Security

Question 1

What is AWS artefact?

Answer 1

features comprehensive list of acmes-controlled documents relevant to compliance and security

Question 2

Which compliance programs does AWS have?

Answer 2

Can access reports for auditors:
ISO
CSA
PCI - credit card
SOC

Question 3

What is the shared responsibility model?

Answer 3

AWS manages security of the cloud, security in the cloud is the responsibility of the customer
Customers retain control of what security they choose to implement their own content, platform, applications, systems and networks

Question 4

What are examples of what the customer is responsible for with EC2?

Answer 4

Security groups, IAM users, patching EC2 operating systems, patching databases running on EC2

Question 5

What are examples of what AWS is responsible for?

Answer 5

Management of data centres, security cameras, cabling, patching RDS operating system

Question 6

What is the AWS WAF?

Answer 6

Web application firewall
Protects your web application from common web exploits that could affect application availability, compromises security, or consume excessive resources
Layer 7 - sees traffic from application layer

Question 7

What is AWS shield ?

Answer 7

Managed distributed denial of service (DDos) protection service that safeguards web applications running on AWS
Provides always-on detection and automatic inline mitigations that minimise application downtime and latency, so there is no need to engage AWS Support to benefit from DDoS protection

Question 8

What are the tiers of AWS shield?

Answer 8

Standard

Advanced

Question 9

What is AWS inspector?

Answer 9

Automated security assessment service that helps improve the security and compliance of applications deployed on AWS
Automatically assesses applications for vulnerabilities or deviations from best practices
After an assessment it produces a detailed list of security findings prioritised by level of severity
These findings can be reviewed directly or as part of detailed assessment reports

Question 10

What is AWS trusted advisor?

Answer 10

Online resource to help you reduce cost, increase performance, and improve security by optimising your AWS environment
Provides real time guidance to help you provision your resources following AWS best practises
Advisors will advise you on Cost optimisation, performance, security, fault tolerance

Question 11

What are the tiers of AWS trusted advisor?

Answer 11

Core checks and recommendations

Full trusted advisor - business and enterprise companies only

Question 12

What is AWS CloudTrail?

Answer 12

Increases visibility into your used and resource activity. by recording AWS Management Console actions and API calls
You can identify which users and accounts called AWS, the source IP address from which the calls were made and when the calls occurred

Question 13

Where does trusted advisor apply?

Answer 13

Global service - not regional

Question 14

What is CloudWatch?

Answer 14

Monitors performance:
Host level metrics:
CPU
Network
Disk
Status check

Question 15

What is AWS Config?

Answer 15

Detailed view of the configuration of AWS resources in your AWS account
Includes how the resources are related to one another and how they were configured int he past so that you can see how the configurations and relationships change over time

Question 16

What are the key services provided by trusted advisor?

Answer 16

Cost optimisation 
Security
Performance
Fault tolerance
Service limits

To unlock full must upgrade to business

Question 17

What is penetration testing?

Answer 17

Simulated cyber attack against your computer system to check for exploitable vulnerabilities

Question 18

Which services can you test without approval? (8)

Answer 18

EC2, NAT gateways, ELB
Amazon RDS
Amazon CloudFront
Amazon Aurora
Amazon API Gateway
AWS Lamda
Amazon Lightsail Resources
Amazon Elastic Beanstalk Environments

Question 19

What are prohibited activities?

Answer 19

1 DNS zone walking via amazon route 53 Hosted Zones
2 DoS, DDos, Simulated DDoS
3 Port flooding
4 Protocol flooding
5 Request flooding

Question 20

What is Amazon KMS?

Answer 20

Key management service
Regional service that does secure management and encryption/decryption
Manages customer master keys
Ideal for S3 objects, database passwords, API keys
Encrypt and decrypt data put to 4KB
Integrated with most AWS services
KMS is on shared hardware

Question 21

What is CloudHSM?

Answer 21

Dedicated hardware security module
FIPS140-2 Level3
Single tenant, dedicated hardware, multi-AZ cluster

Question 22

What is parameter store?

Answer 22

Component of AWS Systems manager
secure serverless storage of configuration nd secrets
Values stored encrypted KMS or plaintext
Can set TTL
No cost to use however limit of 10000 parameters per account

Question 23

What is secrets manager?

Answer 23

Charge per secret stored and per 10000 API calls
automatically rotate secrets
apply the new key/password for RDS for you
generate random secrets

Question 24

What is GuardDuty?

Answer 24

Uses machine learning algorithms for anomaly detection and third-party data to monitor and protect your AWS account
One click to enable (30-day trial)
Input data includes - cloud trail, VPC flow, DNS logs

Question 25

What is Amazon Control Tower?

Answer 25

the easiest way to set up and govern a new, secure, multi-account AWS environment
Those accounts will conform to company policies
Large enterprises

Question 26

What is security hub?

Answer 26

A comprehensive view of your security alert across multiple AWS accounts
Aggregates, organises, and prioritises your security alerts or findings

Question 27

How to resolve compromised IAM credentials?

Answer 27

1 Determine what resources those credentials have access to
2 Invalidate the IAM credentials
3 Consider any temporary credentials
4 Restore appropriate access
5 Review access to AWS account

Question 28

What is Athena?

Answer 28

Interactive query service which enables you to analyse and query data located in S3 using standard SQL
Serverless
No need for ETL
Works with S3

Question 29

What can Athena be used for?

Answer 29

Log files
Business reports
Analyse AWS cost and usage reports
Run queries on click-stream data

Question 30

What is PII?

Answer 30

Personal data used to establish an individual’s identity
Home address, email, SSN
Passport number, driver license number
DOB, phone number, bank account

Question 31

What is Macie?

Answer 31

security service uses machine learning and NLP to discover, classify and protect sensitive data stored in S3
Can analyse CloudTrail for suspicious API activity
Includes dashboards, reports and alerting
Great for PCI-DSS compliance and preventing ID theft

Question 32

What is AWS acceptable use policy?

Answer 32

Describes prohibited actions on AWS infrastructure:
No illegal, harmful, or offensive use or content
No security violations
No network abuse
No email or other message abuse

Question 33

How can cloudwatch alarms alert the customer?

Answer 33

SNS via:
HTTPS
SQS
Lambda
mobile push notification
Email
SMS