Other Security Aspects Flashcards

To fill gaps between the ACG training and new exam topics that have come up.

1
Q

Are security groups stateful, or stateless?

A

Stateful.

2
Q

What do stateful and stateless mean when it comes to filtering network traffic?

A

Stateful means the filter tracks connections: if an inbound request is allowed by a rule, the response is allowed back out automatically, and likewise responses to allowed outbound requests are allowed back in, regardless of the rules for the other direction. Security groups are stateful.
Stateless means nothing is tracked: every packet is evaluated on its own, so responses must be explicitly allowed by rules in the other direction, including the ephemeral port range the client used. Network ACLs are stateless.
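The difference is easiest to see by modelling both kinds of filter. The Python below is an added example, not part of the original flashcards: it implements a stateless filter (network ACL style, each packet judged by the rules alone, first match wins, implicit deny) and a stateful one (security group style, allowed flows are remembered and their replies pass without a rule), then runs one SSH exchange through each. The addresses, ports and rules are constructed for the example.

```python
"""Added example, not part of the original flashcards: a toy model of a
stateless filter (network ACL style) and a stateful one (security group
style), run over one SSH exchange. Addresses, ports and rules are constructed."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network


@dataclass(frozen=True)
class Packet:
    direction: str      # "in" = towards the instance, "out" = leaving it
    proto: str
    src: str
    sport: int
    dst: str
    dport: int


@dataclass(frozen=True)
class Rule:
    direction: str
    proto: str
    port_from: int
    port_to: int
    cidr: str           # remote address range: source for "in", destination for "out"
    action: str = "allow"


def rule_matches(rule, pkt):
    """A rule applies to packets in its direction whose remote address falls in
    the rule's CIDR and whose destination port falls in the rule's range."""
    if rule.direction != pkt.direction or rule.proto != pkt.proto:
        return False
    remote = pkt.src if pkt.direction == "in" else pkt.dst
    return (rule.port_from <= pkt.dport <= rule.port_to
            and ip_address(remote) in ip_network(rule.cidr))


class StatelessFilter:
    """Network-ACL style: each packet is judged on its own. Rules are checked
    in list order (the NACL rule number), first match wins, no match = deny."""
    def __init__(self, rules):
        self.rules = list(rules)

    def allows(self, pkt):
        for rule in self.rules:
            if rule_matches(rule, pkt):
                return rule.action == "allow"
        return False


class StatefulFilter(StatelessFilter):
    """Security-group style: an allowed packet registers its flow, and any
    packet travelling the other way on that flow passes without a rule."""
    def __init__(self, rules):
        super().__init__(rules)
        self.flows = set()

    def allows(self, pkt):
        reply_of = (pkt.proto, pkt.dst, pkt.dport, pkt.src, pkt.sport)
        if reply_of in self.flows:
            return True
        if super().allows(pkt):
            self.flows.add((pkt.proto, pkt.src, pkt.sport, pkt.dst, pkt.dport))
            return True
        return False


# Constructed addresses (documentation ranges) and rules for the demo.
INSTANCE = "10.0.1.10"
CLIENT = "203.0.113.5"
SSH_IN = Rule("in", "tcp", 22, 22, "203.0.113.0/24")
EPHEMERAL_OUT = Rule("out", "tcp", 1024, 65535, "0.0.0.0/0")


def ssh_exchange(filt):
    """Push a client's SYN to port 22 and the instance's reply through `filt`;
    return (request_allowed, reply_allowed)."""
    request = Packet("in", "tcp", CLIENT, 51000, INSTANCE, 22)
    reply = Packet("out", "tcp", INSTANCE, 22, CLIENT, 51000)
    return filt.allows(request), filt.allows(reply)


def demo():
    return {
        "security_group": ssh_exchange(StatefulFilter([SSH_IN])),
        "nacl_without_ephemeral_rule": ssh_exchange(StatelessFilter([SSH_IN])),
        "nacl_with_ephemeral_rule": ssh_exchange(StatelessFilter([SSH_IN, EPHEMERAL_OUT])),
    }


if __name__ == "__main__":
    for name, (req, rep) in demo().items():
        print(f"{name:30} request={'allow' if req else 'deny'} reply={'allow' if rep else 'deny'}")
```

With only the inbound port 22 rule, the stateful filter lets the reply out because it remembers the flow, while the stateless filter drops it; the third case adds the outbound rule for ports 1024-65535 that a NACL in front of any server needs, and forgetting that rule is the classic stateless mistake.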

3
Q

If you have a security group that allows traffic in on a given port from a source of 0.0.0.0/0, who has access to the instance?

A

Everyone. 0.0.0.0/0 is the IPv4 CIDR that matches every address (::/0 is the IPv6 equivalent).

4
Q

You create a bastion host so that SSH to your instances is only allowed from there. If you examine your logs and find SSH sessions from IP addresses that are not the bastion host, what could be the problem?

A

Check the instances' security groups: the SSH (TCP 22) ingress rule should name the bastion's security group (or its IP) as the source, not 0.0.0.0/0 or another overly broad CIDR. A rule open to 0.0.0.0/0 lets anyone bypass the bastion.
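A way to catch this with a script rather than by eye, as an added example that is not part of the original flashcards: it walks security groups in the shape returned by `aws ec2 describe-security-groups` and flags any SSH ingress whose source is not the bastion's security group, treating 0.0.0.0/0 and ::/0 as critical. The group IDs, CIDRs and the BASTION_SG value are constructed for the example.

```python
"""Added example, not part of the original flashcards: audit security-group
ingress for SSH access that bypasses the bastion. Input has the shape of
`aws ec2 describe-security-groups` output; all IDs and CIDRs are constructed."""
import json

SSH_PORT = 22
BASTION_SG = "sg-0000000000000b01"   # constructed bastion security group ID


def permission_covers_port(perm, port):
    """True if an IpPermission entry applies to TCP traffic on `port`.
    IpProtocol "-1" means all protocols and ports and has no FromPort/ToPort."""
    proto = perm.get("IpProtocol")
    if proto == "-1":
        return True
    if proto != "tcp":
        return False
    return perm.get("FromPort", 0) <= port <= perm.get("ToPort", 65535)


def find_ssh_exposures(groups, bastion_sg_id):
    """Return (group id, source, severity) for every SSH ingress source other
    than the bastion's security group. The bastion's own group is skipped,
    since it legitimately accepts SSH from outside."""
    findings = []
    for sg in groups:
        if sg["GroupId"] == bastion_sg_id:
            continue
        for perm in sg.get("IpPermissions", []):
            if not permission_covers_port(perm, SSH_PORT):
                continue
            for r in perm.get("IpRanges", []):
                cidr = r["CidrIp"]
                findings.append((sg["GroupId"], cidr,
                                 "critical" if cidr == "0.0.0.0/0" else "review"))
            for r in perm.get("Ipv6Ranges", []):
                cidr = r["CidrIpv6"]
                findings.append((sg["GroupId"], cidr,
                                 "critical" if cidr == "::/0" else "review"))
            for pair in perm.get("UserIdGroupPairs", []):
                if pair["GroupId"] != bastion_sg_id:
                    findings.append((sg["GroupId"], pair["GroupId"], "review"))
    return findings


# Constructed sample in describe-security-groups format (not a real account).
SAMPLE = json.loads("""
{"SecurityGroups": [
  {"GroupId": "sg-0000000000000b01", "GroupName": "bastion",
   "IpPermissions": [{"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
     "IpRanges": [{"CidrIp": "198.51.100.0/24"}], "Ipv6Ranges": [], "UserIdGroupPairs": []}]},
  {"GroupId": "sg-0000000000000a02", "GroupName": "app-good",
   "IpPermissions": [{"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
     "IpRanges": [], "Ipv6Ranges": [],
     "UserIdGroupPairs": [{"GroupId": "sg-0000000000000b01", "UserId": "123456789012"}]}]},
  {"GroupId": "sg-0000000000000a03", "GroupName": "app-leaky",
   "IpPermissions": [
     {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
      "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": [], "UserIdGroupPairs": []},
     {"IpProtocol": "-1",
      "IpRanges": [], "Ipv6Ranges": [{"CidrIpv6": "::/0"}], "UserIdGroupPairs": []}]}
]}
""")


def audit():
    return find_ssh_exposures(SAMPLE["SecurityGroups"], BASTION_SG)


if __name__ == "__main__":
    for group, source, severity in audit():
        print(f"{severity:8} {group} allows SSH from {source}")
```

To run it against a real account, save the output of `aws ec2 describe-security-groups` to a file, `json.load` it and pass the SecurityGroups list plus your bastion's group ID to find_ssh_exposures. The "all traffic" permission (IpProtocol "-1") also exposes port 22, which is why the check does not look only at rules with FromPort 22.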

5
Q

You need to review your CloudTrail logs for unauthorized API calls. You notice that there is an enormous volume of logs to review. Which AWS service should you use to query the logs and find what you need?

A

Amazon Athena. CloudTrail delivers its logs to S3, and Athena runs SQL queries directly against them (for example filtering on errorCode values such as AccessDenied or UnauthorizedOperation) without loading them anywhere else.
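What such a query looks like, as an added example not taken from the original flashcards: CloudTrail writes JSON files with a top-level Records array; the Athena SQL in ATHENA_QUERY aggregates denied calls per principal (the table name cloudtrail_logs is an assumption; the columns are those of the standard CloudTrail table definition), and the Python applies the same filter to a constructed sample of records so it runs offline. The ARNs, IP addresses and timestamps in the sample are made up.

```python
"""Added example, not part of the original flashcards: find unauthorized API
calls in CloudTrail records, in Athena SQL (assumed table cloudtrail_logs)
and in Python over a constructed sample of records."""
import json
from collections import Counter

# CloudTrail error codes that mark a denied call. EC2 prefixes its code with
# "Client."; most other services report plain "AccessDenied".
DENIED_CODES = {"AccessDenied", "UnauthorizedOperation", "Client.UnauthorizedOperation"}

# Equivalent Athena SQL. Table name is an assumption; column names follow the
# standard CloudTrail table (useridentity is a struct).
ATHENA_QUERY = """
SELECT useridentity.arn, eventsource, eventname, errorcode, count(*) AS attempts
FROM cloudtrail_logs
WHERE errorcode IN ('AccessDenied', 'UnauthorizedOperation', 'Client.UnauthorizedOperation')
GROUP BY useridentity.arn, eventsource, eventname, errorcode
ORDER BY attempts DESC
"""

# Constructed records in CloudTrail's file format (not real log data).
SAMPLE_LOG = json.loads("""
{"Records": [
 {"eventTime": "2024-01-15T10:01:12Z", "eventSource": "ec2.amazonaws.com", "eventName": "RunInstances",
  "errorCode": "Client.UnauthorizedOperation",
  "userIdentity": {"type": "IAMUser", "arn": "arn:aws:iam::123456789012:user/dev-bob"},
  "sourceIPAddress": "198.51.100.23", "awsRegion": "us-east-1"},
 {"eventTime": "2024-01-15T10:01:15Z", "eventSource": "s3.amazonaws.com", "eventName": "GetObject",
  "errorCode": "AccessDenied",
  "userIdentity": {"type": "IAMUser", "arn": "arn:aws:iam::123456789012:user/dev-bob"},
  "sourceIPAddress": "198.51.100.23", "awsRegion": "us-east-1"},
 {"eventTime": "2024-01-15T10:02:00Z", "eventSource": "s3.amazonaws.com", "eventName": "GetObject",
  "errorCode": "AccessDenied",
  "userIdentity": {"type": "IAMUser", "arn": "arn:aws:iam::123456789012:user/dev-bob"},
  "sourceIPAddress": "198.51.100.23", "awsRegion": "us-east-1"},
 {"eventTime": "2024-01-15T10:03:40Z", "eventSource": "iam.amazonaws.com", "eventName": "ListUsers",
  "userIdentity": {"type": "AssumedRole", "arn": "arn:aws:sts::123456789012:assumed-role/Admin/alice"},
  "sourceIPAddress": "203.0.113.9", "awsRegion": "us-east-1"},
 {"eventTime": "2024-01-15T10:04:02Z", "eventSource": "sts.amazonaws.com", "eventName": "AssumeRole",
  "errorCode": "AccessDenied",
  "userIdentity": {"type": "IAMUser", "arn": "arn:aws:iam::123456789012:user/ci-runner"},
  "sourceIPAddress": "192.0.2.77", "awsRegion": "us-east-1"}
]}
""")


def denied_calls(records):
    """Keep only the records whose errorCode marks a denied API call."""
    return [r for r in records if r.get("errorCode") in DENIED_CODES]


def summarize(records):
    """Count denied calls per (principal ARN, event source, event name),
    most frequent first: the same aggregation the Athena query performs."""
    counts = Counter(
        (r["userIdentity"].get("arn", "<unknown>"), r["eventSource"], r["eventName"])
        for r in denied_calls(records)
    )
    return sorted(counts.items(), key=lambda kv: (-kv[1], kv[0]))


def noisy_principals(records, threshold=2):
    """Principals with at least `threshold` denied calls: a leaked key being
    probed or a role missing permissions, either way worth a look."""
    per_arn = Counter(r["userIdentity"].get("arn", "<unknown>") for r in denied_calls(records))
    return {arn: n for arn, n in per_arn.items() if n >= threshold}


if __name__ == "__main__":
    for (arn, source, name), n in summarize(SAMPLE_LOG["Records"]):
        print(f"{n:>3}  {arn}  {source}  {name}")
    print("investigate:", noisy_principals(SAMPLE_LOG["Records"]))
```

A burst of AccessDenied from one principal across several services, as dev-bob shows in the sample, is the pattern to look for: it usually means credentials being tried against things they were never meant to reach.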

6
Q

What is AWS Artifact?

A

It provides on-demand downloads of AWS security and compliance documents, such as AWS ISO certifications, PCI, and SOC reports.

7
Q

Can you use AWS Artifact to provide security and compliance documents to your auditors and regulators to demonstrate the security and compliance of the AWS infrastructure you use?

A

Yes, in the sense that you download AWS's own audit reports from Artifact and submit them to your auditors yourself. Artifact does not host uploads of your documents; besides reports, it also lets you review and accept agreements with AWS (such as the Business Associate Addendum).

8
Q

True or False: You should let SysOps exam questions about security compliance confuse you with red herrings that mix up AWS Artifact, Trusted Advisor and Inspector?

A

False. Know the differences: Artifact gives you AWS's own compliance reports and agreements; Trusted Advisor checks your account against best practices (cost, performance, security, fault tolerance, service limits); Inspector runs automated vulnerability assessments against your EC2 instances.

9
Q

True or false: AWS Artifact provides audit reports about your own AWS infrastructure?

A

False. Artifact provides AWS's own compliance reports, which cover the AWS infrastructure rather than your workloads; you download them and pass them on to your auditors and regulators.

10
Q

True or false: AWS Artifact is more than just a place to download AWS compliance documentation and accept AWS agreements?

A

False: that is all it does. Don't confuse it with assessment services such as Trusted Advisor or Inspector.

11
Q

True or False: CloudHSM is a single tenancy service?

A

True: each HSM is dedicated hardware used only by your AWS account.

12
Q

Is KMS single or multi tenancy?

A

KMS is a multi-tenancy shared service.

13
Q

True or False: With CloudHSM, you are responsible for scaling and availability, patching, etc.

A

Mostly false. AWS manages the HSM hardware, firmware patching, backups and the synchronisation of keys across the HSMs in a cluster, but you decide how many HSMs the cluster has (at least two in different Availability Zones for high availability) and you manage the users and keys inside it.

14
Q

Who has key control in CloudHSM, you or AWS?

A

You. AWS manages the appliance but has no access to the keys inside it.

15
Q

Who has key control in KMS, you or AWS?

A

Shared. AWS operates the HSMs that hold the key material, while you control the key through its key policy and IAM (who may use it, rotation, enabling and disabling it). You can also import your own key material.

16
Q

True or False: If your organization requires asymmetric keys, you should use KMS?

A

At the time this deck was written, false: KMS only offered symmetric keys, so asymmetric keys meant CloudHSM. KMS has since added asymmetric RSA and elliptic-curve keys for signing and encryption, so today CloudHSM is only required when you need full key control or a dedicated HSM.

17
Q

If you need a managed key service that is FIPS 140-2 Level 3 validated overall, would you need CloudHSM or KMS?

A

CloudHSM. (KMS's own validation has been updated since this deck was written; check the current KMS compliance page, card 30, before relying on this.)

18
Q

If you need a managed key service that is Common Criteria EAL4 compliant, would you need CloudHSM or KMS?

A

CloudHSM

19
Q

True or False: If you just need an inexpensive, well-guarded managed key service, you should choose KMS?

A

True

20
Q

True or False: If your organization requires the highest level of compliance for managed keys (dedicated, single-tenant HSMs), you should choose CloudHSM?

A

True

21
Q

True or false: unencrypted s3 buckets can be encrypted in place?

A

True: you can enable default encryption on the existing bucket and do not need to create a new bucket and migrate. Caveat: default encryption only applies to objects written after it is enabled; objects already in the bucket stay unencrypted until you rewrite them (for example by copying each object onto itself with server-side encryption requested).

22
Q

Your application currently stores data in an unencrypted DynamoDB cluster. Management is now requiring all data to be encrypted at rest. How can you achieve this?

A

When this deck was written DynamoDB had no in-place option, so the answer was to create a new encrypted table and migrate the data. DynamoDB encryption at rest is now enabled on every table by default and cannot be turned off; you can switch an existing table between an AWS owned key, the AWS managed key and a customer managed KMS key in place.

23
Q

Your application currently stores data in an unencrypted RDS cluster. Management is now requiring all data to be encrypted at rest. How can you achieve this?

A

Create a new encrypted instance and migrate to it. You cannot turn encryption on for an existing unencrypted instance; the usual path is to take a snapshot, copy the snapshot with encryption enabled, and restore a new instance from the encrypted copy.

24
Q

Your EC2 instance has a mounted EFS that is not encrypted. With the new encryption at rest policy, how can you achieve EFS encryption?

A

Create a new EFS file system with encryption at rest enabled and copy the data across (for example with AWS DataSync, or rsync from an instance that mounts both); encryption cannot be enabled on an existing file system.

25
Q

Your EC2 instance has a mounted EBS that is not encrypted. With the new encryption at rest policy, how can you achieve EBS encryption?

A

Create a new encrypted volume and migrate the data: snapshot the unencrypted volume, copy the snapshot with encryption enabled, create a volume from the encrypted snapshot, then stop the instance, detach the old volume and attach the new one at the same device name. You can also enable EBS encryption by default for the region so that new volumes are encrypted automatically.
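The EBS migration spelled out as an added example (not from the original flashcards); the same snapshot, copy, restore shape applies to RDS. It calls boto3 EC2 client methods and waiters under their real names, but takes the client as a parameter so the sequence can be exercised with the recording fake included in the block; the instance ID, volume ID and device name are constructed for the example. Run as a script it drives the fake; pass `boto3.client("ec2")` to run it for real.

```python
"""Added example, not part of the original flashcards: replace an unencrypted
EBS volume with an encrypted copy (snapshot -> encrypted snapshot copy ->
new volume -> swap). The EC2 client is passed in so the flow can run against
the recording fake below; IDs and the device name are constructed."""


def encrypt_volume(ec2, instance_id, volume_id, device, kms_key_id=None):
    """Swap `volume_id` (attached to `instance_id` at `device`) for an
    encrypted copy and return the new volume ID. The old volume and both
    snapshots are left in place for the caller to verify and delete."""
    az = ec2.describe_volumes(VolumeIds=[volume_id])["Volumes"][0]["AvailabilityZone"]

    # Stop the instance first so the snapshot is consistent.
    ec2.stop_instances(InstanceIds=[instance_id])
    ec2.get_waiter("instance_stopped").wait(InstanceIds=[instance_id])

    # 1. Snapshot the unencrypted volume.
    snap = ec2.create_snapshot(VolumeId=volume_id,
                               Description=f"unencrypted source {volume_id}")["SnapshotId"]
    ec2.get_waiter("snapshot_completed").wait(SnapshotIds=[snap])

    # 2. Copy it with encryption on; the copy is the step that adds encryption.
    #    Without KmsKeyId the account's default EBS key (aws/ebs) is used.
    copy_args = {"SourceSnapshotId": snap, "SourceRegion": ec2.meta.region_name,
                 "Encrypted": True, "Description": f"encrypted copy of {snap}"}
    if kms_key_id:
        copy_args["KmsKeyId"] = kms_key_id
    enc_snap = ec2.copy_snapshot(**copy_args)["SnapshotId"]
    ec2.get_waiter("snapshot_completed").wait(SnapshotIds=[enc_snap])

    # 3. Build the replacement volume in the instance's AZ.
    new_vol = ec2.create_volume(SnapshotId=enc_snap, AvailabilityZone=az,
                                VolumeType="gp3")["VolumeId"]
    ec2.get_waiter("volume_available").wait(VolumeIds=[new_vol])

    # 4. Swap the volumes at the same device name and restart.
    ec2.detach_volume(VolumeId=volume_id, InstanceId=instance_id)
    ec2.get_waiter("volume_available").wait(VolumeIds=[volume_id])
    ec2.attach_volume(VolumeId=new_vol, InstanceId=instance_id, Device=device)
    ec2.get_waiter("volume_in_use").wait(VolumeIds=[new_vol])
    ec2.start_instances(InstanceIds=[instance_id])

    # Check the result before anyone deletes the originals.
    if not ec2.describe_volumes(VolumeIds=[new_vol])["Volumes"][0]["Encrypted"]:
        raise RuntimeError(f"{new_vol} is not reported as encrypted")
    return new_vol


class FakeEC2:
    """Stand-in for a boto3 EC2 client that records every call, so the
    sequence above can be checked without an AWS account."""
    meta = type("Meta", (), {"region_name": "us-east-1"})()

    def __init__(self):
        self.calls = []
        self._counter = 0
        self._encrypted = set()

    def _new_id(self, prefix):
        self._counter += 1
        return f"{prefix}-{self._counter:017x}"

    def describe_volumes(self, VolumeIds):
        self.calls.append(("describe_volumes", VolumeIds[0]))
        return {"Volumes": [{"VolumeId": VolumeIds[0], "AvailabilityZone": "us-east-1a",
                             "Encrypted": VolumeIds[0] in self._encrypted}]}

    def create_snapshot(self, **kw):
        self.calls.append(("create_snapshot", kw["VolumeId"]))
        return {"SnapshotId": self._new_id("snap")}

    def copy_snapshot(self, **kw):
        self.calls.append(("copy_snapshot", kw["SourceSnapshotId"], kw["Encrypted"]))
        return {"SnapshotId": self._new_id("snap")}

    def create_volume(self, **kw):
        self.calls.append(("create_volume", kw["SnapshotId"], kw["AvailabilityZone"]))
        vol = self._new_id("vol")
        self._encrypted.add(vol)          # built from an encrypted snapshot
        return {"VolumeId": vol}

    def get_waiter(self, name):
        self.calls.append(("wait", name))
        return type("Waiter", (), {"wait": lambda self, **kw: None})()

    def __getattr__(self, name):          # stop/start/detach/attach: record only
        def call(**kw):
            self.calls.append((name, kw))
            return {}
        return call


if __name__ == "__main__":
    # For a real run: ec2 = boto3.client("ec2", region_name="us-east-1")
    ec2 = FakeEC2()
    print(encrypt_volume(ec2, "i-0123456789abcdef0", "vol-0123456789abcdef0", "/dev/xvdf"))
    for call in ec2.calls:
        print(call)
```

The principal running this needs ec2:DescribeVolumes, CreateSnapshot, CopySnapshot, CreateVolume, Stop/StartInstances and Attach/DetachVolume, plus use of the KMS key if one is specified; the root volume of an instance can be swapped the same way using its root device name.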

26
Q

Which data storage service can be encrypted in place?

A

S3, by enabling default encryption on the existing bucket (objects already present must be rewritten to become encrypted).

27
Q

Which data storage services do not support encryption in place and require migration from an unencrypted source to an encrypted target?

A

RDS (snapshot, copy with encryption, restore)
EFS (new file system, copy the data)
EBS (snapshot, copy with encryption, new volume)
DynamoDB was on this list when the deck was written; tables are now encrypted at rest by default (see card 28).

28
Q

True or false: AWS has added encryption at rest for existing DynamoDB tables since this deck was written, so you should check the current documentation before your exam?

A

True. All DynamoDB tables are now encrypted at rest by default (it cannot be disabled), and the KMS key an existing table uses can be changed in place.

29
Q

What do we mean by “encrypt in place”?

A

The ability to turn on encryption for a resource that already exists and holds data, without creating a new encrypted resource and copying the data to it.

30
Q

For more information on KMS compliance, where would you look?

A

https://aws.amazon.com/kms/features/

31
Q

Should you read the AWS DDoS Whitepaper?

A

Yes: https://d1.awsstatic.com/whitepapers/Security/DDoS_White_Paper.pdf

32
Q

For more information about CloudHSM, where would you look?

A

https://aws.amazon.com/cloudhsm/features/

33
Q

True or False: AWS Shield Standard (the basic tier) is turned on by default?

A

True: it is automatically enabled for all AWS customers at no extra charge. Shield Advanced is a paid opt-in.