Domain 2.0 Security and Compliance Flashcards

1
Q

Which entity is associated with the access keys that are used in managing your cloud resources via the AWS Command Line Interface (AWS CLI)?

A

IAM User

2
Q
  1. Not associated with the access keys used for the AWS CLI
  2. Associated with an identity or resource; defines its permissions

A

IAM Policy

3
Q

How can you apply and easily manage the common access permissions to a large number of IAM users in AWS?

A

Attach the required policies or permissions to a new IAM group, then add the IAM users to that group

4
Q

Is a collection of IAM users. It lets you specify permissions for multiple users, which can make it easier to manage the permissions for those users

A

IAM Group

5
Q

An automated security assessment service that helps improve the security and compliance of applications deployed on AWS. Automatically assesses applications for exposure, vulnerabilities, and deviations from best practices

A

AWS Inspector

6
Q

What are the things that you can implement to improve the security of your Identity and Access Management (IAM) users?

A

Configure a strong password policy for your users and enable Multi-Factor Authentication (MFA)

7
Q

In the VPC dashboard of your AWS Management Console, which of the following services or features can you manage?

A

Network ACLs and Security Groups

8
Q

These services have their own respective dashboards

A

Amazon CloudFront, AWS Lambda, and Amazon Route 53

9
Q

Lets you provision a logically isolated section of the AWS Cloud where you can launch AWS resources in a virtual network that you define

A

Amazon Virtual Private Cloud (Amazon VPC)

10
Q

Shared control between AWS and the customer

A
  1. Patch Management
  2. Configuration Management
  3. Awareness and Training

11
Q

Inherited controls (which a customer fully inherits from AWS)

A
  1. Physical and Environmental controls

12
Q

Customer specific controls (which are solely the responsibility of the customer based on the application they are deploying within AWS services)

A

Service and Communications Protection or Zone Security which may require a customer to route or zone data within specific security environments

13
Q

Customer Responsibility for security ‘in’ the cloud

A
  1. Customer Data
  2. Platform, applications, identity & access management
  3. OS, Network & Firewall Configuration
  4. Client-side data encryption & data integrity authentication
  5. Server-side encryption
  6. Networking traffic protection

13
Q

AWS Responsibility for security ‘of’ the Cloud

A
  1. Software (compute, storage, database, networking)
  2. Hardware/AWS Global Infrastructure (regions, availability zones, edge locations)

15
Q

There is an incident with your team where an S3 object was deleted using an account without the owner’s knowledge. What can be done to prevent unauthorized deletion of your S3 objects?

A

Configure MFA delete on the S3 bucket

16
Q

You are permitted to conduct security assessments and penetration testing without prior approval against which AWS resources?

A

Amazon RDS and Amazon Aurora

17
Q

Permitted Services to conduct security assessments

A
  • Amazon EC2 instances, NAT Gateways, and ELBs
  • Amazon RDS, CloudFront, Aurora, API Gateways, Lightsail resources
  • AWS Lambda and Lambda@Edge functions
  • Amazon Elastic Beanstalk environments

18
Q

Prohibited Activities to conduct security assessments

A
  • DNS zone walking via Amazon Route 53 Hosted Zones
  • DoS, DDoS, simulated DoS, simulated DDoS
  • Port flooding
  • Protocol flooding
  • Request flooding (login request flooding, API request flooding)

19
Q

An optional layer of security for your VPC that acts as a firewall for controlling traffic in and out of one or more subnets

A

Network Access Control List (ACL)

20
Q

Used to secure your EC2 instances and RDS databases in a similar way to how network ACLs work. However, they are not used for subnet security

A

Security Group

21
Q

It is a service used for account and user management

A

AWS IAM

22
Q

It is a tool that checks for resource compliance in your account

A

AWS Config

23
Q

What should you use if you need to provide temporary AWS credentials for users who have been authenticated via their social media logins, as well as for guest users who do not require any authentication?

A

Amazon Cognito Identity Pool

24
Q

A user directory in Amazon Cognito

A

Amazon Cognito User Pool

25
Q

A client library that enables cross-device syncing of application-related user data

A

Amazon Cognito Sync

26
Q

An isolated AWS Region (not a compliance document repository like AWS Artifact) designed to allow U.S. government agencies and customers to move sensitive workloads into the cloud by addressing their specific regulatory and compliance requirements

A

AWS GovCloud

27
Q

Lets you easily provision, manage, and deploy public and private Secure Sockets Layer/Transport Layer Security (SSL/TLS) certificates for use with AWS services and your internal connected resources. This service does not store certifications or compliance-related documents

A

AWS Certificate Manager

28
Q

What is the most secure way to provide applications temporary access to your AWS resources?

A

Create an IAM role and have the application assume the role

29
Q

Which threat detection service continuously monitors for malicious activity and unauthorized behavior to protect your AWS accounts and workloads?

A

Amazon GuardDuty

30
Q

Managed Distributed Denial of Service (DDoS) protection service that safeguards applications running on AWS

A

AWS Shield

31
Q

A machine learning-powered security service that discovers, classifies, and protects sensitive data such as personally identifiable information (PII) or intellectual property?

A

Amazon Macie

32
Q

Primarily used if you want to add user sign-up, sign-in, and access control to your web and mobile apps quickly and easily

A

Amazon Cognito

33
Q

What can you use to test and troubleshoot IAM and resource-based policies?

A

IAM Policy Simulator

34
Q

Which of the following policies grant the necessary permissions required to access your Amazon S3 resources?

A

User policies and Bucket policies

35
Q

Which of the following statements is true for AWS CloudTrail?

A

When you create a trail in the AWS Management Console, the trail applies to all AWS Regions by default

36
Q

What is the best way to keep track of all activities made in your AWS account?

A

Create a multi-region trail in AWS CloudTrail

37
Q

What service acts as a firewall for your EC2 instances?

A

Security Group

38
Q

A logical networking component in a VPC that represents a virtual network card. It does not serve as a virtual firewall for your instances

A

Elastic Network Interface

39
Q

Which statement best describes what an account alias is in IAM?

A

A substitute for an account ID in the web address for your account

40
Q

Which of the following security group rules are valid?

A
  1. Inbound HTTP rule with a security group ID as source
  2. Inbound RDP rule with an address range as source

41
Q

Security group rules facts

A
  1. Instance IDs or hostnames are not valid values
  2. An outbound MySQL rule with an IP address as source is invalid, because an outbound rule has no source to set. Since it is outbound, you set the allowed destination instead

42
Q

Which of the following do you need to programmatically interact with your AWS environment?

A

AWS SDK and Access keys

43
Q

Which compliance requirement has AWS achieved that allows handling of medical information?

A

HIPAA

44
Q

This is a set of security standards designed to ensure that ALL companies that accept, process, store, or transmit credit card information maintain a secure environment

A

PCI DSS

45
Q

This is a report on controls at a service organization that are relevant to user entities' internal control over financial reporting

A

SOC 1

46
Q

This is focused more on making sure that systems are set up so they assure security, availability, processing integrity, confidentiality, and privacy of customer data

A

SOC 2

47
Q

A company plans to work with a third-party provider to deploy a new application that will be accessed globally. You need to delegate permissions to access resources without using permanent credentials.

What should you use?

A

IAM Role

IAM roles are a secure way to grant permissions to entities you trust without creating dedicated user accounts

48
Q

This is a feature of AWS Organizations. It is a policy that specifies the services and actions that users and roles can use in the accounts that the SCP affects. SCPs are similar to IAM permission policies except that they do not grant any permissions. Instead, they are just filters that allow only the specified services and actions to be used in affected accounts

A

Service Control Policy

49
Q

What service will allow you to safely store and automatically rotate database secrets for services such as Amazon RDS and Amazon Redshift?

A

AWS Secrets Manager

50
Q

Helps you protect secrets needed to access your applications, services, and IT resources. The service enables you to easily rotate, manage, and retrieve database credentials, API keys, and other secrets throughout their lifecycle

A

AWS Secrets Manager

51
Q

Enables you to privately connect your VPC to Amazon S3 without requiring an internet gateway, NAT device, VPN connection, or AWS Direct Connect connection

A

VPC Endpoint

52
Q

Addresses many different types of potentially abusive activities such as phishing, malware, spam, and denial of service (DoS) or distributed denial of service (DDoS) incidents. When abuse is reported, AWS alerts customers so they can take the necessary remediation action. Customers may want to build automation for handling abuse events and the actions to remediate them

A

AWS Abuse

53
Q

Which AWS services should you use to upload SSL certificates?

A

AWS IAM and AWS Certificate Manager

54
Q

The Chief Technology Officer wants to control the use of services across multiple AWS accounts using AWS Organizations. What service must be used to satisfy this requirement?

A

Service Control Policy

55
Q

Automates common maintenance and deployment tasks of EC2 instances and other AWS resources

A

AWS Systems Manager

56
Q

A company plans to restrict access to content served from an Amazon S3 bucket using Amazon CloudFront. What features can you use to satisfy this requirement?

A

Origin Access Identity

57
Q

Uses access keys as long-term programmatic credentials. Access keys consist of two parts: an access key ID and a secret access key. You can use access keys to sign programmatic requests to the AWS CLI or AWS API

A

IAM User