Domain 6: Security Flashcards

1
Q

What kind of attack does Encryption in Flight prevent?

A

Man in the middle (MITM) attack

2
Q

When does the server decrypt a Client Side encrypted object?

A

Never

3
Q

What is the encryption type for S3-SSE?

A

AES-256

4
Q

What is the HTTP/S header for S3-SSE?

A

"x-amz-server-side-encryption": "AES256"

5
Q

What are the advantages of S3-KMS over S3-SSE?

A

User control, audit trail, rotation of keys

6
Q

What is the HTTP/S header for S3-KMS?

A

"x-amz-server-side-encryption": "aws:kms"

7
Q

What must be included in the header for an SSE-CS request?

A

Data Key

8
Q

When is data encrypted during an SSE-CS request?

A

On S3, then the Data Key is discarded

9
Q

What is another term for Encryption in Flight?

A

SSL / TLS

10
Q

What are the encryption options in the web S3 UI?

A

None, S3-SSE, S3-KMS

11
Q

When can the Customer Master Key be retrieved by the User in KMS?

A

Never

12
Q

What is the maximum data size that can be encrypted via KMS per call?

A

4KB

13
Q

What should be used if more than 4KB of data needs to be encrypted in a KMS call?

A

Envelope encryption

14
Q

What must be done to give someone access to KMS?

A

Make sure Key Policy allows the user, make sure IAM policy allows API calls

15
Q

What are the three types of KMS Customer Master Keys?

A

AWS Managed Default (Free); User Keys in KMS ($1/month); User Imported Keys ($1/month), which must be 256-bit symmetric

16
Q

How are KMS API calls charged?

A

3 cents per 10,000 calls

17
Q

What is the only service in AWS that allows in-place encryption?

A

S3

18
Q

Who manages the encryption keys when using an HSM?

A

Customer

19
Q

What level of compliance does CloudHSM offer?

A

FIPS 140-2 Level 3

20
Q

Is CloudHSM multi-AZ?

A

Yes

21
Q

Is Free Tier available for CloudHSM?

A

No

22
Q

How many days does CloudTrail hold logs?

A

90

23
Q

Which API calls are tracked by CloudTrail by default?

A

Create, Modify, Delete

24
Q

Can CloudTrail Trails be Global or Region-specific?

A

Either

25
Q

What is the format of CloudTrail Trail event exports?

A

JSON

26
Q

Which services are Gateway VPC endpoints used for?

A

DynamoDB and S3

27
Q

Which type of VPC endpoint is used for all services except DynamoDB and S3?

A

Interface endpoint

28
Q

Which encryption service offers asymmetric encryption?

A

CloudHSM

29
Q

How is Kinesis Data Streams encrypted in flight?

A

SSL / HTTPS

30
Q

What restriction is there when using client-side encryption in Kinesis Data Streams?

A

You must provide your own encryption libraries

31
Q

Does Kinesis Data Streams support VPC endpoints?

A

Yes, interface endpoints

32
Q

What additional access is needed when using KCL with Kinesis Data Streams?

A

DynamoDB access?

33
Q

What is an additional security level for SQS beyond IAM roles?

A

SQS queue access policies

34
Q

What are the two options for what you can attach IoT policies to?

A

X.509 certificates or Cognito Identities

35
Q

What language are IoT policies written in?

A

JSON

36
Q

Should you attach IAM roles to IoT Rules Engine?

A

Yes

37
Q

What does WORM stand for in Glacier?

A

Write Once Read Many

38
Q

How is data encrypted in flight in DynamoDB?

A

TLS / HTTPS

39
Q

Can KMS encryption be used on secondary indexes in DynamoDB?

A

Yes

40
Q

How do you encrypt an unencrypted table in DynamoDB?

A

Create a new encrypted table and migrate the data from the unencrypted table

41
Q

Do DynamoDB Streams support encryption?

A

No

42
Q

What do IAM policies provide protection for in the context of RDS?

A

RDS APIs

43
Q

Which two RDS technologies support IAM authentication?

A

PostgreSQL and MySQL

44
Q

Where are user permissions managed in RDS?

A

Within the database itself, NOT through IAM

45
Q

Which two RDS technologies support Transparent Data Encryption (TDE)?

A

Microsoft SQL and Oracle

46
Q

Which two database APIs are compatible with Aurora?

A

PostgreSQL and MySQL

47
Q

How can Lambda functions be configured to access resources within a VPC?

A

Deploy the Lambda function within the VPC

48
Q

How should Glue be configured to securely access data sources?

A

JDBC through SSL

49
Q

In addition to KMS encryption, what else can be used to secure Glue Data Catalog resources?

A

Resource policies (similar to S3 bucket policies)

50
Q

How are Glue connection passwords encrypted?

A

KMS

51
Q

What Glue data output destinations offer encryption?

A

S3, CloudWatch, Job bookmarks