SECURITY Flashcards

1
Q

Identity and Access Management (IAM)

A

IAM allows you to control access to your AWS services and resources

2
Q

Web Application Firewall (WAF)

A

WAF helps protect your web applications against common web attacks.

3
Q

Shield

A

Shield is a managed distributed denial of service (DDoS) protection service.

4
Q

Macie

A

Macie helps you discover and protect sensitive data – Discover passport numbers stored on S3 – Macie can be used to find sensitive data like passport numbers, social security numbers, and credit card numbers on S3

5
Q

Config

A

Config allows you to assess, audit, and evaluate the configurations of your resources. Identify system-level configuration changes made to your EC2 instances. Config allows you to record configuration changes within your EC2 instances. You can view network, software, and operating system (OS) configuration changes, system-level updates, and more.

6
Q

GuardDuty

A

GuardDuty is an intelligent threat detection system that uncovers unauthorized behavior. Detect unusual API calls in your account. GuardDuty’s anomaly detection feature evaluates all API requests in your account and identifies events that are associated with common techniques used by attackers.

7
Q

Inspector

A

Inspector works with EC2 instances to uncover and report vulnerabilities. Identify unintended network access to an EC2 instance via a detailed report of security findings. Inspector has several built-in rules to assess your EC2 instances, find vulnerabilities, and report them prioritized by level of severity.

8
Q

Artifact

A

Artifact offers on-demand access to AWS Security and Compliance reports.

9
Q

Key Management Service (KMS)

A

KMS allows you to generate and store encryption keys.

10
Q

CloudHSM

A

CloudHSM is a hardware security module (HSM) used to generate encryption keys.

11
Q

AWS Responsibility (Security of the Cloud)

A
  • AWS Global Infrastructure: AWS is responsible for its global infrastructure elements: Regions, Edge locations, and Availability Zones.
  • Building Security: AWS controls access to its data centers where your data resides.
  • Networking Components: AWS maintains networking components: generators, uninterruptible power supply (UPS) systems, computer room air conditioning (CRAC) units, fire suppression systems, and more.
  • Software: AWS is responsible for any managed service like RDS, S3, ECS, or Lambda, patching of host operating systems, and data access endpoints.
12
Q

Customer Responsibility (Security in the Cloud)

A

Security in the Cloud:
Application Data: You are responsible for managing your application data, which includes encryption options.
Security Configuration: You are responsible for securing your account and API calls, rotating credentials, restricting internet access from your VPCs, and more.
Patching: You are responsible for the guest operating system (OS), which includes updates and security patches.
IAM: You are responsible for application security and access management.
Network Traffic: You are responsible for network traffic protection, which includes security group firewall configuration.
Installed: You are responsible for your application code, installed software, and more. You should frequently scan for and patch vulnerabilities in your code.

13
Q

Customer Responsibility

A

Firewall
Encryption of EBS Volumes
Taking DB backups in RDS
Ensuring data is encrypted at rest
Patching the guest operating system for EC2

14
Q

AWS

A

Data Center security for the physical building
Language versions of Lambda
Updating the firmware on the underlying EC2 hosts
Managing the network infrastructure
Physically destroying storage media at end of life.

15
Q

5 Pillars of the Well-Architected Framework

A
  • Operational Excellence
  • Security
  • Reliability
  • Performance Efficiency
  • Cost Optimization
16
Q

Operational Excellence

A

This pillar focuses on creating applications that effectively support production workloads.
o Plan for and anticipate failure
o Script operations as code
o Deploy smaller, reversible changes
o Learn from failure and refine

17
Q

Security

A

This pillar focuses on putting mechanisms in place that help protect your systems and data.
o Automate security tasks
o Assign only the least privileges required
o Encrypt data in transit and at rest
o Track who did what and when
o Ensure security at all application layers

18
Q

Reliability

A

o Recover from failure automatically
o Scale horizontally for resilience
o Reduce idle resources
o Manage change through automation
o Test recovery procedures

19
Q

Performance Efficiency

A

This pillar focuses on the effective use of computing resources to meet system and business requirements while removing bottlenecks.
o Use serverless ar
o Use multi-region deployments
o Delegate tasks to a cloud vendor
o Experiment with virtual resources

20
Q

Cost Optimization

A

The pillar focuses on delivering optimum and resilient solutions at the least cost to the user.
o Utilize consumption-based pricing
o Measure overall efficiency
o Implement Cloud Financial Management
o Pay only for resources your application requires.

21
Q

AWS Global Accelerator

A

Receive real-time notifications of suspected DDoS incidents and assistance from AWS during the attack. Shield Advanced will give you notifications of DDoS attacks via CloudWatch metrics. Additionally, with Shield Advanced, you have 24/7 access to AWS experts to assist during an attack.