Security Flashcards

1
Q

Which service lets you know AWS is compliant to store healthcare or payment information?

A

AWS is tested by many compliance programmes (regional and global), and all of their compliance certificates/documents can be found on AWS Artifact
Remember: This means AWS is compliant up to infrastructure level but does not mean you are. Responsibility for security is SHARED.

2
Q

Which compliance certificate attests to the security of the AWS platform regarding credit card transactions?

A

PCI DSS Level 1

3
Q

Which compliance certificate attests to the fact AWS platform has met the standards required for the secure storage of medical records in the US?

A

HIPAA

4
Q

What is a SOC certification?

A

Service Organization Controls: evaluates the effectiveness of AWS controls that might affect your internal controls over financial reporting

5
Q

What is an ISO certification?

A

Validates that AWS complies with the ISO internationally recognized standard for security management best practices

6
Q

What is the shared responsibility model?

A

While AWS manages security OF the cloud, the customer is responsible for security IN the cloud.

This helps relieve the customer's operational burden, as AWS operates, manages and controls the components from the host OS down to the physical security of facilities. The customer assumes responsibility for and management of the guest OS, other associated application software and the configuration of the AWS firewall

7
Q

In the shared responsibility model, what is AWS responsible for?

A

AWS is responsible for protecting the infrastructure that runs all of the services

1) Regions, AZs and edge locations
2) Hardware/ AWS global infrastructure
3) Compute, storage, database, networking (database refers to DBs that store YOUR info, e.g. DynamoDB)
4) Software (hypervisor and in some cases all the way up to the OS, in services such as RDS, S3, DynamoDB where you do not have access to the OS)

8
Q

In the shared responsibility model, what is the customer responsible for?

A

Customer responsibility is determined by the service used, which affects the amount of configuration. EC2 is IaaS and requires the customer to perform all necessary security configuration. For S3/DynamoDB, AWS operates the infrastructure and OS layer, so customers are responsible for managing data encryption and IAM tools

1) Client-side data, encryption and data integrity authentication
2) Server-side encryption (file system/data). (S3 encrypted by default)
3) Network traffic protection (encryption, integrity, identity). (Communicate via HTTPS when you read/write)
4) Operating system, network and firewall config (EC2 OS, as AWS can't log into this)
5) Platform, apps, IAM (if you create a user with God access and share the details, responsibility is on you)
6) Customer data

9
Q

In the shared responsibility model, name inherited controls (controls customer fully inherits from AWS)

A

Physical and environmental control

10
Q

In the shared responsibility model, name shared controls (apply to both infrastructure and customer layer but in separate contexts)

A

1) Patch management. AWS is responsible for patching flaws in the infra, customers are responsible for patching the guest OS and apps
2) Configuration management. AWS maintains the config of infra devices, the customer is responsible for the config of the guest OS, DBs and apps
3) Awareness and training. AWS trains AWS employees, customers must train their own employees

11
Q

In the shared responsibility model, name customer specific controls (solely the customer responsibility based on application deployment)

A

Service and Communications Protection or Zone Security, which may require the customer to route or zone data within specific security environments

12
Q

Explain the shared responsibility of encryption

A

E.g. if an object is on S3, Amazon does all the encryption and is responsible for encryption and keys. The customer is responsible for turning on encryption in the first place and ensuring the object is encrypted in transit using HTTPS

13
Q

What is AWS WAF?

A

Web Application Firewall: helps you protect your web applications from common web exploits that could affect application availability, compromise security or consume excessive resources
Goes down to OSI layer 7 (application layer)
Inspects web traffic for malicious activity e.g. SQL injection or cross-site scripting

14
Q

What is AWS Shield?

A

Managed Distributed Denial of Service (DDoS) protection service that safeguards web applications running on AWS. Provides always-on detection and automatic inline mitigation to minimize application downtime and latency
There are two levels

15
Q

What is DDoS?

A

Attack where too much traffic is sent to your server from multiple devices causing it to stop responding

16
Q

What are the two levels of AWS Shield?

A

AWS Shield is automatically turned on but comes in 2 types:
1) Standard: comes with all AWS accounts and is automatically turned on. Only offers network flow monitoring and protection from common DDoS attacks. Free
2) Advanced: gives more features, including:
- Cost protection which reimburses DDoS-related charges for Route 53, CloudFront and ELB.
- Automatic application (layer 7) traffic monitoring.
- Layer 3/4 attack notification and layer 3/4/7 historical reports
- DDoS response team support
£3000 a month

17
Q

What is AWS Inspector?

A

Automated security assessment service that helps improve the security and compliance of applications deployed on AWS. Install and run an agent on your EC2 instance. Assesses applications for vulnerabilities and deviations from best practices (e.g. open ports, missing patches) and produces a report on security findings prioritized by severity level

18
Q

What is AWS Trusted Advisor?

A

Online resource to help reduce cost, increase performance and improve security and fault tolerance by optimizing your entire AWS environment. Provides real-time guidance to help you provision your resources following AWS best practices. Runs automatically when you select it from the Management Console.
There are two levels

19
Q

What are the two levels of AWS Trusted Advisor?

A

1) Core checks and recommendations (free)

2) Full trusted advisor (business and enterprise companies only)

20
Q

What is CloudTrail?

A

Monitors API calls in the AWS platform, increasing visibility to your user and resource activity by recording AWS Management Console actions and API calls, to identify users/accounts/IP addresses making the changes and when the calls occurred. Data is stored in S3
Similar to a security camera recording everything going on

21
Q

What is CloudWatch?

A

Performance monitoring service to monitor AWS resources and applications. Used a lot with EC2.
Host level metrics: CPU, Network, disk utilisation, status check of EC2
Custom metrics (requires script): RAM, EBS storage remaining, number of people logged into WordPress

22
Q

What is AWS Config?

A

Provides detailed view of the configuration of AWS resources in your AWS account, including how they relate to each other and how they were configured in the past to monitor changes over time e.g. change in security group

23
Q

What is the difference between AWS Config and CloudTrail?

A

CloudTrail is an event logging system
AWS Config goes deeper providing the ability to audit specific configurations and review relationships, past and present, allowing you to see how other resources are impacted

24
Q

What is Athena?

A

Interactive query service enabling you to analyse and query data located in S3 using standard SQL queries. It is serverless and you pay per query / TB scanned. No need to set up extract/transform/load (ETL) processes
Located in Analytics services

25
Q

What are the use cases for Athena?

A

1) Used to query log files stored in S3
2) Generate business reports on data stored in S3
3) Analyse AWS costs and usage reports
4) Run queries on click-stream data

26
Q

What is Macie?

A

Security service which uses Machine Learning and Natural Language Processing to discover, classify and protect sensitive data stored in S3 e.g. PII. Gives you dashboards, reports and alerts. Can also analyse CloudTrail logs. Great for PCI-DSS and preventing ID theft

27
Q

What is PII?

A

Personally identifiable information: information which could be exploited for identity or financial fraud e.g. home address, email address, DOB, passport number, bank details.

Macie uses ML and NLP to classify and protect this

28
Q

True or False: Security in the cloud is the responsibility of AWS

A

False

29
Q

True or False: The standard version of AWS Shield offers automated application (layer 7) traffic monitoring

A

False

30
Q

Which service helps you optimize your entire AWS environment in real time following AWS best practices?

A

AWS Trusted Advisor

31
Q

Which service is AWS's managed DDoS protection service?

A

AWS Shield

32
Q

You need to use an AWS service to assess the security and compliance of your EC2 instances. Which service should you use?
Shield, WAF, Inspector, Trusted Advisor

A

Inspector

33
Q

True or False: It's safer to use Access Keys than it is to use IAM roles

A

False

34
Q

Which of the following AWS services can help you assess the fault tolerance of your AWS environment?
Inspector, Trusted Advisor, Shield, WAF

A

Trusted Advisor

35
Q

The AWS web application firewall can go down to which OSI layer?

A

7

36
Q

Your web app requires temporary authorization to use AWS services. Which IAM entity should be used: Group, role, MFA, user

A

role

37
Q

Which of the following statements are true about who can use IAM roles? (3)

An IAM user in a different AWS account than the role

An IAM user in the same AWS account as the role

A web service offered by AWS

A web service offered by providers other than AWS

A

An IAM user in a different AWS account than the role

An IAM user in the same AWS account as the role

A web service offered by AWS

38
Q

Which of the following are components of the AWS Risk and Compliance Program? (3)

Information Security

Security Principles

Environment Automation

Physical Security

Risk Management

Identity and Access Management

Control Environment

A

Information Security
Risk Management
Control Environment

39
Q

Which of the following options are available for configuring a password policy for IAM users of an AWS account?

Require that passwords contain at least one of the AWS-listed nonalphanumeric characters.

Allow users to change their passwords.

Use at least one numerical character from 1 to 9.

Use between 12 to 64 characters to form the password.

Use between 6 to 128 characters to form the password.

A

Require that passwords contain at least one of the AWS-listed nonalphanumeric characters.

Allow users to change their passwords

Use between 6 to 128 characters to form the password.

40
Q

When talking about AWS security, what does “Authentication” refer to?

A

Authentication identifies who is accessing the system and passes that information to the authorization process, which in turn determines what permissions the user has in AWS. Although authentication is the first part of the process to log in to the console, by itself it is not enough.

41
Q

What is the recommended way to give your applications running in EC2 permission to other AWS resources?

A

Create an IAM Role with appropriate permissions and assign it to the instance.

42
Q

Where is the best place to store your Root User Access Key so that your application can use it to make requests to AWS?

A

Nowhere - you should not use the Root User access keys for this

43
Q

You want to streamline access management for your AWS administrators by assigning them a pre-defined set of permissions based on their job role - which of the below is the best way to approach this?

Use IAM Groups

Use Amazon Cognito

Use AWS Organizations

Use IAM Roles

A

Use IAM Groups