Domain 2.0 Security and Compliance

Question 1

Associated with the access keys that are used in managing your cloud resources via the AWS Command Line Interface (AWS CLI)?

Answer 1

IAM User

Question 2

1. Not associated with the access keys used for the AWS CLI
2. define permissions for an action regardless of the method that you use to perform the operation

Answer 2

IAM Policy

Question 3

How can you apply and easily manage the common access permissions to a large number of IAM users in AWS?

Answer 3

Attach the necessary policies or permissions required to a new IAM Group then afterwards, add the IAM Users to the IAM group

Question 4

Is a collection of IAM users. It lets you specify permissions for multiple users, which can make it easier to manage the permissions for those users

Answer 4

IAM Group

Question 5

An automated security assessment service that helps improve the security and compliance of applications deployed on AWS. Automatically assesses applications for exposure, vulnerabilities, and deviations from best practices

Answer 5

AWS Inspector

Question 6

What are the things that you can implement to improve the security of your Identity and Access Management (IAM) users?

Answer 6

Configure a strong password policy for your users and Enable Multi-Factor Authentication (MFA)

Question 7

In the VPC dashboard of your AWS Management Console, which of the following services or feature below can you manage?

Answer 7

Network ACLs and Security Groups

Question 8

Lets you provision a logically isolated section of the AWS Cloud where you can launch AWS resources in a virtual network that you define

Answer 8

Amazon Virtual Private Cloud (Amazon VPC)

Question 9

What are the Shared control between AWS and the customer?

Answer 9

1. Patch Management
2. Configuration Management
3. Awareness and Training

Question 10

Which Inherited controls does a customer fully inherits from AWS?

Answer 10

1. Physical and Environmental controls

Question 11

Customer Specific – Controls which are solely the responsibility of the customer based on the application they are deploying within AWS services. Examples include:

Answer 11

Service and Communications Protection or Zone Security which may require a customer to route or zone data within specific security environments.

Question 12

Customer Responsibility for security ‘in’ the cloud

Answer 12

1. Customer Data
2. Platform, applications, identity & access management
3. OS, Network & Firewall Configuration
4. Client-side data encryption & data integrity authentication
5. Server-side encryption
6. Networking traffic protection

Question 13

AWS Responsibility for security ‘of’ the Cloud

Answer 13

1. Software (compute, storage, database, networking)
2. Hardware/AWS Global Infrastructure (regions, availability zones, edge locations)

Question 14

There is an incident with your team where an S3 object was deleted using an account without the owner’s knowledge. What can be done to prevent unauthorized deletion of your S3 objects?

Answer 14

Configure MFA delete on the S3 bucket

Question 15

You are permitted to conduct security assessments and penetration testing without prior approval against which AWS resources?

Answer 15

Amazon RDS and Amazon Aurora

Question 16

Permitted Services to conduct security assessments

Answer 16

• Amazon EC2 instances, Nat Gateways, and ELB’s
• Amazon RDS, CloudFront, Aurora, API Gateways, Lightsail resources
• AWS Lambda and Lambda Edge functions
• Amazon Elastic Beanstalk environments

Question 17

Prohibited Activities to conduct security assessments

Answer 17

• DNS zone walking via Amazon Route 53 Hosted Zones
• DoS, DDoS, simulated Dos, Simulated DDoS
• Port flooding
• Procotol flooding
• Request flooding (login request flooding, API request flooding)

Question 18

a virtual firewall that controls inbound and outbound traffic at the subnet level for VPCS
this is a stateless filtering type

Answer 18

Network Access Control List (ACL)

Question 19

Used to secure your EC2 instances and RDS databases in a similar way with how network ACLs work. However, they are not used for subnet security

Answer 19

Security Group

Question 20

It is a service used for account and user management

Answer 20

AWS IAM

Question 21

It is a tool that checks for resource compliance in your account

Answer 21

AWS Config

Question 22

Should you use if you need to provide temporary AWS credentials for users who have been authenticated via their social media logins as well as for guest users who do not require any authentication?

Answer 22

Amazon Cognito Identity Pool

Question 23

A user directory in Amazon Cognito

Answer 23

Amazon Cognito User Pool

Question 24

A client library that enables cross-device syncing of application-related user data

Answer 24

Amazon Cognito Sync

Question 25

An isolated AWS Region and not a compliance document repository like AWS Artifact, which is designed to allow U.S. government agencies and customers to move sensitive workloads into the cloud by addressing their specific regulatory and compliance requirements

Answer 25

AWS GovCloud

Question 26

Lets you easily provision, manage, and deploy public and private Secure Sockets Layer/Transport Layer Security (SSL/TLS) certificates for use with AWS services and your internal connected resources. This service does not store certifications or compliance-related documents

Answer 26

AWS Certificate Manager

Question 27

What is the most secure way to provide applications temporary access to your AWS resources?

Answer 27

Create an IAM role and have the application assume the role

Question 28

Is a threat detection service that continuously monitors for malicious activity and unauthorized behavior to protect your AWS accounts and workloads?

Answer 28

Amazon GuardDuty

Question 29

Managed Distributed Denial of Service (DDoS) protection service that safeguards applications running on AWS

Answer 29

AWS Shield

Question 30

A machine learning-powered security service that discovers, classifies, and protects sensitive data such as personally identifiable information (PII) or intellectual property?

Answer 30

Amazon Macie

Question 31

Primarily used if you want to add user sign-up, sign-in, and access control to your web and mobile apps quickly and easily

Answer 31

Amazon Cognito

Question 32

Can you use to test and troubleshoot IAM and resource-based policies?

Answer 32

IAM Policy Simulator

Question 33

Which of the following policies grant the necessary permissions required to access your Amazon S3 resources?

Answer 33

User policies and Bucket policies

Question 34

Which of the following statements is true for AWS CloudTrail?

Answer 34

When you create a trail in the AWS Management Console, the trail applies to all AWS Regions by default

Question 35

What is the best way to keep track of all activities made in your AWS account?

Answer 35

Create a multi-region trail in AWS CloudTrail

Question 36

What service acts as a firewall for your EC2 instances?

Answer 36

Security Group

Question 37

A logical networking component in a VPC that represents a virtual network card. It does not serve as a virtual firewall for your instances

Answer 37

Elastic Network Interface

Question 38

Best describes what an account alias is in IAM?

Answer 38

A substitute for an account ID in the web address for your account

Question 39

Which of the following security group rules are valid?

Answer 39

1. Inbound HTTP rule with security group ID as source
2. Inbound RDP rule with an address range as source

Question 40

Security group rules facts

Answer 40

The name for the security group
Protocol, port
source, destination by subnet

Question 41

Which of the following do you need to programmatically interact with your AWS environment?

Answer 41

AWS SDK and Access keys

Question 42

Which compliance requirement has AWS achieved that allows handling of medical information?

Answer 42

HIPAA

Question 43

This is a set of security standards designed to ensure that ALL companies that accept, process, store, or transmit credit card information maintain a secure environment

Answer 43

PCI DSS Payment Card Industry Data Security Standard

Question 44

report is for service organizations that impact or may impact their clients’ financial reporting

Answer 44

SOC 1

Question 45

This report focused more on making sure that systems are set up so they assure security, availability, processing integrity, confidentiality, and privacy of customer data

Answer 45

SOC 2Report

Question 46

A company plans to work with a third-party provider to deploy a new application that will be accessed globally. You need to delegate permissions to access resources without using permanent credentials.

What should you use?

Answer 46

IAM Role

Are a secure way to grant permissions to entities you trust without creating dedicated user accounts

Question 47

This is a feature of AWS Organizations. It’s a policy that specifies the services and actions that users and roles can use in the accounts that the SCP affects. They’re similar to IAM permission policies except that they don’t grant any permissions. Instead, They’re are just filters that allow only the specified services and actions to be used in affected accounts

Answer 47

Service Control Policy

Question 48

What service will allow you to safely store and automatically rotate database secrets for services such as Amazon RDS and Amazon Redshift?

Answer 48

AWS Secrets Manager

Question 49

Helps you protect secrets needed to access your applications, services, and IT resources. The service enables you to easily rotate, manage, and retrieve database credentials, API keys, and other secrets throughout their lifecycle

Answer 49

AWS Secrets Manager

Question 50

Enables you to privately connect your VPC to Amazon S3 without requiring an internet gateway, NAT device, VPN connection, or AWS Direct Connect connection

Answer 50

VPC Endpoint

Question 51

Addresses many different types of potentially abusive activities such as phishing, malware, spam, and denial of service (DoS) or distributed denial of service (DDoS) incidents. When abuse is reported, we alert customers so they can take the remediation action that is necessary. Customers want to build automation for handling abuse events and the actions to remediate them

Answer 51

AWS Abuse

Question 52

Which AWS services should you use to upload SSL certificates?

Answer 52

AWS IAM and AWS Certificate Manager

Question 53

The Chief Technology Officer wants to control the use of services across multiple AWS accounts using AWS Organizations. What service must be used to satisfy this requirement?

Answer 53

Service Control Policy

Question 54

Automates common maintenance and deployment tasks of EC2 instances and other AWS resources

Answer 54

AWS Systems Manager

Question 55

special CloudFront user that you can associate with Amazon S3 origins, so that you can secure all or just some of your Amazon S3 content

Answer 55

Origin Access Identity

Question 56

Make use of access keys for long-term programmatic credentials. Access keys consist of two parts: an access key ID and a secret access key. You can use access keys to sign programmatic requests to the AWS CLI or AWS API

Answer 56

IAM User