Security

Question 1

If you see a question that asks for an Intrusion Prevention System (IPS), think of…

Answer 1

Network Firewall

Question 2

Which AWS service has access to a database of known malicious IPs?

Answer 2

GuardDuty

Question 3

How does a Web ACL relate to AWS WAF?

Answer 3

A Web ACL is a configurable component of AWS WAF.

Question 4

What is GuardDuty?

Answer 4

A threat detection service that uses machine learning to continuously monitor for malicious behaviour.

Question 5

Which AWS services does AWS Shield work with?

Answer 5

ELB, CloudFront, Route53

Question 6

If you see a scenario about multiple AWS accounts and resources that need to be secured centrally, think of…

Answer 6

AWS Firewall Manager

Question 7

Which AWS service provides sign-up and sign-in options for your apps?

Answer 7

Cognito

Question 8

If you see a question about filtering your network traffic before it even reaches your internet gateway, think of…

Answer 8

Network Firewall

Question 9

What two types of assessment does Inspector offer and what do they check for?

Answer 9

Network - ports reachable from outside VPC.
Host - CVEs, security best practices.

Question 10

What is AWS Network Firewall?

Answer 10

A managed service that deploys a physical firewall protection across your VPCs.

Question 11

For exam questions that ask for an AI / automated solution to protect your AWS account, think of…

Answer 11

GuardDuty

Question 12

Apart from DDoS attacks, what kind of attacks can AWS WAF protect against?

Answer 12

SQL injection
Cross-site scripting

Question 13

What is KMS?

Answer 13

A managed services that makes it easy for you to manage the encryption keys used to encrypt your data.

Question 14

Shield/Shield Advanced protects against attacks on which layers?

Answer 14

Layers 3 and 4

Question 15

What logs does AWS GuardDuty monitor?

Answer 15

CloudTrail Logs
VPC Flow Logs
DNS Logs

Question 16

Shield Advanced gives you 24/7 access to…

Answer 16

a dedicated DDoS response team.

Question 17

When should you use Secrets Manager over Parameter Store?

Answer 17

If you need:
- more than 10,000 parameters
- key rotation
- the ability to generate passwords with CloudFormation

Question 18

Where can you view all your alerts from services like GuardDuty, Inspector, Macie, and Firewall Manager, across multiple accounts?

Answer 18

Security Hub

Question 19

What’s a typical use case for pre-signed cookies?

Answer 19

A stock photo website

Question 20

What does Inspector do?

Answer 20

It performs vulnerability scans on EC2 instances and VPCs.

Question 21

If you need to share an object in a bucket, but both bucket and object are private, think of using…

Answer 21

pre-signed URLS.

Question 22

How does GuardDuty work?

Answer 22

It needs 7 - 14 days to set a baseline, then alerts on anomalies.

Question 23

If you enable rotation in Secrets Manager, when will be the next time it rotates the secret?

Answer 23

Immediately

Question 24

Which AWS tool operates across multiple AWS services and uses graph theory to uncover the root cause of an event?

Answer 24

Detective

Question 25

What does CloudTrail do?

Answer 25

It records actions in the AWS console and API calls.

i.e. it increases visibility.

Question 26

When would you use a pre-signed cookie?

Answer 26

When you want to provide access to multiple restricted files in an S3 bucket.

Question 27

What does AWS Certificate Manager do?

Answer 27

Allows you to create, manage, and deploy SSL certificates for use with other AWS services.

Question 28

Which tool can tell you, in real time, if you are being DDoSed?

Answer 28

AWS Shield Advanced

Question 29

When should you use Parameter Store over Secrets Manager?

Answer 29

When trying to minimize costs.

Question 30

How much does Shield Advanced cost?

Answer 30

$3000 per month

Question 31

What does CMK stand for?

Answer 31

Customer Master Key

Question 32

How do you start using KMS?

Answer 32

By requesting the creation of a CMK.

Question 33

To implement ratelimiting, would you use a Web ACL or a NACL?

Answer 33

Web ACL

Question 34

What layer does AWS WAF operate on?

Answer 34

Layer 7 (Application layer)

Question 35

If you need to block specific countries or IP addresses, you can use…

Answer 35

AWS WAF

Question 36

What are two benefits of AWS Certificate Manager?

Answer 36

• Certificates are free.
• It automates the renewal of your SSL certificate.

Question 37

What’s are 3 differences between a Web ACL and a NACL?

Answer 37

Web ACL:
- application layer (Inspects HTTP/S traffic)
- fine-grained control
- stateful

NACL:
- network layer (Inspects IP traffic)
- broad control
- stateless

Question 38

What does Cognito allow your users to do?

Answer 38

Sign in to your web or mobile apps with a username and password they create OR through a third party, e.g. Google, Facebook, Apple.

Question 39

What are the two limitations of Parameter Store?

Answer 39

• There is a limit to the number of parameters you can store (currently 10,000)
• No automatic key rotation

Question 40

For questions about HIPAA or GDPR compliance that asks about continuous auditing or automating audit reports, think of…

Answer 40

AWS Audit Manager

Question 41

What is Parameter Store?

Answer 41

Storage for configuration data management and secrets management.

Question 42

TRUE or FALSE?
Secrets Manager automatically rotates credentials

Answer 42

TRUE

Question 43

Where does CloudTrail store the logs?

Answer 43

S3

Question 44

In Cognito, what does an identity pool do?

Answer 44

It allows your users to access other AWS services.

Question 45

How can AWS Shield Advanced help with cost savings?

Answer 45

It protects your AWS bill against higher fees due to usage spikes during a DDoS attack.

Question 46

What can you do with Detective?

Answer 46

It lets you analyse the root cause of potential security issues or suspicious activities.

Question 47

What is AWS Shield?

Answer 47

Free DDoS protection

Question 48

What does AWS WAF do?

Answer 48

Monitors the HTTP(S) requests to CloudFront or an Application Load Balancer, and controls access to your content.

Question 49

What should you make sure of before enabling rotation in Secrets Manager?

Answer 49

That all applications that use those credentials are updated to retrieve them from Secrets Manager, and don’t have them embedded.

This is because Secrets Manager will rotate the credentials immediately, and your application will break.

Question 50

What does Macie do?

Answer 50

Uses machine learning and pattern matching to discover sensitive data stored in S3, e.g. PII

Question 51

If you want to get alerts on unencrypted or public S3 buckets, use…

Answer 51

Macie