Domain 6: Security

Question 1

What kind of attack does Encryption in Flight prevent?

Answer 1

Man in the middle (MITM) attack

Question 2

When does the server decrypt a Client Side encrypted object?

Answer 2

Never

Question 3

What is the encryption type for S3-SSE?

Answer 3

AES-256

Question 4

What is the HTTP/S header for for S3-SSE?

Answer 4

“x-amz-server-side-encryption”: “AES256”

Question 5

What are the advantages of S3-KMS over S3-SSE?

Answer 5

User control, audit trail, rotation of keys

Question 6

What is the HTTP/S header for S3-KMS?

Answer 6

“x-amz-server-side-encryption”: “aws:kms”

Question 7

What must be included in the header for an SSE-CS request?

Answer 7

Data Key

Question 8

When is data encrypted during an SSE-CS request?

Answer 8

On S3, then the Data Key is discarded

Question 9

What is another term for Encryption in Flight?

Answer 9

SSL / TLS

Question 10

What are the encryption options in the web S3 UI?

Answer 10

None, S3-SSE, S3-KMS

Question 11

When can the Customer Master Key be retrieved by the User in KMS?

Answer 11

Never

Question 12

What is the maximum data size that be encrypted via KMS per call?

Answer 12

4KB

Question 13

What should be used if more than 4KB of data needs to be encrypted in a KMS call?

Answer 13

Envelope encryption

Question 14

What must be done to give someone access to KMS?

Answer 14

Make sure Key Policy allows the user, make sure IAM policy allows API calls

Question 15

What are the three types of KMS Customer Master Keys?

Answer 15

AWS Managed Default (Free); User Keys in KMS ($1/month); User Imported Keys ($1/month) must be 256 symmetric

Question 16

How are KMS API calls charged?

Answer 16

3 cents per 10,000 calls

Question 17

What is the only service in AWS that allows in-place encryption?

Answer 17

S3

Question 18

Who manages the encryption keys when using an HSM?

Answer 18

Customer

Question 19

What level of compliance does CloudHSM offer?

Answer 19

FIPS 140-2 Level 3

Question 20

Is CloudHSM multi-AZ?

Answer 20

Yes

Question 21

Is Free Tier available for CloudHSM?

Answer 21

No

Question 22

How many days does CloudTrail hold logs?

Answer 22

90

Question 23

Which API calls are tracked by CloudTrail by default?

Answer 23

Create, Modify, Delete

Question 24

Can CloudTrail Trails be Global or Region-specific?

Answer 24

Either

Question 25

What is the format of CloudTrail Trail event exports?

Answer 25

JSON

Question 26

Which services are Gateway VPC endpoints used for?

Answer 26

DynamoDB and S3

Question 27

Which type of VPC endpoint is used for all services except DynamoDB and S3?

Answer 27

Interface endpoint

Question 28

Which encryption service offers asymmetric encryptiop?

Answer 28

CloudHSM

Question 29

How is Kinesis Data Streams encrypted in flight?

Answer 29

SSL / HTTPS

Question 30

What restriction is there when using client-side encryption in Kinesis Data Streams?

Answer 30

You must provide your own encryption libraries

Question 31

Does Kinesis Data Streams support VPC endpoints?

Answer 31

Yes, interface endpoints

Question 32

What additional access is needed when using KCL with Kinesis Data Streams?

Answer 32

DynamoDB access?

Question 33

What is an additional security level for SQS beyond IAM roles?

Answer 33

SQS queue access policies

Question 34

What are the two options for what you can attach IoT policies to?

Answer 34

X.509 certificates or Cognito Identities

Question 35

What language are IoT policies written in?

Answer 35

JSON

Question 36

Should you attach IAM roles to IoT Rules Engine?

Answer 36

Yes

Question 37

What does WORM stand for in Glacier?

Answer 37

Write Once Read Many

Question 38

How is data encrypted in flight in DynamoDB?

Answer 38

TLS / HTTPS

Question 39

Can KMS encryption be used on secondary indexes in DynamoDB?

Answer 39

Yes

Question 40

How do you encrypt an unencrypted table in DynamoDB?

Answer 40

Create a new encrypted table and migrate the data from the unencrypted table

Question 41

Do DynamoDB Streams support encryption?

Answer 41

No

Question 42

What do IAM policies provide protection for in the context of RDS?

Answer 42

RDS APIs

Question 43

Which two RDS technologies support IAM authentication?

Answer 43

PostgreSQL and MySQL

Question 44

Where are user permissions managed in RDS?

Answer 44

Within the database itself, NOT through IAM

Question 45

Which two RDS technologies support Transparent Data Encryption (TDE)?

Answer 45

Microsoft SQL and Oracle

Question 46

Which two database APIs are compatible with Aurora?

Answer 46

PostgreSQL and MySQL

Question 47

How can Lamba functions be configured to access resources within a VPC?

Answer 47

Deploy the Lamba function within the VPC

Question 48

How should Glue be configured to securely access data sources?

Answer 48

JDBC through SSL

Question 49

In addition to KMS encryption, what else can be used to secure Glue Data Catalog resources?

Answer 49

Resource policies (similar to S3 bucket policies)

Question 50

How are Glue connection passwords encrypted?

Answer 50

KMS

Question 51

What Glue data output destinations offer encryption?

Answer 51

S3, CloudWatch, Job bookmarks