security

Question 1

AWS responsibility?

Answer 1

Physical
Network
Hypervisor
Virtualization infrastructure

Question 2

Customer responsibility?

Answer 2

Data
Application
OS
Permissions
Patching OS software

Question 3

AWS Identity and Access Management (IAM)

Answer 3

enables you to manage access to AWS services and resources securely

Question 4

IAM Root user

Answer 4

created by default, should not share, has the most power
MFA should be enabled

Question 5

IAM Users

Answer 5

can be part of 0 to n groups

no permission by default.
need permission to provide :
launching an Amazon EC2 instance or creating an Amazon S3 bucke

Question 6

IAM Identities

Answer 6

Users
Groups
Roles

Question 7

IAM Group

Answer 7

Contains users only

Question 8

IAM policy

Answer 8

JSON document that describes that what API calls that a user can and cannot make.

Question 9

IAM role

Answer 9

an identity that you can assume to gain temporary access to permissions.

Question 10

AWS organization

Answer 10

allows to manage multiple aws accounts from a central location
centralized management
bulk discounts
consolidated bills
hierarchical groupings of accounts
control for Aws sercie and API actions access control

Question 11

you can apply SCP to whom?

Answer 11

Organization root,
individual member account
OU (Organizational Unit)

if affects all IAM users, groups and roles within an account

Question 12

DDOS

Answer 12

is a deliberate attempt to make a website or application unavailable to users.

Question 13

AWS Shield

Answer 13

no cost

Question 14

AWS Shield Advanced

Answer 14

paid service.
provided detailed attack diagnosis
ability to detect and mitigate sophisticated DDoS attack

Question 15

KMS (Key manager service)

Answer 15

Data at rest (lying in storage)
Data in transit (Moving from one location to another)
AWS manages the encryption key
Services that have encyption enabled by default:
CloudTrail logs
S3 Glacier
Storage Gateway

Question 16

AWS WAF

Answer 16

is a web application firewall that lets you monitor network requests that come into your web applications.

Question 17

aws kms

Answer 17

Create cryptographic keys.

Question 18

amazon guard duty

Answer 18

A service that provides intelligent threat detection for your AWS infrastructure and resources.

Question 19

amazon inspector

Answer 19

A service that checks applications for security vulnerabilities and deviations from security best practices

Question 20

Security group

Answer 20

controls inbound and outbound traffic for Amazon EC2 instances?

Question 21

ACL network access control list

Answer 21

virtual firewall that controls inbound and outbound traffic at the subnet level.

Question 22

subnet

Answer 22

a section of a VPC in which you can group resources based on security or operational needs.