Section 16 - Security & Compliance Flashcards

1
Q

Two types of AWS Shield (choose two)
Standard
Basic
Advanced
MegaExtreme
Deluxe

A

Standard
Advanced

2
Q

Characteristics of Shield Standard (choose three)
free
free tier access for 1st year
enabled by user
activated by default
protects against layer 1 & 7 attacks
protects against layer 3 & 4 (TCP) attacks

A

free
activated by default
protects against layer 3 and 4 attacks

3
Q

Characteristics of Shield Advanced (choose four)
1 - Optional DDoS mitigation service for $3k/mo
2 - free tier access for 1st year
3 - protects against more sophisticated attacks
4 - 24/7 access to the AWS DDoS Response Team (DRT)
5 - protects against layer 1 & 7 attacks
6 - protects against higher fees during usage spikes caused by DDoS

A

1,3,4,6

4
Q

Which protection service operates at Layer 7 (HTTP) of the OSI model?
Data Shield
CloudWatch
OnGuard
WAF (Web Application Firewall)

A

WAF (Web Application Firewall)

5
Q

When performing penetration testing against your own AWS environment, prior approval (is/is not) needed.

A

Is not needed for the specific services named in AWS's published penetration-testing policy (15 at the time these cards were written; the list changes, so check the current policy). Testing anything else still requires a request to AWS.

6
Q

When engaging in penetration testing of your environment, these types of tests are not allowed (this is for informational purposes, there’s no associated question)
DNS zone walking via Amazon Route 53 hosted zones
Denial of Service (DoS) and Distributed Denial of Service (DDoS), including simulated DoS/DDoS
Port flooding
Protocol flooding
Request flooding

A

n/a

7
Q

We use these to encrypt data at rest and data in transit
Encryption chips
Encryption crypts
Encryption keys
You Can’t See Mees

A

encryption keys

8
Q

Anytime you hear “encryption” for an AWS service, it is most likely:
Key Management Service
Keys and Manage Service
Data Encrypt keys
Encryptokeys

A

Key Management Service

9
Q

Three services that have encryption automatically enabled:
CloudTrail logs
CloudWatch logs
S3 Glacier
S3 Standard
Storage Gateway

A

CloudTrail logs
S3 Glacier
Storage Gateway
(Caveat: since January 2023 Amazon S3 applies SSE-S3 encryption to every new object by default, so on current accounts S3 Standard is encrypted at rest as well; the course material these cards follow predates that change.)

10
Q

With KMS, who manages the keys?
Organization
AWS
Both AWS and organization
neither AWS nor organization but rather, a 3rd party

A

AWS (AWS runs the key-management software and the keys live inside KMS; even a customer managed key never leaves KMS in plaintext)

11
Q

With HSM, who manages the keys?
Organization
AWS
Both AWS and organization
neither AWS nor organization but rather, a 3rd party

A

the organization

12
Q

What does HSM stand for?
HotSexMany
Hardware Sex Module
Hardware Security Module
Happy Stand Mixer

A

hardware security module

13
Q

What type of data encryption involves physical hardware?
Key Management Service
Bit locker
HSM (hardware security module)
Norton

A

HSM (Hardware security module)

14
Q

For Hardware security module (HSM), who manages the actual hardware?
AWS
organization
both AWS and organization
3rd party

A

AWS

15
Q

How does an organization manage HSM encryption with the HSM hardware on the AWS side?
using a “CloudHSM client” that integrates with the AWS CloudHSM service
with matching hardware on the organization side
Fred
with encrypto keys

A

using a “CloudHSM client” that integrates with the AWS CloudHSM service

16
Q

1 - CloudHSM keys
2 - AWS owned CMK
3 - AWS managed CMK
4 - customer managed CMK
(CMK = customer master key, the older name for what AWS now calls a KMS key)

A - Created, managed and used by the customer; can be enabled or disabled // optional rotation policy (new key material generated every year by default, old key material kept so existing ciphertext still decrypts) // possibility to bring your own key (BYOK)

B - Created, managed and used on the customer’s behalf by AWS // Used by AWS services (aws/s3, aws/ebs, aws/redshift)

C - Collection of CMKs that an AWS service owns and manages to use in multiple accounts // AWS can use those to protect resources in your account (but you can’t view the keys)

D - keys generated from your own CloudHSM hardware device // cryptographic operations are performed within the CloudHSM cluster

A

1 - D
2 - C
3 - B
4 - A

17
Q

A service that lets you easily provision, manage, and deploy SSL/TLS certificates
AWS Certified
AWS SSL/TLS Assign
AWS Certificate Manager (ACM)
AWS CertsAreUs

A

AWS Certificate Manager (ACM)

18
Q

If you see a question on the exam regarding certificates and in-flight (in-transit) encryption, think:
AWS Certified
AWS SSL/TLS Assign
AWS Certificate Manager (ACM)
AWS CertsAreUs

A

AWS Certificate Manager (ACM)

19
Q

ACM (AWS Certificate Manager) supports (choose three)
Public and private TLS certificates
Is free of charge for public TLS certificates
automatic TLS certificate renewal
charges a fee for both public and private TLS certificates

A

Public and private TLS certificates
Is free of charge for public TLS certificates
automatic TLS certificate renewal

20
Q

Newer service meant for storing secrets
AWS MySecret
AWS HushorWeWillFindYou
AWS Secrets Manager
AWS STFU

A

AWS Secrets Manager

21
Q

Secrets Manager is a (paid/free (w/30 day free trial)/free tier) service?

A

paid w/30 day free trial

22
Q

AWS Secrets Manager encrypts secrets using
HSM
KMS
MmmmK
threats of taking away video game time

A

KMS

23
Q

A portal which provides a way to download “compliance” and “agreements” documents
AWS Documents
AWS CompliAgree
AWS DownloadMe
AWS Artifact

A

AWS Artifact

24
Q

Amazon Guard Duty

for information only - no question to answer

  • Intelligent threat discovery to protect your AWS account
  • uses info from VPC Flow logs, CloudTrail logs, DNS logs, EKS Audit logs
  • machine learning algorithms
  • 30 day trial
  • no need to install software
  • can setup EventBridge rules
  • very good tool to protect against cryptocurrency-mining attacks (GuardDuty has a dedicated CryptoCurrency finding type)
A

n/a

25
Q

Allows you to run automated security assessments on running EC2 instances, container images in ECR, and Lambda functions

Amazon Monitoring
Amazon SecurityAssessment
Amazon InspectSomeShit
Amazon Inspector

A

Amazon Inspector

26
Q

Amazon Inspector can send its findings here (choose two)
CloudWatch
CloudTrail logs
AWS Security Hub
Amazon EventBridge

A

AWS Security Hub
Amazon EventBridge

27
Q

Helps with auditing and recording compliance of your AWS resources, records configurations and changes over time, possibility of storing data into S3 (analyzed by Athena)
AWS TrackChange
AWS Config
AWS ConfigMonitor
AWS Configurator

A

AWS Config

28
Q

Info only - no question to answer
Questions that can be answered by AWS Config:
Is there unrestricted SSH access to my security groups?
Do my buckets have any public access?
How has my ALB configuration changed over time?

A

n/a
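
The first of the three questions above ("Is there unrestricted SSH access to my security groups?") is what the AWS Config managed rule restricted-ssh evaluates. The following is an added example, not code from the flashcards or from AWS: a stand-alone re-implementation of that check over security-group JSON in the shape that `aws ec2 describe-security-groups` returns. The sample groups, their IDs and CIDRs are constructed for the example; the evaluation result mimics the COMPLIANT / NON_COMPLIANT shape that Config rules report.

```python
"""Local model of the Config question "Is there unrestricted SSH access to my
security groups?" (the managed rule `restricted-ssh`). Added example; it is
not AWS's own rule code. Input is the JSON shape returned by
`aws ec2 describe-security-groups`."""

# Sources that mean "the whole internet" for IPv4 and IPv6.
ANYWHERE = {"0.0.0.0/0", "::/0"}


def _covers_port(permission, port):
    """True if one IpPermissions entry allows TCP traffic to `port`.
    IpProtocol "-1" means all protocols and all ports and carries no
    FromPort/ToPort fields, so it is treated as covering the port."""
    proto = permission.get("IpProtocol")
    if proto == "-1":
        return True
    if proto not in ("tcp", "6"):          # "6" is the numeric form of TCP
        return False
    lo = permission.get("FromPort", 0)
    hi = permission.get("ToPort", 65535)
    return lo <= port <= hi


def _open_to_world(permission):
    """CIDR sources in the entry that are 0.0.0.0/0 or ::/0."""
    sources = [r.get("CidrIp") for r in permission.get("IpRanges", [])]
    sources += [r.get("CidrIpv6") for r in permission.get("Ipv6Ranges", [])]
    return [s for s in sources if s in ANYWHERE]


def evaluate_sg(security_group, port=22):
    """Config-style evaluation of one security group: only ingress rules
    (IpPermissions) are examined, as restricted-ssh does."""
    offenders = []
    for perm in security_group.get("IpPermissions", []):
        if _covers_port(perm, port):
            for src in _open_to_world(perm):
                offenders.append(f"{perm.get('IpProtocol')} port {port} from {src}")
    return {
        "GroupId": security_group["GroupId"],
        "ComplianceType": "NON_COMPLIANT" if offenders else "COMPLIANT",
        "Annotation": "; ".join(offenders) or f"no world-open rule reaches port {port}",
    }


# Constructed sample groups (fake IDs, documentation CIDRs); not real data.
SAMPLE_GROUPS = [
    {"GroupId": "sg-bastion", "IpPermissions": [           # SSH from anywhere
        {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
         "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": []}]},
    {"GroupId": "sg-office", "IpPermissions": [            # SSH from one /24 only
        {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
         "IpRanges": [{"CidrIp": "203.0.113.0/24"}], "Ipv6Ranges": []}]},
    {"GroupId": "sg-wideopen", "IpPermissions": [          # all traffic, v4 and v6
        {"IpProtocol": "-1", "IpRanges": [{"CidrIp": "0.0.0.0/0"}],
         "Ipv6Ranges": [{"CidrIpv6": "::/0"}]}]},
    {"GroupId": "sg-range", "IpPermissions": [             # port range that includes 22
        {"IpProtocol": "tcp", "FromPort": 0, "ToPort": 1024,
         "IpRanges": [], "Ipv6Ranges": [{"CidrIpv6": "::/0"}]}]},
    {"GroupId": "sg-web", "IpPermissions": [               # public HTTPS only: fine
        {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443,
         "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": []}]},
]


def noncompliant_ids(groups=SAMPLE_GROUPS):
    """GroupIds that would show as NON_COMPLIANT in the Config console."""
    return [e["GroupId"] for e in map(evaluate_sg, groups)
            if e["ComplianceType"] == "NON_COMPLIANT"]


if __name__ == "__main__":
    for g in SAMPLE_GROUPS:
        print(evaluate_sg(g))
```

Note the two cases a naive "port 22 from 0.0.0.0/0" string match misses: an "all traffic" rule (IpProtocol -1, no port fields) and a TCP port range that merely contains 22. Both are reported here, as the managed rule reports them.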

29
Q

A fully managed data security and data privacy service that uses machine learning and pattern matching to discover and protect your sensitive data
Amazon Marcel
Amazon Mercy
Amazon Macie
Amazon Merce beau coup

A

Amazon Macie

30
Q

Helps identify and alert you to sensitive data, such as personally identifiable information (PII)
Amazon Marcel
Amazon Mercy
Amazon Macie
Amazon Merce beau coup

A

Amazon Macie

31
Q

A way to have a central security hub that can manage security across multiple accounts and automate security checks
AWS Secure
AWS Security Hub
AWS Web of Security
AWS Call Big Vito or Tony

A

AWS Security Hub

32
Q

information - not a question

AWS Security Hub aggregates alerts from all of the following:
GuardDuty
Inspector
Macie
IAM Access Analyzer
AWS Systems Manager
AWS Firewall Manager
AWS Partner Network Solutions

A

n/a

33
Q

In order for AWS Security Hub to work, you first need to enable
AWS Config Service
AWS Systems Manager
Macie
Guard Duty

A

AWS Config Service

34
Q

AWS Security Hub - choose two that apply
A - Has a free tier service
B - Has a 30 day free trial
C - is how you run antivirus checks on your EC2 instances
D - requires AWS Config to be enabled

A

B
D

35
Q

The following apps are used to identify potential security issues or findings (choose three)
GuardDuty
CloudTrail
Macie
Security Hub
CloudWatch

A

GuardDuty, Macie, Security Hub

36
Q

automatically collects log data from your AWS resources and uses machine learning (ML), statistical analysis, and graph theory to build a linked dataset that you can use to conduct more efficient security investigations.

CloudTrail
Macie
Security Hub
Amazon Detective

A

Amazon Detective

37
Q

two ways to contact the AWS Abuse team to report suspected abuse:
AWS abuse form
Call their 800 #
Just look the other way
abuse@amazonaws.com

A

AWS Abuse Form
abuse@amazonaws.com

38
Q

Info only - no question to answer

Only the root user can make the following changes:

Change account settings
View certain tax invoices
Close your AWS account
Restore IAM user permissions
Change or cancel your AWS Support plan
Register as a seller in the Reserved Instance Marketplace
Configure an Amazon S3 bucket to enable MFA Delete
Edit or delete an Amazon S3 bucket policy that includes invalid VPC ID or VPC endpoint ID
Sign up for GovCloud

A

n/a

39
Q

Used to find out which resources are shared externally

CloudWatch
CloudTrail
IAM Access Analyzer
Security Hub
Amazon Detective

A

IAM Access Analyzer

40
Q

This is a user defined zone in IAM Access Analyzer where you determine what is in your trusted zone

Zone of Moldar
Lord of the Zone
Zone 1
Zone of Trust

A

Zone of Trust
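
What the two cards above describe (find resources shared outside the zone of trust) can be modelled locally on a single resource-based policy. The block below is an added example written for these notes, not IAM Access Analyzer's own logic or any AWS code: it walks an S3 bucket policy in standard IAM JSON and returns one finding per Allow statement whose principal lies outside a user-defined set of trusted account IDs (optionally plus one AWS Organizations ID honoured through the aws:PrincipalOrgID condition). The account IDs, organization ID and bucket name are constructed placeholders, and the treatment of service principals and conditions is a deliberate simplification of the real service.

```python
"""Added example: a small model of IAM Access Analyzer's "zone of trust"
check applied to one S3 bucket policy. Illustrative code only, not the
service's implementation; see the assumptions in the comments."""
import re

# Account ID inside an IAM or STS principal ARN, e.g.
# arn:aws:iam::111111111111:root or arn:aws:sts::111111111111:assumed-role/x/y
ACCOUNT_IN_ARN = re.compile(r"^arn:aws[\w-]*:(?:iam|sts)::(\d{12}):")


def principal_account(principal):
    """Account ID behind an AWS principal value; None for '*' or anything that
    is not a bare 12-digit account ID or an IAM/STS ARN."""
    if re.fullmatch(r"\d{12}", principal):
        return principal
    m = ACCOUNT_IN_ARN.match(principal)
    return m.group(1) if m else None


def _as_list(value):
    """IAM JSON allows a scalar wherever a list is allowed; normalise."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def external_access(policy, trusted_accounts, trusted_org=None):
    """Findings for Allow statements that grant access to principals outside
    the zone of trust (a set of account IDs, optionally one Organizations ID)."""
    findings = []
    for stmt in _as_list(policy.get("Statement")):
        if stmt.get("Effect") != "Allow":
            continue
        principal = stmt.get("Principal", {})
        if principal == "*":
            aws_principals = ["*"]
        else:
            # Assumption for this example: only the "AWS" principal key is
            # inspected; service principals (e.g. logging.s3.amazonaws.com)
            # are AWS services rather than outside parties.
            aws_principals = _as_list(principal.get("AWS"))
        # A wildcard principal pinned to your own organization via
        # aws:PrincipalOrgID stays inside the zone of trust.
        org_ids = _as_list(stmt.get("Condition", {})
                           .get("StringEquals", {})
                           .get("aws:PrincipalOrgID"))
        if trusted_org is not None and trusted_org in org_ids:
            continue
        for p in aws_principals:
            if principal_account(p) in trusted_accounts:
                continue
            findings.append({
                "Sid": stmt.get("Sid", "<no Sid>"),
                "Principal": p,
                "Actions": _as_list(stmt.get("Action")),
                "IsPublic": p == "*",        # public access, the worst case
            })
    return findings


# Constructed sample bucket policy with fake account IDs and org ID.
SAMPLE_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Sid": "InternalRead", "Effect": "Allow",
         "Principal": {"AWS": ["arn:aws:iam::111111111111:root", "222222222222"]},
         "Action": "s3:GetObject", "Resource": "arn:aws:s3:::example-bucket/*"},
        {"Sid": "PartnerWrite", "Effect": "Allow",
         "Principal": {"AWS": "arn:aws:iam::999999999999:role/partner-uploader"},
         "Action": ["s3:PutObject"], "Resource": "arn:aws:s3:::example-bucket/inbox/*"},
        {"Sid": "PublicRead", "Effect": "Allow", "Principal": "*",
         "Action": "s3:GetObject", "Resource": "arn:aws:s3:::example-bucket/www/*"},
        {"Sid": "OrgWideList", "Effect": "Allow", "Principal": "*",
         "Action": "s3:ListBucket", "Resource": "arn:aws:s3:::example-bucket",
         "Condition": {"StringEquals": {"aws:PrincipalOrgID": "o-exampleorg1"}}},
        {"Sid": "LogDelivery", "Effect": "Allow",
         "Principal": {"Service": "logging.s3.amazonaws.com"},
         "Action": "s3:PutObject", "Resource": "arn:aws:s3:::example-bucket/logs/*"},
        {"Sid": "DenyInsecure", "Effect": "Deny", "Principal": "*",
         "Action": "s3:*", "Resource": "arn:aws:s3:::example-bucket/*",
         "Condition": {"Bool": {"aws:SecureTransport": "false"}}},
    ],
}

ZONE_OF_TRUST = {"111111111111", "222222222222"}


def sample_findings():
    """Findings for the constructed policy with the organization trusted."""
    return external_access(SAMPLE_POLICY, ZONE_OF_TRUST, trusted_org="o-exampleorg1")


if __name__ == "__main__":
    for f in sample_findings():
        print(f)
```

Two findings come back: the partner role in account 999999999999 (cross-account sharing) and the wildcard read on the www/ prefix (public). The organization-scoped wildcard produces none, which is the reason the zone of trust is defined by you rather than fixed at "this account only".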

41
Q

Amazon Detective
Amazon GuardDuty

A - a threat detection service that continuously monitors malicious activity and unauthorized behavior to protect AWS accounts and workloads.

B - simplifies the process of investigating security findings and identifying the root cause.

A

Amazon Detective - B

Amazon GuardDuty - A

42
Q

Amazon Inspector
Amazon GuardDuty

A - a threat detection service that continuously monitors malicious activity and unauthorized behavior to protect AWS accounts and workloads.

B - runs automated security assessments on running EC2 instances, container images in ECR, and Lambda functions.

A