Security Flashcards

1
Q

What model do we use for security in AWS?

A

The shared responsibility model

2
Q

What is specified in the shared responsibility model in AWS?

A

The responsibilities of both the AWS side of things and the customer.

3
Q

Shared Responsibility Model - Customer

A

Customer data
Platform, applications, Identity and Access Management (IAM)
Operating systems, and network and firewall configuration
Client-side data encryption, server-side data encryption, and networking traffic protection

4
Q

Shared Responsibility Model - Amazon Web Services (AWS)

A

Software: Compute, storage, database, networking
Hardware: Regions, Availability Zones, Edge Locations

5
Q

Software: Compute, storage, database, networking
Hardware: Regions, Availability Zones, Edge Locations
Is the responsibility of?

A

Amazon Web Services (AWS)

6
Q

Customer data
Platform, applications, Identity and Access Management (IAM)
Operating systems, and network and firewall configuration
Client-side data encryption, server-side data encryption, and networking traffic protection
Is the responsibility of?

A

Customer

7
Q

Which tasks are the responsibilities of customers? (Select TWO.)

Maintaining network infrastructure
Patching software on Amazon EC2 instances
Implementing physical security controls at data centers
Setting permissions for Amazon S3 objects
Maintaining servers that run Amazon EC2 instances

A

Patching software on Amazon EC2 instances
Setting permissions for Amazon S3 objects

8
Q

When you create an AWS account, you are given ___?

A

AWS account root user

9
Q

When are you given the AWS account root user?

A

When you create an AWS account

10
Q

What can control any resource in the account?

A

The AWS account root user

11
Q

What can the AWS account root user control and access?

A

Any resource in the account

12
Q

What does MFA stand for?

A

Multi-factor authentication

13
Q

What is the best practice when you create an AWS account?

A

To turn MFA on and not use the root user for everything.

14
Q

What can you create in Amazon IAM?

A

IAM users, and later you can set up permissions for each user.

15
Q

Describe the principle of least privilege:

A

A user is granted access only to what they need

16
Q

How do you give permissions to IAM users?

A

With an IAM policy (a JSON document)

17
Q

Describe IAM groups

A

You can add IAM users to a group and then attach an IAM policy to that group. By doing so, the policy applies to every user in the group.

18
Q

Describe AWS IAM roles

A

Associated permissions, allow or deny, assumed for temporary amounts of time, no username or password (but it is similar), access to temporary permissions, AWS resources/users/external identities/applications/other AWS resources

19
Q

AWS Identity and Access Management (IAM) abbreviation

A

AWS IAM

20
Q

What is AWS Organizations?

A

A central location to manage multiple AWS accounts

21
Q

Characteristics of AWS Organizations

A

Centralized management
Consolidated billing
Hierarchical groupings of accounts
AWS service and API actions access control

22
Q

In AWS Organizations, you can centrally control permissions for the accounts in your organization by using what service? It also enables you to place restrictions on the AWS services, resources, and individual API actions that users and roles in each account can access.

A

Service control policies (SCPs)

23
Q

What are service control policies (SCPs) used for?

A

In AWS Organizations, you can centrally control permissions for the accounts in your organization by using service control policies (SCPs). They also enable you to place restrictions on the AWS services, resources, and individual API actions that users and roles in each account can access.

24
Q

In AWS Organizations, you can group accounts into what to make it easier to manage accounts with similar business or security requirements?

A

Organizational units (OUs)

25
Q

What does AWS Artifact provide?

A

AWS Artifact is a service that provides on-demand access to AWS security and compliance reports and select online agreements. AWS Artifact consists of two main sections: AWS Artifact Agreements and AWS Artifact Reports.

26
Q

Which service provides on-demand access to AWS security and compliance reports and select online agreements?

A

AWS Artifact

27
Q

Which tasks can you complete in AWS Artifact? (Select TWO.)

Access AWS compliance reports on-demand.
Consolidate and manage multiple AWS accounts within a central location.
Create users to enable people and applications to interact with AWS services and resources.
Set permissions for accounts by configuring service control policies (SCPs).
Review, accept, and manage agreements with AWS.

A

Access AWS compliance reports on-demand.
Review, accept, and manage agreements with AWS.

28
Q

What is DDoS?

A

Distributed denial-of-service

29
Q

What service protects applications against DDoS attacks and provides two levels of protection: Standard and Advanced?

A

AWS Shield

30
Q

Describe AWS Shield

A

AWS Shield is a service that protects applications against DDoS attacks. AWS Shield provides two levels of protection: Standard and Advanced.

31
Q

Describe encryption

A

Securing a message or data in a way that only authorized parties can access it

32
Q

AWS Key Management Service abbreviation?

A

Amazon KMS

33
Q

What does Amazon KMS stand for?

A

Amazon Key Management Service

34
Q

Describe Amazon Inspector

A

Improves security and compliance of your AWS deployed apps by running an automated security assessment against your infrastructure. It checks for security best practices.

It checks applications for security vulnerabilities and deviations from security best practices, such as open access to Amazon EC2 instances and installations of vulnerable software versions.

After Amazon Inspector has performed an assessment, it provides you with a list of security findings. The list prioritizes by severity level, including a detailed description of each security issue and a recommendation for how to fix it.

35
Q

What service consists of the following three parts:
Network configuration reachability piece
Amazon agent
Security assessment service

A

Amazon Inspector

36
Q

Amazon Inspector is composed of three parts. What are they?

A

Network configuration reachability piece
Amazon agent
Security assessment service

37
Q

Describe Amazon GuardDuty

A

It analyzes continuous streams of metadata generated from your account and network activity (found in AWS CloudTrail events, Amazon VPC Flow Logs, and DNS logs).
It identifies threats by continuously monitoring the network activity and account behavior within your AWS environment.
If GuardDuty detects any threats, you can review detailed findings about them from the AWS Management Console. Findings include recommended steps for remediation. You can also configure AWS Lambda functions to take remediation steps automatically in response to GuardDuty’s security findings.

38
Q

What is AWS KMS used for?

A

You can use AWS KMS to create, manage, and use cryptographic keys. You can also control the use of keys across a wide range of services and in your applications.

39
Q

What is AWS WAF (web application firewall)?

A

A web application firewall that lets you monitor network requests that come into your web applications. It uses a web access control list (ACL) to protect AWS resources.

40
Q

Which statement best describes an IAM policy?

An authentication process that provides an extra layer of protection for your AWS account
A document that grants or denies permissions to AWS services and resources
An identity that you can assume to gain temporary access to permissions
The identity that is established when you first create an AWS account

A

A document that grants or denies permissions to AWS services and resources

41
Q

An employee requires temporary access to create several Amazon S3 buckets. Which option would be the best choice for this task?

AWS account root user
IAM group
IAM role
Service control policy (SCP)

A

IAM role

42
Q

Which statement best describes the principle of least privilege?

Adding an IAM user into at least one IAM group

Checking a packet’s permissions against an access control list

Granting only the permissions that are needed to perform specific tasks

Performing a denial of service attack that originates from at least one device

A

Granting only the permissions that are needed to perform specific tasks

43
Q

Which service helps protect your applications against distributed denial-of-service (DDoS) attacks?

Amazon GuardDuty
Amazon Inspector
AWS Artifact
AWS Shield

A

AWS Shield

44
Q

Which task can AWS Key Management Service (AWS KMS) perform?

Configure multi-factor authentication (MFA).
Update the AWS account root user password.
Create cryptographic keys.
Assign permissions to users and groups.

A

Create cryptographic keys.