Section 16 - Security & Compliance Flashcards
Two types of AWS Shield (choose two)
Standard
Basic
Advanced
MegaExtreme
Deluxe
Standard
Advanced
Characteristics of Shield Standard (choose three)
free
free tier access for 1st year
enabled by user
activated by default
protects against layer 1 & 7 attacks
protects against layer 3 & 4 (TCP) attacks
free
activated by default
protects against layer 3 and 4 attacks
Characteristics of Shield Advanced (choose four)
1 - Optional DDoS mitigation service for $3k/mo
2 - free tier access for 1st year
3 - protect against more sophisticated attacks
4 - 24/7 access to AWS DDoS Response Team (DRP)
5 - protects against layer 1 & 7 attacks
6 - protect against higher fees during usage spikes due to DDoS
1,3,4,6
Which protection service operates at Layer 7 (HTTP) of the OSI model?
Data Shield
CloudWatch
OnGuard
WAF (Web Application Firewall)
web application firewall
When attempting penetration testing on your own environment, approval (is / is not) needed.
Is not needed for 15 specific services
When engaging in penetration testing of your environment, these types of tests are not allowed (this is for informational purposes, there’s no associated question)
DNS Zone walking via Amazon Route 53 Hosted Zones
Denial of Service
Port flooding
Protocol flooding
Request flooding
n/a
We use this to encrypt data at rest and data in transit:
Encryption chips
Encryption crypts
Encryption keys
You Can’t See Mees
encryption keys
Anytime you hear “encryption” for an AWS service, it is most likely:
Key Management Service
Keys and Manage Service
Data Encrypt keys
Encryptokeys
Key Management Service
Three services that have encryption automatically enabled:
CloudTrail logs
CloudWatch logs
S3 Glacier
S3 Standard
Storage Gateway
CloudTrail logs
S3 Glacier
Storage Gateway
With KMS, who manages the keys?
Organization
AWS
Both AWS and organization
neither AWS nor the organization, but rather a 3rd party
AWS
With HSM, who manages the keys?
Organization
AWS
Both AWS and organization
neither AWS nor the organization, but rather a 3rd party
the organization
What does HSM stand for?
HotSexMany
Hardware Sex Module
Hardware Security Module
Happy Stand Mixer
hardware security module
What type of data encryption involves physical hardware?
Key Management Service
Bit locker
HSM (hardware security module)
Norton
HSM (Hardware security module)
For Hardware security module (HSM), who manages the actual hardware?
AWS
organization
both AWS and organization
3rd party
AWS
How does an organization manage HSM encryption with the HSM hardware on the AWS side?
using a “Cloud HSM client” that integrates with AWS CloudHSM service
with matching hardware on the organization side
Fred
with encrypto keys
using a “Cloud HSM client” that integrates with the AWS CloudHSM service
1 - Cloud HSM keys
2 - AWS owned CMK
3 - AWS managed CMK
4 - customer managed CMK
A - Created, managed and used by the customer, can be enabled or disabled // possibility of a rotation policy (new key generated every year, old key preserved) // possibility to bring-your-own-key
B - Created, managed and used on the customer’s behalf by AWS // Used by AWS services (aws/s3, aws/ebs, aws/redshift)
C - Collection of CMKs that an AWS service owns and manages to use in multiple accounts // AWS can use those to protect resources in your account (but you can’t view the keys)
D - keys generated from your own CloudHSM hardware device // cryptographic operations are performed within the CloudHSM cluster
1 - D
2 - C
3 - B
4 - A