Module 9: Securing application, user and data access

Question 1

Why is it difficult to manage users when assigning individual rights ?

Answer 1

Each change, team growth, new access, policy… needs to be manually updated by an admin.

Question 2

What mechanism makes it easier to manage users?

Answer 2

Create groups based on job function.The policy is attached to the group not the user

Question 3

Can a user belong to multiple groups ?

Answer 3

Yes

Question 4

Can a group belong to another group ?

Answer 4

No

Question 5

How can group be granted permissions ?

Answer 5

By using access control policies

Question 6

Groups do not have security credentials and cannot access web services directly. They exist solely to make it easier to manage user permissions.
TRUE or FALSE ?

Answer 6

TRUE

Question 7

What take precedence if two rules conflict ?

Answer 7

The most restrictive rule takes precedence

Question 8

What does it mean if i see the term RBAC in the context of managing permissions ?

Answer 8

Role-Based Access Control

Question 9

What is the role based access control?

Answer 9

Create a policy and attach it to an entity (user group or role). Traditionally permissions are defined based on job function.

Question 10

What does it mean if I see ABAC in the context of managing permissions

Answer 10

Attribute Based permissions

Question 11

What are attribute based permissions ?

Answer 11

Permissions based on attributes (key-value paris called tags).
More flexible than policies, allows to manage granular permissions, highly scalable and fully auditable.

Question 12

What is the pre-requisite of a clean ABAC ?

Answer 12

Correct Tagging

Question 13

What is an identity federation ?

Answer 13

An agreement between a Service provider and an identity provider. (Like connect with facebook, or connect with apple)
IdP is identity provider, SP is the service provider.

Question 14

What are AWS service supporting identity federation

Answer 14

AWS IAM
Aws IAM Identity center
AWS Security Token Services
Amazon Cognito

Question 15

What is IAM Identity center ?

Answer 15

A service to create or connect identities and manage access centrally

Question 16

What is AWS Security Token Service?

Answer 16

It’s a web service to request temporary limited priviledge credentials. Can be used by users or applications

Question 17

What is AWS Organizations?

Answer 17

A service that helps you centrally manage and govern multiple AWS accounts.

Question 18

What is a Service Control Policy (SCP)?

Answer 18

SCPs allow administrators to control permissions for accounts in an AWS Organization, applying restrictions across accounts.

Question 19

How can AWS SSO simplify access management across multiple accounts?

Answer 19

WS SSO (Single Sign-On) enables users to log in once and gain access to all assigned accounts and applications without needing multiple credentials.

Question 20

What is a primary advantage of using AWS Control Tower?

Answer 20

It automates the setup of a multi-account environment following AWS best practices.

Question 21

How does IAM role switching work in a multi-account setup?

Answer 21

Users in one AWS account assume a role in another account to gain temporary, limited access without creating additional IAM users.

Question 22

What is the purpose of tagging AWS resources across accounts?

Answer 22

ags help track resource usage, apply policies, and simplify management across accounts

Question 23

Why is it important to use separate accounts for different environments (e.g., dev, test, prod)?

Answer 23

To enforce isolation and reduce the risk of unintended impacts across environments

Question 24

What feature of AWS Organizations ensures billing is centralized?

Answer 24

Consolidated billing aggregates costs across accounts, simplifying billing and enabling volume discounts.

Question 25

Can SCPs grant permissions?

Answer 25

No, SCPs only restrict permissions; they cannot grant permissions beyond what IAM allows.

Question 26

What is the benefit of enabling AWS CloudTrail across all accounts?

Answer 26

Ensures centralized logging of API activities for security and compliance monitoring.

Question 27

What service can be used to manage encryption keys in AWS?

Answer 27

AWS Key Management Service (KMS).

Question 28

What is server-side encryption (SSE)?

Answer 28

Encryption that AWS performs on your behalf when storing data in services like S3, RDS, or EBS.

Question 29

What is the difference between SSE-S3, SSE-KMS, and SSE-C?

Answer 29

SSE-S3: Managed by AWS with default keys.
SSE-KMS: Uses customer-managed keys via AWS KMS.
SSE-C: Customer provides and manages encryption keys.

Question 30

How does client-side encryption differ from server-side encryption?

Answer 30

Data is encrypted by the client before being sent to AWS, ensuring AWS only stores encrypted data.

Question 31

What is an AWS CMK?

Answer 31

Customer Master Key used in KMS to encrypt and decrypt data securely.

Question 32

How can you ensure encryption at rest for S3 objects?

Answer 32

By enabling default encryption at the bucket level or applying encryption settings to individual objects.

Question 33

What AWS service automatically encrypts data stored in a database?

Answer 33

Amazon RDS can automatically encrypt databases using KMS keys.

Question 34

How is EBS volume encryption enabled?

Answer 34

By enabling encryption when creating a volume or enforcing it using an account-level default.

Question 35

What is envelope encryption?

Answer 35

Encrypting data keys with a master key (like KMS CMK), which in turn encrypts the actual data.

Question 36

Can you encrypt data in transit and at rest simultaneously?

Answer 36

Yes, by using TLS for in-transit encryption and KMS or server-side encryption for data at rest.

Question 37

What is the purpose of AWS Identity and Access Management (IAM)?

Answer 37

To control access to AWS resources securely by defining policies and roles.

Question 38

What does Amazon Cognito provide for application developers?

Answer 38

User authentication, authorization, and user pool management for web and mobile apps.

Question 39

What is AWS WAF and its use case?

Answer 39

AWS Web Application Firewall protects web applications from common exploits like SQL injection and cross-site scripting.

Question 40

How does AWS Shield enhance security?

Answer 40

AWS Shield provides DDoS protection for applications running on AWS.

Question 41

What does AWS Secrets Manager manage?

Answer 41

Storage, retrieval, and rotation of sensitive information like database credentials and API keys.

Question 42

What is the use of AWS Certificate Manager (ACM)?

Answer 42

Simplifies provisioning, managing, and deploying SSL/TLS certificates for secure communications.

Question 43

How does Amazon Macie protect sensitive data?

Answer 43

By using machine learning to discover, classify, and protect sensitive data like PII stored in S3.

Question 44

What is AWS Config used for in security?

Answer 44

Ensures resource configurations comply with governance and compliance rules

Question 45

How does AWS CloudTrail improve application security?

Answer 45

By logging all API requests, enabling audit trails for activity analysis.

Question 46

What AWS service can manage permissions boundaries?

Answer 46

IAM allows setting permissions boundaries to restrict the maximum permissions a role or user can have.