levels

Answer 12

Free
Developer
Business
Enterprise

Question 13

AWS Developer Support Plan Features

Answer 13

AWS Trusted Advisor (7 checks)
AWS Personal Health Dashboard
Technical Support
Architecture Support

Question 14

AWS Developer Support Plan Technical Support Response Times

Answer 14

(Business hours only)
24 hours general guidance
12 hours system problems and issues

Question 15

AWS Business Support Plan Features

Answer 15

AWS Trusted Advisor (115 checks)
AWS Personal Health Dashboard
Technical Support
Architecture Support
AWS Support API
Third-Party Software Support
Access to Proactive Support Programs

Question 16

AWS Business Support Plan Technical Support Response Times

Answer 16

(24/7)
24 hours general guidance
12 hours system problems and issues
4 hours production system problems
1 hour production system outages

Question 17

AWS Enterprise Support Plan Features

Answer 17

Technical Support
Proactive Support Programs
Support Concierge
Account Onboarding

Question 18

AWS Enterprise Support Plan Technical Support Response Times

Answer 18

(24/7)
24 hours general guidance
12 hours system problems and issues
4 hours production system problems
1 hour production system outages
15 minutes for critical systems outages

Question 19

AWS Documentation Sources

Answer 19

AWS Knowledge Center
Security Center
Security Forum
Security Blogs
Partner System Integrators

Question 20

Trusted Advisor Features

Answer 20

Cost Optimization
Performance
Security Checks
Service Limits

Question 21

Network Security Capabilities

Answer 21

• Security Groups
• Network ACLs
• AWS WAF
• 3rd Party products form Marketplace

Question 22

Management, Montitoring, and Governance Services

Answer 22

• AWS Auto Scaling
• AWS Budgets
• AWS CloudFormation
• AWS CloudTrail
• Amazon CloudWatch
• AWS Config
• AWS Cost and Usage Report
• Amazon EventBridge (Amazon CloudWatch Events)
• AWS License Manager
• AWS Managed Services
• AWS Organizations
• AWS Secrets Manager
• AWS Systems Manager

Question 23

Describe Credential Report

Answer 23

User and access privileges report for audit and compliance