Security Flashcards
Which of the below are you responsible for when storing data in S3?
Making sure that enough space has been provisioned for your data
Backing up your data
Making sure there is enough physical storage available for your data
Making sure your data is not corrupted
Replicating your data to another Availability Zone if redundancy is needed
Backing up your data
EXPLANATION:
Under the Shared Responsibility Model for managed services, AWS takes responsibility for managing all the hardware (including access, patching and other maintenance). When it comes to S3, this includes all aspects of capacity management, therefore it is an AWS responsibility to make sure that they never run out of storage. Replication to another AZ is also AWS's responsibility in an applicable storage tier - note that the question asks for AZ replication, not Regional Replication, which would normally be the customer's responsibility to configure. AWS is also responsible for managing data corruption and resolving it if corruption is detected - however, if it cannot fix the corruption, or if data is lost, AWS bears no responsibility for the loss - therefore it is the customer's responsibility to make sure their data is backed up as needed, either through versioning in S3 or through 3rd party tools.
Which of the below statements are correct in relation to security responsibilities in AWS?
AWS is responsible for the security IN the cloud
As an AWS customer, you are responsible for the security OF the cloud
AWS is responsible for the security OF the cloud
As an AWS customer, you are responsible for the security IN the cloud
AWS is responsible for the security OF the cloud
As an AWS customer, you are responsible for the security IN the cloud
EXPLANATION:
AWS is responsible for the security OF the cloud - the security of components that run the cloud service. The customer is responsible for security IN the cloud – that is, the security of their AWS resources and data.
Which of the following are components of the Security Pillar of the AWS Well-Architected Framework?
Technical Account Management
Detective Controls
Infrastructure protection
Customer Service
IAM
Detective Controls
Infrastructure protection
IAM
A consulting firm is conducting a Sarbanes-Oxley compliance audit of your IT operations. The auditor requests visibility to logs of event history across your AWS-based employee expense system infrastructure. Which AWS service will record and give you the information you need?
AWS Compliance Manager
AWS Systems Manager
AWS CloudWatch Logs
AWS CloudTrail
AWS CloudTrail
EXPLANATION:
AWS CloudTrail provides visibility to API call activity for AWS infrastructure and other services. AWS Cloudwatch Logs might be part of a centralized logging solution, but all API event information will come from CloudTrail. AWS Systems Manager can process EC2 logs only, and AWS Compliance Manager is not a service offered by AWS.
Which of the following are components of the AWS Assurance Program?
Certifications/Attestations
Compliance with Laws and Regulations
Customer Testimonials
Following industry best practices
Partner Validations
Certifications/Attestations
Compliance with Laws and Regulations
EXPLANATION:
Certifications/Attestations and Compliance with Laws and Regulations are cornerstones of the AWS Assurance Program.
What is the recommended way to give your applications running in EC2 permission to other AWS resources?
Create an IAM Role with appropriate permissions and assign it to the instance.
Create an IAM Group with appropriate permissions and assign it to the instance.
Create a Root Access Key and use it in the application.
Create an IAM User with appropriate permissions and assign it to the instance.
Create an IAM Role with appropriate permissions and assign it to the instance.
EXPLANATION:
You should use IAM Roles wherever possible to enable applications running on EC2 instances to access other AWS resources. This is the most secure method to do so. It is not possible to assign an IAM Group or User to an instance, and although using the Root Keys in your application would work, this is HIGHLY insecure and should never be done, as the Root Keys have access to absolutely everything in your account.
Which of the following are components of the AWS Risk and Compliance Program?
Security Principles
Information Security
Control Environment
Identity and Access Management
Environment Automation
Risk Management
Physical Security
Information Security
Control Environment
Risk Management
EXPLANATION:
Control Environment, Risk Management and Information Security are all components of the AWS Risk and Compliance Program. Control Environment includes policies, processes and control activities that are in place to secure the delivery of AWS’ service offerings. AWS management has developed a strategic business plan which includes risk identification and the implementation of controls to mitigate or manage risks as part of the Risk Management component. AWS has implemented a formal information security program designed to protect the confidentiality, integrity, and availability of customers’ systems and data.
You need to use an AWS service to assess the security and compliance of your EC2 instances. Which of the following services should you use?
AWS Trusted Advisor
AWS WAF
AWS Shield
AWS Inspector
AWS Inspector
EXPLANATION:
AWS Inspector is an automated security assessment service that helps improve the security and compliance of applications deployed on AWS. AWS Trusted Advisor can give security recommendations about your AWS resources, but not within EC2 instances themselves. AWS Shield and WAF can protect EC2 instances, but don't possess any capabilities to assess their security and compliance.
A purchasing department staff member is set up as an AWS user in the company's procurement AWS account. At each month-end, the staff member needs access to an application running on EC2 in the company's accounts payable AWS account to reconcile reports. Which of the following provides the most secure and operationally efficient way to give the staff member access to the accounts payable application?
Configure Active Directory integration so that you can federate the staff member’s access to the accounts payable AWS account
Create a user for the staff member in the accounts payable AWS account
Invoke an AWS Lambda function to run the application in the accounts payable AWS account
Have the user request temporary security credentials for the application by assuming a role
Have the user request temporary security credentials for the application by assuming a role
EXPLANATION:
The staff member should be given the ability to assume a role programmatically with the permissions necessary to run the accounts payable application. Setting up another AWS user for the staff member in the accounts payable account will require the presentation of hard credentials programmatically. Both federation and Lambda will require the use of a role as well, but with the added overhead of maintaining Active Directory or the Lambda function.
Which of the below are TRUE statements when it comes to data security in AWS?
AWS is responsible for the security of the hardware the data resides on
The customer is responsible for managing who can access the data
The customer is responsible for the security of the hardware the data resides on
AWS is responsible for the security of the software that manages the data
AWS is responsible for managing who can access the data
The customer is responsible for the security of the software that manages the data
AWS is responsible for the security of the hardware the data resides on
The customer is responsible for managing who can access the data
AWS is responsible for the security of the software that manages the data
EXPLANATION:
Under the Shared Responsibility Model, AWS takes responsibility for managing all the hardware (including access, patching and other maintenance) and software required to deliver the service - which includes security. The customer is responsible for who can access the data itself.
Which of the following are components of the AWS Risk and Compliance Program?
Identity and Access Management
Control Environment
Physical Security
Environment Automation
Security Principles
Risk Management
Information Security
Control Environment
Risk Management
Information Security
EXPLANATION:
Control Environment, Risk Management and Information Security are all components of the AWS Risk and Compliance Program. Control Environment includes policies, processes and control activities that are in place to secure the delivery of AWS’ service offerings. AWS management has developed a strategic business plan which includes risk identification and the implementation of controls to mitigate or manage risks as part of the Risk Management component. AWS has implemented a formal information security program designed to protect the confidentiality, integrity, and availability of customers’ systems and data.
You would like to give an application running on one of your EC2 instances access to an S3 bucket - what is the best way to implement this?
Use an IAM user for the application
Assign the instance an IAM role
Make the bucket public
Give the application a set of Access Keys
Assign the instance an IAM role
EXPLANATION:
The recommended method to assign permissions to apps running in EC2 is to use IAM roles. Making the bucket public could work, but will also expose all the data to the internet and is not secure. The other methods are also less secure than using IAM roles and are not recommended in this case.
You are using your corporate directory to grant your users access to AWS services. What is this called?
Role-based Access
Federated Access
Multifactor Authentication Access
User Group Access
Federated Access
EXPLANATION:
Federated Access is when you use an external directory, such as your corporate one, to grant users in that directory access to AWS resources. Role-based and User Group access are used more to define which resources a user is able to access once they have access, not the method by which they gain that access. Multifactor Authentication Access is the concept of a user requiring 2 secrets to be able to access the resources - usually their password and a one-time code provided by a device under their control (e.g. a mobile phone).
Which of the below are TRUE statements when it comes to data security in AWS?
The customer is responsible for the security of the software that manages the data
AWS is responsible for the security of the hardware the data resides on
AWS is responsible for the security of the software that manages the data
The customer is responsible for the security of the hardware the data resides on
The customer is responsible for managing who can access the data
AWS is responsible for managing who can access the data
AWS is responsible for the security of the hardware the data resides on
AWS is responsible for the security of the software that manages the data
The customer is responsible for managing who can access the data
EXPLANATION:
Under the Shared Responsibility Model, AWS takes responsibility for managing all the hardware (including access, patching and other maintenance) and software required to deliver the service - which includes security. The customer is responsible for who can access the data itself.