Lecture 14: Secuirty and Compliance

Question 1

The security of the cloud and protecting the infrastructure that runs all the AWS services and your responsible for everything you do in the cloud

Answer 1

AWS responsibility is what?

Question 2

It’s when your server is overload with a lot of bots sending request to your server to shut down your service

Answer 2

What is a DDOS attack (distributed denial of service)

Question 3

____________ protects against DDOS attack for your website and applications, for all customers at no additional costs

Answer 3

AWS shield standard

Question 4

____________ is a 24/7 premium DDOS protection

Answer 4

AWS shield advanced

Question 5

_________ filter specific request based on rules

Answer 5

AWS WAF

Question 6

__________ available protection using global edge network and combined with AWS shriek, provides attack mitigation at the edge

Answer 6

Cloudfront and Route 53

Question 7

AWS Auto scaling

Answer 7

If your scaling and under a DDOS attack then can use __________

Question 8

_________ is a free service that is activated for every AWS customer and provides protection from attack such as SYN/UDP floods, reflection attacks and other layer 3/ layer 4 attack

Answer 8

AWS shield standard (activated by default for every customer)

Question 9

_________ optional DDOS mitigation service (3k per month per organization) and it protects against more sophisticated attacks on other AWS services and it has 24/7 access to AWS DDOD response team

Answer 9

AWS shield Advanced

Question 10

____________ protects your web applications from common web exploits (layer 7) and layer 7 is HTTP

Answer 10

AWS WAF (Web application firewall)

Question 11

Application load balancer, API gateway, and cloudfront

Answer 11

With AWS WAF you can deploy on ___________________

Question 12

Web ACL (web access control list) such as :
1. Rules can include IP address, HTTP headers, HTTP body, or URI strings

2. Protects from common attack-SQL injection and cross site scripting (XSS)
3. Size constraints, geo-match (block countries)
4. Rate based rules (to count occurrences of events) for DDOS protection

Answer 12

With WAF you can define what?

Question 13

How would you protect your VPC entirely?

Answer 13

Using a AWS network firewall

Question 14

_________ manage security rules in all accounts of an AWS organization

Answer 14

AWS Firewall Manager

Question 15

What are the common set of security rules made with AWS firewall manager?

Answer 15

• VPC Security groups for EC2, applications load balancer, etc
• WAF rules
• AWA Shield advance

Question 16

new resources

Answer 16

With AWS Firewall Manager, rules are applied to __________ as they are created across all and future accounts in your organization

Question 17

With __________ AWS customers are welcomed to carry out security assessments or ____________ against their AWS infrastructure without prior approval for 8 services

Answer 17

Penetration testing

Question 18

Prohibited activities (anything that looks like an attack)

Answer 18

With penetration testing you can’t do what _______________

Question 19

What does data at rest mean?

Answer 19

At rest data is stored or Archie bed on a device (like on a hard disk, etc)

Question 20

What does data in transit mean?

Answer 20

Data being moved from one location to another (transfer from on premises to AWS, EC2, DynamoDB, etc. (the data is transferred on the network)

Question 21

Encryption keys

Answer 21

By using _____________ you can encrypt both data at rest and transit data

Question 22

Anytime you hear encryption for an AWS service it’s most likely _______

Answer 22

KMS

Question 23

What is KMS?

Answer 23

AWS manages the encryption keys for you

Question 24

With ________ AWS provisions the hardware security module but you manage the encryption keys yourself

Answer 24

CloudHSM (Hardware security module)

Question 25

1. Customer managed keys
2. AWS managed key (AWS/ -if you see tht)
3. AWS owned keys
4. CloudHSM keys

Answer 25

What are the types of KMS keys?

Question 26

__________ let’s you easily provision,manage, and deploy SSL/TLS certificates and is used to provide in flight encryption for websites (HTTPS)

Answer 26

AWS certificate manager (ACM)

Question 27

__________ is meant to store secrets and has the capability to force rotation of secrets every X days and has an integration with AMAZON RDS

Answer 27

AWS secret Manager

Question 28

________ is a portal that provides customers with on demand access to AWS compliances documentation and AWS agreements and can be used to support internal audit or compliance

Answer 28

AWS artifact

Question 29

___________ helps you do intelligent threat discovery to protected your AWS account and it does it my using machine learning algorithms, anomaly detection and 3rd party

Answer 29

Amazon GaurdDuty

Question 30

• CloudTrail event logs
• VPC flow logs
• DNS Logs
• Optional features

Answer 30

What are the different input data the Amazon gaurduty looks at?

Question 31

Can also setup _______ with Amazon gaurduty to be notified in case of findings

Answer 31

EventBridge rules (can target AWS lambda or SNS)

Question 32

Amazon GuardDuty can protect against _______________ attacks (has a dedicated “finding” for it)

Answer 32

CryptoCurrency attacks

Question 33

__________ is a service that allows you to run automated servility assessments

Answer 33

Amazon inspector

Question 34

• Leverges the AWS system manager (SSM) agent
• Analyze against unintended network accessibility
• Analyze the running OS against known vulnerabilities

Answer 34

With EC2 instance what does Amazon inspector do?

Question 35

Lambda functions and for container images push to Amazon ECR

Answer 35

Amazon inspector is also use for what?

Question 36

Only EC2 instances, container images & lambda functions

Answer 36

What does Amazon inspector evaluate?

Question 37

________ helps with auditing and recording compliance of your AWS resources and helps record configurations and changes overtime

Answer 37

AWS config

Question 38

_________ is a fully managed data security and data privacy service that uses machine learning and pattern matching to discover and protect your sensitive data in AWS

Answer 38

Amazon Maice

Question 39

Macie helps identify and alert you to sensitive information data, such as ______________

Answer 39

Personally identifiable information (PII)

Question 40

__________ is a central security tool to manage security across several AWS accounts and automate security checks

Answer 40

AWS security Hub

Question 41

_________ analyze, investigates, and quickly identifies the root cause of security issues or suspicious activities (using ML and graphs)

Answer 41

Amazon Detective

Question 42

automatically collects and processes events

Answer 42

Amazon Detective also _____________ from VPC flow logs, CloudTrail, guarduty, and create a unified view

Question 43

_________ is when you report suspected AWS resources are being used for abusive or illegal purposes

Answer 43

AWS abuse

Question 44

1. Spam
2. Port scanning
3. DDOs attacks
4. Intrusion attempts
5. Hosting objectionable or copyrighted content
6. Distributing malware

Answer 44

What are some abusive & prohibited behaviors?

Question 45

What is a root user?

Answer 45

The account owner (created when the account is created), has complete access to all AWS services)

Question 46

What must you do with your root user account?

Answer 46

Lock away your root user access keys

Question 47

1. Change account settings
2. Close your AWS account
3. Change or cancel your AWS support plan
4. Register as a seller in the reserved instance marketplace

Answer 47

What actions can be performed only by the root user?

Question 48

____________ used to find out which resources are shared externally (like S3 buckets, IAM roles, KMS keys, etc)

Answer 48

IAM access analyzer

Question 49

With IAM access analyzer, you have to define ____________ which corresponds to your AWS account or organization, and anything outside of it is considered your findings

Answer 49

Zone of trust

Question 50

____________ is a security service that uses machine learning to automatically discover, classify, and protect sensitive data in AWS, such as personally identifiable information (PII) or intellectual property.

Answer 50

Amazon Macie

Question 51

___________ is your go-to, central resource for compliance-related information that matters to you.

Answer 51

AWS Artifact

Question 52

Penetration Testing is allowed without prior approval on ___________. DDoS, port flooding and protocol flooding are examples of prohibited activities.

Answer 52

8 services

Question 53

___________ is a service that lets you easily provision, manage, and deploy public and private Secure Sockets Layer/Transport Layer Security (SSL/ TLS) certificates for use with AWS services and your internal connected resources.

Answer 53

AWS Certificate Manager

Question 54

infrastructure, OS and applications

Answer 54

AWS is responsible for patching and fixing flaws within the __________, but customers are responsible for patching their guest ____________. Shared Controls also includes Configuration Management, and Awareness and Training.

Question 55

___________ is an automated security assessment service that helps improve the security and compliance of applications deployed on AWS. It helps you test the network accessibility of your Amazon EC2 instances and the security state of your applications running on the instances.

Answer 55

Amazon Inspector

Question 56

hardware

Answer 56

AWS is responsible for protecting __________. AWS is responsible for “Security OF the Cloud”. AWS is also responsible for the infrastructure that runs all services in the AWS Cloud, etc.

Question 57

continuously monitors

Answer 57

Amazon GuardDuty is a threat detection service that _____________ for malicious activity and unauthorized behavior to protect your AWS accounts and workloads.