Section 26: AWS Security and Encryption Flashcards
A managed service that makes it easy for you to create and control the cryptographic keys that are used to protect your data
AWS Key Management Service (KMS)
How often do AWS Managed Keys rotate?
Once per year
What are the three types of KMS keys in AWS KMS?
AWS Managed Key
Customer Managed Keys (CMK) created in KMS
Customer Managed Keys Imported
True/False: KMS keys are global
False - KMS keys are scoped per region
What are the two KMS Key Policy types?
Default KMS Key Policy
Custom KMS Key Policy
A capability of AWS Systems Manager that provides secure, hierarchical storage for configuration data management and secrets management
AWS Systems Manager Parameter Store
AWS service that enables you to replace hardcoded credentials in your code, including passwords, with an API call to retrieve the secret programmatically
AWS Secrets Manager
AWS service that handles the complexity of creating, storing, and renewing public and private SSL/TLS X.509 certificates and keys that protect your AWS websites and applications
AWS Certificate Manager
True/False: AWS Web Application Firewall can be deployed on the following:
Network Load Balancer
API Gateway
CloudFront
AppSync GraphQL API
Cognito user pool
False - it is the Application Load Balancer, not the Network Load Balancer; WAF can be deployed on:
Application Load Balancer
API Gateway
CloudFront
AppSync GraphQL API
Cognito user pool
A managed DDoS protection service that safeguards applications running on AWS
AWS Shield
A security management service that allows you to centrally configure and manage firewall rules across your accounts and applications in AWS Organizations
AWS Firewall Manager
A security monitoring service that analyzes and processes data sources, such as AWS CloudTrail data events for Amazon S3 logs, CloudTrail management event logs, DNS logs, Amazon EBS volume data, Kubernetes audit logs, Amazon VPC flow logs, and RDS login activity
Amazon GuardDuty
A vulnerability management service that continuously scans your AWS workloads for software vulnerabilities and unintended network exposure
Amazon Inspector
A data security service that discovers sensitive data by using machine learning and pattern matching, provides visibility into data security risks, and enables automated protection against those risks
Amazon Macie
What three object types does Amazon Inspector evaluate?
EC2 instances, container images, and Lambda functions
True/False: To enable In-flight Encryption (In-Transit Encryption), we need to have an HTTPS endpoint with an SSL certificate
True
True/False: Server-Side Encryption means that the data is sent encrypted to the server.
False - The server encrypts the data for “data-at-rest”
In Server-Side Encryption, where do the encryption and decryption happen?
Both happen on the server
True/False: In Client-Side Encryption, the server must know our encryption scheme before we can upload the data
False - The server needs no information about the encryption scheme
True/False: AWS KMS supports both symmetric and asymmetric KMS keys.
True
You have a secret value that you use for encryption purposes, and you want to store and track the values of this secret over time. Which AWS service should you use?
SSM Parameter Store
Your user-facing website is a high-risk target for DDoS attacks and you would like to get 24/7 support in case they happen and AWS bill reimbursement for the incurred costs during the attack. What AWS service should you use?
AWS Shield Advanced
You have a website hosted on a fleet of EC2 instances fronted by an Application Load Balancer. What should you use to protect your website from common web application attacks (e.g., SQL Injection)?
AWS WAF
You would like to analyze OS vulnerabilities from within EC2 instances. You need these analyses to occur weekly and provide you with concrete recommendations in case vulnerabilities are found. Which AWS service should you use?
Amazon Inspector
What is the most suitable AWS service for storing RDS DB passwords which also provides you automatic rotation?
AWS Secrets Manager
Which AWS service allows you to centrally manage EC2 Security Groups and AWS Shield Advanced across all AWS accounts in your AWS Organization?
AWS Firewall Manager
What are three AWS data sources that GuardDuty analyzes for malicious activity and unauthorized behavior?
AWS CloudTrail Events
Amazon VPC Flow Logs
DNS logs
True/False: If you delete a customer master key (CMK) in AWS Key Management Service (AWS KMS), then the key is immediately lost
False - KMS enforces a waiting period of 7-30 days before the key is deleted
If a company decides to stop using AWS GuardDuty, how can you ensure that all data gets deleted?
Disable the service in the general settings
What resources can you protect using a Web Application Firewall (WAF)?
Amazon CloudFront distribution
Amazon API Gateway REST API
Application Load Balancer
AWS AppSync GraphQL API
Amazon Cognito user pool