Security

Question 1

When creating an IAM user group, is it best practice to attach a policy or role?

Answer 1

Policy

You can not attach a role to a group

Question 2

You have been asked by the auditors to produce regular reports in regards to your PCI compliance. Which service should you use to produce this as fast and as efficiently as possible?

Answer 2

AWS Audit Manager

AWS Audit Manager is an automated service that produces reports specific to auditors for PCI compliance, GDPR, and more.

Question 3

AWS service that acts as a single source to get the compliance-related information that matters to you, such as AWS security and compliance reports or select online agreements.

Answer 3

AWS Artifact

Question 4

Which web service can be used to provide users that you authenticate with short-term security credentials that can control access to your AWS resources?

Answer 4

AWS STS

Question 5

Default Configuration of the Default NACL

Answer 5

Allow

Question 6

Default Configuration of a Custom NACL

Answer 6

Deny

Question 7

Instance states in which an attached security group can be changed?

Answer 7

Running
Stopped

Question 8

For auditing purposes you would like to be informed if an object is restored to S3 from Glacier. What is the most efficient way you can do this?

Answer 8

Configure S3 notifications for restore operations from Glacier

• first add a notification configuration that identifies the events you want Amazon S3 to publish and the destinations where you want Amazon S3 to send the notification

Question 9

Steps to Authenticate with Cognito

Answer 9

1. Authenticate and Get Tokens
2. Exchage Token for AWS credentials
3. Access AWS services using credentials

Question 10

How to easily generate Cost and Billing reports for multiple AWS Accounts?

Answer 10

AWS Cost and Usage Reports to generate reports,

Question 11

How to easily put AWS Cost and Usage Reports to generate reports in CSV format into an S3 bucket

Answer 11

Can be setup to automatically store updated reports in Amazon S3 every 24 hours.

Question 12

WS service can help you optimize your AWS environment by giving recommendations to reduce cost, increase performance, and improve security

Answer 12

Trusted Advisor

Question 13

Which AWS service can you use to help ensure you don’t have cost overruns for your AWS resources?

Answer 13

AWS Budgets

Allows you to have alerts when getting to a certain budget threshold

Question 14

AWS AI service that is built to detect fraud in your data.

Answer 14

AWS Fraud Detector

Question 15

This allows you to centrally set up and manage firewall rules across multiple AWS accounts and applications in AWS Organizations.

Answer 15

AWS Firewall Manager

Question 16

You suspect an EC2 it is being used to mine bitcoin rather than for educational purposes. Somehow, your production environment has been compromised and you need to quickly identify the root cause of this compromise. Which service?

Answer 16

AWS Detective

Question 17

A Cloud Security Posture Management service that performs security best practice checks, aggregates alerts, and enables automated remediation.

Answer 17

AWS Security Hub

Question 18

AWS Service that can help run vulnerability scans on EC2 instances

Answer 18

AWS Inspector

Question 19

Continuous security monitoring service that analyzes and processes several AWS services using AI to detect if there is suspicious activity

Answer 19

AWS Guard Duty

Question 20

You want to distribute private content to users for a limited amount of time. Which CloudFront feature allows you to securely distribute this private content?

Answer 20

CloudFront Signed URLS

Question 21

How to add or deny access to another AWS Account or OU using AWS Organizations servic

Answer 21

Create a Service control Policy (SCP)

Question 22

How to grant cross account access if you do not have AWS Organizations setup?

Answer 22

You can use an IAM role to allow someone (a trusted principal) in a different account to access resources in your account. Roles are the primary way to grant cross-account access.

Question 23

An IAM user account was compromised, how to act immediately to deny any further access

Answer 23

1st update the Permission Policy AWSRevokeOlderSessions inline deny signs out all polices currently using role and implies new policies.

Trust Policy - then update trust policy. These do not impact current sessions but only new sessions.

Question 24

AWS Service that service that enables you to assess, audit, and evaluate the configurations of your AWS resources. Continuously monitors and records your AWS resource configurations and allows you to automate the evaluation of recorded configurations against desired configurations.

Answer 24

AWS Config

Question 25

AWS Service that allows you to issue short-lived access tokens that act as temporary security credentials to allow access to your AWS resources?

Answer 25

AWS STS

Question 26

AWS Service that makes it easy to centrally manage Single Sign On access to multiple AWS accounts

Answer 26

AWS SSO

Question 27

What service can you use to create rate-based rules to prevent against HTTP flood attacks

Answer 27

AWS WAF

or AWS Shield Advanced

Question 28

Services you can use to help protect DDoS attacks

Answer 28

AWS Sheild
AWS WAF
CloudFront
Autoscaling

Question 29

I want a Lambda function to have access to my KMS key, what 2 steps do I need to do to ensure it has access

Answer 29

Add the kms:decrypt permission to the lambda exectution role

Add the lambda execution role to the KMS key policy with the kms:decrypt permission

Question 30

What can a SCP be attached to?

Answer 30

An orginizational root, an organizational unit (OU) or an account