Security

Question 1

What is Cloud Trail?

Answer 1

A service that logs all API calls made your AWS account and stores these in logs in S3.

It monitors whats going on via API or console.

Question 2

What is AWS Shield?

Answer 2

Free DDOS Protection

Protects agains layer 3 and 4 attacks

Question 3

What does AWS Shield Advanced give you?

Answer 3

A 24/7 DDoS Response team at $3,000 a month

Question 4

What is AWS WAF?

Answer 4

Web Application Firewall

Lets you monitor the HTTP and HTTPS requests to your application.

Question 5

What layer does WAF work on?

Answer 5

Layer 7

Question 6

What is AWS Guard Duty?

Answer 6

GuardDuty is a threat detection service that uses machine learning to continuously monitor for malicious behavior.

Question 7

What is AWS Macie?

Answer 7

A service that uses machine learning to find PII information in S3

Question 8

What is AWS Inspector?

Answer 8

Automated security assessment service that helps improve the security and compliance of applications deployed on AWS

Question 9

What is AWS Key Management Service? (AWS KMS?)

Answer 9

A managed service that makes it easy for you to create and control the encryption keys used to encrypt your data

Question 10

What are the three ways to generate a CMK?

Answer 10

1) AWS Creates the CMK for you

2) You import key material from your own key management infrastructure and associate it with a CMK

3) Have the key material generated and used in an AWS CloudHSM cluster as part of the custom key store feature in AWK KMS

Question 11

What is AWS Secrets Manager?

Answer 11

A service that securely stores, encrypts, and rotates your database credentials and other secrets.

Question 12

What is AWS Parameter Store?

Answer 12

A free version of AWS Secrets manager but you don’t get auto key rotation and need to have 10,000 or less parameters

Question 13

What is AWS Cognito?

Answer 13

Provides authentication, authorization, and user management for your web and mobile apps.

Question 14

In general, what does a DDoS attack entail?

Answer 14

A large number of connections overwhelms your architecture. Your application is unable to answer the legitimate requests that are sent to it.

Question 15

What is the best way to deliver content from an S3 bucket that only allows users to view content for a set period of time?

Answer 15

Create a presigned URL using S3.

Question 16

You need a single source you can visit to get the compliance-related information that matters to you, such as AWS security and compliance reports or select online agreements. Which service should you use?

Answer 16

AWS Artifact

Question 17

What does DDoS stand for?

Answer 17

Distributed Denial of Service

Question 18

True or False? Amazon Inspector requires an agent for host assessment rules packages.

Answer 18

True

Question 19

Which of the following is NOT a data source for GuardDuty?

A) RDS event history

B) VPC Flow Logs

C) CloudTrail logs

D) DNS query logs

Answer 19

A) RDS Event History

Question 20

What is a good use case for AWS Audit Manager?

Answer 20

To automatically produce reports specific to auditors for PCI compliance, GDPR, and more.

Question 21

What is the minimum length of time before you can schedule a KMS key to be deleted?

Answer 21

7 days

Question 22

Which of the following best describes AWS Firewall Manager?

A) A managed service that makes it easy to deploy physical firewall protection across your VPCs via its managed infrastructure (e.g., a physical firewall that is managed by AWS).

B) A service that provides authentication, authorization, and user management for your web and mobile apps without the need for custom code.

C) A security management service that allows you to centrally configure and manage firewall rules across your accounts and applications.

D An automated service that produces reports specific to auditors for PCI compliance, GDPR, and more.

Answer 22

C) A security management service that allows you to centrally configure and manage firewall rules across your accounts and applications.

Question 23

Which Layers does WAF provide protection on?

Answer 23

Layer 7

Question 24

Which service provides authentication, authorization, and user management for your web and mobile apps without the need for custom code?

Answer 24

Amazon Cognito

Question 25

What kind of findings can AWS Inspector discover?

Answer 25

Insufficient patching of applications on an EC2 instance.

Question 26

True or False? For customers on Business or Enterprise support plans, AWS Shield Advanced provides access to a 24/7 support team to help with DDoS issues.

Answer 26

True

Question 27

True or False? You must explicitly deny all IAM policy API calls that a user shouldn’t be able to make.

Answer 27

False

Question 28

You need a managed service that makes it easy to deploy physical firewall protection across your VPCs. Which service should you use?

Answer 28

AWS Network Firewall

Question 29

Where is the most cost effective place to store your database passwords in a secure manner?

Answer 29

Parameter Store

Question 30

What would you use AWS Network Firewall for?

Answer 30

As a way to deploy physical firewall protection across your VPCs via its managed infrastructure (e.g., a physical firewall that is managed by AWS).

Question 31

What is the easiest way to log API calls in AWS?

Answer 31

Enable CloudTrail and pick an S3 bucket to store the logs in.

Question 32

Which AWS service supports automatic rotation of RDS security credentials?

Answer 32

Secrets Manager

Question 33

Your boss requires automatic key rotation for your encrypted data. Which AWS service supports this?

Answer 33

KMS

Question 34

What kind of data can Macie identify?

Answer 34

Personal identifiable information (PII) such as names and addresses, Social Security numbers, credit card numbers

Question 35

Which Layers does AWS Shield Standard provide protection on?

Answer 35

Layers 3 and 4