Revisit Domain 3: Security and Compliance Flashcards
Which AWS Service can be used to mitigate a Distributed Denial of Service (DDoS) attack?
- Amazon CloudWatch
- AWS Shield
- AWS Key Management Service (AWS KMS)
- AWS Systems Manager
AWS Shield
AWS Shield is a managed Distributed Denial of Service (DDoS) protection service that safeguards applications running on AWS. AWS Shield provides always-on detection and automatic inline mitigations that minimize application downtime and latency, so there is no need to engage AWS Support to benefit from DDoS protection. There are two tiers of AWS Shield - Standard and Advanced.
Which of the following AWS services support VPC Endpoint Gateway for a private connection from a VPC? (Select two)
- Amazon Simple Storage Service (Amazon S3)
- Amazon DynamoDB
- Amazon Elastic Compute Cloud (Amazon EC2)
- Amazon Simple Queue Service (SQS)
- Amazon Simple Notification Service (SNS)
Amazon Simple Storage Service (Amazon S3)
Amazon DynamoDB
You may see a question around this concept in the exam. Just remember that only Amazon S3 and Amazon DynamoDB support VPC gateway endpoints. All other services that support VPC endpoints use a VPC interface endpoint (note that Amazon S3 supports the VPC interface endpoint as well).
Which security service of AWS is enabled for all AWS customers, by default, at no additional cost?
- AWS Secrets Manager
- AWS Shield Standard
- AWS WAF
- AWS Shield Advanced
AWS Shield Standard
AWS Shield Standard defends against the most common, frequently occurring network and transport layer DDoS attacks that target your website or applications. While AWS Shield Standard helps protect all AWS customers, you get better protection if you are using Amazon CloudFront and Amazon Route 53. All AWS customers benefit from the automatic protections of AWS Shield Standard, at no additional charge.
A company uses reserved EC2 instances across multiple units with each unit having its own AWS account. However, some of the units under-utilize their reserved instances while other units need more reserved instances. As a Cloud Practitioner, which of the following would you recommend as the most cost-optimal solution?
- Use AWS Organizations to manage AWS accounts of all units and then share the reserved EC2 instances amongst all units
- Use AWS Trusted Advisor to manage AWS accounts of all units and then share the reserved EC2 instances amongst all units
- Use AWS Cost Explorer to manage AWS accounts of all units and then share the reserved EC2 instances amongst all units
- Use AWS Systems Manager to manage AWS accounts of all units and then share the reserved EC2 instances amongst all units
Use AWS Organizations to manage AWS accounts of all units and then share the reserved EC2 instances amongst all units
AWS Organizations helps you to centrally manage billing; control access, compliance, and security; and share resources across your AWS accounts. Using AWS Organizations, you can automate account creation, create groups of accounts to reflect your business needs, and apply policies for these groups for governance. You can also simplify billing by setting up a single payment method for all of your AWS accounts. AWS Organizations is available to all AWS customers at no additional charge.
A company runs an application on a fleet of EC2 instances. The company wants to automate the traditional maintenance job of running timely assessments and checking for OS vulnerabilities. As a Cloud Practitioner, which service will you suggest for this use case?
- Amazon Inspector
- Amazon Macie
- Amazon GuardDuty
- AWS Shield
Amazon Inspector
Amazon Inspector is an automated security assessment service that helps improve the security and compliance of applications deployed on your Amazon EC2 instances. Amazon Inspector automatically assesses applications for exposure, vulnerabilities, and deviations from best practices. After performing an assessment, Amazon Inspector produces a detailed list of security findings prioritized by level of severity. These findings can be reviewed directly or as part of detailed assessment reports which are available via the Amazon Inspector console or API.
AWS Shield Advanced provides expanded DDoS attack protection for web applications running on which of the following resources? (Select two)
- Amazon Route 53
- AWS Global Accelerator
- Amazon API Gateway
- AWS CloudFormation
- AWS Elastic Beanstalk
Amazon Route 53
AWS Global Accelerator
AWS Shield Advanced provides expanded DDoS attack protection for web applications running on the following resources: Amazon Elastic Compute Cloud, Elastic Load Balancing (ELB), Amazon CloudFront, Amazon Route 53, AWS Global Accelerator.
A company wants to have control over creating and using its own keys for encryption on AWS services. Which of the following can be used for this use-case?
- AWS Secrets Manager
- AWS managed key
- AWS owned key
customer managed key (CMK)
An AWS KMS key is a logical representation of a cryptographic key. A KMS key contains metadata, such as the key ID, key spec, key usage, creation date, description, and key state. Most importantly, it contains a reference to the key material that is used when you perform cryptographic operations with the KMS key.
The KMS keys that you create are customer managed keys. Customer managed keys are KMS keys in your AWS account that you create, own, and manage. You have full control over these KMS keys, including establishing and maintaining their key policies, IAM policies, and grants, enabling and disabling them, rotating their cryptographic material, adding tags, creating aliases that refer to the KMS keys, and scheduling the KMS keys for deletion.
A medical research startup wants to understand the compliance of AWS services concerning HIPAA guidelines. Which AWS service can be used to review the HIPAA compliance and governance-related documents on AWS?
- AWS Trusted Advisor
- AWS Artifact
- AWS Secrets Manager
- AWS Systems Manager
AWS Artifact
AWS Artifact is your go-to, central resource for compliance-related information that matters to your organization. It provides on-demand access to AWS security and compliance reports and select online agreements. Reports available in AWS Artifact include our Service Organization Control (SOC) reports, Payment Card Industry (PCI) reports, and certifications from accreditation bodies across geographies and compliance verticals that validate the implementation and operating effectiveness of AWS security controls. Different types of agreements are available in AWS Artifact Agreements to address the needs of customers subject to specific regulations. For example, the Business Associate Addendum (BAA) is available for customers that need to comply with the Health Insurance Portability and Accountability Act (HIPAA). It is not a service, it’s a no-cost, self-service portal for on-demand access to AWS compliance reports.
You are configuring service control policies (SCPs) in AWS Organizations. Which identities and resources can SCPs be applied to?
An individual Account
An Organizational Unit (OU)
As per the AWS Shared Responsibility Model, which of the following is a responsibility of AWS from a security and compliance point of view?
- Customer Data
- Server-side Encryption
- Edge Location Management
- IAM
Edge Location Management
Security and Compliance is a shared responsibility between AWS and the customer. The AWS Shared Responsibility Model can help relieve the customer’s operational burden as AWS operates, manages, and controls the components from the host operating system and virtualization layer down to the physical security of the facilities in which the service operates.
AWS is responsible for security “of” the cloud. This covers their global infrastructure elements including Regions, Availability Zones (AZ), and Edge Locations.
- Server-side encryption (SSE) is not the answer: it counts as the customer taking care of their own data.
An organization has a complex IT architecture involving a lot of system dependencies and it wants to track the history of changes to each resource. Which AWS service will help the organization track the history of configuration changes for all the resources?
AWS Config
Config continuously monitors and records your AWS resource configurations and allows you to automate the evaluation of recorded configurations against desired configurations. Think resource-specific history, audit, and compliance; think Config.
- NOT CloudTrail
Think account-specific activity and audit; think CloudTrail. You cannot use CloudTrail to track changes to each resource on AWS.