Security

Question 1

What does AWS Shield protect

Answer 1

It protects against DDoS

Question 2

What is Amazon GuardDuty?

Answer 2

Amazon GuardDuty is a threat detection service that continuously monitors, analyzes, and processes AWS data sources and logs in your AWS environment

Question 3

Is it possible to disable GuardDurty

Answer 3

Yes it’s possible to suspend and disable it

Question 4

What is the default security policy for TLS listeners created using the AWS Management Console?

Answer 4

The ELBSecurityPolicy-TLS13-1-2-2021-06 policy, which includes TLS 1.3, and is backwards compatible with TLS 1.2, is the default security policy for TLS listeners created using the AWS Management Console

Question 5

What is the type of resource-based policy which can be attached to an IAM role?

Answer 5

The IAM service supports only one type of resource-based policy called a role trust policy, which is attached to an IAM role.

Question 6

AWS WAF can protect:

Answer 6

• Amazon CloudFront
• Amazon API Gateway
• Application Load Balancer
• AWS AppSync
• Amazon Cognito user pool
• AWS App Runner service
• AWS Verified Access instance

Question 7

What is AWS Security Hub?

Answer 7

AWS Security Hub gives you a comprehensive view of your high-priority security alerts and security posture across your AWS accounts.

Question 8

AWS WAF can use criteria like the following to allow or block requests:

Answer 8

• IP address origin of the request
• Country of origin of the request
• String match or regular expression (regex) match in a part of the request
• Size of a particular part of the request
• Detection of malicious SQL code or scripting
• You can also test for any combination of these conditions.
• You can block or count web requests that not only meet the specified conditions, but also exceed a specified number of requests in a single minute.

Question 9

Can you share a KMS key with another accounts?

Answer 9

Yes. Cross-account access is supported.

Question 10

What is the KMS default rotation time

Answer 10

1 year. Can be changed to a custom value.

Question 11

What is the AWS service that provides you with a comprehensive view of your security state in AWS and helps you assess your AWS environment against security industry standards and best practices?

Answer 11

AWS Security Hub

Question 12

What is the AWS service that provides collects security data across AWS accounts, AWS services, and supported third-party products and helps you analyze your security trends and identify the highest priority security issues.

Answer 12

AWS Security Hub

Question 13

What is a collection of AWS Config rules and remediation actions that can be easily deployed as a single entity in an account and a Region or across an organization in AWS Organizations.

Answer 13

Conformance pack

Question 14

GuardDuty foundational data sources?

Answer 14

• AWS CloudTrail management events
• VPC Flow Logs
• Route53 Resolver DNS query logs

Question 15

SCPs affect:

Answer 15

• the member accounts in your organization
• IAM users and roles
• the root user

Question 16

SCPs don’t affect:

Answer 16

• resource-based policies directly.
• any service-linked role
• users or roles in the management account

Question 17

What is the main difference between Security Groups and Network ACL in terms of inbound/outbound rules?

Answer 17

• Security Groups: Stateful / inbound is enough.
• Network ACLs: Stateless / both inbound and outbound required.