Section 16 - Security & Compliance Flashcards
Two types of AWS Shield (choose two)
Standard
Basic
Advanced
MegaExtreme
Deluxe
Standard
Advanced
Characteristics of Shield Standard (choose three)
free
free tier access for 1st year
enabled by user
activated by default
protects against layer 1 & 7 attacks
protects against layer 3 & 4 (TCP) attacks
free
activated by default
protects against layer 3 and 4 attacks
Characteristics of Shield Advanced (choose four)
1 - Optional DDoS mitigation service for $3,000/month
2 - free tier access for 1st year
3 - protects against more sophisticated attacks
4 - 24/7 access to the AWS DDoS Response Team (DRT)
5 - protects against layer 1 & 7 attacks
6 - protect against higher fees during usage spikes due to DDoS
1,3,4,6
Which protection service operates at Layer 7 (HTTP) of the OSI model
Data Shield
CloudWatch
OnGuard
WAF (Web Application Firewall)
web application firewall
When attempting penetration testing on your own environment, approval (is/not) needed.
Is not needed: prior approval is not required for the 15 services listed in AWS's penetration testing policy (the list is updated over time, so check the current policy before testing)
When engaging in penetration testing of your environment, these types of tests are not allowed (informational only; there is no associated question)
DNS Zone walking via Amazon Route 53 Hosted Zones
Denial of Service
Port flooding
Protocol flooding
Request flooding
n/a
We used this to encrypt data at rest and data in transit
Encryption chips
Encryption crypts
Encryption keys
You Can’t See Mees
encryption keys
Anytime you hear “encryption” for an AWS service, it is most likely:
Key Management Service
Keys and Manage Service
Data Encrypt keys
Encryptokeys
Key Management Service
Three services that have encryption automatically enabled:
CloudTrail logs
CloudWatch logs
S3 Glacier
S3 Standard
Storage Gateway
CloudTrail logs
S3 Glacier
Storage Gateway
With KMS, who manages the keys?
Organization
AWS
Both AWS and organization
neither AWS nor organization but rather, a 3rd party
AWS
With HSM, who manages the keys?
Organization
AWS
Both AWS and organization
neither AWS nor organization but rather, a 3rd party
the organization
What does HSM stand for?
HotSexMany
Hardware Sex Module
Hardware Security Module
Happy Stand Mixer
hardware security module
What type of data encryption involves physical hardware?
Key Management Service
Bit locker
HSM (hardware security module)
Norton
HSM (Hardware security module)
For Hardware security module (HSM), who manages the actual hardware?
AWS
organization
both AWS and organization
3rd party
AWS
How does an organization manage HSM encryption with the HSM hardware on the AWS side?
using a “CloudHSM client” that integrates with the AWS CloudHSM service
with matching hardware on the organization side
Fred
with encrypto keys
using a “CloudHSM client” that integrates with the AWS CloudHSM service
1 - CloudHSM keys
2 - AWS owned CMK
3 - AWS managed CMK
4 - customer managed CMK
A - created, managed and used by the customer; can be enabled or disabled // optional rotation policy (new key material generated every year; the old key material is preserved so ciphertext produced before the rotation still decrypts) // possibility to bring your own key
B - created, managed and used on the customer’s behalf by AWS // used by AWS services (aws/s3, aws/ebs, aws/redshift)
C - collection of CMKs that an AWS service owns and manages for use in multiple accounts // AWS can use those to protect resources in your account (but you can’t view the keys)
D - keys generated from your own CloudHSM hardware device // cryptographic operations are performed within the CloudHSM cluster
1 - D
2 - C
3 - B
4 - A
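The rotation behaviour described under A, as an added example (this is not AWS code and not part of the original card set). It is a toy model of a customer managed key: a stable key ID backed by a list of key-material versions, where every ciphertext records the version that produced it, so rotation only changes what new encrypts use and old ciphertext keeps decrypting. The class and function names are assumptions, and the cipher is a throwaway HMAC-SHA256 keystream with an HMAC tag standing in for KMS's real AES-GCM; the ciphertext layout is invented for the example and is not the KMS format.

```python
"""Toy model of a KMS-style customer managed key across rotation (added example, not AWS code).
The cipher here is illustrative only; do not reuse it for real data."""
import hashlib
import hmac
import secrets
import struct

NONCE_LEN = 16
TAG_LEN = 32


class DisabledKeyError(Exception):
    """Raised when a disabled key is asked to encrypt or decrypt (KMS rejects both)."""


def _keystream(material, nonce, length):
    """Deterministic keystream derived from (material, nonce): HMAC over a counter."""
    out = bytearray()
    counter = 0
    while len(out) < length:
        out += hmac.new(material, nonce + struct.pack(">I", counter), hashlib.sha256).digest()
        counter += 1
    return bytes(out[:length])


def _parse_header(ciphertext):
    """Return (key_id, version, nonce, header_length) from the invented ciphertext prefix."""
    (kid_len,) = struct.unpack(">H", ciphertext[:2])
    key_id = ciphertext[2:2 + kid_len].decode()
    (version,) = struct.unpack(">I", ciphertext[2 + kid_len:6 + kid_len])
    nonce = ciphertext[6 + kid_len:6 + kid_len + NONCE_LEN]
    return key_id, version, nonce, 6 + kid_len + NONCE_LEN


def ciphertext_version(ciphertext):
    """Which key-material version produced this ciphertext."""
    return _parse_header(ciphertext)[1]


class CustomerManagedKey:
    """One logical key: the key ID never changes, the backing material is versioned."""

    def __init__(self, key_id):
        self.key_id = key_id
        self.enabled = True
        self.versions = [secrets.token_bytes(32)]   # version 0 is created with the key

    def rotate(self):
        """Generate new material. Old versions are kept, never deleted."""
        self.versions.append(secrets.token_bytes(32))
        return len(self.versions) - 1

    def encrypt(self, plaintext):
        if not self.enabled:
            raise DisabledKeyError(self.key_id)
        version = len(self.versions) - 1            # new encrypts always use the newest material
        material = self.versions[version]
        nonce = secrets.token_bytes(NONCE_LEN)
        kid = self.key_id.encode()
        header = struct.pack(">H", len(kid)) + kid + struct.pack(">I", version) + nonce
        body = bytes(p ^ k for p, k in zip(plaintext, _keystream(material, nonce, len(plaintext))))
        tag = hmac.new(material, header + body, hashlib.sha256).digest()   # encrypt-then-MAC
        return header + body + tag

    def decrypt(self, ciphertext):
        if not self.enabled:
            raise DisabledKeyError(self.key_id)
        key_id, version, nonce, hlen = _parse_header(ciphertext)
        if key_id != self.key_id:
            raise ValueError("ciphertext was produced under a different key")
        if version >= len(self.versions):
            raise ValueError("unknown key version")
        material = self.versions[version]           # the version that encrypted it, not the newest
        body, tag = ciphertext[hlen:-TAG_LEN], ciphertext[-TAG_LEN:]
        expected = hmac.new(material, ciphertext[:hlen] + body, hashlib.sha256).digest()
        if not hmac.compare_digest(tag, expected):
            raise ValueError("integrity check failed")
        return bytes(c ^ k for c, k in zip(body, _keystream(material, nonce, len(body))))


if __name__ == "__main__":
    key = CustomerManagedKey("alias/payments")
    before = key.encrypt(b"card-number")
    key.rotate()
    after = key.encrypt(b"card-number")
    print("versions:", ciphertext_version(before), ciphertext_version(after))
    print("both decrypt:", key.decrypt(before) == key.decrypt(after) == b"card-number")
    key.enabled = False
    try:
        key.encrypt(b"x")
    except DisabledKeyError as e:
        print("disabled key refused:", e)
```

Disabling the key refuses both directions, which is why disabling (rather than deleting) a key is the safe first step when retiring it: anything that still depends on it fails loudly instead of losing data.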
A service that lets you easily provision, manage, and deploy SSL/TLS certificates
AWS Certified
AWS SSL/TLS Assign
AWS Certificate Manager (ACM)
AWS CertsAreUs
AWS Certificate Manager (ACM)
If you see a question on the exam regarding certificates and in-flight services, think:
AWS Certified
AWS SSL/TLS Assign
AWS Certificate Manager (ACM)
AWS CertsAreUs
AWS Certificate Manager (ACM)
ACM (AWS Certificate Manager) supports (choose three)
Public and private TLS certificates
Is free of charge for public TLS certificates
automatic TLS certificate renewal
charges a fee for both public and private TLS certificates
Public and private TLS certificates
Is free of charge for public TLS certificates
automatic TLS certificate renewal
Newer service meant for storing secrets
AWS MySecret
AWS HushorWeWillFindYou
AWS Secrets Manager
AWS STFU
AWS Secrets Manager
Secrets Manager is a (paid/free (w/30 day free trial)/free tier) service?
paid w/30 day free trial
AWS Secrets Manager encrypts secrets using
HSM
KMS
MmmmK
threats of taking away video game time
KMS
A portal which provides a way to download “compliance” and “agreements” documents
AWS Documents
AWS CompliAgree
AWS DownloadMe
AWS Artifact
AWS Artifact
Amazon GuardDuty
for information only - no question to answer
- intelligent threat discovery to protect your AWS account
- uses input from VPC Flow Logs, CloudTrail logs, DNS logs and EKS audit logs
- machine learning algorithms
- 30-day trial
- no need to install software
- can set up EventBridge rules on its findings
- very good tool to protect against cryptocurrency attacks (GuardDuty's CryptoCurrency finding family)
n/a
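The “set up EventBridge rules” and “cryptocurrency attacks” points above, as an added example that is not AWS code and not part of the original cards: an EventBridge event pattern that routes only GuardDuty findings in the CryptoCurrency family at or above a chosen severity, plus a small matcher that implements just the subset of EventBridge pattern semantics this rule uses (exact lists, nested keys, `prefix` and `numeric` matchers) so the pattern can be exercised offline against constructed findings. The function names, the severity threshold of 4 and the sample events are assumptions; the finding type strings are real GuardDuty finding types.

```python
"""EventBridge rule pattern for GuardDuty CryptoCurrency findings, with an offline
matcher for the pattern subset it uses (added example, not AWS code)."""
import json
import operator

# GuardDuty finding types are strings such as "CryptoCurrency:EC2/BitcoinTool.B!DNS";
# the prefix matcher catches the whole family. Threshold 4 is an assumption for the example.
CRYPTO_FINDINGS_PATTERN = {
    "source": ["aws.guardduty"],
    "detail-type": ["GuardDuty Finding"],
    "detail": {
        "type": [{"prefix": "CryptoCurrency:"}],
        "severity": [{"numeric": [">=", 4]}],
    },
}

_NUMERIC_OPS = {">": operator.gt, ">=": operator.ge, "<": operator.lt,
                "<=": operator.le, "=": operator.eq}


def _value_matches(matcher, value):
    """One entry of a pattern list: an exact value, {"prefix": ...} or {"numeric": [op, n, ...]}."""
    if isinstance(matcher, dict):
        if "prefix" in matcher:
            return isinstance(value, str) and value.startswith(matcher["prefix"])
        if "numeric" in matcher:
            ops = matcher["numeric"]
            if isinstance(value, bool) or not isinstance(value, (int, float)):
                return False
            return all(_NUMERIC_OPS[op](value, bound) for op, bound in zip(ops[0::2], ops[1::2]))
        raise ValueError(f"unsupported matcher: {matcher}")
    return matcher == value


def event_matches(pattern, event):
    """Every pattern key must exist in the event; dicts recurse; a list means 'any of these'."""
    for key, spec in pattern.items():
        if key not in event:
            return False
        if isinstance(spec, dict):
            if not isinstance(event[key], dict) or not event_matches(spec, event[key]):
                return False
        elif not any(_value_matches(m, event[key]) for m in spec):
            return False
    return True


def rule_pattern_json():
    """The pattern as you would paste it into the EventBridge console or `aws events put-rule`."""
    return json.dumps(CRYPTO_FINDINGS_PATTERN, indent=2)


def _finding(finding_type, severity):
    # Constructed EventBridge envelope around a GuardDuty finding; not a real captured event.
    return {"source": "aws.guardduty", "detail-type": "GuardDuty Finding",
            "detail": {"type": finding_type, "severity": severity,
                       "accountId": "111111111111", "region": "us-east-1"}}


SAMPLE_EVENTS = [
    _finding("CryptoCurrency:EC2/BitcoinTool.B!DNS", 8),   # should be routed
    _finding("CryptoCurrency:EC2/BitcoinTool.B", 2),       # right family, below threshold
    _finding("Recon:EC2/PortProbeUnprotectedPort", 5),     # different finding family
    {"source": "aws.inspector2", "detail-type": "Inspector2 Finding",   # not GuardDuty at all
     "detail": {"type": "CryptoCurrency:lookalike", "severity": 9}},
]


def routed_finding_types(events, pattern=CRYPTO_FINDINGS_PATTERN):
    """Finding types the rule would forward to its target (SNS topic, Lambda, etc.)."""
    return [e["detail"]["type"] for e in events if event_matches(pattern, e)]


if __name__ == "__main__":
    print(rule_pattern_json())
    print("routed:", routed_finding_types(SAMPLE_EVENTS))
```

Filtering on `source` as well as `detail.type` matters: other services emit findings with similar-looking `type` fields, and a rule keyed only on the prefix would forward them to a target built for GuardDuty's payload.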
Allows you to run automated security assessments on running EC2 instances, ECR, and Lambda functions
Amazon Monitoring
Amazon SecurityAssessment
Amazon InspectSomeShit
Amazon Inspector
Amazon Inspector
Amazon Inspector can send its findings here (choose two)
CloudWatch
CloudTrail logs
AWS Security Hub
Amazon EventBridge
AWS Security Hub
Amazon EventBridge
Helps with auditing and recording compliance of your AWS resources, records configurations and changes over time, possibility of storing data into S3 (analyzed by Athena)
AWS TrackChange
AWS Config
AWS ConfigMonitor
AWS Conigurator
AWS Config
Info only - no question to answer
Questions that can be answered by AWS Config:
Is there unrestricted SSH access to my security groups?
Do my buckets have any public access?
How has my ALB configuration changed over time?
n/a
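The first Config question above, “Is there unrestricted SSH access to my security groups?”, as an added example that is not AWS Config's own rule code and not part of the original cards: the evaluation logic a rule of that kind performs, applied to security groups in the shape the EC2 DescribeSecurityGroups API returns. It handles the cases a naive “port 22 from 0.0.0.0/0” check misses: a port range that covers 22, an all-traffic (`-1`) rule, and the IPv6 equivalent `::/0`. The function names and the sample groups are assumptions; the sample data is constructed, not taken from a real account.

```python
"""Unrestricted-SSH check over DescribeSecurityGroups-shaped data (added example, not AWS code)."""

WORLD_V4 = "0.0.0.0/0"
WORLD_V6 = "::/0"


def _rule_reaches_port(rule, port):
    """True if an inbound rule permits TCP traffic to `port`."""
    proto = rule.get("IpProtocol")
    if proto == "-1":                       # all protocols, all ports: no FromPort/ToPort present
        return True
    if proto not in ("tcp", "6"):           # "6" is the IANA protocol number for TCP
        return False
    return rule.get("FromPort", -1) <= port <= rule.get("ToPort", -1)


def _rule_open_to_world(rule):
    """True if the rule's source includes every IPv4 or every IPv6 address."""
    v4 = any(r.get("CidrIp") == WORLD_V4 for r in rule.get("IpRanges", []))
    v6 = any(r.get("CidrIpv6") == WORLD_V6 for r in rule.get("Ipv6Ranges", []))
    return v4 or v6


def unrestricted_ssh_groups(groups, port=22):
    """IDs of groups with at least one inbound rule that lets the whole internet reach `port`."""
    flagged = []
    for sg in groups:
        rules = sg.get("IpPermissions", [])
        if any(_rule_reaches_port(r, port) and _rule_open_to_world(r) for r in rules):
            flagged.append(sg["GroupId"])
    return flagged


# Constructed sample groups mimicking DescribeSecurityGroups output (not real account data).
SAMPLE_GROUPS = [
    {"GroupId": "sg-0a1", "GroupName": "bastion-open",
     "IpPermissions": [{"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
                        "IpRanges": [{"CidrIp": "0.0.0.0/0"}]}]},
    {"GroupId": "sg-0a2", "GroupName": "bastion-ok",            # SSH only from the corporate range
     "IpPermissions": [{"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
                        "IpRanges": [{"CidrIp": "10.0.0.0/8"}]}]},
    {"GroupId": "sg-0a3", "GroupName": "range-covers-22",       # 20-25 from any IPv6 address
     "IpPermissions": [{"IpProtocol": "tcp", "FromPort": 20, "ToPort": 25,
                        "IpRanges": [], "Ipv6Ranges": [{"CidrIpv6": "::/0"}]}]},
    {"GroupId": "sg-0a4", "GroupName": "all-traffic",           # everything from everywhere
     "IpPermissions": [{"IpProtocol": "-1", "IpRanges": [{"CidrIp": "0.0.0.0/0"}]}]},
    {"GroupId": "sg-0a5", "GroupName": "web",                   # public HTTPS is not an SSH finding
     "IpPermissions": [{"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443,
                        "IpRanges": [{"CidrIp": "0.0.0.0/0"}]}]},
    {"GroupId": "sg-0a6", "GroupName": "sg-referenced",         # source is another group, not a CIDR
     "IpPermissions": [{"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
                        "UserIdGroupPairs": [{"GroupId": "sg-0a2"}]}]},
]

if __name__ == "__main__":
    print("NON_COMPLIANT:", unrestricted_ssh_groups(SAMPLE_GROUPS))
```

The same function answers the check for any port (RDP on 3389, a database port) by changing the `port` argument, which is how one evaluation routine can back several compliance questions.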
A fully managed data security and data privacy service that uses machine learning and pattern matching to discover and protect your sensitive data
Amazon Marcel
Amazon Mercy
Amazon Macie
Amazon Merce beau coup
Amazon Macie
Helps identify and alert you to sensitive data, such as personally identifiable information (PII)
Amazon Marcel
Amazon Mercy
Amazon Macie
Amazon Merce beau coup
Amazon Macie
A way to have a central security hub that can manage security across multiple accounts and automate security checks
AWS Secure
AWS Security Hub
AWS Web of Security
AWS Call Big Vito or Tony
AWS Security Hub
information - not a question
AWS Security Hub aggregates alerts from all of the following:
GuardDuty
Inspector
Macie
IAM Access Analyzer
AWS Systems Manager
AWS Firewall Manager
AWS Partner Network Solutions
n/a
In order for AWS Security Hub to work, you first need to enable
AWS Config Service
AWS Systems Manager
Macie
GuardDuty
AWS Config Service
AWS Security Hub - click two that apply
A - Has a free tier service
B - Has a 30 day free trial
C - is how you run antivirus checks on your EC2 instances
D - requires AWS Config to be enabled
B
D
The following apps are used to identify potential security issues or findings (choose three)
GuardDuty
CloudTrail
Macie
Security Hub
CloudWatch
GuardDuty, Macie, Security Hub
automatically collects log data from your AWS resources and uses machine learning (ML), statistical analysis, and graph theory to build a linked dataset that you can use to conduct more efficient security investigations.
CloudTrail
Macie
SecurityHub
Amazon Detective
Amazon Detective
two ways to contact the AWS Abuse team to report suspected abuse:
AWS abuse form
Call their 800 #
Just look the other way
abuse@amazonaws.com
AWS Abuse Form
abuse@amazonaws.com
Info only - no question to answer
Only the root user can make the following changes:
Change account settings
View certain tax invoices
Close your AWS account
Restore IAM user permissions
Change or cancel your AWS Support plan
Register as a seller in the Reserved instance Marketplace
Enable MFA Delete on an Amazon S3 bucket
Edit or delete an Amazon S3 bucket policy that includes invalid VPC ID or VPC endpoint ID
Sign up for GovCloud
n/a
Used to find out which resources are shared externally
CloudWatch
CloudTrail
IAM Access Analyzer
Security Hub
Amazon Detective
IAM Access Analyzer
This is a user defined zone in IAM Access Analyzer where you determine what is in your trusted zone
Zone of Moldar
Lord of the Zone
Zone 1
Zone of Trust
Zone of Trust
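The zone-of-trust idea from the two cards above, as an added example that is not IAM Access Analyzer's own code and not part of the original cards: given a bucket policy and the set of account IDs you trust, report every Allow statement whose principal lies outside that set, marking `Principal: "*"` as public. It looks at principals only; Access Analyzer also reasons over `Condition` blocks, which this version deliberately does not. The function names, the account IDs and the sample policy are assumptions; the policy is constructed for the example.

```python
"""Find principals outside a zone of trust in an S3 bucket policy (added example, not AWS code)."""
import re

ACCOUNT_IN_ARN = re.compile(r"^arn:aws:(?:iam|sts)::(\d{12}):")
BARE_ACCOUNT = re.compile(r"^\d{12}$")


def _as_list(x):
    """Policy JSON allows a single value or a list in most places; normalise to a list."""
    return x if isinstance(x, list) else [x]


def _aws_principals(statement):
    """The AWS (account/role/user) principals of a statement; Service/Federated are out of scope here."""
    principal = statement.get("Principal")
    if principal == "*":
        return ["*"]
    if isinstance(principal, dict):
        return _as_list(principal.get("AWS", []))
    return []


def principal_account(principal):
    """Map a principal to the account that owns it, or "*" for anyone."""
    if principal == "*":
        return "*"
    if BARE_ACCOUNT.match(principal):            # bare 12-digit account ID
        return principal
    m = ACCOUNT_IN_ARN.match(principal)          # arn:aws:iam::ACCOUNT:..., arn:aws:sts::ACCOUNT:...
    return m.group(1) if m else principal        # unknown form: surface it verbatim so it gets reviewed


def external_access(policy, zone_of_trust):
    """Allow statements granting access to principals outside zone_of_trust (a set of account IDs)."""
    findings = []
    for stmt in _as_list(policy.get("Statement", [])):
        if stmt.get("Effect") != "Allow":
            continue                             # a Deny never grants access, so it is never a finding
        for p in _aws_principals(stmt):
            account = principal_account(p)
            if account not in zone_of_trust:
                findings.append({"sid": stmt.get("Sid"), "principal": p, "account": account,
                                 "public": account == "*",
                                 "actions": _as_list(stmt.get("Action", []))})
    return findings


# Constructed bucket policy; the account IDs are placeholders, not real accounts.
SAMPLE_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Sid": "InternalRead", "Effect": "Allow",
         "Principal": {"AWS": "arn:aws:iam::111111111111:role/app"},
         "Action": "s3:GetObject", "Resource": "arn:aws:s3:::example-bucket/*"},
        {"Sid": "PartnerRead", "Effect": "Allow",
         "Principal": {"AWS": ["arn:aws:iam::222222222222:root", "111111111111"]},
         "Action": ["s3:GetObject", "s3:ListBucket"],
         "Resource": ["arn:aws:s3:::example-bucket", "arn:aws:s3:::example-bucket/*"]},
        {"Sid": "PublicWebsite", "Effect": "Allow", "Principal": "*",
         "Action": "s3:GetObject", "Resource": "arn:aws:s3:::example-bucket/public/*"},
        {"Sid": "DenyInsecure", "Effect": "Deny", "Principal": "*",
         "Action": "s3:*", "Resource": "arn:aws:s3:::example-bucket/*",
         "Condition": {"Bool": {"aws:SecureTransport": "false"}}},
    ],
}

ZONE_OF_TRUST = {"111111111111"}     # the account(s) you own; everything else is external

if __name__ == "__main__":
    for f in external_access(SAMPLE_POLICY, ZONE_OF_TRUST):
        print(f["sid"], "->", f["principal"], "(public)" if f["public"] else "(external account)")
```

Widening the zone of trust to include the partner account makes the `PartnerRead` finding disappear while the public statement remains, which is exactly the distinction Access Analyzer draws between intended cross-account sharing and unintended exposure.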
Amazon Detective
Amazon GuardDuty
A - a threat detection service that continuously monitors malicious activity and unauthorized behavior to protect AWS accounts and workloads.
B - simplifies the process of investigating security findings and identifying the root cause.
Amazon Detective - B
Amazon GuardDuty - A
Amazon Inspector
Amazon GuardDuty
A - a threat detection service that continuously monitors malicious activity and unauthorized behavior to protect AWS accounts and workloads.
B - simplifies the process of investigating security findings and identifying the root cause.