SAA - Security Flashcards
How do you protect objects in your Amazon S3 buckets from deletion or overwrite?
Turn on versioning and MFA delete
How do you secure sensitive data in Amazon EBS volumes?
Ensure you turn on EBS encryption when creating the volume.
What AWS service can you use to provide short-term access that acts as temporary security credentials for access to your AWS resources?
AWS Security Token Service
What permissions do IAM identities start with when you create a new user, group, or role?
No permissions; all permissions must be explicitly granted.
What two types of policies can be attached to an IAM role?
Trust policy and permission policy
In what two main ways are Service Control Policies used?
- Block all services by default and then allow specific services (allow list).
- Allow all services by default and block access to specific services (deny list).
What are some differences between network access control lists and security groups?
- Network ACLs are applied to subnets and support both explicit allow and explicit deny rules
- Security groups are used for almost everything else and are simpler because they are stateful, so fewer rules are needed to secure your environment
- Security groups are used with the elastic network interfaces of your Amazon EC2 instances or resources
- Security groups have an explicit deny, meaning anything not explicitly allowed will be denied
- Network ACLs are processed in order from the lowest rule number to the highest rule number
- Network ACLs are stateless and security groups are stateful
What are the two types of endpoints that you can create inside your Amazon VPC?
- Gateway endpoints are used for AWS public services. They are needed when you want to reach a public service such as S3 or DynamoDB from a private instance or subnet that has no internet access and no NAT gateway. Gateway endpoints can be restricted with endpoint policies, work through routing, and require an entry in the route table.
- Interface endpoints are used for everything else; you must choose the correct endpoint for the AWS service you are connecting to. Interface endpoints use security groups rather than policies, and they use DNS together with a prefix list.
Which AWS service do you integrate to encrypt and rotate all database credentials, API keys, and secrets?
AWS Secrets Manager
Which AWS service do you integrate to secure your web application and allow multiple domains to serve SSL traffic over the same IP address?
AWS Certificate Manager
Which AWS Directory Service option do you implement to access resources both on-premises and in AWS using the on-premises credentials?
AWS Directory Service for Microsoft Active Directory
You need to limit the maximum number of requests from a single IP address for your AWS WAF rule. What do you create?
Create a rate-based rule and set the rate limit.