Security Flashcards
24% of Exam
Which services are integrated with KMS encryption? (choose 2)
- Amazon RDS
- Amazon EC2
- Amazon EBS
- Amazon SWF
- AWS CloudFormation
- Amazon RDS
- Amazon EBS
- https://aws.amazon.com/kms/features/
Under the AWS shared responsibility model what is the customer responsible for? (choose 2)
- Physical security of the data center
- Replacement and disposal of disk drives
- Configuration of security groups
- Patch management of infrastructure
- Encryption of customer data
- Configuration of security groups
- Encryption of customer data
- AWS are responsible for “Security of the Cloud”
- Customers are responsible for “Security in the Cloud”
Which service records API activity on your account and delivers log files to an Amazon S3 bucket?
- Amazon CloudWatch
- Amazon S3 Event Notifications
- Amazon CloudTrail
- Amazon CloudWatch Logs
- Amazon CloudTrail
- AWS CloudTrail is a web service that records activity made on your account and delivers log files to an Amazon S3 bucket
- CloudTrail is for auditing (CloudWatch is for performance monitoring)
The IAM service can be used to manage which objects? (choose 2)
- Security groups
- Access policies
- Roles
- Network ACLs
- Key pairs
- Access policies
- Roles
- Access policies are objects that you attach to entities and resources to define their permissions
- Roles are created and then “assumed” by trusted entities and define a set of permissions for making AWS service requests
- Security groups and network ACLs are used as instance-level and subnet-level firewalls respectively
Under the shared responsibility model, what are examples of shared controls? (choose 2)
- Patch management
- Storage system patching
- Physical and environmental
- Configuration management
- Service and Communications Protection
- Patch management
- Configuration management
- Shared Controls – controls which apply to both the infrastructure layer and customer layers, but in completely separate contexts or perspectives
- Patch Management – AWS is responsible for patching and fixing flaws within the infrastructure, but customers are responsible for patching their guest OS and applications
- Configuration Management – AWS maintains the configuration of its infrastructure devices, but a customer is responsible for configuring their own guest operating systems, databases, and applications
Which of the following are features of Amazon CloudWatch? (choose 2)
- Used to gain system-wide visibility into resource utilization
- Records account activity and service events from most AWS services
- Used for auditing of API calls
- Can be accessed via API, command-line interface, AWS SDKs, and the AWS Management Console
- Provides visibility into user activity by recording actions taken on your account
- Used to gain system-wide visibility into resource utilization
- Can be accessed via API, command-line interface, AWS SDKs, and the AWS Management Console
- Amazon CloudWatch is a monitoring service for AWS cloud resources and the applications you run on AWS
- CloudWatch is for performance monitoring (CloudTrail is for auditing)
- CloudTrail records account activity and service events from most AWS services
Which statement below is incorrect in relation to Security Groups?
- Operate at the instance level
- Support allow rules only
- Stateless
- Evaluate all rules
- Stateless
- Security groups are stateful, meaning that if traffic is allowed in one direction, the return traffic is automatically allowed regardless of whether there is a matching rule for the traffic
What constraints apply to customers when performing penetration testing? (choose 2)
- Permission is required for all penetration tests
- You can perform penetration testing on your own systems at any time without prior authorization
- You must complete and submit the AWS Vulnerability / Penetration Testing Request Form to request authorization
- Penetration testing can be performed against any AWS resources
- Penetration testing must be performed by a certified security consultant
- Permission is required for all penetration tests
- You must complete and submit the AWS Vulnerability / Penetration Testing Request Form to request authorization
- There is a limited set of resources on which penetration testing can be performed
- https://digitalcloud.training/certification-training/aws-certified-cloud-practitioner/cloud-security/
Which statement below is incorrect in relation to Network ACLs?
- Operate at the Availability Zone level
- Support allow and deny rules
- Stateless
- Process rules in order
- Operate at the Availability Zone level
- Network ACLs operate at the subnet level
- https://digitalcloud.training/certification-training/aws-certified-cloud-practitioner/aws-networking/
Which feature can you use to grant read/write access to an Amazon S3 bucket?
- IAM Role
- IAM Policy
- IAM Group
- IAM User
- IAM Policy
- IAM Policies are documents that define permissions and can be applied to users, groups and roles
- IAM policies can be written to grant access to Amazon S3 buckets
- IAM Roles are created and then “assumed” by trusted entities and define a set of permissions for making AWS service requests
- IAM Groups are collections of users and have policies attached to them
Which AWS service is used to enable multi-factor authentication?
- Amazon STS
- AWS IAM
- Amazon EC2
- AWS KMS
- AWS IAM
- IAM is used to securely control individual and group access to AWS resources
- The AWS Security Token Service (STS) is a web service that enables you to request temporary, limited-privilege credentials for IAM users or for users that you authenticate (federated users)
- AWS Key Management Service (KMS) is a managed service that makes it easy for you to create and control the encryption keys used to encrypt your data
- Amazon EC2 is used for running operating systems instances in the cloud
Which AWS service gives you centralized control over the encryption keys used to protect your data?
- AWS STS
- AWS KMS
- AWS DMS
- Amazon EBS
- AWS KMS
- AWS Key Management Service gives you centralized control over the encryption keys used to protect your data. You can create, import, rotate, disable, delete, define usage policies for, and audit the use of encryption keys used to encrypt your data
- The AWS Security Token Service (STS) is a web service that enables you to request temporary, limited-privilege credentials for AWS Identity and Access Management (IAM) users
- AWS Database Migration Service (DMS) helps you migrate databases to AWS quickly and securely
- Amazon Elastic Block Store (Amazon EBS) provides persistent block storage volumes for use with Amazon EC2 instances in the AWS Cloud
How can a security compliance officer retrieve AWS compliance documentation such as a SOC 2 report?
- Using AWS Artifact
- Using AWS Trusted Advisor
- Using AWS Inspector
- Using the AWS Personal Health Dashboard
- Using AWS Artifact
- AWS Artifact, available in the console, is a self-service audit artifact retrieval portal that provides our customers with on-demand access to AWS’ compliance documentation and AWS agreements
- You can use AWS Artifact Reports to download AWS security and compliance documents, such as AWS ISO certifications, Payment Card Industry (PCI), and System and Organization Control (SOC) reports
Which service provides visibility into user activity by recording actions taken on your account?
- Amazon CloudWatch
- Amazon CloudFormation
- Amazon CloudTrail
- Amazon CloudHSM
- Amazon CloudTrail
- CloudTrail is a web service that records activity made on your account and delivers log files to an Amazon S3 bucket
- CloudTrail is for auditing (CloudWatch is for performance monitoring)
- CloudFormation is used for deploying infrastructure through code
- CloudHSM is a hardware security module for generating, managing and storing encryption keys
A new user is unable to access any AWS services. What is the most likely explanation?
- The user needs to login with a key pair
- The services are currently unavailable
- By default new users are created without access to any AWS services
- The default limit for user logons has been reached
- By default new users are created without access to any AWS services
- By default new users are created with NO access to any AWS services; they can only log in to the AWS console
- https://digitalcloud.training/certification-training/aws-certified-cloud-practitioner/identity-and-access-management/
Which of the following compliance programs allows the AWS environment to process, maintain, and store protected health information?
- ISO 27001
- PCI DSS
- HIPAA
- SOC 1
- HIPAA
- AWS enables covered entities and their business associates subject to the U.S. Health Insurance Portability and Accountability Act of 1996 (HIPAA) to use the secure AWS environment to process, maintain, and store protected health information
Which file format is used to write AWS Identity and Access Management (IAM) policies?
- DOC
- XML
- JBOD
- JSON
- JSON
- You manage access in AWS by creating policies and attaching them to IAM identities or AWS resources. A policy is an object in AWS that, when associated with an entity or resource, defines their permissions. AWS evaluates these policies when a principal, such as a user, makes a request. Permissions in the policies determine whether the request is allowed or denied. Most policies are stored in AWS as JSON documents
At what level is a Network ACL applied?
- Instance level
- Region level
- Availability Zone level
- Subnet level
- Subnet level
- Network Access Control Lists (ACLs) provide a firewall/security layer at the subnet level
- Security Groups provide a firewall/security layer at the instance level
Which AWS service protects against common exploits that could compromise application availability, compromise security or consume excessive resources?
- AWS WAF
- AWS Shield
- Security Group
- Network ACL
- AWS WAF
- AWS WAF is a web application firewall that protects against common exploits that could compromise application availability, compromise security or consume excessive resources
- AWS Shield is a managed Distributed Denial of Service (DDoS) protection service
- Security groups and Network ACLs are firewalls protecting at the instance and subnet level respectively
How can an organization assess applications for vulnerabilities and deviations from best practice?
- Use AWS Artifact
- Use AWS Inspector
- Use AWS Shield
- Use AWS WAF
- Use AWS Inspector
- Inspector is an automated security assessment service that helps improve the security and compliance of applications deployed on AWS. Inspector automatically assesses applications for vulnerabilities or deviations from best practices
- AWS Artifact is your go-to, central resource for compliance-related information that matters to you
- AWS Shield is a managed Distributed Denial of Service (DDoS) protection service
- AWS WAF is a web application firewall
Which of the following is NOT one of the five AWS Trusted Advisor categories?
- Cost Optimization
- Performance
- Security
- Application transformation
- Application transformation
- The five categories are cost optimization, performance, security, fault tolerance and service limits
Which of the following are AWS recommended best practices in relation to IAM? (choose 2)
- Assign permissions to users
- Create individual IAM users
- Embed access keys in application code
- Enable MFA for all users
- Grant least privilege
- Create individual IAM users
- Grant least privilege
- AWS recommend creating individual IAM users and assigning the least privileges necessary for them to perform their role
- You should use groups to assign permissions to IAM users, should avoid embedding access keys in application code, and should enable MFA for privileged users (not everyone)