Domain 6: Security Flashcards
We need to gain access to a Role in another AWS account. How is it done?
1) We should ask for them to create a user for us
2) We should ask for them to send us access keys
3) We should use STS service to gain temporary credentials
3) STS
AWS Security Token Service (AWS STS) is a web service that enables you to request temporary, limited-privilege credentials for IAM users or for users that you authenticate (federated users).
You have a mobile application and would like to give your users access to their own personal space in Amazon S3. How do you achieve that?
1) Generate IAM user credentials for each of your application users
2) Use Cognito Identity Federation
3) Use SAML Identity Federation
4) Use a Bucket Policy to make your bucket public
2) The key hint is “mobile”
1) and 4) are obviously wrong.
3) I don’t think S3 can do SAML directly
You need an encryption service that supports asymmetric encryption schemes. Which service could you use?
1) CloudHSM
2) KMS
3) Lambda
1) HSM supports both symmetric and asymmetric encryption; KMS is symmetric only
We’d like to encrypt 100MB of data client side before uploading it to S3. We should use
1) KMS Encrypt call
2) Envelope Encryption
3) SSE-S3
4) SSE-KMS
2) Envelope Encryption is the practice of encrypting plaintext data with a data key, and then encrypting the data key under another key.
1) also doesn’t look right
3) and 4) are obviously not the answer
You would like to ensure data is encrypted client side before being sent to Kinesis. What should you use?
1) The client side encryption option of AWS SDK
2) Client side encryption of the KPL library
3) Client side encryption of the KCL library
4) You must create custom code
4) You would have to take care of encryption and decryption yourself. Kinesis base64-encodes your payload, so binary encrypted data should be fine.
1) not clear at all
2) KPL takes care of lots of things for us, but how is the data decrypted by the consumer?
3) is obviously not the answer
What do you need to attach to an IoT rule’s engine action to ensure it’s capable of sending data directly into Kinesis?
1) An IAM user
2) An IoT policy
3) An IAM group
4) An IAM role
4) An IAM role
Which of the following statements is wrong?
1) DynamoDB Streams cannot be encrypted
2) DynamoDB security is done through IAM
3) Users must be created within DynamoDB
4) DynamoDB supports only table creation, not database creation
3) All DynamoDB security is managed through IAM; we don’t need to create users within DynamoDB (unlike RDS)
Fact: DynamoDB Streams cannot be encrypted
Which of the following services is accessed through a VPC Endpoint of type Interface?
1) Kinesis
2) DynamoDB
3) S3
1) Kinesis uses an Interface endpoint
S3 and DynamoDB can be accessed via a Gateway endpoint
What security mechanism does not exist for RDS?
1) KMS at rest encryption
2) CloudHSM at rest encryption
3) SSL encryption
4) Transparent Data Encryption
2) CloudHSM at rest encryption
Transparent Data Encryption (TDE) - Amazon RDS supports using TDE to encrypt stored data on your DB instances running Microsoft SQL Server. TDE automatically encrypts data before it is written to storage, and automatically decrypts data when the data is read from storage.
You would like to deploy a Lambda function to privately access your RDS database. Under the default options, your Lambda function cannot reach your RDS database due to a network issue. How can you resolve it?
1) Encrypt the database password with KMS
2) Deploy your Lambda function in your VPC
3) Increase the Lambda timeout
4) Attach a VPC endpoint to RDS
2) Deploy your Lambda function in your VPC
Lambda has improved VPC networking capabilities
The question already said it is a network issue, so only 2) and 4) are possible answers
Which statement about EMR security is incorrect?
1) You can ssh into your cluster nodes
2) EMRFS supports S3 encryption
3) Apache Ranger is packaged with EMR
4) EMR supports LUKS encryption
5) EMR supports Kerberos
6) There are 2 security groups assigned between your different cluster nodes
3) If you choose to use Ranger, it must be installed externally from your EMR cluster. Recommended read: https://aws.amazon.com/blogs/big-data/best-practices-for-securing-amazon-emr/
Others I just have to memorize
Which of the following login methods is not supported by Kibana?
1) Using an IAM user
2) Using Cognito
3) Using an email/password combo
3) ? Not sure why
Which at rest encryption is not supported by Redshift?
1) KMS
2) CloudHSM
3) External HSM
4) LUKS
4) LUKS
EMR supports LUKS but Redshift doesn’t?
Which of the following services supports resource-based policies?
1) Kinesis Data Stream
2) Kinesis Firehose
3) Kinesis Analytics
4) Elasticsearch
5) Lake Formation
6) CloudWatch
4) Elasticsearch supports resource-based policies
Resource-based policies are attached to a resource.