Domain 2.0 Security and Compliance Flashcards
Associated with the access keys that are used in managing your cloud resources via the AWS Command Line Interface (AWS CLI)?
IAM User
- Not associated with the access keys used for the AWS CLI
- define permissions for an action regardless of the method that you use to perform the operation
IAM Policy
How can you apply and easily manage the common access permissions to a large number of IAM users in AWS?
Attach the necessary policies or permissions required to a new IAM Group then afterwards, add the IAM Users to the IAM group
Is a collection of IAM users. It lets you specify permissions for multiple users, which can make it easier to manage the permissions for those users
IAM Group
An automated security assessment service that helps improve the security and compliance of applications deployed on AWS. Automatically assesses applications for exposure, vulnerabilities, and deviations from best practices
AWS Inspector
What are the things that you can implement to improve the security of your Identity and Access Management (IAM) users?
Configure a strong password policy for your users and Enable Multi-Factor Authentication (MFA)
In the VPC dashboard of your AWS Management Console, which of the following services or feature below can you manage?
Network ACLs and Security Groups
Lets you provision a logically isolated section of the AWS Cloud where you can launch AWS resources in a virtual network that you define
Amazon Virtual Private Cloud (Amazon VPC)
What are the Shared control between AWS and the customer?
- Patch Management
- Configuration Management
- Awareness and Training
Which Inherited controls does a customer fully inherits from AWS?
- Physical and Environmental controls
Customer Specific – Controls which are solely the responsibility of the customer based on the application they are deploying within AWS services. Examples include:
Service and Communications Protection or Zone Security which may require a customer to route or zone data within specific security environments.
Customer Responsibility for security ‘in’ the cloud
- Customer Data
- Platform, applications, identity & access management
- OS, Network & Firewall Configuration
- Client-side data encryption & data integrity authentication
- Server-side encryption
- Networking traffic protection
AWS Responsibility for security ‘of’ the Cloud
- Software (compute, storage, database, networking)
- Hardware/AWS Global Infrastructure (regions, availability zones, edge locations)
There is an incident with your team where an S3 object was deleted using an account without the owner’s knowledge. What can be done to prevent unauthorized deletion of your S3 objects?
Configure MFA delete on the S3 bucket
You are permitted to conduct security assessments and penetration testing without prior approval against which AWS resources?
Amazon RDS and Amazon Aurora
Permitted Services to conduct security assessments
- Amazon EC2 instances, Nat Gateways, and ELB’s
- Amazon RDS, CloudFront, Aurora, API Gateways, Lightsail resources
- AWS Lambda and Lambda Edge functions
- Amazon Elastic Beanstalk environments
Prohibited Activities to conduct security assessments
- DNS zone walking via Amazon Route 53 Hosted Zones
- DoS, DDoS, simulated Dos, Simulated DDoS
- Port flooding
- Procotol flooding
- Request flooding (login request flooding, API request flooding)
a virtual firewall that controls inbound and outbound traffic at the subnet level for VPCS
this is a stateless filtering type
Network Access Control List (ACL)
Used to secure your EC2 instances and RDS databases in a similar way with how network ACLs work. However, they are not used for subnet security
Security Group
It is a service used for account and user management
AWS IAM
It is a tool that checks for resource compliance in your account
AWS Config
Should you use if you need to provide temporary AWS credentials for users who have been authenticated via their social media logins as well as for guest users who do not require any authentication?
Amazon Cognito Identity Pool
A user directory in Amazon Cognito
Amazon Cognito User Pool
A client library that enables cross-device syncing of application-related user data
Amazon Cognito Sync
An isolated AWS Region and not a compliance document repository like AWS Artifact, which is designed to allow U.S. government agencies and customers to move sensitive workloads into the cloud by addressing their specific regulatory and compliance requirements
AWS GovCloud
Lets you easily provision, manage, and deploy public and private Secure Sockets Layer/Transport Layer Security (SSL/TLS) certificates for use with AWS services and your internal connected resources. This service does not store certifications or compliance-related documents
AWS Certificate Manager
What is the most secure way to provide applications temporary access to your AWS resources?
Create an IAM role and have the application assume the role
Is a threat detection service that continuously monitors for malicious activity and unauthorized behavior to protect your AWS accounts and workloads?
Amazon GuardDuty
Managed Distributed Denial of Service (DDoS) protection service that safeguards applications running on AWS
AWS Shield
A machine learning-powered security service that discovers, classifies, and protects sensitive data such as personally identifiable information (PII) or intellectual property?
Amazon Macie
Primarily used if you want to add user sign-up, sign-in, and access control to your web and mobile apps quickly and easily
Amazon Cognito
Can you use to test and troubleshoot IAM and resource-based policies?
IAM Policy Simulator
Which of the following policies grant the necessary permissions required to access your Amazon S3 resources?
User policies and Bucket policies
Which of the following statements is true for AWS CloudTrail?
When you create a trail in the AWS Management Console, the trail applies to all AWS Regions by default
What is the best way to keep track of all activities made in your AWS account?
Create a multi-region trail in AWS CloudTrail
What service acts as a firewall for your EC2 instances?
Security Group
A logical networking component in a VPC that represents a virtual network card. It does not serve as a virtual firewall for your instances
Elastic Network Interface
Best describes what an account alias is in IAM?
A substitute for an account ID in the web address for your account
Which of the following security group rules are valid?
- Inbound HTTP rule with security group ID as source
- Inbound RDP rule with an address range as source
Security group rules facts
The name for the security group
Protocol, port
source, destination by subnet
Which of the following do you need to programmatically interact with your AWS environment?
AWS SDK and Access keys
Which compliance requirement has AWS achieved that allows handling of medical information?
HIPAA
This is a set of security standards designed to ensure that ALL companies that accept, process, store, or transmit credit card information maintain a secure environment
PCI DSS Payment Card Industry Data Security Standard
report is for service organizations that impact or may impact their clients’ financial reporting
SOC 1
This report focused more on making sure that systems are set up so they assure security, availability, processing integrity, confidentiality, and privacy of customer data
SOC 2Report
A company plans to work with a third-party provider to deploy a new application that will be accessed globally. You need to delegate permissions to access resources without using permanent credentials.
What should you use?
IAM Role
Are a secure way to grant permissions to entities you trust without creating dedicated user accounts
This is a feature of AWS Organizations. It’s a policy that specifies the services and actions that users and roles can use in the accounts that the SCP affects. They’re similar to IAM permission policies except that they don’t grant any permissions. Instead, They’re are just filters that allow only the specified services and actions to be used in affected accounts
Service Control Policy
What service will allow you to safely store and automatically rotate database secrets for services such as Amazon RDS and Amazon Redshift?
AWS Secrets Manager
Helps you protect secrets needed to access your applications, services, and IT resources. The service enables you to easily rotate, manage, and retrieve database credentials, API keys, and other secrets throughout their lifecycle
AWS Secrets Manager
Enables you to privately connect your VPC to Amazon S3 without requiring an internet gateway, NAT device, VPN connection, or AWS Direct Connect connection
VPC Endpoint
Addresses many different types of potentially abusive activities such as phishing, malware, spam, and denial of service (DoS) or distributed denial of service (DDoS) incidents. When abuse is reported, we alert customers so they can take the remediation action that is necessary. Customers want to build automation for handling abuse events and the actions to remediate them
AWS Abuse
Which AWS services should you use to upload SSL certificates?
AWS IAM and AWS Certificate Manager
The Chief Technology Officer wants to control the use of services across multiple AWS accounts using AWS Organizations. What service must be used to satisfy this requirement?
Service Control Policy
Automates common maintenance and deployment tasks of EC2 instances and other AWS resources
AWS Systems Manager
special CloudFront user that you can associate with Amazon S3 origins, so that you can secure all or just some of your Amazon S3 content
Origin Access Identity
Make use of access keys for long-term programmatic credentials. Access keys consist of two parts: an access key ID and a secret access key. You can use access keys to sign programmatic requests to the AWS CLI or AWS API
IAM User
