Domain 2 - Security and Compliance Flashcards
Which of the following is one of the first places you should look when troubleshooting a failing application?
- Service Status Dashboard
- Service Health Dashboard
- AWS Billing Dashboard
- AWS Acceptable Use Monitor
- Service Health Dashboard
The AWS Billing Dashboard is focused on your account billing issues. Neither the AWS Acceptable Use Monitor nor the Service Status Dashboard actually exists. But nice try.
What role can the documents provided by AWS Artifact play in your application planning? (Select TWO.)
- They can provide insight into various regulatory and industry standards that represent best practices.
- They represent AWS infrastructure design policy.
- They can provide insight into the networking and storage design patterns your AWS applications use.
- They can help you confirm that your deployment infrastructure is compliant with regulatory standards.
- They can provide insight into various regulatory and industry standards that represent best practices.
AWS Artifact documents are about AWS infrastructure compliance with external standards. They tangentially can also provide insight into best practices. They do not represent internal AWS design or policies.
Which of the following credentials can you use to log into the AWS Management Console?
- Identity and Access Management (IAM) username
- Account alias
- Access key ID
- Account ID
- Identity and Access Management (IAM) username
You can sign in as the root user or as an IAM user. Although you need to specify the account alias or account ID to log in as an IAM user, those are not credentials. You can’t log in to the console using an access key ID.
How long will your session with the AWS Management Console remain active?
- 8 hours
- 6 hours
- 12 hours
- 24 hours
- 12 hours
Once you’re logged in, your session will remain active for 12 hours. After that, it’ll expire and log you out to protect your account.
What is a benefit of using CloudTrail log file integrity validation?
- It tells you how a CloudTrail log file has been tampered with.
- It lets you assert that no CloudTrail log files have been deleted from S3.
- It prevents unauthorized users from deleting CloudTrail log files.
- It lets you assert that no CloudTrail log files have been deleted from CloudWatch.
- It lets you assert that no CloudTrail log files have been deleted from S3.
Log file integrity validation uses cryptographic hashing to help you assert that no CloudTrail log files have been deleted from S3. It doesn’t prevent tampering or deletion and can’t tell you how a file has been tampered with. Log file integrity validation has nothing to do with CloudWatch.
Which of the following is true of a new security group?
- It contains an outbound rule denying access to public IP addresses.
- It contains an inbound rule allowing access from any IP address.
- It contains an outbound rule allowing access to any IP address.
- It contains an inbound rule denying access from any IP address.
- It contains an inbound rule denying access from public IP addresses.
- It contains an outbound rule allowing access to any IP address.
When you create a security group, it contains an outbound rule that allows access to any IP address. It doesn’t contain an inbound rule by default. Security group rules can only permit access, not deny it, so any traffic not explicitly allowed will be denied.
What’s the difference between a security group and a network access control list (NACL)? (Select TWO.)
- A security group operates at the subnet level.
- A security group operates at the instance level.
- A network access control list operates at the subnet level.
- A network access control list operates at the instance level.
- A security group operates at the instance level.
A network access control list is a firewall that operates at the subnet level. A security group is a firewall that operates at the instance level.
Which of the following are examples of applying the principles of least privilege or maximum security?
- Enabling S3 versioning
- Creating a security group rule to deny access to unused ports
- Granting each AWS user their own IAM username and password
- Deleting an empty S3 bucket
- Enabling S3 versioning
- Granting each AWS user their own IAM username and password
Security is about protecting the confidentiality, integrity, and availability of data. Granting each AWS user their own IAM username and password makes it possible to ensure the confidentiality of data. Enabling S3 versioning protects the integrity of data by maintaining a backup of an object. Deleting an empty S3 bucket doesn’t help with any of these. It’s not possible to create a security group rule that denies access to unused ports since security groups deny any traffic that’s not explicitly allowed.
Your organization is building a database-backed web application that will sit behind an application load balancer. You add an inbound security group rule to allow HTTP traffic on TCP port 80. Where should you apply this security group to allow users to access the application?
- The application load balancer listener
- The subnets where the instances reside
- The database instance
- None of these
- The application load balancer listener
Application load balancer listeners use security groups to control inbound access, so you need to apply a security group that has an inbound rule allowing HTTP access. Applying the security group rule to the database instance won’t help, since users don’t connect directly to the database instance. You can’t apply a security group to a subnet, only a network access control list.
Which of the following features of S3 improve the security of data you store in an S3 bucket? (Select TWO.)
- Objects in S3 are not public by default.
- S3 removes public objects by default.
- All objects are readable by all AWS users by default.
- By default, S3 removes ACLs that allow public read access to objects.
- Objects in S3 are not public by default.
- By default, S3 removes ACLs that allow public read access to objects.
Objects you upload to an S3 bucket are not public by default, nor are they accessible to all AWS users. Even if you try to make an object public using an ACL, S3 will immediately remove the ACL, but you can disable this behavior. S3 never removes objects by default.
Which of the following fall under the administration responsibility of Amazon rather than you (the customer)? (Select TWO.)
- Physical access to AWS data centers
- Data lost through malicious penetration of an application’s defenses
- The infrastructure powering AWS managed services
- Data stored in customer accounts on AWS
- Physical access to AWS data centers
- The infrastructure powering AWS managed services
It’s the responsibility of the customer (you) to properly back up and protect the data you use for your applications. AWS is responsible only for the security “of the cloud,” not for “what’s in the cloud.”
Which of the following AWS services would require the customer (i.e., you) to assume the least responsibility for administration? (Select TWO.)
- Elastic Beanstalk
- Relational Database Service
- Route 53
- Elastic Compute Cloud
- Elastic Beanstalk
- ?
While RDS is a managed service, it’s not as fully managed as Beanstalk. EC2 gives you control over nearly the entire infrastructure powering your instance.
Which of the following authentication tools is most commonly used for programmatic or automated access to AWS resources?
- SSH key pairs
- Access keys
- Multifactor authentication
- Passwords
- Access keys
MFA and passwords are most commonly used for manual, direct logins to the AWS Management Console. SSH key pairs are used for SSH login sessions to EC2 instances. Access keys are generally incorporated into AWS CLI or coded access via an AWS API.
Which of the following steps should ideally be taken on behalf of an AWS account’s root user? (Select THREE.)
- Apply multifactor authentication (MFA).
- Delete associated access keys.
- Set a complex password.
- Create access keys.
- Apply multifactor authentication (MFA).
- Delete associated access keys.
- Set a complex password.
Since the goal is to “lock down” the user, you will be better off deleting rather than creating access keys.
Which of the following describes an IAM role?
- An identity assumed by multiple users logging in (using passwords) to access one or more AWS resources
- An identity used by a process to perform an action against an AWS resource
- An identity assigned the owner of an AWS account when the account is created
- An identity assumed when a person uses a password to log in to access one or more AWS resources
- An identity used by a process to perform an action against an AWS resource
Identities used by one or more logged-in users are either “user” or “group” identities. The account owner identity is known as the root user. Roles are generally assumed by processes, not users.